Zyxel NWA-3100 user manual

NWA-3100
802.11a/b/g Wireless Access Point

User’s Guide

Version 3.60 10/2006 Edition 1
www.zyxel.com
About This User's Guide
Intended Audience
This manual is intended for people who want to configure the ZyXEL Device using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Related Documentation
• Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
• Supporting Disk: Refer to the included CD for support documents.
• ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications.
User Guide Feedback
Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw

Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.
Warnings tell you about things that could harm you or your device.
Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
• The NWA-3100 may be referred to as the “ZyXEL Device”, the “device”, the “product” or the “system” in this User’s Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the “enter” or “return” key on your keyboard.
• “Enter” means for you to type one or more characters and then press the [ENTER] key. “Select” or “choose” means for you to use one of the predefined choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
• Units of measurement may denote the “metric” value or the “scientific” value. For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The ZyXEL Device icon is not an exact representation of your device.
[Figure: generic icons for ZyXEL Device, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch and Router]

Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT use this device near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• ONLY qualified service personnel should service or disassemble this device.
• Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
• Always disconnect all cables from this device before servicing or disassembling.
• Use ONLY an appropriate power adaptor or cord for your device.
• Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the device where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the power outlet.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
• Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
• If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
• The PoE (Power over Ethernet) devices that supply or receive power and their connected Ethernet cables must all be completely indoors.
• Fuse Warning! Replace a fuse only with a fuse of the same type and rating.
This product is recyclable. Dispose of it properly.

Contents Overview

Introduction
• Introducing the ZyXEL Device
• Introducing the Web Configurator
• Tutorial
The Web Configurator
• System Screens
• Wireless Configuration
• Wireless Security Configuration
• MBSSID and SSID
• Other Wireless Configuration
• IP Screen
• Rogue AP
• Remote Management
• Certificates
• Log Screens
• VLAN
• Maintenance
SMT and Troubleshooting
• Introducing the SMT
• General Setup
• LAN Setup
• SNMP Configuration
• System Password
• System Information and Diagnosis
• Firmware and Configuration File Maintenance
• System Maintenance and Information
• Troubleshooting
Appendices and Index

Table of Contents

About This User's Guide
Document Conventions
Safety Warnings
Contents Overview
Table of Contents
List of Figures
List of Tables
Part I: Introduction
Chapter 1: Introducing the ZyXEL Device
1.1 Introducing the ZyXEL Device
1.2 Applications for the ZyXEL Device
1.2.1 Access Point
1.2.2 AP + Bridge
1.2.3 Bridge / Repeater
1.2.4 MBSSID
1.2.5 Pre-Configured SSID Profiles
1.3 Ways to Manage the ZyXEL Device
1.4 Good Habits for Managing the ZyXEL Device
1.5 LEDs
Chapter 2: Introducing the Web Configurator
2.1 Accessing the Web Configurator
2.2 Resetting the ZyXEL Device
2.2.1 Methods of Restoring Factory-Defaults
2.3 Navigating the Web Configurator
Chapter 3: Tutorial
3.1 How to Configure Multiple Wireless Networks
3.1.1 Change the Operating Mode
3.1.2 Configure the VoIP Network
3.1.2.1 Set Up Security for the VoIP Profile
3.1.2.2 Activate the VoIP Profile
3.1.3 Configure the Guest Network
3.1.3.1 Set Up Security for the Guest Profile
3.1.3.2 Set up Layer 2 Isolation
3.1.3.3 Activate the Guest Profile
3.1.4 Testing the Wireless Networks
3.2 How to Set Up and Use Rogue AP Detection
3.2.1 Set Up and Save a Friendly AP list
3.2.2 Activate Periodic Rogue AP Detection
3.2.3 Set Up E-mail Logs
3.2.4 Configure Your Other Access Points
3.2.5 Test the Setup
Part II: The Web Configurator
Chapter 4: System Screens
4.1 System Overview
4.2 Configuring General Setup
4.3 Configuring Password
4.4 Configuring Time Setting
Chapter 5: Wireless Configuration
5.1 Wireless LAN Overview
5.1.1 BSS
5.1.2 ESS
5.2 Wireless LAN Basics
5.3 Quality of Service
5.3.1 WMM QoS
5.3.1.1 WMM QoS Priorities
5.3.2 ATC
5.3.3 ATC+WMM
5.3.3.1 ATC+WMM from LAN to WLAN
5.3.3.2 ATC+WMM from WLAN to LAN
5.3.4 Type Of Service (ToS)
5.3.4.1 DiffServ
5.3.4.2 DSCP and Per-Hop Behavior
5.3.5 ToS (Type of Service) and WMM QoS
5.4 Spanning Tree Protocol (STP)
5.4.1 Rapid STP
5.4.2 STP Terminology
5.4.3 How STP Works
5.4.4 STP Port States
5.5 Wireless Screen Overview
5.6 Configuring Wireless Settings
5.6.1 Access Point Mode
5.6.2 Bridge/Repeater Mode
5.6.3 AP+Bridge Mode
5.6.4 MBSSID Mode
Chapter 6: Wireless Security Configuration
6.1 Wireless Security Overview
6.1.1 Encryption
6.1.2 Restricted Access
6.1.3 Hide Identity
6.1.4 WEP Encryption
6.2 802.1x Overview
6.3 EAP Authentication Overview
6.4 Introduction to WPA
6.4.1 User Authentication
6.4.2 Encryption
6.4.3 WPA(2)-PSK Application Example
6.5 WPA(2) with RADIUS Application Example
6.6 Security Modes
6.7 Wireless Client WPA Supplicants
6.8 Wireless Security Effectiveness
6.9 Configuring Security
6.9.1 Security: WEP
6.9.2 Security: 802.1x Only
6.9.3 Security: 802.1x Static 64-bit, 802.1x Static 128-bit
6.9.4 Security: WPA
6.9.5 Security: WPA2 or WPA2-MIX
6.9.6 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX
6.10 Introduction to RADIUS
6.11 Configuring RADIUS
Chapter 7: MBSSID and SSID
7.1 Wireless LAN Infrastructures
7.1.1 MBSSID
7.1.2 Notes on Multiple BSS
7.1.3 Multiple BSS Example
7.1.4 Multiple BSS with VLAN Example
7.1.5 Configuring Multiple BSSs
7.2 SSID
7.2.1 The SSID Screen
7.2.2 Configuring SSID
Chapter 8: Other Wireless Configuration
8.1 Layer-2 Isolation Introduction
8.2 Configuring Layer-2 Isolation
8.2.1 Layer-2 Isolation Examples
8.2.1.1 Layer-2 Isolation Example 1
8.2.1.2 Layer-2 Isolation Example 2
8.3 Configuring MAC Filter
8.4 Configuring Roaming
8.4.1 Requirements for Roaming
Chapter 9: IP Screen
9.1 Factory Ethernet Defaults
9.2 TCP/IP Parameters
9.2.1 WAN IP Address Assignment
9.3 Configuring IP
Chapter 10: Rogue AP
10.1 Rogue AP Introduction
10.2 Rogue AP Examples
10.2.1 “Honeypot” Attack
10.3 Configuring Rogue AP Detection
10.3.1 Rogue AP: Configuration
10.3.2 Rogue AP: Friendly AP
10.3.3 Rogue AP List
Chapter 11: Remote Management
11.1 Remote Management Overview
11.1.1 Remote Management Limitations
11.1.2 System Timeout
11.2 SSH
11.3 Telnet
11.4 Configuring FTP
11.5 Configuring WWW
11.6 SNMP
11.6.1 Supported MIBs
11.6.2 SNMP Traps
11.7 SNMP Traps
11.7.1 Configuring SNMP
Chapter 12: Certificates
12.1 Certificates Overview
12.1.1 Advantages of Certificates
12.2 Self-signed Certificates
12.3 Verifying a Certificate
12.3.1 Checking the Fingerprint of a Certificate on Your Computer
12.4 Configuration Summary
12.5 My Certificates
12.6 Certificate File Formats
12.7 Importing a Certificate
12.8 Creating a Certificate
12.9 My Certificate Details
12.10 Trusted CAs
12.11 Importing a Trusted CA’s Certificate
12.12 Trusted CA Certificate Details
Chapter 13: Log Screens
13.1 Configuring View Log
13.2 Configuring Log Settings
13.3 Example Log Messages
13.4 Log Commands
13.4.1 Configuring What You Want the ZyXEL Device to Log
13.4.2 Displaying Logs
13.5 Log Command Example
Chapter 14: VLAN
14.1 VLAN
14.1.1 Management VLAN ID
14.1.2 VLAN Tagging
14.2 Configuring VLAN
14.2.1 Wireless VLAN
14.2.2 RADIUS VLAN
14.2.3 Configuring Management VLAN Example
14.2.4 Configuring Microsoft’s IAS Server Example
14.2.4.1 Configuring VLAN Groups
14.2.4.2 Configuring Remote Access Policies
14.2.5 Second Rx VLAN ID Example
14.2.5.1 Second Rx VLAN Setup Example
Chapter 15: Maintenance
15.1 Maintenance Overview
15.2 System Status Screen
15.2.1 System Statistics
15.3 Association List
15.4 Channel Usage
15.5 F/W Upload Screen
15.6 Configuration Screen
15.6.1 Backup Configuration
15.6.2 Restore Configuration
15.6.3 Back to Factory Defaults
15.7 Restart Screen
Part III: SMT and Troubleshooting...................................................... 185
Chapter 16
Introducing the SMT .............................................................................................................187
16.1 Connect to your ZyXEL Device Using Telnet ................................................................... 187
16.2 Changing the System Password ..................................................................................... 187
16.3 SMT Menu Overview Example ........................................................................................ 188
16.4 Navigating the SMT Interface .......................................................................................... 188
16.4.1 System Management Terminal Interface Summary ............................................... 190
Chapter 17
General Setup........................................................................................................................ 191
17.1 General Setup ................................................................................................................. 191
17.1.1 Procedure To Configure Menu 1 ............................................................................ 191
Chapter 18
LAN Setup.............................................................................................................................. 193
18.1 LAN Setup ....................................................................................................................... 193
18.2 TCP/IP Ethernet Setup .................................................................................................... 193
Chapter 19
SNMP Configuration.............................................................................................................195
19.1 SNMP Configuration ........................................................................................................195
Chapter 20
System Password .................................................................................................................197
20.1 System Password ............................................................................................................ 197
Chapter 21
System Information and Diagnosis..................................................................................... 199
21.1 System Status .................................................................................................................. 199
21.2 System Information .......................................................................................................... 200
21.2.1 System Information ................................................................................................ 201
21.2.2 Console Port Speed ............................................................................................... 202
21.3 Log and Trace .................................................................................................................. 202
21.3.1 Viewing Error Log ................................................................................................... 202
21.4 Diagnostic ........................................................................................................................ 203
Chapter 22
Firmware and Configuration File Maintenance..................................................................205
22.1 Filename Conventions ..................................................................................................... 205
22.2 Backup Configuration ......................................................................................................206
22.2.1 Backup Configuration Using FTP ........................................................................... 206
22.2.2 Using the FTP command from the DOS Prompt .................................................... 207
22.2.3 Backup Configuration Using TFTP ......................................................................... 207
22.2.4 Example: TFTP Command ..................................................................................... 208
22.2.5 Backup Via Console Port ....................................................................................... 209
22.3 Restore Configuration ..................................................................................................... 210
22.3.1 Restore Using FTP ................................................................................................. 210
22.4 Uploading Firmware and Configuration Files .................................................................. 210
22.4.1 Firmware Upload .....................................................................................................211
22.4.2 Configuration File Upload ........................................................................................211
22.4.3 Using the FTP command from the DOS Prompt Example ..................................... 212
22.4.4 TFTP File Upload ................................................................................................... 213
22.4.5 Example: TFTP Command ..................................................................................... 213
22.4.6 Uploading Via Console Port ................................................................................... 213
22.4.7 Uploading Firmware File Via Console Port ............................................................ 214
22.4.8 Example Xmodem Firmware Upload Using HyperTerminal ................................... 214
22.4.9 Uploading Configuration File Via Console Port ...................................................... 215
22.4.10 Example Xmodem Configuration Upload Using HyperTerminal ........................... 215
Chapter 23
System Maintenance and Information ................................................................................217
23.1 Command Interpreter Mode ............................................................................................ 217
23.1.1 Command Syntax ................................................................................................... 218
23.1.2 Command Usage ................................................................................................... 218
23.1.3 Brute-Force Password Guessing Protection .......................................................... 218
23.1.3.1 Configuring Brute-Force Password Guessing Protection: Example ............. 218
23.2 Time and Date Setting .....................................................................................................219
23.2.1 Resetting the Time ................................................................................................. 220
23.3 Remote Management Setup ............................................................................................ 220
23.3.1 Telnet ...................................................................................................................... 220
23.3.2 FTP ........................................................................................................................ 220
23.3.3 Web ........................................................................................................................ 220
23.3.4 Remote Management Setup .................................................................................. 220
23.3.5 Remote Management Limitations .......................................................................... 222
23.4 System Timeout ............................................................................................................... 222
Chapter 24
Troubleshooting.................................................................................................................... 223
24.1 Power, Hardware Connections, and LEDs ...................................................................... 223
24.2 ZyXEL Device Access and Login .................................................................................... 223
24.3 Internet Access ................................................................................................................ 225
Part IV: Appendices and Index ........................................................... 227
Appendix A Product Specifications.......................................................................................229
Appendix B Setting up Your Computer’s IP Address............................................................ 233
Appendix C IP Address Assignment Conflicts......................................................................245
Appendix D Wireless LANs .................................................................................................. 249
Appendix E Indoor Installation Recommendations............................................................... 259
Appendix F Pop-up Windows, JavaScripts and Java Permissions ...................................... 261
Appendix G IP Addresses and Subnetting ...........................................................................267
Appendix H Text File Based Auto Configuration ..................................................................275
Appendix I Legal Information................................................................................................ 283
Appendix J Customer Support .............................................................................................287
Index....................................................................................................................................... 291

List of Figures

Figure 1 Access Point Application .......................................................................................................... 32
Figure 2 AP+Bridge Application ............................................................................................................. 33
Figure 3 Bridge Application .................................................................................................................... 34
Figure 4 Repeater Application ................................................................................................................ 34
Figure 5 Multiple BSSs ........................................................................................................................... 35
Figure 6 LEDs ......................................................................................................................................... 37
Figure 7 Change Password Screen ........................................................................................................ 40
Figure 8 Replace Certificate Screen ....................................................................................................... 40
Figure 9 The MAIN MENU Screen of the Web Configurator .................................................................. 41
Figure 10 Tutorial: Example MBSSID Setup .......................................................................................... 44
Figure 11 Tutorial: Wireless LAN: Before ............................................................................................... 45
Figure 12 Tutorial: Wireless LAN: Change Mode ................................................................................... 45
Figure 13 Tutorial: WIRELESS > SSID .................................................................................................. 46
Figure 14 Tutorial: VoIP SSID Profile Edit .............................................................................................. 47
Figure 15 Tutorial: VoIP Security ............................................................................................................ 48
Figure 16 Tutorial: VoIP Security Profile Edit .......................................................................................... 48
Figure 17 Tutorial: VoIP Security: Updated ............................................................................................ 49
Figure 18 Tutorial: Activate VoIP Profile ................................................................................................. 49
Figure 19 Tutorial: Guest Edit ................................................................................................................. 50
Figure 20 Tutorial: Guest Security Profile Edit ........................................................................................ 50
Figure 21 Tutorial: Guest Security: Updated .......................................................................................... 51
Figure 22 Tutorial: Layer 2 Isolation ....................................................................................................... 51
Figure 23 Tutorial: Activate Guest Profile ............................................................................................... 52
Figure 24 Tutorial: Wireless Network Example ....................................................................................... 53
Figure 25 Tutorial: Friendly AP (Before Data Entry) ............................................................................... 54
Figure 26 Tutorial: Friendly AP (After Data Entry) ................................................................................. 55
Figure 27 Tutorial: Configuration ............................................................................................................ 55
Figure 28 Tutorial: Warning .................................................................................................................... 56
Figure 29 Tutorial: Save Friendly AP list ................................................................................................ 56
Figure 30 Tutorial: Periodic Rogue AP Detection .................................................................................. 56
Figure 31 Tutorial: Log Settings .............................................................................................................. 57
Figure 32 System General Setup ........................................................................................................... 63
Figure 33 Password ................................................................................................................................ 64
Figure 34 Time Setting ........................................................................................................................... 65
Figure 35 Basic Service Set .................................................................................................................... 67
Figure 36 Extended Service Set ............................................................................................................. 68
Figure 37 DiffServ: Differentiated Service Field ...................................................................................... 72
Figure 38 Wireless: Access Point ........................................................................................................... 75
Figure 39 Bridging Example ................................................................................................................... 77
Figure 40 Bridge Loop: Two Bridges Connected to Hub ........................................................................ 77
Figure 41 Bridge Loop: Bridge Connected to Wired LAN ....................................................................... 78
Figure 42 Wireless: Bridge/Repeater ..................................................................................................... 78
Figure 43 Wireless: AP+Bridge .............................................................................................................. 80
Figure 44 EAP Authentication ................................................................................................................ 82
Figure 45 WPA(2)-PSK Authentication ................................................................................................... 84
Figure 46 WPA(2) with RADIUS Application Example ........................................................................... 85
Figure 47 Security .................................................................................................................................. 87
Figure 48 Security: WEP ........................................................................................................................ 88
Figure 49 Security: 802.1x Only ............................................................................................................ 89
Figure 50 Security: 802.1x Static 64-bit, 802.1x Static 128-bit .............................................................. 90
Figure 51 Security: WPA ....................................................................................................................... 91
Figure 52 Security: WPA2 or WPA2-MIX ................................................................................................ 92
Figure 53 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX ............................................................. 94
Figure 54 RADIUS .................................................................................................................................. 95
Figure 55 Multiple BSS with VLAN Example .......................................................................................... 98
Figure 56 Wireless: Multiple BSS ........................................................................................................... 98
Figure 57 SSID ..................................................................................................................................... 101
Figure 58 Configuring SSID .................................................................................................................. 102
Figure 59 Layer-2 Isolation Application ................................................................................................ 106
Figure 60 Layer-2 Isolation Configuration Screen ................................................................................ 107
Figure 61 Layer-2 Isolation Example .................................................................................................... 108
Figure 62 Layer-2 Isolation Example 1 ................................................................................................. 108
Figure 63 Layer-2 Isolation Example 2 ................................................................................................. 109
Figure 64 MAC Address Filter ...............................................................................................................110
Figure 65 Roaming Example .................................................................................................................111
Figure 66 Roaming ................................................................................................................................112
Figure 67 IP Setup .................................................................................................................................114
Figure 68 Rogue AP: Example .............................................................................................................118
Figure 69 “Honeypot” Attack ..................................................................................................................119
Figure 70 ROGUE AP > Configuration ................................................................................................. 120
Figure 71 ROGUE AP > Friendly AP .................................................................................................... 121
Figure 72 ROGUE AP > Rogue AP ...................................................................................................... 122
Figure 73 Secure and Insecure Remote Management ........................................................................ 123
Figure 74 SSH Communication Example ............................................................................................. 124
Figure 75 Remote Management: Telnet ............................................................................................... 125
Figure 76 Remote Management: FTP .................................................................................................. 126
Figure 77 Remote Management: WWW ...............................................................................................127
Figure 78 SNMP Management Model .................................................................................................. 128
Figure 79 Remote Management: SNMP ..............................................................................................131
Figure 80 Certificates on Your Computer ............................................................................................. 134
Figure 81 Certificate Details ................................................................................................................ 135
Figure 82 My Certificates ...................................................................................................................... 136
Figure 83 My Certificate Import ............................................................................................................ 138
Figure 84 My Certificate Create ............................................................................................................ 139
Figure 85 My Certificate Details ........................................................................................................... 142
Figure 86 Trusted CAs .......................................................................................................................... 144
Figure 87 Trusted CA Import ................................................................................................................ 146
Figure 88 Trusted CA Details ............................................................................................................... 147
Figure 89 View Log ............................................................................................................................... 151
Figure 90 Log Settings ......................................................................................................................... 152
Figure 91 WIRELESS VLAN ................................................................................................................ 159
Figure 92 RADIUS VLAN ..................................................................................................................... 160
Figure 93 Management VLAN Configuration Example ......................................................................... 162
Figure 94 VLAN-Aware Switch - Static VLAN ....................................................................................... 162
Figure 95 VLAN-Aware Switch ............................................................................................................. 162
Figure 96 VLAN-Aware Switch - VLAN Status ......................................................................................163
Figure 97 VLAN Setup .......................................................................................................................... 163
Figure 98 New Global Security Group ................................................................................................. 165
Figure 99 Add Group Members ........................................................................................................... 165
Figure 100 New Remote Access Policy for VLAN Group .................................................................... 166
Figure 101 Specifying Windows-Group Condition ................................................................................ 166
Figure 102 Adding VLAN Group .......................................................................................................... 167
Figure 103 Granting Permissions and User Profile Screens ............................................................... 167
Figure 104 Authentication Tab Settings ................................................................................................ 168
Figure 105 Encryption Tab Settings ..................................................................................................... 168
Figure 106 Connection Attributes Screen ............................................................................................ 169
Figure 107 RADIUS Attribute Screen .................................................................................................. 169
Figure 108 802 Attribute Setting for Tunnel-Medium-Type .................................................................. 170
Figure 109 VLAN ID Attribute Setting for Tunnel-Pvt-Group-ID .......................................................... 170
Figure 110 VLAN Attribute Setting for Tunnel-Type .............................................................................171
Figure 111 Completed Advanced Tab ................................................................................................... 171
Figure 112 Second Rx VLAN ID Example ............................................................................................ 172
Figure 113 Configuring SSID: Second Rx VLAN ID Example .............................................................. 173
Figure 114 System Status ..................................................................................................................... 175
Figure 115 System Status: Show Statistics ........................................................................................... 176
Figure 116 Association List ................................................................................................................... 177
Figure 117 Channel Usage ................................................................................................................... 178
Figure 118 Firmware Upload ................................................................................................................ 179
Figure 119 Firmware Upload In Process .............................................................................................. 179
Figure 120 Network Temporarily Disconnected ....................................................................................180
Figure 121 Firmware Upload Error ....................................................................................................... 180
Figure 122 Configuration ...................................................................................................................... 181
Figure 123 Configuration Upload Successful ....................................................................................... 182
Figure 124 Network Temporarily Disconnected ....................................................................................182
Figure 125 Configuration Upload Error ................................................................................................. 182
Figure 126 Reset Warning Message .................................................................................................... 183
Figure 127 Restart Screen ................................................................................................................... 183
Figure 128 Login Screen ...................................................................................................................... 187
Figure 129 Menu 23 System Password ................................................................................................ 187
Figure 130 SMT Main Menu ................................................................................................................. 189
Figure 131 Menu 1 General Setup ....................................................................................................... 191
Figure 132 Menu 3 LAN Setup ............................................................................................................ 193
Figure 133 Menu 3.2 TCP/IP Setup ..................................................................................................... 193
Figure 134 Menu 22 SNMP Configuration ............................................................................................ 195
Figure 135 Menu 23 System Password ................................................................................................ 197
Figure 136 Menu 24 System Maintenance ........................................................................................... 199
Figure 137 Menu 24.1 System Maintenance: Status ............................................................................ 200
Figure 138 Menu 24.2 System Information and Console Port Speed .................................................. 201
Figure 139 Menu 24.2.1 System Information: Information ................................................................... 201
Figure 140 Menu 24.2.2 System Maintenance: Change Console Port Speed ..................................... 202
Figure 141 Menu 24.3 System Maintenance: Log and Trace ............................................................... 203
Figure 142 Sample Error and Information Messages ........................................................................... 203
Figure 143 Menu 24.4 System Maintenance: Diagnostic ..................................................................... 203
Figure 144 Menu 24.5 Backup Configuration ....................................................................................... 206
Figure 145 FTP Session Example ........................................................................................................ 207
Figure 146 System Maintenance: Backup Configuration ..................................................................... 209
Figure 147 System Maintenance: Starting Xmodem Download Screen ............................................... 209
Figure 148 Backup Configuration Example .......................................................................................... 209
Figure 149 Successful Backup Confirmation Screen ........................................................................... 209
Figure 150 Menu 24.6 Restore Configuration ...................................................................................... 210
Figure 151 Menu 24.7 System Maintenance: Upload Firmware ...........................................................211
Figure 152 Menu 24.7.1 System Maintenance: Upload System Firmware ...........................................211
Figure 153 Menu 24.7.2 System Maintenance: Upload System Configuration File ............................. 212
Figure 154 FTP Session Example ........................................................................................................ 212
Figure 155 Menu 24.7.1 as seen using the Console Port .................................................................... 214
Figure 156 Example Xmodem Upload .................................................................................................. 214
Figure 157 Menu 24.7.2 as seen using the Console Port ................................................................... 215
Figure 158 Example Xmodem Upload .................................................................................................. 215
Figure 159 Menu 24 System Maintenance ........................................................................................... 217
Figure 160 Valid CI Commands ............................................................................................................ 218
Figure 161 Menu 24.10 System Maintenance: Time and Date Setting ................................................ 219
Figure 162 Menu 24.11 Remote Management Control ........................................................................ 221
Figure 163 WIndows 95/98/Me: Network: Configuration ...................................................................... 234
Figure 164 Windows 95/98/Me: TCP/IP Properties: IP Address .......................................................... 235
Figure 165 Windows 95/98/Me: TCP/IP Properties: DNS Configuration .............................................. 236
Figure 166 Windows XP: Start Menu .................................................................................................... 237
Figure 167 Windows XP: Control Panel ............................................................................................... 237
Figure 168 Windows XP: Control Panel: Network Connections: Properties ......................................... 238
Figure 169 Windows XP: Local Area Connection Properties ............................................................... 238
Figure 170 Windows XP: Advanced TCP/IP Settings .......................................................................... 239
Figure 171 Windows XP: Internet Protocol (TCP/IP) Properties .......................................................... 240
Figure 172 Macintosh OS 8/9: Apple Menu .......................................................................................... 241
Figure 173 Macintosh OS 8/9: TCP/IP ................................................................................................. 241
Figure 174 Macintosh OS X: Apple Menu ............................................................................................ 242
Figure 175 Macintosh OS X: Network .................................................................................................. 243
Figure 176 IP Address Conflicts: Case A ............................................................................................. 245
Figure 177 IP Address Conflicts: Case B ............................................................................................. 246
Figure 178 IP Address Conflicts: Case C ............................................................................................. 246
Figure 179 IP Address Conflicts: Case D ............................................................................................. 247
Figure 180 Peer-to-Peer Communication in an Ad-hoc Network ......................................................... 249
Figure 181 Basic Service Set ............................................................................................................... 250
Figure 182 Infrastructure WLAN ........................................................................................................... 251
Figure 183 RTS/CTS ............................................................................................................................ 252
Figure 184 Pop-up Blocker ................................................................................................................... 261
Figure 185 Internet Options: Privacy .................................................................................................... 262
Figure 186 Internet Options: Privacy .................................................................................................... 263
Figure 187 Pop-up Blocker Settings ..................................................................................................... 263
Figure 188 Internet Options: Security ................................................................................................... 264
Figure 189 Security Settings - Java Scripting ....................................................................................... 265
Figure 190 Security Settings - Java ...................................................................................................... 265
Figure 191 Java (Sun) .......................................................................................................................... 266
Figure 192 Network Number and Host ID ............................................................................................ 268
Figure 193 Subnetting Example: Before Subnetting ............................................................................ 270
Figure 194 Subnetting Example: After Subnetting ............................................................................... 271
Figure 195 Text File Based Auto Configuration .................................................................................... 275
Figure 196 Configuration File Format ................................................................................................... 277
Figure 197 WEP Configuration File Example ....................................................................................... 278
Figure 198 802.1X Configuration File Example .................................................................................... 279
Figure 199 WPA-PSK Configuration File Example ............................................................................... 279
Figure 200 WPA Configuration File Example ....................................................................................... 280
Figure 201 wlan Configuration File Example ........................................................................................ 281

List of Tables

Table 1 LEDs ......................................................................................................................................... 37
Table 2 Tutorial: Example Information ................................................................................................... 44
Table 3 Tutorial: Rogue AP Example Information .................................................................................. 53
Table 4 Tutorial: Friendly AP Information ............................................................................................... 54
Table 5 System General Setup .............................................................................................................. 63
Table 6 Password .................................................................................................................................. 64
Table 7 Time Setting .............................................................................................................................. 65
Table 8 WMM QoS Priorities ................................................................................................................. 69
Table 9 Typical Packet Sizes ................................................................................................................. 70
Table 10 Automatic Traffic Classifier Priorities ...................................................................................... 70
Table 11 ATC + WMM Priority Assignment (LAN to WLAN) .................................................................. 71
Table 12 ATC + WMM Priority Assignment (WLAN to LAN) .................................................................. 71
Table 13 ToS and IEEE 802.1d to WMM QoS Priority Level Mapping .................................................. 72
Table 14 STP Path Costs ...................................................................................................................... 73
Table 15 STP Port States ...................................................................................................................... 73
Table 16 Wireless: Access Point ........................................................................................................... 75
Table 17 Wireless: Bridge/Repeater ...................................................................................................... 79
Table 18 Security Modes ....................................................................................................................... 85
Table 19 Wireless Security Levels ......................................................................................................... 86
Table 20 Security ................................................................................................................................... 87
Table 21 Security: WEP ......................................................................................................................... 88
Table 22 Security: 802.1x Only .............................................................................................................. 89
Table 23 Security: 802.1x Static 64-bit, 802.1x Static 128-bit ................................................................90
Table 24 Security: WPA ......................................................................................................................... 91
Table 25 Security: WPA2 or WPA2-MIX ................................................................................................ 92
Table 26 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX ............................................................. 94
Table 27 RADIUS .................................................................................................................................. 95
Table 28 Wireless: Multiple BSS ............................................................................................................ 99
Table 29 SSID ...................................................................................................................................... 101
Table 30 Configuring SSID .................................................................................................................. 102
Table 31 Layer-2 Isolation Configuration ............................................................................................. 107
Table 32 MAC Address Filter ................................................................................................................110
Table 33 Private IP Address Ranges ....................................................................................................113
Table 34 IP Setup .................................................................................................................................114
Table 35 ROGUE AP > Configuration .................................................................................................. 120
Table 36 ROGUE AP > Friendly AP .................................................................................................... 121
Table 37 ROGUE AP > Rogue AP ....................................................................................................... 122
Table 38 Remote Management Overview ...........................................................................................123
Table 39 Remote Management: Telnet ................................................................................................ 125
Table 40 Remote Management: FTP ................................................................................................... 126
Table 41 Remote Management: WWW ...............................................................................................127
Table 42 SNMP Traps .......................................................................................................................... 129
Table 43 SNMP Interface Index to Physical Port Mapping .................................................................. 130
Table 44 Remote Management: SNMP ............................................................................................... 131
Table 45 My Certificates ...................................................................................................................... 136
Table 46 My Certificate Import ............................................................................................................. 138
Table 47 My Certificate Create ............................................................................................................ 139
Table 48 My Certificate Details ............................................................................................................ 142
Table 49 Trusted CAs .......................................................................................................................... 145
Table 50 Trusted CA Import ................................................................................................................. 146
Table 51 Trusted CA Details ................................................................................................................ 147
Table 52 View Log ............................................................................................................................... 151
Table 53 Log Settings .......................................................................................................................... 153
Table 54 System Maintenance Logs .................................................................................................... 154
Table 55 ICMP Notes ........................................................................................................................... 154
Table 56 Sys log .................................................................................................................................. 155
Table 57 Log Categories and Available Settings ................................................................................. 155
Table 58 WIRELESS VLAN ................................................................................................................. 159
Table 59 RADIUS VLAN ...................................................................................................................... 161
Table 60 Standard RADIUS Attributes ................................................................................................. 164
Table 61 System Status ....................................................................................................................... 175
Table 62 System Status: Show Statistics ............................................................................................. 176
Table 63 Association List ..................................................................................................................... 177
Table 64 Channel Usage ..................................................................................................................... 178
Table 65 Firmware Upload ................................................................................................................... 179
Table 66 Restore Configuration ........................................................................................................... 181
Table 67 SMT Menus Overview ........................................................................................................... 188
Table 68 Main Menu Commands ......................................................................................................... 189
Table 69 Main Menu Summary ............................................................................................................ 190
Table 70 Menu 1 General Setup .......................................................................................................... 191
Table 71 Menu 3.2 TCP/IP Setup ........................................................................................................ 194
Table 72 Menu 22 SNMP Configuration .............................................................................................. 195
Table 73 Menu 24.1 System Maintenance: Status .............................................................................. 200
Table 74 Menu 24.2.1 System Maintenance: Information ................................................................... 201
Table 75 Menu 24.4 System Maintenance Menu: Diagnostic .............................................................. 204
Table 76 Filename Conventions .......................................................................................................... 206
Table 77 General Commands for Third Party FTP Clients .................................................................. 207
Table 78 General Commands for Third Party TFTP Clients ............................................................... 208
Table 79 Brute-Force Password Guessing Protection Commands ..................................................... 218
Table 80 System Maintenance: Time and Date Setting ....................................................................... 219
Table 81 Menu 24.11 Remote Management Control ........................................................................... 221
Table 82 Hardware Specifications ....................................................................................................... 229
Table 83 Firmware Specifications ........................................................................................................ 229
Table 84 Power over Ethernet Injector Specifications ........................................................................ 230
Table 85 Power over Ethernet Injector RJ-45 Port Pin Assignments .................................................. 231
Table 86 North American Plug Standards ............................................................................................ 231
Table 87 European Plug Standards ..................................................................................................... 231
Table 88 United Kingdom Plug Standards ........................................................................................... 231
Table 89 Australia and New Zealand Plug Standards ......................................................................... 231
Table 90 Comparison of EAP Authentication Types ............................................................................ 256
Table 91 Wireless Security Relational Matrix ...................................................................................... 257
Table 92 Subnet Masks ....................................................................................................................... 268
Table 93 Subnet Masks ....................................................................................................................... 269
Table 94 Maximum Host Numbers ...................................................................................................... 269
Table 95 Alternative Subnet Mask Notation ......................................................................................... 269
Table 96 Subnet 1 ................................................................................................................................ 271
Table 97 Subnet 2 ................................................................................................................................ 272
Table 98 Subnet 3 ................................................................................................................................ 272
Table 99 Subnet 4 ................................................................................................................................ 272
Table 100 Eight Subnets ...................................................................................................................... 272
Table 101 24-bit Network Number Subnet Planning ............................................................................ 273
Table 102 16-bit Network Number Subnet Planning ............................................................................ 273
Table 103 Auto Configuration by DHCP .............................................................................................. 276
Table 104 Manual Configuration .......................................................................................................... 276
Table 105 Configuration via SNMP ...................................................................................................... 276
Table 106 Displaying the File Version .................................................................................................. 277
Table 107 Displaying the File Version .................................................................................................. 277
Table 108 Displaying the Auto Configuration Status ............................................................................278
PART I

Introduction

Introducing the ZyXEL Device (31)
Introducing the Web Configurator (39)
Tutorial (43)
CHAPTER 1

Introducing the ZyXEL Device

This chapter introduces the main applications and features of the ZyXEL Device. It also introduces the ways you can manage the ZyXEL Device.

1.1 Introducing the ZyXEL Device

Your ZyXEL Device extends the range of your existing wired network without additional wiring, providing easy network access to mobile users.
It is highly versatile, supporting up to eight BSSIDs simultaneously. The Quality of Service (QoS) features allow you to prioritize time-sensitive or highly important applications such as VoIP.
Multiple security profiles allow you to easily assign different types of security to groups of users. The ZyXEL Device controls network access with MAC address filtering, rogue AP detection and layer 2 isolation. It also provides a high level of network traffic security, supporting IEEE 802.1x, Wi-Fi Protected Access (WPA), WPA2 and WEP data encryption.
Your ZyXEL Device is easy to install, configure and use. The embedded Web-based configurator enables simple, straightforward management and maintenance.
See the Quick Start Guide for instructions on how to make hardware connections.

1.2 Applications for the ZyXEL Device

The ZyXEL Device can be configured to use the following WLAN operating modes:
1 AP
2 AP+Bridge
3 Bridge/Repeater
4 MBSSID
Applications for each operating mode are shown below.
1.2.1 Access Point
The ZyXEL Device is an ideal access solution for wireless Internet connection. A typical Internet access application for your ZyXEL Device is shown as follows. Stations A, B and C can access the wired network through the ZyXEL Devices.
Figure 1 Access Point Application
1.2.2 AP + Bridge
In AP+Bridge mode, the ZyXEL Device supports both AP and bridge connection at the same time.
In the figure below, A and B use X as an AP to access the wired network, while X and Y communicate in bridge mode.
When the ZyXEL Device is in AP + Bridge mode, security between APs (the Wireless Distribution System or WDS) is independent of the security between the wireless stations and the AP. See Section 5.6.2 on page 76 for more details.
Unless specified, the term “security settings” refers to the traffic between the wireless stations and the ZyXEL Device.
Note: If you do not enable WDS security in AP + Bridge mode, traffic between APs is not encrypted.
Figure 2 AP+Bridge Application
1.2.3 Bridge / Repeater
The ZyXEL Device can act as a wireless network bridge and establish wireless links with other APs. In the figure below, the two ZyXEL Devices (A and B) are connected to independent wired networks and have a bridge connection (A can communicate with B) at the same time. A ZyXEL Device in repeater mode (C) has no Ethernet connection. When the ZyXEL Device is in bridge mode, you should enable STP to prevent bridge loops.
When the ZyXEL Device is in Bridge / Repeater mode, security between APs (the Wireless Distribution System or WDS) is independent of the security between the wireless stations and the AP. When WDS security is enabled, both APs must use the same pre-shared key. See Section 5.6.2 on page 76 for more details.
Once the security settings of the two APs match one another, the WDS connection is made.
Note: If you do not enable WDS security in Bridge / Repeater mode, traffic between APs is not encrypted.
Figure 3 Bridge Application
Figure 4 Repeater Application
1.2.4 MBSSID
A BSS (Basic Service Set) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). An SSID (Service Set IDentifier) is the name of a BSS. In MBSSID (Multiple BSS) mode, the ZyXEL Device provides multiple virtual APs, each forming its own BSS and using its own individual SSID profile.
You can configure up to sixteen SSID profiles, and have up to eight active at any one time.
You can assign different wireless and security settings to each SSID profile. This allows you to compartmentalize groups of users, set varying access privileges, and prioritize network traffic to and from certain BSSs.
To the wireless clients in the network, each SSID appears to be a different access point. As in any wireless network, clients can associate only with the SSIDs for which they have the correct security settings.
For example, you might want to set up a wireless network in your office where Internet telephony (Voice over IP, or VoIP) users have priority. You also want a regular wireless network for standard users, as well as a ‘guest’ wireless network for visitors. In the following figure, VoIP_SSID users have Quality of Service (QoS) priority, SSID03 is the wireless network for standard users, and Guest_SSID is the wireless network for guest users. In this example, the guest user is forbidden access to the wired LAN behind the AP and can access only the Internet.
Figure 5 Multiple BSSs
1.2.5 Pre-Configured SSID Profiles
The ZyXEL Device has two pre-configured SSID profiles.
1 VoIP_SSID. This profile is intended for use by wireless clients requiring the highest QoS (Quality of Service) level for VoIP (Voice over IP) telephony and other applications requiring low latency. The QoS level of this profile is not user-configurable. See Section 5.3.1 on page 69 for more information on QoS.
2 Guest_SSID. This profile is intended for use by visitors and others who require access to certain resources on the network (an Internet gateway or a network printer, for example) but must not have access to the rest of the network. Layer 2 isolation is enabled (see Section 8.1 on page 105), and QoS is set to NONE. Intra-BSS traffic blocking is also enabled (see Section 5.1.1 on page 67). These fields are all user-configurable.
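The rules stated in Sections 1.2.2 to 1.2.5 (WDS security in the bridge modes, STP in bridge mode, the SSID profile limits, and isolation for guest profiles) can be checked against a record of planned settings before deployment. The following Python code is an added example, not ZyXEL code and not the device's configuration file format; the APConfig and SSIDProfile field names and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical inventory model: these field names are assumptions for this
# example and are not the NWA-3100 configuration file format.
BRIDGE_MODES = {"AP+Bridge", "Bridge/Repeater"}
MAX_PROFILES = 16   # Section 1.2.4: up to sixteen SSID profiles
MAX_ACTIVE = 8      # Section 1.2.4: up to eight active at any one time


@dataclass
class SSIDProfile:
    name: str
    active: bool = True
    guest: bool = False               # visitors who must not reach the rest of the network
    l2_isolation: bool = False
    intra_bss_blocking: bool = False


@dataclass
class APConfig:
    hostname: str
    mode: str                         # "AP", "AP+Bridge", "Bridge/Repeater" or "MBSSID"
    wds_security: bool = False
    wds_psk: str = ""
    stp: bool = False
    profiles: list = field(default_factory=list)


def audit_ap(ap):
    """Return (severity, message) findings for one access point."""
    findings = []
    if ap.mode in BRIDGE_MODES and not ap.wds_security:
        findings.append(("high", f"{ap.hostname}: WDS security is off, "
                                 "traffic between APs is not encrypted"))
    if ap.mode == "Bridge/Repeater" and not ap.stp:
        findings.append(("medium", f"{ap.hostname}: STP is disabled in bridge mode, "
                                   "bridge loops are possible"))
    if len(ap.profiles) > MAX_PROFILES:
        findings.append(("medium", f"{ap.hostname}: {len(ap.profiles)} SSID profiles "
                                   f"planned, limit is {MAX_PROFILES}"))
    active = [p for p in ap.profiles if p.active]
    if len(active) > MAX_ACTIVE:
        findings.append(("medium", f"{ap.hostname}: {len(active)} active SSID profiles "
                                   f"planned, limit is {MAX_ACTIVE}"))
    for p in active:
        if not p.guest:
            continue
        # Guest_SSID ships with both protections on, but they are user-configurable.
        missing = [label for label, enabled in (
            ("layer 2 isolation", p.l2_isolation),
            ("intra-BSS blocking", p.intra_bss_blocking)) if not enabled]
        if missing:
            findings.append(("high", f"{ap.hostname}/{p.name}: guest profile without "
                                     + " and ".join(missing)))
    return findings


def audit_wds_link(a, b):
    """Check that two bridged APs have matching WDS security settings."""
    findings = []
    link = f"{a.hostname} <-> {b.hostname}"
    if a.wds_security != b.wds_security:
        findings.append(("high", f"{link}: WDS security enabled on one side only"))
    elif a.wds_security and a.wds_psk != b.wds_psk:
        findings.append(("high", f"{link}: WDS pre-shared keys differ"))
    return findings


# Constructed sample inventory (not taken from a real device).
LOBBY = APConfig("ap-lobby", "MBSSID", profiles=[
    SSIDProfile("VoIP_SSID"),
    SSIDProfile("SSID03"),
    SSIDProfile("Guest_SSID", guest=True, l2_isolation=True, intra_bss_blocking=False),
])
BRIDGE_A = APConfig("ap-bridge-a", "Bridge/Repeater", wds_security=True,
                    wds_psk="constructed-sample-key", stp=True)
BRIDGE_B = APConfig("ap-bridge-b", "Bridge/Repeater", wds_security=False, stp=False)

if __name__ == "__main__":
    results = []
    for ap in (LOBBY, BRIDGE_A, BRIDGE_B):
        results += audit_ap(ap)
    results += audit_wds_link(BRIDGE_A, BRIDGE_B)
    for severity, message in results:
        print(f"[{severity}] {message}")
```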

1.3 Ways to Manage the ZyXEL Device

Use any of the following methods to manage the ZyXEL Device.
• Web Configurator. This is recommended for everyday management of the ZyXEL Device using a (supported) web browser.
• Command Line Interface. Line commands are mostly used for troubleshooting by service engineers.
• SMT. System Management Terminal is a text-based configuration menu that you can use to configure your device. Use Telnet to access the SMT.
• FTP for firmware upgrades and configuration backup and restore.
• SNMP. The device can be monitored by an SNMP manager. See the SNMP chapter in this User’s Guide.

1.4 Good Habits for Managing the ZyXEL Device

Do the following things regularly to make the ZyXEL Device more secure and to manage it more effectively.
• Change the password often. Use a password that’s not easy to guess and that consists of different types of characters, such as numbers and letters.
• Write down the password and put it in a safe place.
• Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the ZyXEL Device to its factory default settings. If you backed up an earlier configuration file, you won’t have to totally re-configure the ZyXEL Device; you can simply restore your last configuration.

1.5 LEDs

Figure 6 LEDs
Table 1 LEDs

| LABEL | LED | COLOR | STATUS | DESCRIPTION |
|---|---|---|---|---|
| 1 | SYS | Green | On | The ZyXEL Device is in AP+Bridge or Bridge/Repeater mode, and has successfully established a Wireless Distribution System (WDS) connection. |
| | | Red | Flashing | The ZyXEL Device is starting up. |
| | | | Off | Either the ZyXEL Device is in Access Point or MBSSID mode and is functioning normally; the ZyXEL Device is in AP+Bridge or Bridge/Repeater mode and has not established a Wireless Distribution System (WDS) connection; or the ZyXEL Device is not receiving power. |
| 2 | ZyAIR | Blue | On | The ZyXEL Device is receiving power. You can turn the ZyAIR LED off and on using the Web configurator. See Section 5.6.1 on page 74. |
| | | | Blinking | The ZyXEL Device is receiving power and transmitting data to or receiving data from its wireless stations. |
| | | | Off | Either the ZyXEL Device is not receiving power, or the ZyAIR LED has been disabled. See Section 5.6.1 on page 74 for how to enable the ZyAIR LED. |
| 3 | ETHN | Green | On | The ZyXEL Device has a 10 Mbps Ethernet connection. |
| | | | Blinking | The ZyXEL Device has a 10 Mbps Ethernet connection and is sending or receiving data. |
| | | Yellow | On | The ZyXEL Device has a 100 Mbps Ethernet connection. |
| | | | Blinking | The ZyXEL Device has a 100 Mbps Ethernet connection and is sending/receiving data. |
| | | | Off | The ZyXEL Device does not have an Ethernet connection. |
| 4 | POWER | Green | On | The ZyXEL Device is receiving power via the POWER socket. |
| | | Red | On | The ZyXEL Device is receiving power via the ETHERNET port using Power over Ethernet (PoE). |
| | | | Off | The ZyXEL Device is not receiving power. |
CHAPTER 2
Introducing the Web Configurator
This chapter describes how to access the ZyXEL Device’s web configurator and provides an overview of its screens.

2.1 Accessing the Web Configurator

1 Make sure your hardware is properly connected and prepare your computer or computer network to connect to the ZyXEL Device (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.1.2" as the URL (default).
4 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login.
5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) then click Apply. Alternatively, click Ignore.
" If you do not change the password, the following screen appears every time you log in.
Figure 7 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyXEL Device’s MAC address that will be specific to this device.
Figure 8 Replace Certificate Screen
You should now see the MAIN MENU screen.
" The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyXEL Device if this happens.

2.2 Resetting the ZyXEL Device

If you forget your password or cannot access the web configurator, you will need to use the RESET button. This replaces the current configuration file with the factory-default configuration file. This means that you will lose all the settings you previously configured. The password will be reset to 1234.
2.2.1 Methods of Restoring Factory-Defaults
You can erase the current configuration and restore factory defaults in three ways:
• Use the RESET button to upload the default configuration file. Hold this button in for about 10 seconds (the lights will begin to blink). Use this method for cases when the password or IP address of the ZyXEL Device is not known.
• Use the web configurator to restore defaults (refer to Chapter 15 on page 175).
• Transfer the configuration file to your ZyXEL Device using FTP. See the section on SMT configuration for more information.

2.3 Navigating the Web Configurator

The following summarizes how to navigate the web configurator from the MAIN MENU screen.
Click LOGOUT at any time to exit the web configurator.
Check the status bar at the bottom of the screen when you click Apply or OK to verify that the configuration has been updated.
Figure 9 The MAIN MENU Screen of the Web Configurator
Click the links under ADVANCED to configure advanced features such as SYSTEM (General Setup, Password and Time Zone), WIRELESS (Wireless, SSID, Security, RADIUS, Layer-2 Isolation, MAC Filter), IP, ROGUE AP (Configuration, Friendly AP, Rogue AP), REMOTE MGNT (Telnet, FTP, WWW and SNMP), CERTIFICATES (My Certificates, Trusted CAs), LOGS (View Logs and Log Settings) and VLAN (Wireless VLAN and RADIUS VLAN).
Click MAINTENANCE to view information about your ZyXEL Device or upgrade configuration and firmware files. Maintenance features include Status (Statistics), Association List, Channel Usage, F/W (firmware) Upload, Configuration (Backup, Restore and Default) and Restart.
CHAPTER 3

Tutorial

This chapter provides step-by-step guidelines showing how to configure your ZyXEL Device for some example scenarios. The first example shows how to create multiple wireless networks, and the second example shows how to use the rogue AP detection feature.

3.1 How to Configure Multiple Wireless Networks

In this example, you have been using your ZyXEL Device as an access point for your office network (See your Quick Start Guide for information on how to set up your ZyXEL Device in Access Point mode). Now your network is expanding and you want to make use of the MBSSID feature (see Section 7.1 on page 97) to provide multiple wireless networks. Each wireless network will cater for a different type of user.
You want to make three wireless networks: one standard office wireless network with all the same settings you already have, another wireless network with high Quality of Service (QoS) settings for Voice over IP users, and a guest network that allows visitors to your office to access only the Internet and the network printer.
To do this, you will take the following steps:
1 Change the operating mode from Access Point to MBSSID and reactivate the standard network.
2 Configure a wireless network for Voice over IP users.
3 Configure a wireless network for guests to your office.
The following figure shows the multiple networks you want to set up. Your ZyXEL Device is marked Z, the main network router is marked A, and your network printer is marked B.
Figure 10 Tutorial: Example MBSSID Setup
The standard network (SSID04) has access to all resources. The VoIP network (VoIP_SSID) has access to all resources and a high Quality of Service (QoS) setting (see Section 5.3 on page 69 for information on QoS). The guest network (Guest_SSID) has access to the Internet and the network printer only, and a low QoS setting.
To configure these settings, you need to know the MAC (Media Access Control) addresses of the devices you want to allow users of the guest network to access. The following table shows the addresses used in this example.
Table 2 Tutorial: Example Information
Network router (A) MAC address 00:AA:00:AA:00:AA
Network printer (B) MAC address AA:00:AA:00:AA:00
3.1.1 Change the Operating Mode
Log in to the ZyXEL Device (see Section 2.1 on page 39). Click WIRELESS > Wireless. The Wireless screen appears. In this example, the ZyXEL Device is set to Access Point operating mode, and is currently using the SSID04 profile.
Figure 11 Tutorial: Wireless LAN: Before
Select MBSSID from the Operating Mode drop-down list box. The screen displays as follows.
Figure 12 Tutorial: Wireless LAN: Change Mode
This Select SSID Profile table allows you to activate or deactivate SSID profiles. Your wireless network was previously using the SSID04 profile, so select SSID04 in one of the Profile list boxes (number 3 in this example).
Select the Index box for the entry and click Apply to activate the profile. Your standard wireless network (SSID04) is now accessible to your wireless clients as before. You do not need to configure anything else for your standard network.
3.1.2 Configure the VoIP Network
Next, click WIRELESS > SSID. The following screen displays. Note that the SSID04 SSID profile (the standard network) is using the security01 security profile. You cannot change this security profile without changing the standard network’s parameters, so when you set up security for the VoIP_SSID and Guest_SSID profiles you will need to set different security profiles.
Figure 13 Tutorial: WIRELESS > SSID
The Voice over IP (VoIP) network will use the pre-configured SSID profile, so select VoIP_SSID’s radio button and click Edit. The following screen displays.
Figure 14 Tutorial: VoIP SSID Profile Edit
• Choose a new SSID for the VoIP network. In this example, enter VOIP_SSID_Example. Note that although the SSID changes, the SSID profile name (VoIP_SSID) remains the same as before.
• Select Enable from the Hide Name (SSID) list box. You want only authorized company employees to use this network, so there is no need to broadcast the SSID to wireless clients scanning the area.
• The standard network (SSID04) is currently using the security01 profile, so use a different profile for the VoIP network. If you used the security01 profile, anyone who could access the standard network could access the VoIP wireless network. Select security02 from the Security field.
• Leave all the other fields at their defaults and click Apply.
3.1.2.1 Set Up Security for the VoIP Profile
Now you need to configure the security settings to use on the VoIP wireless network. Click the Security tab.
Figure 15 Tutorial: VoIP Security
You already chose to use the security02 profile for this network, so select the radio button for security02 and click Edit. The following screen appears.
Figure 16 Tutorial: VoIP Security Profile Edit
• Change the Name field to “VoIP_Security” to make it easier to remember and identify.
• In this example, you do not have a RADIUS server for authentication, so select WPA2-PSK in the Security Mode field. WPA2-PSK provides strong security that anyone with a compatible wireless client can use, once they know the pre-shared key (PSK). Enter the PSK you want to use in your network in the Pre Shared Key field. In this example, the PSK is “ThisismyWPA2-PSKpre-sharedkey”.
• Click Apply. The WIRELESS > Security screen displays. Ensure that the Profile Name for entry 2 displays “VoIP_Security” and that the Security Mode is WPA2-PSK.
Figure 17 Tutorial: VoIP Security: Updated
3.1.2.2 Activate the VoIP Profile
You need to activate the VoIP_SSID profile before it can be used. Click the Wireless tab. In the Select SSID Profile table, select the VoIP_SSID profile and click Apply.
Figure 18 Tutorial: Activate VoIP Profile
Your VoIP wireless network is now ready to use. Any traffic using the VoIP_SSID profile will be given the highest priority across the wireless network.
3.1.3 Configure the Guest Network
When you are setting up the wireless network for guests to your office, your primary concern is to keep your network secure while allowing access to certain resources (such as a network printer, or the Internet). For this reason, the pre-configured Guest_SSID profile has layer-2 isolation and intra-BSS traffic blocking enabled by default. “Layer-2 isolation” means that a client accessing the network via the Guest_SSID profile can access only certain pre-defined devices on the network (see Section 8.1 on page 105), and “intra-BSS traffic blocking” means that the client cannot access other clients on the same wireless network (see Section 5.1.1 on page 67).
Click WIRELESS > SSID. Select Guest_SSID’s entry in the list and click Edit. The following screen appears.
Figure 19 Tutorial: Guest Edit
• Choose a new SSID for the guest network. In this example, enter Guest_SSID_Example. Note that although the SSID changes, the SSID profile name (Guest_SSID) remains the same as before.
• Select Disable from the Hide Name (SSID) list box. This makes it easier for guests to configure their own computers’ wireless clients to your network’s settings.
• The standard network (SSID04) is already using the security01 profile, and the VoIP network is using the security02 profile (renamed VoIP_Security) so select the security03 profile from the Security field.
• Leave all the other fields at their defaults and click Apply.
3.1.3.1 Set Up Security for the Guest Profile
Now you need to configure the security settings to use on the guest wireless network. Click the Security tab.
You already chose to use the security03 profile for this network, so select security03’s entry in the list and click Edit. The following screen appears.
Figure 20 Tutorial: Guest Security Profile Edit
• Change the Name field to “Guest_Security” to make it easier to remember and identify.
• Select WPA-PSK in the Security Mode field. WPA-PSK provides strong security that is supported by most wireless clients. Even though your Guest_SSID clients do not have access to sensitive information on the network, you should not leave the network without security. An attacker could still cause damage to the network or intercept unsecured communications.
• Enter the PSK you want to use in your network in the Pre Shared Key field. In this example, the PSK is “ThisismyGuestWPApre-sharedkey”.
• Click Apply. The WIRELESS > Security screen displays. Ensure that the Profile Name for entry 3 displays “Guest_Security” and that the Security Mode is WPA-PSK.
Figure 21 Tutorial: Guest Security: Updated
3.1.3.2 Set up Layer 2 Isolation
Configure layer 2 isolation to control the specific devices you want the users on your guest network to access. Click WIRELESS > Layer-2 Isolation. The following screen appears.
Figure 22 Tutorial: Layer 2 Isolation
Enter the MAC addresses of the two network devices you want users on the guest network to be able to access; the main network router (00:AA:00:AA:00:AA) and the network printer (AA:00:AA:00:AA:00). Click Apply.
3.1.3.3 Activate the Guest Profile
You need to activate the Guest_SSID profile before it can be used. Click the Wireless tab. In the Select SSID Profile table, select the check box for the Guest_SSID profile and click Apply.
Figure 23 Tutorial: Activate Guest Profile
Your Guest wireless network is now ready to use.
3.1.4 Testing the Wireless Networks
To make sure that the three networks are correctly configured, do the following.
• On a computer with a wireless client, scan for access points. You should see the Guest_SSID network, but not the VoIP_SSID network. If you can see the VoIP_SSID network, go to its SSID Edit screen and make sure Hide Name (SSID) is set to Enable.
Whether or not you see the standard network’s SSID (SSID04) depends on whether “hide SSID” is enabled.
• Try to access each network using the correct security settings, and then using incorrect security settings, such as the WPA-PSK for another active network. If the behavior is different from expected (for example, if you can access the VoIP wireless network using the security settings for the Guest_SSID wireless network) check that the SSID profile is set to use the correct security profile, and that the settings of the security profile are correct.
• Access the Guest_SSID network and try to access other resources than those specified in the Layer-2 Isolation screen.
You can use the ping utility to do this. Click Start > Run... and enter “cmd” in the Open: field. Click OK. At the c:\> prompt, enter “ping 192.168.1.10” (substitute the IP address of a real device on your network that is not on the layer 2 isolation list). If you receive a reply, check the settings in the WIRELESS > Layer-2 Isolation screen, and ensure that layer 2 isolation is enabled in the Guest_SSID profile screen.
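The ping check in the last bullet can be scripted so that every device is tested in one run from a client joined to the guest network. The following Python script is an added example, not part of the ZyXEL guide; the router, printer and office PC IP addresses and all function names are assumptions (the guide gives only MAC addresses for the router and printer), while 192.168.1.10 is the guide's own example of a device that is not on the isolation list.

```python
"""Check guest-network layer-2 isolation from a client joined to the guest SSID."""
import platform
import subprocess

# Assumed addresses: the guide lists only MAC addresses for router A and printer B.
ALLOWED = ["192.168.1.254", "192.168.1.20"]    # router (A), printer (B)
MUST_BLOCK = ["192.168.1.10", "192.168.1.30"]  # devices not on the isolation list


def ping_once(host, timeout_s=5):
    """Return True only if an ICMP echo reply arrived from host."""
    on_windows = platform.system() == "Windows"
    count_flag = "-n" if on_windows else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", host],
                              capture_output=True, text=True, timeout=timeout_s)
    except (subprocess.TimeoutExpired, OSError):
        return False
    if on_windows:
        # Windows ping can exit 0 on "Destination host unreachable";
        # a genuine echo reply line carries a TTL value.
        return "TTL=" in proc.stdout
    return proc.returncode == 0


def check_isolation(allowed, must_block, answers_from_office, probe=ping_once):
    """Map each host to a verdict for a probe run from the guest network.

    answers_from_office: hosts already confirmed to answer ping from the
    standard network. A host that never answers ping proves nothing about
    isolation, so it is reported as inconclusive rather than as a pass.
    """
    verdicts = {}
    for host in allowed:
        verdicts[host] = "ok" if probe(host) else "FAIL: allowed device unreachable"
    for host in must_block:
        if probe(host):
            verdicts[host] = "FAIL: reply from device not on the isolation list"
        elif host in answers_from_office:
            verdicts[host] = "ok"
        else:
            verdicts[host] = "inconclusive: host does not answer ping from office either"
    return verdicts


def isolation_ok(verdicts):
    """True when every verdict is a clean pass."""
    return all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    # Constructed replies standing in for a live run; on a real guest client
    # omit the probe argument so that ping_once is used.
    constructed_replies = {"192.168.1.254", "192.168.1.20", "192.168.1.10"}
    result = check_isolation(ALLOWED, MUST_BLOCK, {"192.168.1.10"},
                             probe=lambda h: h in constructed_replies)
    for host, verdict in result.items():
        print(f"{host:15} {verdict}")
    print("isolation ok:", isolation_ok(result))
```

A "FAIL: reply" verdict corresponds to the case the guide describes: check the WIRELESS > Layer-2 Isolation screen and the Guest_SSID profile.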

3.2 How to Set Up and Use Rogue AP Detection

This example shows you how to configure the rogue AP detection feature on the ZyXEL Device. A rogue AP is a wireless access point operating in a network’s coverage area that is not a sanctioned part of that network. The example also shows how to set the ZyXEL Device to send out e-mail alerts whenever it detects a rogue wireless access point. See Chapter 10 on page 117 for background information on the rogue AP function and security considerations.
In this example, you want to ensure that your company’s data is not accessible to an attacker gaining entry to your wireless network through a rogue AP.
Your wireless network operates in an office building. It consists of four access points (all ZyXEL Devices) and a variable number of wireless clients. You also know that the coffee shop on the ground floor has a wireless network consisting of a single access point, which can be detected and accessed from your floor of the building. There are no other static wireless networks in your coverage area.
The following diagram shows the wireless networks in your area. Your access points are marked A, B, C and D. You also have a network mail/file server, marked E, and a computer, marked F, connected to the wired network. The coffee shop’s access point is marked 1.
Figure 24 Tutorial: Wireless Network Example
In the figure, the solid circle represents the range of your wireless network, and the dashed circle represents the extent of the coffee shop’s wireless network. Note that the two networks overlap. This means that one or more of your APs can detect the AP (1) in the other wireless network.
When configuring the rogue AP feature on your ZyXEL Devices in this example, you will need to use the information in the following table. You need the IP addresses of your APs to access their Web configurators, and you need the MAC address of each AP to configure the friendly AP list. You need the IP address of the mail server to set up e-mail alerts.
Table 3 Tutorial: Rogue AP Example Information
DEVICE | IP ADDRESS | MAC ADDRESS
Access Point A | 192.168.1.1 | 00:AA:00:AA:00:AA
Access Point B | 192.168.1.2 | AA:00:AA:00:AA:00
Access Point C | 192.168.1.3 | A0:0A:A0:0A:A0:0A
Access Point D | 192.168.1.4 | 0A:A0:0A:A0:0A:A0
File / Mail Server E | 192.168.1.25 | N/A
Access Point 1 | UNKNOWN | AF:AF:AF:FA:FA:FA
" The ZyXEL Device can detect the MAC addresses of APs automatically. However, it is more secure to obtain the correct MAC addresses from another source and add them to the friendly AP list manually, if possible. For example, an attacker’s AP mimicking the correct SSID could be placed on the friendly AP list by accident, if selected from the list of auto-detected APs. In this example you have spoken to the coffee shop’s owner, who has told you the correct MAC address of his AP.
In this example, you will do the following things.
1 Set up and save a friendly AP list.
2 Activate periodic Rogue AP Detection.
3 Set up e-mail alerts.
4 Configure your other access points.
5 Test the setup.
3.2.1 Set Up and Save a Friendly AP list
Take the following steps to set up and save a list of access points you want to allow in your network’s coverage area.
1 On a computer connected to the wired network (F in the previous figure), open your Internet browser and enter the URL of access point A (192.168.1.1). Log in to the Web configurator and click ROGUE AP > Friendly AP. The following screen displays.
Figure 25 Tutorial: Friendly AP (Before Data Entry)
2 Fill in the MAC Address and Description fields as in the following table. Click Add after you enter the details of each AP to include it in the list.
Table 4 Tutorial: Friendly AP Information
MAC ADDRESS | DESCRIPTION
00:AA:00:AA:00:AA | My Access Point _A_
AA:00:AA:00:AA:00 | My Access Point _B_
A0:0A:A0:0A:A0:0A | My Access Point _C_
0A:A0:0A:A0:0A:A0 | My Access Point _D_
AF:AF:AF:FA:FA:FA | Coffee Shop Access Point _1_
" You can add APs that are not part of your network to the friendly AP list, as long as you know that they do not pose a threat to your network’s security.
The Friendly AP screen now appears as follows.
Figure 26 Tutorial: Friendly AP (After Data Entry)
3 Next, you will save the list of friendly APs in order to provide a backup and upload it to your other access points. Click the Configuration tab. The following screen appears.
Figure 27 Tutorial: Configuration
4 Click Export. If a window similar to the following appears, click Save.
Figure 28 Tutorial: Warning
5 Save the friendly AP list somewhere it can be accessed by all the other access points on the network. In this example, save it on the network file server (E in Figure 24 on page 53). The default filename is “Flist”.
Figure 29 Tutorial: Save Friendly AP list
3.2.2 Activate Periodic Rogue AP Detection
Take the following steps to activate rogue AP detection on the first of your ZyXEL Devices.
1 In the ROGUE AP > Configuration screen, select Yes from the Activate Rogue AP Period Detection field.
Figure 30 Tutorial: Periodic Rogue AP Detection
2 In the Period (min.) field, enter how often you want the ZyXEL Device to scan for rogue APs. You can have the ZyXEL Device scan anywhere from once every ten minutes to once every hour. In this example, enter “10”.
3 Click Apply.
3.2.3 Set Up E-mail Logs
In this section, you will configure the first of your four APs to send a log message to your e-mail inbox whenever a rogue AP is discovered in your wireless network’s coverage area.
1 Click LOGS > Log Settings. The following screen appears.
Figure 31 Tutorial: Log Settings
• In this example, your mail server’s IP address is 192.168.1.25. Enter this IP address in the Mail Server field.
• Enter a subject line for the alert e-mails in the Mail Subject field. Choose a subject that is eye-catching and identifies the access point - in this example, “ALERT_Access_Point_A”.
• Enter the email address to which you want alerts to be sent (myname@myfirm.com, in this example).
• In the Send Immediate Alert section, select the events you want to trigger immediate e-mails. Ensure that Rogue AP is selected.
• Click Apply.
3.2.4 Configure Your Other Access Points
Access point A is now configured to do the following.
• Scan for access points in its coverage area every ten minutes.
• Recognize friendly access points from a list.
• Send immediate alerts to your email account if it detects an access point not on the list.
Now you need to configure the other wireless access points on your network to do the same things.
For each access point, take the following steps.
1 From a computer on the wired network, enter the access point’s IP address and log in to its Web configurator. See Table 3 on page 53 for the example IP addresses.
2 Import the friendly AP list. Click ROGUE AP > Configuration > Browse.... Find the “Flist” file where you previously saved it on the network and click Open.
3 Click Import. Check the ROGUE AP > Friendly AP screen to ensure that the friendly AP list has been correctly uploaded.
4 Activate periodic rogue AP detection. See Section 3.2.2 on page 56.
5 Set up e-mail logs as in Section 3.2.3 on page 57, but change the Mail Subject field so you can tell which AP the alerts come from (“ALERT_Access_Point_B”, etc.).
3.2.5 Test the Setup
Next, test your setup to ensure it is correctly configured.
• Log into each AP’s Web configurator and click ROGUE AP > Rogue AP. Click Refresh. If any of the MAC addresses from Table 4 on page 54 appear in the list, the friendly AP function may be incorrectly configured - check the ROGUE AP > Friendly AP screen.
If any entries appear in the rogue AP list that are not in Table 4 on page 54, write down the AP’s MAC address for future reference and check your e-mail inbox. If you have received a rogue AP alert, email alerts are correctly configured on that ZyXEL Device.
• If you have another access point that is not used in your network, make a note of its MAC address and set it up next to each of your ZyXEL Devices in turn while the network is running.
Either wait for at least ten minutes (to ensure the ZyXEL Device performs a scan in that time) or log in to the ZyXEL Device’s Web configurator and click ROGUE AP > Rogue AP > Refresh to have the ZyXEL Device perform a scan immediately.
• Check the ROGUE AP > Rogue AP screen. You should see an entry in the list with the same MAC address as your “rogue” AP.
• Check the LOGS > View Logs screen. You should see a Rogue AP Detection entry in red text, including the MAC address of your “rogue” AP.
• Check your e-mail. You should have received at least one e-mail alert (your other ZyXEL Devices may also have sent alerts, depending on their proximity and the output power of your “rogue” AP).
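The friendly-list comparison configured in Section 3.2 can be modelled off the device to review scan results or to vet candidates before they are added to the list. The following Python code is an added example, not ZyXEL firmware logic: the MAC addresses and descriptions come from Table 4, while the scan entries, the "CoffeeShop" SSID, the verdict names and all function names are constructed for illustration.

```python
"""Classify scanned access points against the friendly AP list from Table 4."""
import re
from dataclasses import dataclass

# Friendly AP list as entered in Section 3.2.1 (MAC address -> description).
FRIENDLY_APS = {
    "00:AA:00:AA:00:AA": "My Access Point _A_",
    "AA:00:AA:00:AA:00": "My Access Point _B_",
    "A0:0A:A0:0A:A0:0A": "My Access Point _C_",
    "0A:A0:0A:A0:0A:A0": "My Access Point _D_",
    "AF:AF:AF:FA:FA:FA": "Coffee Shop Access Point _1_",
}
# SSIDs broadcast by your own APs (names taken from the Section 3.1 tutorial).
OWN_SSIDS = {"SSID04", "Guest_SSID_Example"}

# Constructed scan results: (BSSID as reported, SSID).
SAMPLE_SCAN = [
    ("aa-00-aa-00-aa-00", "SSID04"),      # access point B, dash-separated
    ("AF:AF:AF:FA:FA:FA", "CoffeeShop"),  # coffee shop AP, on the friendly list
    ("02:11:22:33:44:55", "SSID04"),      # unlisted MAC advertising your SSID
    ("0211.2233.4466", "linksys"),        # unlisted MAC, unrelated SSID
]


def normalize_mac(mac):
    """Return the MAC as upper-case colon-separated octets, or raise ValueError."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Finding:
    mac: str
    ssid: str
    verdict: str  # "friendly", "rogue" or "rogue-ssid-mimic"
    note: str


def classify_scan(scan, friendly=FRIENDLY_APS, own_ssids=OWN_SSIDS):
    """Compare each scanned AP with the friendly list, as the rogue AP scan does.

    An unlisted MAC that advertises one of your own SSIDs gets its own verdict:
    that is the mimicking AP the note in Section 3.2 warns about.
    """
    known = {normalize_mac(m): desc for m, desc in friendly.items()}
    findings = []
    for raw_mac, ssid in scan:
        mac = normalize_mac(raw_mac)
        if mac in known:
            findings.append(Finding(mac, ssid, "friendly", known[mac]))
        elif ssid in own_ssids:
            findings.append(Finding(mac, ssid, "rogue-ssid-mimic",
                                    "unlisted MAC advertising one of your SSIDs"))
        else:
            findings.append(Finding(mac, ssid, "rogue",
                                    "MAC not on the friendly AP list"))
    return findings


def vet_candidates(auto_detected, verified_macs):
    """Split auto-detected APs into (accept, reject) before adding to the list.

    Only MACs confirmed from another source (inventory, the AP's label, its
    owner) are accepted; a matching SSID is never sufficient on its own.
    """
    verified = {normalize_mac(m) for m in verified_macs}
    accept, reject = [], []
    for raw_mac, ssid in auto_detected:
        mac = normalize_mac(raw_mac)
        (accept if mac in verified else reject).append((mac, ssid))
    return accept, reject


def alert_lines(findings, subject="ALERT_Access_Point_A"):
    """Format one line per non-friendly AP, prefixed with the mail subject."""
    return [f"{subject}: {f.verdict} {f.mac} ssid={f.ssid!r} ({f.note})"
            for f in findings if f.verdict != "friendly"]


if __name__ == "__main__":
    for line in alert_lines(classify_scan(SAMPLE_SCAN)):
        print(line)
```

A MAC address match is only as trustworthy as the source of the list entry, which is why `vet_candidates` accepts nothing on the strength of its SSID.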
PART II
The Web Configurator
System Screens
Wireless Configuration
Wireless Security Configuration
MBSSID and SSID
Other Wireless Configuration
IP Screen
Rogue AP
Remote Management
Certificates
Log Screens
VLAN
Maintenance
CHAPTER 4

System Screens

4.1 System Overview

This section provides information on general system setup.

4.2 Configuring General Setup

Click SYSTEM > General.
Figure 32 System General Setup
The following table describes the labels in this screen.
Table 5 System General Setup
LABEL | DESCRIPTION
General Setup |
System Name | Type a descriptive name to identify the ZyXEL Device in the Ethernet network. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Domain Name | This is not a required field. Leave this field blank or enter the domain name here if you know it.
Administrator Inactivity Timer | Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
System DNS Servers |
First DNS Server, Second DNS Server, Third DNS Server | Select From DHCP if your DHCP server dynamically assigns DNS server information (and the ZyXEL Device's Ethernet IP address). The field to the right displays the (read-only) DNS server IP address that the DHCP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. The default setting is None.
Apply | Click Apply to save your changes.
Reset | Click Reset to reload the previous configuration for this screen.

4.3 Configuring Password

It is strongly recommended that you change your ZyXEL Device’s password. Click SYSTEM > Password. The screen appears as shown.
If you forget your ZyXEL Device’s password (or IP address), you will need to reset the device. See the section on resetting the ZyXEL Device for details.
Figure 33 Password
The following table describes the labels in this screen.
Table 6 Password
LABEL | DESCRIPTION
Old Password | Type in your existing system password (1234 is the default password).
New Password | Type your new system password (up to 31 characters). Note that as you type a password, the screen displays an asterisk (*) for each character you type.
Retype to Confirm | Retype your new system password for confirmation.
Apply | Click Apply to save your changes.
Reset | Click Reset to reload the previous configuration for this screen.

4.4 Configuring Time Setting

To change your ZyXEL Device’s time and date, click SYSTEM > Time Setting. The screen appears as shown. Use this screen to configure the ZyXEL Device’s time based on your local time zone.
Figure 34 Time Setting
The following table describes the labels in this screen.
Table 7 Time Setting
LABEL | DESCRIPTION
Time Protocol | Select the time service protocol that your time server sends when you turn on the ZyXEL Device. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC 1305), is similar to Time (RFC 868). Select None to enter the time and date manually.
Time Server Address | Enter the IP address or the URL of your time server. Check with your ISP/network administrator if you are unsure of this information.
Current Time (hh:mm:ss) | This field displays the time of your ZyXEL Device. Each time you reload this page, the ZyXEL Device synchronizes the time with the time server.
New Time (hh:mm:ss) | This field displays the last updated time from the time server. When you select None in the Time Protocol field, enter the new time in this field and then click Apply.
Current Date (yyyy/mm/dd) | This field displays the date of your ZyXEL Device. Each time you reload this page, the ZyXEL Device synchronizes the date with the time server.
New Date (yyyy/mm/dd) | This field displays the last updated date from the time server. When you select None in the Time Protocol field, enter the new date in this field and then click Apply.
Time Zone | Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Daylight Savings | Select this option if you use daylight savings time. Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Start Date (mm-dd) | Enter the month and day that your daylight-savings time starts on if you selected Daylight Savings.
End Date (mm-dd) | Enter the month and day that your daylight-savings time ends on if you selected Daylight Savings.
Apply | Click Apply to save your changes.
Reset | Click Reset to reload the previous configuration for this screen.
CHAPTER 5

Wireless Configuration

This chapter discusses how to configure the Wireless screens on the ZyXEL Device.

5.1 Wireless LAN Overview

This section introduces the wireless LAN (WLAN) and some basic scenarios.
5.1.1 BSS
A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP).
Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS traffic blocking is disabled, wireless station A and B can access the wired network and communicate with each other. When Intra-BSS traffic blocking is enabled, wireless station A and B can still access the wired network but cannot communicate with each other.
Figure 35 Basic Service set
5.1.2 ESS
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate.
Figure 36 Extended Service Set

5.2 Wireless LAN Basics

See the Wireless LANs Appendix for information on the following:
• Wireless LAN Topologies
• Channel
• RTS/CTS
• Fragmentation Threshold
• IEEE 802.1x
• RADIUS
• Types of Authentication
• WPA
• Security Parameters Summary

5.3 Quality of Service

This section discusses the Quality of Service (QoS) features available on the ZyXEL Device.
5.3.1 WMM QoS
WMM (Wi-Fi MultiMedia) QoS (Quality of Service) ensures quality of service in wireless networks. It controls WLAN transmission priority on packets to be sent over the wireless network.
WMM QoS prioritizes wireless traffic according to the delivery requirements of the individual and applications. WMM QoS is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks.
On APs without WMM QoS, all traffic streams are given the same access priority to the wireless network. If the introduction of another traffic stream creates a data transmission demand that exceeds the current network capacity, then the new traffic stream reduces the throughput of the other traffic streams.
The ZyXEL Device uses WMM QoS to prioritize traffic streams according to the VLAN or DSCP information in each packet’s header. The ZyXEL Device automatically determines the priority to use for an individual traffic stream. This prevents reductions in data transmission for applications that are sensitive to latency (delay) and jitter (variations in delay).
5.3.1.1 WMM QoS Priorities
The following table describes the WMM QoS priority levels that the ZyXEL Device uses.
Table 8 WMM QoS Priorities
| PRIORITY LEVEL | DESCRIPTION |
| --- | --- |
| voice (WMM_VOICE) | Typically used for traffic that is especially sensitive to jitter. Use this priority to reduce latency for improved voice quality. |
| video (WMM_VIDEO) | Typically used for traffic which has some tolerance for jitter but needs to be prioritized over other data traffic. |
| best effort (WMM_BEST_EFFORT) | Typically used for traffic from applications or devices that lack QoS capabilities. Use best effort priority for traffic that is less sensitive to latency, but is affected by long delays, such as Internet surfing. |
| background (WMM_BACKGROUND) | This is typically used for non-critical traffic such as bulk transfers and print jobs that are allowed but that should not affect other applications and users. Use background priority for applications that do not have strict latency and throughput requirements. |
5.3.2 ATC
Automatic Traffic Classifier (ATC) is a bandwidth management tool that prioritizes data packets sent across the network. ATC assigns each packet a priority and then queues the packet accordingly. Packets assigned a high priority are processed more quickly than those with low priority if there is congestion, allowing time-sensitive applications to flow more smoothly. Time-sensitive applications include both those that require a low level of latency and a low level of jitter such as Voice over IP or Internet gaming, and those for which jitter alone is a problem such as Internet radio or streaming video.
ATC assigns priority based on packet size, since time-sensitive applications such as Internet telephony (Voice over IP or VoIP) tend to have smaller packet sizes than non-time sensitive applications such as FTP (File Transfer Protocol). The following table shows some common applications, their time sensitivity, and their typical data packet sizes. Note that the figures given are merely examples - sizes may differ according to application and circumstances.
Table 9 Typical Packet Sizes
| APPLICATION | TIME SENSITIVITY | TYPICAL PACKET SIZE (BYTES) |
| --- | --- | --- |
| Voice over IP (SIP) | High | < 250 |
| Online Gaming | High | 60 ~ 90 |
| Web browsing (http) | Medium | 300 ~ 600 |
| FTP | Low | 1500 |
When ATC is activated, the device sends traffic with smaller packets before traffic with larger packets if the network is congested.
ATC assigns priority to packets as shown in the following table.
Table 10 Automatic Traffic Classifier Priorities
| PACKET SIZE (BYTES) | ATC PRIORITY |
| --- | --- |
| 1 ~ 250 | ATC_High |
| 250 ~ 1100 | ATC_Medium |
| 1100 + | ATC_Low |
You should activate ATC on the ZyXEL Device if your wireless network includes networking devices that do not support WMM QoS, or if you want to prioritize traffic but do not want to configure WMM QoS settings.
5.3.3 ATC+WMM
The ZyXEL Device can use a mapping mechanism to use both ATC and WMM QoS. The ATC+WMM function prioritizes all packets transmitted onto the wireless network using WMM QoS, and prioritizes all packets transmitted onto the wired network using ATC. See Section 7.2.2 on page 101 for details of how to configure ATC+WMM.
Use the ATC+WMM function if you want to do the following:
• enable WMM QoS on your wireless network and automatically assign a WMM priority to packets that do not already have one (see Section 5.3.3.1 on page 70).
• automatically prioritize all packets going from your wireless network to the wired network (see Section 5.3.3.2 on page 71).
5.3.3.1 ATC+WMM from LAN to WLAN
ATC+WMM from LAN (the wired Local Area Network) to WLAN (the Wireless Local Area Network) allows WMM prioritization of packets that do not already have WMM QoS priorities assigned. The ZyXEL Device automatically classifies data packets using ATC and then assigns WMM priorities based on that ATC classification.
The following table shows how priorities are assigned for packets coming from the LAN to the WLAN.
Table 11 ATC + WMM Priority Assignment (LAN to WLAN)
| PACKET SIZE (BYTES) | ATC VALUE | WMM VALUE |
| --- | --- | --- |
| 1 ~ 250 | ATC_High | WMM_VIDEO |
| 250 ~ 1100 | ATC_Medium | WMM_BEST_EFFORT |
| 1100 + | ATC_Low | WMM_BACKGROUND |
5.3.3.2 ATC+WMM from WLAN to LAN
ATC+WMM from WLAN to LAN automatically prioritizes (assigns an ATC value to) all packets coming from the WLAN. Packets are assigned an ATC value based on their WMM value, not their size.
The following table shows how priorities are assigned for packets coming from the WLAN to the LAN when using ATC+WMM.
Table 12 ATC + WMM Priority Assignment (WLAN to LAN)
| WMM VALUE | ATC VALUE |
| --- | --- |
| WMM_VOICE | ATC_High |
| WMM_VIDEO | ATC_High |
| WMM_BEST_EFFORT | ATC_Medium |
| WMM_BACKGROUND | ATC_Low |
| NONE | ATC_Medium |
5.3.4 Type Of Service (ToS)
Network traffic can be classified by setting the ToS (Type Of Service) values at the data source (for example, at the ZyXEL Device) so a server can decide the best method of delivery, that is the least cost, fastest route and so on.
5.3.4.1 DiffServ
DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advance notice of where the traffic is going.
5.3.4.2 DSCP and Per-Hop Behavior
DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.
DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ-compliant, ToS-enabled network devices will not conflict with the DSCP mapping.
Figure 37 DiffServ: Differentiated Service Field
[Figure: the DS field, made up of DSCP (6-bit) followed by Unused (2-bit)]
The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different priorities of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.
5.3.5 ToS (Type of Service) and WMM QoS
The DSCP value of outgoing packets is between 0 and 255. 0 is the default priority. WMM QoS checks the DSCP value in the header of data packets. It gives the traffic a priority according to this number.
In order to control which priority level is given to traffic, the device sending the traffic must set the DSCP value in the header. If the DSCP value is not specified, then the traffic is treated as best-effort. This means the wireless clients and the devices with which they are communicating must both set the DSCP value in order to make the best use of WMM QoS. A Voice over IP (VoIP) device for example may allow you to define the DSCP value.
The following table lists which WMM QoS priority level the ZyXEL Device uses for specific DSCP values.
Table 13 ToS and IEEE 802.1d to WMM QoS Priority Level Mapping
| DSCP VALUE | WMM QOS PRIORITY LEVEL |
| --- | --- |
| 224, 192 | voice |
| 160, 128 | video |
| 96, 0 | best effort (A) |
| 64, 32 | background |
A. The ZyXEL Device also uses best effort for any DSCP value for which another WMM QoS priority is not specified (255, 158 or 37 for example).
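The lookup in Table 13 and its footnote can be checked against the markings your devices actually send. The following is an added example, not code from ZyXEL or from this guide. It assumes the table's values are values of the whole 8-bit DS/ToS octet (the 6-bit DSCP field cannot exceed 63), and the marking names in SAMPLE are constructed.

```python
# Added example: Table 13's lookup applied to the 8-bit DS/ToS octet.
# Assumption: Table 13 lists whole-octet values (0-255); the DSCP field
# itself is the upper 6 bits and the precedence bits are the upper 3.

TABLE_13 = {
    224: "voice", 192: "voice",
    160: "video", 128: "video",
    96: "best effort", 0: "best effort",
    64: "background", 32: "background",
}

# Level implied by the three precedence bits alone (224 >> 5 == 7, and so on).
BY_PRECEDENCE = {octet >> 5: level for octet, level in TABLE_13.items()}


def split_ds_octet(octet):
    """Break the octet into the fields shown in Figure 37."""
    if not isinstance(octet, int) or not 0 <= octet <= 255:
        raise ValueError(f"not an 8-bit value: {octet!r}")
    return {"precedence": octet >> 5, "dscp": octet >> 2, "unused": octet & 0b11}


def wmm_level(octet):
    """Table 13 plus footnote A: exact match, otherwise best effort."""
    split_ds_octet(octet)  # range check only
    return TABLE_13.get(octet, "best effort")


def demoted_markings(markings):
    """Return {name: (level_on_device, level_by_precedence)} for every marking
    that falls through to best effort although its precedence bits name
    another level."""
    findings = {}
    for name, octet in markings.items():
        on_device = wmm_level(octet)
        by_bits = BY_PRECEDENCE[split_ds_octet(octet)["precedence"]]
        if on_device != by_bits:
            findings[name] = (on_device, by_bits)
    return findings


# Constructed sample markings: octet = DSCP << 2.
SAMPLE = {
    "VoIP media, DSCP EF (46)": 46 << 2,           # octet 184
    "video conference, DSCP AF41 (34)": 34 << 2,   # octet 136
    "network control, DSCP CS6 (48)": 48 << 2,     # octet 192, listed in Table 13
    "bulk transfer, DSCP CS1 (8)": 8 << 2,         # octet 32, listed in Table 13
    "footnote example 158": 158,
}

if __name__ == "__main__":
    for name, (device, bits) in demoted_markings(SAMPLE).items():
        print(f"{name}: device uses {device!r}, precedence bits say {bits!r}")
```

Under that assumption, voice packets marked EF are queued as best effort, so the value configured on the VoIP device needs to be one that Table 13 lists for voice.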

5.4 Spanning Tree Protocol (STP)

STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network.
5.4.1 Rapid STP
The ZyXEL Device uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). Using RSTP, topology change information does not have to propagate to the root bridge and unwanted learned addresses are flushed from the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding.
5.4.2 STP Terminology
The root bridge is the base of the spanning tree.
Path cost is the cost of transmitting a frame onto a LAN through that port. It is assigned according to the speed of the link to which a port is attached. The slower the media, the higher the cost - see the following table.
Table 14 STP Path Costs
| | LINK SPEED | RECOMMENDED VALUE | RECOMMENDED RANGE | ALLOWED RANGE |
| --- | --- | --- | --- | --- |
| Path Cost | 4Mbps | 250 | 100 to 1000 | 1 to 65535 |
| Path Cost | 10Mbps | 100 | 50 to 600 | 1 to 65535 |
| Path Cost | 16Mbps | 62 | 40 to 400 | 1 to 65535 |
| Path Cost | 100Mbps | 19 | 10 to 60 | 1 to 65535 |
| Path Cost | 1Gbps | 4 | 3 to 10 | 1 to 65535 |
| Path Cost | 10Gbps | 2 | 1 to 5 | 1 to 65535 |
On each bridge, the root port is the port through which this bridge communicates with the root. It is the port on this switch with the lowest path cost to the root (the root path cost). If there is no root port, then this bridge has been accepted as the root bridge of the spanning tree network.
For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN.
5.4.3 How STP Works
After a bridge determines the lowest-cost spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops.
STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology.
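The role assignment described in sections 5.4.2 and 5.4.3 can be worked through on a small looped topology. This is an added example, not ZyXEL's code. Assumptions: bridges are identified by small integers and the lowest ID becomes the root, every link is point-to-point, and the bridge-to-bridge link is given the 10Mbps cost from Table 14.

```python
# Recommended path costs from Table 14 (link speed in Mbps -> cost).
PATH_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 10000: 2}


def spanning_tree(bridges, links):
    """Compute STP roles for bridges joined by point-to-point links.

    bridges: iterable of integer bridge IDs. Assumption: the lowest ID wins
             the root election (the page does not describe the election).
    links:   list of (bridge_a, bridge_b, speed_mbps) tuples; the topology
             is assumed to be connected.
    """
    bridges = sorted(bridges)
    root = bridges[0]

    # Root path cost of every bridge: relax link costs until nothing changes.
    cost = {b: float("inf") for b in bridges}
    cost[root] = 0
    changed = True
    while changed:
        changed = False
        for a, b, speed in links:
            for near, far in ((a, b), (b, a)):
                candidate = cost[near] + PATH_COST[speed]
                if candidate < cost[far]:
                    cost[far] = candidate
                    changed = True

    # Root port: the link with the lowest path cost to the root
    # (ties broken by the lower neighbour ID).
    root_port, upstream = {}, {}
    for bridge in bridges[1:]:
        options = []
        for index, (a, b, speed) in enumerate(links):
            if bridge in (a, b):
                neighbour = b if bridge == a else a
                options.append((cost[neighbour] + PATH_COST[speed], neighbour, index))
        _, upstream[bridge], root_port[bridge] = min(options)

    # Designated bridge per link: the end with the lowest cost to the root.
    # The other end forwards only if this link is its root port; otherwise
    # its port is blocked, which is what removes the loop.
    blocked = []
    for index, (a, b, _speed) in enumerate(links):
        designated = min((a, b), key=lambda x: (cost[x], x))
        other = b if designated == a else a
        if root_port.get(other) != index:
            blocked.append((other, designated))

    return {"root": root, "root_path_cost": cost,
            "upstream": upstream, "blocked": blocked}


# Constructed topologies. Bridges 2 and 3 are both wired to bridge 1 at
# 100Mbps and are also linked to each other, which forms a loop.
LOOPED = [(1, 2, 100), (1, 3, 100), (2, 3, 10)]
# The same network after bridge 3 loses its wired link.
UPLINK_DOWN = [(1, 2, 100), (2, 3, 10)]

if __name__ == "__main__":
    for name, links in (("looped", LOOPED), ("uplink down", UPLINK_DOWN)):
        print(name, spanning_tree([1, 2, 3], links))
```

In the looped case bridge 3 blocks its port toward bridge 2; once its wired link is gone, the same port becomes its root port and the link serves as the backup path.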
5.4.4 STP Port States
STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops.
Table 15 STP Port States
| PORT STATES | DESCRIPTIONS |
| --- | --- |
| Disabled | STP is disabled (default). |
| Blocking | Only configuration and management BPDUs are received and processed. |
| Listening | All BPDUs are received and processed. |
| Learning | All BPDUs are received and processed. Information frames are submitted to the learning process but not forwarded. |
| Forwarding | All BPDUs are received and processed. All information frames are received and forwarded. |

5.5 Wireless Screen Overview

The following is a list of the screens you can configure on the ZyXEL Device.
1 Configure the ZyXEL Device to operate in AP, AP+Bridge, Bridge/Repeater or MBSSID mode in the Wireless screen. You can also select an SSID Profile in the Wireless screen.
2 Use the SSID screens to view and edit SSID profiles.
3 Use the Security screen to configure wireless profiles.
4 Use the RADIUS screen to configure RADIUS authentication and accounting settings.
5 Use the Layer-2 Isolation screen to prevent wireless clients associated with your ZyXEL Device from communicating with other wireless clients, APs, computers or routers in a network.
6 Use the MAC Filter screen to allow or restrict access to your wireless network based on a client’s MAC address.

5.6 Configuring Wireless Settings

Click WIRELESS > Wireless. The screen varies depending upon the operating mode you select.
5.6.1 Access Point Mode
Select Access Point as the Operating Mode to display the screen as shown next.
Figure 38 Wireless: Access Point
The following table describes the general wireless LAN labels in this screen.
Table 16 Wireless: Access Point
| LABEL | DESCRIPTION |
| --- | --- |
| Operating Mode | Select Access Point from the drop-down list. |
| 802.11 Mode | Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyXEL Device. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. Select 802.11b+g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL Device might be reduced. Select 802.11a to allow only IEEE 802.11a compliant WLAN devices to associate with the ZyXEL Device. |
| Super Mode | Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting. |
| Choose Channel ID | Set the operating frequency/channel depending on your particular region. To manually set the ZyXEL Device to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network. To have the ZyXEL Device automatically select a channel, click Scan instead. |
| Scan | Click this button to have the ZyXEL Device automatically scan for and select the channel with the least interference. |
| RTS/CTS Threshold | (Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 256 and 2346. |
| Fragmentation Threshold | The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2346. |
| Output Power | Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power of the ZyXEL Device to reduce interference with other APs. Select one of the following 100%(Full Power), 50%, 25%, 12.5% or Minimum. See the product specifications for more information on your ZyXEL Device’s output power. |
| SSID Profile | The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Select an SSID Profile from the drop-down list box. Configure SSID profiles in the SSID screen (see Section 7.2 on page 100 for information on configuring SSID). Note: If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device’s SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device’s new settings. |
| Enable Breathing LED | Select this check box to enable the “breathing” LED, also known as the ZyAIR LED. The blue ZyAIR LED is on when the ZyXEL Device is receiving power and blinks (or breathes) when data is being transmitted to and from its wireless stations. Clear the check box to turn this LED off even when the ZyXEL Device is on and data is being transmitted and received. |
| Enable Spanning Tree Control (STP) | (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select the check box to activate STP on the ZyXEL Device. |
| Roaming Active | Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another. Select this checkbox to enable roaming on the ZyXEL Device if you have two or more ZyXEL Devices on the same subnet. Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming. |
| Apply | Click Apply to save your changes. |
| Reset | Click Reset to begin configuring this screen afresh. |
5.6.2 Bridge/Repeater Mode
The ZyXEL Device can act as a wireless network bridge and establish wireless links with other APs. You need to know the MAC address of the peer device, which also must be in bridge mode.
The ZyXEL Device can establish up to five wireless links with other APs.
In the example below, when both ZyXEL Devices are in Bridge/Repeater mode, they form a WDS (Wireless Distribution System) allowing the computers in LAN 1 to connect to the computers in LAN 2.
Figure 39 Bridging Example
Be careful to avoid bridge loops when you enable bridging in the ZyXEL Device. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following examples show two network topologies that can lead to this problem:
• If two or more ZyXEL Devices (in bridge mode) are connected to the same hub.
Figure 40 Bridge Loop: Two Bridges Connected to Hub
• If your ZyXEL Device (in bridge mode) is connected to a wired LAN while communicating with another wireless bridge that is also connected to the same wired LAN.
Figure 41 Bridge Loop: Bridge Connected to Wired LAN
To prevent bridge loops, ensure that you enable STP in the Wireless screen or that your ZyXEL Device is not set to bridge mode while connected to both wired and wireless segments of the same LAN.
To have the ZyXEL Device act as a wireless bridge only, click WIRELESS > Wireless and select Bridge/Repeater as the Operating Mode.
Figure 42 Wireless: Bridge/Repeater
The following table describes the bridge labels in this screen.
Table 17 Wireless: Bridge/Repeater
| LABEL | DESCRIPTIONS |
| --- | --- |
| Operating Mode | Select Bridge/Repeater in this field. |
| 802.11 mode | Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyXEL Device. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. Select 802.11b+g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL Device might be reduced. Select 802.11a to allow only IEEE 802.11a compliant WLAN devices to associate with the ZyXEL Device. |
| Choose Channel ID | Set the operating frequency/channel depending on your particular region. To manually set the ZyXEL Device to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network. To have the ZyXEL Device automatically select a channel, click Scan instead. |
| RTS/CTS Threshold | (Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 256 and 2346. |
| Fragmentation Threshold | The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2346. |
| Output Power | Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power of the ZyXEL Device to reduce interference with other APs. Select from 100% (Full Power), 50%, 25%, 12.5% and Minimum. See the product specifications for more information on your ZyXEL Device’s output power. |
| Enable WDS Security | Select the check box to enable WDS on your ZyXEL Device. A Wireless Distribution System (WDS) is a wireless connection between two or more APs. If you do not select the check box, traffic between APs is not encrypted. When you select the check box, you are prompted to type a Pre-Shared Key (PSK). The ZyXEL Device uses TKIP to encrypt traffic on the WDS between APs. Note: Other APs must use the same encryption method to enable WDS. |
| # | This is the index number of the bridge connection. |
| Active | Select the check box to enable the bridge connection. Otherwise, clear the check box to disable it. |
| Remote Bridge MAC Address | Type the MAC address of the peer device in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc. |
| PSK | Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). |
See Table 16 on page 75 for information on the other labels in this screen.
5.6.3 AP+Bridge Mode
Select AP+Bridge as the Operating Mode in the WIRELESS > Wireless screen to have the ZyXEL Device function as a bridge and access point simultaneously. See the section on applications for more information.
Figure 43 Wireless: AP+Bridge
See the tables describing the fields in the Access Point and Bridge/Repeater operating modes for descriptions of the fields in this screen.
5.6.4 MBSSID Mode
Select MBSSID as the Operating Mode to display the screen. Refer to Chapter 7 on page 97 for configuration and detailed information. See Chapter 6 on page 81 for details on the security settings.
CHAPTER 6

Wireless Security Configuration

This chapter describes how to use the Security and RADIUS screens to configure wireless security on your ZyXEL Device.

6.1 Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless stations, access points and the wired network.
Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by MAC address and hiding the ZyXEL Device’s identity.
6.1.1 Encryption
• Use WPA(2) security if you have WPA(2)-aware wireless clients and a RADIUS server. WPA has user authentication and improved data encryption over WEP.
• Use WPA(2)-PSK if you have WPA(2)-aware wireless clients but no RADIUS server.
• If you don’t have WPA(2)-aware wireless clients, then use WEP key encrypting. A higher bit key offers better security at a throughput trade-off. You can manually enter 64-bit, 128-bit or 152-bit WEP keys.
6.1.2 Restricted Access
The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association).
6.1.3 Hide Identity
If you hide the SSID, then the ZyXEL Device cannot be seen when a wireless client scans for local APs. The trade-off for the extra security of “hiding” the ZyXEL Device may be inconvenience for some valid WLAN clients.
6.1.4 WEP Encryption
WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key.
Your ZyXEL Device allows you to configure up to four 64-bit, 128-bit or 152-bit WEP keys but only one key can be enabled at any one time.

6.2 802.1x Overview

The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using an external RADIUS server.

6.3 EAP Authentication Overview

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication.
The type of authentication you use depends on the RADIUS server or the AP. The ZyXEL Device supports EAP-TLS, EAP-TTLS, EAP-MD5 and PEAP with RADIUS. Refer to the Types of EAP Authentication appendix for descriptions on the common types.
The following figure shows an overview of authentication when you specify a RADIUS server on your access point.
Figure 44 EAP Authentication
The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x appendix.
1 The wireless station sends a “start” message to the ZyXEL Device.
2 The ZyXEL Device sends a “request identity” message to the wireless station for identity information.
3 The wireless station replies with identity information, including username and password.
4 The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.

6.4 Introduction to WPA

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.
Key differences between WPA(2) and WEP are improved data encryption and user authentication.
6.4.1 User Authentication
WPA or WPA2 applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database.
If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key), which only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.
If the AP or the wireless clients do not support WPA2, use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.
Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.
6.4.2 Encryption
Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. In addition to TKIP, WPA2 also uses Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption.
Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.
WPA2 AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network.
The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs an easier-to-use, consistent, single, alphanumeric password.
6.4.3 WPA(2)-PSK Application Example
A WPA(2)-PSK application looks as follows.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols).
2 The AP checks each wireless client's password and (only) allows it to join the network if the password matches.
3 The AP derives and distributes keys to the wireless clients.
4 The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them.
Figure 45 WPA(2)-PSK Authentication

6.5 WPA(2) with RADIUS Application Example

You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. “A” is the RADIUS server. “DS” is the distribution system.
1 The AP passes the wireless client’s authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
Figure 46 WPA(2) with RADIUS Application Example

6.6 Security Modes

The following table describes the security modes you can configure.
Table 18 Security Modes
SECURITY MODE DESCRIPTION
None Select this to have no data encryption.
WEP Select this to use WEP encryption.
802.1x-Only Select this to use 802.1x authentication with no data encryption.
802.1x-Static64 Select this to use 802.1x authentication with a static 64bit WEP key and an authentication server.
802.1x-Static128 Select this to use 802.1x authentication with a static 128bit WEP key and an authentication server.
WPA Select this to use WPA.
WPA-PSK Select this to use WPA with a pre-shared key.
WPA2 Select this to use WPA2.
WPA2-MIX Select this to use either WPA2 or WPA depending on which security mode the wireless client uses.
WPA2-PSK Select this to use WPA2 with a pre-shared key.
WPA2-PSK-MIX Select this to use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses.

6.7 Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.
Funk Software's Odyssey client is bundled free (at the time of writing) with the client wireless adaptor(s).

6.8 Wireless Security Effectiveness

The following table shows the relative effectiveness of the wireless security methods available on your ZyXEL Device. EAP (Extensible Authentication Protocol) is used for authentication and utilizes static WEP key exchange. It requires interaction with a RADIUS (Remote Authentication Dial-In User Service) server either on the WAN or your LAN to provide authentication service for wireless stations.
Table 19 Wireless Security Levels
SECURITY LEVEL SECURITY TYPE
Least Secure Unique SSID (Default)
Unique SSID with Hide SSID Enabled
MAC Address Filtering
WEP Encryption
IEEE802.1x EAP with RADIUS Server Authentication
Wi-Fi Protected Access (WPA)
Most Secure WPA2
If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device within range.

6.9 Configuring Security

Note: The following screens are configurable only in Access Point, AP+Bridge and MBSSID operating modes.
Use the Security screen to create secure profiles. A security profile is a group of configuration settings which can be assigned to an SSID profile in the SSID configuration screen.
You can configure up to 16 security profiles.
To change your ZyXEL Device’s wireless security settings, click WIRELESS > Security.
Figure 47 Security
The following table describes the labels in this screen.
Table 20 Security
LABEL DESCRIPTION
Index This is the index number of the security profile address.
Profile Name This field displays a name given to a security profile in the Security configuration screen.
Security Mode This field displays the security mode this security profile uses.
Edit Select an entry from the list and click Edit to configure security settings for that profile.
The next screen varies according to the Security Mode you select.
6.9.1 Security: WEP
Select WEP in the Security Mode field to display the following screen.
Figure 48 Security: WEP
The following table describes the labels in this screen.
Table 21 Security: WEP
LABEL DESCRIPTION
Name Type a name to identify this security profile.
Security Mode Choose WEP in this field.
WEP Encryption Select Disable to allow wireless stations to communicate with the access points without any data encryption. Select 64-bit WEP, 128-bit WEP or 152-bit WEP to enable data encryption.
Authentication Method Select Auto, Open System or Shared Key from the drop-down list box. The default setting is Auto.
ASCII Select this option to enter ASCII characters as the WEP keys.
Hex Select this option to enter hexadecimal characters as the WEP keys. The preceding “0x” is entered automatically.
Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission.
If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F").
If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F").
If you chose 152-bit WEP, then enter 16 ASCII characters or 32 hexadecimal characters ("0-9", "A-F").
You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
Apply Click Apply to save your changes.
Reset Click Reset to begin configuring this screen afresh.
6.9.2 Security: 802.1x Only
Select 802.1x Only in the Security Mode field to display the following screen.
Figure 49 Security: 802.1x Only
The following table describes the labels in this screen.
Table 22 Security: 802.1x Only
LABEL DESCRIPTION
Name Type a name to identify this security profile.
Security Mode Choose 802.1x Only in this field.
ReAuthentication Timer Specify how often wireless stations have to resend user names and passwords in order to stay connected.
Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again.
This value is usually smaller when the wireless network is keeping track of how much time each wireless station is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again.
The default time interval is 3600 seconds (or 1 hour).
Apply Click Apply to save your changes.
Reset Click Reset to begin configuring this screen afresh.
6.9.3 Security: 802.1x Static 64-bit, 802.1x Static 128-bit
Select 802.1x Static 64 or 802.1x Static 128 in the Security Mode field to display the following screen.
Figure 50 Security: 802.1x Static 64-bit, 802.1x Static 128-bit
The following table describes the labels in this screen.
Table 23 Security: 802.1x Static 64-bit, 802.1x Static 128-bit
LABEL DESCRIPTION
Name Type a name to identify this security profile.
Security Mode Choose 802.1x Static 64 or 802.1x Static 128 in this field.
ASCII Select this option to enter ASCII characters as the WEP keys.
Hex Select this option to enter hexadecimal characters as the WEP keys. The preceding “0x” is entered automatically.
Key 1 to Key 4 If you chose 802.1x Static 64, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
If you chose 802.1x Static 128-bit, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.
There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless stations.
The preceding “0x” is entered automatically. You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
ReAuthentication Timer Specify how often wireless stations have to resend user names and passwords in order to stay connected.
Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again.
This value is usually smaller when the wireless network is keeping track of how much time each wireless station is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again.
The default time interval is 3600 seconds (or 1 hour).
Apply Click Apply to save your changes.
Reset Click Reset to begin configuring this screen afresh.
6.9.4 Security: WPA
Select WPA in the Security Mode field to display the following screen.
Figure 51 Security: WPA
The following table describes the labels in this screen.
Table 24 Security: WPA
LABEL DESCRIPTION
Name Type a name to identify this security profile.
Security Mode Choose WPA in this field.
ReAuthentication Timer Specify how often wireless stations have to resend user names and passwords in order to stay connected.
Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again.
This value is usually smaller when the wireless network is keeping track of how much time each wireless station is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again.
The default time interval is 3600 seconds (or 1 hour).
Group Key Update Timer The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The ZyXEL Device default is 1800 seconds (30 minutes).
Apply Click Apply to save your changes.
Reset Click Reset to begin configuring this screen afresh.
6.9.5 Security: WPA2 or WPA2-MIX
Select WPA2 or WPA2-MIX in the Security Mode field to display the following screen.
Figure 52 Security: WPA2 or WPA2-MIX
The following table describes the labels not previously discussed.
Table 25 Security: WPA2 or WPA2-MIX
LABEL DESCRIPTIONS
Name Type a name to identify this security profile.
Security Mode Choose WPA2 or WPA2-MIX in this field.
ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay connected.
Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again.
This value is usually smaller when the wireless network is keeping track of how much time each wireless station is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again.
The default time interval is 3600 seconds (or 1 hour).
Group Key Update Timer The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The ZyXEL Device’s default is 1800 seconds (30 minutes).
PMK Cache When a wireless client moves from one AP’s coverage area to another, it performs an authentication procedure (exchanging security information) with the new AP. Instead of re-authenticating a client each time it returns to the AP’s coverage area, which can cause delays to time-sensitive applications, the AP and the client can store (or “cache”) and use information about their previous authentication. Select Enable to allow PMK caching, or Disable to switch this feature off.
Pre-Authentication Pre-authentication allows a wireless client to perform authentication with a different AP from the one to which it is currently connected, before moving into the new AP’s coverage area. This speeds up roaming. Select Enable to allow pre-authentication, or Disable to switch it off.
Apply Click Apply to save your changes.
Reset Click Reset to begin configuring this screen afresh.
6.9.6 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX
Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in the Security Mode field to display the following screen.
Figure 53 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX
The following table describes the labels not previously discussed.
Table 26 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX
LABEL DESCRIPTION
Name Type a name to identify this security profile.
Security Mode Choose WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in this field.
Pre-Shared Key The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials.
Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay connected.
Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again. Some wireless clients may prompt users for a username and password; other clients may use saved login credentials. In either case, there is usually a short delay while the wireless client logs in to the wireless network again.
This value is usually smaller when the wireless network is keeping track of how much time each wireless station is connected to the wireless network (for example, using an authentication server). If the wireless network is not keeping track of this information, you can usually set this value higher to reduce the number of delays caused by logging in again.
The default time interval is 3600 seconds (or 1 hour).
Group Key Update Timer The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the group key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK mode. The ZyXEL Device’s default is 1800 seconds (30 minutes).
Apply Click Apply to save your changes.
Reset Click Reset to begin configuring this screen afresh.

6.10 Introduction to RADIUS

RADIUS is based on a client-server model that supports authentication and accounting, where the access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks, among others:
• Authentication: Determines the identity of the users.
• Accounting: Keeps track of the client’s network activity.

6.11 Configuring RADIUS

Use RADIUS if you want to authenticate wireless users using an external server.
You can configure up to four RADIUS server profiles. Each profile also has one backup authentication server and a backup accounting server. These profiles can be assigned to an SSID profile in the SSID configuration screen.
To set up your ZyXEL Device’s RADIUS server settings, click WIRELESS > RADIUS. The screen appears as shown.
Figure 54 RADIUS
The following table describes the labels in this screen.
Table 27 RADIUS
LABEL DESCRIPTION
Index Select the RADIUS profile you want to configure from the drop-down list box.
Profile Name Type a name for the RADIUS profile associated with the Index number above.
Primary Configure the fields below to have user authentication and accounting through external servers.
Backup If the ZyXEL Device cannot communicate with the Primary accounting server, you can have the ZyXEL Device use a Backup RADIUS server. Make sure the Active check boxes are selected if you want to use backup servers.
The ZyXEL Device will attempt to communicate three times before using the Backup servers. Requests can be issued from the client interface to use the backup server. The length of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field in the Security screen.
Active Select the check box to enable user authentication through an external authentication server.
RADIUS Server IP Address Enter the IP address of the external authentication server in dotted decimal notation.
RADIUS Server Port Enter the port number of the external authentication server. The default port number is 1812. You need not change this value unless your network administrator instructs you to do so.
Share Secret Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external authentication server and the ZyXEL Device. The key must be the same on the external authentication server and your ZyXEL Device. The key is not sent over the network.
Active Select the check box to enable user accounting through an external authentication server.
Accounting Server IP Address Enter the IP address of the external accounting server in dotted decimal notation.
Accounting Server Port Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
Share Secret Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the ZyXEL Device. The key must be the same on the external accounting server and your ZyXEL Device. The key is not sent over the network.
Apply Click Apply to save your changes.
Reset Click Reset to begin configuring this screen afresh.
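How a RADIUS shared secret authenticates packets without being sent over the network, as an added example that is not ZyXEL code. It follows RFC 2865 (Response Authenticator) and RFC 3579 (Message-Authenticator); the secret, user name and attribute values are constructed sample values, and the request is simplified to two attributes.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, SESSION_TIMEOUT, MESSAGE_AUTHENTICATOR = 1, 27, 80


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, secret):
    """AP side: returns (packet, request_authenticator).

    The packet carries a random 16-byte Request Authenticator and a
    Message-Authenticator = HMAC-MD5(secret, packet with that field zeroed).
    A real 802.1x request would also carry EAP-Message attributes.
    """
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    unsigned = header + request_auth + attrs
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    # Message-Authenticator is the last attribute here, so its value is the last 16 bytes.
    return unsigned[:-16] + mac, request_auth


def check_access_request(request, secret):
    """Server side: recompute the Message-Authenticator with the field zeroed."""
    zeroed = request[:-16] + bytes(16)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, request[-16:])


def build_access_accept(ident, request_auth, attrs, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request_auth, secret):
    """AP side: accept a reply only if it was built with the same secret
    and answers the request this AP actually sent."""
    if len(response) < 20:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # sample value, same on AP and server
    request, request_auth = build_access_request(7, b"alice", secret)
    print("server accepts request:", check_access_request(request, secret))
    timeout = attr(SESSION_TIMEOUT, struct.pack("!I", 1800))  # sample attribute
    reply = build_access_accept(7, request_auth, timeout, secret)
    print("AP accepts reply:", verify_response(reply, request_auth, secret))
    print("AP accepts reply under wrong secret:",
          verify_response(reply, request_auth, b"some-other-secret"))
```

A mismatch between the Share Secret on the ZyXEL Device and on the server shows up as exactly this verification failure, so replies are dropped even though the server is reachable.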
CHAPTER 7

MBSSID and SSID

This chapter describes how to configure and use your ZyXEL Device’s MBSSID mode and configure SSID profiles.

7.1 Wireless LAN Infrastructures

See the Wireless LAN chapter for some basic WLAN scenarios and terminology.
7.1.1 MBSSID
Traditionally, you needed to use different APs to configure different Basic Service Sets (BSSs). As well as the cost of buying extra APs, there was also the possibility of channel interference. The ZyXEL Device’s MBSSID (Multiple Basic Service Set IDentifier) function allows you to use one access point to provide several BSSs simultaneously. You can then assign varying levels of privilege to different SSIDs.
Wireless stations can use different BSSIDs to associate with the same AP.
7.1.2 Notes on Multiple BSS
• A maximum of eight BSSs are allowed on one AP simultaneously.
• You must use different WEP keys for different BSSs. If two stations have different BSSIDs (they are in different BSSs), but have the same WEP keys, they may hear each other’s communications (but not communicate with each other).
• MBSSID should not replace but rather be used in conjunction with 802.1x security.
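A configuration check for the WEP key rules in the Security: WEP screen and for the note above that each BSS needs its own WEP keys, as an added example that is not ZyXEL code. The profile layout and function names are assumptions made for the example, and the keys are constructed sample values; keys are compared as raw bytes, so an ASCII key and its hexadecimal form count as the same key.

```python
import string

# Key length in bytes for each WEP mode named in this guide
# (5, 13 or 16 ASCII characters; 10, 26 or 32 hexadecimal characters).
WEP_KEY_BYTES = {"64-bit WEP": 5, "128-bit WEP": 13, "152-bit WEP": 16}


def parse_wep_key(value, mode, fmt):
    """Return the raw key bytes, or raise ValueError if the entry breaks the length rules."""
    if mode not in WEP_KEY_BYTES:
        raise ValueError(f"unknown WEP mode {mode!r}")
    size = WEP_KEY_BYTES[mode]
    if fmt == "ascii":
        if len(value) != size or not value.isascii():
            raise ValueError(f"expected {size} ASCII characters, got {len(value)}")
        return value.encode("ascii")
    if fmt == "hex":
        # The web configurator adds the leading "0x" itself; accept either form.
        digits = value[2:] if value.lower().startswith("0x") else value
        if len(digits) != 2 * size or any(c not in string.hexdigits for c in digits):
            raise ValueError(f"expected {2 * size} hexadecimal characters")
        return bytes.fromhex(digits)
    raise ValueError(f"unknown key format {fmt!r}")


def audit_profiles(profiles):
    """Return a list of findings for a list of per-BSS WEP profiles (hypothetical layout)."""
    findings = []
    seen = {}  # raw key bytes -> name of the BSS that first used the key
    for profile in profiles:
        name, keys = profile["bss"], profile["keys"]
        if len(keys) != 4:
            findings.append(f"{name}: {len(keys)} keys configured, all four are required")
        if profile.get("active_key", 1) not in (1, 2, 3, 4):
            findings.append(f"{name}: active key must be 1 to 4")
        for index, value in enumerate(keys, start=1):
            try:
                raw = parse_wep_key(value, profile["mode"], profile["format"])
            except ValueError as err:
                findings.append(f"{name}: key {index}: {err}")
                continue
            owner = seen.setdefault(raw, name)
            if owner != name:
                findings.append(f"{name}: key {index} is also used by {owner}")
    return findings


# Constructed sample profiles: BSS2 key 1 is the hex form of BSS1 key 1,
# and BSS3 has a short key and only three keys.
SAMPLE_PROFILES = [
    {"bss": "BSS1", "mode": "64-bit WEP", "format": "ascii",
     "keys": ["abcde", "fghij", "klmno", "pqrst"], "active_key": 1},
    {"bss": "BSS2", "mode": "64-bit WEP", "format": "hex",
     "keys": ["0x6162636465", "0x1122334455", "0x66778899AA", "0xBBCCDDEEFF"],
     "active_key": 1},
    {"bss": "BSS3", "mode": "128-bit WEP", "format": "ascii",
     "keys": ["thirteenchars", "tooshort", "anotherkey13c"], "active_key": 1},
]

if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_PROFILES):
        print(finding)
```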
7.1.3 Multiple BSS Example
Refer to the applications section for more information.
7.1.4 Multiple BSS with VLAN Example
In this example, VLAN 2 includes the computers in BSS1 and LAN 1. Computers in BSS2 and LAN 2 belong to VLAN 2. Users in BSS1 are limited to accessing the resources on LAN 1 and similarly users in BSS2 may only access resources on LAN 2. VLAN 2 is the management VLAN.
The switch adds PVID (Port VLAN IDentity) tags to incoming frames that don’t already have tags (on switch ports where PVID is enabled).
Figure 55 Multiple BSS with VLAN Example
7.1.5 Configuring Multiple BSSs
Click WIRELESS > Wireless and select MBSSID in the Operating Mode drop-down list box to display the screen as shown.
Figure 56 Wireless: Multiple BSS
The following table describes the labels in this screen.
Table 28 Wireless: Multiple BSS
LABEL DESCRIPTION
Operating Mode Select MBSSID in this field to display the screen as shown.
802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyXEL Device.
Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device.
Select 802.11b+g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL Device might be reduced.
Select 802.11a to allow only IEEE 802.11a compliant WLAN devices to associate with the ZyXEL Device.
Super Mode Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting.
Choose Channel ID Set the operating frequency/channel depending on your particular region. To manually set the ZyXEL Device to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network. To have the ZyXEL Device automatically select a channel, click Scan instead.
Scan Click this button to have the ZyXEL Device automatically select the wireless channel with the lowest interference.
RTS/CTS Threshold The threshold (number of bytes) for enabling RTS/CTS handshake. Data with a frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 800 and 2346.
Fragmentation Threshold The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 256 and 2346.
Output Power Set the output power of the ZyXEL Device in this field. If there is a high density of APs in an area, decrease the output power to reduce interference with other APs. Select one of the following: 100% (Full Power), 50%, 25%, 12.5% or Minimum. See the product specifications for more information on your ZyXEL Device’s output power.
Select SSID Profile An SSID profile is the set of parameters relating to one of the ZyXEL Device’s BSSs. The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating with the access point (AP) must have the same SSID.
Index Select the check box to activate an SSID profile.
Note: If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device’s SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device’s new settings.
Profile Select the profile(s) of the SSIDs you want to use in your wireless network.
You can have up to eight BSSs running on the ZyXEL Device simultaneously, one of which is always the pre-configured VoIP_SSID profile and another of which is always the pre-configured Guest_SSID profile.
Configure SSID profiles in the SSID screen.
Enable Breathing LED Select this check box to enable the Breathing LED, also known as the ZyAIR LED. The blue ZyAIR LED is on when the ZyXEL Device is on and blinks (or breathes) when data is being transmitted to/from its wireless stations. Clear the check box to turn this LED off even when the ZyXEL Device is on and data is being transmitted/received.
Enable Spanning Tree Control (STP) (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select the check box to activate STP on the ZyXEL Device.
Roaming Active Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another. Select this checkbox to enable roaming on the ZyXEL Device if you have two or more ZyXEL Devices on the same subnet.
Apply Click Apply to save your changes.
Reset Click Reset to begin configuring this screen afresh.

7.2 SSID

When the ZyXEL Device is set to Access Point, AP+Bridge or MBSSID mode, you need to choose the SSID profile(s) you want to use in your wireless network (see Section 5.5 on page 74 for more information on operating modes).
Use the WIRELESS > SSID screen to see information about the SSID profiles on the ZyXEL Device, and use the WIRELESS > SSID > Edit screen to configure the SSID profiles.
7.2.1 The SSID Screen
Click WIRELESS > SSID to display the screen as shown.
Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming.