Download Print this page

ZyXEL Communications NWA-3500 User Manual

ZyXEL Communications NWA-3500 User Manual

802.11a/g dual radio wireless business ap 802.11a/g dual radio outdoor wlan business ap

Hide thumbs Also See for NWA-3500:

User manual (324 pages)

,

Quick start manual (130 pages)

,

Specifications (2 pages)

Table Of Contents

Table of Contents

Advertisement

Quick Links

NWA-3500/NWA-3550

802.11a/g Dual Radio Wireless Business AP

802.11a/g Dual Radio Outdoor WLAN Business AP

Default Login Details

IP Address

http://192.168.1.2

Password

Firmware Version 3.7

Edition 2, 8/2009

www.zyxel.com

www.zyxel.com

1234

Copyright © 2009

ZyXEL Communications Corporation

Table of Contents

Advertisement

Table of Contents

Troubleshooting

Need help?

Need help?

Do you have a question about the NWA-3500 and is the answer not in the manual?

Questions and answers

Summary of Contents for ZyXEL Communications NWA-3500

Page 1 NWA-3500/NWA-3550 802.11a/g Dual Radio Wireless Business AP 802.11a/g Dual Radio Outdoor WLAN Business AP Default Login Details IP Address http://192.168.1.2 Password 1234 Firmware Version 3.7 Edition 2, 8/2009 www.zyxel.com www.zyxel.com Copyright © 2009 ZyXEL Communications Corporation...
Page 3: About This User's Guide
Help us help you. Send all User’s Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. E-mail: techwriters@zyxel.com.tw NWA-3500/NWA-3550 User’s Guide...
Page 4 Please have the following information ready when you contact an office. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it. NWA-3500/NWA-3550 User’s Guide...
Page 5: Document Conventions
Syntax Conventions • The NWA-3500 or the NWA-3550 may be referred to as the “NWA”, the “device”, the “system” or the “product” in this User’s Guide. • Product labels, screen names, field labels and field choices are all in bold font.
Page 6 Figures in this User’s Guide may use the following generic icons. The NWA icon is not an exact representation of your NWA. Table 1 Common Icons Computer Notebook Server Printer Telephone Switch Router Internet Cloud Firewall DSLAM Wireless Signal NWA-3500/NWA-3550 User’s Guide...
Page 7: Safety Warnings
Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately. NWA-3500/NWA-3550 User’s Guide...
Page 8 Safety Warnings NWA-3500/NWA-3550 User’s Guide...
Page 9: Table Of Contents
Certificates ..........................217 Log Screens ..........................235 VLAN ............................245 Load Balancing ........................265 Dynamic Channel Selection ....................271 Maintenance ..........................275 Troubleshooting and Specifications .................. 287 Troubleshooting ........................289 Product Specifications ......................297 Appendices and Index ......................303 NWA-3500/NWA-3550 User’s Guide...
Page 10 Contents Overview NWA-3500/NWA-3550 User’s Guide...
Page 11: Table Of Contents
1.7 Hardware Connections ......................34 1.7.1 Antennas ........................34 1.8 LEDs ............................ 34 Chapter 2 The Web Configurator ......................37 2.1 Overview ..........................37 2.2 Accessing the Web Configurator ..................37 2.3 Resetting the NWA ......................38 NWA-3500/NWA-3550 User’s Guide...
Page 12 3.6 How to Configure Management Modes ................71 3.6.1 Scenario ........................71 3.6.2 Your Requirements ....................72 3.6.3 Setup .......................... 72 3.6.4 Configure Your NWA in Controller AP Mode ............. 73 3.6.4.1 Secondary AP Controller ..............74 NWA-3500/NWA-3550 User’s Guide...
Page 13 6.5 Configuration Screen ......................101 6.6 Redundancy Screen ......................102 6.7 The Profile Edit Screens ....................102 6.7.1 The Radio Profile Screen ..................103 6.7.2 The Radio Profile Edit Screen .................. 104 Chapter 7 System Screens ........................109 NWA-3500/NWA-3550 User’s Guide...
Page 14 9.2.1 Configuring SSID ..................... 148 9.3 Technical Reference ......................149 9.3.1 WMM QoS ........................ 149 9.3.1.1 WMM QoS Priorities ..............150 9.3.2 ATC .......................... 150 9.3.3 ATC+WMM ......................151 9.3.3.1 ATC+WMM from LAN to WLAN ........... 152 NWA-3500/NWA-3550 User’s Guide...
Page 15 13.1 Overview .......................... 179 13.1.1 What You Can Do in the MAC Filter Screen ............179 13.1.2 What You Should Know About MAC Filter ............. 179 13.2 The MAC Filter Screen ....................180 13.2.1 Configuring the MAC Filter ..................180 NWA-3500/NWA-3550 User’s Guide...
Page 16 17.1.1 What You Can Do in this Chapter ................210 17.1.2 What You Need To Know ..................210 17.2 Internal RADIUS Server Setting Screen ................210 17.3 The Trusted AP Screen ....................212 17.4 The Trusted Users Screen ....................213 17.5 Technical Reference ......................214 NWA-3500/NWA-3550 User’s Guide...
Page 17 20.2.1 RADIUS VLAN Screen ................... 248 20.3 Technical Reference ......................250 20.3.1 VLAN Tagging ......................250 20.3.2 Configuring Management VLAN Example ............. 250 20.3.3 Configuring Microsoft’s IAS Server Example ............253 20.3.3.1 Configuring VLAN Groups ............254 NWA-3500/NWA-3550 User’s Guide...
Page 18 Part III: Troubleshooting and Specifications........287 Chapter 24 Troubleshooting........................289 24.1 Overview .......................... 289 24.2 Power, Hardware Connections, and LEDs ..............289 24.3 NWA Access and Login ....................290 24.4 AP Management Modes ....................292 24.5 Internet Access ........................ 294 NWA-3500/NWA-3550 User’s Guide...
Page 19 Appendix C Pop-up Windows, JavaScripts and Java Permissions ........347 Appendix D Importing Certificates..................355 Appendix E IP Addresses and Subnetting ................381 Appendix F Text File Based Auto Configuration ..............391 Appendix G Legal Information....................399 Index............................403 NWA-3500/NWA-3550 User’s Guide...
Page 20 Table of Contents NWA-3500/NWA-3550 User’s Guide...
Page 21: Introduction
Introduction Introducing the NWA (23) The Web Configurator (37) Status Screens (83) Management Mode (87) Tutorial (41)
Page 23: Introducing The Nwa
H A P T E R Introducing the NWA Note: This User’s Guide includes the NWA-3500 and the NWA-3550. Illustrations used throughout this book are based on the NWA-3500 (unless otherwise stated). The Web Configuration screens are based on the NWA-3500 (unless otherwise stated).
Page 24: Applications For The Nwa
The NWA is an ideal access solution for wireless Internet connection. A typical Internet access application for your NWA is shown as follows. Clients A, B and C can access the wired network through the NWAs. Figure 1 Access Point Application BSS2 BSS1 NWA-3500/NWA-3550 User’s Guide...
Page 25: Bridge / Repeater
Once the security settings of peer sides match one another, the connection between devices is made. At the time of writing, WDS security is compatible with other ZyXEL access points only. Refer to your other access point’s documentation for details. Figure 2 Bridge Application NWA-3500/NWA-3550 User’s Guide...
Page 26: Bridge / Repeater Mode Example
Be careful to avoid bridge loops when you enable bridging in the NWA. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following examples show two network topologies that can lead to this problem: NWA-3500/NWA-3550 User’s Guide...
Page 27 To prevent bridge loops, ensure that you enable Spanning Tree Protocol (STP) in the Wireless screen or your NWA is not set to bridge mode while connected to both wired and wireless segments of the same LAN. NWA-3500/NWA-3550 User’s Guide...
Page 28: Ap + Bridge
A Basic Service Set (BSS) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). The Service Set IDentifier (SSID) is the name of a BSS. In Multiple BSS (MBSSID) mode, the NWA NWA-3500/NWA-3550 User’s Guide...
Page 29 Guest_SSID is the wireless network for guest users. In this example, the guest user is forbidden access to the wired Land Area Network (LAN) behind the AP and can access only the Internet. Figure 8 Multiple BSSs NWA-3500/NWA-3550 User’s Guide...
Page 30: Pre-Configured Ssid Profiles
IEEE 802.11b and IEEE 802.11g clients to access the wired network, and WLAN2 in AP+Bridge mode to allow an IEEE 802.11a AP to communicate with the wired network. Figure 9 Dual WLAN Adaptors Example WLAN1 WLAN2 802.11b/g 802.11a Access Point AP + Bridge Internet NWA-3500/NWA-3550 User’s Guide...
Page 31: Capwap
• NWA-3550 • NWA-3166 The following figure illustrates a CAPWAP wireless network. The user (U) configures the controller AP (C), which then automatically updates the configurations of the managed APs (M1 ~ M4). Figure 10 CAPWAP Network Example NWA-3500/NWA-3550 User’s Guide...
Page 32: Ways To Manage The Nwa
Your NWA comes with a variety of security features. This section summarizes these features and provides links to sections in the User’s Guide to configure security settings on your NWA. Follow the suggestions below to improve security on your NWA and network. NWA-3500/NWA-3550 User’s Guide...
Page 33: Control Access To Your Device
• Enable the MAC filter to allow only trusted users to access your wireless network or deny unwanted users access based on their MAC address. See Section 13.2 on page 180 for directions on configuring the MAC filter. NWA-3500/NWA-3550 User’s Guide...
Page 34: Hardware Connections
WLAN2 uses the RF2 antenna or the antenna on the left. If you connect only one antenna, you can use only the associated wireless LAN adaptor. 1.8 LEDs This section applies to the NWA-3500 only. Figure 11 LEDs NWA-3500/NWA-3550 User’s Guide...
Page 35 The NWA is receiving power and transmitting data to or receiving data from its wireless stations. Either The NWA is not receiving power. The ZyAIR LED has been disabled. See Section 8.3 on page 123 for how to enable the ZyAIR LED. NWA-3500/NWA-3550 User’s Guide...
Page 36 The NWA has a 10 Mbps Ethernet connection and is sending or receiving data. Yellow The NWA has a 100 Mbps Ethernet connection. Blinking The NWA has a 100 Mbps Ethernet connection and is sending/receiving data. The NWA does not have an Ethernet connection. NWA-3500/NWA-3550 User’s Guide...
Page 37: The Web Configurator
You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) then click Apply. Alternatively, click Ignore. Note: If you do not change the password, this screen appears every time you login. NWA-3500/NWA-3550 User’s Guide...
Page 38: Resetting The Nwa
IP address of the NWA is not known. • Use the web configurator to restore defaults (refer to Section 23.8 on page 282). • Transfer the configuration file to your NWA using File Transfer Protocol (FTP). NWA-3500/NWA-3550 User’s Guide...
Page 39: Navigating The Web Configurator
RADIUS VLAN), Load Balancing, and DCS. • Click MAINTENANCE to view information about your NWA or upgrade configuration and firmware files. Maintenance features include Association List, Channel Usage, F/W (Firmware) Upload, Configuration (Backup, Restore and Default) and Restart. NWA-3500/NWA-3550 User’s Guide...
Page 40 Chapter 2 The Web Configurator NWA-3500/NWA-3550 User’s Guide...
Page 41: Tutorial
• Use MBSSID (Multiple Basic Service Set Identifier) operating mode if you want to use the NWA as an access point with some groups of users having different security or QoS settings from other groups of users. See Section 1.2.4 on page for details. NWA-3500/NWA-3550 User’s Guide...
Page 42: Wireless Lan Configuration Overview
Configure internal AUTH. SERVER (optional). Configure Layer 2 Configure Layer 2 Isolation (optional). Isolation (optional). Configure Layer 2 Isolation (optional). Configure MAC Filter Configure MAC Filter (optional). (optional). Configure MAC Filter (optional). Check your settings and test. NWA-3500/NWA-3550 User’s Guide...
Page 43: Further Reading
To do this, you will take the following steps: Change the operating mode from Access Point to MBSSID and reactivate the standard network. Configure a wireless network for VoIP users. Configure a wireless network for guests to your office. NWA-3500/NWA-3550 User’s Guide...
Page 44 The following table shows the addresses used in this example. Table 2 Tutorial: Example Information Network router (A) MAC address 00:AA:00:AA:00:AA Network printer (B) MAC address AA:00:AA:00:AA:00 NWA-3500/NWA-3550 User’s Guide...
Page 45: Change The Operating Mode
37). Click Wireless > Wireless. The Wireless screen appears. 3.3.1.1 Access Point Set the NWA’s WLAN Interface WLAN1 is set to Access Point operating mode, and is currently using the SSID03 profile. Figure 15 Tutorial: Wireless LAN: Before NWA-3500/NWA-3550 User’s Guide...
