Page 1 NWA-3160 Series Models: NWA-3160 & NWA-3163 Default Login Details IP Address http://192.168.1.2 User Name Password 1234 Firmware Version 3.7 www.zyxel.com Edition 2, 03/2009 www.zyxel.com Copyright © 2009 ZyXEL Communications Corporation...
Page 3: About This User's Guide
About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the NWA-3160 Series using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Page 4: Document Conventions
Syntax Conventions • The products in the NWA-3160 Series may be referred to as the “NWA”, the “device” or the “system” in this User’s Guide. Note: The NWA-3160 Series includes the NWA-3160 and the NWA-3163. Illustrations used throughout this book are based on the NWA-3163.
Page 5 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The NWA icon is not an exact representation of your device. Computer Notebook computer Server Printer Firewall Telephone Switch Router NWA-3160 Series User’s Guide...
Page 6: Safety Warnings
• If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged. • The PoE (Power over Ethernet) devices that supply or receive power and their connected Ethernet cables must all be completely indoors. This product is recyclable. Dispose of it properly. NWA-3160 Series User’s Guide...
Page 7: Table Of Contents
2.1 Overview ..........................31 2.2 Accessing the Web Configurator ..................31 2.3 Resetting the NWA ......................32 2.3.1 Methods of Restoring Factory-Defaults ..............32 2.4 Navigating the Web Configurator ..................33 Chapter 3 Tutorials ........................... 35 NWA-3160 Series User’s Guide...
Page 8 3.6.5 Setting Your NWA in Managed AP Mode ..............69 3.6.6 Configuring the Managed Access Points List ............. 70 3.6.7 Checking your Settings and Testing the Configuration ..........73 Part II: The Web Configurator ............... 75 NWA-3160 Series User’s Guide...
Page 9 7.2 General Screen ......................... 103 7.3 Password Screen ......................105 7.4 Time Setting Screen ......................107 7.5 Technical Reference ......................109 7.5.1 Administrator Authentication on RADIUS ..............109 7.5.2 Pre-defined NTP Time Servers List ................109 NWA-3160 Series User’s Guide...
Page 10 9.1.2 What You Need To Know About SSID ..............138 9.2 The SSID Screen ....................... 139 9.2.1 Configuring SSID ..................... 140 Chapter 10 Wireless Security Screen ..................... 143 10.1 Overview .......................... 143 10.1.1 What You Can Do in the Security Screen .............. 143 NWA-3160 Series User’s Guide...
Page 11 14.1.1 What You Can Do in the IP Screen ................ 171 14.1.2 What You Need To Know About IP ................ 171 14.2 The IP Screen ........................172 14.3 Technical Reference ......................173 14.3.1 WAN IP Address Assignment ................. 173 NWA-3160 Series User’s Guide...
Page 12 18.1.2 What You Need To Know About Certificates ............204 18.2 My Certificates Screen ....................204 18.2.1 My Certificates Import Screen ................206 18.2.2 My Certificates Create Screen ................208 18.2.3 My Certificates Details Screen ................211 18.3 Trusted CAs Screen ......................214 NWA-3160 Series User’s Guide...
Page 13 20.3.4.1 Second Rx VLAN Setup Example ..........249 Chapter 21 Load Balancing ........................253 21.1 Overview .......................... 253 21.1.1 What You Need to Know About Load Balancing ............ 253 21.2 The Load Balancing Screen .................... 255 21.2.1 Disassociating and Delaying Connections ............. 256 NWA-3160 Series User’s Guide...
Page 14 Appendix D IP Addresses and Subnetting ................309 Appendix E Text File Based Auto Configuration..............331 Appendix F How to Access and Use the CLI ............... 339 Appendix G Legal Information....................345 Appendix H Customer Support..................... 349 Index............................357 NWA-3160 Series User’s Guide...
Page 15: Part I Introduction
Introduction Introduction (17) The Web Configurator (31) Tutorials (35)
Page 17: Chapter 1 Introduction
H A P T E R Introduction Note: The NWA-3160 Series includes the NWA-3160 and the NWA-3163. Illustrations used throughout this book are based on the NWA-3163. 1.1 Overview Your NWA extends the range of your existing wired network without additional wiring, providing easy network access to mobile users.
Page 18: Applications For The Nwa
The NWA is an ideal access solution for wireless Internet connection. A typical Internet access application for your NWA is shown as follows. Stations A, B and C can access the wired network through the NWAs. Figure 1 Access Point Application BSS2 BSS1 NWA-3160 Series User’s Guide...
Page 19: Bridge / Repeater
Once the security settings of peer sides match one another, the connection between devices is made. At the time of writing, WDS security is compatible with other ZyXEL access points only. Refer to your other access point’s documentation for details. Figure 2 Bridge Application NWA-3160 Series User’s Guide...
Page 20: Bridge / Repeater Mode Example
WDS (Wireless Distribution System) allowing the computers in LAN 1 to connect to the computers in LAN 2. Figure 4 Bridging Example Be careful to avoid bridge loops when you enable bridging in the NWA. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible NWA-3160 Series User’s Guide...
Page 21 To prevent bridge loops, ensure that you enable Spanning Tree Protocol (STP) in the Wireless screen or your NWA is not set to bridge mode while connected to both wired and wireless segments of the same LAN. NWA-3160 Series User’s Guide...
Page 22: Ap + Bridge
A Basic Service Set (BSS) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). The Service Set IDentifier (SSID) is the name of a BSS. In Multiple BSS (MBSSID) mode, the NWA NWA-3160 Series User’s Guide...
Page 23 Guest_SSID is the wireless network for guest users. In this example, the guest user is forbidden access to the wired Land Area Network (LAN) behind the AP and can access only the Internet. Figure 8 Multiple BSSs NWA-3160 Series User’s Guide...
Page 24: Pre-Configured Ssid Profiles
IEEE 802.11b and IEEE 802.11g clients to access the wired network, and WLAN2 in AP + Bridge mode to allow an IEEE 802.11a AP to communicate with the wired network. Figure 9 Dual WLAN Adaptors Example WLAN1 WLAN2 802.11b/g 802.11b/g Access Point Bridge Internet NWA-3160 Series User’s Guide...
Page 25: Capwap
• NWA-3166 The following figure illustrates a CAPWAP wireless network. The user (U) configures the controller AP (C), which then automatically updates the configurations of the managed APs (M1 ~ M4). Figure 10 CAPWAP Network Example NWA-3160 Series User’s Guide...
Page 26: Ways To Manage The Nwa
NWA to its factory default settings. If you backed up an earlier configuration file, you won’t have to totally re-configure the NWA; you can simply restore your last configuration. 1.6 Hardware Connections See your Quick Start Guide for information on making hardware connections. NWA-3160 Series User’s Guide...
Page 27: Antennas
The NWA has two antennas. When you are looking at the NWA from the front, the main antenna is on the left. The main antenna can both transmit and receive. If you have only one antenna, attach it to the connector on the left of the NWA. Figure 11 Main Antenna NWA-3160 Series User’s Guide...
Page 28: Leds
The NWA is in AP+Bridge or Bridge/Repeater mode and has not established a Wireless Distribution System (WDS) connection. Green The NWA is in AP+Bridge or Bridge/Repeater mode, and has successfully established a Wireless Distribution System (WDS) connection. NWA-3160 Series User’s Guide...
Page 29 Blinking Either • If the LED blinks during the boot up process, the system is starting up. • If the LED blinks after the boot up process, the system has failed. The NWA successfully boots up. NWA-3160 Series User’s Guide...
Page 30 Chapter 1 Introduction NWA-3160 Series User’s Guide...
Page 31: The Web Configurator
You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) then click Apply. Alternatively, click Ignore. Note: If you do not change the password, this screen appears every time you login. NWA-3160 Series User’s Guide...
Page 32: Resetting The Nwa
IP address of the NWA is not known. • Use the web configurator to restore defaults (refer to Chapter 23 on page 263). • Transfer the configuration file to your NWA using File Transfer Protocol (FTP). NWA-3160 Series User’s Guide...
Page 33: Navigating The Web Configurator
Load Balancing, and DCS. • Click MAINTENANCE to view information about your NWA or upgrade configuration and firmware files. Maintenance features include Status (Statistics), Association List, Channel Usage, F/W (Firmware) Upload, Configuration (Backup, Restore and Default) and Restart. NWA-3160 Series User’s Guide...
Page 34 Chapter 2 The Web Configurator NWA-3160 Series User’s Guide...
Page 35: Chapter 3 Tutorials
• Use MBSSID (Multiple Basic Service Set Identifier) operating mode if you want to use the NWA as an access point with some groups of users having different security or QoS settings from other groups of users. See Section 1.2.4 on page for details. NWA-3160 Series User’s Guide...
Page 36: Wireless Lan Configuration Overview
Configure internal AUTH. SERVER (optional). Configure Layer 2 Configure Layer 2 Isolation (optional). Isolation (optional). Configure Layer 2 Isolation (optional). Configure MAC Filter Configure MAC Filter (optional). (optional). Configure MAC Filter (optional). Check your settings and test. NWA-3160 Series User’s Guide...
Page 37: Further Reading
To do this, you will take the following steps: Change the operating mode from Access Point to MBSSID and reactivate the standard network. Configure a wireless network for VoIP users. Configure a wireless network for guests to your office. NWA-3160 Series User’s Guide...
Page 38 The following table shows the addresses used in this example. Table 2 Tutorial: Example Information Network router (A) MAC address 00:AA:00:AA:00:AA Network printer (B) MAC address AA:00:AA:00:AA:00 NWA-3160 Series User’s Guide...
Page 39: Change The Operating Mode
Section 2.2 on page 31). Click Wireless > Wireless. The Wireless screen appears. In this example, the NWA is in Access Point operating mode, and is currently set to use the SSID03 profile. Figure 16 Tutorial: Wireless LAN: Before NWA-3160 Series User’s Guide...
Page 40 Select the Index box for the entry and click Apply to activate the profile. Your standard wireless network (SSID03) is now accessible to your wireless clients as before. You do not need to configure anything else for your standard network. NWA-3160 Series User’s Guide...
Page 41: Configure The Voip Network
Figure 18 Tutorial: WIRELESS > SSID The Voice over IP (VoIP) network will use the pre-configured SSID profile, so select VoIP_SSID’s radio button and click Edit. The following screen displays. Figure 19 Tutorial: VoIP SSID Profile Edit NWA-3160 Series User’s Guide...
Page 42: Set Up Security For The Voip Profile
Leave all the other fields at their defaults and click Apply. 3.3.2.1 Set Up Security for the VoIP Profile Now you need to configure the security settings to use on the VoIP wireless network. Click the Security tab. Figure 20 Tutorial: VoIP Security NWA-3160 Series User’s Guide...
Page 43 In this example, the PSK is “ThisismyWPA2-PSKpre-sharedkey”. Click Apply. The Wireless > Security screen displays. Ensure that the Profile Name for entry 2 displays “VoIP_Security” and that the Security Mode is WPA2-PSK. Figure 22 Tutorial: VoIP Security: Updated NWA-3160 Series User’s Guide...
Page 44: Activate The Voip Profile
Guest_SSID profile can access only certain pre-defined devices on the network (see Section on page 162), and “intra-BSS traffic blocking” means that the client cannot access other clients on the same wireless network (see Section 8.1.2 on page 112). NWA-3160 Series User’s Guide...
Page 45 The standard network (SSID04) is already using the security01 profile, and the VoIP network is using the security02 profile (renamed VoIP_Security) so select the security03 profile from the Security field. Leave all the other fields at their defaults and click Apply. NWA-3160 Series User’s Guide...
Page 46: Set Up Security For The Guest Profile
