ZyXEL Communications NXC 2500 Handbook

ZyXEL Communications NXC 2500 Handbook

Nxc series
Hide thumbs Also See for NXC 2500:
Table of Contents

Advertisement

NXC Series
NXC 2500/ 5500
NXC Controllers
Firmware Version 5.10
Edition 23, 10/2017
Handbook
Default Login Details
LAN Port IP Address
User Name
Password
https://192.168.1.1
admin
1234
www.zyxel.com
Copyright © 2017 ZyXEL
Communications Corporation
1/225

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the NXC 2500 and is the answer not in the manual?

Questions and answers

Subscribe to Our Youtube Channel

Summary of Contents for ZyXEL Communications NXC 2500

  • Page 1 NXC Series NXC 2500/ 5500 NXC Controllers Firmware Version 5.10 Edition 23, 10/2017 Handbook Default Login Details LAN Port IP Address https://192.168.1.1 User Name admin Password 1234 Copyright © 2017 ZyXEL Communications Corporation 1/225...
  • Page 2: Table Of Contents

    www.zyxel.com Contents Manage APs through NXC Controller ............7 1.1 How to Manage APs through NXC Controller ........7 1.1.1 Configuration in the AP ..............8 1.1.2 Test the Result ................... 9 1.1.3 What Could Go Wrong? ............... 10 1.2 How to Enlarge Managed AP Number with License ......11 1.2.1 Device Registration ...............
  • Page 3 www.zyxel.com 2.4 How to Set up Seamless Wireless Roaming? ........51 2.4.1 Configure APs via AP Group ............52 2.4.2 Test the Result ................. 55 2.4.3 What Could Go Wrong? ............... 56 Optimize the Wireless Environment ............59 3.1 How to Set up User Ratio of 2.4GHz and 5GHz to Avoid WiFi Congestion? ....................
  • Page 4 www.zyxel.com 4.2.3 Test the Result ................. 97 4.2.4 What Could Go Wrong ............... 102 4.3 How to Configure 802.1x to Secure the Wireless Environment with an External LDAP Server? ..................7 4.3.1 Configure LDAP Server Setting ........... 104 4.3.2 Configure AP Profile ..............106 4.3.3 Test the Result ................
  • Page 5 www.zyxel.com 4.6.3.2 Configure VLAN ................ 163 4.6.3.3 Create Assistance Account ............ 165 4.6.3.4 Set Guest Address & Zone ............167 4.6.3.5 Configure Captive Portal ............168 4.6.3.6 Test the Result ................171 4.6.3.7 What Could Go Wrong ............174 4.6.4 Captive Portal with External Webserver? ........160 4.6.4.1 Configure Interface ..............
  • Page 6 www.zyxel.com 5.2.2 Reset to Default from Hardware ..........215 5.2.3 Test the Result ................216 Trouble Shooting ..................217 6.1 How to Collect the Diagnostic Info? ..........217 6.1.1 Collect Diagnostic Info ............... 218 6.1.2 Test the Result ................220 6.2 How to Configure the E-mail Settings for Sending Logs? ....
  • Page 7: Manage Aps Through Nxc Controller

    www.zyxel.com Manage APs through NXC Controller 1.1 How to Manage APs through NXC Controller This example shows how to use the NXC controller to manage APs via manual setting, DHCP option 138 and broadcast. In this case shown as below, there are two subnets in the environment. The APs can find NXC controller in the same subnet via broadcasting without any settings.
  • Page 8: Configuration In The Ap

    www.zyxel.com 1.1.1 Configuration in the AP 1 In the same subnet (for AP1 and AP2), the APs don‟t need to do any setting. The APs can find the NXC controller via broadcast and NXC controller always accepts APs to managed list by default. The NXC controller manages the APs without any setting.
  • Page 9: Test The Result

    www.zyxel.com 1.1.2 Test the Result 1 When the APs and the NXC controller are in the same subnet, the NXC controller manages the APs without any settings. The result is visible in MONITOR > Wireless > AP Information > AP List. 2 When the APs and the NXC controller are in the different subnets, the APs can find NXC controller through manually setting NXC controller‟s IP or DHCP option 138.
  • Page 10: What Could Go Wrong

    www.zyxel.com 1.1.3 What Could Go Wrong? 1 To make sure the NXC controller goes to correct traffic routing, please remember to set up the gateway in NXC controller. 2 When you use the manual NXC controller IP or DHCP option 138, please make sure the NXC controller‟s IP is correct so that the APs can find the NXC controller.
  • Page 11: How To Enlarge Managed Ap Number With License

    www.zyxel.com 1.2 How to Enlarge Managed AP Number with License This example shows how to enlarge managed AP number with license. The default managed AP number for NXC2500 is 8 units and NXC5500 is 64 units. If you want to control more than default managed units, it‟s necessary to import the license to enlarge managed AP number.
  • Page 12: Device Registration

    www.zyxel.com 1.2.1 Device Registration 1 Click the hyperlink on NXC controller‟s GUI to connect portal.myzyxel.com in CONFIGURATION > Licensing > Registration. 2 After log in the registration portal, click the Device Registration to register a device by filling in the MAC Address and Serial Number.
  • Page 13 www.zyxel.com 3 Click Next to activate security services on the device, and click Close in next step. 13/225...
  • Page 14: Service Registration

    www.zyxel.com 1.2.2 Service Registration 1 Click Service Registration and fill in the License Key. Click Submit to register the license key. 2 Click Service Management, and click the Link. Select a device, and then click Submit to activate the license key for the selected device.
  • Page 15: License Refresh

    www.zyxel.com 1.2.3 License Refresh 1 Click Service License Refresh in below path of NXC controller web GUI. CONFIGURATION > Licensing > Registration 15/225...
  • Page 16: Test The Result

    www.zyxel.com 1.2.4 Test the Result 1 The Count of Managed AP number changes from 8 to 16 in CONFIGURATION > Licensing > Registration. 16/225...
  • Page 17: Set Up A Wireless Connection Environment

    www.zyxel.com Set up a Wireless Connection Environment 2.1 How to Set WiFi Multiple SSID for Office Environment? 2.1.1 When USG is DHCP Server for VLAN10 and VLAN20 The example instructs how to configure VLANs and set different VLANs for different SSIDs in NXC. In this example, USG is the only DHCP server in the environment, and NXC only needs to set VLAN for passing traffic.
  • Page 18: Configure Nxc"S Interface To Go To Internet

    www.zyxel.com 2.1.1.1 Configure NXC’s Interface to Go to Internet 1 Connect NXC controller to USG LAN port. In the USG, all LAN ports are DHCP server for interface LAN, VLAN10, VLAN20, and all the stations connected to APs get an IP from the USG.
  • Page 19: Configure Vlan

    www.zyxel.com 2.1.1.2 Configure VLAN 1 Connect Switch to NXC ge2 (P2), and connect all APs to the switch. 2 In the NXC, go to CONFIGURATION > Network > Interface > VLAN, Click Add to create a new VLAN (VLAN10). 19/225...
  • Page 20 www.zyxel.com 3 In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan10; set VID: In Member Configuration, set ge2 to be a Member and Tx Tagging to yes. In IP Address Assignment, Use Fixed IP Address and key in IP Address, Subnet Mask.
  • Page 21 www.zyxel.com 4 Click Add to create VLAN20 configuration in CONFIGURATION > Network > Interface > VLAN. 21/225...
  • Page 22 www.zyxel.com 5 In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan20; set VID: In Member Configuration, set ge2 to be a Member and Tx Tagging to yes. In IP Address Assignment, Use Fixed IP Address and key in IP Address, Subnet Mask.
  • Page 23: Configure Security And Ssid

    www.zyxel.com 2.1.1.3 Configure Security and SSID 1 Go to CONFIGURATION > Object > AP Profile > SSID > Security List, Click Add to create a new security profile for staff. In General Settings, key in Staff as profile name, and set security mode to wpa2.
  • Page 24 www.zyxel.com 2 Click Add to create a new security profile for guest. In General Settings, key in guest as profile name, and set security mode to none. Click OK. 3 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List and click Add to create a SSID for staff.
  • Page 25 www.zyxel.com 4 Click Add to create a SSID for guest in vlan20. In Profile Name and SSID, key in guest. In Security Profile, select guest. In VLAN ID, key in 20. Click OK. 25/225...
  • Page 26: Configure Ap Profile To Broadcast Ssid