Page 46: Mbssid
Select the Index box for the entry and click Apply to activate the profile. Your standard wireless network (SSID03) is now accessible to your wireless clients as before. You do not need to configure anything else for your standard network. NWA-3500/NWA-3550 User’s Guide...
Page 47: Configure The Voip Network
Figure 17 Tutorial: WIRELESS > SSID The Voice over IP (VoIP) network will use the pre-configured SSID profile, so select VoIP_SSID’s radio button and click Edit. The following screen displays. Figure 18 Tutorial: VoIP SSID Profile Edit NWA-3500/NWA-3550 User’s Guide...
Page 48: Set Up Security For The Voip Profile
Leave all the other fields at their defaults and click Apply. 3.3.2.1 Set Up Security for the VoIP Profile Now you need to configure the security settings to use on the VoIP wireless network. Click the Security tab. Figure 19 Tutorial: VoIP Security NWA-3500/NWA-3550 User’s Guide...
Page 49 In this example, the PSK is “ThisismyWPA2-PSKpre-sharedkey”. Click Apply. The Wireless > Security screen displays. Ensure that the Profile Name for entry 2 displays “VoIP_Security” and that the Security Mode is WPA2-PSK. Figure 21 Tutorial: VoIP Security: Updated NWA-3500/NWA-3550 User’s Guide...
Page 50: Activate The Voip Profile
Guest_SSID profile can access only certain pre-defined devices on the network (see Section on page 174), and “intra-BSS traffic blocking” means that the client cannot access other clients on the same wireless network (see Section 8.3 on page 123). NWA-3500/NWA-3550 User’s Guide...
Page 51 The standard network (SSID04) is already using the security01 profile, and the VoIP network is using the security02 profile (renamed VoIP_Security) so select the security03 profile from the Security field. Leave all the other fields at their defaults and click Apply. NWA-3500/NWA-3550 User’s Guide...
Page 52: Set Up Security For The Guest Profile
PSK is “ThisismyGuestWPApre-sharedkey”. Click Apply. The WIRELESS > Security screen displays. Ensure that the Profile Name for entry 3 displays “Guest_Security” and that the Security Mode is WPA-PSK. Figure 25 Tutorial: Guest Security: Updated NWA-3500/NWA-3550 User’s Guide...
Page 53: Set Up Layer 2 Isolation
Figure 27 Tutorial: Layer 2 Isolation Profile Enter the MAC addresses and descriptions of the two network devices you want users on the guest network to be able to access: the main network router (00:AA:00:AA:00:AA) and the network printer (AA:00:AA:00:AA:00). Click Apply. NWA-3500/NWA-3550 User’s Guide...
Page 54: Activate The Guest Profile
2 isolation list). If you receive a reply, check the settings in the Wireless > Layer-2 Isolation > Edit screen, and ensure that the correct layer 2 isolation profile is enabled in the Guest_SSID profile screen. NWA-3500/NWA-3550 User’s Guide...
Page 55: How To Set Up And Use Rogue Ap Detection
There are no other static wireless networks in your coverage area. The following diagram shows the wireless networks in your area. Your access points are marked A, B, C and D. You also have a network mail/file server, NWA-3500/NWA-3550 User’s Guide...
Page 56 Table 3 Tutorial: Rogue AP Example Information DEVICE IP ADDRESS MAC ADDRESS Access Point A 192.168.1.1 00:AA:00:AA:00:AA Access Point B 192.168.1.2 AA:00:AA:00:AA:00 Access Point C 192.168.1.3 A0:0A:A0:0A:A0:0A Access Point D 192.168.1.4 0A:A0:0A:A0:0A:A0 File / Mail Server E 192.168.1.25 Access Point 1 UNKNOWN AF:AF:AF:FA:FA:FA NWA-3500/NWA-3550 User’s Guide...
Page 57: Set Up And Save A Friendly Ap List
Fill in the MAC Address and Description fields as in the following table. Click Add after you enter the details of each AP to include it in the list. MAC ADDRESS DESCRIPTION 00:AA:00:AA:00:AA My Access Point _A_ AA:00:AA:00:AA:00 My Access Point _B_ A0:0A:A0:0A:A0:0A My Access Point _C_ NWA-3500/NWA-3550 User’s Guide...
Page 58 Figure 31 Tutorial: Friendly AP (After Data Entry) Next, you will save the list of friendly APs in order to provide a backup and upload it to your other access points. Click the Configuration tab.The following screen appears. Figure 32 Tutorial: Configuration NWA-3500/NWA-3550 User’s Guide...
Page 59 Save the friendly AP list somewhere it can be accessed by all the other access points on the network. In this example, save it on the network file server (E in Figure 29 on page 56). The default filename is “Flist”. Figure 34 Tutorial: Save Friendly AP list NWA-3500/NWA-3550 User’s Guide...
Page 60: Activate Periodic Rogue Ap Detection
In the Expiration Time field, enter how long an AP’s entry can remain in the list before the NWA discards it from the list when the AP is no longer active. In this example, enter “30”. Click Apply. NWA-3500/NWA-3550 User’s Guide...
Page 61: Set Up E-Mail Logs
Enter a subject line for the alert e-mails in the Mail Subject field. Choose a subject that is eye-catching and identifies the access point - in this example, “ALERT_Access_Point_A”. Enter the email address to which you want alerts to be sent (myname@myfirm.com, in this example). NWA-3500/NWA-3550 User’s Guide...
Page 62: Configure Your Other Access Points
Activate periodic rogue AP detection. See Section 3.4.2 on page Set up e-mail logs as in Section 3.4.3 on page 61, but change the Mail Subject field so you can tell which AP the alerts come from (“ALERT_Access_Point_B”, etc.) NWA-3500/NWA-3550 User’s Guide...
Page 63: Test The Setup
You have two secure servers (1 and 2 in the following figure). Wireless user “Alice” (A) needs to access server 1 (but should not access server 2) and wireless user “Bob” (B) needs to access server 2 (but should not access server 1). Your NWA-3500/NWA-3550 User’s Guide...
Page 64: Your Requirements
SSID profile as shown in the following table. Table 4 Tutorial: SSID Profile Security Settings SSID Profile SERVER_1 SERVER_2 Name SSID SSID_S1 SSID_S2 Security Security Profile Security Profile security03: security04: WPA2-PSK WPA2-PSK Hide SSID Hide SSID Intra-BSS traffic Enabled Enabled blocking NWA-3500/NWA-3550 User’s Guide...
Page 65: Configure The Server_1 Network
1 via the network switch. You will configure the MAC filter to restrict access to Alice alone, and then configure layer-2 isolation to allow her to access only the network switch, the file server and the Internet security gateway. NWA-3500/NWA-3550 User’s Guide...
Page 66 Chapter 3 Tutorial Take the following steps to configure the SERVER_1 network. Log into the NWA’s Web Configurator and click Wireless > SSID. The following screen displays, showing the SSID profiles you already configured. Figure 38 Tutorial: SSID Profile NWA-3500/NWA-3550 User’s Guide...
Page 67 Change the Profile Name to “L-2-ISO_SERVER_1” and click Apply. You have restricted users on the SERVER_1 network to access only the devices with the MAC addresses you entered. Click the MAC Filter tab. When the MAC Filter screen appears, select macfilter03’s entry and click Edit. NWA-3500/NWA-3550 User’s Guide...
Page 68: Configure The Server_2 Network
SSID Edit (SERVER_2) Screen L2 Isolation L2Isolation04 MAC Filtering macfilter04 Layer-2 Isolation (L2Isolation04) Screen Profile Name L-2-ISO_SERVER-2 Set 1 MAC Address: 77:66:55:44:33:22 Description: NET_SWITCH Set 2 MAC Address: 99:88:77:66:55:44 Description: SERVER_2 Set 3 MAC Address: 66:55:44:33:22:11 Description: GATEWAY NWA-3500/NWA-3550 User’s Guide...
Page 69: Checking Your Settings And Testing The Configuration
Click Wireless > Wireless. Check that the Operating Mode is MBSSID and that the correct SSID profiles are selected and activated, as shown in the following figure. Figure 42 Tutorial: SSID Profiles Activated NWA-3500/NWA-3550 User’s Guide...
Page 70: Testing The Configuration
If you can do so, MAC filtering is misconfigured. Test the SERVER_2 network. • Using Bob’s computer and wireless client, and the correct security settings, do the following. Attempt to access Server 2. You should be able to do so. NWA-3500/NWA-3550 User’s Guide...
Page 71: How To Configure Management Modes
APs because of their location. You want to convert one of your NWA to a controller AP (A) which will allow you to manage all 4 NWA APs using the Web Configurator of this newly transformed NWA controller AP. NWA-3500/NWA-3550 User’s Guide...
Page 72: Your Requirements
SSID profile to just one NWA (which will serve as the NWA controller AP.) Note: This tutorial covers only the MGNT MODE and Controller screens. You will need to do the following steps to configure the management modes of your NWAs. NWA-3500/NWA-3550 User’s Guide...
Page 73: Configure Your Nwa In Controller Ap Mode
However in case you have both primary and secondary controller APs in the network, the secondary controller AP’s WLAN radio is turned off as long as the primary controller AP is turned on. NWA-3500/NWA-3550 User’s Guide...
Page 74: Secondary Ap Controller
To set your NWA in secondary controller AP mode, open the Controller > Redundacy screen (this screen only appears when the NWA is in Controller AP mode) in the Web Configurator of the NWA that you want to serve as backup. Figure 46 Tutorial: Secondary Controller AP NWA-3500/NWA-3550 User’s Guide...
Page 75: Primary Ap Controller
TELNET, FTP and SMNP features. To put it simply, the managed NWA is not directly configurable. This is because its controller AP is continuously managing it. You can switch the NWA to standalone AP mode by pressing the reset button on the casing (NWA-3500 only). Previous configurations are lost. NWA-3500/NWA-3550 User’s Guide...
Page 76: Configuring The Managed Access Points List
At this point, you have 3 NWA managed APs (B, C and D) that can now be managed by the primary controller AP. First in the Web Configurator of your primary controller AP (A), go to Controller > Configuration. Figure 49 Tutorial: Registration Type NWA-3500/NWA-3550 User’s Guide...
Page 77 Note: The NWA controller AP uses WLAN Radio Profile to categorize different wireless settings present in a managed AP. Each profile contains the SSID, security mode, RADIUS, Layer-2 Isolation and MAC filter configurations. NWA-3500/NWA-3550 User’s Guide...
Page 78 In this example, the 1st floor NWA managed AP uses radio06 for its WLAN1 Radio Profile. The WLAN2 radio is disabled. Refer to Section 8.3 on page 123 for instructions on how to set up WLAN radio profiles in the NWA controller APs. NWA-3500/NWA-3550 User’s Guide...
Page 79: Checking Your Settings And Testing The Configuration
AP when setting the congfiguration for the managed APs. If you accidentally set up the secondary controller AP instead, the changes you made will not take effect. They are overridden by the configurations of the primary controller AP. NWA-3500/NWA-3550 User’s Guide...
Page 80 Chapter 3 Tutorial NWA-3500/NWA-3550 User’s Guide...
Page 81: The Web Configurator
The Web Configurator System Screens (109) Wireless Configuration (119) SSID Screen (145) Wireless Security Screen (155) RADIUS Screen (169) Layer-2 Isolation Screen (173) MAC Filter Screen (179) IP Screen (183) Rogue AP Detection (187) Remote Management Screens (195) Internal RADIUS Server (209) Certificates (217) Log Screens (235) VLAN (245)
Page 83: Status Screens
4.2 The Status Screen Use this screen to get a quick view of system, Ethernet, WLAN and other information regarding your NWA. Click Status. The following screen displays. Figure 54 The Status Screen NWA-3500/NWA-3550 User’s Guide...
Page 84 NWA is to slow down. Some memory is required just to start the NWA and to run the web configurator. This field displays what percentage of the NWA’s processing ability is currently being used. The higher the CPU usage, the more likely the NWA is to slow down. NWA-3500/NWA-3550 User’s Guide...
Page 85 Click this to see a list of logs produced by the NWA. See Chapter 19 on page 239. Rogue AP List Click this to see a list of unauthorized access points in the local area. See Section 15.2.2 on page 196. NWA-3500/NWA-3550 User’s Guide...
Page 86: System Statistics Screen
This is total amount of time the line has been up. Poll Interval(s) Enter the time interval for refreshing statistics. Set Interval Click this button to apply the new poll interval you entered above. Stop Click this button to stop refreshing statistics. NWA-3500/NWA-3550 User’s Guide...
Page 87: Management Mode
The CAPWAP dataflow is protected by Datagram Transport Layer Security (DTLS). The following figure illustrates a CAPWAP wireless network. You (U) configure the controller AP (C), which then automatically updates the configurations of the managed APs (M1 ~ M4). Figure 56 CAPWAP Network Example DHCP SERVER NWA-3500/NWA-3550 User’s Guide...
Page 88: Capwap Discovery And Management
However, you can configure CAPWAP to operate between devices with IP addresses in different subnets by doing the following. • Activate DHCP option 43 on your network’s DHCP server. • Configure DHCP option 43 with the IP address of the CAPWAP AP controller on your network. NWA-3500/NWA-3550 User’s Guide...
