www.zyxel.com
NXC Series
NXC 2500/ 5500
NXC Controllers
Firmware Version 5.40
Edition 11, 06/2019
Handbook
Default Login Details
LAN Port IP Address |
https://192.168.1.1 |
User Name |
admin |
Password |
1234 |
Copyright © 2019 ZyXEL
Communications Corporation
1/309
www.zyxel.com
Contents |
|
Manage APs through NXC Controller.......................................................... |
8 |
1.1 How to Manage APs through NXC Controller ....................................... |
8 |
1.1.1 Configuration in the AP................................................................... |
9 |
1.1.2 Test the Result ................................................................................. |
10 |
1.1.3 What Could Go Wrong?............................................................... |
11 |
1.2 How to Enlarge Managed AP Number with License .......................... |
12 |
1.2.1 Device Registration ....................................................................... |
13 |
1.2.2 Service Registration ....................................................................... |
14 |
1.2.3 License Refresh............................................................................... |
14 |
1.2.4 Test the Result ................................................................................. |
15 |
Set up a Wireless Connection Environment .............................................. |
16 |
2.1 How to configure with the Wizard Setting............................................ |
16 |
2.1.1 How to configure the Wizard Setting with First login? .............. |
17 |
2.1.2 Test the Result ................................................................................. |
26 |
2.1.3 What Could Go Wrong?............................................................... |
28 |
2.2 How to Set WiFi Multiple SSID for Office Environment? ....................... |
29 |
2.2.1 When USG is DHCP Server for VLAN10 and VLAN20 ........................ |
29 |
2.2.1.1 Configure NXC’s Interface to Go to Internet ......................... |
30 |
2.2.1.2 Configure VLAN .......................................................................... |
31 |
2.2.1.3 Configure Security and SSID...................................................... |
33 |
2.2.1.4 Configure AP Profile to Broadcast SSID ................................... |
36 |
2.2.2 When NXC is DHCP Server for VLAN10 and VLAN20 ....................... |
37 |
2.2.2.2 Configure Interface ge1 to Go to Internet ............................. |
38 |
2.2.2.2 Configure VLAN .......................................................................... |
39 |
2.2.2.3 Set Policy Route .......................................................................... |
43 |
2.2.2.4 Configure Security and SSID...................................................... |
45 |
2.2.2.5 Configure AP Profile to Broadcast SSID ................................... |
48 |
2.2.3 Test the Result ................................................................................. |
49 |
2.2.4 What Could Go Wrong?............................................................... |
50 |
2.3 How to Set up Fail Over/Fall Back?...................................................... |
51 |
2.3.1 Configure Fail Over and Fall Back .............................................. |
52 |
2.3.2 Test the Result ................................................................................. |
53 |
2.3.3 What Could Go Wrong?............................................................... |
54 |
2.4 How to Set up Mesh to Extend Wireless Coverage?........................... |
55 |
|
2/309 |
www.zyxel.com
2.4.1 Configure ZyMesh Profile .............................................................. |
56 |
2.4.2 Configure Root AP and Repeater AP......................................... |
57 |
2.4.3 Test the Result ................................................................................. |
58 |
2.4.4 What Could Go Wrong?............................................................... |
59 |
2.5 How to Set up Seamless Wireless Roaming?....................................... |
61 |
2.5.1 Configure APs via AP Group ........................................................ |
62 |
2.5.2 Test the Result ................................................................................. |
65 |
2.5.3 What Could Go Wrong?............................................................... |
66 |
2.6 How to implement Wireless VoIP Best Practice (VoWiFi)? ................. |
68 |
2.6.1 Configure Interface....................................................................... |
69 |
2.6.2 Configure AP profile with Security, SSID and radio................... |
71 |
2.6.3 Configure AP Group...................................................................... |
74 |
2.6.4 Test the Result ................................................................................. |
75 |
2.6.5 What Could Go Wrong?............................................................... |
76 |
Optimize the Wireless Environment............................................................ |
79 |
3.1 How to Set up User Ratio of 2.4GHz and 5GHz to Avoid WiFi |
|
Congestion? ................................................................................................. |
79 |
3.1.1 Configure Band Select.................................................................. |
80 |
3.1.2 Test the Result ................................................................................. |
83 |
3.1.3 What Could Go Wrong?............................................................... |
84 |
3.2 How to Set up RSSI Threshold to Avoid Low Rate User Connection |
|