    www.zyxel.com 2.1.1.4 Configure AP Profile to Broadcast SSID 1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click Edit for default group. In Radio 1 and Radio 2, set the SSID profile, Staff and guest. Click OK to apply the configuration. 26/225...
  • Page 27: When Nxc Is Dhcp Server For Vlan10 And Vlan20

    www.zyxel.com 2.1.2 When NXC is DHCP Server for VLAN10 and VLAN20 The example instructs how to configure VLANs and set different VLANs for different SSIDs in NXC when NXC is DHCP server for VLANs. The USG does not need to do any other settings when there are different VLANs add to the environment since NXC is a DHCP server for VLANs.
  • Page 28: Configure Interface Ge1 To Go To Internet

    www.zyxel.com 2.1.2.1 Configure Interface ge1 to Go to Internet 1 Connect ge1 (P1) to USG LAN port. In USG, LAN ports are DHCP server and all APs get IP from LAN. 2 In the NXC, go to CONFIGURATION > Network > Interface > VLAN to set USG‟s LAN IP as the gateway.
  • Page 29: Configure Vlan

    www.zyxel.com 2.1.2.2 Configure VLAN 1 Connect Switch to NXC ge2, and connect all APs to the switch. 2 In the NXC, go to CONFIGURATION > Network > Interface > VLAN, Click Add to create a new VLAN. 29/225...
  • Page 30 www.zyxel.com 3 In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan10; VID: 10 In Member Configuration, set ge2 to be a Member and Tx Tagging. In IP Address Assignment, Use Fixed IP Address and key in IP Address, Subnet Mask, and Gateway.
  • Page 31 www.zyxel.com 4 Click Add to create VLAN20 in CONFIGURATION > Network > Interface > VLAN. 31/225...
  • Page 32 www.zyxel.com 5 In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan20; VID: 20 In Member Configuration, set ge2 are Member and Tx Tagging. In IP Address Assignment, Use Fixed IP Address and key in IP Address, Subnet Mask, and Gateway. In DHCP Setting, select DHCP server and key in IP Pool Start Address and Pool Size.
  • Page 33: Set Policy Route

    www.zyxel.com 2.1.2.3 Set Policy Route 1 Set Policy Route in CONFIGURATION > Network > Routing > Policy Route to create new routing rule. Click Show Advanced Settings. In Configuration, check Enable. In Criteria, select Incoming as Interface and Please select one member is vlan10.
  • Page 34 www.zyxel.com 2 Set Policy Route in CONFIGURATION > Network > Routing > Policy Route to create new routing rule. Click Show Advanced Settings. In Configuration, check Enable. In Criteria, select Incoming as Interface and Please select one member is vlan20. In Next-Hop, select Type as Interface and Interface is vlan0 In Address Translation, select Source Network Address Translation to outgoing-interface to use the IP address of the...
  • Page 35: Configure Security And Ssid

    www.zyxel.com 2.1.2.4 Configure Security and SSID 1 Go to CONFIGURATION > Object > AP Profile > SSID > Security List, Click Add to create a new security profile for staff. In General Settings, key in Staff as profile name, and set security mode to wpa2.
  • Page 36 www.zyxel.com 3 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List and click Add to create a SSID for staff. In Profile Name and SSID, key in Staff. In Security Profile, select Staff. In VLAN ID, key in 10. Click OK. 36/225...
  • Page 37 www.zyxel.com 4 Click Add to create a SSID for guest in vlan20. In Profile Name and SSID, key in guest. In Security Profile, select guest. In VLAN ID, key in 20. Click OK. 37/225...
  • Page 38: Configure Ap Profile To Broadcast Ssid

    www.zyxel.com 2.1.2.5 Configure AP Profile to Broadcast SSID 1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click Edit for default group. In Radio 1 and Radio 2, set the SSID profile, Staff and guest. Click OK to apply the configuration. 38/225...
  • Page 39: Test The Result

    www.zyxel.com 2.1.3 Test the Result 1 Use a laptop to select SSID Staff and key in the security setting for connection. After connection successful, laptop can get an IP in VLAN10. 2 Use a mobile phone to select SSID guest and connect to it. After connection is successful, mobile phone can get an IP in VLAN20.
  • Page 40: What Could Go Wrong

    www.zyxel.com 2.1.4 What Could Go Wrong? 1 When USG is a DHCP server, users may not get IP if USG and switch do not set VLAN10 and VLAN20. 2 When NXC is a DHCP server, user may not go to Internet if the policy route does not set to outgoing-interface.
  • Page 41: How To Set Up Fail Over/Fall Back

    www.zyxel.com 2.2 How to Set up Fail Over/Fall Back? The example instructs how to set up fail over and fall back. All management APs connect to NXC controller 1 in this example. When the NXC controller 1 fails to connect, all managed APs are controlled by NXC controller 2 by fail over setting.
  • Page 42: Configure Fail Over And Fall Back

    www.zyxel.com 2.2.1 Configure Fail Over and Fall Back 1 To set the fail over in CONFIGURATION > Wireless > AP Management > AP Policy, enable Force Override Controller IP Config on AP. Select Manual and set the Primary Controller: 192.168.1.55 and Secondary Controller: 192.168.1.60 2 To set the fall back in CONFIGURATION >...
  • Page 43: Test The Result

    www.zyxel.com 2.2.2 Test the Result 1 In MONITOR > Log, check whether the NXC controller 1 sets the configuration for the AP(s). Logs show the messages after the configuration is applied to in the AP. 2 Disconnect the NXC controller 1 from switch, and the managed APs go to find NXC controller 2 and get controlled by it.
  • Page 44: What Could Go Wrong

    www.zyxel.com 2.2.3 What Could Go Wrong? 1 The controllers need to have the same configurations/profiles and firmware, or the AP changes the setting/firmware after doing fail over. 2 If NXC controllers 1 and 2 control different APs, after the APs policy settings are applied, clear the Force Override option on controller 2 via unchecking the Force Override Controller IP Config on AP to avoid overriding the setting of APs from NXC...
  • Page 45: How To Set Up Mesh To Extend Wireless Coverage

    www.zyxel.com 2.3 How to Set up Mesh to Extend Wireless Coverage? The example instructs how to set up ZyMesh. When AP‟s signal needs to extend, use ZyMesh to set up connection between root AP and repeater AP. Because ZyMesh profile makes the WDS connection, the root AP and repeater AP don‟t need to use the same SSID for users connecting.
  • Page 46: Configure Zymesh Profile

    www.zyxel.com 2.3.1 Configure ZyMesh Profile 1 Both root AP and repeater AP need to use the same ZyMesh profile to set up connection. Go to CONFIGURATION > Object > ZyMesh Profile, Click Add to create a ZyMesh SSID and pre-shared key. The ZyMesh SSID hides and it is not visible.
  • Page 47: Configure Root Ap And Repeater Ap

    www.zyxel.com 2.3.2 Configure Root AP and Repeater AP 1 In the same AP, radio 2 is not able to work as the repeater when radio 1 is root AP. Select an AP in CONFIGURATION > Wireless > AP Management > Mgnt. AP List to edit the selected AP as root AP.
  • Page 48: Test The Result

    www.zyxel.com 2.3.3 Test the Result 1 Check ZyMesh Link Info in MONITOR > Wireless > ZyMesh > ZyMesh Link Info. When the ZyMesh sets up successfully, root AP and repeater AP information shows in the ZyMesh link info. 48/225...
  • Page 49: What Could Go Wrong

    www.zyxel.com 2.3.4 What Could Go Wrong? 1 If the ZyMesh profiles are not the same on root AP and repeater AP, it‟s not able to connect using ZyMesh successfully. Go to CONFIGURATION > Wireless > AP Management > Mgnt. AP List to make sure root AP and repeater AP‟s ZyMesh profile are the same.
  • Page 50 www.zyxel.com 4 The APs‟ country code must be the same for setting up ZyMesh connection. You can check the country code in CONFIGURATION > Wireless > Controller. 50/225...
  • Page 51: How To Set Up Seamless Wireless Roaming

    www.zyxel.com 2.4 How to Set up Seamless Wireless Roaming? The example instructs how to configure two APs profile and topology for roaming. These two APs need to use the same SSID, security, DHCP server, and signal overlap. The two APs have the same DHCP server from USG, and this example shows how to configure APs in the same SSID and security.
  • Page 52: Configure Aps Via Ap Group

    www.zyxel.com 2.4.1 Configure APs via AP Group 1 Roaming needs to use the same SSID and security. AP group can assign APs‟ configuration, so that APs have the same SSID and security. Create a new security profile for roaming. Go to CONFIGURATION > Object > AP Profile > SSID > Security List, Click Add.
  • Page 53 www.zyxel.com 2 Create a new SSID for roaming. In Profile Name and SSID, key in Roaming. In Security Profile, select Roaming. Click OK 53/225...
  • Page 54 www.zyxel.com 3 Create a new AP group for roaming, and select AP1 and AP2 as member of the AP group. In Profile Name, key in Roaming. In Radio1 Setting and Radio 2 Setting, change SSID profile to Roaming. In AP List, move two APs from Available to Member. Click OK. 54/225...
  • Page 55: Test The Result

    www.zyxel.com 2.4.2 Test the Result 1 User connects to the SSID and make sure the user can access the Internet without any problem. 2 When user is roaming from AP1 to AP2, the connection is not interrupted because of reconnection from AP1 to AP2. 55/225...
  • Page 56: What Could Go Wrong

    www.zyxel.com 2.4.3 What Could Go Wrong? 1 User may disconnect when AP1 and AP2‟s signal is not overlapping. If the Max out power is 30 and two APs still don‟t overlap, please move these two APs closer to make signal overlap.
  • Page 57 www.zyxel.com 3 Enable threshold in radio might cause disconnection between AP and station. When the overlap area RSSI is lower than threshold value, station is not able to connect to AP. The Station Signal Threshold and Disassociation Station Threshold should be lower than the overlapping area‟s RSSI. 4 “Band Select”...
  • Page 58 www.zyxel.com 6 It‟s up to station to roam or not. The roaming tendency is able to modify in computer‟s setting. 58/225...
  • Page 59: Optimize The Wireless Environment

    www.zyxel.com Optimize the Wireless Environment 3.1 How to Set up User Ratio of 2.4GHz and 5GHz to Avoid WiFi Congestion? The example instructs how to configure AP profile with band select. When 2.4GHz and 5G capable users connect to the AP, user is easy to connect to 5GHz when enabling band select.
  • Page 60: Configure Band Select

    www.zyxel.com 3.1.1 Configure Band Select 1 Band select setting is in SSID. Before creating a new SSID, security is necessary to create first. Go to CONFIGURATION > Object > AP Profile > SSID > Security List, click Add to create a new security rule for band select.
  • Page 61 www.zyxel.com 2 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, click Add to create a new SSID for band select. Use Band_Select as the Profile Name and SSID. Select BandSelect as the Security Profile. In Band Select, select standard to let user easy access to AP via band 5GHz.
  • Page 62 www.zyxel.com 3 Go to CONFIGURATION > AP Management > AP Group, click Add to create a new group for band select. In General Setting, set Group Name as Band_Select. In Radio 1 Setting and Radio 2 Setting, select SSID profile Band_Select.
  • Page 63 www.zyxel.com 63/225...
  • Page 64: Test The Result

    www.zyxel.com 3.1.2 Test the Result 1 Use a 2.4GHz and 5GHz supported device (ex. Mobile phone or laptop) to connect with SSID Band_Select. The device connects to 5GHz first when it connects to the SSID. 64/225...
  • Page 65: What Could Go Wrong

    www.zyxel.com 3.1.3 What Could Go Wrong? 1 If the AP does not support dual band, band select does not work. 2 When the connected station number is greater than stop threshold station number, the band select stops working. 3 Band Select may potentially cause interruptions for time-sensitive applications if the client only has 2.4G ability, like roaming delays.
  • Page 66: How To Set Up Rssi Threshold To Avoid Low Rate User Connection Affected Wireless Performance

    www.zyxel.com 3.2 How to Set up RSSI Threshold to Avoid Low Rate User Connection Affected Wireless Performance? The example instructs how to set up RSSI threshold. RSSI threshold ensure wireless clients receive good signal to prevent them from being impacted by the others with poor signal. There are two RSSI value to set. One is station signal threshold which sets a minimum client signal strength to connect with AP;...
  • Page 67: Configure Radio Setting For Rssi Threshold

    www.zyxel.com 3.2.1 Configure Radio Setting for RSSI Threshold 1 Go to CONFIGURATION > Object > AP Profile > Radio, click Add to add a new 2.4GHz radio, RSSI_Threshold, for setting RSSI threshold. Click Show Advanced Settings to check Enable Signal Threshold, and edit the value for Station Signal Threshold and Disassociation Station Threshold.
  • Page 68: Apply Radio With Rssi Threshold

    www.zyxel.com 3.2.2 Apply Radio with RSSI Threshold 1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click default and Edit it. In Radio 1 Setting, change radio 1 AP Profile to RSSI_Threshold. Click Override Member AP Setting, and the click Yes to apply setting to member APs. 68/225...
  • Page 69: Test The Result

    www.zyxel.com 3.2.3 Test the Result 1 In MONITOR > Station Info > Station List, check the new connected client‟s signal strength is stronger than -76dBm. 2 In MONITOR > Log >View AP Log, select the AP to which the station is connected and query its log. When the connected client‟s RSSI is less than -80dBm, the AP kick-out the station because of the RSSI threshold.
  • Page 70: How To Set Up Rate Limiting For Bandwidth Control

    www.zyxel.com 3.3 How to Set up Rate Limiting for Bandwidth Control? The example instructs how to set up rate limiting for each station traffic rate. In this example, downlink is to set the maximum incoming transmission data rate, and uplinks is to set the maximum outgoing transmission data rate for each client connected to specific SSID.
  • Page 71: Configure Rate Limiting

    www.zyxel.com 3.3.1 Configure Rate Limiting 1 Go to CONFIGURATION > Object > AP Profile > SSID, click Add to add a new SSID, RateLimiting. Set the Downlink and Uplink maximum transmission data rate per station traffic. Click OK. 71/225...
  • Page 72: Apply Rate Limiting To Management Ap

    www.zyxel.com 3.3.2 Apply Rate Limiting to Management AP 1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click default and Edit it. In Radio 1 Setting/Radio 2 Setting, change SSID Profile to RateLimiting. Click Override Member AP Setting, and the click Yes to apply setting to member APs.
  • Page 73: Test The Result

    www.zyxel.com 3.3.3 Test the Result 1 When the station connected to AP via SSID RateLimiting, the maximum incoming transmission data rate is not over 10mbps, and maximum outgoing transmission data rate is not over 5mbps. 73/225...
  • Page 74: How To Share Ap Loading To Optimize Wireless Performance

    www.zyxel.com 3.4 How to Share AP loading to Optimize Wireless Performance? The example instructs how to set up AP group with load balance. There are three types for load balance, by station number, by traffic level, and by smart classroom. This example shows the configuration of these three kinds of load balance for different scenarios and the load balance is set per radio.
  • Page 75: Configure Load Balance To "By Station Number

    www.zyxel.com 3.4.1 Configure Load Balance to “by Station Number” 1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click default for editing. In Load Balancing Setting, check Enable Load Balancing and Disassociate station when overloaded. Change Mode to by Station Number and set the Max Station Number.
  • Page 76: Configure Load Balance To "By Traffic Level

    www.zyxel.com 3.4.2 Configure Load Balance to “by Traffic Level” 1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click default for editing. In Load Balancing Setting, check Enable Load Balancing and Disassociate station when overloaded. Select Mode to by Traffic Level and set the Traffic Level.
  • Page 77: Configure Load Balance To "By Smart Classroom