PSK is “ThisismyGuestWPApre-sharedkey”. Click Apply. The Wireless > Security screen displays. Ensure that the Profile Name for entry 3 displays “Guest_Security” and that the Security Mode is WPA-PSK. Figure 26 Tutorial: Guest Security: Updated NWA-3160 Series User’s Guide...
Page 47: Set Up Layer 2 Isolation
Figure 28 Tutorial: Layer 2 Isolation Profile Enter the MAC addresses of the two network devices you want users on the guest network to be able to access: the main network router (00:AA:00:AA:00:AA) and the network printer (AA:00:AA:00:AA:00). Click Apply. NWA-3160 Series User’s Guide...
Page 48: Activate The Guest Profile
2 isolation list). If you receive a reply, check the settings in the WIRELESS > Layer-2 Isolation > Edit screen, and ensure that the correct layer 2 isolation profile is enabled in the Guest_SSID profile screen. NWA-3160 Series User’s Guide...
Page 49: How To Set Up And Use Rogue Ap Detection
A, B, C and D. You also have a network mail/file server, marked E, and a computer, marked F, connected to the wired network. The coffee shop’s access point is marked 1. Figure 30 Tutorial: Wireless Network Example NWA-3160 Series User’s Guide...
Page 50 MAC address of his AP. In this example, you will do the following things. Set up and save a friendly AP list. Activate periodic Rogue AP Detection. Set up e-mail alerts. Configure your other access points. Test the setup. NWA-3160 Series User’s Guide...
Page 51: Set Up And Save A Friendly Ap List
Add after you enter the details of each AP to include it in the list. MAC ADDRESS DESCRIPTION 00:AA:00:AA:00:AA My Access Point _A_ AA:00:AA:00:AA:00 My Access Point _B_ A0:0A:A0:0A:A0:0A My Access Point _C_ 0A:A0:0A:A0:0A:A0 My Access Point _D_ AF:AF:AF:FA:FA:FA Coffee Shop Access Point _1_ NWA-3160 Series User’s Guide...
Page 52 Figure 32 Tutorial: Friendly AP (After Data Entry) Next, you will save the list of friendly APs in order to provide a backup and upload it to your other access points. Click the Configuration tab.The following screen appears. Figure 33 Tutorial: Configuration NWA-3160 Series User’s Guide...
Page 53 Save the friendly AP list somewhere it can be accessed by all the other access points on the network. In this example, save it on the network file server (E in Figure 30 on page 49). The default filename is “Flist”. Figure 35 Tutorial: Save Friendly AP list NWA-3160 Series User’s Guide...
Page 54: Activate Periodic Rogue Ap Detection
In the Expiration Time field, enter how long an AP’s entry can remain in the list before the NWA discards it from the list when the AP is no longer active. In this example, enter “30¨. Click Apply. NWA-3160 Series User’s Guide...
Page 55: Set Up E-Mail Logs
In this example, your mail server’s IP address is 192.168.1.25. Enter this IP address in the Mail Server field. Enter a subject line for the alert e-mails in the Mail Subject field. Choose a subject that is eye-catching and identifies the access point - in this example, “ALERT_Access_Point_A”. NWA-3160 Series User’s Guide...
Page 56: Configure Your Other Access Points
Click Import. Check the ROGUE AP > Friendly AP screen to ensure that the friendly AP list has been correctly uploaded. Activate periodic rogue AP detection. Set up e-mail logs, but change the Mail Subject field so you can tell which AP the alerts come from (“ALERT_Access_Point_B”, etc.) NWA-3160 Series User’s Guide...
Page 57: Test The Setup
You have two secure servers (1 and 2 in the following figure). Wireless user “Alice” (A) needs to access server 1 (but should not access server 2) and wireless user “Bob” (B) needs to access server 2 (but should not access server 1). Your NWA-3160 Series User’s Guide...
Page 58: Your Requirements
SSID profile as shown in the following table. Table 4 Tutorial: SSID Profile Security Settings SSID Profile SERVER_1 SERVER_2 Name SSID SSID_S1 SSID_S2 Security Security Profile Security Profile security03: security04: WPA2-PSK WPA2-PSK Hide SSID Hide SSID Intra-BSS traffic Enabled Enabled blocking NWA-3160 Series User’s Guide...
Page 59: Configure The Server_1 Network
1 via the network switch. You will configure the MAC filter to restrict access to Alice alone, and then configure layer-2 isolation to allow her to access only the network router, the file server and the Internet security gateway. NWA-3160 Series User’s Guide...
Page 60 Take the following steps to configure the SERVER_1 network. Log into the NWA’s Web Configurator and click Wireless > SSID. The following screen displays, showing the SSID profiles you already configured. Figure 39 Tutorial: SSID Profile NWA-3160 Series User’s Guide...
Page 61 Enter server 1’s MAC Address and add a Description (“SERVER_1” in this case) in Set 2’s entry. Change the Profile Name to “L-2-ISO_SERVER_1” and click Apply. You have restricted users on the SERVER_1 network to access only the devices with the MAC addresses you entered. NWA-3160 Series User’s Guide...
Page 62: Configure The Server_2 Network
Table 7 Tutorial: SERVER_2 Network Information SSID Screen Index Profile Name SERVER_2 SSID Edit (SERVER_2) Screen L2 Isolation L2Isolation04 MAC Filtering macfilter04 Layer-2 Isolation (L2Isolation04) Screen Profile Name L-2-ISO_SERVER-2 Set 1 MAC Address: 77:66:55:44:33:22 Description: NET_ROUTER NWA-3160 Series User’s Guide...
Page 63: Checking Your Settings And Testing The Configuration
Click Wireless > Wireless. Check that the Operating Mode is MBSSID and that the correct SSID profiles are selected and activated, as shown in the following figure. Figure 43 Tutorial: SSID Profiles Activated NWA-3160 Series User’s Guide...
Page 64: Testing The Configuration
If you can do so, MAC filtering is misconfigured. Test the SERVER_2 network. • Using Bob’s computer and wireless client, and the correct security settings, do the following. Attempt to access Server 2. You should be able to do so. NWA-3160 Series User’s Guide...
Page 65: How To Configure Management Modes
APs because of their location. You want to convert one of your NWA to a controller AP (A) which will allow you to manage all 4 NWA APs using the Web Configurator of this newly transformed NWA controller AP. NWA-3160 Series User’s Guide...
Page 66: Your Requirements
SSID profile to just one NWA (which will serve as the NWA controller AP.) Note: This tutorial covers only the MGNT MODE and Controller screens. You will need to do the following steps to configure the management modes of your NWAs. NWA-3160 Series User’s Guide...
Page 67: Configure Your Nwa In Controller Ap Mode
However in case you have both primary and secondary controller APs in the network, the secondary controller AP’s WLAN radio is turned off as long as the primary controller AP is turned on. NWA-3160 Series User’s Guide...
Page 68: Secondary Ap Controller
Redundacy screen (this screen only appears when the NWA is in Controller AP mode) in the Web Configurator of the NWA that you want to serve as backup. Figure 47 Tutorial: Secondary Controller AP Enable Redundancy. Then select Secondary AP Controller and click Apply. NWA-3160 Series User’s Guide...
Page 69: Primary Ap Controller
TELNET, FTP and SMNP features. To put it simply, the managed NWA is not directly configurable. This is because its controller AP is continuously managing it. You can switch the NWA to standalone AP mode by pressing the reset button on the casing (NWA-3500 only). Previous configurations are lost. NWA-3160 Series User’s Guide...
Page 70: Configuring The Managed Access Points List
At this point, you have 3 NWA managed APs (B, C and D) that can now be managed by the primary controller AP. First in the Web Configurator of your primary controller AP (A), go to Controller > Configuration. Figure 50 Tutorial: Registration Type NWA-3160 Series User’s Guide...
Page 71 Note: The NWA controller AP uses WLAN Radio Profile to categorize different wireless settings present in a managed AP. Each profile contains the SSID, security mode, RADIUS, Layer-2 Isolation and MAC filter configurations. NWA-3160 Series User’s Guide...
Page 72 In the screen that opens, choose the radio profile for each WLAN radio and click Apply. Figure 53 Tutorial: Managed AP WLAN Radio Profile In this example, the 1st floor NWA managed AP uses radio06 for its WLAN1 Radio Profile. NWA-3160 Series User’s Guide...
Page 73: Checking Your Settings And Testing The Configuration
AP when setting the congfiguration for the managed APs. If you accidentally set up the secondary controller AP instead, the changes you made will not take effect. They are overridden by the configurations of the primary controller AP. NWA-3160 Series User’s Guide...
Page 74 Chapter 3 Tutorials NWA-3160 Series User’s Guide...
Page 75 The Web Configurator Status Screen (77) VLAN (231) Management Mode (81) Maintenance (263) System Screens (101) Wireless Screen (111) SSID Screen (137) Wireless Security Screen (143) RADIUS Screen (157) Layer-2 Isolation Screen (161) MAC Filter Screen (167) IP Screen (171) Rogue AP Detection (175) Remote Management Screens (183) Internal RADIUS Server (195)
Page 77: Chapter 4 Status Screen
4.2 The Status Screen Use this screen to get a quick view of system, Ethernet, WLAN and other information regarding your NWA. Click Status. The following screen displays. Figure 55 The Status Screen NWA-3160 Series User’s Guide...
Page 78 NWA is to slow down. WLAN Associations This field displays the number of wireless clients currently associated with the wireless module. It supports up to 128 concurrent associations. Interface Status Interface This column displays each interface of the NWA. NWA-3160 Series User’s Guide...
Page 79 Click this to see a list of logs produced by the NWA. See Chapter 19 on page 221. Rogue AP List Click this to see a list of unauthorized access points in the local area. See Section 15.2.2 on page 180. NWA-3160 Series User’s Guide...
Page 80 Chapter 4 Status Screen NWA-3160 Series User’s Guide...
Page 81: Chapter 5 Management Mode
The CAPWAP dataflow is protected by Datagram Transport Layer Security (DTLS). The following figure illustrates a CAPWAP wireless network. You (U) configure the AP controller (C), which then automatically updates the configurations of the managed APs (M1 ~ M4). Figure 56 CAPWAP Network Example DHCP SERVER NWA-3160 Series User’s Guide...
Page 82: Capwap Discovery And Management
However, you can configure CAPWAP to operate between devices with IP addresses in different subnets by doing the following. • Activate DHCP option 43 on your network’s DHCP server. • Configure DHCP option 43 with the IP address of the CAPWAP AP controller on your network. NWA-3160 Series User’s Guide...
Page 83: Notes On Capwap
• Only one AP controller can exist in any single broadcast domain. • If a managed AP’s link to the AP controller is broken, the managed AP continues to use the wireless settings with which it was last provided. NWA-3160 Series User’s Guide...
Page 84: The Management Mode Screen
To discover its new IP address, check the DHCP server on your network. If your network has no DHCP server, the NWA’s IP address remains the same. You can also check the Controller > AP Lists screen of the AP controller on your network. NWA-3160 Series User’s Guide...
Page 85 Managed AP, you cannot log in as the web configurator is disabled; you must manage the NWA through the management AP on your network. Reset Click this to return this screen to its previously-saved settings. NWA-3160 Series User’s Guide...
Page 86 Chapter 5 Management Mode NWA-3160 Series User’s Guide...
Page 87: Chapter 6 Ap Controller Mode
The following terms and concepts may help as you read through this chapter. Controller AP Mode Your NWA can be a CAPWAP controller AP. In this setup, the NWA can manage the wireless configurations and device settings of several APs at the same time. NWA-3160 Series User’s Guide...
Page 88: Before You Begin
Figure 60 System Restart Note: The NWA reboots every time you change mode in the MGMT MODE screen. You can switch from Standalone AP to Controller AP (and vice versa) using the Web Configurator. NWA-3160 Series User’s Guide...
Page 89: Controller Ap Status Screen
System Information, AP Status, WLAN Association and System Status sections. The System Status links take you to screens that provide information on the access points managed by the NWA. Click Status. The following screen displays. NWA-3160 Series User’s Guide...
Page 90 Click this to see information about each of the wireless clients connected to APs managed by the NWA. SSID Information Click this to see details of the security settings used by each SSID, and the number of wireless clients associated with each SSID. NWA-3160 Series User’s Guide...