Page 89: Notes On Capwap
• Only one AP controller can exist in any single broadcast domain. • If a managed AP’s link to the AP controller is broken, the managed AP continues to use the wireless settings with which it was last provided. NWA-3500/NWA-3550 User’s Guide...
Page 90: The Management Mode Screen
To discover its new IP address, check the DHCP server on your network. If your network has no DHCP server, the NWA’s IP address remains the same. You can also check the Controller > AP Lists screen of the AP controller on your network. NWA-3500/NWA-3550 User’s Guide...
Page 91 Managed AP, you cannot log in as the web configurator is disabled; you must manage the NWA through the management AP on your network. Reset Click this to return this screen to its previously-saved settings. NWA-3500/NWA-3550 User’s Guide...
Page 92 Chapter 5 Management Mode NWA-3500/NWA-3550 User’s Guide...
Page 93: Ap Controller Mode
The following terms and concepts may help as you read through this chapter. Controller AP Mode Your NWA can be a CAPWAP controller AP. In this setup, the NWA can manage the wireless configurations and device settings of several APs at the same time. NWA-3500/NWA-3550 User’s Guide...
Page 94: Before You Begin
Figure 60 System Restart Note: The NWA reboots every time you change mode in the MGMT MODE screen. You can switch from Standalone AP to Controller AP (and vice versa) using the Web Configurator. NWA-3500/NWA-3550 User’s Guide...
Page 95: Controller Ap Status Screen
When the NWA is in AP controller mode, the Status screen displays some unique fields in the System Information, AP Status, WLAN Association and System Status sections. The System Status links take you to screens that provide information on the access points managed by the NWA. NWA-3500/NWA-3550 User’s Guide...
Page 96 NWA, but are transmitting CAPWAP management requests. WLAN Association 802.11a This field displays the number of wireless clients associated with APs managed by the NWA (including the NWA itself) using 802.11a radio mode. NWA-3500/NWA-3550 User’s Guide...
Page 97: Ap Lists Screen
SSID, and the number of wireless clients associated with each SSID. 6.4 AP Lists Screen Use this screen to view and add managed APs. By default, the controller NWA is always included in this table. Although you cannot remove it, you can edit its settings. NWA-3500/NWA-3550 User’s Guide...
Page 98 This displays the MAC address of the managed AP. Model This displays the model name and 802.11 mode of the managed Description This displays the description of the managed AP. You can assign this in Section 6.4.1 on page 100. NWA-3500/NWA-3550 User’s Guide...
Page 99 Select the unmanaged AP from the list and click this to include the unmanaged AP in the NWA’s managed AP list. Automatic Refresh Enter how often you want the NWA to update this screen. Interval Refresh Click this to update this screen immediately. NWA-3500/NWA-3550 User’s Guide...
Page 100: The Ap Lists Edit Screen
Select Disable if you do not want to use a second radio profile. The AP’s radio is not active when you select Disable. Apply Click this to save the changes in this screen. Reset Click this to return the fields in this screen to their previously- saved values. NWA-3500/NWA-3550 User’s Guide...
Page 101: Configuration Screen
Select Always Accept to have the NWA manage any AP on your network that transmits a CAPWAP request for management. Apply Click this to save the changes in this screen. Reset Click this to return the fields in this screen to their previously-saved values. NWA-3500/NWA-3550 User’s Guide...
Page 102: Redundancy Screen
Click this to return the fields in this screen to their previously-saved values. 6.7 The Profile Edit Screens This section describes the Profile Edit screens, which are available only in AP controller mode. The following Profile Edit screens are identical to those in standalone mode: NWA-3500/NWA-3550 User’s Guide...
Page 103: The Radio Profile Screen
This field displays the index number of each radio profile. Profile Name This field displays the identification name of each radio profile on the NWA. 802.11 Mode This field displays the IEEE 802.11 wireless mode the radio profile uses. NWA-3500/NWA-3550 User’s Guide...
Page 104: The Radio Profile Edit Screen
6.7.2 The Radio Profile Edit Screen Use this screen to configure a specific radio profile. In the Profile Edit > Radio screen, select a profile and click Edit. The following screen displays. Figure 68 Radio Edit Screen NWA-3500/NWA-3550 User’s Guide...
Page 105 DCS is Disabled by default If the NWA is configured in Controller AP mode, it is recommended that you enable Dynamic Channel Selection (DCS). This allows the NWA to select channels with less intereference for Managed APs. NWA-3500/NWA-3550 User’s Guide...
Page 106 Each AP can use multiple SSID profiles simultaneously. Configure SSID profiles in the Profile Edit > SSID screens. Enable Antenna Select this to use antenna diversity. Antenna diversity uses Diversity multiple antennas to reduce signal interference. NWA-3500/NWA-3550 User’s Guide...
Page 107 Chapter 6 AP Controller Mode Table 17 Radio Edit Screen LABEL DESCRIPTION Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 108 Chapter 6 AP Controller Mode NWA-3500/NWA-3550 User’s Guide...
Page 109: System Screens
NWA. • Use the Time Setting screen (see Section 7.4 on page 115) to change your NWA’s time and date. This screen allows you to configure the NWA’s time based on your local time zone. NWA-3500/NWA-3550 User’s Guide...
Page 110: What You Need To Know About The System Screens
254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network. NWA-3500/NWA-3550 User’s Guide...
Page 111: General Screen
If you want to log into the NWA using the System Name, enter a name not longer than 15 alphanumeric characters. Domain Name This is not a required field. Leave this field blank or enter the domain name here if you know it. NWA-3500/NWA-3550 User’s Guide...
Page 112 DNS server, you must know the IP address of a machine in order to access it. The default setting is None. Apply Click Apply to save your changes. Reset Click Reset to reload the previous configuration for this screen. NWA-3500/NWA-3550 User’s Guide...
Page 113: Password Screen
Select this (and configure the other fields in this section) to have a RADIUS RADIUS server authenticate management logins to the NWA. Use old setting Select this to have a RADIUS server authenticate management logins to the NWA using the RADIUS username and password already configured on the device. NWA-3500/NWA-3550 User’s Guide...
Page 114 RADIUS server (see Section 11.2 on page 171). • The server must be set to Active in the profile. Apply Click Apply to save your changes. Reset Click Reset to reload the previous configuration for this screen. NWA-3500/NWA-3550 User’s Guide...
Page 115: Time Setting Screen
This field displays the last updated time from the time server or (hh:mm:ss) the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. NWA-3500/NWA-3550 User’s Guide...
Page 116 UTC). So in the European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). NWA-3500/NWA-3550 User’s Guide...
Page 117: Technical Reference
When you turn on the NWA for the first time, the date and time start at 2000-01- 01 00:00:00. When you select Auto in the System > Time Setting screen, the NWA then attempts to synchronize with one of the following pre-defined list of NTP time servers. NWA-3500/NWA-3550 User’s Guide...
Page 118 If the synchronization fails, then the NWA goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. NWA-3500/NWA-3550 User’s Guide...
Page 119: Wireless Configuration
8.2 What You Can Do in the Wireless Screen Use the Wireless > Wireless screen (see Section 8.3 on page 123) to configure the NWA to use a WLAN interface and operate in AP (Access Point), AP + Bridge, Bridge / Repeater or MBSSID mode. NWA-3500/NWA-3550 User’s Guide...
Page 120: What You Need To Know About The Wireless Screen
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). NWA-3500/NWA-3550 User’s Guide...
Page 121 • MBSSID Mode. The Multiple Basic Service Set Identifier (MBSSID) mode allows you to use one access point to provide several BSSs simultaneously. Refer to Section 1.2 on page 24 for illustrations of these wireless applications. NWA-3500/NWA-3550 User’s Guide...
Page 122 • You must use different WEP keys for different BSSs. If two stations have different BSSIDs (they are in different BSSs), but have the same WEP keys, they may hear each other’s communications (but not communicate with each other). NWA-3500/NWA-3550 User’s Guide...
Page 123: The Wireless Screen
Note: Some fields in this screen may not apply to your NWA model. 8.3.1 Access Point Mode Use this screen to use your NWA as an access point. Select Access Point as the Operating Mode. The following screen displays. Figure 76 Wireless: Access Point NWA-3500/NWA-3550 User’s Guide...
Page 124 Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to- peer wireless network. To have the NWA automatically select a channel, click Auto Selection instead. NWA-3500/NWA-3550 User’s Guide...
Page 125 APs. Select one of the following 100%(Full Power), 50%, 25%, 12.5% or Minimum. See the product specifications for more information on your NWA’s output power. Note: Reducing the output power also reduces the NWA’s effective broadcast radius. NWA-3500/NWA-3550 User’s Guide...
Page 126: Bridge / Repeater Mode
Use this screen to have the NWA act as a wireless network bridge / repeater and establish wireless links with other APs. You need to know the MAC address of the peer device, which also must be in bridge / repeater mode. NWA-3500/NWA-3550 User’s Guide...
Page 127 Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions. Operating Mode Select Bridge / Repeater in this field. NWA-3500/NWA-3550 User’s Guide...
Page 128 RTS/CTS off. Fragmentation The threshold (number of bytes) for the fragmentation boundary for Threshold directed messages. It is the maximum data fragment size that can be sent. Enter an even number between 256 and 2346. NWA-3500/NWA-3550 User’s Guide...
Page 129 WDS. Index This is the index number of the bridge connection. Active Select the check box to enable the bridge connection. Otherwise, clear the check box to disable it. NWA-3500/NWA-3550 User’s Guide...
Page 130 Select the check box to activate STP on the NWA. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 131: Ap + Bridge Mode
8.3.3 AP + Bridge Mode Use this screen to have the NWA function as a bridge and access point simultaneously. Select AP + Bridge as the Operating Mode. The following screen diplays. Figure 78 AP + Bridge NWA-3500/NWA-3550 User’s Guide...
Page 132 Click this to disable DCS and select a channel ID manually. Note: DCS is Disabled by default Operating Channel This field displays only when you select 802.11a in the 802.11 Radio Mode field. This is the channel currently being used by your AP. NWA-3500/NWA-3550 User’s Guide...
Page 133 LAN and you change the NWA’s SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the NWA’s new settings. NWA-3500/NWA-3550 User’s Guide...
Page 134 Type a pre-shared key (PSK) from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). You must also set the peer device to use the same pre-shared key. Each peer device can use a different pre-shared key. NWA-3500/NWA-3550 User’s Guide...
Page 135 NWAs on the same subnet. Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 136: Mbssid Mode
Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions. Operating Mode Select MBSSID in this field to display the screen as shown NWA-3500/NWA-3550 User’s Guide...
Page 137 (and causing data collisions). A wireless client sends an RTS for all packets larger than the number (of bytes) that you enter here. Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off. NWA-3500/NWA-3550 User’s Guide...
Page 138 You must then change the wireless settings of your computer to match the NWA’s new settings. Index Select the check box to activate an SSID profile. Active Select the check box to enable the bridge connection. Otherwise, clear the check box to disable it. NWA-3500/NWA-3550 User’s Guide...
Page 139: Technical Reference
The NWA uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol) that allow faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). Using RSTP topology change information does not have to propagate to the root bridge and unwanted learned addresses are flushed from NWA-3500/NWA-3550 User’s Guide...
Page 140: Stp Terminology
Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology. NWA-3500/NWA-3550 User’s Guide...
Page 141: Stp Port States
This is known as roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors. NWA-3500/NWA-3550 User’s Guide...