Affected Wireless Performance?................................................................ |
85 |
3.2.1 Configure Radio Setting for RSSI Threshold ................................ |
86 |
3.2.2 Apply Radio with RSSI Threshold .................................................. |
87 |
3.2.3 Test the Result ................................................................................. |
88 |
3.3 How to Set up Rate Limiting for Bandwidth Control? .......................... |
89 |
3.3.1 Configure Rate Limiting ................................................................ |
90 |
3.3.2 Apply Rate Limiting to Management AP ................................... |
91 |
3.3.3 Test the Result ................................................................................. |
92 |
3.4 How to Share AP loading to Optimize Wireless Performance? ......... |
93 |
3.4.1 Configure Load Balance to “by Station Number” ................... |
94 |
3.4.2 Configure Load Balance to “by Traffic Level” .......................... |
95 |
3.4.3 Configure Load Balance to “by Smart Classroom” ................. |
96 |
3.4.4 Test the Result ................................................................................. |
97 |
3.4.5 What Could Go Wrong?............................................................... |
99 |
Secure the Wireless Environment - 802.1x............................................... |
100 |
|
3/309 |
www.zyxel.com
4.1 How to Configure 802.1x to Secure the Wireless Environment with an
External RADIUS Server? ............................................................................ |
100 |
4.1.1 Configure Radius Server Setting ................................................ |
101 |
4.1.2 Configure AP Profile .................................................................... |
102 |
4.1.3 Test the Result ............................................................................... |
104 |
4.1.4 What Could Go Wrong ............................................................... |
109 |
4.2 How to Configure 802.1x to Secure the Wireless Environment with an |
|
External AD Server? ................................................................................... |
110 |
4.2.1 Configure AD Server Setting....................................................... |
111 |
4.2.2 Configure AP Profile .................................................................... |
114 |
4.2.3 Test the Result ............................................................................... |
116 |
4.2.4 What Could Go Wrong ............................................................... |
121 |
4.3 How to Configure 802.1x to Secure the Wireless Environment with an |
|
External LDAP Server?................................................................................ |
122 |
4.3.1 Configure LDAP Server Setting................................................... |
123 |
4.3.2 Configure AP Profile .................................................................... |
125 |
4.3.3 Test the Result ............................................................................... |
127 |
4.3.4 What Could Go Wrong ............................................................... |
128 |
4.4 How to Configure 802.1x to Secure the Wireless Environment with an |
|
Internal RADIUS in NXC?............................................................................ |
129 |
4.4.1 Configure Authentication Method Setting .............................. |
130 |
4.4.2 Configure AP Profile .................................................................... |
132 |
4.4.3 Test the Result ............................................................................... |
134 |
4.5 How to Configure 802.1x to secure the Wireless Environment with |
|
Dynamic VLAN by Using External AAA server? ...................................... |
137 |
4.5.1 Configure Interface..................................................................... |
138 |
4.5.2 Configure AP Profile .................................................................... |
143 |
4.5.3 Configure AAA Server Setting.................................................... |
145 |
Topic: Dynamic VLAN by radius attribute.................................. |
152 |
4.5.4 Test the Result ............................................................................... |
162 |
4.5.4.2 Dynamic VLAN by External User Group................................. |
164 |
4.5.5 What Could Go Wrong ............................................................... |
166 |
4.6 How to Configure 802.1x EAP-TLS to Secure the Wireless Environment |
|
with Self-Signed Certificate? .................................................................... |
167 |
4.6.1 Configure Certificate .................................................................. |
168 |
4.6.2 Configure AP profile .................................................................... |
172 |
|
4/309 |
www.zyxel.com
4.6.3 Test the Result ............................................................................... |
174 |
4.6.4 What Could Go Wrong?............................................................. |
177 |
4.7 How to Configure 802.1x EAP-TLS to Secure the Wireless Environment |
|
with Third-party CA Certificate? ............................................................... |
179 |
4.7.1 Configure Certificate .................................................................. |
180 |
4.7.2 Configure AP profile .................................................................... |
185 |
4.7.3 Configure Auth. Server................................................................ |
187 |
4.7.4 Test the Result ............................................................................... |
188 |