Page 91: Ap Lists Screen
This displays the IP address of the managed AP. MAC Address This displays the MAC address of the managed AP. Model This displays the model name and 802.11 mode of the managed Description This displays the description of the managed AP. NWA-3160 Series User’s Guide...
Page 92 Select the unmanaged AP from the list and click this to include the unmanaged AP in the NWA’s managed AP list. Automatic Refresh Enter how often you want the NWA to update this screen. Interval Refresh Click this to update this screen immediately. NWA-3160 Series User’s Guide...
Page 93: The Ap Lists Edit Screen
Select Disable if you do not want to use a radio profile. The AP’s radio is not active when you select Disable. Apply Click this to save the changes in this screen. Reset Click this to return the fields in this screen to their previously- saved values. NWA-3160 Series User’s Guide...
Page 94: Configuration Screen
Select Always Accept to manage any AP on your network that transmits a CAPWAP request for management. Apply Click this to save the changes in this screen. Reset Click this to return the fields in this screen to their previously-saved values. NWA-3160 Series User’s Guide...
Page 95: Redundancy Screen
Secondary AP Controller Select this if the NWA is the secondary controller AP. Apply Click this to save the changes in this screen. Reset Click this to return the fields in this screen to their previously-saved values. NWA-3160 Series User’s Guide...
Page 96: The Profile Edit Screens
AP’s wireless settings and can be applied to APs managed by the NWA. In AP Controller mode, click Profile Edit > Radio. The following screen displays. Figure 68 The Profile Edit > Radio Screen NWA-3160 Series User’s Guide...
Page 97: The Radio Profile Edit Screen
Use this screen to configure a specific radio profile. In the Profile Edit > Radio screen, select a profile and click Edit. The following screen displays. Figure 69 The Profile Edit > Radio > Edit Screen NWA-3160 Series User’s Guide...
Page 98 Select 802.11b+g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA. The transmission rate of your NWA might be reduced. Select 802.11a (NWA-3160 only) to allow only IEEE 802.11a compliant WLAN devices to associate with the NWA. Super Mode Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting.
Page 99 Select this to have access points using this radio profile use Diversity antenna diversity, where available. Antenna diversity uses multiple antennas to reduce signal interference. Apply Click this to save your changes. Reset Click this to reload the previous configuration for this screen. NWA-3160 Series User’s Guide...
Page 100 Chapter 6 AP Controller Mode NWA-3160 Series User’s Guide...
Page 101: Chapter 7 System Screens
ZyXEL Device. • Use the Time Setting screen (see Section 7.4 on page 107) to change your NWA’s time and date. This screen allows you to configure the NWA’s time based on your local time zone. NWA-3160 Series User’s Guide...
Page 102: What You Need To Know About The System Screens
The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as NWA-3160 Series User’s Guide...
Page 103: General Screen
This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted. Domain Name This is not a required field. Leave this field blank or enter the domain name here if you know it. NWA-3160 Series User’s Guide...
Page 104 DNS server, you must know the IP address of a machine in order to access it. The default setting is None. Apply Click Apply to save your changes. Reset Click Reset to reload the previous configuration for this screen. NWA-3160 Series User’s Guide...
Page 105: Password Screen
RADIUS RADIUS server authenticate management logins to the NWA. Use old setting Select this to have a RADIUS server authenticate management logins to the NWA using the RADIUS username and password already configured on the device. NWA-3160 Series User’s Guide...
Page 106 RADIUS server (see Section 11.2 on page 159). • The server must be set to Active in the profile. Apply Click Apply to save your changes. Reset Click Reset to reload the previous configuration for this screen. NWA-3160 Series User’s Guide...
Page 107: Time Setting Screen
This field displays the last updated time from the time server or (hh:mm:ss) the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. NWA-3160 Series User’s Guide...
Page 108 Sunday, October. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). NWA-3160 Series User’s Guide...
Page 109: Technical Reference
The NWA continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified. Table 20 Default Time Servers ntp1.cs.wisc.edu ntp1.gbg.netnod.se ntp2.cs.wisc.edu tock.usno.navy.mil ntp3.cs.wisc.edu ntp.cs.strath.ac.uk ntp1.sp.se time1.stupi.se NWA-3160 Series User’s Guide...
Page 110 If the synchronization fails, then the NWA goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. NWA-3160 Series User’s Guide...
Page 111: Chapter 8 Wireless Screen
Use the Wireless > Wireless screen (see Section 8.2 on page 115) to configure the NWA to use a WLAN interface and operate in AP (Access Point), AP + Bridge, Bridge / Repeater or MBSSID mode. NWA-3160 Series User’s Guide...
Page 112: What You Need To Know About The Wireless Screen
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). NWA-3160 Series User’s Guide...
Page 113 • MBSSID Mode. The Multiple Basic Service Set Identifier (MBSSID) mode allows you to use one access point to provide several BSSs simultaneously. Refer to Chapter 1 on page 17 for illustrations of these wireless applications. NWA-3160 Series User’s Guide...
Page 114 • You must use different WEP keys for different BSSs. If two stations have different BSSIDs (they are in different BSSs), but have the same WEP keys, they may hear each other’s communications (but not communicate with each other). NWA-3160 Series User’s Guide...
Page 115: The Wireless Screen
Wireless. The screen varies depending upon the operating mode you select. 8.2.1 Access Point Mode Use this screen to use your NWA as an access point. Select Access Point as the Operating Mode. The following screen displays. Figure 77 Wireless: Access Point NWA-3160 Series User’s Guide...
Page 116 Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 100. NWA-3160 Series User’s Guide...
Page 117 NWAs on the same subnet. Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 118: Bridge / Repeater Mode
APs. You need to know the MAC address of the peer device, which also must be in bridge / repeater mode. Note: You can view an example of this setup in Section 8.3.7 on page 133. Figure 78 Wireless: Bridge / Repeater NWA-3160 Series User’s Guide...
Page 119 • Optional: Clients can connect to the access point at this speed, when permitted to do so by the AP. • Disabled: Clients cannot connect to the access point at this speed. NWA-3160 Series User’s Guide...
Page 120 (including spaces and symbols). You must also set the peer device to use the same pre-shared key. Each peer device can use a different pre-shared key. Enable Antenna Select this to use antenna diversity. Antenna diversity uses multiple Diversity antennas to reduce signal interference. NWA-3160 Series User’s Guide...
Page 121 Select the check box to activate STP on the NWA. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 122: Ap + Bridge Mode
Select AP + Bridge as the Operating Mode. The following screen diplays. Figure 79 AP + Bridge See the tables describing the fields in the Access Point and Bridge / Repeater operating modes for descriptions of the fields in this screen. NWA-3160 Series User’s Guide...
Page 123: Mbssid Mode
Chapter 8 Wireless Screen 8.2.4 MBSSID Mode Use this screen to have the NWA function in MBSSID mode. Select MBSSID as the Operating Mode. The following screen diplays. Figure 80 Multiple BSS NWA-3160 Series User’s Guide...
Page 124 Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 100. NWA-3160 Series User’s Guide...
Page 125 It allows a bridge to interact with other (R)STP -compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select the check box to activate STP on the NWA. NWA-3160 Series User’s Guide...
Page 126: Technical Reference
DSCP information in each packet’s header. The NWA automatically determines the priority to use for an individual traffic stream. This prevents reductions in data transmission for applications that are sensitive to latency and jitter (variations in delay). NWA-3160 Series User’s Guide...
Page 127: Wmm Qos Priorities
Table 25 Typical Packet Sizes TIME TYPICAL PACKET APPLICATION SENSITIVITY SIZE (BYTES) Voice over IP High < 250 (SIP) Online Gaming High 60 ~ 90 Web browsing Medium 300 ~ 600 (http) 1500 NWA-3160 Series User’s Guide...
Page 128: Atc+Wmm
ATC+WMM from LAN (the wired Local Area Network) to WLAN (the Wireless Local Area Network) allows WMM prioritization of packets that do not already have WMM QoS priorities assigned. The NWA automatically classifies data packets using ATC and then assigns WMM priorities based on that ATC classification. NWA-3160 Series User’s Guide...
Page 129: Atc+Wmm From Wlan To Lan
In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going. NWA-3160 Series User’s Guide...
Page 130: Dscp And Per-Hop Behavior
160, 128 video 96, 0 besteffort 64, 32 background A. The NWA also uses best effort for any DSCP value for which another WMM QoS priority is not specified (255, 158 or 37 for example). NWA-3160 Series User’s Guide...
Page 131: Spanning Tree Protocol (Stp)
If there is no root port, then this bridge has been accepted as the root bridge of the spanning tree network. For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN. NWA-3160 Series User’s Guide...
Page 132: How Stp Works
However, a wireless LAN operating on the same frequency as an active radar system could disrupt the radar system. Therefore, if the NWA detects radar activity on the channel you select, it automatically instructs the wireless NWA-3160 Series User’s Guide...
Page 133: Roaming
APs when a wireless station moves between coverage areas. Wireless stations can still associate with other APs even if you disable roaming. Enabling roaming ensures correct traffic forwarding (bridge tables are updated) and maximum AP efficiency. The AP deletes records of wireless stations that associate NWA-3160 Series User’s Guide...
Page 134: Requirements For Roaming
8.3.7.1 Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas. • All the access points must be on the same subnet and configured with the same ESSID. NWA-3160 Series User’s Guide...
Page 135: Additional Wireless Terms
NWA does, it cannot communicate with the NWA. Fragmentation A small fragmentation threshold is recommended for busy Threshold networks, while a larger threshold provides faster performance if the network is not very busy. NWA-3160 Series User’s Guide...
Page 136 RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN. NWA-3160 Series User’s Guide...
Page 137: Chapter 9 Ssid Screen
(VoIP_SSID), and a guest profile that allows visitors access only the Internet and the network printer (Guest_SSID). 9.1.1 What You Can Do in the SSID Screen Use the Wireless > SSID screen (see Section 9.2 on page 139) to configure up to 16 SSID profiles for your NWA. NWA-3160 Series User’s Guide...
Page 138: What You Need To Know About Ssid
• Wireless > Layer 2 Isolation (the layer 2 isolation list, if activated in the SSID profile). • Also, use the VLAN screen to set up wireless VLANs based on SSID. Configure the fields in the above screens to use the settings in an SSID profile. NWA-3160 Series User’s Guide...
Page 139: The Ssid Screen
This field displays which RADIUS profile is currently associated with each SSID profile, if you have a RADIUS server configured. This field displays the Quality of Service setting for this profile or NONE if QoS is not configured on a profile. NWA-3160 Series User’s Guide...
Page 140: Configuring Ssid
Select a RADIUS profile from the drop-down list box, if you have a RADIUS server configured. If you do not need to use RADIUS authentication, ignore this field. See Section 11.2 on page 159 more information. NWA-3160 Series User’s Guide...
Page 141 Select a MAC filter profile from the drop-down list box. If you do not want to use MAC filtering on this profile, select Disable. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 142 Chapter 9 SSID Screen NWA-3160 Series User’s Guide...
Page 143: Wireless Security Screen