    www.zyxel.com 3.4.3 Configure Load Balance to “by Smart Classroom” 1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click default for editing. In Load Balancing Setting, check Enable Load Balancing. Select Mode to by Smart Classroom and set the Max Station Number.
  • Page 78: Test The Result

    www.zyxel.com 3.4.4 Test the Result 1 When load balancing by station number, the AP disconnects client with the longest idle time first, and then with the poorest signal strength if the client number is greater than setting number. 2 The traffic level is set to low and the maximum bandwidth allowed is 11 Mbps.
  • Page 79 www.zyxel.com 3 When the station number is greater than the max station number, AP disconnects clients with the poorest signal strength. 79/225...
  • Page 80: What Could Go Wrong

    www.zyxel.com 3.4.5 What Could Go Wrong? 1 It needs two APs to do the load Balance, or the function is not workable. 2 Load balance‟s purpose is sharing loading instead of limiting the station numbers. 3 If all APs are over max station number setting/traffic level, the stations still can connect to APs.
  • Page 81: Secure The Wireless Environment

    www.zyxel.com Secure the Wireless Environment 4.1 How to Configure 802.1x to Secure the Wireless Environment with an External RADIUS Server? The example instructs how to set up NXC controller with an external radius server. When station wants to connect with AP, you can use an AAA server to provide access control to your network.
  • Page 82 www.zyxel.com 4.1.1 Configure Radius Server Setting 1 Go to CONFIGURATION > Object > AAA Server > RADIUS, click #1 radius, and then click Edit. Set the Server Address, and Authentication Port is 1812. Enter the Key for Radius server and click OK.
  • Page 83: Configure Ap Profile

    www.zyxel.com 4.1.2 Configure AP Profile 1 Configure AP profile to use 802.1x authentication and user needs to log in with their ID and Password when connecting to AP‟s SSID. Go to CONFIGURATION > Object > AP Profile > SSID > Security List, click Add to add security for 802.1x.
  • Page 84 www.zyxel.com 2 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, click add to add a SSID for connection with 802.1x security. Key-in the Profile Name and SSID, and change Security Profile to RadiusTest which sets in step1. Click OK to save. 3 Go to CONFIGURATION >...
  • Page 85: Test The Result

    www.zyxel.com 4.1.3 Test the Result 1 Before connecting the SSID, the computer needs to do some settings to make connection successfully. Opening Network and Sharing Center in computer, click Set up a new connection or network for building up a new network.
  • Page 86 www.zyxel.com 3 Key-in the SSID Network name and change the Security type to WAP2-Enterprise, and the Encryption type is AES. Click Next. 4 Select Change connection settings. 5 Change Security type to WPA2-Enterprise, and Encryption type is AES. Click Settings. 86/225...
  • Page 87 www.zyxel.com 6 Uncheck Validate server certificate and click Configure. 7 Uncheck the checkbox in the pop-up window. Click OK. 87/225...
  • Page 88 www.zyxel.com 8 Back to the security setting page and click Advanced settings. 9 Check Specify authentication mode. Click OK to save. 88/225...
  • Page 89 www.zyxel.com 10 Select to the SSID, RadiusTest, for wireless connection. Enter user credentials for authentication. After entering the correct ID and password, the wireless connection is setup successfully. 89/225...
  • Page 90: What Could Go Wrong

    www.zyxel.com 4.1.4 What Could Go Wrong 1 There are two kinds of Radius Server Types in security profile setting. Internal means the authentication is doing between NXC controller and Radius server. The Radius server needs to add NXC controller as trusted client. 2 External means the authentication is doing between Managed AP and Radius server.
  • Page 91: How To Configure 802.1X To Secure The Wireless Environment With An External Ad Server

    www.zyxel.com 4.2 How to Configure 802.1x to Secure the Wireless Environment with an External AD Server? The example instructs how to set up the NXC controller with an external AD server. When the station wants to connect with the AP, you can use an AAA server to provide access control to your network.
  • Page 92: Configure Ad Server Setting

    www.zyxel.com 4.2.1 Configure AD Server Setting 1 Go to CONFIGURATION > Object > AAA Server > Active Directory, click #1 ad, and then click Edit to configure AD server‟s information. 2 In Server Settings, enter Server Address. Here use 172.51.31.112 as the example.
  • Page 93 www.zyxel.com 4 In Doman Authentication for MSChap, check Enable and enter the User Name, User Password, Realm, and NetBIOS Name. The Realm is the domain name of the AD server. 5 After finishing the configuration, enter administrator as the Username and click Test in Configuration Validation. 93/225...
  • Page 94 www.zyxel.com 6 Go to CONFIGURATION > Object > Auth. Method. Select to the default method, and click Edit. Select the AD server you create. Click OK. 7 Go to CONFIGURATION > System > Date/Time and check Current Time and Date. The date and time must be the same as the date and time of the AD server.
  • Page 95: Configure Ap Profile

    www.zyxel.com 4.2.2 Configure AP Profile 1 Configure AP profile to use 802.1x authentication that the user needs to log in with their ID and Password when connecting to AP‟s SSID. Go to CONFIGURATION > Object > AP Profile > SSID > Security List, click Add to add security for 802.1x.
  • Page 96 www.zyxel.com 2 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, click add to add a SSID for the connection with 802.1x security. Key in the Profile Name and SSID, and change Security Profile to ADtest which you configured in step1. Click OK to save. 3 Go to CONFIGURATION >...
  • Page 97: Test The Result

    www.zyxel.com 4.2.3 Test the Result 1 Before connecting the SSID, the computer needs to do some settings to make a connection successfully. Here is an example for Windows 7. Open Network and Sharing Center in the computer, click Set up a new connection or network to build up a new network. 2 Select Manually connect to a wireless network.
  • Page 98 www.zyxel.com 4 Select Change connection settings. 5 Change Security type to WPA2-Enterprise, and Encryption type is AES. Click Settings. 98/225...
  • Page 99 www.zyxel.com 6 Uncheck Validate server certificate and click Configure. 7 Uncheck the selection of the pop-up window. Click OK. 99/225...
  • Page 100 www.zyxel.com 8 Go back to the security setting page and click Advanced settings. 9 Check Specify authentication mode. Click OK to save. 100/225...
  • Page 101 www.zyxel.com 10 Select and connect to the pre-defined SSID "ADTest". Enter user credentials for authentication. After entering the correct ID and password, the wireless connection is set up successfully. 101/225...
  • Page 102: What Could Go Wrong

    www.zyxel.com 4.2.4 What Could Go Wrong 1 There are two kinds of Radius Server Types in security profile setting. Internal means the authentication is doing between the NXC controller and the AD server. 2 When the Radius Server Types change to External, it means the authentication is doing between the Managed AP and the Radius server.
  • Page 103: How To Configure 802.1X To Secure The Wireless Environment With An External Ldap Server

    www.zyxel.com 4.3 How to Configure 802.1x to Secure the Wireless Environment with an External LDAP Server? The example instructs how to set up the NXC controller with an external LDAP server. When the station wants to connect with the AP, you can use an AAA server to provide access control to your network.
  • Page 104: Configure Ldap Server Setting

    www.zyxel.com 4.3.1 Configure LDAP Server Setting 1 Go to CONFIGURATION > Object > AAA Server > LDAP, click #1 ldap, and then click Edit to edit the LDAP server‟s information. 2 In Server Settings, enter Server Address. Here use 10.253.31.239 as the example.
  • Page 105 www.zyxel.com 3 After finishing the configuration, enter administrator as the Username and click Test in Configuration Validation. 4 Go to CONFIGURATION > Object > Auth. Method. Select default method, and click Edit. Select the LDAP server you create. Click OK. 105/225...
  • Page 106: Configure Ap Profile

