www.zyxel.com

Contents

Manage APs through NXC Controller
1.1 How to Manage APs through NXC Controller
1.1.1 Configuration in the AP
1.1.2 Test the Result
1.1.3 What Could Go Wrong?
1.2 How to Enlarge Managed AP Number with License
1.2.1 Device Registration
...
2.4 How to Set up Seamless Wireless Roaming?
2.4.1 Configure APs via AP Group
2.4.2 Test the Result
2.4.3 What Could Go Wrong?
Optimize the Wireless Environment
3.1 How to Set up User Ratio of 2.4GHz and 5GHz to Avoid WiFi Congestion?
...
4.2.3 Test the Result
4.2.4 What Could Go Wrong
4.3 How to Configure 802.1x to Secure the Wireless Environment with an External LDAP Server?
4.3.1 Configure LDAP Server Setting
4.3.2 Configure AP Profile
4.3.3 Test the Result
...
4.6.3.2 Configure VLAN
4.6.3.3 Create Assistance Account
4.6.3.4 Set Guest Address & Zone
4.6.3.5 Configure Captive Portal
4.6.3.6 Test the Result
4.6.3.7 What Could Go Wrong
4.6.4 Captive Portal with External Webserver?
4.6.4.1 Configure Interface
...
5.2.2 Reset to Default from Hardware
5.2.3 Test the Result
Trouble Shooting
6.1 How to Collect the Diagnostic Info?
6.1.1 Collect Diagnostic Info
6.1.2 Test the Result
6.2 How to Configure the E-mail Settings for Sending Logs?

Manage APs through NXC Controller

1.1 How to Manage APs through NXC Controller

This example shows how to use the NXC controller to manage APs via manual setting, DHCP option 138 and broadcast. In the case shown below, there are two subnets in the environment. APs in the same subnet as the NXC controller can find it via broadcast without any settings.

1.1.1 Configuration in the AP

1. In the same subnet (for AP1 and AP2), the APs don't need any settings. The APs find the NXC controller via broadcast, and by default the NXC controller always accepts APs into its managed list. The NXC controller manages the APs without any settings.

1.1.2 Test the Result

1. When the APs and the NXC controller are in the same subnet, the NXC controller manages the APs without any settings. The result is visible in MONITOR > Wireless > AP Information > AP List.
2. When the APs and the NXC controller are in different subnets, the APs can find the NXC controller through a manually set NXC controller IP or DHCP option 138.

1.1.3 What Could Go Wrong?

1. To make sure the NXC controller routes traffic correctly, remember to set up the gateway in the NXC controller.
2. When you use the manual NXC controller IP or DHCP option 138, make sure the NXC controller's IP is correct so that the APs can find the NXC controller.

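The check in item 2 above, as an added example that is not part of the original guide: it parses the options field of a DHCP offer, extracts the controller addresses carried in option 138 (the CAPWAP access controller option defined in RFC 5417) and compares them with the intended controller IP. The sample option bytes and the address 192.168.1.55 are constructed for the example.

```python
import ipaddress

CAPWAP_AC_V4 = 138   # RFC 5417: list of CAPWAP access controller IPv4 addresses
PAD, END = 0, 255    # single-byte options without a length field


def parse_dhcp_options(raw: bytes) -> dict:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    options = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(raw):
            raise ValueError(f"option {code}: length byte missing")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        # A repeated option code is concatenated (RFC 3396 long-option rule).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def controller_addresses(options: dict) -> list:
    """Return the IPv4 addresses carried in option 138, in the order offered."""
    data = options.get(CAPWAP_AC_V4)
    if data is None:
        return []
    if not data or len(data) % 4:
        raise ValueError("option 138 must carry one or more 4-byte addresses")
    return [ipaddress.IPv4Address(data[i : i + 4]) for i in range(0, len(data), 4)]


def audit_offer(raw_options: bytes, expected: list) -> list:
    """Compare the offered controller addresses with the intended ones."""
    expected_set = {ipaddress.IPv4Address(a) for a in expected}
    offered = controller_addresses(parse_dhcp_options(raw_options))
    if not offered:
        return ["option 138 absent: APs in other subnets cannot discover the controller"]
    findings = []
    for addr in offered:
        if addr not in expected_set:
            findings.append(f"unexpected controller address {addr}")
    for addr in sorted(expected_set - set(offered)):
        findings.append(f"expected controller {addr} not offered")
    return findings


# Constructed sample option fields: message type (53), subnet mask (1),
# router (3), then option 138, then END.
COMMON = bytes([53, 1, 2, 1, 4, 255, 255, 255, 0, 3, 4, 192, 168, 2, 1])
OFFER_OK = COMMON + bytes([138, 4, 192, 168, 1, 55, 255])
OFFER_TYPO = COMMON + bytes([138, 4, 192, 168, 1, 155, 255])
OFFER_NO_138 = COMMON + bytes([255])

if __name__ == "__main__":
    for label, raw in (("ok", OFFER_OK), ("typo", OFFER_TYPO), ("none", OFFER_NO_138)):
        print(label, audit_offer(raw, ["192.168.1.55"]))
```
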
1.2 How to Enlarge Managed AP Number with License

This example shows how to enlarge the managed AP number with a license. The default managed AP number is 8 units for the NXC2500 and 64 units for the NXC5500. If you want to control more than the default number of managed units, you need to import a license to enlarge the managed AP number.

1.2.1 Device Registration

1. Click the hyperlink on the NXC controller's GUI to connect to portal.myzyxel.com in CONFIGURATION > Licensing > Registration.
2. After logging in to the registration portal, click Device Registration to register a device by filling in the MAC Address and Serial Number.
3. Click Next to activate security services on the device, and click Close in the next step.

1.2.2 Service Registration

1. Click Service Registration and fill in the License Key. Click Submit to register the license key.
2. Click Service Management, and click the Link. Select a device, and then click Submit to activate the license key for the selected device.

Set up a Wireless Connection Environment

2.1 How to Set WiFi Multiple SSID for Office Environment?

2.1.1 When USG is DHCP Server for VLAN10 and VLAN20

This example shows how to configure VLANs and assign different VLANs to different SSIDs in the NXC. In this example, the USG is the only DHCP server in the environment, and the NXC only needs VLANs set up to pass traffic.

2.1.1.1 Configure NXC's Interface to Go to Internet

1. Connect the NXC controller to a USG LAN port. In the USG, all LAN ports are DHCP server for interface LAN, VLAN10, VLAN20, and all the stations connected to APs get an IP from the USG.

2.1.1.2 Configure VLAN

1. Connect the switch to NXC ge2 (P2), and connect all APs to the switch.
2. In the NXC, go to CONFIGURATION > Network > Interface > VLAN and click Add to create a new VLAN (VLAN10).
3. In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan10; set VID: In Member Configuration, set ge2 to be a Member and Tx Tagging to yes. In IP Address Assignment, Use Fixed IP Address and key in IP Address, Subnet Mask.
4. Click Add to create the VLAN20 configuration in CONFIGURATION > Network > Interface > VLAN.
5. In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan20; set VID: In Member Configuration, set ge2 to be a Member and Tx Tagging to yes. In IP Address Assignment, Use Fixed IP Address and key in IP Address, Subnet Mask.

2.1.1.3 Configure Security and SSID

1. Go to CONFIGURATION > Object > AP Profile > SSID > Security List and click Add to create a new security profile for staff. In General Settings, key in Staff as the profile name, and set the security mode to wpa2.
2. Click Add to create a new security profile for guest. In General Settings, key in guest as the profile name, and set the security mode to none. Click OK.
3. Go to CONFIGURATION > Object > AP Profile > SSID > SSID List and click Add to create an SSID for staff.
4. Click Add to create an SSID for guest in vlan20. In Profile Name and SSID, key in guest. In Security Profile, select guest. In VLAN ID, key in 20. Click OK.

2.1.1.4 Configure AP Profile to Broadcast SSID

1. Go to CONFIGURATION > Wireless > AP Management > AP Group and click Edit for the default group. In Radio 1 and Radio 2, set the SSID profiles Staff and guest. Click OK to apply the configuration.

2.1.2 When NXC is DHCP Server for VLAN10 and VLAN20

This example shows how to configure VLANs and assign different VLANs to different SSIDs in the NXC when the NXC is the DHCP server for the VLANs. The USG does not need any other settings when different VLANs are added to the environment, since the NXC is the DHCP server for the VLANs.

2.1.2.1 Configure Interface ge1 to Go to Internet

1. Connect ge1 (P1) to a USG LAN port. In the USG, LAN ports are DHCP server and all APs get an IP from LAN.
2. In the NXC, go to CONFIGURATION > Network > Interface > VLAN to set the USG's LAN IP as the gateway.

2.1.2.2 Configure VLAN

1. Connect the switch to NXC ge2, and connect all APs to the switch.
2. In the NXC, go to CONFIGURATION > Network > Interface > VLAN and click Add to create a new VLAN.
3. In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan10; VID: 10. In Member Configuration, set ge2 to be a Member and Tx Tagging. In IP Address Assignment, Use Fixed IP Address and key in IP Address, Subnet Mask, and Gateway.
4. Click Add to create VLAN20 in CONFIGURATION > Network > Interface > VLAN.
5. In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan20; VID: 20. In Member Configuration, set ge2 to be a Member and Tx Tagging. In IP Address Assignment, Use Fixed IP Address and key in IP Address, Subnet Mask, and Gateway. In DHCP Setting, select DHCP server and key in IP Pool Start Address and Pool Size.

2.1.2.3 Set Policy Route

1. Set Policy Route in CONFIGURATION > Network > Routing > Policy Route to create a new routing rule. Click Show Advanced Settings. In Configuration, check Enable. In Criteria, set Incoming to Interface and set Please select one member to vlan10.
2. Set Policy Route in CONFIGURATION > Network > Routing > Policy Route to create a new routing rule. Click Show Advanced Settings. In Configuration, check Enable. In Criteria, set Incoming to Interface and set Please select one member to vlan20. In Next-Hop, set Type to Interface and Interface to vlan0. In Address Translation, set Source Network Address Translation to outgoing-interface to use the IP address of the...

2.1.2.4 Configure Security and SSID

1. Go to CONFIGURATION > Object > AP Profile > SSID > Security List and click Add to create a new security profile for staff. In General Settings, key in Staff as the profile name, and set the security mode to wpa2.
3. Go to CONFIGURATION > Object > AP Profile > SSID > SSID List and click Add to create an SSID for staff. In Profile Name and SSID, key in Staff. In Security Profile, select Staff. In VLAN ID, key in 10. Click OK.
4. Click Add to create an SSID for guest in vlan20. In Profile Name and SSID, key in guest. In Security Profile, select guest. In VLAN ID, key in 20. Click OK.

2.1.2.5 Configure AP Profile to Broadcast SSID

1. Go to CONFIGURATION > Wireless > AP Management > AP Group and click Edit for the default group. In Radio 1 and Radio 2, set the SSID profiles Staff and guest. Click OK to apply the configuration.

2.1.3 Test the Result

1. Use a laptop to select SSID Staff and key in the security setting for the connection. After the connection is successful, the laptop gets an IP in VLAN10.
2. Use a mobile phone to select SSID guest and connect to it. After the connection is successful, the mobile phone gets an IP in VLAN20.

2.1.4 What Could Go Wrong?

1. When the USG is the DHCP server, users may not get an IP if VLAN10 and VLAN20 are not set on the USG and the switch.
2. When the NXC is the DHCP server, users may not reach the Internet if the policy route is not set to outgoing-interface.

2.2 How to Set up Fail Over/Fall Back?

This example shows how to set up fail over and fall back. All managed APs connect to NXC controller 1 in this example. When NXC controller 1 fails to connect, all managed APs are controlled by NXC controller 2 through the fail over setting.

2.2.1 Configure Fail Over and Fall Back

1. To set the fail over in CONFIGURATION > Wireless > AP Management > AP Policy, enable Force Override Controller IP Config on AP. Select Manual and set the Primary Controller: 192.168.1.55 and Secondary Controller: 192.168.1.60.
2. To set the fall back in CONFIGURATION >...

2.2.2 Test the Result

1. In MONITOR > Log, check whether NXC controller 1 sets the configuration for the AP(s). The logs show the messages after the configuration is applied to the AP.
2. Disconnect NXC controller 1 from the switch; the managed APs then find NXC controller 2 and are controlled by it.

2.2.3 What Could Go Wrong?

1. The controllers need to have the same configurations/profiles and firmware; otherwise the AP changes its settings/firmware after failing over.
2. If NXC controllers 1 and 2 control different APs, after the AP policy settings are applied, clear the Force Override option on controller 2 by unchecking Force Override Controller IP Config on AP to avoid overriding the setting of APs from NXC...

2.3 How to Set up Mesh to Extend Wireless Coverage?

This example shows how to set up ZyMesh. When an AP's signal needs to be extended, use ZyMesh to set up a connection between the root AP and the repeater AP. Because the ZyMesh profile makes the WDS connection, the root AP and repeater AP don't need to use the same SSID for user connections.

2.3.1 Configure ZyMesh Profile

1. Both the root AP and the repeater AP need to use the same ZyMesh profile to set up the connection. Go to CONFIGURATION > Object > ZyMesh Profile and click Add to create a ZyMesh SSID and pre-shared key. The ZyMesh SSID is hidden and not visible.

2.3.2 Configure Root AP and Repeater AP

1. On the same AP, radio 2 cannot work as the repeater when radio 1 is the root AP. Select an AP in CONFIGURATION > Wireless > AP Management > Mgnt. AP List to edit the selected AP as root AP.

2.3.3 Test the Result

1. Check ZyMesh Link Info in MONITOR > Wireless > ZyMesh > ZyMesh Link Info. When ZyMesh is set up successfully, the root AP and repeater AP information shows in the ZyMesh link info.

2.3.4 What Could Go Wrong?

1. If the ZyMesh profiles are not the same on the root AP and the repeater AP, they cannot connect using ZyMesh. Go to CONFIGURATION > Wireless > AP Management > Mgnt. AP List to make sure the root AP's and repeater AP's ZyMesh profiles are the same.
4. The APs' country code must be the same for setting up a ZyMesh connection. You can check the country code in CONFIGURATION > Wireless > Controller.

2.4 How to Set up Seamless Wireless Roaming?

This example shows how to configure the profile and topology of two APs for roaming. The two APs need the same SSID, security and DHCP server, and overlapping signal. The two APs have the same DHCP server from the USG, and this example shows how to configure the APs with the same SSID and security.

2.4.1 Configure APs via AP Group

1. Roaming needs the same SSID and security. An AP group can assign the APs' configuration, so that the APs have the same SSID and security. Create a new security profile for roaming. Go to CONFIGURATION > Object > AP Profile > SSID > Security List and click Add.
2. Create a new SSID for roaming. In Profile Name and SSID, key in Roaming. In Security Profile, select Roaming. Click OK.
3. Create a new AP group for roaming, and select AP1 and AP2 as members of the AP group. In Profile Name, key in Roaming. In Radio1 Setting and Radio 2 Setting, change the SSID profile to Roaming. In AP List, move the two APs from Available to Member. Click OK.

2.4.2 Test the Result

1. The user connects to the SSID; make sure the user can access the Internet without any problem.
2. When the user is roaming from AP1 to AP2, the connection is not interrupted by the reconnection from AP1 to AP2.

2.4.3 What Could Go Wrong?

1. The user may disconnect when AP1's and AP2's signals do not overlap. If the Max out power is 30 and the two APs still don't overlap, move the two APs closer to make the signals overlap.
3. Enabling the threshold in the radio might cause disconnection between the AP and the station. When the RSSI in the overlap area is lower than the threshold value, the station cannot connect to the AP. The Station Signal Threshold and Disassociation Station Threshold should be lower than the overlapping area's RSSI.
4. “Band Select”...
6. Whether to roam is up to the station. The roaming tendency can be modified in the computer's settings.

Optimize the Wireless Environment

3.1 How to Set up User Ratio of 2.4GHz and 5GHz to Avoid WiFi Congestion?

This example shows how to configure an AP profile with band select. When users capable of both 2.4GHz and 5GHz connect to the AP, enabling band select makes it easy for them to connect on 5GHz.

3.1.1 Configure Band Select

1. The band select setting is in the SSID. Before creating a new SSID, a security profile must be created first. Go to CONFIGURATION > Object > AP Profile > SSID > Security List and click Add to create a new security rule for band select.
2. Go to CONFIGURATION > Object > AP Profile > SSID > SSID List and click Add to create a new SSID for band select. Use Band_Select as the Profile Name and SSID. Select BandSelect as the Security Profile. In Band Select, select standard to let users easily access the AP via the 5GHz band.
3. Go to CONFIGURATION > AP Management > AP Group and click Add to create a new group for band select. In General Setting, set Group Name as Band_Select. In Radio 1 Setting and Radio 2 Setting, select SSID profile Band_Select.

3.1.2 Test the Result

1. Use a device that supports 2.4GHz and 5GHz (e.g. a mobile phone or laptop) to connect to SSID Band_Select. The device connects to 5GHz first when it connects to the SSID.

3.1.3 What Could Go Wrong?

1. If the AP does not support dual band, band select does not work.
2. When the number of connected stations is greater than the stop threshold station number, band select stops working.
3. Band Select may cause interruptions for time-sensitive applications, such as roaming delays, if the client only supports 2.4GHz.

3.2 How to Set up RSSI Threshold to Avoid Low Rate User Connection Affected Wireless Performance?

This example shows how to set up the RSSI threshold. The RSSI threshold ensures wireless clients receive a good signal, so that they are not impacted by other clients with poor signal. There are two RSSI values to set. One is the station signal threshold, which sets a minimum client signal strength to connect with the AP;...

3.2.1 Configure Radio Setting for RSSI Threshold

1. Go to CONFIGURATION > Object > AP Profile > Radio and click Add to add a new 2.4GHz radio, RSSI_Threshold, for setting the RSSI threshold. Click Show Advanced Settings to check Enable Signal Threshold, and edit the values for Station Signal Threshold and Disassociation Station Threshold.

3.2.2 Apply Radio with RSSI Threshold

1. Go to CONFIGURATION > Wireless > AP Management > AP Group, click default and Edit it. In Radio 1 Setting, change the radio 1 AP Profile to RSSI_Threshold. Click Override Member AP Setting, and then click Yes to apply the setting to member APs.

3.2.3 Test the Result

1. In MONITOR > Station Info > Station List, check that the newly connected client's signal strength is stronger than -76dBm.
2. In MONITOR > Log > View AP Log, select the AP to which the station is connected and query its log. When the connected client's RSSI is less than -80dBm, the AP kicks the station out because of the RSSI threshold.

3.3 How to Set up Rate Limiting for Bandwidth Control?

This example shows how to set up rate limiting for each station's traffic rate. In this example, downlink sets the maximum incoming transmission data rate, and uplink sets the maximum outgoing transmission data rate for each client connected to a specific SSID.

3.3.1 Configure Rate Limiting

1. Go to CONFIGURATION > Object > AP Profile > SSID and click Add to add a new SSID, RateLimiting. Set the Downlink and Uplink maximum transmission data rate per station. Click OK.

3.3.2 Apply Rate Limiting to Management AP

1. Go to CONFIGURATION > Wireless > AP Management > AP Group, click default and Edit it. In Radio 1 Setting/Radio 2 Setting, change SSID Profile to RateLimiting. Click Override Member AP Setting, and then click Yes to apply the setting to member APs.

3.3.3 Test the Result

1. When the station is connected to the AP via SSID RateLimiting, the maximum incoming transmission data rate does not exceed 10 Mbps, and the maximum outgoing transmission data rate does not exceed 5 Mbps.

3.4 How to Share AP loading to Optimize Wireless Performance?

This example shows how to set up an AP group with load balancing. There are three types of load balancing: by station number, by traffic level, and by smart classroom. This example shows the configuration of these three kinds of load balancing for different scenarios. Load balancing is set per radio.

3.4.1 Configure Load Balance to “by Station Number”

1. Go to CONFIGURATION > Wireless > AP Management > AP Group and click default to edit it. In Load Balancing Setting, check Enable Load Balancing and Disassociate station when overloaded. Change Mode to by Station Number and set the Max Station Number.

3.4.2 Configure Load Balance to “by Traffic Level”

1. Go to CONFIGURATION > Wireless > AP Management > AP Group and click default to edit it. In Load Balancing Setting, check Enable Load Balancing and Disassociate station when overloaded. Set Mode to by Traffic Level and set the Traffic Level.

3.4.3 Configure Load Balance to “by Smart Classroom”

1. Go to CONFIGURATION > Wireless > AP Management > AP Group and click default to edit it. In Load Balancing Setting, check Enable Load Balancing. Set Mode to by Smart Classroom and set the Max Station Number.

3.4.4 Test the Result

1. When load balancing by station number, if the number of clients is greater than the configured number, the AP disconnects the client with the longest idle time first, and then the client with the poorest signal strength.
2. The traffic level is set to low and the maximum bandwidth allowed is 11 Mbps.
3. When the station number is greater than the max station number, the AP disconnects the clients with the poorest signal strength.

3.4.5 What Could Go Wrong?

1. Load balancing needs two APs; otherwise the function does not work.
2. The purpose of load balancing is to share load, not to limit the number of stations.
3. If all APs are over the max station number setting/traffic level, stations can still connect to the APs.

Secure the Wireless Environment

4.1 How to Configure 802.1x to Secure the Wireless Environment with an External RADIUS Server?

This example shows how to set up the NXC controller with an external RADIUS server. When a station wants to connect to the AP, you can use an AAA server to provide access control to your network.

4.1.1 Configure Radius Server Setting

1. Go to CONFIGURATION > Object > AAA Server > RADIUS, click #1 radius, and then click Edit. Set the Server Address; the Authentication Port is 1812. Enter the Key for the Radius server and click OK.

4.1.2 Configure AP Profile

1. Configure the AP profile to use 802.1x authentication, so that users need to log in with their ID and Password when connecting to the AP's SSID. Go to CONFIGURATION > Object > AP Profile > SSID > Security List and click Add to add security for 802.1x.
2. Go to CONFIGURATION > Object > AP Profile > SSID > SSID List and click Add to add an SSID for connection with 802.1x security. Key in the Profile Name and SSID, and change Security Profile to RadiusTest, which was set in step 1. Click OK to save.
3. Go to CONFIGURATION >...

4.1.3 Test the Result

1. Before connecting to the SSID, the computer needs some settings for the connection to succeed. Open Network and Sharing Center on the computer and click Set up a new connection or network to set up a new network.
3. Key in the SSID as the Network name and change the Security type to WPA2-Enterprise; the Encryption type is AES. Click Next.
4. Select Change connection settings.
5. Change Security type to WPA2-Enterprise; the Encryption type is AES. Click Settings.
6. Uncheck Validate server certificate and click Configure.
7. Uncheck the checkbox in the pop-up window. Click OK.
8. Go back to the security setting page and click Advanced settings.
9. Check Specify authentication mode. Click OK to save.
10. Select the SSID, RadiusTest, for the wireless connection. Enter user credentials for authentication. After entering the correct ID and password, the wireless connection is set up successfully.

4.1.4 What Could Go Wrong

1. There are two kinds of Radius Server Types in the security profile setting. Internal means the authentication takes place between the NXC controller and the Radius server. The Radius server needs to add the NXC controller as a trusted client.
2. External means the authentication takes place between the Managed AP and the Radius server.

4.2 How to Configure 802.1x to Secure the Wireless Environment with an External AD Server?

This example shows how to set up the NXC controller with an external AD server. When a station wants to connect to the AP, you can use an AAA server to provide access control to your network.

4.2.1 Configure AD Server Setting

1. Go to CONFIGURATION > Object > AAA Server > Active Directory, click #1 ad, and then click Edit to configure the AD server's information.
2. In Server Settings, enter the Server Address. Here 172.51.31.112 is used as the example.
4. In Domain Authentication for MSChap, check Enable and enter the User Name, User Password, Realm, and NetBIOS Name. The Realm is the domain name of the AD server.
5. After finishing the configuration, enter administrator as the Username and click Test in Configuration Validation.
6. Go to CONFIGURATION > Object > Auth. Method. Select the default method, and click Edit. Select the AD server you created. Click OK.
7. Go to CONFIGURATION > System > Date/Time and check Current Time and Date. The date and time must be the same as the date and time of the AD server.

4.2.2 Configure AP Profile

1. Configure the AP profile to use 802.1x authentication, so that users need to log in with their ID and Password when connecting to the AP's SSID. Go to CONFIGURATION > Object > AP Profile > SSID > Security List and click Add to add security for 802.1x.
2. Go to CONFIGURATION > Object > AP Profile > SSID > SSID List and click Add to add an SSID for the connection with 802.1x security. Key in the Profile Name and SSID, and change Security Profile to ADtest, which you configured in step 1. Click OK to save.
3. Go to CONFIGURATION >...

4.2.3 Test the Result

1. Before connecting to the SSID, the computer needs some settings for the connection to succeed. Here is an example for Windows 7. Open Network and Sharing Center on the computer and click Set up a new connection or network to set up a new network.
2. Select Manually connect to a wireless network.
4. Select Change connection settings.
5. Change Security type to WPA2-Enterprise; the Encryption type is AES. Click Settings.
6. Uncheck Validate server certificate and click Configure.
7. Uncheck the selection in the pop-up window. Click OK.
8. Go back to the security setting page and click Advanced settings.
9. Check Specify authentication mode. Click OK to save.
10. Select and connect to the pre-defined SSID "ADTest". Enter user credentials for authentication. After entering the correct ID and password, the wireless connection is set up successfully.

4.2.4 What Could Go Wrong

1. There are two kinds of Radius Server Types in the security profile setting. Internal means the authentication takes place between the NXC controller and the AD server.
2. When the Radius Server Type is changed to External, the authentication takes place between the Managed AP and the Radius server.

4.3 How to Configure 802.1x to Secure the Wireless Environment with an External LDAP Server?

This example shows how to set up the NXC controller with an external LDAP server. When a station wants to connect to the AP, you can use an AAA server to provide access control to your network.

4.3.1 Configure LDAP Server Setting

1. Go to CONFIGURATION > Object > AAA Server > LDAP, click #1 ldap, and then click Edit to edit the LDAP server's information.
2. In Server Settings, enter the Server Address. Here 10.253.31.239 is used as the example.
3. After finishing the configuration, enter administrator as the Username and click Test in Configuration Validation.
4. Go to CONFIGURATION > Object > Auth. Method. Select the default method, and click Edit. Select the LDAP server you created. Click OK.

4.3.2 Configure AP Profile

1. Configure the AP profile to use 802.1x authentication, so that users need to log in with their ID and Password when connecting to the AP's SSID. Go to CONFIGURATION > Object > AP Profile > SSID > Security List and click Add to add security for 802.1x.
2. Go to CONFIGURATION > Object > AP Profile > SSID > SSID List and click Add to add an SSID for the connection with 802.1x security. Key in the Profile Name and SSID, and change Security Profile to LDAP, which you configured in step 1. Click OK to save.
3. Go to CONFIGURATION >...

4.3.3 Test the Result

1. LDAP can be used on an Android phone for authentication. When connecting to the SSID, the EAP method is set to TTLS, and Phase-2 authentication is PAP. Enter the user ID and password to connect. The station connects to the AP with the correct ID and password.

4.3.4 What Could Go Wrong

1. The Radius server type is always internal in CONFIGURATION > Object > AP Profile > SSID > Security List because LDAP cannot be used as the authentication server. External is not supported for an LDAP server.

4.4 How to Configure 802.1x to Secure the Wireless Environment with an Internal RADIUS in NXC?

This example shows how to set up the NXC controller and let users authenticate locally without an external RADIUS server. The user database is set up in the NXC controller, and the client enters the username and password to authenticate via 802.1x.

4.4.1 Configure Authentication Method Setting

1. Go to CONFIGURATION > Object > User/Group, and click Add to create a new user ID and password. Stations can log in with this account to connect to the AP and access the Internet.
2. Go to CONFIGURATION >...
3. Go to CONFIGURATION > System > Auth. Server, and set Authentication Method to localtest, which was created in step 2.

4.4.2 Configure AP Profile

1. Configure the AP profile to use 802.1x authentication, so that users need to log in with their ID and Password when connecting to the AP's SSID. Go to CONFIGURATION > Object > AP Profile > SSID >...
2. Go to CONFIGURATION > Object > AP Profile > SSID > SSID List and click Add to add an SSID for the connection with 802.1x security. Key in the Profile Name and SSID, and change Security Profile to local802, which was created in step 1. Click OK to save.
3. Go to CONFIGURATION >...

4.4.3 Test the Result

1. Before connecting to the SSID, the computer needs some settings for the connection to succeed. Here is an example for Windows 7. Open Network and Sharing Center on the computer and click Set up a new connection or network to set up a new network.
2. Select Manually connect to a wireless network.
4. Select Change connection settings.
5. Set Security type to WPA2-Enterprise; the Encryption type is AES. Click Settings.
6. Uncheck Validate server certificate and click Configure.
7. Uncheck the selection in the pop-up window. Click OK.
8. Go back to the security setting page and click Advanced settings.
9. Check Specify authentication mode. Click OK to save.
10. Select and connect to the pre-defined SSID "ADTest". Enter user credentials for authentication. After entering the correct ID and password, the wireless connection is set up successfully.

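Step 6 of the client setup in 4.1.3, 4.2.3 and 4.4.3 leaves the Windows supplicant accepting any RADIUS server certificate. The following added example (not part of the original guide) audits an exported WLAN profile for a client left in that state. The profile XML is a constructed, trimmed sample, and the element names PerformServerValidation, TrustedRootCA and ServerNames are assumed to match the PEAP profile layout that Windows exports.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of an exported WPA2-Enterprise (PEAP) profile.
PROFILE_TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <ServerNames>{server_names}</ServerNames>
              {trusted_root}
            </ServerValidation>
            <PeapExtensions>
              <PerformServerValidation
                xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"
              >{validate}</PerformServerValidation>
            </PeapExtensions>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


def sample_profile(validate, server_names="", thumbprint=""):
    """Render the constructed sample; thumbprint is a placeholder, not a real CA."""
    root = f"<TrustedRootCA>{thumbprint}</TrustedRootCA>" if thumbprint else ""
    return PROFILE_TEMPLATE.format(
        ssid="RadiusTest", server_names=server_names,
        trusted_root=root, validate=validate,
    )


def _texts(root, name):
    """Text of every element with this local name, ignoring XML namespaces."""
    return [
        (e.text or "").strip()
        for e in root.iter()
        if e.tag.rsplit("}", 1)[-1] == name
    ]


def audit_profile(xml_text):
    """Return (profile name, findings) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    ssid = (_texts(root, "name") or ["?"])[0]
    findings = []
    if "true" not in _texts(root, "useOneX"):
        return ssid, findings                      # not an 802.1x profile
    if "false" in _texts(root, "PerformServerValidation"):
        findings.append("server certificate validation is disabled")
        return ssid, findings                      # pinning checks are moot
    if not any(_texts(root, "TrustedRootCA")):
        findings.append("no trusted root CA is pinned")
    if not any(_texts(root, "ServerNames")):
        findings.append("no expected server name is set")
    return ssid, findings


if __name__ == "__main__":
    lab_state = sample_profile("false")            # as configured in step 6
    hardened = sample_profile("true", "radius.example.test", "PLACEHOLDER-THUMBPRINT")
    for label, xml_text in (("lab", lab_state), ("hardened", hardened)):
        print(label, audit_profile(xml_text))
```

Profiles can be exported with `netsh wlan export profile folder=<dir>` and the text of each file passed to `audit_profile`.
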

4.5 How to Configure 802.1x to Secure the Wireless Environment with Dynamic VLAN with NXC Controller Using External RADIUS Server?
This example shows how to set up dynamic VLAN with the NXC controller using an external RADIUS server. When the station wants to connect with the AP, you can use an AAA server to provide access control to your network.
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG20v2 (Firmware Version: V4.15), NXC2500 (Firmware Version: 5.10), GS2210-8HP (Firmware Version: V4.30)

4.5.1 Configure Interface
1 Go to CONFIGURATION > Network > Interface > VLAN, click vlan0 and Edit it.
2 Set ge1 (P1) to not be vlan0's member by selecting no in Member Configuration. Set the gateway IP in IP Address Assignment.

1 Connect the switch to NXC ge2 (P2), and connect all APs to the switch.
2 In the NXC, go to CONFIGURATION > Network > Interface > VLAN. Click Add to create a new VLAN configuration.
3 In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan10; VID: 10. In Member Configuration, set ge2 to be Member and Tx Tagging. In IP Address Assignment, select Use Fixed IP Address and key in IP Address, Subnet Mask, and Gateway.
4 Click Add to create VLAN20 in CONFIGURATION > Network > Interface > VLAN.
5 In General Settings, check Enable. In Interface Properties, key in Interface Name: vlan20; VID: 20. In Member Configuration, set ge2 to be Member and Tx Tagging. In IP Address Assignment, select Use Fixed IP Address and key in IP Address, Subnet Mask, and Gateway.
6 Go to CONFIGURATION > Network > Interface > Ethernet, select ge1 and Edit it. Change the Interface Type to external and select Get Automatically in IP Address Assignment.
7 Go to CONFIGURATION > Network > Routing > Policy Route and click Add to add a policy route. Select Interface ge1 in Next-Hop, and outgoing-interface in Address Translation after clicking Show Advanced Settings.

4.5.2 Configure Radius Server Setting
1 Go to CONFIGURATION > Object > AAA Server > RADIUS, click #1 radius, and then click Edit. Set the Server Address, and set the Authentication Port to 1812. Enter the Key for the RADIUS server and click OK.

4.5.3 Configure AP Profile
1 Configure the AP profile to use 802.1x authentication, so that users need to log in with their ID and password when connecting to the AP's SSID. Go to CONFIGURATION > Object > AP Profile > SSID > Security List, select the default AP profile and edit.
2 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and select the default AP profile and edit. Key in the Profile Name and SSID, and change Security Profile to default, which was created in step 1. Click OK to save.
3 Go to CONFIGURATION > Wireless > AP Management > AP Group, select the default AP profile and edit. Select default in the SSID Profile #1 in both radio1 and radio2. Click OK to apply the settings.

4.5.4 Test the Result
1 Use a mobile phone to connect with SSID DyVlan. Enter the Username and Password which are in the VLAN 10 group, and then click Join to connect with the AP.
2 The logged-in client gets an IP in VLAN10.
3 Use the mobile phone to connect with SSID DyVlan. Enter the Username and Password which are in the VLAN 20 group, and then click Join to connect with the AP.
4 The logged-in client gets an IP in VLAN20.

4.5.5 What Could Go Wrong
1 When you set the dynamic VLAN in the NXC controller, the RADIUS server needs to set the corresponding VLAN groups for authentication.
2 Because the dynamic VLAN setting is in the NXC controller, it only supports radius server type “Internal”...
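
Item 1 of 4.5.5 depends on what the RADIUS server sends back for each user group. The following added example (not from the Zyxel guide) assumes the RFC 3580 convention of Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID=VLAN ID, which the guide does not spell out; the shared secret, Request Authenticator and function names are constructed. It builds an Access-Accept, checks its Response Authenticator against the shared key, and extracts the assigned VLAN.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6            # values defined by RFC 2868 / RFC 3580

SECRET = b"constructed-shared-secret"    # stands in for the Key of step 4.5.2
REQUEST_AUTH = bytes(range(16))          # constructed Request Authenticator


def tagged_int(attr_type, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def group_id(vlan, tag=0):
    """Tunnel-Private-Group-ID: optional tag byte, then the VLAN ID as text."""
    body = (bytes([tag]) if tag else b"") + str(vlan).encode("ascii")
    return struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)) + body


def build_accept(ident, request_auth, secret, attrs):
    """Assemble an Access-Accept and compute its Response Authenticator."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs


def verify_accept(packet, request_auth, secret):
    """Reject packets whose length or Response Authenticator does not match."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret)
    return hmac.compare_digest(digest.digest(), packet[4:20])


def iter_attrs(packet):
    """Yield (type, value) for every attribute TLV after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def assigned_vlan(packet):
    """Return the VLAN ID the packet assigns, or None if no tunnel is valid."""
    tunnels = {}  # tag -> {attribute type: value}
    for attr_type, value in iter_attrs(packet):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            number = int.from_bytes(value[1:], "big")
            tunnels.setdefault(value[0], {})[attr_type] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte of 0x01..0x1F is a tag; anything else is text.
            tagged = 1 <= value[0] <= 0x1F
            tag, text = (value[0], value[1:]) if tagged else (0, value)
            tunnels.setdefault(tag, {})[attr_type] = text
    for _tag, attrs in sorted(tunnels.items()):
        if attrs.get(TUNNEL_TYPE) != TT_VLAN:
            continue
        if attrs.get(TUNNEL_MEDIUM_TYPE) != TMT_IEEE_802:
            continue
        text = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if text.isdigit() and 1 <= int(text) <= 4094:
            return int(text)
    return None


def sample_accept(vlan, tag=0):
    """Constructed Access-Accept for a user whose group maps to `vlan`."""
    attrs = (tagged_int(TUNNEL_TYPE, TT_VLAN, tag)
             + tagged_int(TUNNEL_MEDIUM_TYPE, TMT_IEEE_802, tag)
             + group_id(vlan, tag))
    return build_accept(1, REQUEST_AUTH, SECRET, attrs)


if __name__ == "__main__":
    for vlan in (10, 20):
        pkt = sample_accept(vlan)
        print(vlan, verify_accept(pkt, REQUEST_AUTH, SECRET), assigned_vlan(pkt))
```

A reply that lacks any of the three attributes, or carries a VLAN ID outside 1 to 4094, yields None here, so the client is not placed in a VLAN on incomplete data.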

4.6 How to Configure Captive Portal?
4.6.1 Captive Portal Redirect on Controller?
This example shows how to set up captive portal redirect on the controller. A captive portal can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page.
Figure 18 Captive portal redirect on controller (NXC is gateway)
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG20v2 (Firmware Version: V4.15), NXC2500 (Firmware Version: 5.10), GS2210-8HP (Firmware Version: V4.30)

4.6.1.1 Configure Authentication Method Setting
1 Go to CONFIGURATION > Object > User/Group, click add to create a new user ID and password. Stations can log in to the captive portal to access the Internet via this account. Enter the User Name as the login ID for the captive portal and set User Type to guest.

4.6.1.2 Configure Captive Portal
1 Go to CONFIGURATION > Object > Address > Address, click add to create an address range that must pass captive portal authentication before accessing the Internet. Enter the profile Name and change Address Type to RANGE. In this example, the IP range for guests is 192.168.1.100 to 192.168.1.200 on the DHCP server (USG).
2 Go to CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule, click add to create a policy rule for stations which get an IP in the range from 192.168.1.100 to 192.168.1.200. In General Settings, check Enable Policy and enter the Description of this policy.

4.6.1.3 Configure AP Profile when USG is the Gateway
1 To make sure the USG is the gateway for the vlan0 interface, which clients use to access the Internet, go to CONFIGURATION > Network > Interface > VLAN > vlan0 > Edit, and enter the USG's IP in Gateway.
CP_test, which was created in step 2. Click Override Member AP Setting to apply the SSID to the AP and click Yes in the pop-up window. Click OK.
4 Log out from the NXC controller.

4.6.1.4 Configure AP Profile when NXC is the Gateway
1 Make sure the NXC is the gateway for the vlan0 interface, which the captive portal and stations need to connect to. Go to CONFIGURATION > Network > Interface > VLAN > vlan0 > Edit, select no in Member for ge2 and enter the NXC's IP in Gateway.
2 Go to CONFIGURATION > Network > Interface > Ethernet, click ge2 and then click Edit to make ge2 the external interface for connecting with the Internet. Change Interface Type to external and set IP Address Assignment to Get Automatically. Click OK to save.
3 Go to CONFIGURATION > Network > Routing > Policy Route, and click Add to add a routing rule for outgoing traffic. Click Show Advanced Settings. Check Enable in Configuration. Select Interface in Incoming and select vlan0 in Please select one member.
4 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and click Add to add an SSID for captive portal. Key in CP_guest as the SSID, and change Security Profile to default, which sets no security. Click OK to save.
5 Go to CONFIGURATION >...

4.6.1.5 Test the Result
1 Connect to SSID CP_guest from the computer. After the connection is successfully established, check that the IP is in the range from 192.168.1.100 to 192.168.1.200, and that the gateway is the NXC's IP.
2 Open a browser and visit a website after the computer connects to the AP successfully.
3 After entering the username and password correctly, the connected station is able to access the Internet. There is also a pop-up window showing the renew time and re-authentication time after authentication succeeds.

4.6.1.6 What Could Go Wrong
1 The DNS MUST be set in the DHCP setting, or the captive portal might fail to redirect because the NXC controller is not able to know the correct IP address of the website which stations access.
5 When using the NXC2500 as the controller, the uplink port MUST be ge1.

4.6.2 Captive Portal Redirect on AP?
This example shows how to set up captive portal redirect on the AP. A captive portal can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. Typically, you find captive portal pages in public hotspots.

4.6.2.1 Configure AP Profile and User
1 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, click Add to add an SSID for captive portal. Key in CP_test as the Profile Name and CP_guest as the SSID, and set Security Profile to default, which sets no security.
3 Go to CONFIGURATION > Object > Auth. Method, and click add to create an authentication method. Enter the Name of this authentication method and select local in the Method List.

4.6.2.2 Configure Captive Portal
1 Go to CONFIGURATION > Captive Portal > Redirect on AP > Authentication Policy Rule, and click add to create a policy rule for stations which connect to SSID profile CP_test. In General Settings, check Enable Policy and enter the Profile Name of this policy.
2 Go to CONFIGURATION > Captive Portal > Redirect on AP > Authentication Policy Group, and click default to edit. In the setting, click Add to add the policy rule which is created in previous step.
3 Go to CONFIGURATION > Captive Portal > Captive Portal, check Enable Captive Portal.

4.6.2.3 Broadcast SSID
1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click default to Edit. Change #1 to CP_test.
2 On the same setting page as the previous step, select default for Auth. Policy Group in Portal Redirect on AP. Click OK to save.
3 Log out from the NXC controller.

4.6.2.4 Test the Result
1 Connect the station to the SSID "CP_guest". Open a browser and visit a website after the computer and AP connect successfully. The browser redirects the webpage to the captive portal page, and the user needs to enter the username and password for authentication before accessing the Internet.

4.6.2.5 What Could Go Wrong
1 The DNS MUST be set in the DHCP setting, or the captive portal might fail to redirect because the NXC controller is not able to know the correct IP address of the website which stations access.

4.6.3 Captive Portal with QR Code?
This example shows how to set up captive portal authentication with QR code. This new feature offers two convenient and fast methods to access the Internet. The first method is authenticator-assisted. This means that the employees are the authenticators, who can authenticate the guest to access the Internet.

4.6.3.1 Configure AP Profile
1 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, and double click default to modify the SSID for captive portal. Key in CP_QR as the SSID, and change Security Profile to default, which sets no security.
2 Go to CONFIGURATION > Object > AP Profile > SSID > Security List, click Add to add the security profile for employees. Key in employee as the Profile Name and SSID. Click OK to save.
3 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, double click Add to add the SSID for employees. Key in CP_employee as the Profile Name and SSID with VLAN ID 10, and change Security Profile to employee. Click OK to save.

4.6.3.2 Configure VLAN
1 Go to CONFIGURATION > Network > Interface > VLAN, click Add to add VLAN 10 and set NXC2500 as the DHCP server of VLAN 10. Click OK to save.
2 Go to CONFIGURATION > Network > Interface > VLAN, click Add to add VLAN 20 and set NXC2500 as the DHCP server of VLAN 20. Click OK to save.

4.6.3.3 Create Assistance Account
1 Go to CONFIGURATION > Object > User/Group > User, and click Add to add the user as the assistance account for employees to help the guest pass the authentication when the guest scans the QR code. Click OK to save.
2 Go to CONFIGURATION >...
3 Go to CONFIGURATION > Object > Auth. Method > Authentication Method, and double click default to edit the method as local. Click OK to save.

4.6.3.4 Set Guest Address & Zone
1 Go to CONFIGURATION > Object > Address > Address, click Add to add the guest address. Change the Address Type to RANGE and enter the starting and end IP address. Click OK to save.

4.6.3.5 Configure Captive Portal
1 Go to CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule, click add to create a policy rule for guests whose IP addresses are in the setting range. In User Auth Policy, change Source Address to QR_Guest_addr and set Authentication to required.
2 On the same page as step 1, check Authentication with QR code, and change the Guest Account to QR_Guest. Check Authenticator-assisted; the QR Portal Address is the vlan10 interface IP. The Authenticator is the employee account or group. Click Apply.
3 Go to CONFIGURATION >...
4 Go to CONFIGURATION > Captive Portal > Redirect on Controller > QR Code Configuration. Check Print Out QR Code and use the QR code for customers to do self-service.

4.6.3.6 Broadcast SSID
1 Go to CONFIGURATION > Wireless > AP Management > AP Group, click default to Edit. Change #1 to CP_QR and #2 to CP_employee.

4.6.3.7 Test the Result
1 Authenticator-assisted
When the guests connect to the SSID "CP_QR", they get IP addresses between 192.168.20.100 and 192.168.20.110, and are redirected to the captive portal with QR code as shown below. When the captive portal page is shown, the customer asks for an employee who has connected with SSID “CP_employee”...
2 Self-serviced
When the guests connect to the SSID "CP_QR", they get IP addresses between 192.168.20.100 and 192.168.20.110, and are redirected to the captive portal with QR code as shown below. When the captive portal page is shown, the guest scans the printed QR code in the last step.

4.6.3.8 What Could Go Wrong
1 The DNS MUST be set in the DHCP server, or the captive portal might fail to redirect because the NXC controller is not able to know the correct IP address of the website which stations want to access.
4 If the user enters an incorrect username or password, there is a login failure webpage. Please click Retry and use the correct username and password to log in.
5 When using the NXC2500 as the controller, the uplink port MUST be ge1.

4.6.4 Captive Portal with External Webserver?
This example shows how to set up captive portal redirect via an external web page. A captive portal can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page.

4.6.4.1 Configure Interface
1 Go to CONFIGURATION > Network > Interface > VLAN, click vlan0 and edit it. Remove ge6 by selecting “no” in the Member Configuration. Set a fixed IP for the interface, and use DHCP server with DNS. Click OK to save.
2 Go to CONFIGURATION > Network > Interface > Ethernet, select ge6 and Edit it. Change the Interface Type to external. Click OK to save.
3 Go to CONFIGURATION > Network > Policy Route, click Add to add a routing rule for outgoing traffic. Click Show Advanced Settings. Check Enable in Configuration. Select Interface in Incoming and select vlan0 in Please select one member. Change Type to Interface and select Interface ge6.

4.6.4.2 Configure Authentication Method Setting & Address
1 Go to CONFIGURATION > Object > User/Group, click add to create a new user ID and password. Stations can log in to the captive portal to access the Internet via this account. Enter the User Name as the login ID for the captive portal and set User Type to guest.
3 Go to CONFIGURATION > Object > Address > Address, click add to create an address range that must pass captive portal authentication before accessing the Internet. Enter the profile Name and change Address Type to RANGE. In this example, the IP range for guests is 192.168.1.199 to 192.168.1.209.

4.6.4.3 Configure Captive Portal
1 Go to CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule, click add to create a policy rule. In User Auth Policy, change Source Address to CP_ex and set Authentication to required. Check Force User Authentication, and change the Authentication Method to default.
3 Go to CONFIGURATION > Captive Portal > Captive Portal, check Enable Captive Portal. Click Apply to apply the settings.

4.6.4.4 Configure AP Profile
1 Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, double click add to add an SSID for wireless connection with external captive portal. Key in CP_ex as the SSID, and change Security Profile to default, which sets no security.

4.6.4.5 Test the Result
1 Connect the station to the SSID "CP_ex". Open a browser and visit a website after the computer and AP connect successfully. The browser redirects the webpage to the external captive portal page, and the user needs to enter the username and password for authentication before accessing the Internet.

4.6.4.6 What Could Go Wrong
1 The DNS MUST be set in the DHCP server, or the captive portal might fail to redirect because the NXC controller is not able to know the correct IP address of the website which stations want to access.
4 When using the NXC2500 as the controller, the uplink port MUST be ge1.

4.7 How to Generate and Import Certificate on NXC Controller?
This example shows how to import a certificate on the NXC controller. It shows how to create two different types of certificates and save them to the controller.
Figure 22 Certificate on NXC Controller
Note: All network IP addresses and subnet masks are used as examples in this article.

4.7.1 Create a Self-signed Certificate
1 Go to CONFIGURATION > Object > Certificate > My Certificates, click Add to create a certificate. Key in the Configuration > Name and Subject Information. In Enrollment Options, select Create a self-signed certificate. Click OK.
2 Go to CONFIGURATION > Object > Certificate > My Certificates > Edit, and click Export Certificate with Private key to save the certificate. The exported certificate can be used by other devices, and once the devices have this certificate, they know the controller.
4 Go to CONFIGURATION > System > Auth. Server, change the Authentication Server Certificate to csotest which is created in the previous step.

4.7.2 Test the Result
1 Go to CONFIGURATION > Object > Certificate > My Certificates, click the self-signed certificate and click edit. It shows validation result=self-signed in certification path.
2 When the customer connects to an SSID with 802.1x security, there is a certificate trust request pop-up screen with the detailed information of the certificate created in step 4.7.1.

4.7.3 Create a Certification Request and Save It Locally for later Manual Enrollment
1 Go to CONFIGURATION > Object > Certificate > My Certificates, and click Add to create a certificate. Key in the Configuration > Name and Subject Information. In Enrollment Options, select Create a certification request and save it locally for later manual enrollment.
2 Go to CONFIGURATION > Object > Certificate > My Certificates, and click the certificate that you just created in step 1. Click Edit. Copy the Certificate in PEM (Base-64) Encoded Format and send it to the certificate server. Click OK.
3 Go to CONFIGURATION > Object > Certificate > My Certificates, click Import to import the certificate released from the server.
4 Go to CONFIGURATION > Object > Certificate > Trusted Certificates, click Import to add a trusted certificate which is also released from the certificate server.
5 Go to CONFIGURATION > System > Auth. Server, change the Authentication Server Certificate to csotest2 which is created in the previous step.

4.7.4 Test the Result
1 Go to CONFIGURATION > Object > Certificate > My Certificates; the type in the My Certificates list shows CERT after importing the certificate obtained from the server.
2 Go to CONFIGURATION > Object > Certificate > My Certificates, double click the certificate (certnew.cer in this example).
3 When the customer connects to an SSID with 802.1x security, there is a certificate trust request pop-up screen with the detailed information of the certificate created in step 4.7.3.

4.7.5 What Could Go Wrong
1 If the root certificate is not imported as a trusted certificate, although the certificate type switches to CERT, the certification path still shows Validation Result = incomplete path.

4.8 How to Detect the Rogue AP?
A rogue AP works without being controlled by the administrator of the network. It may cause security issues for the network, and we can use the AP in monitor mode to contain the rogue AP.
Figure 23 Monitor Rogue AP and Containment
Note: All network IP addresses and subnet masks are used as examples in this article.

4.8.1 Configure AP to Monitor Mode
1 Configure a monitor profile in CONFIGURATION > Object > MON Profile. Select the default profile and click Edit to change it. Check that the Scan Channel Mode is auto and that the Country Code is correct for the location where you use the AP. Click OK to save.

4.8.2 Detected Devices and Containment
1 In MONITOR > Wireless > Detected Device, click Refresh if there's no rogue AP in the list. Select the rogue AP and click Mark as Rogue AP.
2 When the AP is marked as a rogue AP, it can be set in the containment list in CONFIGURATION >...

4.8.3 Test the Result
1 When the AP is marked as a rogue AP, it is shown in MONITOR > Wireless > Detected Device.
2 When the AP is set in the containment list, the stations are disconnected right away after they connect to the rogue AP.

Maintain NXC Controller
5.1 How to Do Firmware upgrade
1. There are two ways to do firmware upgrade, GUI and FTP. The firmware can be downloaded from Zyxel support center. Please find below the website address of the support center. http://www.zyxel.com/support/support_landing.shtml
2.

5.1.1 Firmware from GUI?
This example shows how to do a firmware upgrade from the GUI. The firmware version will be changed from v5.00 to v5.10.
Figure 24 Firmware Upgrade from GUI
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.

5.1.1.1 Firmware Upgrade on GUI
1 In MAINTENANCE > File Manager > Firmware Package, check if the NXC's current firmware version is the same as the one you are going to install.
2 In MAINTENANCE > File Manager > Firmware Package, click Browse… in Upload File and select the firmware you want to install.

5.1.1.2 Test the Result
1 After starting the firmware upgrade, there's a notification about firmware upload.
2 After finishing the firmware upload, the system will start the firmware upgrade.
3 After the firmware upgrade is complete and successful, you can check it on the GUI Dashboard.

5.1.1.3 What Could Go Wrong
1 When the firmware is uploading and the traffic for transferring the firmware is disconnected, the firmware upgrade will not be successful.
2 When the firmware is upgrading, please do not reset or reboot the controller.

5.1.2 Firmware from FTP?
This example shows how to do a firmware upgrade from FTP. This is usually used when you fail to access the web GUI.
Figure 25 Firmware Upgrade from GUI
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.

5.1.2.1 Firmware Upgrade on GUI
1 Copy the firmware to the root directory of the C drive on your computer c:\ and do not change the file name of the firmware.
2 Use the following command to ping the controller for checking the connection.
5 Enter put c:\ 510AAIG1C0\510AAIG1C0.bin and wait for the file transfer to complete. After the transmission is finished, the controller will start to upgrade.

5.1.2.2 Test the Result
1 After starting the firmware upgrade, the LED flashes and it takes about 5 minutes to finish.
2 After the firmware is upgraded successfully, you can check it on the GUI Dashboard.

5.1.2.3 What Could Go Wrong
1 When the firmware is uploading and the traffic for transferring the firmware is disconnected, the firmware upgrade will not be successful.
2 When the firmware is upgrading, please do not reset or reboot the controller.

5.2 How to Reset the Controller/AP?
This example shows how to reset the controller/AP. This is usually used when there's a new deployment or misconfiguration.
Figure 26 Firmware Upgrade from GUI
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.

5.2.1 Reset to Default from GUI
1 Log in to the controller and go to MAINTENANCE > File Manager > Configuration File. Click “system-default conf” in the list and Apply.

5.2.2 Reset to Default from Hardware
1 Push the RESET button over 15 seconds for resetting to defaults.

5.2.3 Test the Result
1 After resetting to default settings, the controller's IP is 192.168.1.1 and the AP's IP is 192.168.1.2.
2 All the settings are changed back to default settings.

Trouble Shooting
6.1 How to Collect the Diagnostic Info?
The diagnostic info needs to be collected when any problem occurs on the controller or AP.
Figure 27 Collect the Diagnostic Info
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.

6.1.1 Collect Diagnostic Info
1 In MAINTENANCE > Diagnostic > Diagnostics, select Collect on Controller and click Collect Now when the controller has any problem.
2 A window pops up when the controller is collecting the diagnostic.
3 In MAINTENANCE > Diagnostic > Diagnostics, select Collect on AP and move the AP's MAC to the collected APs list. Click Collect Now to start collection.
4 A window pops up when the controller is collecting the diagnostic.

6.1.2 Test the Result
1 When the collection is finished, a pop-up window shows “Done the collection.”
2 After capturing the packet, there is a file in MAINTENANCE > Diagnostics > Diagnostic > Files for downloading.

6.2 How to Configure the E-mail Settings for Sending Logs?
This configuration sets up email for sending logs and lets the controller manager get the daily report and the system logs.
Figure 28 E-mail Settings for Sending Logs
Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks.

6.2.1 Configure Log & Report
1 Configure daily report in CONFIGURATION > Log & Report > Email Daily Report. In Email Settings, enter the Mail Server which can send out the email. Check the Append data time for daily report, and set the email address in Mail From and Mail To.
2 Configure daily report in CONFIGURATION > Log & Report > Log Settings. In Log Settings, click the first setting and Edit it. Check Active to activate this setting. Enter the Mail Server, and set the email address in Mail From and Mail To. Set the sending condition to Daily and When Full, and the Time for Sending Log.