MAC address filtering. It can also hide its identity in the network. 10.1.1 What You Can Do in the Security Screen Use the Wireless > Security screen (see Section 10.2 on page 146) to choose the security mode for your NWA. NWA-3160 Series User’s Guide...
Page 144: What You Need To Know About Wireless Security
The available security modes in your NWA are as follows: • None. No data encryption. • WEP. Wired Equivalent Privacy (WEP) encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. NWA-3160 Series User’s Guide...
Page 145 The EAP methods employed by the NWA when in Wireless Client operating mode are Transport Layer Security (TLS), Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP) and Tunneled Transport Layer Security (TTLS). The authentication protocol may either be NWA-3160 Series User’s Guide...
Page 146: The Security Screen
The following table describes the labels in this screen. Table 36 Wireless > Security LABEL DESCRIPTION Index This is the index number of the security profile. Profile Name This field displays a name given to a security profile in the Security configuration screen. NWA-3160 Series User’s Guide...
Page 147: Security: Wep
The next screen varies according to the Security Mode you select. 10.2.1 Security: WEP Use this screen to set the selected profile to Wired Equivalent Privacy (WEP) security mode. Select WEP in the Security Mode field to display the following screen. Figure 90 Security: WEP NWA-3160 Series User’s Guide...
Page 148 You must configure all four keys, but only one key can be activated at any one time. The default key is key 1. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 149: Security: 802.1X Only
The default time interval is 3600 seconds (or 1 hour). Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 150: Security: 802.1X Static 64-Bit, 802.1X Static 128-Bit
The preceding “0x” is entered automatically. You must configure all four keys, but only one key can be activated at any one time. The default key is key 1. NWA-3160 Series User’s Guide...
Page 151: Security: Wpa
Figure 93 Security: WPA The following table describes the labels in this screen. Table 40 Security: WPA LABEL DESCRIPTION Profile Name Type a name to identify this security profile. Security Mode Choose WPA in this field. NWA-3160 Series User’s Guide...
Page 152: Security: Wpa2 Or Wpa2-Mix
10.2.5 Security: WPA2 or WPA2-MIX Use this screen to set the selected profile to WPA2 or WPA2-MIX security mode. Select WPA2 or WPA2-MIX in the Security Mode field to display the following screen. Figure 94 Security:WPA2 or WPA2-MIX NWA-3160 Series User’s Guide...
Page 153 AP’s coverage area. This speeds up roaming. Select Enable to allow pre-authentication, or Disable to switch it off. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 154: Security: Wpa-Psk, Wpa2-Psk, Wpa2-Psk-Mix
The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour). NWA-3160 Series User’s Guide...
Page 155: Technical Reference
• If you don’t have WPA(2)-aware wireless clients, then use WEP key encrypting. A higher bit key offers better security. You can manually enter 64-bit, 128-bit or 152-bit WEP keys. More information on Wireless Security can be found in Appendix B on page 285. NWA-3160 Series User’s Guide...
Page 156 Chapter 10 Wireless Security Screen NWA-3160 Series User’s Guide...
Page 157: Chapter 11 Radius Screen
NWA. The NWA in turn queries the RADIUS server if the identity of clients A and U are allowed access to the Internet. In this scenario, only client U’s identity is verified by the RADIUS server and allowed access to the Internet. NWA-3160 Series User’s Guide...
Page 158: What You Can Do In The Radius Screen
You can configure up to four RADIUS server profiles. Each profile also has one backup authentication server and a backup accounting server. These profiles can be assigned to an SSID profile in the Wireless > SSID configuration screen. NWA-3160 Series User’s Guide...
Page 159: The Radius Screen
Backup servers. Requests can be issued from the client interface to use the backup server. The length of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field in the Security screen. RADIUS Option NWA-3160 Series User’s Guide...
Page 160 The key must be the same on the external accounting server and your NWA. The key is not sent over the network. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 161: Layer-2 Isolation Screen
Note: Intra-BSS Traffic Blocking is activated when you enable layer-2 isolation. Figure 98 Layer-2 Isolation Application MAC addresses that are not listed in the Allow devices with these MAC addresses table of the Wireless > Layer-2 Isolation screen are blocked from NWA-3160 Series User’s Guide...
Page 162: What You Can Do In The Layer-2 Isolation Screen
MAC filtering on the NWA. If layer-2 isolation is enabled, you need to know the MAC address of each wireless client, AP, computer or router that you want to allow to communicate with the ZyXEL Device's wireless clients. NWA-3160 Series User’s Guide...
Page 163: The Layer-2 Isolation Screen
This is the index number of the profile. Profile Name This field displays the name given to a layer-2 isolation profile in the Layer-2 Isolation Configuration screen. Edit Select an entry from the list and click Edit to configure settings for that profile. NWA-3160 Series User’s Guide...
Page 164: Configuring Layer-2 Isolation
These are the MAC address of a wireless client, AP, computer or router. with these MAC A wireless client associated with the NWA can communicate with addresses another wireless client, AP, computer or router only if the MAC addresses of those devices are listed in this table. NWA-3160 Series User’s Guide...
Page 165: Technical Reference
12.3 Technical Reference This section provides technical background information on the topics discussed in this chapter. The figure that follows illustrates two example layer-2 isolation configurations on your NWA (A). Figure 101 Layer-2 Isolation Example Configuration 00:00:c5:00:00:66 00:00:c5:00:00:cc NWA-3160 Series User’s Guide...
Page 166 • Enter the server’s and your NWA’s MAC addresses in the MAC Address fields. Enter “File Server C” in C’s Description field, and enter “Access Point B” in B’s Description field. Figure 103 Layer-2 Isolation Example 2 NWA-3160 Series User’s Guide...
Page 167: Chapter 13 Mac Filter Screen
ZyXEL Device. 13.1.2 What You Should Know About MAC Filter Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal NWA-3160 Series User’s Guide...
Page 168: The Mac Filter Screen
This is the index number of the profile. Profile Name This field displays the name given to a MAC filter profile in the MAC Filter Configuration screen. Edit Select an entry from the list and click Edit to configure settings for that profile. NWA-3160 Series User’s Guide...
Page 169: Configuring The Mac Filter
Chapter 13 MAC Filter Screen 13.2.1 Configuring the MAC Filter To change your NWA’s MAC filter settings, click WIRELESS > MAC Filter > Edit. The screen appears as shown. Figure 106 MAC Address Filter NWA-3160 Series User’s Guide...
Page 170 Click Reset to begin configuring this screen afresh. Note: To activate MAC filtering on an SSID profile, select the correct filter from the Enable MAC Filtering drop-down list box in the Wireless > SSID > Edit screen and click Apply NWA-3160 Series User’s Guide...
Page 171: Chapter 14 Ip Screen
14.1.2 What You Need To Know About IP The Ethernet parameters of the NWA are preset with the following values: • IP address of 192.168.1.2 • Subnet mask of 255.255.255.0 (24 bits) These parameters should work for the majority of installations. NWA-3160 Series User’s Guide...
Page 172: The Ip Screen
NWA; over the WAN, the gateway must be the IP address of one of the remote nodes. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 173: Technical Reference
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. NWA-3160 Series User’s Guide...
Page 174 Chapter 14 IP Screen NWA-3160 Series User’s Guide...
Page 175: Chapter 15 Rogue Ap Detection
Figure 109 Rogue AP Example In the example above, a corporate network’s security is compromised by a rogue AP (R) set up by an employee at his workstation in order to allow him to connect NWA-3160 Series User’s Guide...
Page 176: What You Can Do In The Rogue Ap Screen
The friendly AP list displays details of all the access points in your area that you know are not a threat. If you have more than one AP in your network, you need to configure this list to include your other APs. If your wireless network overlaps with NWA-3160 Series User’s Guide...
Page 177 This scenario can also be part of a wireless denial of service (DoS) attack, in which associated wireless clients are deprived of network access. Other opportunities for the attacker include the introduction of malware (malicious software) into the network. NWA-3160 Series User’s Guide...
Page 178: Configuration Screen
Click this button to upload the previously-saved list of friendly APs displayed in the File Path field to the NWA. Apply Click Apply to save your settings. Reset Click Reset to return all fields in this screen to their previously- saved values. NWA-3160 Series User’s Guide...
Page 179: Friendly Ap Screen
This field displays the last time the NWA scanned for the AP. Description This is the description you entered when adding the AP to the list. Delete Click this button to remove an AP’s entry from the list. NWA-3160 Series User’s Guide...
Page 180: Rogue Ap Screen
If you want to move the AP’s entry to the friendly AP list, enter a short, explanatory description identifying the AP before you click Add to Friendly AP List. A maximum of 32 alphanumeric characters are allowed in this field. Spaces, underscores (_) and dashes (-) are allowed. NWA-3160 Series User’s Guide...
Page 181 Section 15.2.1 on page 179). When the NWA next scans for rogue APs, the selected AP does not appear in the rogue AP list. Reset Click Reset to return all fields in this screen to their default values. NWA-3160 Series User’s Guide...
Page 182 Chapter 15 Rogue AP Detection NWA-3160 Series User’s Guide...
Page 183: Remote Management Screens
Figure 114 Remote Management Example In the figure above, the NWA (A) is being managed by a desktop computer (B) connected via LAN (Land Area Network). It is also being accessed by a notebook (C) connected via WLAN (Wireless LAN). NWA-3160 Series User’s Guide...
Page 184: What You Can Do In The Remote Management Screens
Your NWA supports SNMP agent functionality, which allows a manager station to manage and monitor the NWA through the network. The NWA supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation. . NWA-3160 Series User’s Guide...
Page 185 NWA automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows: 1. Telnet 2. HTTP NWA-3160 Series User’s Guide...
Page 186: The Telnet Screen
You can change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Server Select the interface(s) through which a computer may access the NWA Access using Telnet. NWA-3160 Series User’s Guide...
Page 187: The Ftp Screen
You can upload and download the NWA’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. To change your NWA’s FTP settings, click REMOTE MGMT > FTP. The following screen displays. Figure 117 Remote Management: FTP NWA-3160 Series User’s Guide...
Page 188: The Www Screen
Web browser. This lets you specify which IP addresses or computers are able to communicate with and access the NWA. To change your NWA’s WWW settings, click REMOTE MGNT > WWW. The following screen shows. Figure 118 Remote Management: WWW NWA-3160 Series User’s Guide...
Page 189 Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 190: The Snmp Screen
SNMP Version Select the SNMP version for the NWA. The SNMP version on the NWA must match the version on the SNMP manager. Choose SNMP version 1 (SNMPv1), SNMP version 2 (SNMPv2) or SNMP version 3 (SNMPv3). NWA-3160 Series User’s Guide...
Page 191 Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 192: Technical Reference
The NWA can send the following traps to the SNMP manager. Table 57 SNMP Traps OBJECT IDENTIFIER # TRAP NAME DESCRIPTION (OID) Generic Traps coldStart 1.3.6.1.6.3.1.1.5.1 This trap is sent after booting (power on). This trap is defined in RFC-1215. NWA-3160 Series User’s Guide...
Page 193 NWA’s physical and virtual ports. Table 58 SNMP Interface Index to Physical and Virtual Port Mapping TYPE INTERFACE PORT Physical enet0 Wireless LAN adaptor WLAN1 enet1 Ethernet port (LAN) enet2 Wireless LAN adaptor WLAN2 NWA-3160 Series User’s Guide...