    www.zyxel.com 4.3.2 Configure AP Profile 1 Configure AP profile to use 802.1x authentication that user needs to log in with their ID and Password when connecting to AP‟s SSID. Go to CONFIGURATION > Object > AP Profile > SSID > Security List, click Add to add security for 802.1x.
  • Page 107 www.zyxel.com 2 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, click add to add a SSID for the connection with 802.1x security. Key in the Profile Name and SSID, and change Security Profile to LDAP which you configured in step1. Click OK to save. 3 Go to CONFIGURATION >...
  • Page 108: Test The Result

    www.zyxel.com 4.3.3 Test the Result 1 The LDAP can be use in Android phone for authentication. When connecting to the SSID, the EAP method is set to TTLS, and Phase-2 authentication is PAP. Enter the user ID and password to connect. The station and AP connected with correct ID and password.
  • Page 109: What Could Go Wrong

    www.zyxel.com 4.3.4 What Could Go Wrong 1 The Radius server type is always internal in CONFIGURATION > Object > AP Profile > SSID > Security List because LDAP is not able to be used as the authentication server. It does not support external for LDAP server.
  • Page 110: How To Configure 802.1X To Secure The Wireless Environment With An Internal Radius In Nxc

    www.zyxel.com 4.4 How to Configure 802.1x to Secure the Wireless Environment with an Internal RADIUS in NXC? The example instructs how to set up NXC controller and let users do local authentication without external radius server. The user data base is set up in the NXC controller and the client can enter the username and password to do authentication via 802.1x.
  • Page 111: Configure Authentication Method Setting

    www.zyxel.com 4.4.1 Configure Authentication Method Setting 1 Go to CONFIGURATION > Object > User/Group, and click add to create a new user ID and password. Stations can log in to connect with the AP to access the Internet via this account. 2 Go to CONFIGURATION >...
  • Page 112 www.zyxel.com 3 Go to CONFIGURATION > System > Auth. Server, and set Authentication Method to localtest which is created in step 2. 112/225...
  • Page 113: Configure Ap Profile

    www.zyxel.com 4.4.2 Configure AP Profile 1 Configure the AP profile to use 802.1x authentication that user needs to log in with their ID and Password when connecting to the AP‟s SSID. Go to CONFIGURATION > Object > AP Profile > SSID >...
  • Page 114 www.zyxel.com 2 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, click add to add a SSID for the connection with 802.1x security. Key in the Profile Name and SSID, and change Security Profile to local802 which is created in step1. Click OK to save. 3 Go to CONFIGURATION >...
  • Page 115: Test The Result

    www.zyxel.com 4.4.3 Test the Result 1 Before connecting the SSID, the computer needs to do some settings to make the connection successfully. Here is an example for Windows 7. Opening Network and Sharing Center in computer, click Set up a new connection or network to build up a new network. 2 Select Manually connect to a wireless network.
  • Page 116 www.zyxel.com 4 Select Change connection settings. 5 Select Security type to WPA2-Enterprise, and Encryption type is AES. Click Settings. 116/225...
  • Page 117 www.zyxel.com 6 Uncheck Validate server certificate and click Configure. 7 Uncheck the selection of pop-up window. Click OK. 117/225...
  • Page 118 www.zyxel.com 8 Go back to the security setting page and click Advanced settings. 9 Check Specify authentication mode. Click OK to save. 10 Select and connect to the pre-defined SSID "ADTest". Enter user credentials for authentication. After entering the correct ID and password, the wireless connection is set up successfully.
  • Page 119: How To Configure 802.1X To Secure The Wireless Environment With Dynamic Vlan With Nxc Controller Using External Radius Server

    www.zyxel.com 4.5 How to Configure 802.1x to Secure the Wireless Environment with Dynamic VLAN with NXC Controller Using External RADIUS Server? The example instructs how to set up dynamic VLAN with the NXC controller using external radius server. When the station wants to connect with the AP, you can use an AAA server to provide access control to your network.
  • Page 120 www.zyxel.com Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG20v2 (Firmware Version: V4.15), NXC2500 (Firmware Version: 5.10), GS2210-8HP (Firmware Version: V4.30) 120/225...
  • Page 121: Configure Interface

    www.zyxel.com 4.5.1 Configure Interface 1 Go to CONFIGURATION > Network > Interface > VLAN, click vlan0 and Edit it. 2 Set ge1 (P1) to not be vlan0‟s member by selecting no in Member Configuration. Set the gateway IP in IP Address Assignment.
  • Page 122 www.zyxel.com 1 Connect Switch to NXC ge2 (P2), and APs all connect to the switch. 2 In the NXC, go to CONFIGURATION > Network > Interface > VLAN. Click Add to create a new VLAN configuration. 122/225...
  • Page 123 www.zyxel.com 3 In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan10; VID: 10 In Member Configuration, set ge2 to be Member and Tx Tagging. In IP Address Assignment, Use Fixed IP Address and key in IP Address, Subnet Mask, and Gateway.
  • Page 124 www.zyxel.com 4 Click Add to create VLAN20 in CONFIGURATION > Network > Interface > VLAN. 124/225...
  • Page 125 www.zyxel.com 5 In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan20; VID: 20 In Member Configuration, set ge2 to be Member and Tx Tagging. In IP Address Assignment, Use Fixed IP Address and key in IP Address, Subnet Mask, and Gateway.
  • Page 126 www.zyxel.com 6 Go to CONFIGURATION > Network > Interface > Ethernet, select ge1 and Edit it. Change the Interface Type to external and Get Automatically in IP Address Assignment. 126/225...
  • Page 127 www.zyxel.com 7 Go to CONFIGURATION > Network >Routing > Policy Route and click Add to add a policy route. Select Interface ge1 in Next-Hop, and outgoing-interface in Address Translation after clicking Show Advanced Settings. 127/225...
  • Page 128: Configure Radius Server Setting

    www.zyxel.com 4.5.2 Configure Radius Server Setting 1 Go to CONFIGURATION > Object > AAA Server > RADIUS, click #1 radius, and then click Edit. Set the Server Address, and Authentication Port is 1812. Enter the Key for Radius server and click OK.
  • Page 129: Configure Ap Profile

    www.zyxel.com 4.5.3 Configure AP Profile 1 Configure the AP profile to use 802.1x authentication that the user needs to log in with their ID and Password when connecting to the AP‟s SSID. Go to CONFIGURATION > Object > AP Profile > SSID > Security List, select the default AP profile and edit.
  • Page 130 www.zyxel.com 2 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and select the default AP profile and edit. Key in the Profile Name and SSID, and change Security Profile to default which is created in step1. Click OK to save. 130/225...
  • Page 131 www.zyxel.com 3 Go to CONFIGURATION > Wireless > AP Management > AP Group, select the default AP profile and edit. Select default in the SSID Profile #1 in both radio1 and radio2. Click OK to apply the settings. 131/225...
  • Page 132: Test The Result

    www.zyxel.com 4.5.4 Test the Result 1 Use mobile phone to connect with SSID DyVlan. Enter the Username and Password which are in VLAN 10 group, and then click Join to connect with the AP. 2 The logged-in client gets an IP in VLAN10. 132/225...
  • Page 133 www.zyxel.com 3 Use the mobile phone to connect with SSID DyVlan. Enter the Username and Password which is in VLAN 20 group, and then click Join to connect with the AP. 4 The logged-in client gets an IP in VLAN20. 133/225...
  • Page 134: What Could Go Wrong

    www.zyxel.com 4.5.5 What Could Go Wrong 1 When you set the dynamic VLAN in the NXC controller, the radius server needs to set the corresponding VLAN groups for authentication. 2 Because the dynamic VLAN setting is in the NXC controller, it only supports radius server type “Internal”...
  • Page 135: How To Configure Captive Portal

    www.zyxel.com 4.6 How to Configure Captive Portal? 4.6.1 Captive Portal Redirect on Controller? The example instructs how to set up captive portal redirect on the controller. A captive portal can intercepts network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page.
  • Page 136 www.zyxel.com Figure 18 Captive portal redirect on controller (NXC is gateway) Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG20v2 (Firmware Version: V4.15), NXC2500 (Firmware Version: 5.10), GS2210-8HP (Firmware Version: V4.30) 136/225...
  • Page 137: Configure Authentication Method Setting