4.7.5 What Could Go Wrong?............................................................. |
191 |
Secure the Wireless Environment – Captive portal................................. |
192 |
5.1 How to Configure Captive Portal Redirect on Controller?............... |
192 |
5.1.1 Configure Authentication Method Setting .............................. |
194 |
5.1.2 Configure Captive Portal ........................................................... |
195 |
5.1.3 Configure AP Profile when USG is the Gateway..................... |
197 |
5.1.4 Configure AP Profile when NXC is the Gateway .................... |
199 |
5.1.5 Test the Result ............................................................................... |
203 |
5.1.6 What Could Go Wrong ............................................................... |
205 |
5.2 How to Configure Captive Portal Redirect on AP? ........................... |
206 |
5.2.1 Configure AP Profile and User.................................................... |
207 |
5.2.2 Configure Captive Portal ........................................................... |
209 |
5.2.3 Broadcast SSlD.............................................................................. |
211 |
5.2.4 Test the Result ............................................................................... |
212 |
5.2.5 What Could Go Wrong ............................................................... |
213 |
5.3 How to Configure Captive Portal with QR Code?............................. |
214 |
5.3.1 Configure AP Profile .................................................................... |
215 |
5.3.2 Configure VLAN ........................................................................... |
217 |
5.3.3 Create Assistance Account ....................................................... |
219 |
5.3.4 Set Guest Address & Zone .......................................................... |
220 |
5.3.5 Configure Captive Portal ........................................................... |
221 |
5.3.6 Broadcast SSlD.............................................................................. |
224 |
5.3.7 Test the Result ............................................................................... |
225 |
5.3.8 What Could Go Wrong ............................................................... |
227 |
5.4 How to Configure Captive Portal with External Webserver? ........... |
229 |
5.4.1 Configure Interface..................................................................... |
230 |
5.4.2 Configure Authentication Method Setting & Address........... |
233 |
5.4.3 Configure Captive Portal ........................................................... |
235 |
|
5/309 |
www.zyxel.com
5.4.4 |
Configure AP Profile .................................................................... |
237 |
5.4.5 Test the Result ............................................................................... |
238 |
|
5.4.6 What Could Go Wrong ............................................................... |
239 |
|
5.5 How to Configure Multiple Captive Portals for different users? ....... |
240 |
|
5.5.1 Configure AP Profile and User.................................................... |
241 |
|
5.5.2 Configure Captive Portal ........................................................... |
243 |
|
5.5.3 Broadcast SSlD.............................................................................. |
246 |
|
5.5.4 Test the Result ............................................................................... |
248 |
|
5.5.5 What Could Go Wrong ............................................................... |
250 |
|
Secure the Wireless Environment – Others .............................................. |
251 |
|
6.1 How to Configure MAC Authentication?........................................... |
251 |
|
6.1.1 Configure AP Profile .................................................................... |
252 |
|
6.1.2 Configure User/Group Profile..................................................... |
253 |
|
6.1.3 Configure Authentication Method Setting .............................. |
254 |
|
6.1.4 Configure AP Group Profile ........................................................ |
255 |
|
6.1.5 Test the Result ............................................................................... |
256 |
|
6.2 MAC Authentication fallback to Captive Portal?............................. |
258 |
|
6.2.1 Configure AP Profile .................................................................... |
259 |
|
6.2.2 Configure User/Group Profile..................................................... |
260 |
|
6.2.3 Configure Authentication Method Setting .............................. |
261 |
|
6.2.4 Configure Captive Portal Setting .............................................. |
262 |
|
6.2.5 Configure AP Group Profile ........................................................ |
264 |
|
6.2.6 Test the Result ............................................................................... |
265 |
|
6.2.7 What Could Go Wrong ............................................................... |
269 |
|
6.3 How to Defect the Rogue AP? ............................................................ |
270 |
|
6.3.1 Configure AP to Monitor Mode ................................................. |
271 |
|
6.3.2 Detected Devices and Containment ...................................... |
272 |
|
6.3.3 Test the Result ............................................................................... |
273 |
|
6.4 How to monitor the traffic and stations on web GUI? ...................... |
274 |
|
Maintain NXC Controller ........................................................................... |
