ZyXEL Communications 802.11 a/g User Manual

802.11 a/g dual radio wireless business ap

NWA-3500/NWA-3550
802.11a/g Dual Radio Wireless Business AP
802.11a/g Dual Radio Outdoor WLAN Business AP
Default Login Details
IP Address: http://192.168.1.2
Password: 1234
Firmware Version 3.7
Edition 1, 1/2009
www.zyxel.com
Copyright © 2009 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications 802.11 a/g

  • Page 1 NWA-3500/NWA-3550 802.11a/g Dual Radio Wireless Business AP 802.11a/g Dual Radio Outdoor WLAN Business AP Default Login Details IP Address http://192.168.1.2 Password 1234 Firmware Version 3.7 Edition 1, 1/2009 www.zyxel.com www.zyxel.com Copyright © 2009 ZyXEL Communications Corporation...
  • Page 3: About This User's Guide

    Help us help you. Send all User’s Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
  • Page 4 About This User's Guide Customer Support In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. See http://www.zyxel.com/web/contact_us.php for contact information.
  • Page 5: Document Conventions

    Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your NWA. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 6 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The NWA icon is not an exact representation of your NWA. Table 1 Common Icons Computer Notebook Server Printer Telephone Switch Router Internet Cloud Firewall DSLAM Wireless Signal...
  • Page 7: Safety Warnings

    Safety Warnings • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the device. •...
  • Page 9: Table Of Contents

    Contents Overview: Introduction (21); Introducing the NWA (23); Introducing the Web Configurator (35); Status Screens (39); Management Mode (47); Controller AP Mode (53); Tutorial (67); The Web Configurator (107); System Screens (109); Wireless Configuration (119); SSID Screen ...
  • Page 11: Table Of Contents

    Table of Contents: About This User's Guide (3); Document Conventions (5); Safety Warnings (7); Contents Overview (9); Table of Contents (11); Part I: Introduction (21); Chapter 1 Introducing the NWA (23); 1.1 Introducing the NWA (23); 1.2 Applications for the NWA ...
  • Page 12 Table of Contents: Chapter 3 Status Screens (39); 3.1 The Status Screen (40); 3.1.1 AP List (44); 3.1.2 AP Statistics (45); 3.1.3 SSID Information (46); Chapter 4 Management Mode (47); 4.1 About CAPWAP (47); 4.1.1 CAPWAP Discovery and Management ...
  • Page 13 Table of Contents: 6.2.2.2 Activate the VoIP Profile (77); 6.2.3 Configure the Guest Network (77); 6.2.3.1 Set Up Security for the Guest Profile (78); 6.2.3.2 Set up Layer 2 Isolation (80); 6.2.3.3 Activate the Guest Profile (82); 6.2.4 Testing the Wireless Networks ...
  • Page 14 Table of Contents: 7.5 Configuring the Password (113); 7.6 Configuring Time Setting (116); 7.7 Technical Reference (118); Chapter 8 Wireless Configuration (119); 8.1 Overview (119); 8.2 What You Can Do in the Wireless Screen (119); 8.3 What You Need To Know (120); 8.3.1 Operating Mode ...
  • Page 15 Table of Contents: 10.1 Overview (147); 10.2 What You Can Do in the Security Screen (147); 10.3 What You Need To Know (148); 10.4 The Security Screen (150); 10.4.1 Security: WEP (151); 10.4.2 Security: 802.1x Only (153); 10.4.3 Security: 802.1x Static 64-bit, 802.1x Static 128-bit ...
  • Page 16 Table of Contents: 14.5.1 WAN IP Address Assignment (177); Chapter 15 Rogue AP Detection (179); 15.1 Overview (179); 15.2 What You Can Do in the Rogue AP Screen (180); 15.3 What You Need To Know (180); 15.3.1 Configuration Screen ...
  • Page 17 Table of Contents: 18.4.3 My Certificates Details Screen (214); 18.5 Trusted CAs Screen (218); 18.5.1 Trusted CAs Import Screen (219); 18.5.2 Trusted CAs Details Screen (220); 18.6 Technical Reference (223); 18.6.1 Private-Public Certificates (224); 18.6.2 Certification Authorities ...
  • Page 18 Table of Contents: 21.2 The Load Balancing Screen (257); 21.2.1 Disassociating and Delaying Connections (258); Chapter 22 Dynamic Channel Selection (261); 22.1 Overview (261); 22.2 The DCS Screen (262); Chapter 23 Maintenance (265); 23.1 Overview (265); 23.2 What You Can Do in the Maintenance Screens ...
  • Page 19 Table of Contents: Appendix C Pop-up Windows, JavaScripts and Java Permissions (335); Appendix D Importing Certificates (343); Appendix E IP Addresses and Subnetting (369); Appendix F Text File Based Auto Configuration (379); Appendix G Legal Information (387); Index (391)
  • Page 21: Introduction

    Introduction Introducing the NWA (23) Introducing the Web Configurator (35) Status Screens (39) Management Mode (47) Tutorial (67)
  • Page 23: Introducing The Nwa

    Introducing the NWA This chapter introduces the main applications and features of the NWA. It also introduces the ways you can manage the NWA. 1.1 Introducing the NWA Your NWA extends the range of your existing wired network without additional wiring, providing easy network access to mobile users.
  • Page 24: Access Point

    Chapter 1 Introducing the NWA • Access Point (AP) • Bridge/Repeater • AP+Bridge • MBSSID Applications for each operating mode are shown below. Note: A different channel should be configured for each WLAN interface to reduce the effects of radio interference. 1.2.1 Access Point The NWA is an ideal access solution for wireless Internet connection.
  • Page 25: Ap + Bridge

    Chapter 1 Introducing the NWA When the NWA is in Bridge / Repeater mode, security between APs (the Wireless Distribution System or WDS) is independent of the security between the wireless stations and the AP. If you do not enable WDS security, traffic between APs is not encrypted.
  • Page 26: Mbssid

    Chapter 1 Introducing the NWA In the figure below, A and B use X as an AP to access the wired network, while X and Y communicate in bridge mode. When the NWA is in AP + Bridge mode, security between APs (the Wireless Distribution System or WDS) is independent of the security between the wireless stations and the AP.
  • Page 27: Pre-Configured Ssid Profiles

    Chapter 1 Introducing the NWA To the wireless clients in the network, each SSID appears to be a different access point. As in any wireless network, clients can associate only with the SSIDs for which they have the correct security settings. For example, you might want to set up a wireless network in your office where Internet telephony (Voice over IP, or VoIP) users have priority.
  • Page 28: Configuring Dual Wlan Adaptors

    Chapter 1 Introducing the NWA Guest_SSID. This profile is intended for use by visitors and others who require access to certain resources on the network (an Internet gateway or a network printer, for example) but must not have access to the rest of the network. Layer 2 isolation is enabled (see Section on page 166), and QoS is set to NONE.
  • Page 29: Ways To Manage The Nwa

    Chapter 1 Introducing the NWA ZyXEL’s CAPWAP allows a single access point to manage up to eight other access points. The managed APs receive all their configuration information from the controller AP. The CAPWAP dataflow is protected by DTLS (Datagram Transport Layer Security).
  • Page 30: Configuring Your Nwa's Security Features

    Chapter 1 Introducing the NWA • SMT. System Management Terminal is a text-based configuration menu that you can use to configure your device. Use Telnet to access the SMT. • FTP. File Transfer Protocol for firmware upgrades and configuration backup and restore.
  • Page 31: Maintaining Your Nwa

    Chapter 1 Introducing the NWA • Enable wireless security on your NWA. Choose the most secure encryption method that all devices on your network support. See Section 10.4 on page 150 for directions on configuring encryption. If you have a RADIUS server, enable IEEE 802.1x or WPA(2) user identification on your network so users must log in.
  • Page 32: Leds

    Chapter 1 Introducing the NWA 1.8 LEDs This section applies to the NWA-3500 only. Figure 8 LEDs Table 3 LEDs LABEL LED COLOR STATUS DESCRIPTION Green The wireless adaptor WLAN1 is active. Blinking The wireless adaptor WLAN1 is active, and transmitting or receiving data.
  • Page 33 Chapter 1 Introducing the NWA Table 3 LEDs (continued) LABEL LED COLOR STATUS DESCRIPTION WDS/SYS Green The NWA is in AP + Bridge or Bridge/ Repeater mode, and has successfully established a Wireless Distribution System (WDS) connection. Flashing The NWA is starting up. Either The NWA is in Access Point or MBSSID mode and is functioning normally.
  • Page 35: Introducing The Web Configurator

    Introducing the Web Configurator This chapter describes how to access the NWA’s web configurator and provides an overview of its screens. 2.1 Accessing the Web Configurator Make sure your hardware is properly connected and prepare your computer or computer network to connect to the NWA (refer to the Quick Start Guide).
  • Page 36 Chapter 2 Introducing the Web Configurator Note: If you do not change the password, the following screen appears every time you login. Figure 9 Change Password Screen Click Apply in the Replace Certificate screen to create a certificate using your NWA’s MAC address that will be specific to this device.
  • Page 37: Resetting The Nwa

    Chapter 2 Introducing the Web Configurator 2.2 Resetting the NWA This replaces the current configuration file with the factory-default configuration file. This means that you will lose all the settings you previously configured. The password will be reset to 1234. 2.2.1 Methods of Restoring Factory-Defaults You can erase the current configuration and restore factory defaults in the following ways:...
  • Page 38 Chapter 2 Introducing the Web Configurator • Check the status bar at the bottom of the screen when you click Apply or OK to verify that the configuration has been updated. Figure 11 The Status Screen of the Web Configurator •...
  • Page 39: Status Screens

    Status Screens The Status screen displays when you log into the NWA, or click STATUS in the navigation menu. Use the Status screens to look at the current status of the device, system resources, interfaces and SSID status. The Status screen also provides detailed information about associated wireless clients, channel usage, logs and detected rogue APs.
  • Page 40: The Status Screen

    Chapter 3 Status Screens 3.1 The Status Screen Click Status. The following screen displays. The Status screen varies slightly depending on the NWA’s management mode you configured in the MGMT MODE screen. The NWA works as a standalone AP by default. Figure 12 The Status Screen (Standalone AP) Figure 13 The Status Screen (AP Controller) The following table describes the labels in this screen.
  • Page 41 Chapter 3 Status Screens Table 4 The Status Screen LABEL DESCRIPTION System Information System Name This field displays the NWA system name. It is used for identification. You can change this in the System > General screen’s System Name field. Model This field displays the NWA’s exact model name.
  • Page 42 Chapter 3 Status Screens Table 4 The Status Screen LABEL DESCRIPTION Registration Type This field is available only when the NWA is in AP controller management mode. This displays Manual when an access point in managed AP mode needs to register to the NWA manually or Always Accept when the NWA automatically adds any detected access point in managed AP mode to the managed AP list.
  • Page 43 Chapter 3 Status Screens Table 4 The Status Screen LABEL DESCRIPTION SSID This field displays the SSID(s) currently used by each wireless module. BSSID This field displays the MAC address of the wireless adaptor. Security This field displays the type of wireless security used by each SSID. VLAN This field displays the VLAN ID of each SSID in use, or Disabled if the SSID does not use VLAN.
  • Page 44: Ap List

    Chapter 3 Status Screens Table 4 The Status Screen LABEL DESCRIPTION Show Statistics This link is not available when the NWA is in AP controller management mode. Click this link to view port status and packet specific statistics. See Section 23.4.1 on page 266.
  • Page 45: Ap Statistics

    Chapter 3 Status Screens Table 5 Status > AP List LABEL DESCRIPTION Channel ID This is the channel ID number used by each wireless module on the AP. SSID List This is the SSID(s) currently used by each wireless module. VLAN This is the VLAN ID of each SSID in use.
  • Page 46: Ssid Information

    Chapter 3 Status Screens 3.1.3 SSID Information Click the SSID Information link in the Status screen when the NWA is in AP controller management mode. Figure 16 Status > SSID Information The following table describes the labels in this screen. Table 7 Status > SSID Information LABEL DESCRIPTION SSID...
  • Page 47: Management Mode

    Management Mode This chapter discusses the MGNT MODE (Management Mode) screen. This screen determines whether the NWA is used in its default standalone AP mode or as part of a CAPWAP (Control And Provisioning of Wireless Access Points) network. 4.1 About CAPWAP The NWA supports CAPWAP (Control And Provisioning of Wireless Access Points).
  • Page 48: Capwap Discovery And Management

    Chapter 4 Management Mode 4.1.1 CAPWAP Discovery and Management The link between CAPWAP-enabled access points proceeds as follows: An AP in managed AP mode joins a wired network (receives a dynamic IP address). The AP sends out a management request, looking for an AP in CAPWAP AP controller mode.
  • Page 49: Notes On Capwap

    Chapter 4 Management Mode DHCP Option 43 allows the CAPWAP management request (from the AP in managed AP mode) to reach the AP controller in a different subnet, as shown in the following figure. Figure 18 CAPWAP and DHCP Option 43 SUBNET 1 SUBNET 2 DHCP...
  • Page 50 Chapter 4 Management Mode Click MGNT MODE in the NWA’s navigation menu. The following screen displays. Figure 19 The Management Mode Screen The following table describes the labels in this screen. Table 8 The Management Mode Screen LABEL DESCRIPTION AP Controller Select this to manage other APs (in Managed AP mode) via this NWA.
  • Page 51 Chapter 4 Management Mode Table 8 The Management Mode Screen LABEL DESCRIPTION Manual AP Controller Check this if you know the IP address of the controller AP that you want to manage this AP. • Primary AP Controller IP - Enter the IP address of the primary controller AP.
  • Page 53: Controller Ap Mode

    Controller AP Mode 5.1 Overview This chapter discusses the Controller AP management mode. When the NWA is used as a CAPWAP (Control And Provisioning of Wireless Access Points) controller AP, the Web Configurator changes to reflect this by including the Controller and Profile Edit screens.
  • Page 54: Before You Begin

    Chapter 5 Controller AP Mode In the figure below, an administrator is able to manage the security settings of 5 APs (1 controller AP and 4 managed APs). He changes the security mode to WPA- PSK just by accessing the Web Configurator of the controller AP (C). Figure 20 CAPWAP Controller Managed APs Note: Be careful when configuring the controller AP as its managed APs automatically...
  • Page 55: Controller Ap Status Screen

    Chapter 5 Controller AP Mode After logging in again, the navigation menu changes to include links for the Controller and Profile Edit screens. The items marked below are screens that can be configured for all APs managed by the NWA. Figure 22 Controller AP Navigation Links In the figure above, changes made in the highlighted screens of the Controller AP (A) are automatically applied to all the Managed APs (B).
  • Page 56 Chapter 5 Controller AP Mode Figure 23 AP Controller: the Status Screen The following table describes the new labels in this screen. Table 9 AP Controller: the Status Screen LABEL DESCRIPTION Registration Type This field displays how the managed APs are registered with the NWA. •...
  • Page 57: Ap List Screen

    Chapter 5 Controller AP Mode 5.4 AP List Screen Use this screen to view and add managed APs. By default, the NWA is always included in this table. Although you cannot remove it, you can edit its settings. Click Controller > AP Lists. The following screen displays. Figure 24 The Controller >...
  • Page 58 Chapter 5 Controller AP Mode Table 10 The Controller > AP Lists Screen LABEL DESCRIPTION Status This displays whether the managed AP is active, not active or upgrading its firmware. • Red: the AP is not active. • Green: the AP is active. •...
  • Page 59: The Ap Lists Edit Screen

    Chapter 5 Controller AP Mode 5.4.1 The AP Lists Edit Screen Use this screen to change the description or radio profile of an AP managed by the NWA. Click Edit in the CONTROLLER > AP Lists screen. The following screen displays.
  • Page 60: Configuration Screen

    Chapter 5 Controller AP Mode 5.5 Configuration Screen Use this screen to control the way in which the NWA accepts new APs to manage. You can also configure the pre-shared key (PSK) that is used to secure the data transmitted between the NWA and the APs it manages. When the NWA is in AP controller mode, click CONTROLLER >...
  • Page 61: Redundancy Screen

    Chapter 5 Controller AP Mode 5.6 Redundancy Screen Use this screen to set the controller AP as a primary or secondary controller. If you set your NWA as a primary controller AP, you can have a secondary controller AP to serve as a backup. All configurations are synchronized between the NWA and the secondary controller AP.
  • Page 62: The Profile Edit Screens

    Chapter 5 Controller AP Mode 5.7 The Profile Edit Screens This section describes the Profile Edit screens, which are available only in AP controller mode. The following Profile Edit screens are identical to those in regular mode: • The Profile Edit > SSID screen (see Section 9.2 on page 129).
  • Page 63 Chapter 5 Controller AP Mode The following table describes the labels in this screen. Table 13 The Profile Edit > Radio Screen LABEL DESCRIPTION Index This field displays the index number of each radio profile. Profile Name This field displays the identification name of each radio profile on the NWA.
  • Page 64: The Radio Profile Edit Screen

    Chapter 5 Controller AP Mode 5.8 The Radio Profile Edit Screen Use this screen to configure a specific radio profile. In the Profile Edit > Radio screen, select a profile and click Edit. The following screen displays. Figure 30 The Profile Edit > Radio > Edit Screen NWA-3500/NWA-3550 User’s Guide...
  • Page 65 Chapter 5 Controller AP Mode The following table describes the labels in this screen. Table 14 The Profile Edit > Radio > Edit Screen LABEL DESCRIPTION Profile Name Enter a name identifying this profile. 802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the NWA.
  • Page 66 Chapter 5 Controller AP Mode Table 14 The Profile Edit > Radio > Edit Screen LABEL DESCRIPTION Rates Configuration This section controls the data rates permitted for clients of an AP using this radio profile. For each Rate, select an option from the Configuration list. The options are: Basic (1~11 Mbps only): Clients can always connect to the access point at this speed.
  • Page 67: Tutorial

    Tutorial This chapter first provides an overview of how to configure the wireless LAN on your NWA, and then gives step-by-step guidelines showing how to configure your NWA for some example scenarios. 6.1 How to Configure the Wireless LAN This section shows how to choose which wireless operating mode you should use on the NWA, and the steps you should take to set up the wireless LAN in each wireless mode.
  • Page 68: Configuring Dual Wlan Adaptors

    Chapter 6 Tutorial 6.1.1.1 Configuring Dual WLAN Adaptors The NWA is equipped with dual wireless adaptors. This means you can configure two different wireless networks to operate simultaneously. See Section 1.2.6 on page 28 for details. You can configure each wireless adaptor separately in the WIRELESS > Wireless screen.
  • Page 69 Chapter 6 Tutorial Figure 31 Configuring Wireless LAN Select the WLAN Interface you want to configure. Select Operating Mode Bridge / MBSSID AP + Bridge Access Point Repeater Mode. Mode. Mode. Mode. Select 802.11 Select 802.11 Select 802.11 Mode Select 802.11 Mode and Mode and and Channel ID.
  • Page 70: Further Reading

    Chapter 6 Tutorial 6.1.3 Further Reading Use these links to find more information on the steps: • Choosing 802.11 Mode: see Section 8.4.1 on page 123. • Choosing a wireless Channel ID: see Section 8.4.1 on page 123. • Selecting and configuring SSID profile(s): see Section 8.4.1 on page 123 and Section 9.4 on page 143.
  • Page 71 Chapter 6 Tutorial The following figure shows the multiple networks you want to set up. Your NWA is marked Z, the main network router is marked A, and your network printer is marked B. Figure 32 Tutorial: Example MBSSID Setup Internet VoIP_SSID Guest_SSID...
  • Page 72: Change The Operating Mode

    Chapter 6 Tutorial 6.2.1 Change the Operating Mode Log in to the NWA (see Section 2.1 on page 35). Click WIRELESS > Wireless. The Wireless screen appears. In this example, the NWA is using WLAN Interface 1 in Access Point operating mode, and is currently set to use the SSID04 profile.
  • Page 73: Configure The Voip Network

    Chapter 6 Tutorial Select MBSSID from the Operating Mode drop-down list box. The screen displays as follows. Figure 34 Tutorial: Wireless LAN: Change Mode This Select SSID Profile table allows you to activate or deactivate SSID profiles. Your wireless network was previously using the SSID04 profile, so select SSID04 in one of the Profile list boxes (number 3 in this example).
  • Page 74 Chapter 6 Tutorial network’s parameters, so when you set up security for the VoIP_SSID and Guest_SSID profiles you will need to set different security profiles. Figure 35 Tutorial: WIRELESS > SSID The Voice over IP (VoIP) network will use the pre-configured SSID profile, so select VoIP_SSID’s radio button and click Edit.
  • Page 75: Set Up Security For The Voip Profile

    Chapter 6 Tutorial • Choose a new SSID for the VoIP network. In this example, enter VOIP_SSID_Example. Note that although the SSID changes, the SSID profile name (VoIP_SSID) remains the same as before. • Select Enable from the Hide Name (SSID) list box. You want only authorized company employees to use this network, so there is no need to broadcast the SSID to wireless clients scanning the area.
  • Page 76 Chapter 6 Tutorial You already chose to use the security02 profile for this network, so select the radio button for security02 and click Edit. The following screen appears. Figure 38 Tutorial: VoIP Security Profile Edit • Change the Name field to “VoIP_Security” to make it easier to remember and identify.
  • Page 77: Activate The Voip Profile

    Chapter 6 Tutorial 6.2.2.2 Activate the VoIP Profile You need to activate the VoIP_SSID profile before it can be used. Click the Wireless tab. In the Select SSID Profile table, select the VoIP_SSID profile’s Active checkbox and click Apply. Figure 40 Tutorial: Activate VoIP Profile Your VoIP wireless network is now ready to use.
  • Page 78: Set Up Security For The Guest Profile

    Chapter 6 Tutorial Click WIRELESS > SSID. Select Guest_SSID’s entry in the list and click Edit. The following screen appears. Figure 41 Tutorial: Guest Edit • Choose a new SSID for the guest network. In this example, enter Guest_SSID_Example. Note that although the SSID changes, the SSID profile name (Guest_SSID) remains the same as before.
  • Page 79 Chapter 6 Tutorial You already chose to use the security03 profile for this network, so select security03’s entry in the list and click Edit. The following screen appears. Figure 42 Tutorial: Guest Security Profile Edit • Change the Name field to “Guest_Security” to make it easier to remember and identify.
  • Page 80: Set Up Layer 2 Isolation

    Chapter 6 Tutorial 6.2.3.2 Set up Layer 2 Isolation Configure layer 2 isolation to control the specific devices you want the users on your guest network to access. Click WIRELESS > Layer-2 Isolation. The following screen appears. Figure 44 Tutorial: Layer 2 Isolation NWA-3500/NWA-3550 User’s Guide...
  • Page 81 Chapter 6 Tutorial The Guest_SSID network uses the l2isolation01 profile by default, so select its entry and click Edit. The following screen displays. Figure 45 Tutorial: Layer 2 Isolation Profile Enter the MAC addresses and descriptions of the two network devices you want users on the guest network to be able to access: the main network router (00:AA:00:AA:00:AA) and the network printer (AA:00:AA:00:AA:00).
  • Page 82: Activate The Guest Profile

    Chapter 6 Tutorial 6.2.3.3 Activate the Guest Profile You need to activate the Guest_SSID profile before it can be used. Click the Wireless tab. In the Select SSID Profile table, select the check box for the Guest_SSID profile and click Apply. Figure 46 Tutorial: Activate Guest Profile Your guest wireless network is now ready to use.
  • Page 83: How To Set Up And Use Rogue Ap Detection

    Chapter 6 Tutorial 6.3 How to Set Up and Use Rogue AP Detection This example shows you how to configure the rogue AP detection feature on the NWA. A rogue AP is a wireless access point operating in a network’s coverage area that is not a sanctioned part of that network.
  • Page 84 Chapter 6 Tutorial E, and a computer, marked F, connected to the wired network. The coffee shop’s access point is marked 1. Figure 47 Tutorial: Wireless Network Example In the figure, the solid circle represents the range of your wireless network, and the dashed circle represents the extent of the coffee shop’s wireless network.
  • Page 85: Set Up And Save A Friendly Ap List

    Chapter 6 Tutorial Note: The NWA can detect the MAC addresses of APs automatically. However, it is more secure to obtain the correct MAC addresses from another source and add them to the friendly AP list manually. For example, an attacker’s AP mimicking the correct SSID could be placed on the friendly AP list by accident, if selected from the list of auto-detected APs.
  • Page 86 Chapter 6 Tutorial Note: You can add APs that are not part of your network to the friendly AP list, as long as you know that they do not pose a threat to your network’s security. Table 17 Tutorial: Friendly AP Information MAC ADDRESS DESCRIPTION 00:AA:00:AA:00:AA...
  • Page 87 Chapter 6 Tutorial Next, you will save the list of friendly APs in order to provide a backup and upload it to your other access points. Click the Configuration tab. The following screen appears. Figure 50 Tutorial: Configuration Click Export. If a window similar to the following appears, click Save. Figure 51 Tutorial: Warning NWA-3500/NWA-3550 User’s Guide...
  • Page 88: Activate Periodic Rogue Ap Detection

    Chapter 6 Tutorial Save the friendly AP list somewhere it can be accessed by all the other access points on the network. In this example, save it on the network file server (E in Figure 47 on page 84). The default filename is “Flist”. Figure 52 Tutorial: Save Friendly AP list 6.3.2 Activate Periodic Rogue AP Detection Take the following steps to activate rogue AP detection on the first of your NWAs.
  • Page 89: Set Up E-Mail Logs

    Chapter 6 Tutorial Click Apply. 6.3.3 Set Up E-mail Logs In this section, you will configure the first of your four APs to send a log message to your e-mail inbox whenever a rogue AP is discovered in your wireless network’s coverage area.
  • Page 90: Configure Your Other Access Points

    Chapter 6 Tutorial • Enter a subject line for the alert e-mails in the Mail Subject field. Choose a subject that is eye-catching and identifies the access point - in this example, “ALERT_Access_Point_A”. • Enter the email address to which you want alerts to be sent (myname@myfirm.com, in this example).
  • Page 91: How To Use Multiple Mac Filters And L-2 Isolation Profiles

    Chapter 6 Tutorial • Log into each AP’s Web configurator and click ROGUE AP > Rogue AP. Click Refresh. If any of the MAC addresses from Table 17 on page 86 appear in the list, the friendly AP function may be incorrectly configured - check the ROGUE AP >...
  • Page 92: Your Requirements

    Chapter 6 Tutorial NWA is marked Z. C is a workstation on your wired network, D is your main network switch, and E is the security gateway you use to connect to the Internet. Figure 55 Tutorial: Example Network Internet 6.4.2 Your Requirements You want to set up a wireless network to allow only Alice to access Server 1 and the Internet.
  • Page 93: Configure The Server_1 Network

    Chapter 6 Tutorial Configure the SERVER_1 network’s SSID profile to use specific MAC filter and layer-2 isolation profiles. Configure the SERVER_1 network’s MAC filter profile. Configure the SERVER_1 network’s layer-2 isolation profile. Repeat steps 1 ~ 3 for the SERVER_2 network. Check your settings and test the configuration.
  • Page 94 Chapter 6 Tutorial Log into the NWA’s Web Configurator and click WIRELESS > SSID. The following screen displays, showing the SSID profiles you already configured. Figure 56 Tutorial: SSID Profile Select SERVER_1’s entry and click Edit. The following screen displays. Figure 57 Tutorial: SSID Edit Select l2Isolation03 in the L2 Isolation field, and select macfilter03 in the MAC Filtering field.
  • Page 95 Chapter 6 Tutorial Click the Layer-2 Isolation tab. When the Layer-2 Isolation screen appears, select L2Isolation03’s entry and click Edit. The following screen displays. Figure 58 Tutorial: Layer-2 Isolation Edit Enter the network switch’s MAC Address and add a Description (“NET_SWITCH” in this case) in Set 1’s entry.
  • Page 96: Configure The SERVER_2 Network

    Chapter 6 Tutorial 6.4.5 Configure the SERVER_2 Network Next, you will configure the SERVER_2 network that allows Bob to access secure server 2 and the Internet. To do this, repeat the procedure in Section 6.4.4 on page 93, substituting the following information.
  • Page 97 Chapter 6 Tutorial Click WIRELESS > Wireless. Check that the Operating Mode is MBSSID and that the correct SSID profiles are selected and activated, as shown in the following figure. Figure 60 Tutorial: SSID Profiles Activated Next, click the SSID tab. Check that each configured SSID profile uses the correct Security, Layer-2 Isolation and MAC Filter profiles, as shown in the following figure.
  • Page 98: Testing The Configuration

    Chapter 6 Tutorial 6.4.6.2 Testing the Configuration Before you allow employees to use the network, you need to thoroughly test whether the setup behaves as it should. Take the following steps to do this. Test the SERVER_1 network. • Using Alice’s computer and wireless client, and the correct security settings, do the following.
  • Page 99: How To Configure Management Modes

    Chapter 6 Tutorial 6.5 How to Configure Management Modes This example shows you how to configure the NWA’s controller AP and managed AP modes. 6.5.1 Scenario In this example, you are the administrator of a company network wherein a group of users need a stable wireless connection.
  • Page 100: Setup

    Chapter 6 Tutorial 6.5.3 Setup In this example, all of your NWA standalone APs mirror each other. They all have the same SSID profiles stored. First you need to download the configuration file from one of your NWAs for backup purposes. Refer to Section 23.8.1 on page 272 for information on how to download the configuration file from your NWA.
  • Page 101: Configure Your NWA In Controller AP Mode

    Chapter 6 Tutorial 6.5.4 Configure Your NWA in Controller AP Mode The NWA is set to Standalone AP mode by default. After you have made sure you have the correct configuration (see Section 23.8 on page 272) in the NWAs (A and E) of the 1st floor, you need to set both of them to controller AP mode; one will serve as your main controller while the other works as your backup.
  • Page 102: Primary AP Controller

    Chapter 6 Tutorial To set your NWA in secondary controller AP mode, open the Controller > Redundancy screen (this screen only appears when the NWA is in Controller AP mode) in the Web Configurator of the NWA that you want to serve as backup. Figure 64 Tutorial: Secondary Controller AP Enable Redundancy.
  • Page 103: Setting Your NWA In Managed AP Mode

    Chapter 6 Tutorial 6.5.5 Setting Your NWA in Managed AP Mode After setting the NWAs (A and E) to controller AP modes, you can now transform the NWAs (B, C and D) in the 2nd, 3rd and 4th floors of your company building to managed APs.
  • Page 104: Configuring The Managed Access Points List

    Chapter 6 Tutorial 6.5.6 Configuring the Managed Access Points List At this point, you have 3 NWA managed APs (B, C and D) that can now be managed by the primary controller AP. First in the Web Configurator of your primary controller AP (A), go to Controller >...
  • Page 105 Chapter 6 Tutorial Select the NWA managed APs from the Un-Managed Access Points List as shown in the screen above. You can also identify these managed APs by filling in the Description field. Click Add. The 2nd, 3rd and 4th floor NWA managed APs (B, C and D) should now be in the Managed Access Points List.
  • Page 106: Checking Your Settings And Testing The Configuration

    Chapter 6 Tutorial In this example, the 1st floor NWA managed AP uses radio06 for its WLAN1 Radio Profile. The WLAN2 radio is disabled. Refer to Section 5.7.1 on page 62 for instructions on how to set up WLAN radio profiles in the NWA controller APs. 6.5.7 Checking your Settings and Testing the Configuration The NWAs should be working at this point.
  • Page 107: The Web Configurator

    The Web Configurator System Screens (109) Wireless Configuration (119) SSID Screen (141) Wireless Security Screen (147) RADIUS Screen (161) Layer-2 Isolation Screen (165) MAC Filter Screen (171) IP Screen (175) Rogue AP Detection (179) Remote Management Screens (187) Internal RADIUS Server (199) Certificates (207) Log Screens (227) VLAN (235)
  • Page 109: System Screens

    Chapter 7 System Screens 7.1 Overview This chapter provides information and instructions on how to identify and manage your NWA over the network. Figure 72 NWA Setup DNS Server Internet NTP Server In the figure above, the NWA connects to a Domain Name Server (DNS) server to avail of a domain name.
  • Page 110: What You Need To Know

    Chapter 7 System Screens • Use the Time Setting screen (see Section 7.6 on page 116) to change your NWA’s time and date. This screen allows you to configure the NWA’s time based on your local time zone. 7.3 What You Need To Know IP Address Assignment Every computer on the Internet must have a unique IP address.
  • Page 111: Administrator Authentication On RADIUS

    Chapter 7 System Screens reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number; which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved).
  • Page 112: General Setup Screen

    Chapter 7 System Screens 7.4 General Setup Screen Use the General screen to identify your NWA over the network. Click System > General. The following screen displays. Figure 73 System > General The following table describes the labels in this screen. Table 23 System >...
  • Page 113: Configuring The Password

    Chapter 7 System Screens Table 23 System > General LABEL DESCRIPTION First DNS Server, Second DNS Server: Select From DHCP if your DHCP server dynamically assigns DNS server information (and the NWA's Ethernet IP address). The field to the right displays the (read-only) DNS server IP address that the DHCP assigns.
  • Page 114 Chapter 7 System Screens Note: Regardless of how you configure this screen, you still use the local system password to log in via the console port (for internal use only). Figure 74 System > Password. The following table describes the labels in this screen. Table 24 System >...
  • Page 115 Chapter 7 System Screens Table 24 System > Password LABEL DESCRIPTIONS Password Type a password (up to 31 ASCII characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type. Spaces are allowed. Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length.
  • Page 116: Configuring Time Setting

    Chapter 7 System Screens 7.6 Configuring Time Setting To change your NWA’s time and date, click SYSTEM > Time Setting. The screen appears as shown. Use this screen to configure the NWA’s time based on your local time zone. Figure 75 System > Time Setting The following table describes the labels in this screen.
  • Page 117 Chapter 7 System Screens Table 25 System > Time Setting LABEL DESCRIPTION New Date (yyyy:mm:dd) This field displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
  • Page 118: Technical Reference

    Chapter 7 System Screens 7.7 Technical Reference This section provides technical background information about the topics covered in this chapter. Pre-defined NTP Time Servers List When you turn on the NWA for the first time, the date and time start at 2000-01-01 00:00:00.
  • Page 119: Wireless Configuration

    Chapter 8 Wireless Configuration 8.1 Overview This chapter discusses the steps to configure the Wireless Settings screen on the NWA. It also introduces the Wireless LAN (WLAN) and some basic scenarios. Figure 76 Wireless Mode In the figure above, the NWA allows access to another bridge device (A) and a notebook computer (B) upon verifying their settings and credentials.
  • Page 120: What You Need To Know

    Chapter 8 Wireless Configuration 8.3 What You Need To Know The following are wireless network terminologies that are relevant to this chapter. A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP).
  • Page 121: Operating Mode

    Chapter 8 Wireless Configuration their associated wireless stations within the same ESS must have the same ESSID in order to communicate. Figure 78 Extended Service Set 8.3.1 Operating Mode The NWA can run in four operating modes as follows: • AP (Access Point). The NWA is a wireless access point that allows wireless communication to other devices in the network.
  • Page 122: MBSSID

    Chapter 8 Wireless Configuration SSID The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Normally, the ZyXEL Device acts like a beacon and regularly broadcasts the SSID in the area.
  • Page 123: Configuring Wireless Settings

    Chapter 8 Wireless Configuration MBSSID should not replace but rather be used in conjunction with 802.1x security. 8.4 Configuring Wireless Settings Click WIRELESS > Wireless. The screen varies depending upon the operating mode you select. 8.4.1 Access Point Mode Select Access Point as the Operating Mode to display the screen shown next. Figure 79 Wireless: Access Point NWA-3500/NWA-3550 User’s Guide...
  • Page 124 Chapter 8 Wireless Configuration The following table describes the general wireless LAN labels in this screen. Table 27 Wireless: Access Point LABEL DESCRIPTION WLAN Select which WLAN adapter you want to configure. Interface It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.
  • Page 125 Chapter 8 Wireless Configuration Table 27 Wireless: Access Point LABEL DESCRIPTION RTS/CTS Threshold The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake.
  • Page 126: Bridge / Repeater Mode

    Chapter 8 Wireless Configuration Table 27 Wireless: Access Point LABEL DESCRIPTION Rates Configuration This section controls the data rates permitted for clients. For each Rate, select an option from the Configuration list. The options are: • Basic (1~11 Mbps only): Clients can always connect to the access point at this speed.
  • Page 127 Chapter 8 Wireless Configuration To have the NWA act as a wireless bridge only, click WIRELESS > Wireless and select Bridge / Repeater as the Operating Mode. Figure 80 Wireless: Bridge / Repeater
  • Page 128 Chapter 8 Wireless Configuration The following table describes the bridge labels in this screen. Table 28 Wireless: Bridge / Repeater LABEL DESCRIPTIONS Operating Mode Select Bridge / Repeater in this field. Enable WDS Security Select this to turn on security for the NWA’s Wireless Distribution System (WDS).
  • Page 129: AP + Bridge Mode

    Chapter 8 Wireless Configuration Table 27 on page 124 for information on the other labels in this screen. 8.4.3 AP + Bridge Mode Select AP + Bridge as the Operating Mode in the WIRELESS > Wireless screen to have the NWA function as a bridge and access point simultaneously. See the section on applications for more information.
  • Page 130: MBSSID Mode

    Chapter 8 Wireless Configuration See the tables describing the fields in the Access Point and Bridge / Repeater operating modes for descriptions of the fields in this screen. 8.4.4 MBSSID Mode Use this screen to have the NWA function in MBSSID mode. Select MBSSID as the Operating Mode.
  • Page 131: Technical Reference

    Chapter 8 Wireless Configuration The following table describes the labels in this screen. Table 29 Wireless: MBSSID LABEL DESCRIPTION Operating Mode Select MBSSID in this field to display the screen as shown Select SSID Profile An SSID profile is the set of parameters relating to one of the NWA’s BSSs.
  • Page 132: STP Terminology

    Chapter 8 Wireless Configuration to propagate to the root bridge and unwanted learned addresses are flushed from the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding. 8.5.1.2 STP Terminology The root bridge is the base of the spanning tree; it is the bridge with the lowest identifier value (MAC address).
  • Page 133: STP Port States

    Chapter 8 Wireless Configuration 8.5.1.4 STP Port States STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops. Table 31 STP Port States PORT DESCRIPTIONS...
  • Page 134 Chapter 8 Wireless Configuration The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from a coverage area to another, it scans and uses the channel of a new access point, which then informs the other access points on the LAN about the change.
  • Page 135: Requirements For Roaming

    Chapter 8 Wireless Configuration Access point AP 1 updates the new position of wireless station Y. 8.5.3.1 Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas. • All the access points must be on the same subnet and configured with the same ESSID.
  • Page 136: Bridge / Repeater Example

    Chapter 8 Wireless Configuration 8.5.4 Bridge / Repeater Example This section shows an example of two NWAs in Bridge/Repeater mode forming a WDS (Wireless Distribution System) and allowing the computers in LAN 1 to connect to the computers in LAN 2. This is shown in the following figure. Figure 85 Bridging Example LAN2 LAN1...
  • Page 137: Quality Of Service

    Chapter 8 Wireless Configuration • If your NWA (in bridge mode) is connected to a wired LAN while communicating with another wireless bridge that is also connected to the same wired LAN. Figure 87 Bridge Loop: Bridge Connected to Wired LAN Bridge Bridge Ethernet...
  • Page 138: WMM QoS Priorities

    Chapter 8 Wireless Configuration reductions in data transmission for applications that are sensitive to latency (delay) and jitter (variations in delay). 8.5.6.1 WMM QoS Priorities The following table describes the WMM QoS priority levels that the NWA uses. Table 32 WMM QoS Priorities PRIORITY LEVEL DESCRIPTION...
  • Page 139: ATC+WMM

    Chapter 8 Wireless Configuration Table 33 Typical Packet Sizes APPLICATION | TIME SENSITIVITY | TYPICAL PACKET SIZE (BYTES) Web browsing (http) | Medium | 300 ~ 600 1500 When ATC is activated, the device sends traffic with smaller packets before traffic with larger packets if the network is congested. ATC assigns priority to packets as shown in the following table.
  • Page 140: ATC+WMM From WLAN To LAN

    Chapter 8 Wireless Configuration The following table shows how priorities are assigned for packets coming from the LAN to the WLAN. Table 35 ATC + WMM Priority Assignment (LAN to WLAN) PACKET SIZE (BYTES) | ATC VALUE | WMM VALUE 1 ~ 250 | ATC_High | WMM_VIDEO 250 ~ 1100...
  • Page 141: SSID Screen

    Chapter 9 SSID Screen 9.1 Overview This chapter describes how you can configure Service Set Identifier (SSID) profiles in your NWA. Figure 88 Sample SSID Profiles In the figure above, the NWA has three SSID profiles configured: a standard profile (SSID04), a profile with high QoS settings for Voice over IP (VoIP) users (VoIP_SSID), and a guest profile that allows visitors access only the Internet and the network printer (Guest_SSID).
  • Page 142: What You Need To Know

    Chapter 9 SSID Screen 9.3 What You Need To Know When the NWA is set to Access Point, AP + Bridge or MBSSID mode, you need to choose the SSID profile(s) you want to use in your wireless network (see Chapter 1 on page 31 for more information on operating modes).
  • Page 143: The SSID Screen

    Chapter 9 SSID Screen 9.4 The SSID Screen Use this screen to select the SSID profile you want to configure. Click Wireless > SSID to display the screen as shown. Figure 89 Wireless > SSID The following table describes the labels in this screen. Table 37 Wireless >...
  • Page 144: Configuring SSID

    Chapter 9 SSID Screen Table 37 Wireless > SSID LABEL DESCRIPTION Layer 2 Isolation This field displays which layer 2 isolation profile is currently associated with each SSID profile, or Disable if Layer 2 Isolation is not configured on an SSID profile. MAC Filter This field displays which MAC filter profile is currently associated with each SSID profile, or Disable if MAC filtering is not configured...
  • Page 145 Chapter 9 SSID Screen Table 38 Wireless > SSID > Edit LABEL DESCRIPTION Select the Quality of Service priority for this BSS’s traffic. • In the pre-configured VoIP_SSID profile, the QoS setting is VoIP. This is not user-configurable. The VoIP setting is available only on the VoIP_SSID profile, and provides the highest level of QoS.
  • Page 147: Wireless Security Screen

    Chapter 10 Wireless Security Screen 10.1 Overview This chapter describes how to use the Wireless Security screen. This screen allows you to configure the security mode for your NWA. Wireless security is vital to your network. It protects communications between wireless stations, access points and the wired network.
  • Page 148: What You Need To Know

    Chapter 10 Wireless Security Screen 10.3 What You Need To Know User Authentication Authentication is the process of verifying whether a wireless device is allowed to use the wireless network. You can make every user log in to the wireless network before they can use it.
  • Page 149 Chapter 10 Wireless Security Screen • 802.1x-Only. This is a standard that extends the features of IEEE 802.11 to support extended authentication. It provides additional accounting and control features. This option does not support data encryption. • 802.1x-Static64. This provides 802.1x-Only authentication with a static 64bit WEP key and an authentication server.
  • Page 150: The Security Screen

    Chapter 10 Wireless Security Screen Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2) or Generic Token Card (GTC). Further information on these terms can be found in Appendix B on page 233. 10.4 The Security Screen Note: The following screens are configurable only in Access Point, AP + Bridge and MBSSID operating modes.
  • Page 151: Security: WEP

    Chapter 10 Wireless Security Screen Table 40 Wireless > Security LABEL DESCRIPTION Security Mode This field displays the security mode this security profile uses. Edit Select an entry from the list and click Edit to configure security settings for that profile. After selecting the security profile you want to edit, the following screen appears.
  • Page 152 Chapter 10 Wireless Security Screen The following table describes the labels in this screen. Table 41 Wireless > Security: WEP LABEL DESCRIPTION Profile Name Type a name to identify this security profile. Security Mode Choose WEP in this field. WEP Encryption Select Disable to allow wireless stations to communicate with the access points without any data encryption.
  • Page 153: Security: 802.1x Only

    Chapter 10 Wireless Security Screen 10.4.2 Security: 802.1x Only Use this screen to set the selected profile to 802.1x Only security mode. Select 802.1x-Only in the Security Mode field to display the following screen. Figure 95 Wireless > Security: 802.1x Only The following table describes the labels in this screen.
  • Page 154: Security: 802.1x Static 64-Bit, 802.1x Static 128-Bit

    Chapter 10 Wireless Security Screen 10.4.3 Security: 802.1x Static 64-bit, 802.1x Static 128-bit Use this screen to set the selected profile to 802.1x Static 64 or 802.1x Static 128 security mode. Select 802.1x Static 64 or 802.1x Static 128 in the Security Mode field to display the following screen.
  • Page 155: Security: WPA

    Chapter 10 Wireless Security Screen Table 43 Wireless > Security: 802.1x Static 64-bit, 802.1x Static 128-bit LABEL DESCRIPTION ReAuthentication Timer Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
  • Page 156: Security: WPA2 Or WPA2-MIX

    Chapter 10 Wireless Security Screen Table 44 Wireless > Security: WPA LABEL DESCRIPTION ReAuthentication Timer Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
  • Page 157 Chapter 10 Wireless Security Screen The following table describes the labels not previously discussed. Table 45 Wireless > Security: WPA2 or WPA2-MIX LABEL DESCRIPTIONS Profile Name Type a name to identify this security profile. Security Mode Choose WPA2 or WPA2-MIX in this field. ReAuthentication Timer Specify how often wireless stations have to resend usernames and...
  • Page 158: Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX

    Chapter 10 Wireless Security Screen 10.4.6 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX Use this screen to set the selected profile to WPA-PSK, WPA2-PSK or WPA2-PSK-MIX security mode. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in the Security Mode field to display the following screen. Figure 99 Wireless >...
  • Page 159: Technical Reference

    Chapter 10 Wireless Security Screen Table 46 Wireless > Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX LABEL DESCRIPTION Group Key Update Timer The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis.
  • Page 161: RADIUS Screen

    Chapter 11 RADIUS Screen 11.1 Overview This chapter describes how you can use the Wireless > RADIUS screen. Remote Authentication Dial In User Service (RADIUS) is a protocol that can be used to manage user access to large networks. It is based on a client-server model that supports authentication, authorization and accounting.
  • Page 162: What You Need To Know

    Chapter 11 RADIUS Screen 11.3 What You Need To Know The RADIUS server handles the following tasks: • Authentication which determines the identity of the users. • Authorization which determines the network services available to authenticated users once they are connected to the network. •...
  • Page 163: The RADIUS Screen

    Chapter 11 RADIUS Screen 11.4 The RADIUS Screen Use this screen to set up your NWA’s RADIUS server settings. Click Wireless > RADIUS. The screen appears as shown. Figure 101 Wireless > RADIUS The following table describes the labels in this screen. Table 47 Wireless >...
  • Page 164 Chapter 11 RADIUS Screen Table 47 Wireless > RADIUS LABEL DESCRIPTION Internal Select this check box to use the NWA’s internal authentication server. The Active, RADIUS Server IP Address, RADIUS Server Port and Share Secret fields are not available when you use the internal authentication server.
  • Page 165: Layer-2 Isolation Screen

    Chapter 12 Layer-2 Isolation Screen 12.1 Overview This chapter describes how you can configure the Layer-2 Isolation screen on your NWA. Layer-2 isolation is used to prevent wireless clients associated with your NWA from communicating with other wireless clients, APs, computers or routers in a network.
  • Page 166: What You Can Do In The Layer-2 Isolation Screen

    Chapter 12 Layer-2 Isolation Screen MAC addresses that are not listed in the Allow devices with these MAC addresses table of the Wireless > Layer-2 Isolation screen are blocked from communicating with the NWA’s wireless clients except for broadcast packets. Layer-2 isolation does not check the traffic between wireless clients that are associated with the same AP.
  • Page 167: The Layer-2 Isolation Screen

    Chapter 12 Layer-2 Isolation Screen 12.4 The Layer-2 Isolation Screen Use this screen to select and configure a layer-2 isolation profile. Click Wireless > Layer-2 Isolation. The screen appears as shown next. Figure 103 Wireless > Layer 2 Isolation The following table describes the labels in this screen. Table 48 Wireless >...
  • Page 168 Chapter 12 Layer-2 Isolation Screen Note: When configuring this screen, remember to select the correct layer-2 isolation profile in the Wireless > SSID > Edit screen of the relevant SSID profile. Figure 104 Wireless > Layer-2 Isolation > Edit The following table describes the labels in this screen. Table 49 Wireless >...
  • Page 169: Technical Reference

    Chapter 12 Layer-2 Isolation Screen Table 49 Wireless > Layer-2 Isolation > Edit LABEL DESCRIPTION Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. 12.5 Technical Reference This section provides technical background information on the topics discussed in this chapter.
  • Page 170 Chapter 12 Layer-2 Isolation Screen • Enter C’s MAC address in the MAC Address field, and enter “File Server C” in the Description field. Figure 106 Layer-2 Isolation Example 1 Example 2: Restricting Access to Client In the following example wireless clients 1 and 2 can communicate with access point B and file server C but not wireless client 3.
  • Page 171: MAC Filter Screen

    Chapter 13 MAC Filter Screen 13.1 Overview This chapter discusses how you can use the Wireless > MAC Filter screen. The MAC filter function allows you to configure the NWA to grant access to devices (Allow Association) or exclude devices from accessing the NWA (Deny Association).
  • Page 172: What You Should Know About MAC Filter

    Chapter 13 MAC Filter Screen 13.3 What You Should Know About MAC Filter Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of each device to configure MAC filtering on the NWA.
  • Page 173: Configuring The MAC Filter

    Chapter 13 MAC Filter Screen The following table describes the labels in this screen. Table 50 Wireless > MAC Filter LABEL DESCRIPTION Index This is the index number of the profile. Profile Name This field displays the name given to a MAC filter profile in the MAC Filter Configuration screen.
  • Page 174 Chapter 13 MAC Filter Screen Table 51 Wireless > MAC Filter > Edit LABEL DESCRIPTION Index This is the index number of the MAC address. MAC Address Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless station to be allowed or denied access to the NWA. Description Type a name to identify this wireless station.
  • Page 175: IP Screen

    Chapter 14 IP Screen 14.1 Overview This chapter describes how you can configure the IP address of your NWA. The Internet Protocol (IP) address identifies a device on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network.
  • Page 176: What You Need To Know About IP

    Chapter 14 IP Screen 14.3 What You Need To Know About IP The Ethernet parameters of the NWA are preset in the factory with the following values: IP address of 192.168.1.2 Subnet mask of 255.255.255.0 (24 bits) These parameters should work for the majority of installations. 14.4 The IP Screen Use this screen to configure the IP address for your NWA.
  • Page 177: Technical Reference

    Chapter 14 IP Screen Table 52 IP Setup LABEL DESCRIPTION IP Subnet Mask Type the subnet mask. Gateway IP Address Type the IP address of the gateway. The gateway is an immediate neighbor of your NWA that will forward the packet to the destination.
  • Page 179: Rogue AP Detection

    Chapter 15 Rogue AP Detection 15.1 Overview This chapter discusses rogue wireless access points and how to configure the NWA’s rogue AP detection feature. Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can open up holes in a network’s security.
  • Page 180: What You Can Do In The Rogue AP Screen

    Chapter 15 Rogue AP Detection (the dashed ellipse B) is well-secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available encryption-cracking software. In this example, the attacker now has access to the company network, including sensitive data stored on the file server (C).
  • Page 181 Chapter 15 Rogue AP Detection that of a neighbor (for example) you should also add these APs to the list, as they do not compromise your own network’s security. If you do not add them to the friendly AP list, these access points will appear in the Rogue AP list each time the NWA scans.
  • Page 182: Configuration Screen

    Chapter 15 Rogue AP Detection 15.3.1 Configuration Screen Use this screen to enable your NWA’s Rogue AP detection settings. Click Rogue AP > Configuration. The following screen appears: Figure 115 Rogue AP > Configuration The following table describes the labels in this screen. Table 54 Rogue AP >...
  • Page 183: Friendly AP Screen

    Chapter 15 Rogue AP Detection 15.3.2 Friendly AP Screen Use this screen to specify APs as trusted. Click Rogue AP > Friendly AP. The following screen appears: Figure 116 Rogue AP > Friendly AP The following table describes the labels in this screen. Table 55 Rogue AP >...
  • Page 184: Rogue AP Screen

    Chapter 15 Rogue AP Detection 15.3.3 Rogue AP Screen Use this screen to display details of all wireless access points within the NWA’s coverage area. Click Rogue AP > Rogue AP. The following screen displays. Figure 117 Rogue AP > Rogue AP The following table describes the labels in this screen.
  • Page 185 Chapter 15 Rogue AP Detection Table 56 Rogue AP > Rogue AP LABEL DESCRIPTION Description If you want to move the AP’s entry to the friendly AP list, enter a short, explanatory description identifying the AP before you click Add to Friendly AP List. A maximum of 32 alphanumeric characters are allowed in this field.
  • Page 187: Remote Management Screens

    Chapter 16 Remote Management Screens 16.1 Overview This chapter shows you how to enable remote management of your NWA. It provides information on determining which services or protocols can access which of the NWA’s interfaces. Remote Management allows a user to administrate the device over the network. You can manage your NWA from a remote location via the following interfaces: •...
  • Page 188: What You Can Do In The Remote Management Screens

    Chapter 16 Remote Management Screens 16.2 What You Can Do in the Remote Management Screens • Use the Telnet screen (see Section 16.4 on page 190) to configure through which interface(s) and from which IP address(es) you can use Telnet to manage the ZyXEL Device.
  • Page 189 Chapter 16 Remote Management Screens version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Note: SNMP is only available if TCP/IP is configured. Figure 119 SNMP Management Mode An SNMP managed network consists of two main types of component: agents and a manager.
  • Page 190: The Telnet Screen

    Chapter 16 Remote Management Screens 1. Telnet 2. HTTP System Timeout There is a default system management idle timeout of five minutes (three hundred seconds). The NWA automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
  • Page 191: The Ftp Screen

    Chapter 16 Remote Management Screens Table 57 Remote MGNT > Telnet LABEL DESCRIPTION Secured Client IP Address A secured client is a “trusted” computer that is allowed to communicate with the NWA using this service. Select All to allow any computer to access the NWA using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service.
  • Page 192: The Www Screen

    Chapter 16 Remote Management Screens The following table describes the labels in this screen. Table 58 Remote MGNT > FTP LABEL DESCRIPTION Server Port You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 193 Chapter 16 Remote Management Screens The following table describes the labels in this screen. Table 59 Remote MGNT > WWW LABEL DESCRIPTION Server Port You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 194: The Snmp Screen

    Chapter 16 Remote Management Screens 16.7 The SNMP Screen Use this screen to have a manager station administrate your NWA over the network. To change your NWA’s SNMP settings, click REMOTE MGMT > SNMP. The following screen displays. Figure 123 Remote MGNT > SNMP The following table describes the labels in this screen.
  • Page 195: Technical Reference

    Chapter 16 Remote Management Screens Table 60 Remote MGNT > SNMP LABEL DESCRIPTION User Profile This field is available only when you select SNMPv3 in the SNMP Version field. When sending SNMP v3 traps (messages sent independently by the SNMP agent) the agent must authenticate the SNMP manager. If the SNMP manager does not provide the correct security details, the agent does not send the traps.
  • Page 196: Supported Mibs

    Chapter 16 Remote Management Screens device. Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP itself is a simple request/response protocol based on the manager/agent model.
  • Page 197 Chapter 16 Remote Management Screens Table 61 SNMP Traps # TRAP NAME OBJECT IDENTIFIER (OID) DESCRIPTION authenticationFailure (defined in RFC-1215) 1.3.6.1.6.3.1.1.5.5 The device sends this trap when it receives any SNMP get or set requirements with the wrong community (password). Note: snmpEnableAuthenTraps, OID 1.3.6.1.2.1.11.30 (defined in RFC 1214 and RFC 1907) must be enabled on in...
  • Page 198 Chapter 16 Remote Management Screens NWA-3500/NWA-3550 User’s Guide...
  • Page 199: Internal Radius Server

    Chapter 17 Internal RADIUS Server 17.1 Overview This chapter describes how the NWA can use its internal RADIUS server to authenticate wireless clients. Remote Authentication Dial In User Service (RADIUS) is a protocol that enables you to control access to a network by authenticating user credentials. The following figure shows the NWA (Z) using its internal RADIUS server to control access to a wired network.
  • Page 200: What You Can Do In The Internal Radius Server Screens

    Chapter 17 Internal RADIUS Server 17.2 What You Can Do in the Internal Radius Server Screens • Use the AUTH. SERVER > Setting screen (see Section 17.4 on page 200) to turn the NWA’s internal RADIUS server off or on and to view information about the NWA’s certificates.
  • Page 201 Chapter 17 Internal RADIUS Server Click AUTH. SERVER > Setting. The following screen displays. Figure 125 Setting Screen The following table describes the labels in this screen. Table 63 Internal RADIUS Server Setting Screen LABEL DESCRIPTION Active Select the Active check box to have the NWA use its internal RADIUS server to authenticate wireless clients or other APs.
  • Page 202: The Trusted Ap Screen

    Chapter 17 Internal RADIUS Server Table 63 Internal RADIUS Server Setting Screen (continued) LABEL DESCRIPTION Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
  • Page 203 Chapter 17 Internal RADIUS Server Figure 126 Trusted AP Screen The following table describes the labels in this screen. Table 64 Trusted AP Screen LABEL DESCRIPTION This field displays the trusted AP index number. Active Select this check box to have the NWA use the IP Address and Shared Secret to authenticate a trusted AP.
  • Page 204: The Trusted Users Screen

    Chapter 17 Internal RADIUS Server 17.6 The Trusted Users Screen Use this screen to configure trusted user entries. Click AUTH. SERVER > Trusted Users. The following screen displays. Figure 127 Trusted Users Screen The following table describes the labels in this screen. Table 65 Trusted Users LABEL DESCRIPTION...
  • Page 205: Technical Reference

    Chapter 17 Internal RADIUS Server 17.7 Technical Reference This section provides some technical background information about the topics covered in this chapter. A trusted AP is an AP that uses the NWA’s internal RADIUS server to authenticate its wireless clients. Each wireless client must have a user name and password configured in the AUTH.
  • Page 206 Chapter 17 Internal RADIUS Server Note: The internal RADIUS server does not support domain accounts (DOMAIN/user). When you configure your Windows XP SP2 Wireless Zero Configuration PEAP/MS-CHAPv2 settings, deselect the Use Windows logon name and password check box. When authentication begins, a pop-up dialog box requests you to type a Name, Password and Domain of the RADIUS server.
  • Page 207: Certificates

    Chapter 18 Certificates 18.1 Overview This chapter describes how your NWA can use certificates as a means of authenticating wireless clients. It gives background information about public-key certificates and explains how to use them. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
  • Page 208: What You Need To Know

    Chapter 18 Certificates 18.3 What You Need To Know A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. Note that the NWA also trusts any valid certificate signed by any of the imported trusted CA certificates.
  • Page 209 Chapter 18 Certificates Note: Certificates display in black and certification requests display in gray. Figure 130 Certificates > My Certificates The following table describes the labels in this screen. Table 66 Certificates > My Certificates LABEL DESCRIPTION PKI Storage This bar displays the percentage of the NWA’s PKI storage space that is Space in Use currently in use.
  • Page 210: My Certificates Import Screen

    Chapter 18 Certificates Table 66 Certificates > My Certificates (continued) LABEL DESCRIPTION Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable. Valid To This field displays the date that the certificate expires.
  • Page 211: My Certificates Create Screen

    Chapter 18 Certificates Note: You can import only a certificate that matches a corresponding certification request that was generated by the NWA. Note: The certificate you import replaces the corresponding request in the My Certificates screen. Note: You must remove any spaces from the certificate’s filename before you can import it.
  • Page 212 Chapter 18 Certificates Click Certificates > My Certificates and then Create to open the My Certificate Create screen. The following figure displays. Figure 132 Certificates > My Certificate Create The following table describes the labels in this screen. Table 68 Certificates > My Certificate Create LABEL DESCRIPTION Certificate Name...
  • Page 213 Chapter 18 Certificates Table 68 Certificates > My Certificate Create (continued) LABEL DESCRIPTION Organization Type up to 127 characters to identify the company or group to which the certificate owner belongs. You may use any character, including spaces, but the NWA drops trailing spaces. Country Type up to 127 characters to identify the nation where the certificate owner is located.
  • Page 214: My Certificates Details Screen

    Chapter 18 Certificates Table 68 Certificates > My Certificate Create (continued) LABEL DESCRIPTION CA Certificate Select the certification authority’s certificate from the CA Certificate drop-down list box. You must have the certification authority’s certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the NWA's list of certificates of trusted certification authorities.
  • Page 215 Chapter 18 Certificates Click Certificates > My Certificates to open the My Certificates screen (Figure 130 on page 209). Click the details button to open the My Certificate Details screen. Figure 133 Certificates > My Certificate Details NWA-3500/NWA-3550 User’s Guide...
  • Page 216 Chapter 18 Certificates The following table describes the labels in this screen. Table 69 Certificates > My Certificate Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate.
  • Page 217 Chapter 18 Certificates Table 69 Certificates > My Certificate Details (continued) LABEL DESCRIPTION Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable. Valid To This field displays the date that the certificate expires.
  • Page 218: Trusted Cas Screen

    Chapter 18 Certificates 18.5 Trusted CAs Screen Use this screen to view the list of trusted certificates. The NWA accepts any valid certificate signed by a certification authority on this list as being trustworthy. You do not need to import any certificate that is signed by any certification authority on this list.
  • Page 219: Trusted Cas Import Screen

    Chapter 18 Certificates Table 70 Trusted CAs (continued) LABEL DESCRIPTION CRL Issuer This field displays Yes if the certification authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate’s details screen to have the NWA check the CRL before trusting any certificates issued by the certification authority.
  • Page 220: Trusted Cas Details Screen

    Chapter 18 Certificates The following table describes the labels in this screen. Table 71 Certificates > Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it.
  • Page 221 Chapter 18 Certificates Click Certificates > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CAs Details screen. Figure 136 Certificates > Trusted CAs Details The following table describes the labels in this screen. Table 72 Certificates >...
  • Page 222 Chapter 18 Certificates Table 72 Certificates > Trusted CAs Details (continued) LABEL DESCRIPTION Certificate Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
  • Page 223: Technical Reference

    Chapter 18 Certificates Table 72 Certificates > Trusted CAs Details (continued) LABEL DESCRIPTION Key Usage This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
  • Page 224: Private-Public Certificates

    Chapter 18 Certificates 18.6.1 Private-Public Certificates When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure. These keys work like a handwritten signature (in fact, certificates are often referred to as “digital signatures”).
  • Page 225: Checking The Fingerprint Of A Certificate On Your Computer

    Chapter 18 Certificates 18.6.3 Checking the Fingerprint of a Certificate on Your Computer A certificate’s fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate. Browse to where you have the certificate saved on your computer.
  • Page 226 Chapter 18 Certificates Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary according to your situation. Possible examples would be over the telephone or through an HTTPS connection.
  • Page 227: Log Screens

    Chapter 19 Log Screens 19.1 Overview This chapter provides information on viewing and generating logs on your NWA. Logs are files that contain recorded network activity over a set period. They are used by administrators to monitor the health of the computer system(s) they are managing.
  • Page 228: What You Can Do In The Log Screens

    Chapter 19 Log Screens 19.2 What You Can Do in the Log Screens • Use the View Log screen (Section 19.4 on page 228) to display all logs or logs for a certain category. You can view logs and alert messages in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted.
  • Page 229: The Log Settings Screen

    Chapter 19 Log Screens Click Logs > View Log. The following screen displays. Figure 140 Logs > View Log The following table describes the labels in this screen. Table 73 Logs > View Log LABEL DESCRIPTION Display Select a log category from the drop down list box to display logs within the selected category.
  • Page 230 Chapter 19 Log Screens Click Logs > Log Settings. The following screen displays. Figure 141 Logs > Log Settings The following table describes the labels in this screen. Table 74 Logs > Log Settings LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
  • Page 231 Chapter 19 Log Screens Table 74 Logs > Log Settings LABEL DESCRIPTION Send Alerts to Enter the e-mail address where the alert messages will be sent. If this field is left blank, alert messages will not be sent via e-mail. SMTP Authentication If you use SMTP authentication, the mail receiver should be the...
  • Page 232: Technical Reference

    Chapter 19 Log Screens 19.6 Technical Reference This section provides some technical background information about the topics covered in this chapter. 19.6.1 Example Log Messages This section provides descriptions of some example log messages. Table 75 System Maintenance Logs LOG MESSAGE DESCRIPTION The NWA has adjusted its time based on information from Time calibration is...
  • Page 233: Log Commands

    Chapter 19 Log Screens Table 76 ICMP Notes (continued) TYPE CODE DESCRIPTION A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network. Redirect Redirect datagrams for the Network Redirect datagrams for the Host...
  • Page 234: Displaying Logs

    Chapter 19 Log Screens Use sys logs category followed by a log category and a parameter to decide what to record Table 78 Log Categories and Available Settings LOG CATEGORIES AVAILABLE PARAMETERS error 0, 1, 2, 3 mten 0, 1 to not record logs for that category, to record only logs for that category, record only alerts for that category, and...
  • Page 235: Vlan

    Chapter 20 VLAN 20.1 Overview This chapter discusses how to configure VLAN on the NWA. A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Stations on a logical network can belong to one or more groups.
  • Page 236: What You Need To Know About Vlan

    Chapter 20 VLAN 20.3 What You Need To Know About VLAN When you use wireless VLAN and RADIUS VLAN together, the NWA first tries to assign VLAN IDs based on RADIUS VLAN configuration. If a client’s user name does not match an entry in the RADIUS VLAN screen, the NWA assigns a VLAN ID based on the settings in the Wireless VLAN screen.
  • Page 237: Wireless Vlan Screen

    Chapter 20 VLAN 20.4 Wireless VLAN Screen Use this screen to enable and configure your Wireless Virtual LAN setup. Click VLAN > Wireless VLAN. The following screen appears. Figure 143 VLAN > Wireless VLAN NWA-3500/NWA-3550 User’s Guide...
  • Page 238 Chapter 20 VLAN The following table describes the labels in this screen. Table 79 VLAN > Wireless VLAN FIELD DESCRIPTION Enable VIRTUAL LAN Select this box to enable VLAN tagging. Management VLAN ID Enter a number from 1 to 4094 to define this VLAN group. At least one device in your network must belong to this VLAN group in order to manage the NWA.
  • Page 239: Radius Vlan Screen

    Chapter 20 VLAN 20.4.1 RADIUS VLAN Screen Use this screen to configure your RADIUS Virtual LAN setup. Click VLAN > RADIUS VLAN. The following screen appears. Figure 144 VLAN > RADIUS VLAN The following table describes the labels in this screen. Table 80 VLAN >...
  • Page 240: Technical Reference

    Chapter 20 VLAN Table 80 VLAN > RADIUS VLAN LABEL DESCRIPTION Name Type a name to have the NWA check for specific VLAN attributes on incoming messages from the RADIUS server. Access-accept packets sent by the RADIUS server contain VLAN related attributes. The configured Name fields are checked against these attributes.
  • Page 241 Chapter 20 VLAN On an Ethernet switch, create a VLAN that has the same management VLAN ID as the NWA. The following figure has the NWA connected to port 2 of the switch and your computer connected to port 1. The management VLAN ID is ten. Figure 145 Management VLAN Configuration Example Perform the following steps in the switch web configurator: 1 Click VLAN under Advanced Application.
  • Page 242 Chapter 20 VLAN Click Apply. The following screen displays. Figure 147 VLAN-Aware Switch Click VLAN Status to display the following screen. Figure 148 VLAN-Aware Switch - VLAN Status Follow the instructions in the Quick Start Guide to set up your NWA for configuration.
  • Page 243: Configuring Microsoft's Ias Server Example

    Chapter 20 VLAN Click Apply. Figure 149 VLAN Setup The NWA attempts to connect with a VLAN-aware device. You can now access and manage the NWA through the Ethernet switch. Note: If you do not connect the NWA to a correctly configured VLAN-aware device, you will lock yourself out of the NWA.
  • Page 244: Configuring Vlan Groups

    Chapter 20 VLAN ZyXEL uses the following standard RADIUS attributes returned from Microsoft’s IAS RADIUS service to place the wireless station into the correct VLAN: Table 81 Standard RADIUS Attributes ATTRIBUTE NAME TYPE VALUE Tunnel-Type 13 (decimal) – VLAN Tunnel-Medium-Type 6 (decimal) –...
  • Page 245: Configuring Remote Access Policies

    Chapter 20 VLAN Click OK. Figure 150 New Global Security Group In VLAN Group ID Properties, click the Members tab. • The IAS uses group memberships to determine which user accounts belong to which VLAN groups. Click the Add button and configure the VLAN group details.
  • Page 246 Chapter 20 VLAN 1 Using the Remote Access Policy option on the Internet Authentication Service management interface, create a new VLAN Policy for each VLAN Group defined in the previous section. The order of the remote access policies is important. The most specific policies should be placed at the top of the policy list and the most general at the bottom.
  • Page 247 Chapter 20 VLAN The Select Groups window displays. Select a remote access policy and click the Add button. The policy is added to the field below. Only one VLAN Group should be associated with each policy. Click OK and Next in the next few screens to accept the group value. Figure 154 Adding VLAN Group When the Permissions options screen displays, select Grant remote access permission.
  • Page 248 Chapter 20 VLAN Clear the check boxes for all other authentication types listed below the drop- down list box. Figure 156 Authentication Tab Settings Click the Encryption tab. Select the Strongest encryption option. This step is not required for EAP-MD5, but is performed as a safeguard. Figure 157 Encryption Tab Settings Click the IP tab and select the Client may request an IP address check box for DHCP support.
  • Page 249 Chapter 20 VLAN • Click the Add button to add an additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment. Figure 158 Connection Attributes Screen 11 The RADIUS Attribute screen displays. From the list, three RADIUS attributes will be added: • Tunnel-Medium-Type • Tunnel-Pvt-Group-ID...
  • Page 250 Chapter 20 VLAN 11c Click the Add button. Figure 159 RADIUS Attribute Screen 12 The Enumerable Attribute Information screen displays. Select the 802 value from the Attribute value drop-down list box. • Click OK. Figure 160 802 Attribute Setting for Tunnel-Medium-Type 13 Return to the RADIUS Attribute Screen shown as Figure 159 on page 250.
  • Page 251 Chapter 20 VLAN the VLAN Group specified in this policy will be given a VLAN ID specified in the NWA VLAN table. 14b Click OK. Figure 161 VLAN ID Attribute Setting for Tunnel-Pvt-Group-ID 15 Return to the RADIUS Attribute Screen shown as Figure 159 on page 250.
  • Page 252 Chapter 20 VLAN 17b The completed Advanced tab configuration should resemble the following screen. Figure 163 Completed Advanced Tab Note: Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list.
  • Page 253: Second Rx Vlan Id Example

    Chapter 20 VLAN 20.5.4 Second Rx VLAN ID Example In this example, the NWA is configured to tag packets from SSID01 with VLAN ID 1 and tag packets from SSID02 with VLAN ID 2. VLAN 1 and VLAN 2 have access to a server, S, and the Internet, as shown in the following figure.
  • Page 254 Chapter 20 VLAN Click VLAN > Wireless VLAN. If VLAN is not already enabled, click Enable Virtual LAN and set up the Management VLAN ID (see Section 20.5.2 on page 240). Note: If no devices are in the management VLAN, then no one will be able to access the NWA and you will have to restore the default configuration file.
  • Page 255: Load Balancing

    Chapter 21 Load Balancing 21.1 Overview Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users.
  • Page 256 Chapter 21 Load Balancing Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers. The coffee shop owner can’t possibly know how many connections his NWA will have at any given moment. As such, he decides to put a limit on the bandwidth that is available to his customers but not on the actual number of connections he allows.
  • Page 257: The Load Balancing Screen

    Chapter 21 Load Balancing The requirements for load balancing are fairly straightforward and should be met in order for a group of similar NWAs to take advantage of the feature: • They should all be within the same subnet. •...
  • Page 258: Disassociating And Delaying Connections

    Chapter 21 Load Balancing Table 82 Load Balancing FIELD DESCRIPTION Dissociate station when overloaded Select this to “kick” connections to the AP when it becomes overloaded. If you leave this unchecked, then the AP simply delays the connection until it can afford the bandwidth it requires, or it shunts the connection to another AP within its broadcast radius.
  • Page 259 Chapter 21 Load Balancing can afford the bandwidth for it or the red laptop is picked up by a different AP that has bandwidth to spare. Figure 168 Delaying a Connection The second response your AP can take is to kick the connections that are pushing it over its balanced bandwidth allotment.
  • Page 260 Chapter 21 Load Balancing NWA-3160 Series User’s Guide...
  • Page 261: Dynamic Channel Selection

    Chapter 22 Dynamic Channel Selection 22.1 Overview This chapter discusses how to configure dynamic channel selection on the NWA. Dynamic channel selection is a feature that allows your NWA to automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices.
  • Page 262: The Dcs Screen

    Chapter 22 Dynamic Channel Selection In this example, if the NWA attempts to broadcast on channels 1, 2, or 3 it is met with cross-channel interference from the other AP that shares the channel. This can result in noticeably slower data transfer rates, the dropping of the connection altogether, or even lost data packets.
  • Page 263 Chapter 22 Dynamic Channel Selection Table 83 Load Balancing FIELD DESCRIPTION DCS Client Aware Select Enable to have the NWA wait until all connected clients have disconnected before switching channels. If you select Disable then the NWA switches channels immediately regardless of any client connections. In this instance, clients that are connected to the AP when it switches channels are dropped.
  • Page 264 Chapter 22 Dynamic Channel Selection NWA-3160 Series User’s Guide...
  • Page 265: Maintenance

    Chapter 23 Maintenance 23.1 Overview This chapter describes the maintenance screens. It discusses how you can view the association list and channel usage, upload new firmware, manage configuration and restart your NWA without turning it off and on. 23.2 What You Can Do in the Maintenance Screens The following is a list of the maintenance screens you can configure on the NWA.
  • Page 266: What You Need To Know About The Maintenance Screens

    Chapter 23 Maintenance 23.3 What You Need To Know About the Maintenance Screens Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, for example "[Model #].bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
  • Page 267 Chapter 23 Maintenance Note: The Poll Interval field is configurable. The fields in this screen vary according to the current wireless mode of each WLAN adaptor. Figure 173 Maintenance > System Status: Show Statistics The following table describes the labels in this screen. Table 85 Maintenance >...
  • Page 268: Association List Screen

    Chapter 23 Maintenance Table 85 Maintenance > System Status: Show Statistics LABEL DESCRIPTION WLAN1 This section displays only when wireless LAN adaptor WLAN1 is in AP+Bridge or Bridge/Repeater mode. WLAN2 This section displays only when wireless LAN adaptor WLAN2 is in AP+Bridge or Bridge/Repeater mode.
  • Page 269: Channel Usage Screen

    Chapter 23 Maintenance Table 86 Maintenance > Association List LABEL DESCRIPTION Association Time This field displays the time a wireless station first associated with the NWA. SSID This field displays the SSID to which the wireless station is associated. Signal This field displays the RSSI (Received Signal Strength Indicator) of the wireless connection.
  • Page 270: F/W Upload Screen

    Chapter 23 Maintenance The following table describes the labels in this screen. Table 87 Maintenance > Channel Usage LABEL DESCRIPTION SSID This is the Service Set IDentification name of the AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network.
  • Page 271 Chapter 23 Maintenance The following table describes the labels in this screen. Table 88 Maintenance > F/W Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...
  • Page 272: Configuration Screen

    Chapter 23 Maintenance If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 179 Firmware Upload Error 23.8 Configuration Screen Use this screen to back up or upload your NWA’s configuration file. You can also reset the configuration of your device in this screen.
  • Page 273: Restore Configuration

    Chapter 23 Maintenance it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the NWA’s current configuration to your computer. 23.8.2 Restore Configuration Restore configuration allows you to upload a new or previously saved configuration file from your computer to your NWA.
  • Page 274: Back To Factory Defaults

    Chapter 23 Maintenance If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default NWA IP address (192.168.1.2). See your Quick Start Guide for details on how to set up your computer’s IP address.
  • Page 275 Chapter 23 Maintenance Click Maintenance > Restart. The following screen displays. Click Restart to have the NWA reboot. This does not affect the NWA's configuration. Figure 185 Restart Screen NWA-3500/NWA-3550 User’s Guide...
  • Page 276 Chapter 23 Maintenance NWA-3500/NWA-3550 User’s Guide...
  • Page 277: Troubleshooting And Specifications

    Troubleshooting and Specifications Troubleshooting (279) Product Specifications (285)
  • Page 279: Troubleshooting

    Chapter 24 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power and Hardware Connections • NWA Access and Login • Internet Access •...
  • Page 280 Chapter 24 Troubleshooting If you changed the static IP address and have forgotten it, you have to reset the device to its factory defaults. Contact your vendor. If you set the NWA to get a dynamically assigned IP address from a DHCP server, check your DHCP server for the IP address assigned to the ZyXEL Device.
  • Page 281: Internet Access

    Chapter 24 Troubleshooting • Try to access the NWA using another service, such as Telnet. If you can access the NWA, check the remote management settings to find out why the NWA does not respond to HTTP. I can see the Login screen, but I cannot log in to the NWA. Make sure you have entered the user name and password correctly.
  • Page 282 Chapter 24 Troubleshooting Check the hardware connections, and make sure the NWA is connected to a broadband modem or router that provides Internet access. See the Quick Start Guide. Make sure your Internet account is activated and you entered your ISP account information correctly in the broadband modem or router to which the NWA is connected.
  • Page 283: Wireless Router/Ap Troubleshooting

    Chapter 24 Troubleshooting Advanced Suggestions • Check the settings for QoS. If it is disabled, you might consider activating it. If it is enabled, you might consider raising or lowering the priority for some applications. 24.4 Wireless Router/AP Troubleshooting I cannot access the NWA or ping any computer from the WLAN. Make sure the wireless LAN is enabled on the NWA. Make sure the wireless adapter on the wireless client is working properly.
  • Page 285: Product Specifications

    Chapter 25 Product Specifications The following tables summarize the NWA’s hardware and firmware features. Table 90 NWA-3550 Hardware Specifications SPECIFICATION DESCRIPTION Dimensions 256 (W) x 246 (D) x 82 (H) mm Weight 2000 g Power PoE draw: 48V 20W at least Ethernet Port Auto-negotiating: 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode.
  • Page 286 Chapter 25 Product Specifications Antenna SMA antenna connectors, equipped by default with 2dBi omni Specifications antenna, 60° When facing the front of the NWA, the antenna on the right is used by wireless LAN adaptor WLAN1, and the antenna on the left is used by wireless LAN adaptor WLAN2.
  • Page 287 Chapter 25 Product Specifications SSL Passthrough SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers.
  • Page 288 Chapter 25 Product Specifications Table 93 Other Specifications Approvals Radio • USA: FCC Part 15C 15.247 FCC Part 15E 15.407 FCC OET65 • ETSI EN 300 328 V1.7.1 ETSI EN 301 893 V1.2.3 • Taiwan: DGT LP0002 • Canada: Industry Canada RSS-210 •...
  • Page 289 Chapter 25 Product Specifications Compatible ZyXEL Antennas At the time of writing, you can use the following antennas in your NWA. Table 94 NWA Compatible Antennas MODEL EXT-108 EXR-109 EXT-114 EXT-118 ANT2206 ANT3108 ANT3218 FEATURE Frequency 2400 ~ 2400 ~ 2400 ~ 2400 ~ 5150 ~...
  • Page 290 Chapter 25 Product Specifications Compatible ZyXEL Antenna Cables The following table shows you the cables you can use in the NWA to extend your connection to antennas at the time of writing. Table 95 NWA Compatible Antenna Cables MODEL NAME PART NUMBER (P/N) LENGTH LMR-400 91-005-075001G...
  • Page 291: Appendices And Index

    Appendices and Index Setting Up Your Computer’s IP Address (293) Wireless LANs (319) Pop-up Windows, JavaScripts and Java Permissions (335) Importing Certificates (343) IP Addresses and Subnetting (369) Text File Based Auto Configuration (379) Legal Information (387) Index (391)
  • Page 293: Appendix A Setting Up Your Computer's Ip Address

    Appendix A Setting Up Your Computer’s IP Address Note: Your specific ZyXEL device may not support all of the operating systems described in this appendix. See the product specifications for more information about which operating systems are supported. This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network.
  • Page 294 Appendix A Setting Up Your Computer’s IP Address Click Start > Control Panel. Figure 186 Windows XP: Start Menu In the Control Panel, click the Network Connections icon. Figure 187 Windows XP: Control Panel NWA-3500/NWA-3550 User’s Guide...
  • Page 295 Appendix A Setting Up Your Computer’s IP Address Right-click Local Area Connection and then select Properties. Figure 188 Windows XP: Control Panel > Network Connections > Properties On the General tab, select Internet Protocol (TCP/IP) and then click Properties. Figure 189 Windows XP: Local Area Connection Properties NWA-3500/NWA-3550 User’s Guide...
  • Page 296 Appendix A Setting Up Your Computer’s IP Address The Internet Protocol TCP/IP Properties window opens. Figure 190 Windows XP: Internet Protocol (TCP/IP) Properties Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP.
  • Page 297: Windows Vista

    Appendix A Setting Up Your Computer’s IP Address Windows Vista This section shows screens from Windows Vista Professional. Click Start > Control Panel. Figure 191 Windows Vista: Start Menu In the Control Panel, click the Network and Internet icon. Figure 192 Windows Vista: Control Panel Click the Network and Sharing Center icon.
  • Page 298 Appendix A Setting Up Your Computer’s IP Address Click Manage network connections. Figure 194 Windows Vista: Network and Sharing Center Right-click Local Area Connection and then select Properties. Figure 195 Windows Vista: Network and Sharing Center Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.
  • Page 299 Appendix A Setting Up Your Computer’s IP Address Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties. Figure 196 Windows Vista: Local Area Connection Properties NWA-3500/NWA-3550 User’s Guide...
  • Page 300 Appendix A Setting Up Your Computer’s IP Address The Internet Protocol Version 4 (TCP/IPv4) Properties window opens. Figure 197 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP.
  • Page 301 Appendix A Setting Up Your Computer’s IP Address Mac OS X: 10.3 and 10.4 The screens in this section are from Mac OS X 10.4 but can also apply to 10.3. Click Apple > System Preferences. Figure 198 Mac OS X 10.4: Apple Menu In the System Preferences window, click the Network icon.
  • Page 302 Appendix A Setting Up Your Computer’s IP Address When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure. Figure 200 Mac OS X 10.4: Network Preferences For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab.
  • Page 303 Appendix A Setting Up Your Computer’s IP Address For statically assigned settings, do the following: • From the Configure IPv4 list, select Manually. • In the IP Address field, type your IP address. • In the Subnet Mask field, type your subnet mask. •...
  • Page 304 Appendix A Setting Up Your Computer’s IP Address Verifying Settings Click Apply Now and close the window. Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab. Figure 203 Mac OS X 10.4: Network Utility Mac OS X: 10.5 The screens in this section are from Mac OS X 10.5.
  • Page 305 Appendix A Setting Up Your Computer’s IP Address In System Preferences, click the Network icon. Figure 205 Mac OS X 10.5: Systems Preferences NWA-3500/NWA-3550 User’s Guide...
  • Page 306 Appendix A Setting Up Your Computer’s IP Address When the Network preferences pane opens, select Ethernet from the list of available connection types. Figure 206 Mac OS X 10.5: Network Preferences > Ethernet From the Configure list, select Using DHCP for dynamically assigned settings. For statically assigned settings, do the following: •...
  • Page 307 Appendix A Setting Up Your Computer’s IP Address • In the Router field, enter the IP address of your NWA. Figure 207 Mac OS X 10.5: Network Preferences > Ethernet Click Apply and close the window. NWA-3500/NWA-3550 User’s Guide...
  • Page 308 Appendix A Setting Up Your Computer’s IP Address Verifying Settings Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab. Figure 208 Mac OS X 10.5: Network Utility Linux: Ubuntu 8 (GNOME) This section shows you how to configure your computer’s TCP/IP settings in the GNU Object Model Environment (GNOME) using the Ubuntu 8 Linux distribution.
  • Page 309 Appendix A Setting Up Your Computer’s IP Address Click System > Administration > Network. Figure 209 Ubuntu 8: System > Administration Menu When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make changes to your configuration unless you first enter your admin password.
  • Page 310 Appendix A Setting Up Your Computer’s IP Address In the Authenticate window, enter your admin account name and password then click the Authenticate button. Figure 211 Ubuntu 8: Administrator Account Authentication In the Network Settings window, select the connection that you want to configure, then click Properties.
  • Page 311 Appendix A Setting Up Your Computer’s IP Address The Properties dialog box opens. Figure 213 Ubuntu 8: Network Settings > Properties • In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address. • In the Configuration list, select Static IP address if you have a static IP address.
  • Page 312 Appendix A Setting Up Your Computer’s IP Address If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided. Figure 214 Ubuntu 8: Network Settings > DNS Click the Close button to apply the changes.
  • Page 313 Appendix A Setting Up Your Computer’s IP Address tab. The Interface Statistics column shows data if your connection is working properly. Figure 215 Ubuntu 8: Network Tools Linux: openSUSE 10.3 (KDE) This section shows you how to configure your computer’s TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution.
  • Page 314 Appendix A Setting Up Your Computer’s IP Address Click K Menu > Computer > Administrator Settings (YaST). Figure 216 openSUSE 10.3: K Menu > Computer Menu When the Run as Root - KDE su dialog opens, enter the admin password and click OK.
  • Page 315 Appendix A Setting Up Your Computer’s IP Address When the YaST Control Center window opens, select Network Devices and then click the Network Card icon. Figure 218 openSUSE 10.3: YaST Control Center When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button.
  • Page 316 Appendix A Setting Up Your Computer’s IP Address When the Network Card Setup window opens, click the Address tab. Figure 220 openSUSE 10.3: Network Card Setup Select Dynamic Address (DHCP) if you have a dynamic IP address. Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields.
  • Page 317 Appendix A Setting Up Your Computer’s IP Address If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided. Figure 221 openSUSE 10.3: Network Settings Click Finish to save your settings and close the window.
  • Page 318 Appendix A Setting Up Your Computer’s IP Address Verifying Settings Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information. Figure 222 openSUSE 10.3: KNetwork Manager When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly.
  • Page 319: Appendix B Wireless Lans

    Appendix B Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
  • Page 320 Appendix B Wireless LANs with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other. Figure 225 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network.
  • Page 321 Appendix B Wireless LANs An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. Figure 226 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area.
  • Page 322 Appendix B Wireless LANs wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Figure 227 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel.
  • Page 323: Fragmentation Threshold

    Appendix B Wireless LANs Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.
  • Page 324: Wireless Security Overview

    Appendix B Wireless LANs several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows: Table 98 IEEE 802.11g DATA RATE MODULATION (MBPS) DBPSK (Differential Binary Phase Shift Keyed) DQPSK (Differential Quadrature Phase Shift Keying) 5.5 / 11 CCK (Complementary Code Keying) 6/9/12/18/24/36/...
  • Page 325 Appendix B Wireless LANs IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices.
  • Page 326 Appendix B Wireless LANs • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: •...
  • Page 327 Appendix B Wireless LANs However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication.
  • Page 328: Dynamic Wep Key Exchange

    Appendix B Wireless LANs Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen.
  • Page 329 Appendix B Wireless LANs If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.
  • Page 330 Appendix B Wireless LANs keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP). User Authentication WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network.
  • Page 331 Appendix B Wireless LANs The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
  • Page 332: Security Parameters Summary

    Appendix B Wireless LANs The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them. Figure 229 WPA(2)-PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type.
  • Page 333: Antenna Characteristics

    Appendix B Wireless LANs Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN.
  • Page 334 Appendix B Wireless LANs • Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
  • Page 335: Appendix C Pop-Up Windows, Javascripts And Java Permissions

    Appendix C Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here.
  • Page 336 Appendix C Pop-up Windows, JavaScripts and Java Permissions In Internet Explorer, select Tools, Internet Options, Privacy. Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 231 Internet Options: Privacy Click Apply to save this setting.
  • Page 337 Appendix C Pop-up Windows, JavaScripts and Java Permissions Select Settings… to open the Pop-up Blocker Settings screen. Figure 232 Internet Options: Privacy Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1.
  • Page 338 Appendix C Pop-up Windows, JavaScripts and Java Permissions Click Add to move the IP address to the list of Allowed sites. Figure 233 Pop-up Blocker Settings Click Close to return to the Privacy screen. Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 339 Appendix C Pop-up Windows, JavaScripts and Java Permissions In Internet Explorer, click Tools, Internet Options and then the Security tab. Figure 234 Internet Options: Security Click the Custom Level... button. Scroll down to Scripting. Under Active scripting make sure that Enable is selected (the default). Under Scripting of Java applets make sure that Enable is selected (the default).
  • Page 340: Java Permissions

    Appendix C Pop-up Windows, JavaScripts and Java Permissions Click OK to close the window. Figure 235 Security Settings - Java Scripting Java Permissions From Internet Explorer, click Tools, Internet Options and then the Security tab. Click the Custom Level... button. Scroll down to Microsoft VM.
  • Page 341 Appendix C Pop-up Windows, JavaScripts and Java Permissions Click OK to close the window. Figure 236 Security Settings - Java JAVA (Sun) From Internet Explorer, click Tools, Internet Options and then the Advanced tab. Make sure that Use Java 2 for <applet> under Java (Sun) is selected. NWA-3500/NWA-3550 User’s Guide...
  • Page 342 Appendix C Pop-up Windows, JavaScripts and Java Permissions Click OK to close the window. Figure 237 Java (Sun) NWA-3500/NWA-3550 User’s Guide...
  • Page 343: Appendix D Importing Certificates

    Appendix D Importing Certificates This appendix shows you how to import public key certificates into your web browser. Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar.
  • Page 344 Appendix D Importing Certificates If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Figure 238 Internet Explorer 7: Certification Error Click Continue to this website (not recommended). Figure 239 Internet Explorer 7: Certification Error In the Address Bar, click Certificate Error >...
  • Page 345 Appendix D Importing Certificates In the Certificate dialog box, click Install Certificate. Figure 241 Internet Explorer 7: Certificate In the Certificate Import Wizard, click Next. Figure 242 Internet Explorer 7: Certificate Import Wizard NWA-3500/NWA-3550 User’s Guide...
  • Page 346 Appendix D Importing Certificates If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9. Figure 243 Internet Explorer 7: Certificate Import Wizard Otherwise, select Place all certificates in the following store and then click Browse.
  • Page 347 Appendix D Importing Certificates In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 245 Internet Explorer 7: Select Certificate Store In the Completing the Certificate Import Wizard screen, click Finish. Figure 246 Internet Explorer 7: Certificate Import Wizard NWA-3500/NWA-3550 User’s Guide...
  • Page 348 Appendix D Importing Certificates 10 If you are presented with another Security Warning, click Yes. Figure 247 Internet Explorer 7: Security Warning 11 Finally, click OK when presented with the successful certificate installation message. Figure 248 Internet Explorer 7: Certificate Import Wizard 12 The next time you start Internet Explorer and go to a ZyXEL web configurator page, a sealed padlock icon appears in the address bar.
  • Page 349 Appendix D Importing Certificates Installing a Stand-Alone Certificate File in Internet Explorer Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. Double-click the public key certificate file.
  • Page 350 Appendix D Importing Certificates Open Internet Explorer and click Tools > Internet Options. Figure 252 Internet Explorer 7: Tools Menu In the Internet Options dialog box, click Content > Certificates. Figure 253 Internet Explorer 7: Internet Options NWA-3500/NWA-3550 User’s Guide...
  • Page 351 Appendix D Importing Certificates In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove. Figure 254 Internet Explorer 7: Certificates In the Certificates confirmation, click Yes. Figure 255 Internet Explorer 7: Certificates In the Root Certificate Store dialog box, click Yes.
  • Page 352 Appendix D Importing Certificates The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Firefox The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms. If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
  • Page 353 Appendix D Importing Certificates The certificate is stored and you can now connect securely to the web configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information. Figure 258 Firefox 2: Page Info Installing a Stand-Alone Certificate File in Firefox Rather than browsing to a ZyXEL web configurator and installing a public key...
  • Page 354 Appendix D Importing Certificates In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 260 Firefox 2: Options In the Certificate Manager dialog box, click Web Sites > Import. Figure 261 Firefox 2: Certificate Manager NWA-3500/NWA-3550 User’s Guide...
  • Page 355 Appendix D Importing Certificates Use the Select File dialog box to locate the certificate and then click Open. Figure 262 Firefox 2: Select File The next time you visit the web site, click the padlock in the address bar to open the Page Info >...
  • Page 356 Appendix D Importing Certificates In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 264 Firefox 2: Options In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete. Figure 265 Firefox 2: Certificate Manager NWA-3500/NWA-3550 User’s Guide...
  • Page 357 Appendix D Importing Certificates In the Delete Web Site Certificates dialog box, click OK. Figure 266 Firefox 2: Delete Web Site Certificates The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Opera The following example uses Opera 9 on Windows XP Professional;...
  • Page 358 Appendix D Importing Certificates The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Figure 268 Opera 9: Security information Installing a Stand-Alone Certificate File in Opera Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.
  • Page 359 Appendix D Importing Certificates In Preferences, click Advanced > Security > Manage certificates. Figure 270 Opera 9: Preferences NWA-3500/NWA-3550 User’s Guide...
  • Page 360 Appendix D Importing Certificates In the Certificates Manager, click Authorities > Import. Figure 271 Opera 9: Certificate manager Use the Import certificate dialog box to locate the certificate and then click Open. Figure 272 Opera 9: Import certificate NWA-3500/NWA-3550 User’s Guide...
  • Page 361 Appendix D Importing Certificates In the Install authority certificate dialog box, click Install. Figure 273 Opera 9: Install authority certificate Next, click OK. Figure 274 Opera 9: Install authority certificate The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.
  • Page 362 Appendix D Importing Certificates Open Opera and click Tools > Preferences. Figure 275 Opera 9: Tools Menu In Preferences, click Advanced > Security > Manage certificates. Figure 276 Opera 9: Preferences
  • Page 363 Appendix D Importing Certificates In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete. Figure 277 Opera 9: Certificate manager The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
  • Page 364 Appendix D Importing Certificates Click Continue. Figure 278 Konqueror 3.5: Server Authentication Click Forever when prompted to accept the certificate. Figure 279 Konqueror 3.5: Server Authentication Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details.
  • Page 365 Appendix D Importing Certificates Installing a Stand-Alone Certificate File in Konqueror Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. Double-click the public key certificate file.
  • Page 366 Appendix D Importing Certificates The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details. Removing a Certificate in Konqueror This section shows you how to remove a public key certificate in Konqueror 3.5. Open Konqueror and click Settings >...
  • Page 367 Appendix D Importing Certificates The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button. NWA-3500/NWA-3550 User’s Guide...
  • Page 369: Appendix E Ip Addresses And Subnetting

    Appendix E IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network.
  • Page 370: Subnet Masks

    Appendix E IP Addresses and Subnetting The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID. Figure 286 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask.
  • Page 371 Appendix E IP Addresses and Subnetting Table 102 Subnet Masks OCTET: OCTET: OCTET: OCTET (192) (168) Network Number 11000000 10101000 00000001 Host ID 00000010 By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.
  • Page 372 Appendix E IP Addresses and Subnetting As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows: Table 104 Maximum Host Numbers MAXIMUM NUMBER OF SUBNET MASK HOST ID SIZE HOSTS 8 bits 255.0.0.0...
  • Page 373 Appendix E IP Addresses and Subnetting Subnetting You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons. In this example, the company network address is 192.168.1.0.
  • Page 374 Appendix E IP Addresses and Subnetting The following figure shows the company network after subnetting. There are now two sub-networks, A and B. Figure 288 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of –...
  • Page 375 Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet’s broadcast address). Table 106 Subnet 1 LAST OCTET BIT IP/SUBNET MASK...
  • Page 376 Table 109 Subnet 4 (continued; columns: IP/SUBNET MASK, NETWORK NUMBER, LAST OCTET BIT VALUE). Subnet Address: 192.168.1.192; Lowest Host ID: 192.168.1.193; Broadcast Address: 192.168.1.255; Highest Host ID: 192.168.1.254. Example: Eight Subnets. Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111).
  • Page 377 The following table is a summary for subnet planning on a network with a 16-bit network number. Table 112 16-bit Network Number Subnet Planning (columns: NO. “BORROWED” HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET): 255.255.128.0 (/17) 32766...
  • Page 378 you entered. You don't need to change the subnet mask computed by the NWA unless you are instructed to do otherwise. Private IP Addresses: Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems.
  • Page 379: Appendix F Text File Based Auto Configuration

    Appendix F: Text File Based Auto Configuration. This chapter describes how administrators can use text configuration files to configure the wireless LAN settings for multiple APs. Text File Based Auto Configuration Overview: You can use plain text configuration files to configure the wireless LAN settings on multiple APs.
  • Page 380: Manual Configuration

    You can have a different configuration file for each AP. You can also have multiple APs use the same configuration file. Note: If adjacent APs use the same configuration file, you should leave out the channel setting since they could interfere with each other’s wireless traffic.
  • Page 381 Use the following procedure to have the AP download the configuration file. Table 115 Configuration via SNMP (columns: STEPS, MIB VARIABLE, VALUE). Step 1: pwTftpServer: Set the IP address of the TFTP server. Step 2: pwTftpFileName: Set the file name, for example, g3000hcfg.txt....
  • Page 382 The second line must specify the file version. The AP compares the file version with the version of the last configuration file that it downloaded. If the version of the downloaded file is the same or smaller (older), the AP ignores the file. If the version of the downloaded file is larger (newer), the AP uses the file.
  • Page 383 Wcfg Command Configuration File Examples: These example configuration files use the wcfg command to configure security and SSID profiles. Figure 291 WEP Configuration File Example:

        !#ZYXEL PROWLAN
        !#VERSION 11
        wcfg security 1 name Test-wep
        wcfg security 1 security wep
        wcfg security 1 wep keysize 64 ascii
        wcfg security 1 wep key1 abcde...
  • Page 384 Figure 293 WPA-PSK Configuration File Example:

        !#ZYXEL PROWLAN
        !#VERSION 13
        wcfg security 3 name Test-wpapsk
        wcfg security 3 mode wpapsk
        wcfg security 3 passphrase qwertyuiop
        wcfg security 3 reauthtime 1800
        wcfg security 3 idletime 3600
        wcfg security 3 groupkeytime 1800
        wcfg security save
        wcfg ssid 3 name ssid-wpapsk...
  • Page 385 commands that create security and SSID profiles before the commands that tell the AP to use those profiles. Figure 295 Wlan Configuration File Example:

        !#ZYXEL PROWLAN
        !#VERSION 15
        wcfg ssid 1 name ssid-wep
        wcfg ssid 1 security Test-wep
        wcfg ssid 2 name ssid-8021x
        wcfg ssid 2 security Test-8021x...
  • Page 387: Appendix G Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer: ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 388 This device must accept any interference received, including interference that may cause undesired operations. This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
  • Page 389: Zyxel Limited Warranty

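    The legal communications referred to in the preceding paragraph are radio communications operated in accordance with telecommunications regulations. Low-power radio-frequency devices must tolerate interference from legal communications or from industrial, scientific and medical equipment that radiates radio waves. Wireless information transmission equipment operating in the 5250 MHz to 5350 MHz band is restricted to indoor use. This device is restricted to indoor use, on the condition that it does not interfere with legal radio stations and is not protected against interference. Notices: Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This device has been designed for the WLAN 2.4 GHz and 5 GHz networks throughout the EC region and Switzerland, with restrictions in France.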
  • Page 390 Note: Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose.

This manual is also suitable for:

NWA-3500, NWA-3550