    www.zyxel.com 4.6.1.1 Configure Authentication Method Setting 1 Go to CONFIGURATION > Object > User/Group, click add to create a new user ID and password. Stations can log in captive portal to access the Internet via this account. Enter the User Name as login ID for captive portal and User Type is guest.
  • Page 138: Configure Captive Portal

    www.zyxel.com 4.6.1.2 Configure Captive Portal 1 Go to CONFIGURATION > Object > Address > Address, click add to create an address range which needs to do captive portal authentication before accessing to the Internet. Enter profile Name and change Address Type to RANGE. In this example, the IP range for guest is 192.168.1.100 to 192.168.1.200 on DHCP server (USG).
  • Page 139 www.zyxel.com 2 Go to CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule, click add to create a policy rule for stations which get an IP range from 192.168.1.100 to 192.168.1.200. In General Settings, check Enable Policy and enter the Description of this policy.
  • Page 140: Configure Ap Profile When Usg Is The Gateway

    www.zyxel.com 4.6.1.3 Configure AP Profile when USG is the Gateway 1 To make sure the USG is the gateway for vlan0 interface which is for client accessing the Internet, go to CONFIGURATION > Network > Interface > VLAN > vlan0 > Edit, enter USG‟s IP in Gateway.
  • Page 141 www.zyxel.com CP_test which created in step2. Click Override Member AP Setting to apply the SSID to AP and click Yes in the pop-up window. Click OK. 4 Logout from NXC controller. 141/225...
  • Page 142: Configure Ap Profile When Nxc Is The Gateway

    www.zyxel.com 4.6.1.4 Configure AP Profile when NXC is the Gateway 1 Make sure the NXC is the gateway for vlan0 interface which is the captive portal and stations need to connect to. Go to CONFIGURATION > Network > Interface > VLAN > vlan0 > Edit, select no in Member for ge2 and enter the NXC‟s IP in Gateway.
  • Page 143 www.zyxel.com 2 Go to CONFIGURATION > Network > Interface > Ethernet, click ge2 and then click Edit to make ge2 as the external interface for connecting with the Internet. Change Interface Type to external and IP Address Assignment is Get Automatically. Click OK to save.
  • Page 144 www.zyxel.com 3 Go to CONFIGURATION > Network > Routing > Policy Route, and click Add to add a routing rule for outgoing traffic. Click Show Advanced Settings. Check Enable in Configuration. Select Interface in Incoming and select to vlan0 in Please select one member.
  • Page 145 www.zyxel.com 4 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and click Add to add a SSID for captive portal. Key in the SSID to CP_guest, and change Security Profile to default which sets none security. Click OK to save. 5 Go to CONFIGURATION >...
  • Page 146: Test The Result

    www.zyxel.com 4.6.1.5 Test the Result 1 Connect to SSID CP_guest from the computer. After connection is successfully established, check if the IP is in the range from 192.168.1.100 to 192.168.1.200, and the gateway is NXC‟s IP. 2 Open a browser and visit a website it after the computer connects to the AP successfully.
  • Page 147 www.zyxel.com 3 After entering the username and password correctly, the connected station is able to access the Internet now. There is also a pop-window to show the detail information of the renew time and re-authentication time after authentication succeed. 147/225...
  • Page 148: What Could Go Wrong

    www.zyxel.com 4.6.1.6 What Could Go Wrong 1 The DNS MUST be set in the DHCP setting, or the captive portal might fail to redirect because NXC controller is not able to know the correct IP address of the website which stations access to.
  • Page 149 www.zyxel.com 5 When using the NXC2500 as the controller, the uplink port MUST be ge1. 149/225...
  • Page 150: Captive Portal Redirect On Ap

    www.zyxel.com 4.6.2 Captive Portal Redirect on AP? The example instructs how to set up captive portal redirect on the AP. A captive portal can intercepts network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. Typically, you often find captive portal pages in public hotspots.
  • Page 151: Configure Ap Profile And User

    www.zyxel.com 4.6.2.1 Configure AP Profile and User 1 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, click Add to add a SSID for captive portal. Key-in the Profile Name is CP_test and SSID as CP_guest, and select Security Profile to default which sets none security.
  • Page 152 www.zyxel.com 3 Go to CONFIGURATION > Object > Auth. Method,and click add to create an authentication method. Enter the Name of this authentication method and select to local in the Method List. 152/225...
  • Page 153: Configure Captive Portal

    www.zyxel.com 4.6.2.2 Configure Captive Portal 1 Go to CONFIGURATION > Captive Portal > Redirect on AP > Authentication Policy Rule, and click add to create a policy rule for stations which connect to SSID profile CP_test. In General Settings, check Enable Policy and enter the Profile Name of this policy.
  • Page 154 www.zyxel.com 2 Go to CONFIGURATION > Captive Portal > Redirect on AP > Authentication Policy Group, and click default to edit. In the setting, click Add to add the policy rule which is created in previous step. 3 Go to CONFIGURATION > Captive Portal > Captive Portal, check Enable Captive Portal.
  • Page 155: Broadcast Ssld

    www.zyxel.com 4.6.2.3 Broadcast SSlD 1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click default to Edit. Change #1 to CP_test. 155/225...
  • Page 156 www.zyxel.com 2 In the same setting page as previous step, select default for Auth. Policy Group in Poral Redirect on AP. Click OK to save. 3 Logout from NXC controller. 156/225...
  • Page 157: Test The Result

    www.zyxel.com 4.6.2.4 Test the Result 1 Connect the station to the SSID „CP_guest‟. Open a browser and visit a website after the computer and AP connect successfully. The browser redirects the webpage to captive portal page and the user needs to enter the username and password for authentication before accessing the Internet.
  • Page 158: What Could Go Wrong

    www.zyxel.com 4.6.2.5 What Could Go Wrong 1 The DNS MUST be set in the DHCP setting, or the captive portal might fail to redirect because NXC controller is not able to know the correct IP address of the website which stations access to.
  • Page 159: Captive Portal With Qr Code

    www.zyxel.com 4.6.3 Captive Portal with QR Code? The example instructs how to set up captive portal authentication with QR code. This new feature offers two convenient and fast methods to access the Internet. The first method is authenticator assisted. This means that the employees are the authenticators, who can authenticate the guest to access the Internet.
  • Page 160: Configure Ap Profile

    www.zyxel.com 4.6.3.1 Configure AP Profile 1 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and double click default to modify the SSID for captive portal. Key in the SSID to CP_QR, and change Security Profile to default which sets none security.
  • Page 161 www.zyxel.com 2 Go to CONFIGURATION > Object > AP Profile > SSID > Security List, Click Add to add the security profile for employees. Key in the Profile Name and SSID to employee. Click OK to save. 161/225...
  • Page 162 www.zyxel.com 3 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, double click Add to add the SSID for employees. Key in the Profile Name and SSID to CP_employee with VLAN ID 10, and change Security Profile to employee. Click OK to save. 162/225...
  • Page 163: Configure Vlan

    www.zyxel.com 4.6.3.2 Configure VLAN 1 Go to CONFIGURATION > Network > Interface > VLAN, click Add to add VLAN 10 and set NXC2500 as the DHCP server of VLAN 10. Click OK to save. 163/225...
  • Page 164 www.zyxel.com 2 Go to CONFIGURATION > Network > Interface > VLAN, click Add to add VLAN 20 and set NXC2500 as the DHCP server of VLAN 20. Click OK to save. 164/225...
  • Page 165: Create Assistance Account

    www.zyxel.com 4.6.3.3 Create Assistance Account 1 Go to CONFIGURATION > Object > User/Group > User, and click Add to add the user as the assistance account for employees to help the guest pass the authentication when the guest scan the QR code. Click OK to save. 2 Go to CONFIGURATION >...
  • Page 166 www.zyxel.com 3 Go to CONFIGURATION > Object > Auth. Method > Authentication Method, and double click default to edit the method as local. Click OK to save. 166/225...
  • Page 167: Set Guest Address & Zone

    www.zyxel.com 4.6.3.4 Set Guest Address & Zone 1 Go to CONFIGURATION > Object > Address > Address, click Add to add the guest address. Change the Address Type to RANGE and enter the starting and end IP address. Click OK to save.
  • Page 168: Configure Captive Portal