276 |
|
7.1 How to Do Firmware upgrade ............................................................ |
276 |
|
7.1.1 Firmware from GUI? .......................................................................... |
277 |
|
7.1.1.1 Firmware Upgrade on GUI....................................................... |
278 |
|
7.1.1.2 Test the Result ............................................................................ |
279 |
|
7.1.1.3 What Could Go Wrong ............................................................ |
280 |
|
7.1.2 Firmware from FTP? ........................................................................... |
281 |
|
|
|
6/309 |
www.zyxel.com
7.1.2.1 Firmware Upgrade on GUI....................................................... |
282 |
7.1.2.2 Test the Result ............................................................................ |
284 |
7.1.2.3 What Could Go Wrong ............................................................ |
285 |
7.2 How to Reset the Controller/AP? ........................................................ |
286 |
7.2.1 Reset to Default from GUI........................................................... |
287 |
7.2.2 Reset to Default from Hardware ............................................... |
288 |
7.2.3 Test the Result ............................................................................... |
289 |
7.3 How to upgrade the firmware for AP via NXC? ................................ |
290 |
7.3.1 How to Change the Updating Method for the AP as Manual?..... |
291 |
7.3.1.1 Change the Updating Method via GUI ................................ |
291 |
7.3.1.2 Test the Result ............................................................................ |
292 |
7.3.2 How to upgrade the specific AP firmware manually? .................. |
293 |
7.3.2.1 Upgrade the AP firmware via GUI.......................................... |
293 |
7.3.2.2 Test the Result ............................................................................ |
294 |
7.3.2.3 What Could Go Wrong ............................................................ |
295 |
7.3.3 How to upgrade the firmware for AP group? ................................. |
296 |
7.3.3.1 Upgrade the firmware for AP group via GUI ........................ |
296 |
7.3.3.2 Test the Result ............................................................................ |
297 |
7.3.3.3 What Could Go Wrong ............................................................ |
297 |
7.4 How to Upgrade the AP firmware via cloud? ................................... |
298 |
7.4.1 Upgrade the firmware for AP group via GUI ........................... |
298 |
7.4.2 Test the Result ............................................................................... |
300 |
7.4.3 What Could Go Wrong ............................................................... |
300 |
Trouble Shooting ........................................................................................ |
301 |
8.1 How to Collect the Diagnostic Info? .................................................. |
301 |
8.1.1 Collect Diagnostic Info ............................................................... |
302 |
8.1.2 Test the Result ............................................................................... |
304 |
8.2 How to Configure the E-mail Settings for Sending Logs? ................. |
305 |
8.2.1 Configure Log & Report.............................................................. |
306 |
8.2.2 Test the Result ............................................................................... |
308 |
7/309
www.zyxel.com
Manage APs through NXC Controller
1.1 How to Manage APs through NXC Controller
This example shows how to use the NXC controller to manage APs via manual setting, DHCP option 138 and broadcast. In this case shown as below, there are two subnets in the environment. The APs can find NXC controller in the same subnet via broadcasting without any settings. The APs in different subnet can find NXC controller by manually setting NXC controller’s IP or DHCP option 138 in DHCP server.
Figure 1.1 Manage APs through NXC Controller
Note:
All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG20v2 (Firmware Version: V4.15), NXC5500 (Firmware Version: 5.40), GS2210-8HP (Firmware Version: V4.30).
8/309
www.zyxel.com
1.1.1Configuration in the AP
1In the same subnet (for AP1 and AP2), the APs don’t need to do any setting. The APs can find the NXC controller via broadcast and NXC controller always accepts APs to managed list by default. The NXC controller manages the APs without any setting.
2In the different subnet (for AP3 and AP4), the APs need to set the NXC controller’s IP manually. Go to CONFIGURATION > Network > AC Discovery, set Discovery Setting to Manual and set the NXC controller’s IP 192.168.1.55 to Primary static AC IP. Click Apply to apply the setting.
3Or, you can use DHCP option 138 in the DHCP server for the APs which are in the different subnet from NXC controller.
9/309
www.zyxel.com
1.1.2Test the Result
1When the APs and the NXC controller are in the same subnet, the NXC controller manages the APs without any settings. The result is visible in MONITOR > Wireless > AP Information > AP List.
2When the APs and the NXC controller are in the different subnets, the APs can find NXC controller through manually setting NXC controller’s IP or DHCP option 138. After the APs find the NXC controller, the NXC controller can manage the APs. The result is visible in MONITOR > Wireless > AP Information > AP List.
10/309
www.zyxel.com
1.1.3What Could Go Wrong?
1To make sure the NXC controller goes to correct traffic routing, please remember to set up the gateway in NXC controller.