Page 194 Table 58 SNMP Interface Index to Physical and Virtual Port Mapping TYPE INTERFACE PORT Virtual enet3 ~ enet9 WLAN1 in MBSSID mode enet10 ~ enet16 WLAN2 in MBSSID mode enet17 ~ enet21 WLAN1 in WDS mode enet22 ~ enet26 WLAN2 in WDS mode NWA-3160 Series User’s Guide...
Page 195: Internal Radius Server
Access Request Wired Network Allow / Deny The NWA can also serve as a RADIUS server to authenticate other APs and their wireless clients. For more background information on RADIUS, see Section 11.1.2 on page 158. NWA-3160 Series User’s Guide...
Page 196: What You Can Do In This Chapter
17.2 Internal RADIUS Server Setting Screen Use this screen to turn the NWA’s internal RADIUS server off or on and to view information about the NWA’s certificates. Click AUTH. SERVER > Setting. The following screen displays. Figure 121 Setting Screen NWA-3160 Series User’s Guide...
Page 197 Expiring! or Expired! message if the certificate is about to expire or has already expired. Apply Click Apply to have the NWA use certificates to authenticate wireless clients. Reset Click Reset to start configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 198: The Trusted Ap Screen
“external RADIUS” server fields of the trusted AP. Note: The first trusted AP fields are for the NWA itself. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 199: The Trusted Users Screen
The password on the wireless client’s utility must be the same as this password. Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3160 Series User’s Guide...
Page 200: Technical Reference
Configure wireless client user names and passwords in the Trusted Users database to use a trusted AP as a relay between the NWA’s internal RADIUS server and the wireless clients. The wireless clients can then be authenticated by the NWA’s internal RADIUS server. NWA-3160 Series User’s Guide...
Page 201 PEAP/MS-CHAPv2 settings, deselect the Use Windows logon name and password check box. When authentication begins, a pop-up dialog box requests you to type a Name, Password and Domain of the RADIUS server. Specify a name and password only, do not specify a domain. NWA-3160 Series User’s Guide...
Page 202 Chapter 17 Internal RADIUS Server NWA-3160 Series User’s Guide...
Page 203: Chapter 18 Certificates
• Use the Certificates > Trusted CAs (see Chapter 18 on page 215) screens to save CA certificates to the NWA. This screen displays a summary list of certificates of the certification authorities that you have set the NWA to accept as trusted. NWA-3160 Series User’s Guide...
Page 204: What You Need To Know About Certificates
64 ASCII characters to convert a binary PKCS#7 certificate into a printable form. 18.2 My Certificates Screen Use this screen to view the NWA’s summary of certificates and certification requests. Click Certificates > My Certificates. The following screen displays. Figure 126 Certificates > My Certificates NWA-3160 Series User’s Guide...
Page 205 Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired. NWA-3160 Series User’s Guide...
Page 206: My Certificates Import Screen
My Certificate Import screen. Note: You can import only a certificate that matches a corresponding certification request that was generated by the NWA. Note: The certificate you import replaces the corresponding request in the My Certificates screen. NWA-3160 Series User’s Guide...
Page 207 Browse Click Browse to find the certificate file you want to upload. Apply Click Apply to save the certificate on the NWA. Cancel Click Cancel to quit and return to the My Certificates screen. NWA-3160 Series User’s Guide...
Page 208: My Certificates Create Screen
You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information. NWA-3160 Series User’s Guide...
Page 209 You also need to fill in the Reference Number and Key if the certification authority requires them. NWA-3160 Series User’s Guide...
Page 210 Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the NWA to enroll a certificate online. NWA-3160 Series User’s Guide...
Page 211: My Certificates Details Screen
NWA. Click Certificates > My Certificates to open the My Certificates screen (Figure 126 on page 204). Click the details button to open the My Certificate Details screen. Figure 129 Certificates > My Certificate Details NWA-3160 Series User’s Guide...
Page 212 This field displays the type of algorithm that was used to sign the Algorithm certificate. The NWA uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use ras-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). NWA-3160 Series User’s Guide...
Page 213 Cancel Click Cancel to quit and return to the My Certificates screen. NWA-3160 Series User’s Guide...
Page 214: Trusted Cas Screen
Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired. NWA-3160 Series User’s Guide...
Page 215: Trusted Cas Import Screen
Click Certificates >Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CAs Import screen. The following figure displays. Note: You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 131 Certificates > Trusted CAs Import NWA-3160 Series User’s Guide...
Page 216: Trusted Cas Details Screen
Click Certificates > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CAs Details screen. Figure 132 Certificates > Trusted CAs Details NWA-3160 Series User’s Guide...
Page 217 (RSA public-private key encryption algorithm and the MD5 hash algorithm). Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable. NWA-3160 Series User’s Guide...
Page 218 NWA to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority. Cancel Click Cancel to quit and return to the Trusted CAs screen. NWA-3160 Series User’s Guide...
Page 219: Technical Reference
There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the NWA to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority. NWA-3160 Series User’s Guide...
Page 220: Checking The Fingerprint Of A Certificate
Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary according to your situation. Possible examples would be over the telephone or through an HTTPS connection. NWA-3160 Series User’s Guide...
Page 221: Chapter 19 Log Screens
222) to display all logs or logs for a certain category. You can view logs and alert messages in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted. NWA-3160 Series User’s Guide...
Page 222: What You Need To Know About Logs
You can view logs and alert messages in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. NWA-3160 Series User’s Guide...
Page 223 Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page. Refresh Click Refresh to renew the log screen. Clear Log Click Clear Log to clear all the logs. NWA-3160 Series User’s Guide...
Page 224: The Log Settings Screen
Use this screen to configure where and when the NWA will send the logs, and which logs and/or immediate alerts to send. Click Logs > Log Settings. The following screen displays. Figure 137 Logs > Log Settings NWA-3160 Series User’s Guide...
Page 225 Use the drop down list box to select which day of the week to send the logs. Time for Enter the time of the day in 24-hour format (for example 23:00 Sending Log equals 11:00 pm) to send the logs. NWA-3160 Series User’s Guide...
Page 226: Technical Reference
Someone has failed to log on to the NWA via telnet. TELNET Login Fail Someone has logged on to the NWA via FTP. FTP Login Successfully Someone has failed to log on to the NWA via FTP. FTP Login Fail NWA-3160 Series User’s Guide...
Page 227 Table 73 Sys log LOG MESSAGE DESCRIPTION This message is sent by the "RAS" when this syslog is Mon dd hr:mm:ss hostname generated. The messages and notes are defined in this src="<srcIP:srcPort>" appendix’s other charts. dst="<dstIP:dstPort>" msg="<msg>" note="<note>" NWA-3160 Series User’s Guide...
Page 228: Log Commands
3 ras> sys logs save ras> sys logs display access time source destination notes message 0 | 11/11/2002 15:10:12 | 172.22.3.80:137 | 172.22.255.255:137 | ACCESS BLOCK NWA-3160 Series User’s Guide...
Page 229 Chapter 19 Log Screens NWA-3160 Series User’s Guide...
Page 230 Chapter 19 Log Screens NWA-3160 Series User’s Guide...
Page 231: Chapter 20 Vlan
• Use the Radius VLAN screen (Section 20.2.1 on page 235) to configure your RADIUS Virtual LAN setup. Your RADIUS server assigns VLAN IDs to a user or user group’s traffic based on what you set in this screen. NWA-3160 Series User’s Guide...
Page 232: What You Need To Know About Vlan
VLAN, then that device cannot manage the NWA. Note: If no devices are in the management VLAN, then you will be able to access the NWA only through the console port (not through the network). NWA-3160 Series User’s Guide...
Page 233: Wireless Vlan Screen
Chapter 20 VLAN 20.2 Wireless VLAN Screen Use this screen to enable and configure your Wireless Virtual LAN setup. Click VLAN > Wireless VLAN. The following screen appears. Figure 139 VLAN > Wireless VLAN NWA-3160 Series User’s Guide...
Page 234 VLAN ID or Second Rx VLAN ID fields. Section 20.3.4 on page 249 for more information. Apply Click this to save your changes to the NWA. Reset Click this to return this screen to its last-saved settings. NWA-3160 Series User’s Guide...
Page 235: Radius Vlan Screen
VLAN ID. See your RADIUS server documentation for more information on configuring VLAN ID attributes. Section 20.3.3 on page 239 for more information. Index Select a check box to enable the VLAN mapping profile. NWA-3160 Series User’s Guide...
Page 236: Technical Reference
This section shows you how to create a VLAN on an Ethernet switch. By default, the port on the NWA is a member of the management VLAN (VLAN ID 1). The following procedure shows you how to configure a tagged VLAN. NWA-3160 Series User’s Guide...
Page 237 Type a VLAN Group ID. This should be the same as the management VLAN ID on the NWA. Enable Transmitted Packets (Tx) Tagging on the port which you want to connect to the NWA. Disable Tx Tagging on the port you are using to connect to your computer. NWA-3160 Series User’s Guide...
Page 238 Figure 141 on page 237. In the NWA web configurator click VLAN to open the VLAN setup screen. Select the Enable VLAN Tagging check box and type a Management VLAN ID (10 in this example) in the field provided. NWA-3160 Series User’s Guide...
Page 239: Configuring Microsoft's Ias Server Example
VLAN (configured on the NWA) to an individual’s Windows User Account. When a wireless station is successfully authenticated to the network, it is automatically placed into it’s respective VLAN. NWA-3160 Series User’s Guide...
Page 240: Configuring Vlan Groups
VLAN defined on the NWA. The VLAN Groups must be created as Global/Security groups. Type a name for the VLAN Group that describes the VLAN Group’s function. Select the Global Group scope parameter check box. Select the Security Group type parameter check box. NWA-3160 Series User’s Guide...
Page 241: Configuring Remote Access Policies
20.3.3.2 Configuring Remote Access Policies Once the VLAN Groups have been created, the IAS Remote Access Policy needs to be defined. This allows the IAS to compare the user account being authenticated against the group memberships of each VLAN Group. NWA-3160 Series User’s Guide...
Page 242 Figure 148 New Remote Access Policy for VLAN Group The Conditions window displays. Select Add to add a condition for this policy to act on. In the Select Attribute screen, click Windows-Groups and the Add button. Figure 149 Specifying Windows-Group Condition NWA-3160 Series User’s Guide...
Page 243 Figure 151 Granting Permissions and User Profile Screens The Edit Dial-in Profile screen displays. Click the Authentication tab and select the Extensible Authentication Protocol check box. Select an EAP type depending on your authentication needs from the drop- down list box. NWA-3160 Series User’s Guide...
Page 244 Click the IP tab and select the Client may request an IP address check box for DHCP support. 10 Click the Advanced tab. The current default parameters returned to the NWA should be Service-Type and Framed-Protocol. NWA-3160 Series User’s Guide...
Page 245 802.1X Dynamic VLAN Assignment. Figure 154 Connection Attributes Screen 11 The RADIUS Attribute screen displays. From the list, three RADIUS attributes will be added: •Tunnel-Medium-Type •Tunnel-Pvt-Group-ID •Tunnel-Type 11a Click the Add button 11b Select Tunnel-Medium-Type NWA-3160 Series User’s Guide...
Page 246 14a In the Enter the attribute value in: field select String and type a number in the range 1 to 4094 or a Name for this policy. This Name should match a name in the VLAN mapping table on the NWA. Wireless stations belonging to NWA-3160 Series User’s Guide...