Page 142 Wireless station Y scans and detects the signal of access point AP 2. Wireless station Y sends an association request to access point AP 2. Access point AP 2 acknowledges the presence of wireless station Y and relays this information to access point AP 1 through the wired LAN. NWA-3500/NWA-3550 User’s Guide...
Page 143: Requirements For Roaming
To enable roaming on your NWA, click WIRELESS > Wireless. The screen appears as shown. Figure 81 Enabling Roaming Select the Enable Roaming check box and click Apply. Note: Roaming cannot be enabled in Bridge / Repeater mode. NWA-3500/NWA-3550 User’s Guide...
Page 144 Chapter 8 Wireless Configuration NWA-3500/NWA-3550 User’s Guide...
Page 145: Ssid Screen
(VoIP_SSID), and a guest profile that allows visitors access only the Internet and the network printer (Guest_SSID). 9.1.1 What You Can Do in the SSID Screen Use the Wireless > SSID screen (see Section 9.2 on page 147) to configure up to 16 SSID profiles for your NWA. NWA-3500/NWA-3550 User’s Guide...
Page 146: What You Need To Know About Ssid
• Wireless > Layer 2 Isolation (the layer 2 isolation list, if activated in the SSID profile) • Also, use the VLAN screen to set up wireless VLANs based on SSID Configure the fields in the above screens to use the settings in an SSID profile. NWA-3500/NWA-3550 User’s Guide...
Page 147: The Ssid Screen
This field displays which RADIUS profile is currently associated with each SSID profile, if you have a RADIUS server configured. This field displays the Quality of Service setting for this profile or NONE if QoS is not configured on a profile. NWA-3500/NWA-3550 User’s Guide...
Page 148: Configuring Ssid
RADIUS Select a RADIUS profile from the drop-down list box, if you have a RADIUS server configured. If you do not need to use RADIUS authentication, ignore this field. See Section 11.2 on page 171 more information. NWA-3500/NWA-3550 User’s Guide...
Page 149: Technical Reference
It controls WLAN transmission priority on packets to be transmitted over the wireless network. WMM QoS prioritizes wireless traffic according to the delivery requirements of the individual and applications. WMM QoS is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks. NWA-3500/NWA-3550 User’s Guide...
Page 150: Wmm Qos Priorities
ATC assigns priority based on packet size, since time-sensitive applications such as Internet telephony (Voice over IP or VoIP) tend to have smaller packet sizes than non-time sensitive applications such as FTP (File Transfer Protocol). The following table shows some common applications, their time sensitivity, and their NWA-3500/NWA-3550 User’s Guide...
Page 151: Atc+Wmm
• enable WMM QoS on your wireless network and automatically assign a WMM priority to packets that do not already have one (see Section 9.3.3.1 on page 152). • automatically prioritize all packets going from your wireless network to the wired network (see Section 9.3.3.2 on page 152). NWA-3500/NWA-3550 User’s Guide...
Page 152: Atc+Wmm From Lan To Wlan
9.3.4.1 DiffServ DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route NWA-3500/NWA-3550 User’s Guide...
Page 153: Dscp And Per-Hop Behavior
DSCP value in order to make the best use of WMM QoS. A Voice over IP (VoIP) device for example may allow you to define the DSCP value. NWA-3500/NWA-3550 User’s Guide...
Page 154 224, 192 voice 160, 128 video 96, 0 besteffort 64, 32 background A. The NWA also uses best effort for any DSCP value for which another WMM QoS priority is not specified (255, 158 or 37 for example). NWA-3500/NWA-3550 User’s Guide...
Page 155: Wireless Security Screen
MAC address filtering. It can also hide its identity in the network. 10.1.1 What You Can Do in the Wireless Security Screen Use the Wireless > Security screen (see Section 10.2 on page 157) to choose the security mode for your NWA. NWA-3500/NWA-3550 User’s Guide...
Page 156: What You Need To Know About Wireless Security
• 802.1x-Only. This is a standard that extends the features of IEEE 802.11 to support extended authentication. It provides additional accounting and control features. This option does not support data encryption. NWA-3500/NWA-3550 User’s Guide...
Page 157: The Security Screen
The NWA when used as a wireless client employs Temporal Key Integrity Protocol (TKIP) data encryption. 10.2 The Security Screen Note: The following screens are configurable only in Access Point, AP + Bridge and MBSSID operating modes. NWA-3500/NWA-3550 User’s Guide...
Page 158 This field displays a name given to a security profile in the Security configuration screen. Security Mode This field displays the security mode this security profile uses. Edit Select an entry from the list and click Edit to configure security settings for that profile. NWA-3500/NWA-3550 User’s Guide...
Page 159: Security: Wep
Type a name to identify this security profile. Security Mode Choose WEP in this field. WEP Encryption Select Disable to allow wireless stations to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to enable data encryption. NWA-3500/NWA-3550 User’s Guide...
Page 160 You must configure all four keys, but only one key can be activated at any one time. The default key is key 1. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 161: Security: 802.1X Only
The default time interval is 3600 seconds (or 1 hour). Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 162: Security: 802.1X Static 64-Bit, 802.1X Static 128-Bit
The preceding “0x” is entered automatically. You must configure all four keys, but only one key can be activated at any one time. The default key is key 1. NWA-3500/NWA-3550 User’s Guide...
Page 163: Security: Wpa
Select WPA in the Security Mode field to display the following screen. Figure 92 Security: WPA The following table describes the labels in this screen. Table 42 Security: WPA LABEL DESCRIPTION Profile Name Type a name to identify this security profile. Security Mode Choose WPA in this field. NWA-3500/NWA-3550 User’s Guide...
Page 164: Security: Wpa2 Or Wpa2-Mix
10.2.5 Security: WPA2 or WPA2-MIX Use this screen to set the selected profile to WPA2 or WPA2-MIX security mode. Select WPA2 or WPA2-MIX in the Security Mode field to display the following screen. Figure 93 Security:WPA2 or WPA2-MIX NWA-3500/NWA-3550 User’s Guide...
Page 165 AP’s coverage area. This speeds up roaming. Select Enable to allow pre-authentication, or Disable to switch it off. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 166: Security: Wpa-Psk, Wpa2-Psk, Wpa2-Psk-Mix
The NWA automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour). NWA-3500/NWA-3550 User’s Guide...
Page 167: Technical Reference
• If you don’t have WPA/WPA2-aware wireless clients, then use WEP key encrypting. A higher bit key offers better security. You can manually enter 64- bit, 128-bit or 152-bit WEP keys. More information on Wireless Security can be found in Appendix A on page 303. NWA-3500/NWA-3550 User’s Guide...
Page 168 Chapter 10 Wireless Security Screen NWA-3500/NWA-3550 User’s Guide...
Page 169: Radius Screen
NWA (ZyXEL Device). The NWA in turn queries the RADIUS server if the identity of clients A and U are allowed access to the Internet. In this scenario, only client U’s identity is verified by the RADIUS server and allowed access to the Internet. NWA-3500/NWA-3550 User’s Guide...
Page 170: What You Can Do In The Radius Screen
You can configure up to four RADIUS server profiles. Each profile also has one backup authentication server and a backup accounting server. These profiles can be assigned to an SSID profile in the Wireless > SSID configuration screen. NWA-3500/NWA-3550 User’s Guide...
Page 171: The Radius Screen
Backup servers. Requests can be issued from the client interface to use the backup server. The length of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field in the Security screen. RADIUS Option NWA-3500/NWA-3550 User’s Guide...
Page 172 The key must be the same on the external accounting server and your NWA. The key is not sent over the network. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 173: Layer-2 Isolation Screen
Note: Intra-BSS Traffic Blocking is activated when you enable layer-2 isolation. Figure 97 Layer-2 Isolation Application MAC addresses that are not listed in the Allow devices with these MAC addresses table of the Wireless > Layer-2 Isolation screen are blocked from NWA-3500/NWA-3550 User’s Guide...
Page 174: What You Can Do In The Layer-2 Isolation Screen
MAC filtering on the NWA. If layer-2 isolation is enabled, you need to know the MAC address of each wireless client, AP, computer or router that you want to allow to communicate with the NWA's wireless clients. NWA-3500/NWA-3550 User’s Guide...
Page 175: The Layer-2 Isolation Screen
This is the index number of the profile. Profile Name This field displays the name given to a layer-2 isolation profile in the Layer-2 Isolation Configuration screen. Edit Select an entry from the list and click Edit to configure settings for that profile. NWA-3500/NWA-3550 User’s Guide...
Page 176: Configuring Layer-2 Isolation
These are the MAC address of a wireless client, AP, computer or router. with these MAC A wireless client associated with the NWA can communicate with addresses another wireless client, AP, computer or router only if the MAC addresses of those devices are listed in this table. NWA-3500/NWA-3550 User’s Guide...
Page 177: Technical Reference
12.3 Technical Reference This section provides technical background information on the topics discussed in this chapter. The figure that follows illustrates two example layer-2 isolation configurations on your NWA (A). Figure 100 Layer-2 Isolation Example Configuration 00:00:c5:00:00:66 00:00:c5:00:00:cc NWA-3500/NWA-3550 User’s Guide...
Page 178 B and file server C but not wireless client 3. • Enter the server’s and your NWA’s MAC addresses in the MAC Address fields. Enter “File Server C” in C’s Description field, and enter “Access Point B” in B’s Description field. Layer-2 Isolation Example 2 NWA-3500/NWA-3550 User’s Guide...
Page 179: Mac Filter Screen
NWA. 13.1.2 What You Should Know About MAC Filter Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal NWA-3500/NWA-3550 User’s Guide...
Page 180: The Mac Filter Screen
Note: To activate MAC filtering on an SSID profile, select the correct filter from the Enable MAC Filtering drop-down list box in the Wireless > SSID > Edit screen and click Apply. Figure 103 Wireless > MAC Filter > Edit NWA-3500/NWA-3550 User’s Guide...
Page 181 Note: If you configure both the MAC Address Filter table and Group Settings table and a client matches a MAC address specified in both tables, the settings in the Group Settings is applied by the NWA first. NWA-3500/NWA-3550 User’s Guide...
Page 182 Chapter 13 MAC Filter Screen NWA-3500/NWA-3550 User’s Guide...
Page 183: Ip Screen
184) to configure the IP address of your NWA. 14.1.2 What You Need To Know About IP The Ethernet parameters of the NWA are preset with the following values: • IP address of 192.168.1.2 • Subnet mask of 255.255.255.0 (24 bits) NWA-3500/NWA-3550 User’s Guide...
Page 184: The Ip Screen
NWA; over the WAN, the gateway must be the IP address of one of the remote nodes. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 185: Technical Reference
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. NWA-3500/NWA-3550 User’s Guide...
Page 186 Chapter 14 IP Screen NWA-3500/NWA-3550 User’s Guide...
Page 187: Rogue Ap Detection
Note that it is not necessary for a network to have a legitimate wireless LAN component for rogue APs to open the network to an attacker. In this case, any AP detected can be classified as rogue. Figure 106 Rogue AP Example NWA-3500/NWA-3550 User’s Guide...
Page 188: What You Can Do In The Rogue Ap Screen
(save) your list of friendly APs often, especially if you have a network with a large number of access points. If you do not add them to the friendly AP list, these access points will appear in the Rogue AP list each time the NWA scans. NWA-3500/NWA-3550 User’s Guide...
Page 189 SSID (Service Set IDentifier) clients have no way of knowing that they are not associating with a legitimate company AP. The attacker can forward network traffic from associated clients to a legitimate AP, creating the impression of normal service. This is a variety of “man-in-the-middle” attack. NWA-3500/NWA-3550 User’s Guide...
Page 190: Configuration Screen
Enter the location of a previously-saved friendly AP list to upload to the NWA. Alternatively, click the Browse button to locate a list. Browse Click this button to locate a previously-saved list of friendly APs to upload to the NWA. NWA-3500/NWA-3550 User’s Guide...
Page 191: Friendly Ap Screen
AP. All wireless devices have a MAC address that uniquely identifies them. SSID This field displays the Service Set IDentifier (also known as the network name) of the AP. Channel This field displays the wireless channel the AP is currently using. NWA-3500/NWA-3550 User’s Guide...
Page 192: Rogue Ap Screen
Index This is the index number of the AP’s entry in the list. Select Use this check box to select the APs you want to move to the friendly AP list (see Section 15.2.1 on page 191) NWA-3500/NWA-3550 User’s Guide...
Page 193 Section 15.2.1 on page 191). When the NWA next scans for rogue APs, the selected AP does not appear in the rogue AP list. Reset Click Reset to return all fields in this screen to their default values. NWA-3500/NWA-3550 User’s Guide...
Page 194 Chapter 15 Rogue AP Detection NWA-3500/NWA-3550 User’s Guide...
Page 195: Remote Management Screens
In the figure below, the NWA (A) is being managed by a desktop computer (B) connected via LAN (Land Area Network). It is also being accessed by a notebook (C) connected via WLAN (Wireless LAN). Figure 111 Remote Management Example NWA-3500/NWA-3550 User’s Guide...
Page 196: What You Can Do In The Remote Management Screens
Your NWA supports SNMP agent functionality, which allows a manager station to manage and monitor the NWA through the network. The NWA supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation. . NWA-3500/NWA-3550 User’s Guide...
Page 197 • You may only have one remote management session running at one time. The NWA automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows: • Telnet • HTTP NWA-3500/NWA-3550 User’s Guide...
Page 198: The Telnet Screen
You can change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Server Select the interface(s) through which a computer may access the NWA Access using Telnet. NWA-3500/NWA-3550 User’s Guide...
Page 199: The Ftp Screen
Reset Click Reset to begin configuring this screen afresh. 16.3 The FTP Screen You can upload and download the NWA’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. NWA-3500/NWA-3550 User’s Guide...
Page 200: The Www Screen
16.4 The WWW Screen You can choose to configure your NWA via the World Wide Web (WWW) using a Web browser. This lets you specify which IP addresses or computers are able to communicate with and access the NWA. NWA-3500/NWA-3550 User’s Guide...
Page 201 NWA by sending the NWA a Certificates certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the NWA (see the appendix on importing certificates for details). NWA-3500/NWA-3550 User’s Guide...
Page 202 Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 203: The Snmp Screen
Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests. Trap Destination Type the IP address of the station to which you want the NWA to send SNMP traps. NWA-3500/NWA-3550 User’s Guide...
Page 204 Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service. Apply Click Apply to save your customized settings and exit this screen. Reset Click Reset to begin configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 205: Snmpv3 User Profile
Authentication Select an authentication algorithm. MD5 (Message Digest 5) and Protocol SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower. NWA-3500/NWA-3550 User’s Guide...
Page 206: Technical Reference
This section provides some technical background information about the topics covered in this chapter. 16.6.1 MIB Managed devices in an SMNP managed network contain object variables or managed objects that define each piece of information to be collected about a NWA-3500/NWA-3550 User’s Guide...
Page 207: Supported Mibs
This trap is sent after booting (software reboot). This trap is defined in RFC- 1215. linkDown 1.3.6.1.6.3.1.1.5.3 This trap is sent when the Ethernet link is down. linkUp 1.3.6.1.6.3.1.1.5.4 This trap is sent when the Ethernet link is up. NWA-3500/NWA-3550 User’s Guide...
Page 208 Ethernet port (LAN) enet2 Wireless LAN adaptor WLAN2 Virtual enet3 ~ enet9 WLAN1 in MBSSID mode enet10 ~ enet16 WLAN2 in MBSSID mode enet17 ~ enet21 WLAN1 in WDS mode enet22 ~ enet26 WLAN2 in WDS mode NWA-3500/NWA-3550 User’s Guide...
Page 209: Internal Radius Server
Figure 118 RADIUS Server Access Request Wired Network Allow / Deny The NWA can also serve as a RADIUS server to authenticate other APs and their wireless clients. For more background information on RADIUS, see Section 11.2 on page 175. NWA-3500/NWA-3550 User’s Guide...
Page 210: What You Can Do In This Chapter
17.2 Internal RADIUS Server Setting Screen Use this screen to turn the NWA’s internal RADIUS server off or on and to view information about the NWA’s certificates. Click AUTH. SERVER > Setting. The following screen displays. Figure 119 Internal RADIUS Server Setting NWA-3500/NWA-3550 User’s Guide...
Page 211 Expiring! or Expired! message if the certificate is about to expire or has already expired. Apply Click Apply to have the NWA use certificates to authenticate wireless clients. Reset Click Reset to start configuring this screen afresh. NWA-3500/NWA-3550 User’s Guide...
Page 212: The Trusted Ap Screen
NWA. Both the NWA’s IP address and this shared secret must also be configured in the “external RADIUS” server fields of the trusted AP. Note: The first trusted AP fields are for the NWA itself. NWA-3500/NWA-3550 User’s Guide...
Page 213: The Trusted Users Screen
User Name Enter the user name for this user account. This name can be up to 31 alphanumeric characters long, including spaces. The wireless client’s utility must use this name as its login name. NWA-3500/NWA-3550 User’s Guide...
Page 214: Technical Reference
AUTH. SERVER > Trusted Users screen. The following figure shows how this is done. Wireless clients make access requests to trusted APs, which relay the requests to the NWA. Figure 122 Trusted APs Overview ZyXEL RADIUS Server Trusted APs Wireless clients NWA-3500/NWA-3550 User’s Guide...
Page 215 PEAP/MS-CHAPv2 settings, deselect the Use Windows logon name and password check box. When authentication begins, a pop-up dialog box requests you to type a Name, Password and Domain of the RADIUS server. Specify a name and password only, do not specify a domain. NWA-3500/NWA-3550 User’s Guide...
Page 216 Chapter 17 Internal RADIUS Server NWA-3500/NWA-3550 User’s Guide...
Page 217: Certificates
• Use the Trusted CAs screens (see Chapter 18 on page 229) to save CA certificates to the NWA. This screen displays a summary list of certificates of the certification authorities that you have set the NWA to accept as trusted. NWA-3500/NWA-3550 User’s Guide...
Page 218: What You Need To Know About Certificates
64 ASCII characters to convert a binary PKCS#7 certificate into a printable form. 18.2 My Certificates Screen Use this screen to view the NWA’s summary of certificates and certification requests. Click Certificates > My Certificates. The following screen displays. Figure 124 Certificates > My Certificates NWA-3500/NWA-3550 User’s Guide...
Page 219 Click Create to go to the screen where you can have the NWA generate a certificate or a certification request. Import Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the NWA. NWA-3500/NWA-3550 User’s Guide...
Page 220: My Certificates Import Screen
Use this screen to import a certificate from your local computer to the NWA. Note: You can import only a certificate that matches a corresponding certification request that was generated by the NWA. Click Certificates > My Certificates and then Import to open the My Certificate Import screen. NWA-3500/NWA-3550 User’s Guide...
Page 221 Click Browse to find the certificate file you want to upload. Apply Click Apply to save the certificate on the NWA. Note: The certificate you import replaces the corresponding request in the My Certificates screen. Cancel Click Cancel to quit and return to the My Certificates screen. NWA-3500/NWA-3550 User’s Guide...
Page 222: My Certificates Create Screen
You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information. NWA-3500/NWA-3550 User’s Guide...
Page 223 You also need to fill in the Reference Number and Key if the certification authority requires them. NWA-3500/NWA-3550 User’s Guide...
Page 224 Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the NWA to enroll a certificate online. NWA-3500/NWA-3550 User’s Guide...
Page 225: My Certificates Details Screen
NWA. Click Certificates > My Certificates to open the My Certificates screen (Figure 124 on page 218). Click the details button to open the My Certificate Details screen. Figure 127 Certificates > My Certificate Details NWA-3500/NWA-3550 User’s Guide...
Page 226 This field displays the type of algorithm that was used to sign the Algorithm certificate. The NWA uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use ras-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). NWA-3500/NWA-3550 User’s Guide...
Page 227 Cancel Click Cancel to quit and return to the My Certificates screen. NWA-3500/NWA-3550 User’s Guide...
Page 228: Trusted Cas Screen
Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired. NWA-3500/NWA-3550 User’s Guide...
Page 229: Trusted Cas Import Screen
Click Certificates >Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CAs Import screen. The following figure displays. Note: You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 129 Certificates > Trusted CAs Import NWA-3500/NWA-3550 User’s Guide...
Page 230: Trusted Cas Details Screen
NWA to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Click Certificates > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CAs Details screen. Figure 130 Certificates > Trusted CAs Details NWA-3500/NWA-3550 User’s Guide...
Page 231 (RSA public-private key encryption algorithm and the MD5 hash algorithm). Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable. NWA-3500/NWA-3550 User’s Guide...
Page 232 NWA to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority. Cancel Click Cancel to quit and return to the Trusted CAs screen. NWA-3500/NWA-3550 User’s Guide...
Page 233: Technical Reference
There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the NWA to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority. NWA-3500/NWA-3550 User’s Guide...
Page 234: Checking The Fingerprint Of A Certificate
Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary according to your situation. Possible examples would be over the telephone or through an HTTPS connection. NWA-3500/NWA-3550 User’s Guide...
Page 235: Log Screens
(Section 19.2 on page 236) to display all logs or logs for a certain category. You can view logs and alert messages in this page. Once the log entries are all used, old logs will be deleted. NWA-3500/NWA-3550 User’s Guide...
Page 236: What You Need To Know About Logs
You can view logs and alert messages in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. NWA-3500/NWA-3550 User’s Guide...
Page 237 Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page. Refresh Click Refresh to renew the log screen. Clear Log Click Clear Log to clear all the logs. NWA-3500/NWA-3550 User’s Guide...
Page 238: The Log Settings Screen
Use this screen to configure where and when the NWA will send the logs, and which logs and/or immediate alerts to send. Click Logs > Log Settings. The following screen displays. Figure 135 Logs > Log Settings NWA-3500/NWA-3550 User’s Guide...
Page 239 Use the drop down list box to select which day of the week to send the logs. Time for Enter the time of the day in 24-hour format (for example 23:00 Sending Log equals 11:00 pm) to send the logs. NWA-3500/NWA-3550 User’s Guide...
Page 240: Technical Reference
Someone has failed to log on to the NWA via telnet. TELNET Login Fail Someone has logged on to the NWA via FTP. FTP Login Successfully Someone has failed to log on to the NWA via FTP. FTP Login Fail NWA-3500/NWA-3550 User’s Guide...
Page 241 Table 75 Sys log LOG MESSAGE DESCRIPTION This message is sent by the "RAS" when this syslog is Mon dd hr:mm:ss hostname generated. The messages and notes are defined in this src="<srcIP:srcPort>" appendix’s other charts. dst="<dstIP:dstPort>" msg="<msg>" note="<note>" NWA-3500/NWA-3550 User’s Guide...
Page 242: Log Commands
Use the sys logs category display command to show the log settings for all of the log categories. Use the sys logs display [log category] command to show the logs in an individual NWA log category. Use the sys logs clear command to erase all of the NWA’s logs. NWA-3500/NWA-3550 User’s Guide...
Page 243: Log Command Example
3 ras> sys logs save ras> sys logs display access time source destination notes message 0 | 11/11/2002 15:10:12 | 172.22.3.80:137 | 172.22.255.255:137 | ACCESS BLOCK NWA-3500/NWA-3550 User’s Guide...
Page 244 Chapter 19 Log Screens NWA-3500/NWA-3550 User’s Guide...
Page 245: Vlan
• Use the Radius VLAN screen (Section 20.2.1 on page 248) to configure your RADIUS Virtual LAN setup. Your RADIUS server assigns VLAN IDs to a user or user group’s traffic based on what you set in this screen. NWA-3500/NWA-3550 User’s Guide...
Page 246: What You Need To Know About Vlan