    www.zyxel.com 4.6.3.5 Configure Captive Portal 1 Go to CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule, click add to create a policy rule for guests whose IP addresses are in the setting range. In User Auth Policy, change Source Address to QR_Guest_addr and Authentication is required.
  • Page 169 www.zyxel.com 2 In the same page of step 1. Check the Authentication with QR code, and change the Guest Account to QR_Guest. Check Authenticator-assisted and the QR Portal Address is vlan10 interface IP. The Authenticator is the employee account or group. Click Apply. 3 Go to CONFIGURATION >...
  • Page 170 www.zyxel.com 4 Go to CONFIGURATION > Captive Portal > Redirect on Controller > QR Code Configuration. Check Print Out QR Code and use the QR code for customer to do self-service. 170/225...
  • Page 171 www.zyxel.com 4.6.3.6 Broadcast SSlD 1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click default to Edit. Change #1 to CP_QR and #2 to CP_employee. 171/225...
  • Page 172: Test The Result

    www.zyxel.com 4.6.3.7 Test the Result 1 Authenticator-assisted When the guests connect to the SSID „CP_QR‟, they get IP addresses between 192.168.20.100 to 192.168.20.110, and are redirected to captive portal with QR code as shown below. When the captive portal page is shown, the customer asks for an employee who has connected with SSID “CP_employee”...
  • Page 173 www.zyxel.com 2 Self-serviced When the guests connect to the SSID „CP_RQ‟, they get an IP addresses between 192.168.20.100 to 192.168.20.110, and is redirected to captive portal with QR code as shown below. When the captive portal page is shown, the guest scans the printed QR code in the last step.
  • Page 174: What Could Go Wrong

    www.zyxel.com 4.6.3.8 What Could Go Wrong 1 The DNS MUST be set in the DHCP server, or the captive portal might fail to redirect because NXC controller is not able to know the correct IP address of the website which stations want to access.
  • Page 175 www.zyxel.com 4 If the user enters an incorrect username or password, there is a login failure webpage. Please click Retry and use the correct username and password to log in. 5 When using the NXC2500 as the controller, the uplink port MUST be ge1.
  • Page 176: Captive Portal With External Webserver

    www.zyxel.com 4.6.4 Captive Portal with External Webserver? The example instructs how to set up captive portal redirect via the external web page. A captive portal can intercepts network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page.
  • Page 177: Configure Interface

    www.zyxel.com 4.6.4.1 Configure Interface 1 Go to CONFIGURATION > Network > Interface > VLAN, click vlan0 and edit it. Remove ge6 by selecting “no” in the Member Configuration. Set a fixed IP for the interface, and use DHCP server with DNS. Click OK to save. 177/225...
  • Page 178 www.zyxel.com 2 Go to CONFIGURATION > Network > Interface > Ethernet, select ge6 and Edit it. Change the Interface Type to external Click OK to save. 178/225...
  • Page 179 www.zyxel.com 3 Go to CONFIGURATION > Network > Policy Route, click Add to add a routing rule for outgoing traffic. Click Show Advanced Settings. Check Enable in Configuration. Select Interface in Incoming and select to vlan0 in Please select one member. Change Type to Interface and select Interface ge6.
  • Page 180: Configure Authentication Method Setting & Address

    www.zyxel.com 4.6.4.2 Configure Authentication Method Setting & Address 1 Go to CONFIGURATION > Object > User/Group, click add to create a new user ID and password. Stations can log in to the captive portal to access the Internet via this account. Enter the User Name as login ID for captive portal and User Type is guest.
  • Page 181 www.zyxel.com 3 Go to CONFIGURATION > Object > Address > Address, click add to create an address range which needs to do captive portal authentication before accessing to the Internet. Enter profile Name and change Address Type to RANGE. In this example, the IP range for guest is 192.168.1.199 to 192.168.1.209.
  • Page 182: Configure Captive Portal

    www.zyxel.com 4.6.4.3 Configure Captive Portal 1 Go to CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule, click add to create a policy rule. In User Auth Policy, change Source Address to CP_ex and Authentication is required. Check Force User Authentication, and change the Authentication Method to default.
  • Page 183 www.zyxel.com 3 Go to CONFIGURATION > Captive Portal > Captive Portal, check Enable Captive Portal. Click Apply to apply the settings. 183/225...
  • Page 184: Configure Ap Profile

    www.zyxel.com 4.6.4.4 Configure AP Profile 1 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, double click add to add a SSID for wireless connection with external captive portal. Key in the SSID to CP_ex, and change Security Profile to default which sets none security.
  • Page 185: Test The Result

    www.zyxel.com 4.6.4.5 Test the Result 1 Connect the station to the SSID „CP_ex‟. Open a browser and visit a website after the computer and AP connect successfully. The browser redirects the webpage to external captive portal page and the user needs to enter the username and password for authentication before accessing the Internet.
  • Page 186: What Could Go Wrong

    www.zyxel.com 4.6.4.6 What Could Go Wrong 1 The DNS MUST be set in the DHCP server, or the captive portal might fail to redirect because NXC controller is not able to know the correct IP address of the website which stations want to access.
  • Page 187 www.zyxel.com 4 When using the NXC2500 as the controller, the uplink port MUST be ge1. 187/225...
  • Page 188: How To Generate And Import Certificate On Nxc Controller

    www.zyxel.com 4.7 How to Generate and Import Certificate on NXC Controller? The example instructs how to import a certificate on NXC controller. It shows how to create two different types of certificates and save them to the controller.. Figure 22 Certificate on NXC Controller Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 189: Create A Self-Signed Certificate

    www.zyxel.com 4.7.1 Create a Self-signed Certificate 1 Go to CONFIGURATION > Object > Certificate > My Certificates, click Add to create a certificate. Key in the Configuration > Name and Subject Information. In Enrollment Options, select Create a self-signed certificate. Click OK. 189/225...
  • Page 190 www.zyxel.com 2 Go to CONFIGURATION > Object > Certificate > My Certificates > Edit, and click Export Certificate with Private key to save the certificate. The exported certificate can be used by other devices, and once the devices have this certificate, they know the controller.
  • Page 191 www.zyxel.com 4 Go to CONFIGURATION > System > Auth. Server, change the Authentication Server Certificate to csotest which is created in the previous step. 191/225...
  • Page 192: Test The Result

    www.zyxel.com 4.7.2 Test the Result 1 Go to CONFIGURATION > Object > Certificate > My Certificates, click the self-signed certificate and click edit. It shows validation result=self-signed in certification path. 2 When the customer connects to a SSID with 802.1x security, there is a certificate trust request pop-up screen with the detailed information of the certificate created in step 4.7.1.
  • Page 193: Create A Certification Request And Save It Locally For Later Manual Enrollment

    www.zyxel.com 4.7.3 Create a Certification Request and Save It Locally for later Manual Enrollment 1 Go to CONFIGURATION > Object > Certificate > My Certificates, and click Add to create a certificate. Key in the Configuration > Name and Subject Information. In Enrollment Options, select Create a certification request and save it locally for later manual enrollment.
  • Page 194 www.zyxel.com 2 Go to CONFIGURATION > Object > Certificate > My Certificates, and click the certificate that you just created in step 1. Click Edit. Copy the Certificate in PEM(Base-64) Encoded Format and send to the certificate server. Click OK. 194/225...
  • Page 195 www.zyxel.com 3 Go to CONFIGURATION > Object > Certificate > My Certificates, click Import to import the certificate released from the server. 4 Go to CONFIGURATION > Object > Certificate > Trusted Certificates, click Import to add a trusted certificate which is also released from the certificate server.
  • Page 196 www.zyxel.com 5 Go to CONFIGURATION > System > Auth. Server, change the Authentication Server Certificate to csotest2 which is created in the previous step. 196/225...
  • Page 197: Test The Result