Page 247 16a Select Virtual LANs (VLAN) from the attribute value drop-down list box. 16b Click OK. Figure 158 VLAN Attribute Setting for Tunnel-Type 17 Return to the RADIUS Attribute Screen shown as Figure 155 on page 246. 17a Click the Close button. NWA-3160 Series User’s Guide...
Page 248 Note: Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list. NWA-3160 Series User’s Guide...
Page 249: Second Rx Vlan Id Example
SSID02 has no second Rx VLAN ID configured, and the NWA forwards only packets tagged with VLAN ID 2 to it. 20.3.4.1 Second Rx VLAN Setup Example The following steps show you how to setup a second Rx VLAN ID on the NWA. Log into the Web Configurator. NWA-3160 Series User’s Guide...
Page 250 Figure 161 Configuring SSID: Second Rx VLAN ID Example Click Apply to save these settings. Outgoing packets from clients in SSID03 are tagged with a VLAN ID of 3, and incoming packets with a VLAN ID of 3 or 4 are forwarded to SSID03. NWA-3160 Series User’s Guide...
Page 251 Chapter 20 VLAN NWA-3160 Series User’s Guide...
Page 252 Chapter 20 VLAN NWA-3160 Series User’s Guide...
Page 253: Chapter 21 Load Balancing
Once the cap is hit, any new connections are rejected or delayed provided that there are other APs in range that have the same settings as the NWA (such as SSID, security mode, radio mode, and so on). NWA-3160 Series User’s Guide...
Page 254 AP is in range that can take on the burden of the new connection. Note: If no other APs with matching settings are in range of the NWA, then it will still accept the connection despite becoming overloaded. NWA-3160 Series User’s Guide...
Page 255: The Load Balancing Screen
• Low - Up to 6 Mbps before it becomes overloaded. • Medium - Up to 13 Mbps before it becomes overloaded. • High - Up to 20 Mbps before it becomes overloaded. NWA-3160 Series User’s Guide...
Page 256: Disassociating And Delaying Connections
For example, here the AP has a balanced bandwidth allotment of 6 Mbps. If the red laptop [R] attempts to connect and it could potentially push the AP over its allotment, say to 7 Mbps, then the AP delays the red laptop’s connection until it NWA-3160 Series User’s Guide...
Page 257 NWA first looks to see which devices have been idle the longest, then starts kicking them in order of highest idle time. If no connections are idle, the next criteria the NWA analyzes is signal strength. Devices with the weakest signal strength are kicked first. NWA-3160 Series User’s Guide...
Page 258 Chapter 21 Load Balancing NWA-3160 Series User’s Guide...
Page 259: Dynamic Channel Selection
AP is using (or at least a channel that has a lower level of interferrence) in order to give the connected stations a minimum degree of cross-channel interference. Figure 166 An example of cross-channel interference NWA-3160 Series User’s Guide...
Page 260: The Dcs Screen
APs within its broadcast radius. If the channel on which it is currently broadcasting suddenly comes into use by another AP, the NWA will then dynamically select the next available empty channel or a channel with markedly lower interference. NWA-3160 Series User’s Guide...
Page 261 If you select Disable to turn the feature off. See Section 8.3.6 on page 132 for more information on dynamic frequency. Apply Click this to save your changes to the NWA. Reset Click this to return this screen to its last-saved settings. NWA-3160 Series User’s Guide...
Page 262 Chapter 22 Dynamic Channel Selection NWA-3160 Series User’s Guide...
Page 263: Chapter 23 Maintenance
The following terms and concepts may help as you read through this chapter. Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, for example "[Model #].bin". The upload process NWA-3160 Series User’s Guide...
Page 264: System Status Screen
This is the Ethernet port DHCP role - Client or None. Show Statistics Click Show Statistics to see the NWA performance statistics such as number of packets sent and number of packets received for each port. NWA-3160 Series User’s Guide...
Page 265: System Statistics Screen
This is total amount of time the line has been up. Poll Interval(s) Enter the time interval for refreshing statistics. Set Interval Click this button to apply the new poll interval you entered above. Stop Click this button to stop refreshing statistics. NWA-3160 Series User’s Guide...
Page 266: Association List Screen
This field displays a remote bridge MAC address. Link Time This field displays the WDS link up-time. Security This field displays whether traffic on the WDS is encrypted (TKIP or AES) or not (None). Refresh Click Refresh to reload the screen. NWA-3160 Series User’s Guide...
Page 267: Channel Usage Screen
Network Mode “Network mode” in this screen refers to your wireless LAN infrastructure (refer to the Wireless LAN chapter) and security setup. Refresh Click Refresh to reload the screen. NWA-3160 Series User’s Guide...
Page 268: F/W Upload Screen
Do not turn off the NWA while firmware upload is in progress! After you see the Firmware Upload in Process screen, wait two minutes before logging into the NWA again. Figure 173 Firmware Upload In Process NWA-3160 Series User’s Guide...
Page 269 After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 175 Firmware Upload Error NWA-3160 Series User’s Guide...
Page 270: Configuration Screen
The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the NWA’s current configuration to your computer. NWA-3160 Series User’s Guide...
Page 271: Restore Configuration
If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default NWA IP address (192.168.1.2). See your Quick Start Guide for details on how to set up your computer’s IP address. NWA-3160 Series User’s Guide...
Page 272: Back To Factory Defaults
Use this screen to restart the NWA without turning it off and on. Click Maintenance > Restart. The following screen displays. Click Restart to have the NWA reboot. This does not affect the NWA's configuration. Figure 181 Restart Screen NWA-3160 Series User’s Guide...
Page 273 Chapter 23 Maintenance NWA-3160 Series User’s Guide...
Page 274 Chapter 23 Maintenance NWA-3160 Series User’s Guide...
Page 275: Chapter 24 Troubleshooting
If the problem continues, contact the vendor. One of the LEDs does not behave as expected. Make sure you understand the normal behavior of the LED. See Section 1.7 on page Check the hardware connections. See the Quick Start Guide. NWA-3160 Series User’s Guide...
Page 276: Nwa Access And Login
WLAN MAC address when accessing the NWA over the wireless interface. If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page NWA-3160 Series User’s Guide...
Page 277 NWA, check the remote management settings to find out why the NWA does not respond to HTTP. • If your computer is connected to the WAN port or is connected wirelessly, use a computer that is connected to a LAN/ETHERNET port. NWA-3160 Series User’s Guide...
Page 278 I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware. See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. NWA-3160 Series User’s Guide...
Page 279: Internet Access
Check the signal strength. If the signal is weak, try moving the NWA closer to the AP (if possible), and look around to see if there are any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on). NWA-3160 Series User’s Guide...
Page 280: Wireless Router/Ap Troubleshooting
Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the NWA. Make sure you allow the NWA to be remotely accessed through the WLAN interface. Check your remote management settings. NWA-3160 Series User’s Guide...
Page 281: Appendix A Product Specifications
6mm ~ 8mm (0.24" ~ 0.31") head width. mounting Table 87 Firmware Specifications Default IP Address 192.168.1.2 Default Subnet Mask 255.255.255.0 (24 bits) Default Password 1234 Wireless LAN Standards IEEE 802.11a, IEEE 802.11b, IEEE 802.11g Wireless security WEP, WPA(2), WPA(2)-PSK, 802.1x NWA-3160 Series User’s Guide...
Page 282 SNMP is a member of the TCP/IP protocol suite. Your NWA supports SNMP agent functionality, which allows a manger station to manage and monitor the NWA through the network. The NWA supports SNMP version one (SNMPv1) and version two c (SNMPv2c). NWA-3160 Series User’s Guide...
Page 283 DFS (Dynamic Frequency Selection) allows a wider choice of 802.11a wireless channels. CAPWAP The ZyXEL Device can be managed via CAPWAP (Control And Provisioning of Wireless Access Points), which allows multiple APs to be configured and managed by a single AP controller. NWA-3160 Series User’s Guide...
Page 284 Appendix A Product Specifications NWA-3160 Series User’s Guide...
Page 285: Appendix B Wireless Lans
(AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate NWA-3160 Series User’s Guide...
Page 286 This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. NWA-3160 Series User’s Guide...
Page 287 AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11. NWA-3160 Series User’s Guide...
Page 288 RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra NWA-3160 Series User’s Guide...
Page 289: Preamble Type
Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications. Select Dynamic to have the AP automatically use short preamble when wireless adapters support it, otherwise the AP uses long preamble. NWA-3160 Series User’s Guide...
Page 290 Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. Wireless security methods available on the NWA are data encryption, wireless client authentication, restricting access by device MAC address and hiding the NWA identity. NWA-3160 Series User’s Guide...
Page 291 RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks: • Authentication Determines the identity of the users. NWA-3160 Series User’s Guide...
Page 292 Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. NWA-3160 Series User’s Guide...
Page 293 EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP- NWA-3160 Series User’s Guide...
Page 294 Table 90 Comparison of EAP Authentication Types EAP-MD5 EAP-TLS EAP-TTLS PEAP LEAP Mutual Authentication Certificate – Client Optional Optional Certificate – Server Dynamic Key Exchange Credential Integrity None Strong Strong Strong Moderate Deployment Difficulty Easy Hard Moderate Moderate Moderate Client Identity Protection NWA-3160 Series User’s Guide...
Page 295 PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. NWA-3160 Series User’s Guide...
Page 296 A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. NWA-3160 Series User’s Guide...
Page 297 AP and the wireless clients. Figure 186 WPA(2) with RADIUS Application Example WPA(2)-PSK Application Example A WPA(2)-PSK application looks as follows. NWA-3160 Series User’s Guide...
Page 298 MANUAL KEY IEEE 802.1X MANAGEMENT N METHOD PROTOCOL Open None Disable Enable without Dynamic WEP Open Enable with Dynamic WEP Key Enable without Dynamic WEP Disable Shared Enable with Dynamic WEP Key Enable without Dynamic WEP Disable NWA-3160 Series User’s Guide...
Page 299: Antenna Overview
5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic NWA-3160 Series User’s Guide...
Page 300 For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. NWA-3160 Series User’s Guide...
Page 301: Appendix C Pop-Up Windows, Javascripts And Java Permissions
In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 188 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. NWA-3160 Series User’s Guide...
Page 302 Click Apply to save this setting. Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. In Internet Explorer, select Tools, Internet Options and then the Privacy tab. NWA-3160 Series User’s Guide...
Page 303 Select Settings…to open the Pop-up Blocker Settings screen. Figure 190 Internet Options: Privacy Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. NWA-3160 Series User’s Guide...
Page 304 Figure 191 Pop-up Blocker Settings Click Close to return to the Privacy screen. Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. NWA-3160 Series User’s Guide...
Page 305 Figure 192 Internet Options: Security Click the Custom Level... button. Scroll down to Scripting. Under Active scripting make sure that Enable is selected (the default). Under Scripting of Java applets make sure that Enable is selected (the default). NWA-3160 Series User’s Guide...
Page 306 Figure 193 Security Settings - Java Scripting Java Permissions From Internet Explorer, click Tools, Internet Options and then the Security tab. Click the Custom Level... button. Scroll down to Microsoft VM. Under Java permissions make sure that a safety level is selected. NWA-3160 Series User’s Guide...