VLAN, then that device cannot manage the NWA. Note: If no devices are in the management VLAN, then you will be able to access the NWA only through the console port (not through the network). NWA-3500/NWA-3550 User’s Guide...
Page 247: Wireless Vlan Screen
At least one device in your network must belong to this VLAN group in order to manage the NWA. Note: Mail and FTP servers must have the same management VLAN ID to communicate with the NWA. Section 20.3.2 on page 250 for more information. NWA-3500/NWA-3550 User’s Guide...
Page 248: Radius Vlan Screen
Click this to return this screen to its last-saved settings. 20.2.1 RADIUS VLAN Screen Use this screen to configure your RADIUS Virtual LAN setup. Your RADIUS server assigns VLAN IDs to a user or user group’s traffic based on what you set in this screen. NWA-3500/NWA-3550 User’s Guide...
Page 249 This is the index number of the SSID profile. Active Select a check box to enable the SSID profile. Type a VLAN ID. Incoming traffic from the WLAN is authorized and assigned a VLAN ID before it is sent to the LAN. NWA-3500/NWA-3550 User’s Guide...
Page 250: Technical Reference
1). The following procedure shows you how to configure a tagged VLAN. Note: Use the out-of-band management port or console port to configure the switch if you misconfigure the management VLAN and lock yourself out from performing in-band management. NWA-3500/NWA-3550 User’s Guide...
Page 251 NWA. Disable Tx Tagging on the port you are using to connect to your computer. Under Control, select Fixed to set the port as a member of the VLAN. Figure 140 VLAN-Aware Switch - Static VLAN NWA-3500/NWA-3550 User’s Guide...
Page 252 Figure 139 on page 251. In the NWA web configurator click VLAN to open the VLAN setup screen. Select the Enable VLAN Tagging check box and type a Management VLAN ID (10 in this example) in the field provided. NWA-3500/NWA-3550 User’s Guide...
Page 253: Configuring Microsoft's Ias Server Example
Dynamic VLAN assignment can be used with the NWA. Dynamic VLAN assignment allows network administrators to assign a specific VLAN (configured on the NWA) to an individual’s Windows User Account. When a wireless station is successfully authenticated to the network, it is automatically placed into it’s respective VLAN. NWA-3500/NWA-3550 User’s Guide...
Page 254: Configuring Vlan Groups
VLAN defined on the NWA. The VLAN Groups must be created as Global/Security groups. Type a name for the VLAN Group that describes the VLAN Group’s function. Select the Global Group scope parameter check box. NWA-3500/NWA-3550 User’s Guide...
Page 255: Configuring Remote Access Policies
20.3.3.2 Configuring Remote Access Policies Once the VLAN Groups have been created, the IAS Remote Access Policy needs to be defined. This allows the IAS to compare the user account being authenticated against the group memberships of each VLAN Group. NWA-3500/NWA-3550 User’s Guide...
Page 256 Policy will be matched to one VLAN Group. An example may be, Allow - VLAN 10 Policy. Click Next. Figure 146 New Remote Access Policy for VLAN Group The Conditions window displays. Select Add to add a condition for this policy to act on. NWA-3500/NWA-3550 User’s Guide...
Page 257 Click OK and Next in the next few screens to accept the group value. Figure 148 Adding VLAN Group When the Permissions options screen displays, select Grant remote access permission. Click Next to grant access based on group membership. NWA-3500/NWA-3550 User’s Guide...
Page 258 Extensible Authentication Protocol check box. Select an EAP type depending on your authentication needs from the drop- down list box. Clear the check boxes for all other authentication types listed below the drop- down list box. Figure 150 Authentication Tab Settings NWA-3500/NWA-3550 User’s Guide...
Page 259 10 Click the Advanced tab. The current default parameters returned to the NWA should be Service-Type and Framed-Protocol. • Click the Add button to add an additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment. Figure 152 Connection Attributes Screen NWA-3500/NWA-3550 User’s Guide...
Page 260 11c Click the Add button. Figure 153 RADIUS Attribute Screen 12 The Enumerable Attribute Information screen displays. Select the 802 value from the Attribute value drop-down list box. Click OK. Figure 154 802 Attribute Setting for Tunnel-Medium-Type NWA-3500/NWA-3550 User’s Guide...
Page 261 15 Return to the RADIUS Attribute Screen shown as Figure 153 on page 260. 15a Select Tunnel-Type. 15b Click Add. 16 The Enumerable Attribute Information screen displays. 16a Select Virtual LANs (VLAN) from the attribute value drop-down list box. NWA-3500/NWA-3550 User’s Guide...
Page 262 Note: Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list. NWA-3500/NWA-3550 User’s Guide...
Page 263: Second Rx Vlan Id Example
SSID02 has no second Rx VLAN ID configured, and the NWA forwards only packets tagged with VLAN ID 2 to it. 20.3.4.1 Second Rx VLAN Setup Example The following steps show you how to setup a second Rx VLAN ID on the NWA. Log into the Web Configurator. NWA-3500/NWA-3550 User’s Guide...
Page 264 Figure 159 Configuring SSID: Second Rx VLAN ID Example Click Apply to save these settings. Outgoing packets from clients in SSID03 are tagged with a VLAN ID of 3, and incoming packets with a VLAN ID of 3 or 4 are forwarded to SSID03. NWA-3500/NWA-3550 User’s Guide...
Page 265: Load Balancing
H A P T E R Load Balancing 21.1 Overview Wireless load balancing is the process whereby you limit the number of connections allowed on an wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users.
Page 266 Chapter 21 Load Balancing Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers. The coffee shop owner can’t possibly know how many connections his NWA will have at any given moment. As such, he decides to put a limit on the bandwidth that is available to his customers but not on the actual number of connections he allows.
Page 267: The Load Balancing Screen
Chapter 21 Load Balancing The requirements for load balancing are fairly straight forward and should be met in order for a group of similar NWAs to take advantage of the feature: • They should all be within the same subnet. •...
Page 268: Disassociating And Delaying Connections
Chapter 21 Load Balancing Table 80 Load Balancing FIELD DESCRIPTION Dissociate station when Select Enable to “kick” connections to the AP when it becomes overloaded overloaded. If you set this option to Disable, then the AP simply delays the connection until it can afford the bandwidth it requires, or it shunts the connection to another AP within its broadcast radius.
Page 269 Chapter 21 Load Balancing can afford the bandwidth for it or the red laptop is picked up by a different AP that has bandwidth to spare. Figure 162 Delaying a Connection The second response your AP can take is to kick the connections that are pushing it over its balanced bandwidth allotment.
Page 270 Chapter 21 Load Balancing NWA-3160 Series User’s Guide...
Page 271: Dynamic Channel Selection
H A P T E R Dynamic Channel Selection 22.1 Overview This chapter discusses how to configure dynamic channel selection on the NWA. Dynamic channel selection is a feature that allows your NWA to automatically select the radio channel upon which it broadcasts by scanning the area around and determining what channels are currently being used by other devices.
Page 272: The Dcs Screen
Chapter 22 Dynamic Channel Selection In this example, if the NWA attempts to broadcast on channels 1, 6, or 11 it is met with cross-channel interference from the other AP that shares the channel. This can result in noticeably slower data transfer rates, the dropping of the connection altogether, or even lost data packets.
Page 273 Chapter 22 Dynamic Channel Selection Table 81 DCS FIELD DESCRIPTION DCS Sensitivity Level Select the NWA’s sensitivity level toward other channels. Options are High, Medium, and Low. Generally, as long as the area in which your NWA is located has minimal interference from other devices you can set the DCS Sensitivity Level to Low.
Page 274 Chapter 22 Dynamic Channel Selection NWA-3160 Series User’s Guide...
Page 275: Maintenance
• Use Restart screen (Section 23.9 on page 284) to reboot the NWA without turning the power off. 23.3 What You Need To Know The following terms and concepts may help as you read through this chapter. NWA-3500/NWA-3550 User’s Guide...
Page 276: System Status Screen
23.4.1 Show Statistics Screen Use this screen to view diagnostic information about the NWA. Click Maintenance > Show Statistics. The following screen pops up. NWA-3500/NWA-3550 User’s Guide...
Page 277 This shows the reception speed in bytes per second on this port. Up Time This is total amount of time the line has been up. WLAN1 This section displays only when wireless LAN adaptor WLAN1 is in AP + Bridge or Bridge / Repeater mode. NWA-3500/NWA-3550 User’s Guide...
Page 278: Association List Screen
This field displays the MAC address of an associated wireless station. Association Time This field displays the time a wireless station first associated with the NWA. SSID This field displays the SSID to which the wireless station is associated. NWA-3500/NWA-3550 User’s Guide...
Page 279: Channel Usage Screen
Use this screen to see what channel the wireless clients are using to associate with the NWA, as well as the signal strength and network mode. Click Maintenance > Channel Usage. The following figure displays. Wait a moment while the NWA compiles the information. Figure 169 Channel Usage NWA-3500/NWA-3550 User’s Guide...
Page 280: F/W Upload Screen
LAN chapter) and security setup. Refresh Click Refresh to reload the screen. 23.7 F/W Upload Screen Use this scren to upload firmware to your NWA. Click MAINTENANCE > F/W Upload. The following screen displays. . Figure 170 Maintenance > F/W Upload NWA-3500/NWA-3550 User’s Guide...
Page 281 The NWA automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 172 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the System Status screen. NWA-3500/NWA-3550 User’s Guide...
Page 282: Configuration Screen
23.8.1 Backup Configuration Backup configuration allows you to back up (save) the NWA’s current configuration to a file on your computer. Once your NWA is configured and functioning properly, it is highly recommended that you back up your NWA-3500/NWA-3550 User’s Guide...
Page 283: Restore Configuration
Figure 176 Network Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default NWA IP NWA-3500/NWA-3550 User’s Guide...
Page 284: Back To Factory Defaults
You can also press the RESET button to reset your NWA to its factory default settings. Refer to Section 2.3 on page 38 for more information. 23.9 Restart Screen Use this screen to restart the NWA without turning it off and on. NWA-3500/NWA-3550 User’s Guide...
Page 285 Chapter 23 Maintenance Click Maintenance > Restart. The following screen displays. Click Restart to have the NWA reboot. This does not affect the NWA's configuration. Figure 179 Restart Screen NWA-3500/NWA-3550 User’s Guide...
Page 286 Chapter 23 Maintenance NWA-3500/NWA-3550 User’s Guide...
Page 287: Troubleshooting And Specifications
Troubleshooting and Specifications Troubleshooting (289) Product Specifications (297)
Page 289: Troubleshooting
• If the problem continues, contact the vendor. One of the LEDs does not behave as expected. • Make sure you understand the normal behavior of the LED. See Section 1.7 on page • Check the hardware connections. See the Quick Start Guide. NWA-3500/NWA-3550 User’s Guide...
Page 290: Nwa Access And Login
WLAN MAC address when accessing the NWA over the wireless interface. • If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page I forgot the password. NWA-3500/NWA-3550 User’s Guide...
Page 291 • You cannot log in to the web configurator while someone is using Telnet to access the NWA. Log out of the NWA in the other session, or ask the person who is logged in to log out. NWA-3500/NWA-3550 User’s Guide...
Page 292: Ap Management Modes
24.4 AP Management Modes The primary controller AP cannot connect to the secondary controller AP. The controllers need to have static IP addresses in the same network. Make sure you set the IP addresses in the IP screen. NWA-3500/NWA-3550 User’s Guide...
Page 293 A managed AP may potentially be turned off if it is within range of its controller AP while the controller AP updates its settings. The managed AP retains the last settings acquired from the controller AP and is automatically updated once it is detected again by the controller AP. NWA-3500/NWA-3550 User’s Guide...
Page 294: Internet Access
(microwaves, other wireless networks, and so on). • Reboot the NWA. • If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions NWA-3500/NWA-3550 User’s Guide...
Page 295: Wireless Router/Ap Troubleshooting
• If you enable this function, you should ensure that there are multiple APs within the broadcast radius that can accept any rejected or kicked wireless clients; otherwise, a wireless client attempting to connect to an overloaded NWA will be kicked continuously and never be allowed to connect. NWA-3500/NWA-3550 User’s Guide...
