NXC. Note: It is recommended you use the Web Configurator to configure the NXC. • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. NXC2500 User’s Guide...
2.2 Front Panel (p. 25)
2.2.1 Front Panel LEDs (p. 26)
2.3 Rear Panel (p. 27)
Chapter 3 The Web Configurator (p. 29)
3.1 Overview (p. 29)
3.2 Access (p. 29)
3.3 The Main Screen (p. 31)
3.3.1 Title Bar (p. 31)
3.3.2 Navigation Panel (p. 38)
5.11 AP List (p. 73)
5.11.1 Station Count of AP (p. 74)
5.12 Radio List (p. 75)
5.12.1 AP Mode Radio Information (p. 77)
5.13 Station List (p. 78)
5.14 Detected Device (p. 79)
5.15 View Log (p. 80)
5.16 View AP Log (p. 83)
Chapter 6 Registration (p. 85)
8.3.2 Add/Edit VLAN (p. 116)
8.4 Technical Reference (p. 121)
Chapter 9 Policy and Static Routes (p. 125)
9.1 Overview (p. 125)
9.1.1 What You Can Do in this Chapter (p. 125)
9.1.2 What You Need to Know (p. 125)
9.2 Policy Route (p. 126)
13.1.1 What You Can Do in this Chapter (p. 149)
13.1.2 What You Need to Know (p. 149)
13.2 IP/MAC Binding Summary (p. 150)
13.2.1 Edit IP/MAC Binding (p. 151)
13.2.2 Add/Edit Static DHCP Rule (p. 152)
13.3 IP/MAC Binding Exempt List (p. 153)
Chapter 14 Captive Portal (p. 155)
14.1 Overview (p. 155)
16.3.1 SSID List (p. 193)
16.3.2 Security List (p. 196)
16.3.3 MAC Filter List (p. 201)
Chapter 17 MON Profile (p. 203)
17.1 Overview (p. 203)
17.1.1 What You Can Do in this Chapter (p. 203)
17.1.2 What You Need To Know (p. 203)
21.1.1 What You Can Do in this Chapter (p. 227)
21.1.2 What You Need To Know (p. 227)
21.2 Active Directory / LDAP (p. 230)
21.2.1 Add/Edit Active Directory / LDAP Server (p. 232)
21.3 RADIUS (p. 235)
21.3.1 Add/Edit RADIUS (p. 236)
24.6.2 Configuring the DNS Screen (p. 265)
24.6.3 Address Record (p. 268)
24.6.4 PTR Record (p. 268)
24.6.5 Adding an Address/PTR Record (p. 268)
24.6.6 Domain Zone Forwarder (p. 269)
24.6.7 Add Domain Zone Forwarder (p. 269)
24.6.8 MX Record (p. 270)
24.6.9 Add MX Record (p. 270)
25.3.4 Edit Remote Server Log Settings (p. 307)
25.3.5 Log Category Settings (p. 308)
Chapter 26 File Manager (p. 313)
26.1 Overview (p. 313)
26.1.1 What You Can Do in this Chapter (p. 313)
26.1.2 What you Need to Know (p. 313)
26.2 Configuration File (p. 315)
26.3 Firmware Package (p. 319)
Shutdown (p. 347)
30.1 Overview (p. 347)
30.1.1 What You Need To Know (p. 347)
30.2 Shutdown (p. 347)
Chapter 31 Troubleshooting (p. 349)
31.1 Overview (p. 349)
31.1.1 General (p. 349)
31.1.2 Wireless (p. 354)
31.2 Resetting the NXC (p. 356)
31.3 Getting More Troubleshooting Help (p. 357)
Table of Contents
Appendix A Log Descriptions (p. 359)
Appendix B Common Services (p. 387)
Appendix C Importing Certificates (p. 391)
Appendix D Wireless LANs (p. 405)
Appendix E Legal Information (p. 417)
Index (p. 421)
There are two types of interfaces in the NXC. In addition to being used in various features, interfaces also describe the network that is directly connected to them.
• Ethernet interfaces are the foundation for defining other interfaces and network policies.
• The LAN zone contains the ge1~ge6 interfaces (physical ports P1~P6). By default, all LAN interfaces are put in vlan0.
• The console port is not in a zone and can be directly accessed by a computer attached to it using a special console-to-Ethernet adapter.
APs and determining what channels are currently being used by other devices not connected to the network.
1.3.6 User-Aware Access Control
Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access them.
If you are in a screen that uses objects, you can also usually select Create new Object to be able to configure a new object. Use the Object Reference screen to see what objects are configured and which configuration settings reference specific objects.
The NXC does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources.
Note: Failure to use the proper screws may damage the unit.
2.1.1 Rack-Mounted Installation Procedure
Align one bracket with the holes on one side of the NXC and secure it with the included bracket screws (smaller than the rack-mounting screws).
Chapter 2 Hardware Installation and Connection
Attach the other bracket in a similar fashion.
Ethernet so the speed can be 100 Mbps or 1000 Mbps. The duplex mode can be either half or full duplex at 100 Mbps and full duplex only at 1000 Mbps. An auto-negotiating port can detect and
Orange This port has a successful link to a 1000 Mbps Ethernet network.
Blinking The NXC is sending or receiving packets to/from a 1000 Mbps Ethernet network on this port.
There is no connection on this port.
• No flow control
Connect the male 9-pin end of the RS-232 console cable to the console port of the NXC. Connect the female end to a serial port (COM1, COM2 or other COM port) of your computer.
The recommended screen resolution is 1024 x 768 pixels and higher.
3.2 Access
Make sure your NXC hardware is properly connected. See the Quick Start Guide. Browse to http://192.168.1.1. The Login screen appears. Enter the user name (default: “admin”) and password (default: “1234”).
Otherwise, the dashboard appears. This screen appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore.
The icons provide the following functions.
Table 6 Title Bar: Web Configurator Icons
LABEL: DESCRIPTION
Logout: Click this to log out of the Web Configurator.
Help: Click this to open the help page for the current screen.
This shows the version number of the software that handles the booting process of the NXC.
Current Version: This shows the firmware version of the NXC.
Released Date: This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released.
Click this to close the screen.
Figure 9 Site Map
Object Reference
Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.
Figure 10 Object Reference
Note: To view the functions in the Web Configurator user interface that correspond directly to specific NXC CLI commands, use the CLI Messages window (see Section on page 37) in tandem with this one.
Figure 11 Console
• Your web browser of choice allows pop-up windows from the IP address assigned to your NXC.
• Your web browser allows Java programs.
• You are using the latest version of the Java program (http://www.java.com).
To log in through the Console:
Click the Console button on the Web Configurator title bar.
Next, enter the User Name of the account being used to log into your target device and then click You may be prompted to authenticate your account password, depending on the type of device that you are logging into. Enter the password and click OK.
Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following.
Figure 12 CLI Messages
Click Clear to remove the currently displayed information. See the Command Reference Guide for information about the commands.
List the users currently logged into the NXC.
Dynamic Guest: List the dynamic guest accounts in the NXC’s local database.
USB Storage: Display details about a USB device connected to the NXC.
Wireless
AP Information
AP List: Display information about the connected APs.
Configure ranges of IP addresses to which the NXC does not apply IP/MAC binding.
Captive Portal
Captive Portal: Assign the captive portal web page to various network services.
Login Page: Assign and customize the login page users see when they hit the captive portal.
Object
Language: Select the Web Configurator language.
Log & Report
Email Daily Report: Configure where and how to send daily reports and what reports to send.
Log Settings: Configure the system log, e-mail logs, and remote syslog servers.
3.3.4 Tables and Lists
The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries.
Manipulating Table Display
Here are some of the ways you can manipulate the Web Configurator tables.
• Sort in ascending alphabetical order
• Sort in descending (reverse) alphabetical order
• Select which columns to display
• Group entries by field
• Show entries in groups
• Filter by mathematical operators (<, >, or =) or searching for text.
Select a column heading cell’s right border and drag to re-size the column. Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.
To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.
Figure 15 Working with Lists
Chapter 3 The Web Configurator
57) displays the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses.
• The Number of Login Users screen (Section 4.2.5 on page 58) displays the users currently logged into the NXC.
Dashboard icon in the navigation panel. The Dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets.
Figure 16 Dashboard
NXC. Hover your cursor over this field to display icons. Click the Detail icon to go to the Session Monitor screen to see details about the active sessions. Click the Show Active Sessions icon to display a chart of NXC’s recent session usage.
Fallback to system default configuration - The NXC was unable to apply the lastgood.conf configuration file and fell back to the system default configuration file (system-default.conf).
Booting in progress - The NXC is still applying the system configuration.
Displays the top 5 Access Points (AP) with the highest number of station (aka wireless client) connections.
This field displays the rank of the station.
AP MAC: This field displays the MAC address of the AP to which the station belongs.
The x-axis shows the time period over which the CPU usage occurred.
Refresh Interval: Enter how often you want this window to be automatically updated.
Refresh Now: Click this to update the information in the window right away.
The x-axis shows the time period over which the RAM usage occurred.
Refresh Interval: Enter how often you want this window to be automatically updated.
Refresh Now: Click this to update the information in the window right away.
The x-axis shows the time period over which the session usage occurred.
Refresh Interval: Enter how often you want this window to be automatically updated.
Refresh Now: Click this to update the information in the window right away.
If this field is clear, this entry is a dynamic DHCP entry. The IP address is assigned to a DHCP client. To create a static DHCP entry using an existing dynamic DHCP entry, select this field. To remove a static DHCP entry, clear this field.
If the user type is ext-user (external user), this field will show its external-group information when you move your mouse over it. If the external user matches two external-group objects, both external-group object names will be shown.
Force Logout: Click this icon to end a user’s session.
Click this to stop the window from updating automatically. You can start it again by setting the Poll Interval and clicking Set Interval.
Switch to Graphic View: Click this to display the port statistics as a line graph.
Up Time: This field displays how long the physical port has been connected.
System Up Time: This field displays how long the NXC has been running since it last restarted or was turned
This line represents traffic transmitted from the NXC on the physical port since it was last connected.
This line represents the traffic received by the NXC on the physical port since it was last connected.
Last Update: This field displays the date and time the information in the window was last updated.
Up - The VLAN interface is enabled and one of its member Ethernet interfaces is connected.
Down - The VLAN interface is enabled but none of its member Ethernet interfaces is connected.
Inactive - The VLAN interface is disabled.
5.5 Traffic Statistics
Click Monitor > System Status > Traffic Statistics to display this screen. This screen provides basic information about the different kinds of data traffic moving through the NXC. For example:
Click Apply to save your changes back to the NXC.
Reset: Click Reset to return the screen to its last-saved settings.
Statistics
Interface: Select the interface from which to collect information. You can collect information from Ethernet or VLAN interfaces.
HTTP GET packets. Many Web sites have HTTP GET references to other Web sites, and the NXC counts these as hits too. The count starts over at zero if the number of hits passes the hit count limit. See Table 25 on page
You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user. Click Monitor > System Status > Session Monitor to display the following screen.
Figure 26 Monitor > System Status > Session Monitor
This field displays the amount of information received by the source in the active session.
This field displays the amount of information transmitted by the source in the active session.
Duration: This field displays the length of the active session in seconds.
This is when the device last established a session with the NXC through this interface.
Description: This field displays the descriptive name that helps identify the entry.
Refresh: Click this button to update the information in the screen.
Internet or the NXC’s services in a specified period of time. Multiple dynamic guest accounts can be automatically generated at one time for guest users by using the web configurator and the guest-manager account. Guest users can log in with the dynamic accounts
This field displays the additional information for the user account.
Refresh: Click this button to update the information in the screen.
5.10 USB Storage
This screen displays information about a connected USB storage device. Click Monitor > System Status > USB Storage to display this screen.
Mounting - the NXC is mounting the USB storage device.
Removing - the NXC is unmounting the USB storage device.
none - the USB device is operating normally or not connected.
NXC last started up.
Last Off-line Time: This displays the most recent time the AP went off-line. N/A displays if the AP has either not come on-line or gone off-line since the NXC last started up.
Use this screen to look at station statistics for the connected AP. To access this screen, select an entry and click the More Information button in the AP List screen.
Figure 32 Monitor > Wireless > AP Information > AP List > Station Count of AP
This indicates the radio number on the AP to which it belongs.
OP Mode: This indicates the radio’s operating mode. Operating modes are AP (access point) or MON (monitor).
Profile: This indicates the profile name to which the radio belongs.
DESCRIPTION
When an AP is being load balanced, this icon means it is operating over the maximum allocated bandwidth.
When an AP is being load balanced, this icon means it is operating under the maximum allocated bandwidth.
24 hours. To access this window, select an entry and click the More Information button in the Radio List screen.
Figure 34 Monitor > Wireless > AP Information > Radio List > AP Mode Radio Information
Click this to close this window.
5.13 Station List
Use this screen to view statistics pertaining to the associated stations (or “wireless clients”). Click Monitor > Wireless > Station Info to access this screen.
Figure 35 Monitor > Wireless > Station List
Note: At least one radio of the APs connected to the NXC must be set to monitor mode (in the Wireless > AP Management screen) in order to detect other wireless devices in its vicinity.
Figure 36 Monitor > Wireless > Rogue AP > Detected Device
• For individual log descriptions, see Appendix A on page 359.
• For the maximum number of log messages in the NXC, see the datasheet.
Debug Log.
Source Address: This displays when you show the filter. Type the source IP address of the incoming packet that generated the log message. Do not include the port in this filter.
This field displays the destination IP address and the port number of the event that generated the log message.
Note: This field displays any additional information about the log message.
The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.
Last Log Query Time: This indicates the last time the AP was queried for its log messages.
Display: Select the log file from the specified AP that you want displayed.
Note: This criterion only appears when you Show Filter.
This displays content of the selected log message.
Source: This displays the source IP address of the selected log message.
Destination: This displays the source IP address of the selected log message.
Note: This displays any notes associated with the selected log message.
The NXC is initially configured to support up to 8 managed APs (such as the NWA5123-NI). You can increase this by subscribing to additional licenses. As of this writing, each license upgrade allows an additional 8 managed APs while the maximum number of APs a single NXC can support is 24.
Click this button to check with the myZyXEL.com database to verify the user name you entered has not been used.
Password: Enter a password of between six and 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Confirm Password: Enter the password again for confirmation.
Figure 40 Configuration > Licensing > Registration: Registered Device
6.3 Service
Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard’s PIN number
If a standard service subscription runs out, you need to buy a new iCard (specific to your NXC) and enter the new PIN number to extend the service.
Service License Refresh: Click this button to renew service license information (such as the registration status and expiration day).
Wireless load balancing is the process where you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it so the AP does not become overloaded.
Click Reset to return the screen to its last-saved settings.
7.3 AP Management
Use this screen to manage all of the APs connected to the NXC. Click Configuration > Wireless > AP Management to access this screen.
Figure 43 Configuration > Wireless > AP Management
AP’s management VLAN ID does not match the Mgnt. VLAN ID(AC). This field displays n/a if the NXC cannot get VLAN information from the AP.
Description: This field displays the AP’s description, which you can configure by selecting the AP’s entry and clicking the Edit button.
MON Mode means the AP monitors the broadcast area for other APs, then passes their information on to the NXC where it can be determined if those APs are friendly or rogue. If an AP is set to this mode it cannot receive connections from wireless clients.
Click this button to add an AP to the list and assign it either friendly or rogue status.
Edit: Select an AP in the list to edit and reassign its status.
Remove: Select an AP in the list to remove.
Enter up to 60 characters for the AP’s description. Spaces and underscores are allowed.
Role: Select either Rogue AP or Friendly AP for the AP’s role.
Apply: Click Apply to save your changes back to the NXC.
Reset: Click Reset to return the screen to its last-saved settings.
Note: If you enable this function, you should ensure that there are multiple APs within the broadcast radius that can accept any rejected or kicked wireless clients; otherwise, a wireless client attempting to connect to an overloaded AP will be kicked continuously and never be allowed to connect.
AP over its allotment, say to 7 Mbps, then the AP delays the red laptop’s connection until it can afford the bandwidth or the laptop is picked up by a different AP with bandwidth to spare.
Figure 48 Delaying a Connection
7.6 DCS
Use DCS (Dynamic Channel Selection) in an environment where there are many APs and there may be interference. DCS allows APs to automatically find a less-used channel in such an environment. Use
If the channel on which it is currently broadcasting suddenly comes into use by another AP, the NXC will then dynamically select the next available clean channel or a channel with lower interference.
Select manual and specify the channels the AP uses in the 5 GHz band.
Available channels: This text box lists the channels that are available in the 5 GHz band. Select the channels that you want the AP to use, and click the right arrow button to add them.
In the 2.4 GHz spectrum, each channel from 1 to 13 is broken up into discrete 22 MHz segments that are spaced 5 MHz apart. Channel 1 is centered on 2.412 GHz while channel 13 is centered on 2.472 GHz.
Figure 51 An Example Three-Channel Deployment
AP. If he still connects to the AP regardless of the delay, then the AP may boot other people who are already connected in order to associate with the new connection.
AP has the bandwidth to spare. If too many people connect and the AP hits its bandwidth cap then all new connections must basically wait for their turn or get shunted to the nearest identical AP.
You can create several types of interfaces in the NXC.
• Ethernet interfaces are the foundation for defining other interfaces and network policies.
• VLAN interfaces receive and send tagged frames. The NXC automatically adds or removes the tags as needed.
However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management.
Figure 54 Configuration > Network > Interface > Ethernet
Reset: Click Reset to return the screen to its last-saved settings.
8.2.1 Edit Ethernet
This screen lets you configure IP address assignment and interface parameters. To access this screen, click an Edit icon in the Ethernet screen.
IP address settings change. For example, if you change LAN’s IP address, the NXC automatically updates the corresponding interface-based, LAN subnet address object.
Figure 55 Configuration > Network > Interface > Ethernet > Edit (general)
This field is enabled if you set the Interface Type to internal or you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.
DHCP Setting: These fields appear when you set the Interface Type to Internal or General.
This table is available if you selected DHCP server. Options Configure this table if you want to send more information to DHCP clients through DHCP packets. Click this to create an entry in this table. See Section 8.2.3 on page 111.
SNAT behavior for an interface with the Interface Type set to Internal or External.
Click OK to save your changes back to the NXC.
Cancel: Click Cancel to exit this screen without saving.
DHCP option you select in this screen. To open the screen, click Configuration > Network > Interface > Ethernet > Edit, select DHCP Server in the DHCP Setting section, and then click Add or Edit in the Extended Options table.
Information, Second Information: If you selected VIVS (125), enter additional information for the corresponding enterprise number in these fields.
Click this to close this screen and update the settings to the previous Edit screen.
Cancel: Click Cancel to close the screen.
TFTP; however, the option may be used for purposes other than contacting a VoIP configuration server.
8.3 VLAN Interfaces
A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q.
This approach provides a few advantages.
• Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users.
This field is a sequential value, and it is not associated with any interface.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Name: This field displays the name of the interface.
VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen. The following screen appears.
Table 56 Configuration > Network > Interface > VLAN > Add/Edit
LABEL: DESCRIPTION
Show / Hide Advanced Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable: Select this to turn this interface on. Clear this to disable this interface.
Route to associate traffic with this VLAN.
Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the NXC can send through the interface to the network. Allowed values are 0 - 1048576.
Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:
infinite - select this if IP addresses never expire
days, hours, and minutes - select this to enter how long IP addresses are valid.
This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.
Click OK to save your changes back to the NXC.
Cancel: Click Cancel to exit this screen without saving.
The NXC also restricts the size of each data packet. The maximum number of bytes in each packet is called the maximum transmission unit (MTU). If a packet is larger than the MTU, the NXC divides
At the time of writing, the NXC does not support ingress bandwidth management.
9.9.9.2, and the pool size is 253.
• Subnet mask - The interface provides the same subnet mask you specify for the interface.
• Gateway - The interface provides the same gateway you specify for the interface.
IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server.
Internet. To have the NXC send data to devices not reachable through the default gateway, use static routes.
Policy Routes Versus Static Routes
• Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules and NAT.
IP protocol (ICMP, UDP, TCP, etc.) and port. The actions that can be taken include:
• Routing the packet to a different gateway or outgoing interface.
• Limiting the amount of bandwidth available and setting a priority for traffic.
This is the interface on which the packets are received.
Source - This is the name of the source IP address (group) object. any means all IP addresses.
Destination - This is the name of the destination IP address (group) object. any means all IP addresses.
Page 128
This is the source IP address that the route uses. It displays none if the NXC does not perform NAT for this route.
Apply - Click Apply to save your changes back to the NXC.
Reset - Click Reset to return the screen to its last-saved settings.
Enable - Select this to activate the policy.
Description - Enter a descriptive name of up to 60 printable ASCII characters for the policy.
Criteria
User - Select a user name or user group from which the packets are sent.
Page 130
NXC send traffic that matches the policy route through the specified interface.
Auto-Disable - This field displays when you select Interface in the Type field. Select this to have the NXC automatically disable this policy route when the next-hop’s connection is down.
DSCP Marking
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove - To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
The number need not be precise, but it must be 0~127. In practice, 2 or 3 is usually a good number.
OK - Click OK to save your changes back to the NXC.
Cancel - Click Cancel to exit this screen without saving.
Class 3 Class 4
Low Drop Precedence: AF11 (10), AF21 (18), AF31 (26), AF41 (34)
Medium Drop Precedence: AF12 (12), AF22 (20), AF32 (28), AF42 (36)
High Drop Precedence: AF13 (14), AF23 (22), AF33 (30), AF43 (38)
Page 134
If traffic from an SSID does not have strict throughput requirements, then this access category is recommended. For example, an SSID that only has network printers connected to it. NXC2500 User’s Guide...
• Extra-zone traffic is traffic to or from any interface that is not assigned to a zone. • Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information. NXC2500 User’s Guide...
This field is a sequential value, and it is not associated with any interface.
Name - This field displays the name of the zone.
Member - This field displays the names of the interfaces that belong to each zone.
Member lists the interfaces that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them.
OK - Click OK to save your customized settings and exit this screen.
Cancel - Click Cancel to exit this screen without saving.
11.2 NAT Summary
The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this
Page 140
This field displays the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port.
Apply - Click this button to save your changes to the NXC.
Reset - Click this button to return the screen to its last-saved settings.
Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 142
This field displays for Many 1:1 NAT. Select to which translated destination IP address Subnet/Range subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses. NXC2500 User’s Guide...
Page 143
OK - Click OK to save your changes back to the NXC.
Cancel - Click Cancel to return to the NAT summary screen without creating the NAT rule (if it is new) or saving any changes (if it already exists).
SMTP server’s domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server’s mapped public IP address of 1.1.1.1.
Figure 71 LAN Computer Queries a Public DNS Server (diagram labels: xxx.LAN-SMTP.com = 1.1.1.1, xxx.LAN-SMTP.com = ?, 1.1.1.1, 192.168.1.21, 192.168.1.89)
Page 145
NAT, the source would not match the original destination address which would cause the LAN user’s computer to shut down the session.
Figure 73 LAN to LAN Return Traffic (diagram labels: Source 192.168.1.21, Source 1.1.1.1, SMTP, SMTP, 192.168.1.21, 192.168.1.89)
LAN, you must also configure NAT (port forwarding) rules if you want to allow access to the server from the WAN.
12.1.3 Before You Begin
You must also enable NAT in the NXC to allow sessions initiated from the WAN.
File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. NXC2500 User’s Guide...
NXC does not apply IP/MAC binding.
13.1.2 What You Need to Know
The following terms and concepts may help as you read this chapter.
DHCP
IP/MAC address bindings are based on the NXC’s dynamic and static DHCP entries.
This is the name of an interface that supports IP/MAC binding.
Number of Binding - This field displays the interface’s total number of IP/MAC bindings and IP addresses that the interface has assigned by DHCP.
Apply - Click Apply to save your changes back to the NXC.
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove - To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
This is the index number of the static DHCP entry.
Enter up to 64 printable ASCII characters to help identify the entry. For example, you may want to list the computer’s owner.
OK - Click OK to save your changes back to the NXC.
Cancel - Click Cancel to exit this screen without saving.
Enter the first IP address in a range of IP addresses for which the NXC does not apply IP/MAC binding.
End IP - Enter the last IP address in a range of IP addresses for which the NXC does not apply IP/MAC binding.
Apply - Click Apply to save your changes back to the NXC.
Figure 80 Captive Portal Example
The captive portal page only appears once per authentication session. Unless a user idles out or closes the connection, he or she generally will not see it again during the same session.
157) configures which HTTP-based network services default to the captive portal page when a client makes an initial network connection.
• The Login Page screen (Section 14.3 on page 162) assigns a default login page or creates a customized one.
Internal Web Portal - Select this to use the login page built into the NXC. The login page appears whenever the web portal intercepts network traffic, preventing unauthorized users from gaining access to the network.
Page 158
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove - To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
Activate - To turn on an entry, select it and click Activate.
Exceptional Services table on the Captive Portal screen to access this screen.
Note: If you want 802.1x to work properly, you must set BOOTP_Client and DNS as exceptional services.
Figure 82 Configuration > Captive Portal > Add Exceptional Services
SSID Profile called ‘CoffeeBar’, then you can select it immediately from the SSID list in this screen.
Enable Policy - Select this to enable the new authentication policy. You can later edit the authentication policy and deselect it if you want to disable it.
Page 161
Select this option to redirect HTTP traffic to the login screen if the user has not logged in Authentication yet. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving. NXC2500 User’s Guide...
NXC’s default page as it is saved indefinitely.
Use Customized Login Page - Select this to use a custom login page instead of the default one built into the NXC. Once this option is selected, the custom login page controls below become active.
Page 163
Title - Enter 1-64 characters for the page title. Spaces are allowed. This corresponds to the “NXC2500” title in the default page.
Title Color - Select a font color for the page title. You can use the color palette chooser, or enter a color value of your own.
14.3.1 Custom Login and Access Pages
The following identify the parts you can customize in the login and access pages.
Figure 85 Login Page Customization (callouts: Logo Title Message Color (color of all text) Background Note Message (last line of text))
Page 165
Your desired color should display in the preview screen on the right after you click in another field, click Apply, or press [ENTER]. If your desired color does not display, your browser may not support it. Try selecting another color. NXC2500 User’s Guide...
You can also configure the look and feel of the web portal page if you use an external web portal or upload a web portal file to the NXC. Here are some examples.
Figure 87 External Web Portal Login Page Example
Figure 88 External Web Portal Welcome Page Example
Page 167
Chapter 14 Captive Portal
Figure 89 External Web Portal Session Page Example
Figure 90 External Web Portal Logout Page Example
Page 168
The remaining seconds before authentication timeout
lease_time - Total remaining seconds before lease timeout
username - Login username
cgi_str - The CGI for user login. The admin type is “admin.cgi” and the user related type is “login.cgi”.
Ses_time - Accounting session timeout
Page 170
A dynamic guest account user can access the NXC’s services only within a given period of time and will become invalid after the expiration date/time. You cannot modify or edit a dynamic guest account. NXC2500 User’s Guide...
Page 171
‘user-aware policies’ that define what services they can use.
User Role Priority
The NXC checks the following in order of priority.
1. User role setting in ext-user.
2. User role setting in ext-group-user.
3. User role setting in default user (ldap-users, ad-users, radius-users).
- an external server authenticates wireless clients based on their MAC addresses. After authentication the NXC maps a wireless client to a MAC address user account (MAC role). User-aware features control MAC address user access to specific resources.
Description - This field displays the description for each user.
• root
• shutdown
• sshd
• sync
• uucp
• zyxel
To access this screen, go to the User screen, and click Add or Edit.
Figure 93 Configuration > User/Group > User > Add/Edit A User
Page 174
Use a user account from the group specified above to test if the configuration is correct. Enter n Validation the account’s user name in the User Name field and click Test. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving your changes. NXC2500 User’s Guide...
Group Name - This field displays the name of each user group.
Description - This field displays the description for each user group.
Member - This field lists the members in the user group. Each member is separated by a comma.
NXC. You can also use this screen to specify when users must log in to the NXC before it routes traffic for them. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting.
Page 178
Select this check box if you want the NXC to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The NXC automatically logs out the access user once the User idle timeout has been reached. NXC2500 User’s Guide...
Page 179
Note - Enter the notes (such as the SSID and security key the dynamic guests can use to access the network services) you want to display in the paper along with the account information you print out for dynamic guest users. You can enter up to 1024 ASCII characters.
Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires. NXC2500 User’s Guide...
Specify the name used to identify the dynamic guest group.
Description - Enter a description for the dynamic guest group.
OK - Click OK to save your changes back to the NXC.
Cancel - Click Cancel to exit this screen without saving your changes.
Remaining time before session timeout - This field displays how much longer the user can use the session before the NXC automatically logs the access user out.
Select the dynamic guest group with which the dynamic guest account(s) is associated. User Group Apply Click this icon to create the account(s). Logout Click this icon to exit and go back to the Web Configurator login screen. NXC2500 User’s Guide...
Page 184
Guest(s)
Print - Click this icon to print out the account information and the notes you specified in the User/Group > Setting screen for dynamic guests.
Return - Click this icon to go back to the previous screen.
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove - To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so.
NXC authenticate the MAC address or OUI using the local user database.
Description - Enter the description of the mapping, if any.
OK - Click OK to save your changes back to the NXC.
Cancel - Click Cancel to exit this screen without saving your changes.
The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In other words, it is the name of the wireless network that clients use to connect to it. NXC2500 User’s Guide...
Table 94 Configuration > Object > AP Profile > Radio
LABEL DESCRIPTION
Add - Click this to add a new radio profile.
Edit - Click this to edit the selected radio profile.
Remove - Click this to remove the selected radio profile.
Page 189
Channel ID - This field indicates the broadcast channel which this radio profile is configured to use.
Apply - Click Apply to save your changes back to the NXC.
Reset - Click Reset to return the screen to its last-saved settings.
This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button.
Figure 106 Configuration > Object > AP Profile > Add/Edit Radio Profile
Page 191
802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates.
A-MPDU Limit - Enter the maximum frame size to be aggregated.
Page 192
Select the check box and set a minimum client signal strength for connecting to the AP. -20 dBm is the strongest signal you can require and -76 is the weakest. Clear the check box to not require wireless clients to have a minimum signal strength to connect to the AP. NXC2500 User’s Guide...
(such as the WiFi adapter in a laptop), and is displayed as the wireless network name when a person makes a connection to it. To access this screen click Configuration > Object > AP Profile > SSID. NXC2500 User’s Guide...
Page 194
This field indicates the QoS type associated with the SSID profile.
MAC Filtering Profile - This field indicates which (if any) MAC Filter Profile is associated with the SSID profile.
VLAN ID - This field indicates the VLAN ID associated with the SSID profile.
Page 195
MAC filtering allows you to limit the wireless clients connecting to your network through a particular SSID by wireless client MAC addresses. Any clients that have MAC addresses not in the MAC filtering profile of allowed addresses are denied connections. The disable setting means no MAC filtering is used. NXC2500 User’s Guide...
This screen allows you to manage wireless security configurations that can be used by your SSIDs. Wireless security is implemented strictly between the AP broadcasting the SSID and the stations that are connected to it. To access this screen click Configuration > Object > AP Profile > SSID > Security List. NXC2500 User’s Guide...
Page 197
This field is a sequential value, and it is not associated with a specific profile.
Profile Name - This field indicates the name assigned to the security profile.
Security Mode - This field indicates this profile’s security mode (if any).
Page 198
Add button or select a security profile from the list and click the Edit button.
Note: This screen’s options change based on the Security Mode selected. Only the default screen is displayed here.
Figure 110 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile
Page 199
Station ID for MAC authentication. Configure the ones the external server uses.
Delimiter (Account) - Select the separator the external server uses for the two-character pairs within account MAC addresses.
Case (Account) - Select the case (upper or lower) the external server requires for letters in the account MAC addresses.
Page 200
SSIDs. To access this screen click Configuration > Object > AP Profile > SSID > MAC Filter List.
Note: You can have a maximum of 32 MAC filtering profiles on the NXC.
Figure 111 Configuration > Object > AP Profile > SSID > MAC Filter List
Click this to edit the selected MAC address in the profile’s list.
Remove - Click this to remove the selected MAC address from the profile’s list.
This field is a sequential value, and it is not associated with a specific profile.
Page 202
This field displays a description for the MAC address associated with this profile. You can click the description to make it editable. Enter up to 60 characters, spaces and underscores allowed.
OK - Click OK to save your changes back to the NXC.
Cancel - Click Cancel to exit this screen without saving your changes.
802.11 frequencies by sending probe request frames.
Passive Scan
A passive scan is performed when an 802.11-compatible monitoring device is set to periodically listen to a specified channel or number of channels for other wireless devices broadcasting on the 802.11 frequencies.
This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name - This field indicates the name assigned to the monitor profile.
Apply - Click Apply to save your changes back to the NXC.
Reset - Click Reset to return the screen to its last-saved settings.
Select auto to have the AP switch to the next sequential channel once the Channel dwell time expires. Select manual to set specific channels through which to cycle sequentially when the Channel dwell time expires. Selecting this option makes the Scan Channel List options available.
(A). The company’s legitimate wireless network (the dashed ellipse B) is well-secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available NXC2500 User’s Guide...
Page 207
(those from recognized networks, for example). It is recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points. NXC2500 User’s Guide...
• HOST - a host address is defined by an IP Address.
• RANGE - a range address is defined by a Starting IP Address and an Ending IP Address.
• SUBNET - a network address is defined by a Network IP address and Netmask subnet mask.
The Add/Edit Address screen allows you to create a new address or edit an existing one. To access this screen, go to the Address screen, and click either the Add icon or an Edit icon.
Figure 117 Configuration > Object > Address > Address > Add/Edit
Configuration > Object > Address > Address Group. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 118 Configuration > Object > Address > Address Group
), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description - This field displays the description of each address group, if any. You can use up to 60 characters, punctuation marks, and spaces.
Page 213
Move any members you do not want included to the Available list.
OK - Click OK to save your changes back to the NXC.
Cancel - Click Cancel to exit this screen without saving your changes.
For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it. NXC2500 User’s Guide...
To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 120 Configuration > Object > Service > Service
Number Enter the number of the next-level protocol (IP protocol). Allowed values are 0 - 255. Click OK to save your changes back to the NXC. Cancel Click Cancel to exit this screen without saving your changes. NXC2500 User’s Guide...
This field is a sequential value, and it is not associated with a specific service group.
Name - This field displays the name of each service group.
Description - This field displays the description of each service group, if any.
Move any members you do not want included to the Available list.
OK - Click OK to save your changes back to the NXC.
Cancel - Click Cancel to exit this screen without saving your changes.
Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours. NXC2500 User’s Guide...
Object Reference - Select an entry and click Object Reference to open a screen that shows which settings use the entry.
This field is a sequential value, and it is not associated with a specific schedule.
Name - This field displays the name of the schedule, which is used to refer to the schedule.
Specify the year, month, and day when the schedule ends.
Year - 1900 - 2999
Month - 1 - 12
Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31.)
Specify the hour and minute when the schedule begins each day.
Hour - 0 - 23
Minute - 0 - 59
StopTime - Specify the hour and minute when the schedule ends each day.
Hour - 0 - 23
Minute - 0 - 59
Page 225
LABEL DESCRIPTION
Weekly
Week Days - Select each day of the week the recurring schedule is effective.
OK - Click OK to save your changes back to the NXC.
Cancel - Click Cancel to exit this screen without saving your changes.
A user logs in with a user name and password pair. The NXC tries to bind (or log in) to the LDAP/AD server. When the binding process is successful, the NXC checks the user information in the directory against the user name and password pair. NXC2500 User’s Guide...
Page 228
The following lists the types of authentication server the NXC supports.
• Local user database
The NXC uses the built-in local user database to authenticate administrative users logging into the NXC’s Web Configurator or network access users logging into the network through the NXC.
Page 229
The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that have the same “parent DN” (“cn=domain1.com, ou=Sales, o=MyCompany” in the following examples).
cn=domain1.com, ou = Sales, o=MyCompany, c=US
cn=domain1.com, ou = Sales, o=MyCompany, c=JP
Object Reference - Select an entry and click Object Reference to open a screen that shows which settings use the entry.
This field displays the index number.
Name - This is the name that you specified to identify the server.
Page 231
Chapter 21 AAA Server
Table 116 Configuration > Object > AAA Server > Active Directory/LDAP (continued)
LABEL DESCRIPTION
Server Address - This is the address of the AD or LDAP server.
Base DN - This specifies a directory. For example, o=ZyXEL, c=US
Note: The Active Directory and LDAP server setup screens are almost identical, so the features for both screens are described in this section.
Figure 131 Configuration > Object > AAA Server > Active Directory > Add/Edit
Page 233
Specify the timeout period (between 1 and 300 seconds) before the NXC disconnects from the AD server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the AD or LDAP server or the AD or LDAP server is down. NXC2500 User’s Guide...
Page 234
Use a user account from the server specified above to test if the configuration is correct. Validation Enter the account’s user name in the Username field and click Test. Click OK to save the changes. Cancel Click Cancel to discard the changes. NXC2500 User’s Guide...
Object Reference - Select an entry and click Object Reference to open a screen that shows which settings use the entry.
This field displays the index number.
Name - This is the name of the RADIUS server entry.
Server Address - This is the address of the AD or LDAP server.
Specify the timeout period (between 1 and 300 seconds) before the NXC disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. NXC2500 User’s Guide...
Page 237
“RD”, and “management”. Then you could also create an ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”.
OK - Click OK to save the changes.
Cancel - Click Cancel to discard the changes.
Configure AAA server objects before you configure authentication method objects.
22.2 Authentication Method
Click Configuration > Object > Auth. Method to display this screen.
Note: You can create up to 16 authentication method objects.
Figure 135 Configuration > Object > Auth. Method
If two accounts with the same username exist on two authentication servers you specify, the NXC does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server. NXC2500 User’s Guide...
Page 240
NXC does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server.
OK - Click OK to save the changes.
Cancel - Click Cancel to discard the changes.
Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key). NXC2500 User’s Guide...
Page 242
The NXC currently allows the importation of a PKCS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.
Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. CERT represents a certificate issued by a certification authority. NXC2500 User’s Guide...
Page 245
Expired! message if the certificate has expired.
Import - Click Import to open a screen where you can save a certificate to the NXC.
Refresh - Click Refresh to display the current validity status of the certificates.
My Certificates Add screen. Use this screen to have the NXC create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
Figure 137 Configuration > Object > Certificate > My Certificates > Add
Page 247
Certificate Details screen to view the certification request and copy it to send to the locally for later certification authority. manual enrollment Copy the certification request from the My Certificate Details screen and then send it to the certification authority. NXC2500 User’s Guide...
Page 248
My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the NXC to enroll a certificate online. NXC2500 User’s Guide...
Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
Figure 138 Configuration > Object > Certificate > My Certificates > Edit
Page 250
This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path. This field does not display for a certification request. NXC2500 User’s Guide...
Note: You can import a certificate that matches a corresponding certification request that was generated by the NXC. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys. The certificate you import replaces the corresponding request in the My Certificates screen. NXC2500 User’s Guide...
Click Configuration > Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have set the NXC to accept as trusted. The NXC also accepts any valid certificate signed by a certificate on this list as NXC2500 User’s Guide...
Page 253
Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the NXC.
Refresh: Click this button to display the current validity status of the certificates.
NXC to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Figure 141 Configuration > Object > Certificate > Trusted Certificates > Edit
Page 255
Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
Click Cancel to quit and return to the Trusted Certificates screen.
23.3.2 Import Trusted Certificates
Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the NXC.
The second is a reduction in network traffic since the NXC only gets information on the certificates that it needs to verify, not a huge list. When the NXC requests certificate status information, the OCSP server returns an “expired”, “current” or “unknown” response.
• The Auth. Server screen (Section 24.12 on page 292) configures the device to operate as a RADIUS server. • The Language screen (Section 24.13 on page 295) sets the user interface language for the NXC’s Web Configurator screens.
Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system. Click Configuration > System > USB Storage to open the screen as shown next. Figure 144 Configuration > System > USB Storage
To change your NXC’s time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the NXC’s time and date or have the NXC get the date and time from a time server. Figure 145 Configuration > System > Date/Time
Page 262
(1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
NTP time servers have been tried.
24.4.2 Time Server Synchronization
Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field.
This section shows you how to set the console port speed when you connect to the NXC via the console port using a terminal emulation program. See Table 3 on page 21 for default console port settings.
Click Configuration > System > DNS to change your NXC’s DNS settings. Use the DNS screen to configure the NXC to use a DNS server to resolve domain names for NXC system features like the time server. You can also configure the NXC to accept or discard DNS queries. Use the Network >
Page 266
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The NXC confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
Page 267
This is the object name of the IP address(es) with which the computer is allowed or denied to send DNS queries.
Action: This displays whether the NXC accepts DNS queries from the computer with the IP address specified above through the specified zone (Accept) or discards them (Deny).
Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
IP Address: Enter the IP address of the host in dotted decimal notation.
Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving
0.0.0.0. Use the Query via field to select the interface through which the NXC sends DNS queries to a DNS server.
Click OK to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.
Click Cancel to exit this screen without saving
24.6.10 Add Service Control
Click the Add icon in the Service Control table to add a service control rule. Figure 152 Configuration > System > DNS > Add Service Control Rule
The allowed IP address (address object) in the Service Control table does not match the client IP address (the NXC disallows the session). The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny.
HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the NXC’s web server. HTTP connection requests from a web browser go to port 80 (by default) on the NXC’s web server. Figure 154 HTTP/HTTPS Implementation
Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the NXC. Figure 155 Configuration > System > WWW > Service Control
Page 274
IP address(es) in the Service Control table to access the NXC Web Configurator using HTTP connections.
Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the NXC.
24.7.5 Service Control Rules
Click Add or Edit in the Service Control table in a WWW, SSH, TELNET, FTP or SNMP screen to add a service control rule. Figure 156 Configuration > System > Service Control Rule > Add/Edit
You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the Web Configurator login screen; if you select No, then Web Configurator access is blocked. Figure 157 Security Alert Dialog Box (Internet Explorer)
Page 277
The SSL client needs a certificate if Authenticate Client Certificates is selected on the NXC. You must have imported at least one trusted CA to the NXC in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
Page 278
24.7.6.5 Installing the CA’s Certificate
Double-click the CA’s trusted certificate to produce a screen similar to the one shown next. Click Install Certificate and follow the wizard as shown earlier in this appendix.
Page 279
Click Next to begin the wizard. The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Page 280
Chapter 24 System
Enter the password given to you by the CA. Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
Page 281
You should see the following screen when the certificate is correctly installed on your computer.
24.7.6.7 Using a Certificate When Accessing the NXC
To access the NXC via HTTPS: Enter ‘https://NXC IP Address/’ in your browser’s web address field.
SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the
The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.
Encryption Method
Once the identification is verified, both the client and server must agree on the type of encryption method to use.
SSH can be used to manage the NXC. You can also specify from which IP addresses the access can come. Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 162 Configuration > System > SSH
This section describes how to access the NXC using the Secure Shell Client program. Launch the SSH client and specify the connection information (IP address, port number) for the NXC. Configure the SSH client to accept connections using SSH version 1.
Page 286
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:

The CLI screen displays next.
This is the object name of the IP address(es) with which the computer is allowed or denied to access.
Action: This displays whether the computer with the IP address specified above can access the NXC zone(s) configured in the Zone field (Accept) or not (Deny).
Certificate: Select the certificate whose corresponding private key is to be used to identify the NXC for FTP connections. You must have certificates already configured in the My Certificates screen.
Service Control: This specifies from which computers you can access which NXC zones.
Page 289
This displays whether the computer with the IP address specified above can access the NXC zone(s) configured in the Zone field (Accept) or not (Deny).
Apply: Click Apply to save your changes back to the NXC.
Reset: Click Reset to return the screen to its last-saved settings.
Get operation, followed by a series of GetNext operations.
• Set - Allows the manager to set values for object variables within an agent.
• Trap - Used by the agent to inform the manager of some events.
Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the NXC. You can also specify from which IP addresses the access can come. Figure 169 Configuration > System > SNMP
Click Reset to return the screen to its last-saved settings.
24.12 Authentication Server
You can set the NXC to work as a RADIUS server to exchange messages with a RADIUS client, such as an AP for user authentication and authorization. Click Configuration > System > Auth.
Page 293
This is the subnet mask of the RADIUS client.
Description: This is the description of the RADIUS client.
Apply: Click Apply to save your changes back to the NXC.
Reset: Click Reset to return the screen to its last-saved settings.
The key is not sent over the network. This key must be the same on the external authentication server and the NXC.
Description: Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Click OK to save the changes.
Cancel: Click Cancel to discard the changes.
Select a display language for the NXC’s Web Configurator screens. You also need to open a new browser session to display the screens in the new language.
Apply: Click Apply to save your changes back to the NXC.
Reset: Click Reset to return the screen to its last-saved settings.
25.2 Email Daily Report
Use this screen to start or stop data collection and view various statistics about traffic passing through your NXC. Note: Data collection may decrease the NXC’s traffic throughput rate.
Page 298
Table 149 Configuration > Log & Report > Email Daily Report
LABEL: DESCRIPTION
Enable Email Daily Report: Select this to send reports by e-mail every day.
Mail Server: Type the name or IP address of the outgoing SMTP server.
Alternatively, if you want to edit which events are included in each log, you can also use the Log Category Settings screen to edit this information for all logs at the same time.
Internal - system log; you can view the log on the View Log tab.
VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format.
CEF/Syslog - Common Event Format, syslog-compatible format.
Summary: This field is a summary of the settings for each log.
Page 301
Table 150 Configuration > Log & Report > Log Settings (continued)
LABEL: DESCRIPTION
Log Category Settings: Click this button to open the Log Category Settings screen.
Apply: Click this button to save your changes (activate and deactivate logs) and make them take effect.
This screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen and click the system log Edit icon. Figure 175 Configuration > Log & Report > Log Settings > Edit (System Log)
Page 303
Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings.
enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 1.
enable alert logs (red exclamation point) - e-mail alerts for all categories to e-mail server 1.
25.3.3 Edit USB Storage Log Settings
The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Settings Summary screen, and click the USB storage Edit icon.
Page 305
This field is a sequential value, and it is not associated with a specific entry.
Log Category: This field displays each category of messages. The Default category includes debugging messages generated by open source software.
Page 306
(yellow check mark) - log regular information, alerts, and debugging information from this category
Click this to save your changes and return to the previous screen.
Cancel: Click this to return to the previous screen without saving your changes.
This screen controls the settings for each log in the remote server (syslog). Go to the Log Settings Summary screen and click a remote server Edit icon. Figure 177 Configuration > Log & Report > Log Settings > Edit (Remote Server)
This screen allows you to view and to edit what information is included in the system log, USB storage, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names).
Page 309
Figure 178 Configuration > Log & Report > Log Settings > Log Category Settings This screen provides a different view and a different way of indicating which messages are included in each log and each alert. (The Default category includes debugging messages generated by open source software.)
Page 310
Log Category: This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.
Page 311
(yellow check mark) - log regular information, alerts, and debugging information from this category
Click this to save your changes and return to the previous screen.
Cancel: Click this to return to the previous screen without saving your changes.
Page 312
Chapter 25 Log and Report
When you apply a configuration file, the NXC uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the NXC only applies the commands that it contains. Other settings do not change.
Page 314
Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the NXC exit sub command mode. Note: “exit” or “!” must follow sub commands if it is to make the NXC exit sub command mode.
Once your NXC is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
Page 316
The NXC still generates a log for any errors. Figure 180 Maintenance > File Manager > Configuration File Do not turn off the NXC while configuration file upload is in progress.
Page 317
Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
Page 318
The lastgood.conf is the most recently used (valid) configuration file that was saved when the device last restarted. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
You can upload the firmware package to the NXC with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package.
Page 320
The NXC automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 183 Network Temporarily Disconnected After five minutes, log in again and check your new firmware version in the Dashboard screen.
Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the NXC restarts. You could use multiple write commands in a long script. Figure 185 Maintenance > File Manager > Shell Script
Page 322
Shell Script
The bottom part of the screen allows you to upload a new or previously saved shell script file from your computer to your NXC.
File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it.
Page 323
Table 158 Maintenance > File Manager > Shell Script (continued)
LABEL: DESCRIPTION
Browse...: Click Browse... to find the .zysh file you want to upload.
Upload: Click Upload to begin the upload process. This process may take up to several minutes.
This screen provides an easy way for you to generate a file containing the NXC’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 186 Maintenance > Diagnostics
File Name: This column displays the label that identifies the file.
Size: This column displays the size (in bytes) of a file.
Last Modified: This column displays the date and time that the individual files were saved.
Internet. Select any to capture packets for traffic sent by either IP version.
Protocol Type: Select the protocol type of traffic for which to capture packets. Select any to capture packets for all types of traffic.
Page 328
Capture (Per Packet) truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of captured packets.
Click a file to select it and click Download to save it to your computer. This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space.
Use the Core Dump screen to have the NXC save a process’s core dump to an attached USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer support for troubleshooting.
NXC or a connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 192 Maintenance > Diagnostics > Core Dump > Files
File Name: This column displays the label that identifies the file.
Size: This column displays the size (in bytes) of a file.
Last Modified: This column displays the date and time that the individual files were saved.
Use the arrow buttons to move APs off this list and onto the Captured MON Mode APs list.
Capture MON Mode: This column displays the monitor-mode configured APs selected for wireless frame capture.
Misc Setting
NXC has performed. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark. Figure 195 Maintenance > Diagnostics > Wireless Frame Capture > Files
Page 335
This column displays the label that identifies the file. The file name format is interface name-file suffix.cap.
Size: This column displays the size (in bytes) of a configuration file.
Last Modified: This column displays the date and time that the individual files were saved.
• use policy routes to control 1-1 NAT by using the policy control-virtual-server-rules activate command. Note: Once a packet matches the criteria of a routing rule, the NXC takes the corresponding action and does not perform any further flow checking.
Page 339
This is the number of an activated policy route. If you have configured a schedule for the route, this screen only displays the route at the scheduled time.
Incoming: This is the interface on which the packets are received.
• use policy routes to control 1-1 NAT by using the policy control-virtual-server-rules activate command. Note: Once a packet matches the criteria of an SNAT rule, the NXC takes the corresponding action and does not perform any further flow checking.
Page 342
The following fields are available if you click Default SNAT in the SNAT Flow section. This field is a sequential value, and it is not associated with any entry.
Incoming: This indicates internal interface(s) on which the packets are received.
Page 343
This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the NXC uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule.
Click the Reboot button to restart the NXC. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the NXC.
Click the Shutdown button to shut down the NXC. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shut down the NXC.
Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed.
Page 350
It is strongly recommended that you use a more effective security mechanism. Use the strongest security mechanism that all the wireless devices in your network support. WPA2 or WPA2-PSK is recommended.
The wireless security is not following the re-authentication timer setting I specified.
Page 351
I cannot get the RADIUS server to authenticate the NXC’s default admin account.
The default admin account is always authenticated locally, regardless of the authentication method setting.
The NXC fails to authenticate the ext-user user accounts I configured.
Page 352
PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the NXC.
Page 353
• Include write commands in your scripts. Otherwise the changes will be lost when the NXC restarts. You could use multiple write commands in a long script. Note: “exit” or “!” must follow sub commands if it is to make the NXC exit sub command mode.
AP’s configuration is in conflict with the NXC’s settings for the AP. • The wireless client’s MAC address may be on the MAC filtering list. See Section 16.3.3 on page for details on managing the NXC MAC Filter.
Page 355
If Captive Portal is using the external web portal: • Make sure the Captive Portal configuration pointing to it is correct. You must configure the Login URL field. • Check that the external Web server is configured properly.
Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.) Release the RESET button, and wait for the NXC to restart. You should be able to access the NXC using the default settings.
Chapter 31 Troubleshooting
31.3 Getting More Troubleshooting Help
Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
1st:zysh entry name can't retrieve entry: 1st:zysh entry name can't get entry: %s! 1st:zysh entry name can't print entry: %s! 1st:zysh list name %s: cannot retrieve entries from list! 1st:zysh entry index can't get name for entry %d!
Page 360
%s: invalid old/new index! 1st:zysh entry num Unable to move entry #%d! 1st:zysh table name %s: apply failed at initial stage! 1st:zysh table name %s: apply failed at main stage! 1st:zysh table name %s: apply failed at closing stage!
Page 361
LOG MESSAGE: Failed login attempt to EnterpriseWLAN from %s (reach the max. number of simultaneous logon)
DESCRIPTION: The NXC blocked a login because the maximum simultaneous login capacity for the administrator or access account has already been reached. %s: service name
Page 362
LOG MESSAGE: %s:Trial service activation has succeeded.
DESCRIPTION: %s: service name
LOG MESSAGE: Trial service activation has failed. Because of lack must fields.
DESCRIPTION: The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device.
Page 363
LOG MESSAGE: Change Anti-Virus engine has failed:%s.
DESCRIPTION: The device failed to change the type of anti-virus engine. %s is the server response error message.
LOG MESSAGE: Change Anti-Virus engine has succeeded.
DESCRIPTION: The device successfully changed the type of anti-virus engine.
Page 364
LOG MESSAGE: IDP signature download has succeeded.
DESCRIPTION: The device successfully downloaded an IDP signature file.
LOG MESSAGE: IDP signature update has succeeded.
DESCRIPTION: The device successfully downloaded and applied an IDP signature file.
LOG MESSAGE: IDP signature download has failed.
DESCRIPTION: The device still cannot download the IDP signature after 3 retries.
Page 365
LOG MESSAGE: System bootup. Do expiration daily-check.
DESCRIPTION: The device processes a service expiration day check immediately after it starts
LOG MESSAGE: After register. Do expiration daily-check immediately.
DESCRIPTION: The device processes a service expiration day check immediately after device registration.
Page 366
LOG MESSAGE: Download file size is wrong.
DESCRIPTION: The file size downloaded for AS is not identical with content-length
LOG MESSAGE: Parse HTTP header has failed.
DESCRIPTION: Device can't parse the HTTP header in a response returned by a server. Maybe some HTTP headers are missing.
Page 367
LOG MESSAGE: Policy-route rule %d was modified.
DESCRIPTION: %d: the policy route rule number
LOG MESSAGE: Policy-route rule %d was moved to %d.
DESCRIPTION: Rule is moved. 1st %d: the original policy route rule number 2nd %d: the new policy route rule number
Page 368
LOG MESSAGE: TELNET port has been changed to port %s.
DESCRIPTION: An administrator changed the port number for TELNET. %s is port number assigned by user
LOG MESSAGE: TELNET port has been changed to default port.
DESCRIPTION: An administrator changed the port number for TELNET back to the default (23).
Page 369
LOG MESSAGE: DNS access control rules have been reached the maximum number.
DESCRIPTION: An administrator tried to add more than the maximum number of DNS access control rules (64).
LOG MESSAGE: DNS access control rule %u of DNS has been appended.
DESCRIPTION: An administrator added a new rule. %u is rule number
Page 370
32.
LOG MESSAGE: Access control rules of %s have reached the maximum number of %u
DESCRIPTION: The maximum number of allowable rules has been reached. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. %u is the maximum number of access control rules.
Page 371
%d%%: mem-threshold-min. When local storage usage drops below threshold-min, %s: partition_name file system drops below the threshold of %d%%: disk-threshold-min. DHCP Server executed with cautious mode enabled. DHCP Server executed with cautious mode enabled
Page 372
LOG MESSAGE: NTP update successful, current time is %s
DESCRIPTION: %s is the date and time.
LOG MESSAGE: NTP update failed
DESCRIPTION: The device was not able to synchronize with the NTP time server successfully.
LOG MESSAGE: Device is rebooted by administrator!
DESCRIPTION: An administrator restarted the device.
Page 373
LOG MESSAGE: Can't load %s module
DESCRIPTION: %s: the connectivity module, currently only ICMP available.
LOG MESSAGE: Can't handle 'isalive' function of %s module
DESCRIPTION: The connectivity check process can't execute 'isalive' function from module for check link-status. %s: the connectivity module, currently only ICMP available.
Page 374
FTP ALG has been modified.
LOG MESSAGE: Signal port of FTP ALG has been modified.
DESCRIPTION: Default FTP ALG port has been changed.
LOG MESSAGE: %s H.323 ALG has succeeded.
DESCRIPTION: The H.323 ALG has been turned on or off. %s: Enable or Disable
Page 375
Certificate was not added to the cache.
Certificate decoding failed.
Certificate was not found (anywhere).
Certificate chain looped (did not find trusted root).
Certificate contains critical extension that was not handled.
Certificate issuer was not valid (CA specific information missing).
(Not used)
Page 377
LOG MESSAGE: System internal error. Error configuring WPA state!
DESCRIPTION: The NXC was not able to configure the wireless device to use WPA. Remove the wireless device and reinstall it.
LOG MESSAGE: System internal error. Error enabling WPA/802.1X!
DESCRIPTION: The NXC was not able to enable WPA/IEEE 802.1X.
Page 378
LOG MESSAGE: Account %s %s has been changed.
DESCRIPTION: A user changed an ISP account profile’s options. 1st %s: profile type, 2nd %s: profile name.
LOG MESSAGE: Account %s %s has been added.
DESCRIPTION: A user added a new ISP account profile. 1st %s: profile type, 2nd %s: profile name.
Page 379
LOG MESSAGE: Resetting system...
LOG MESSAGE: System resetted. Now apply %s..
DESCRIPTION: After the system reset, it started to apply the configuration file. %s is configuration file name.
LOG MESSAGE: Running %s...
DESCRIPTION: An administrator ran the listed shell script. %s is script file name.
Page 380
LOG MESSAGE: Failed to connect to mail server %s.
DESCRIPTION: The NXC could not connect to the SMTP e-mail server (%s). The address configured for the server may be incorrect or there may be a problem with the NXC’s or the server’s network connection.
Page 381
| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| AP Disconnect. MAC:%02x%02x%02x%02x%02x%02x, Name:%s, Reason:%s in %s State,Model:%s | A Managed AP disconnected from the CAPWAP Server. 1st %02x ~ 6th %02x: Managed AP MAC Address. 7th %s: Managed AP Description. 8th %s: Managed AP Disconnect Reason. 9th %s: Managed AP Model Name. |
Page 382
| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| Start Send Updating Configuration to AP. MAC:%02x%02x%02x%02x%02x%02x, Name:%s,Model:%s | Start Send Updating Configuration to an AP in the Managed List. 1st %02x ~ 6th %02x: Managed AP MAC Address. 7th %s: Managed AP Description. 8th %s: Managed AP Model Name. |
Page 383
| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| Connect to WLAN Controller. IP:%s | CAPWAP Client connected to the WLAN Controller. 1st %s: WLAN Controller IP Address. |
| Disconnect from WLAN Controller. IP:%s | CAPWAP Client disconnected from the WLAN Controller. 1st %s: WLAN Controller IP Address. |
Page 384
| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| kick station %02x:%02x:%02x:%02x:%02x:%02x | Indicates that the specified station was removed from an AP’s wireless network because the AP became overloaded. |

Table 191 Rogue AP Logs

| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| rogue ap detection is enabled. | Indicates that rogue AP detection is enabled. |
Page 385
| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| To:%s | 7th %s: Source WTP's description. 8th %s: Destination WTP's description. |
| STA List Full. STA List of AP [%s] is Full | The number of wireless clients connected to the AP has reached the maximum limit. 1st %s: Managed AP's description. |
Page 386
| LOG MESSAGE | DESCRIPTION |
| --- | --- |
| | 8th %s: Managed AP Description. |
| AP Radio MAC=%02x:%02x:%02x:%02x:%02x:%02x, Reject Station MAC%02x:%02x:%02x:%02x:%02x:%02x, RSSI=%d | An AP rejected a wireless client’s association request. 1st %02x ~ 6th %02x: AP’s MAC Address. 7th %02x ~ 12th %02x: Wireless client’s MAC Address. 13th %d: RSSI value |
File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. H.323 1720 NetMeeting uses this protocol.
Page 388
REXEC Remote Execution Daemon.
RLOGIN Remote Login.
RTELNET Remote Telnet.
RTSP TCP/UDP The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP Simple File Transfer Protocol.
Page 389
TFTP Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE 7000 Another videoconferencing solution.
Page 390
Appendix B Common Services
Note: You can tell that you are browsing a secure website if the URL in your web browser’s address bar begins with https:// or there is a sealed padlock icon somewhere in the main browser window (not all browsers show the padlock in the same location).
Page 392
If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Click Continue to this website (not recommended). In the Address Bar, click Certificate Error > View certificates.
Page 393
Appendix C Importing Certificates
In the Certificate dialog box, click Install Certificate. In the Certificate Import Wizard, click Next.
Page 394
Next again and then go to step 9. Otherwise, select Place all certificates in the following store and then click Browse. In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.
Page 395
In the Completing the Certificate Import Wizard screen, click Finish.
10 If you are presented with another Security Warning, click Yes.
11 Finally, click OK when presented with the successful certificate installation message.
Page 396
Double-click the public key certificate file. In the security warning dialog box, click Open. Refer to steps 4-12 in the Internet Explorer procedure beginning on page 392 to complete the installation process.
Page 397
This section shows you how to remove a public key certificate in Internet Explorer 7 on Windows XP. Open Internet Explorer and click Tools > Internet Options. In the Internet Options dialog box, click Content > Certificates.
Page 398
In the Certificates confirmation, click Yes. In the Root Certificate Store dialog box, click Yes. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Page 399
The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information.
Page 400
Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. Open Firefox and click Tools > Options. In the Options dialog box, click Advanced > Encryption > View Certificates.
Page 401
Use the Select File dialog box to locate the certificate and then click Open. The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information.
Page 402
Removing a Certificate in Firefox
This section shows you how to remove a public key certificate in Firefox 2. Open Firefox and click Tools > Options. In the Options dialog box, click Advanced > Encryption > View Certificates.
Page 403
Delete. In the Delete Web Site Certificates dialog box, click OK. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Page 404
(AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is
Page 406
APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
Page 407
AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11.
Page 408
RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.
Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.
Page 409
DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11 CCK (Complementary Code Keying)
6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing)

Wireless Security Overview
Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.
Page 410
• Authentication Determines the identity of the users.
• Authorization Determines the network services available to authenticated users once they are connected to the network.
• Accounting Keeps track of the client’s network activity.
Page 411
For the EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). Certificates (also called digital IDs) can be used to authenticate users; a CA issues certificates and guarantees the identity of each certificate owner.
Page 412
The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.
Page 413
Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm
Page 414
WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.
Page 415
The AP checks each wireless client's password and allows it to join the network only if the password matches. The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.
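How both sides can arrive at the same PMK without sending it, as an added example that is not from the NXC2500 guide or ZyXEL code: IEEE 802.11i defines the WPA/WPA2-PSK PMK as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. The SSIDs and passphrases in `demo()` are constructed sample values, and the function names are illustrative.

```python
import hashlib
import hmac

ITERATIONS = 4096  # iteration count fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32       # the PMK is 256 bits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               ITERATIONS, PMK_LEN)


def pmks_match(ap_pmk: bytes, client_pmk: bytes) -> bool:
    """Constant-time comparison, used here only to show both sides derive equal bytes."""
    return hmac.compare_digest(ap_pmk, client_pmk)


def demo() -> dict:
    # Constructed sample values, not taken from any real network.
    ssid, psk = "Example-WLAN", "correct horse battery"
    ap = derive_pmk(psk, ssid)                      # computed locally on the AP
    client = derive_pmk(psk, ssid)                  # computed locally on the client
    wrong_psk = derive_pmk("correct horse batterx", ssid)
    other_ssid = derive_pmk(psk, "Example-WLAN-2")  # same PSK, different salt
    return {
        "same_psk_same_ssid": pmks_match(ap, client),
        "wrong_psk": pmks_match(ap, wrong_psk),
        "same_psk_other_ssid": pmks_match(ap, other_ssid),
        "pmk_bits": len(ap) * 8,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the SSID is the salt, the same passphrase yields a different PMK on every network name, and a one-character difference in the passphrase yields an unrelated key.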
Page 416
Enable without Dynamic WEP Key Open Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable Shared Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable TKIP/AES Enable WPA-PSK TKIP/AES Disable WPA2 TKIP/AES Enable WPA2-PSK TKIP/AES Disable
Your use of the NXC is subject to the terms and conditions of any related service providers. Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Page 418
"Improper disposal of the product by its holder is subject to the administrative penalties provided for by the regulations in force."
Page 419
Name/Title: Raymond Huang / Quality & Customer Service Division / Assistant VP. Date (yyyy/mm/dd): 2013/02/01
Page 420
Appendix E Legal Information