Page 307 Click OK to close the window. Figure 194 Security Settings - Java JAVA (Sun) From Internet Explorer, click Tools, Internet Options and then the Advanced tab. Make sure that Use Java 2 for <applet> under Java (Sun) is selected. NWA-3160 Series User’s Guide...
Page 308 Appendix C Pop-up Windows, JavaScripts and Java Permissions Click OK to close the window. Figure 195 Java (Sun) NWA-3160 Series User’s Guide...
Page 309: Appendix D Ip Addresses And Subnetting
192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. NWA-3160 Series User’s Guide...
Page 310 ID of an IP address (192.168.1.2 in decimal). Table 92 Subnet Masks OCTET: OCTET: OCTET: OCTET (192) (168) IP Address (Binary) 11000000 10101000 00000001 00000010 Subnet Mask (Binary) 11111111 11111111 11111111 00000000 NWA-3160 Series User’s Guide...
Page 311 An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example). NWA-3160 Series User’s Guide...
Page 312 Table 95 Alternative Subnet Mask Notation SUBNET ALTERNATIVE LAST OCTET LAST OCTET MASK NOTATION (BINARY) (DECIMAL) 255.255.255.0 0000 0000 255.255.255.12 1000 0000 255.255.255.19 1100 0000 255.255.255.22 1110 0000 255.255.255.24 1111 0000 255.255.255.24 1111 1000 255.255.255.25 1111 1100 NWA-3160 Series User’s Guide...
Page 313 You can “borrow” one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25). The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. NWA-3160 Series User’s Guide...
Page 314 Similarly, to divide a 24-bit address into four subnets, you need to “borrow” two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192. NWA-3160 Series User’s Guide...
Page 315 Lowest Host ID: 192.168.1.129 192.168.1.128 Broadcast Address: Highest Host ID: 192.168.1.190 192.168.1.191 Table 99 Subnet 4 LAST OCTET BIT IP/SUBNET MASK NETWORK NUMBER VALUE IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001 11000000 Subnet Mask (Binary) 11111111.11111111.11111111 11000000 NWA-3160 Series User’s Guide...
Page 316 The following table is a summary for subnet planning on a network with a 24-bit network number. Table 101 24-bit Network Number Subnet Planning NO. “BORROWED” NO. HOSTS PER SUBNET MASK NO. SUBNETS HOST BITS SUBNET 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) NWA-3160 Series User’s Guide...
Page 317: Configuring Ip Addresses
(for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your NWA will compute the subnet mask automatically based on the IP address that NWA-3160 Series User’s Guide...
Page 318 "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the NWA’s LAN port. NWA-3160 Series User’s Guide...
Page 319 In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK. If you need TCP/IP: In the Network window, click Add. Select Protocol and then click Add. NWA-3160 Series User’s Guide...
Page 320 • If your IP address is dynamic, select Obtain an IP address automatically. • If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Figure 200 Windows 95/98/Me: TCP/IP Properties: IP Address NWA-3160 Series User’s Guide...
Page 321 Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your NWA and restart your computer when prompted. Verifying Settings Click Start and then Run. In the Run window, type "winipcfg" and then click OK to open the IP Configuration window. NWA-3160 Series User’s Guide...
Page 322 For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. Figure 202 Windows XP: Start Menu For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 203 Windows XP: Control Panel NWA-3160 Series User’s Guide...
Page 323 Properties. Figure 205 Windows XP: Local Area Connection Properties The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). • If you have a dynamic IP address click Obtain an IP address automatically. NWA-3160 Series User’s Guide...
Page 324 Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. • Click OK when finished. NWA-3160 Series User’s Guide...
Page 325 Click Start, All Programs, Accessories and then Command Prompt. In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. NWA-3160 Series User’s Guide...
Page 326 Appendix D IP Addresses and Subnetting Macintosh OS 8/9 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/ IP Control Panel. Figure 208 Macintosh OS 8/9: Apple Menu NWA-3160 Series User’s Guide...
Page 327 Close the TCP/IP Control Panel. Click Save if prompted, to save changes to your configuration. Turn on your NWA and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the TCP/IP Control Panel window. NWA-3160 Series User’s Guide...
Page 328 • Select Built-in Ethernet from the Show list. • Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. Figure 211 Macintosh OS X: Network For statically assigned settings, do the following: NWA-3160 Series User’s Guide...
Page 329 • Type the IP address of your NWA in the Router address box. Click Apply Now and close the window. Turn on your NWA and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the Network window. NWA-3160 Series User’s Guide...
Page 330 Appendix D IP Addresses and Subnetting NWA-3160 Series User’s Guide...
Page 331: Appendix E Text File Based Auto Configuration
Figure 212 Text File Based Auto Configuration Use one of the following methods to give the AP the IP address of the TFTP server where you store the configuration files and the name of the configuration file that it should download. NWA-3160 Series User’s Guide...
Page 332 Step 1 pwTftpServer Set the IP address of the TFTP server. Step 2 pwTftpFileName Set the file name, for example, g3000hcfg.txt. Step 3 pwTftpFileType Set to 3 (text configuration file). Step 4 pwTftpOpCommand Set to 2 (download). NWA-3160 Series User’s Guide...
Page 333 (newer), the AP uses the file. Configuration File Rules You can only use the wlan and wcfg commands in the configuration file. The AP ignores other ZyNOS commands but continues to check the next command. NWA-3160 Series User’s Guide...
Page 334 1 wep key4 defgh wcfg security 1 wep keyindex 1 wcfg security save wcfg ssid 1 name ssid-wep wcfg ssid 1 security Test-wep wcfg ssid 1 l2iolation disable wcfg ssid 1 macfilter disable wcfg ssid save NWA-3160 Series User’s Guide...
Page 335 3 groupkeytime 1800 wcfg security save wcfg ssid 3 name ssid-wpapsk wcfg ssid 3 security Test-wpapsk wcfg ssid 3 qos 4 wcfg ssid 3 l2siolation disable wcfg ssid 3 macfilter disable wcfg ssid save NWA-3160 Series User’s Guide...
Page 336 You could actually combine all of this chapter’s example configuration files into a single configuration file. Remember that the commands are applied in order. So for example, you would place the NWA-3160 Series User’s Guide...
Page 337 0 wlan ssidprofile ssid-wep !change operating mode -> MBSSID mode, !then select ssid-wpapsk, ssid-wpa2psk as running WLAN profiles wlan opmode 3 wlan ssidprofile ssid-wpapsk ssid-wpa2psk ! set output power level to 50% wlan output power 2 NWA-3160 Series User’s Guide...
Page 338 Appendix E Text File Based Auto Configuration NWA-3160 Series User’s Guide...
Page 339: Appendix F How To Access And Use The Cli
Terminal Emulation VT100 Baud Rate 9600 bps Parity None Number of Data Bits Number of Stop Bits Flow Control None Press [ENTER] to open the login screen. Telnet Connect your computer to one of the Ethernet ports. NWA-3160 Series User’s Guide...
Page 340 60 minutes of inactivity after you use the sys stdio set 60 command. Use the sys stdio show command to display the current idle timeout setting. Command Conventions Command descriptions follow these conventions: NWA-3160 Series User’s Guide...
Page 341 Used for the name of a rule, policy, set, group and so on. name Used for a number, for example 10, that you have to enter. number Note: Commands are case sensitive! Enter commands exactly as seen in the command interface. Remember to also include underscores if required. NWA-3160 Series User’s Guide...
Page 342 Log into the CLI. Type help and press [ENTER]. A list comes up which shows all the commands available for this device. ras> help alarm chsh config exit statistics switch voip ras> NWA-3160 Series User’s Guide...
Page 343: Saving Your Configuration
See the related section of this guide to see if a save command is required. Note: Unsaved configuration changes are lost once you restart the NWA Logging Out Use the exit command to log out of the CLI. NWA-3160 Series User’s Guide...
Page 344 Appendix F How to Access and Use the CLI NWA-3160 Series User’s Guide...
Page 345: Appendix G Legal Information
ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimers ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
Page 346 • To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons. 注意 ! 依據低功率電波輻射性電機管理辦法第十二條經型式認證合格之低功率射頻電機，非經許可，公司、商號或使用者均不得擅自變更頻率、加大功率或變更原設計之特性及功能。第十四條低功率射頻電機之使用不得影響飛航安全及干擾合法通信；經發現有干擾現象時，應立即停用，並改善至無干擾時方得繼續使用。 NWA-3160 Series User’s Guide...
Page 347: Zyxel Limited Warranty
ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions. NWA-3160 Series User’s Guide...
Page 348 To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http:// www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com. NWA-3160 Series User’s Guide...
Page 349: Appendix H Customer Support
• Sales E-mail: sales@zyxel.com.tw • Telephone: +886-3-578-3942 • Fax: +886-3-578-2439 • Web: www.zyxel.com • Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan China - ZyXEL Communications (Beijing) Corp. • Support E-mail: cso.zycn@zyxel.cn • Sales E-mail: sales@zyxel.cn •...
Page 350 Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 • Fax: +420-241-091-359 • Web: www.zyxel.cz • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika Denmark • Support E-mail: support@zyxel.dk • Sales E-mail: sales@zyxel.dk •...
Page 351 Appendix H Customer Support • Fax: +358-9-4780-8448 • Web: www.zyxel.fi • Regular Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland France • E-mail: info@zyxel.fr • Telephone: +33-4-72-52-97-97 • Fax: +33-4-72-52-19-20 • Web: www.zyxel.fr • Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest,...
Page 352 • Support Telephone: +1-800-978-7222 • Sales E-mail: sales@zyxel.com • Sales Telephone: +1-714-632-0882 • Fax: +1-714-632-0858 • Web: www.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A. Norway • Support E-mail: support@zyxel.no NWA-3160 Series User’s Guide...
Page 353 Appendix H Customer Support • Sales E-mail: sales@zyxel.no • Telephone: +47-22-80-61-80 • Fax: +47-22-80-61-81 • Web: www.zyxel.no • Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway Poland • E-mail: info@pl.zyxel.com • Telephone: +48-22-333 8250 • Fax: +48-22-333 8251 •...
Page 354 • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 • Fax: +46-31-744-7701 • Web: www.zyxel.se • Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden Taiwan • Support E-mail: support@zyxel.com.tw • Sales E-mail: sales@zyxel.com.tw • Telephone: +886-2-27399889 •...
Page 355 • Sales E-mail: sales@zyxel.co.uk • Telephone: +44-1344-303044, 0845 122 0301 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK) NWA-3160 Series User’s Guide...
Page 356 Appendix H Customer Support NWA-3160 Series User’s Guide...
Page 357: Index
(accessing the CLI) auto configuration status contact information Control and Providioning of Wireless Access Points See CAPWAP copyright backup Basic Service Set CTS (Clear to Send) NWA-3160 Series User’s Guide...
Page 358 Internal RADIUS Server Setting Screen Internet Assigned Numbers Authority See IANA FCC interference statement Internet security gateway file version Internet telephony filtering IP address 102, 173, 281 firmware file IPSec VPN capability maintenance isolation NWA-3160 Series User’s Guide...
Page 359 Telnet. See command interface. using the command interface. See command interface. mask max age MBSSID 18, 22 17, 141 Message Integrity Check (MIC) Quick Start Guide mobile access mode MSDU radio RADIUS message types messages network shared secret key NWA-3160 Series User’s Guide...
Page 360 17, 23, 141 VoIP SSID SSID profile pre-configured SSID profiles 23, 24 STP - how it works STP (Spanning Tree Protocol) warranty STP path costs note STP port states wcfg command STP terminology 19, 20, 22 NWA-3160 Series User’s Guide...
Page 361 WPA-PSK wireless client supplicant with RADIUS application example WPA2 17, 295 user authentication vs WPA2-PSK wireless client supplicant with RADIUS application example WPA2-Pre-Shared Key WPA2-PSK 295, 296 application example WPA-PSK 295, 296 application example NWA-3160 Series User’s Guide...
Page 362 Index NWA-3160 Series User’s Guide...