Page 296 Chapter 24 Troubleshooting NWA-3500/NWA-3550 User’s Guide...
Page 297: Product Specifications
Humidity: 20% ~ 95% RH Storage Environment Temperature: -40º C ~ 60º C Humidity: 5% ~ 95% RH Table 89 NWA-3500 Hardware Specifications Dimensions 212.5 (W) x 138.5 (D) x 52mm (H) mm Power Specification 12 V DC, 1 A Reset button Returns all settings to their factory defaults.
Page 298 WMM (Wi-Fi MultiMedia) QoS (Quality of Service) allows you to prioritize wireless traffic. Certificates The NWA can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication. NWA-3500/NWA-3550 User’s Guide...
Page 299 DFS (Dynamic Frequency Selection) allows a wider choice of 802.11a wireless channels. CAPWAP (Control and The NWA can be managed via CAPWAP, which allows multiple Provisioning of Wireless APs to be configured and managed by a single AP controller. Access Points) NWA-3500/NWA-3550 User’s Guide...
Page 300 EN 301 489-1 V1.5.1: 11-2004 Environmental • 2002/95/EC (RoHS) Restriction of Hazardous Substances Directive • 2002/96/EC (WEEE) Waste Electrical and Electronic Equipment Directive • European Parliament and Council Directive 94/62/EC of 20 December 1994 on packaging and packaging waste NWA-3500/NWA-3550 User’s Guide...
Page 301 Humidity 95% at 95% at 95% at 95% at 95% at 95% at 95% at 25ºC 55ºC 55ºC 55ºC 55ºC 55ºC 55ºC Weight 337 gw 107 gw 407 g 1.6 kg 110 g 206 g 640 gw NWA-3500/NWA-3550 User’s Guide...
Page 302 Table 95 Power over Ethernet Injector RJ-45 Port Pin Assignments RJ-45 SIGNAL PIN NO ASSIGNMENT Output Transmit Data + Output Transmit Data - 1 2 3 4 5 6 7 8 Receive Data + Power + Power + Receive Data - Power - Power - NWA-3500/NWA-3550 User’s Guide...
Page 303: Appendices And Index
Appendices and Index Setting Up Your Computer’s IP Address (305) Wireless LANs (331) Pop-up Windows, JavaScripts and Java Permissions (347) Importing Certificates (355) IP Addresses and Subnetting (381) Text File Based Auto Configuration (391) Legal Information (399) Index (403)
Page 305: Appendix A Setting Up Your Computer's Ip Address
316 • Linux: Ubuntu 8 (GNOME) page 320 • Linux: openSUSE 10.3 (KDE) page 325 Windows XP/NT/2000 The following example uses the default Windows XP display theme but can also apply to Windows 2000 and Windows NT. NWA-3500/NWA-3550 User’s Guide...
Page 306 Appendix A Setting Up Your Computer’s IP Address Click Start > Control Panel. Figure 180 Windows XP: Start Menu In the Control Panel, click the Network Connections icon. Figure 181 Windows XP: Control Panel NWA-3500/NWA-3550 User’s Guide...
Page 307 Right-click Local Area Connection and then select Properties. Figure 182 Windows XP: Control Panel > Network Connections > Properties On the General tab, select Internet Protocol (TCP/IP) and then click Properties. Figure 183 Windows XP: Local Area Connection Properties NWA-3500/NWA-3550 User’s Guide...
Page 308 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information. NWA-3500/NWA-3550 User’s Guide...
Page 309: Windows Vista
Click Start > Control Panel. Figure 185 Windows Vista: Start Menu In the Control Panel, click the Network and Internet icon. Figure 186 Windows Vista: Control Panel Click the Network and Sharing Center icon. Figure 187 Windows Vista: Network And Internet NWA-3500/NWA-3550 User’s Guide...
Page 310 Figure 188 Windows Vista: Network and Sharing Center Right-click Local Area Connection and then select Properties. Figure 189 Windows Vista: Network and Sharing Center Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. NWA-3500/NWA-3550 User’s Guide...
Page 311 Appendix A Setting Up Your Computer’s IP Address Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties. Figure 190 Windows Vista: Local Area Connection Properties NWA-3500/NWA-3550 User’s Guide...
Page 312 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information. NWA-3500/NWA-3550 User’s Guide...
Page 313 The screens in this section are from Mac OS X 10.4 but can also apply to 10.3. Click Apple > System Preferences. Figure 192 Mac OS X 10.4: Apple Menu In the System Preferences window, click the Network icon. Figure 193 Mac OS X 10.4: System Preferences NWA-3500/NWA-3550 User’s Guide...
Page 314 Configure. Figure 194 Mac OS X 10.4: Network Preferences For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab. Figure 195 Mac OS X 10.4: Network Preferences > TCP/IP Tab. NWA-3500/NWA-3550 User’s Guide...
Page 315 • In the IP Address field, type your IP address. • In the Subnet Mask field, type your subnet mask. • In the Router field, type the IP address of your device. Figure 196 Mac OS X 10.4: Network Preferences > Ethernet NWA-3500/NWA-3550 User’s Guide...
Page 316 Figure 197 Mac OS X 10.4: Network Utility Mac OS X: 10.5 The screens in this section are from Mac OS X 10.5. Click Apple > System Preferences. Figure 198 Mac OS X 10.5: Apple Menu NWA-3500/NWA-3550 User’s Guide...
Page 317 Appendix A Setting Up Your Computer’s IP Address In System Preferences, click the Network icon. Figure 199 Mac OS X 10.5: Systems Preferences NWA-3500/NWA-3550 User’s Guide...
Page 318 From the Configure list, select Using DHCP for dynamically assigned settings. For statically assigned settings, do the following: • From the Configure list, select Manually. • In the IP Address field, enter your IP address. • In the Subnet Mask field, enter your subnet mask. NWA-3500/NWA-3550 User’s Guide...
Page 319 Appendix A Setting Up Your Computer’s IP Address • In the Router field, enter the IP address of your NWA. Figure 201 Mac OS X 10.5: Network Preferences > Ethernet Click Apply and close the window. NWA-3500/NWA-3550 User’s Guide...
Page 320 The following screens use the default Ubuntu 8 installation. Note: Make sure you are logged in as the root administrator. Follow the steps below to configure your computer IP address in GNOME: NWA-3500/NWA-3550 User’s Guide...
Page 321 When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make changes to your configuration unless you first enter your admin password. Figure 204 Ubuntu 8: Network Settings > Connections NWA-3500/NWA-3550 User’s Guide...
Page 322 In the Authenticate window, enter your admin account name and password then click the Authenticate button. Figure 205 Ubuntu 8: Administrator Account Authentication In the Network Settings window, select the connection that you want to configure, then click Properties. Figure 206 Ubuntu 8: Network Settings > Connections NWA-3500/NWA-3550 User’s Guide...
Page 323 • In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields. Click OK to save the changes and close the Properties dialog box and return to the Network Settings screen. NWA-3500/NWA-3550 User’s Guide...
Page 324 Figure 208 Ubuntu 8: Network Settings > DNS Click the Close button to apply the changes. Verifying Settings Check your TCP/IP properties by clicking System > Administration > Network Tools, and then selecting the appropriate Network device from the Devices NWA-3500/NWA-3550 User’s Guide...
Page 325 The following screens use the default openSUSE 10.3 installation. Note: Make sure you are logged in as the root administrator. Follow the steps below to configure your computer IP address in the KDE: NWA-3500/NWA-3550 User’s Guide...
Page 326 Click K Menu > Computer > Administrator Settings (YaST). Figure 210 openSUSE 10.3: K Menu > Computer Menu When the Run as Root - KDE su dialog opens, enter the admin password and click OK. Figure 211 openSUSE 10.3: K Menu > Computer Menu NWA-3500/NWA-3550 User’s Guide...
Page 327 Figure 212 openSUSE 10.3: YaST Control Center When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button. Figure 213 openSUSE 10.3: Network Settings NWA-3500/NWA-3550 User’s Guide...
Page 328 Select Dynamic Address (DHCP) if you have a dynamic IP address. Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields. Click Next to save the changes and close the Network Card Setup window. NWA-3500/NWA-3550 User’s Guide...
Page 329 If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided. Figure 215 openSUSE 10.3: Network Settings Click Finish to save your settings and close the window. NWA-3500/NWA-3550 User’s Guide...
Page 330 From the Options sub-menu, select Show Connection Information. Figure 216 openSUSE 10.3: KNetwork Manager When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly. Figure 217 openSUSE: Connection Status - KNetwork Manager NWA-3500/NWA-3550 User’s Guide...
Page 331: Appendix B Wireless Lans
(AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate NWA-3500/NWA-3550 User’s Guide...
Page 332 This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. NWA-3500/NWA-3550 User’s Guide...
Page 333 A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or NWA-3500/NWA-3550 User’s Guide...
Page 334 RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. NWA-3500/NWA-3550 User’s Guide...
Page 335: Fragmentation Threshold
IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has NWA-3500/NWA-3550 User’s Guide...
Page 336: Wireless Security Overview
IEEE802.1x EAP with RADIUS Server Authentication Wi-Fi Protected Access (WPA) WPA2 Most Secure Note: You must enable the same wireless security settings on the NWA and on all wireless clients that you want to associate with it. NWA-3500/NWA-3550 User’s Guide...
Page 337 The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication: • Access-Request Sent by an access point requesting authentication. • Access-Reject Sent by a RADIUS server rejecting access. • Access-Accept Sent by a RADIUS server allowing access. NWA-3500/NWA-3550 User’s Guide...
Page 338 The wireless client ‘proves’ that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. NWA-3500/NWA-3550 User’s Guide...
Page 339 However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. NWA-3500/NWA-3550 User’s Guide...
Page 340: Dynamic Wep Key Exchange
RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. NWA-3500/NWA-3550 User’s Guide...
Page 341 The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption NWA-3500/NWA-3550 User’s Guide...
Page 342 RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system. The AP passes the wireless client's authentication request to the RADIUS server. The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. NWA-3500/NWA-3550 User’s Guide...
Page 343 (including spaces and symbols). The AP checks each wireless client's password and (only) allows it to join the network if the password matches. The AP and wireless clients use the pre-shared key to generate a common PMK (Pairwise Master Key). NWA-3500/NWA-3550 User’s Guide...
Page 344: Security Parameters Summary
Enable without Dynamic WEP Open Enable with Dynamic WEP Key Enable without Dynamic WEP Disable Shared Enable with Dynamic WEP Key Enable without Dynamic WEP Disable TKIP/AES Enable WPA-PSK TKIP/AES Disable WPA2 TKIP/AES Enable WPA2-PSK TKIP/AES Disable NWA-3500/NWA-3550 User’s Guide...
Page 345: Antenna Characteristics
Types of Antennas for WLAN There are two types of antennas used for wireless LAN applications. NWA-3500/NWA-3550 User’s Guide...
Page 346 For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. NWA-3500/NWA-3550 User’s Guide...
Page 347: Appendix C Pop-Up Windows, Javascripts And Java Permissions
Disable pop-up Blockers In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 224 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. NWA-3500/NWA-3550 User’s Guide...
Page 348 Click Apply to save this setting. Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. In Internet Explorer, select Tools, Internet Options and then the Privacy tab. NWA-3500/NWA-3550 User’s Guide...
Page 349 Select Settings…to open the Pop-up Blocker Settings screen. Figure 226 Internet Options: Privacy Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. NWA-3500/NWA-3550 User’s Guide...
Page 350 Figure 227 Pop-up Blocker Settings Click Close to return to the Privacy screen. Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. NWA-3500/NWA-3550 User’s Guide...
Page 351 Figure 228 Internet Options: Security Click the Custom Level... button. Scroll down to Scripting. Under Active scripting make sure that Enable is selected (the default). Under Scripting of Java applets make sure that Enable is selected (the default). NWA-3500/NWA-3550 User’s Guide...
Page 352 Figure 229 Security Settings - Java Scripting Java Permissions From Internet Explorer, click Tools, Internet Options and then the Security tab. Click the Custom Level... button. Scroll down to Microsoft VM. Under Java permissions make sure that a safety level is selected. NWA-3500/NWA-3550 User’s Guide...
Page 353 Click OK to close the window. Figure 230 Security Settings - Java JAVA (Sun) From Internet Explorer, click Tools, Internet Options and then the Advanced tab. Make sure that Use Java 2 for <applet> under Java (Sun) is selected. NWA-3500/NWA-3550 User’s Guide...