    www.zyxel.com 4.7.4 Test the Result 1 Go to CONFIGURATION > Object > Certificate > My Certificates, the type in my certificates List shows CERT after importing the certificate gotten from the server. 2 Go to CONFIGURATION > Object > Certificate > My Certificates, double click the certificate (certnew.cer in this example).
  • Page 198 www.zyxel.com 3 When the customer connects to a SSID with 802.1x security, there is a certificate trust request pop-up screen with the detailed information of the certificate created in step 4.7.3. 198/225...
  • Page 199: What Could Go Wrong

    www.zyxel.com 4.7.5 What Could Go Wrong 1 If the root certificate is not imported as a trusted certificats, although the certificate type switches to CERT, the certification path still shows Validation Result = incomplete path. 199/225...
  • Page 200: How To Defect The Rogue Ap

    www.zyxel.com 4.8 How to Defect the Rogue AP? A rogue AP works without being controlled by the administrator of the Network. It may cause the security issue for the network and we can use the AP in monitor mode to contain the rogue AP. Figure 23 Monitor Rogue AP and Containment Note: All network IP addresses and subnet masks are used as examples in this article.
  • Page 201: Configure Ap To Monitor Mode

    www.zyxel.com 4.8.1 Configure AP to Monitor Mode 1 Configure a monitor profile in CONFIGURATION > Object > MON Profile. Select the default profile and click Edit to change. Check the Scan Channel Mode is auto and Country Code is correct and is the location where you use the AP. Click OK to save.
  • Page 202: Detected Devices And Containment

    www.zyxel.com 4.8.2 Detected Devices and Containment 1 In MONITOR > Wireless > Detected Device, Click Refresh if there‟s no rogue AP in the list. Select the rogue AP and click Mark as Rogue AP. 2 When the AP is marked as a rogue AP, it can be set in the containment list in CONFIGURATION >...
  • Page 203: Test The Result

    www.zyxel.com 4.8.3 Test the Result 1 When the AP is marked as a rogue AP, it is shown in MONITOR > Wireless > Detected Device. 2 When the AP is set in the containment list, the stations are disconnected right away after they connect to the rogue AP. 203/225...
  • Page 204: Maintain Nxc Controller

    www.zyxel.com Maintain NXC Controller 5.1 How to Do Firmware upgrade 1. There are two ways to do firmware upgrade, GUI and FTP. The firmware can be downloaded from Zyxel support center. Please find below the website address of the support center. http://www.zyxel.com/support/support_landing.shtml 2.
  • Page 205: Firmware From Gui

    www.zyxel.com 5.1.1 Firmware from GUI? The example instructs how to do FW upgrade from GUI. The Firmware version will be changed from v5.00 to v5.10. Figure 24 Firmware Upgrade from GUI Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
  • Page 206: Firmware Upgrade On Gui

    www.zyxel.com 5.1.1.1 Firmware Upgrade on GUI 1 In MAINTENANCE > File Manager > Firmware Package, check if the NXC's current firmware version is the same as the one you are going to install. 2 In MAINTENANCE > File Manager > Firmware Package, click Browse…in Upload File and select the firmware you want to install.
  • Page 207: Test The Result

    www.zyxel.com 5.1.1.2 Test the Result 1 After starting firmware upgrade, there‟s a notification about firmware upload. 2 After finishing firmware upload, the system will start to firmware upgrade. 3 After the firmware upgrade is complete and successful, you can check it on GUI Dashboard. 207/225...
  • Page 208: What Could Go Wrong

    www.zyxel.com 5.1.1.3 What Could Go Wrong 1 When the firmware is uploading and the traffic for transferring the firmware is disconnected, the firmware upgrade will not be successful. 2 When the firmware is upgrading, please do not reset or reboot the controller.
  • Page 209: Firmware From Ftp

    www.zyxel.com 5.1.2 Firmware from FTP? The example instructs how to do FW upgrade from FTP. This is usually used when you failed to access the web GUI. Figure 25 Firmware Upgrade from GUI Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
  • Page 210: Firmware Upgrade On Gui

    www.zyxel.com 5.1.2.1 Firmware Upgrade on GUI 1 Copy the firmware to the root directory of the C drive on your computer c:\ and do not change the file name of the firmware. 2 Use the following command to ping the controller for checking the connection.
  • Page 211 www.zyxel.com 5 Enter put c:\ 510AAIG1C0\510AAIG1C0.bin and wait for the file transfer to complete. After the transmission is finished, the controller will start to upgrade. 211/225...
  • Page 212: Test The Result

    www.zyxel.com 5.1.2.2 Test the Result 1 After starting firmware upgrade, the LED flashes and it takes about 5 minutes to finish. 2 After the firmware is upgraded successfully, you can check it on GUI Dashboard. 212/225...
  • Page 213: What Could Go Wrong

    www.zyxel.com 5.1.2.3 What Could Go Wrong 1 When the firmware is uploading and the traffic for transferring the firmware is disconnected, the firmware upgrade will not be successful. 2 When the firmware is upgrading, please do not reset or reboot the controller.
  • Page 214: How To Reset The Controller/Ap

    www.zyxel.com 5.2 How to Reset the Controller/AP? The example instructs how to reset the controller/AP. This is usually used when there‟s a new deployment or misconfiguration. Figure 26 Firmware Upgrade from GUI Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
  • Page 215: Reset To Default From Gui

    www.zyxel.com 5.2.1 Reset to Default from GUI 1 Log in to controller and go to MANTENANCE > File Manager > Configuration File. Click “system-default conf” in the list and Apply. 5.2.2 Reset to Default from Hardware 1 Push the RESET button over 15 seconds for resetting to defaults. 215/225...
  • Page 216: Test The Result

    www.zyxel.com 5.2.3 Test the Result 1 After resetting to default settings, the controller‟s IP is 192.168.1.1 and AP‟s IP is 192.168.1.2. 2 All the settings are changed back to default settings. 216/225...
  • Page 217: Trouble Shooting

    www.zyxel.com Trouble Shooting 6.1 How to Collect the Diagnostic Info? The diagnostic info needs to be collected when there‟s any problem happened on the controller or AP. Figure 27 Collect the Diagnostic Info Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
  • Page 218: Collect Diagnostic Info

    www.zyxel.com 6.1.1 Collect Diagnostic Info 1 In MAINTENANS > Diagnostic > Diagnostics, select on Collect on Controller and click Collect Now when the controller has any problem. 2 A window pops up when the controller is collecting the diagnostic. 218/225...
  • Page 219 www.zyxel.com 3 In MAINTENANS > Diagnostic > Diagnostics, select on Collect on AP and move the AP‟s MAC to the collected APs list. Click Collect Now to start collection. 4 A window pops up when the controller is collecting the diagnostic.
  • Page 220: Test The Result

    www.zyxel.com 6.1.2 Test the Result 1 When the collection finished, a pop-up window shows “Done the collection.” 2 After capturing the packet, there is a file in MAINTENANCE > Diagnostics > Diagnostic > Files for downloading. 220/225...
  • Page 221: How To Configure The E-Mail Settings For Sending Logs

    www.zyxel.com 6.2 How to Configure the E-mail Settings for Sending Logs? This configuration set email for sending logs and let the controller manager gets the daily report and the system logs. Figure 28 E-mail Settings for Sending Logs Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.
  • Page 222: Configure Log & Report

    www.zyxel.com 6.2.1 Configure Log & Report 1 Configure daily report in CONFIGURATION > Log & Report > Email Daily Report. In Email Settings, enter the Mail Server which can send out the email. Check the Append data time for daily report, and set the email address in Mail From and Mail To.
  • Page 223 www.zyxel.com 2 Configure daily report in CONFIGURATION > Log & Report > Log Settings. In Log Settings, click the first setting and Edit it. Check Active to activate this setting. Enter the Mail Server, and set the email address in Mail From and Mail To. Set the sending condition to Daily and When Full, and the Time for Sending Log.
  • Page 224: Test The Result

    www.zyxel.com 6.2.2 Test the Result 1 The manager who has the email receives the system Daily report. 224/225...
  • Page 225 www.zyxel.com 2 The manager who has the email receives the log daily or when it‟s full. 225/225...

This manual is also suitable for:

Nxc 5500

Table of Contents