This manual is also suitable for:

Nwa-3163

ZyXEL Communications NWA-3160 User Manual

About this User's Guide

Document Conventions

Safety Warnings

Table of Contents

PART I Introduction

Chapter 1 Introduction

Chapter 2 The Web Configurator

Chapter 3 Tutorials

Chapter 4 Status Screen

Chapter 5 Management Mode

Chapter 6 AP Controller Mode

Chapter 7 System Screens

Chapter 8 Wireless Screen

Chapter 9 SSID Screen

Chapter 10 Wireless Security Screen

Chapter 11 RADIUS Screen

Chapter 12 Layer-2 Isolation Screen

Chapter 13 MAC Filter Screen

Chapter 14 IP Screen

Chapter 15 Rogue AP Detection

Chapter 16 Remote Management Screens

Chapter 17 Internal RADIUS Server

Chapter 18 Certificates

Chapter 19 Log Screens

Chapter 20 VLAN

Chapter 21 Load Balancing

Chapter 22 Dynamic Channel Selection

Chapter 23 Maintenance

Chapter 24 Troubleshooting

Appendix A Product Specifications

Appendix B Wireless Lans

Appendix C Pop-Up Windows, Javascripts and Java Permissions

Appendix D IP Addresses and Subnetting

Appendix E Text File Based Auto Configuration

Appendix F How to Access and Use the CLI

Appendix G Legal Information

Appendix H Customer Support

Index

Quick Links

Troubleshooting

Related Manuals for ZyXEL Communications NWA-3160

Summary of Contents for ZyXEL Communications NWA-3160