Page 354 Appendix C Pop-up Windows, JavaScripts and Java Permissions Click OK to close the window. Figure 231 Java (Sun) NWA-3500/NWA-3550 User’s Guide...
Page 355: Appendix D Importing Certificates
364 • Opera on page 369 • Konqueror on page 376 Internet Explorer The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, they can also apply to Internet Explorer on Windows Vista. NWA-3500/NWA-3550 User’s Guide...
Page 356 Figure 232 Internet Explorer 7: Certification Error Click Continue to this website (not recommended). Figure 233 Internet Explorer 7: Certification Error In the Address Bar, click Certificate Error > View certificates. Figure 234 Internet Explorer 7: Certificate Error NWA-3500/NWA-3550 User’s Guide...
Page 357 Appendix D Importing Certificates In the Certificate dialog box, click Install Certificate. Figure 235 Internet Explorer 7: Certificate In the Certificate Import Wizard, click Next. Figure 236 Internet Explorer 7: Certificate Import Wizard NWA-3500/NWA-3550 User’s Guide...
Page 358 Next again and then go to step 9. Figure 237 Internet Explorer 7: Certificate Import Wizard Otherwise, select Place all certificates in the following store and then click Browse. Figure 238 Internet Explorer 7: Certificate Import Wizard NWA-3500/NWA-3550 User’s Guide...
Page 359 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 239 Internet Explorer 7: Select Certificate Store In the Completing the Certificate Import Wizard screen, click Finish. Figure 240 Internet Explorer 7: Certificate Import Wizard NWA-3500/NWA-3550 User’s Guide...
Page 360 12 The next time you start Internet Explorer and go to a ZyXEL web configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information. Figure 243 Internet Explorer 7: Website Identification NWA-3500/NWA-3550 User’s Guide...
Page 361 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 355 complete the installation process. Removing a Certificate in Internet Explorer This section shows you how to remove a public key certificate in Internet Explorer NWA-3500/NWA-3550 User’s Guide...
Page 362 Appendix D Importing Certificates Open Internet Explorer and click Tools > Internet Options. Figure 246 Internet Explorer 7: Tools Menu In the Internet Options dialog box, click Content > Certificates. Figure 247 Internet Explorer 7: Internet Options NWA-3500/NWA-3550 User’s Guide...
Page 363 Remove. Figure 248 Internet Explorer 7: Certificates In the Certificates confirmation, click Yes. Figure 249 Internet Explorer 7: Certificates In the Root Certificate Store dialog box, click Yes. Figure 250 Internet Explorer 7: Root Certificate Store NWA-3500/NWA-3550 User’s Guide...
Page 364 If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Select Accept this certificate permanently and click OK. Figure 251 Firefox 2: Website Certified by an Unknown Authority NWA-3500/NWA-3550 User’s Guide...
Page 365 Installing a Stand-Alone Certificate File in Firefox Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. NWA-3500/NWA-3550 User’s Guide...
Page 366 Appendix D Importing Certificates Open Firefox and click Tools > Options. Figure 253 Firefox 2: Tools Menu In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 254 Firefox 2: Options NWA-3500/NWA-3550 User’s Guide...
Page 367 Use the Select File dialog box to locate the certificate and then click Open. Figure 256 Firefox 2: Select File The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information. NWA-3500/NWA-3550 User’s Guide...
Page 368 This section shows you how to remove a public key certificate in Firefox 2. Open Firefox and click Tools > Options. Figure 257 Firefox 2: Tools Menu In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 258 Firefox 2: Options NWA-3500/NWA-3550 User’s Guide...
Page 369 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Opera The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms. NWA-3500/NWA-3550 User’s Guide...
Page 370 Figure 261 Opera 9: Certificate signer not found The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Figure 262 Opera 9: Security information NWA-3500/NWA-3550 User’s Guide...
Page 371 Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. Open Opera and click Tools > Preferences. Figure 263 Opera 9: Tools Menu NWA-3500/NWA-3550 User’s Guide...
Page 372 Appendix D Importing Certificates In Preferences, click Advanced > Security > Manage certificates. Figure 264 Opera 9: Preferences NWA-3500/NWA-3550 User’s Guide...
Page 373 Appendix D Importing Certificates In the Certificates Manager, click Authorities > Import. Figure 265 Opera 9: Certificate manager Use the Import certificate dialog box to locate the certificate and then click Open. Figure 266 Opera 9: Import certificate NWA-3500/NWA-3550 User’s Guide...
Page 374 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9. NWA-3500/NWA-3550 User’s Guide...
Page 375 Appendix D Importing Certificates Open Opera and click Tools > Preferences. Figure 269 Opera 9: Tools Menu In Preferences, Advanced > Security > Manage certificates. Figure 270 Opera 9: Preferences NWA-3500/NWA-3550 User’s Guide...
Page 376 The following example uses Konqueror 3.5 on openSUSE 10.3, however the screens apply to Konqueror 3.5 on all Linux KDE distributions. If your device’s web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. NWA-3500/NWA-3550 User’s Guide...
Page 377 Click Forever when prompted to accept the certificate. Figure 273 Konqueror 3.5: Server Authentication Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details. Figure 274 Konqueror 3.5: KDE SSL Information NWA-3500/NWA-3550 User’s Guide...
Page 378 Figure 275 Konqueror 3.5: Public Key Certificate File In the Certificate Import Result - Kleopatra dialog box, click OK. Figure 276 Konqueror 3.5: Certificate Import Result The public key certificate appears in the KDE certificate manager, Kleopatra. Figure 277 Konqueror 3.5: Kleopatra NWA-3500/NWA-3550 User’s Guide...
Page 379 Open Konqueror and click Settings > Configure Konqueror. Figure 278 Konqueror 3.5: Settings Menu In the Configure dialog box, select Crypto. On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove. Figure 279 Konqueror 3.5: Configure NWA-3500/NWA-3550 User’s Guide...
Page 380 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button. NWA-3500/NWA-3550 User’s Guide...
Page 381: Appendix E Ip Addresses And Subnetting
192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. NWA-3500/NWA-3550 User’s Guide...
Page 382: Subnet Masks
The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal). Table 100 Subnet Masks OCTET: OCTET: OCTET: OCTET (192) (168) IP Address (Binary) 11000000 10101000 00000001 00000010 Subnet Mask (Binary) 11111111 11111111 11111111 00000000 NWA-3500/NWA-3550 User’s Guide...
Page 383 An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example). NWA-3500/NWA-3550 User’s Guide...
Page 384 Table 103 Alternative Subnet Mask Notation SUBNET ALTERNATIVE LAST OCTET LAST OCTET MASK NOTATION (BINARY) (DECIMAL) 255.255.255.0 0000 0000 255.255.255.12 1000 0000 255.255.255.19 1100 0000 255.255.255.22 1110 0000 255.255.255.24 1111 0000 255.255.255.24 1111 1000 255.255.255.25 1111 1100 NWA-3500/NWA-3550 User’s Guide...
Page 385 You can “borrow” one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25). The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. NWA-3500/NWA-3550 User’s Guide...
Page 386 Similarly, to divide a 24-bit address into four subnets, you need to “borrow” two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192. NWA-3500/NWA-3550 User’s Guide...
Page 387 Lowest Host ID: 192.168.1.129 192.168.1.128 Broadcast Address: Highest Host ID: 192.168.1.190 192.168.1.191 Table 107 Subnet 4 LAST OCTET BIT IP/SUBNET MASK NETWORK NUMBER VALUE IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001 11000000 Subnet Mask (Binary) 11111111.11111111.11111111 11000000 NWA-3500/NWA-3550 User’s Guide...
Page 388 The following table is a summary for subnet planning on a network with a 24-bit network number. Table 109 24-bit Network Number Subnet Planning NO. “BORROWED” NO. HOSTS PER SUBNET MASK NO. SUBNETS HOST BITS SUBNET 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) NWA-3500/NWA-3550 User’s Guide...
Page 389 (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your NWA will compute the subnet mask automatically based on the IP address that NWA-3500/NWA-3550 User’s Guide...
Page 390 Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. NWA-3500/NWA-3550 User’s Guide...
Page 391: Appendix F Text File Based Auto Configuration
Figure 283 Text File Based Auto Configuration Use one of the following methods to give the AP the IP address of the TFTP server where you store the configuration files and the name of the configuration file that it should download. NWA-3500/NWA-3550 User’s Guide...
Page 392: Manual Configuration
Specify the TFTP server IP address and file name wcfg autocfg server [IP] from which the AP is to download a configuration [filename] file whenever the AP starts up. Configuration Via SNMP You can configure and trigger the auto configuration remotely via SNMP. NWA-3500/NWA-3550 User’s Guide...
Page 393 The text based configuration file must use the following format. Figure 284 Configuration File Format !#ZYXEL PROWLAN !#VERSION 12 wcfg security 1 xxx wcfg security save wcfg ssid 1 xxx wcfg ssid save The first line must be !#ZYXEL PROWLAN. NWA-3500/NWA-3550 User’s Guide...
Page 394 You can zip each configuration file. You must use the store compression method and a .zip file extension. When zipping a configuration file, you can also add password protection using the same password that you use to log into the AP. NWA-3500/NWA-3550 User’s Guide...
Page 395 2 backup 172.23.3.5 1812 1234 enable wcfg radius save wcfg ssid 2 name ssid-8021x wcfg ssid 2 security Test-8021x wcfg ssid 2 radius radius-rd wcfg ssid 2 qos 4 wcfg ssid 2 l2isolation disable wcfg ssid 2 macfilter disable wcfg ssid save NWA-3500/NWA-3550 User’s Guide...
Page 396 SSID profiles from the wcfg command configuration file examples and general wireless settings. You could actually combine all of this chapter’s example configuration files into a single configuration file. Remember that the commands are applied in order. So for example, you would place the NWA-3500/NWA-3550 User’s Guide...
Page 397 0 wlan ssidprofile ssid-wep !change operating mode -> MBSSID mode, !then select ssid-wpapsk, ssid-wpa2psk as running WLAN profiles wlan opmode 3 wlan ssidprofile ssid-wpapsk ssid-wpa2psk ! set output power level to 50% wlan output power 2 NWA-3500/NWA-3550 User’s Guide...
Page 398 Appendix F Text File Based Auto Configuration NWA-3500/NWA-3550 User’s Guide...
Page 399: Appendix G Legal Information
ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
Page 400 • To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons. 注意 ! 依據低功率電波輻射性電機管理辦法第十二條經型式認證合格之低功率射頻電機，非經許可，公司、商號或使用者均不得擅自變更頻率、加大功率或變更原設計之特性及功能。第十四條低功率射頻電機之使用不得影響飛航安全及干擾合法通信；經發現有干擾現象時，應立即停用，並改善至無干擾時方得繼續使用。 NWA-3500/NWA-3550 User’s Guide...
Page 401 ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions. NWA-3500/NWA-3550 User’s Guide...
Page 402 Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products. NWA-3500/NWA-3550 User’s Guide...
Page 403: Index
149, 150 ATC+WMM configuration file examples format authentication server configuration file rules auto configuration Control and Providioning of Wireless Access auto configuration status Points See CAPWAP copyright CTS (Clear to Send) backup Basic Service Set see BSS NWA-3500/NWA-3550 User’s Guide...
Page 404 Internet telephony IP address 110, 185, 298 IPSec VPN capability isolation FCC interference statement file version filtering firmware file maintenance fragmentation threshold layer-2 isolation 23, 30 friendly AP list 189, 191 LEDs 32, 197 log descriptions restrictions NWA-3500/NWA-3550 User’s Guide...
Page 405 Message Integrity Check (MIC) mobile access mode 23, 149 Quick Start Guide network radio network access RADIUS network bridge message types network number messages network traffic shared secret key rapid STP reauthentication time 161, 163, 164, 165, 166 registration product NWA-3500/NWA-3550 User’s Guide...
Page 406 WEP encryption subnet Wi-Fi Multimedia QoS subnet mask 110, 298, 382 Wi-Fi Protected Access 23, 340 subnetting wired network 23, 24, 25 syntax conventions wireless channel system name wireless client WPA supplicants system timeout Wireless Distribution System (WDS) NWA-3500/NWA-3550 User’s Guide...
Page 407 WPA-PSK wireless client supplicant with RADIUS application example WPA2 23, 340 user authentication vs WPA2-PSK wireless client supplicant with RADIUS application example WPA2-Pre-Shared Key WPA2-PSK 340, 341 application example WPA-PSK application example NWA-3500/NWA-3550 User’s Guide...
Page 408 Index NWA-3500/NWA-3550 User’s Guide...

This manual is also suitable for:

Nwa-3550