2When you use the manual NXC controller IP or DHCP option 138, please make sure the NXC controller’s IP is correct so that the APs can find the NXC controller.
11/309
www.zyxel.com
1.2 How to Enlarge Managed AP Number with License
This example shows how to enlarge managed AP number with license. The default managed AP number for NXC2500 is 8 units and NXC5500 is 64 units. If you want to control more than default managed units, it’s necessary to import the license to enlarge managed AP number.
Figure 1.2 Enlarge Managed AP Number
Note:
All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG20v2 (Firmware Version: V4.15), NXC2500 (Firmware Version: 5.40), GS2210-8HP (Firmware Version: V4.30).
12/309
www.zyxel.com
1.2.1Device Registration
1Click the hyperlink on NXC controller’s GUI to connect portal.myzyxel.com in CONFIGURATION > Licensing > Registration.
2After log in the registration portal, click the Device Registration to register a device by filling in the MAC Address and Serial Number. Click Submit.
3Click Next to activate security services on the device, and click Close in next step.
13/309
www.zyxel.com
1.2.2Service Registration
1Click Service Registration and fill in the License Key. Click
Submit to register the license key.
2Click Service Management, and click the Link. Select a device, and then click Submit to activate the license key for the selected device.
1.2.3License Refresh
1Click Service License Refresh in below path of NXC controller web GUI. Go to CONFIGURATION > Licensing >
Registration.
14/309
www.zyxel.com
1.2.4Test the Result
1The Count of Managed AP number changes from 8 to 16 in CONFIGURATION > Licensing > Registration.
15/309
www.zyxel.com
Set up a Wireless Connection Environment
2.1 How to configure with the Wizard Setting.
This example shows how to get start with Wizard. It will be easier to complete the deployment configuration of the AP and the NXC. The Wizard setting includes Uplink Connection, VLAN Setting and AP Profile. The NXC will be the DHCP server for the stations, and all the guest stations must pass the captive portal authentication. NXC5500 does not support Wizard Setting now.
Figure 2.1 Add configuration via Wizard settings.
Note:
All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG210 (Firmware Version: V4.30), GS2210 (Firmware Version: V4.50), NXC2500 (Firmware Version: 5.40)
16/309
www.zyxel.com
2.1.1How to configure the Wizard Setting with First login?
1Change the Password Setting to the private one. Configure the correct Time Setting. Enable Daylight Saving if needed. Click Next.
2Configure the Uplink Connection which will be connected to the USG as 10.214.30.33/24, and the gateway is USG LAN IP address 10.214.30.1. Add the DNS server as 8.8.8.8. Configure the Management VLAN to manage AP. The default setting IP address is 172.16.1.1/24 and enable DHCP server. Click Next.
17/309
www.zyxel.com
3Add VLAN interfaces for Employee and Guest.
a.Add Interface for Guest. Click Add to create a service VLAN for guests.
18/309
www.zyxel.com
b.Set the configuration as below:
Tagged VLAN ID:10,
Guest VLAN is Enable. (Guest VLAN: This field displays if this is a guest VLAN and if the captive portal feature is enabled.)
Restrict Intranet Access: Enable
(Restrict Intranet Access: define the local networks to which wireless clients cannot have access)
Captive Portal: Enable.
Create Dynamic Guest Manager: fill in the guest manager information.
Fill in the IP address, Subnet Mask, and DHCP setting. Click OK.
19/309
www.zyxel.com
c.Add Interface for Employee. Click Add to create a service VLAN for guests.
d.Set the configuration as below:
Tagged VLAN ID: 20
Fill in the IP address, Subnet Mask, and DHCP setting. Click OK.
20/309
www.zyxel.com
e. Click Next.
4Configure the SSID profile.
a.Edit the SSID profile for Guest
Double click the SSID profile to modify the configuration.
21/309
www.zyxel.com
b.Edit the first SSID Profile for Guest VLAN.
Wireless Name (SSID): Guest
Guest VLAN: Enable (it will fill in the Guest VLAN setting automatically.)
Security Mode: WPA2 Pre-Shared Key: 12345678 Click OK.
22/309
www.zyxel.com
c.Edit the second SSID Profile for Employee. Double click the SSID profile to modify the configuration.
d.Set the configuration as below:
Tagged VLAN ID: 20 Security Mode: WPA2 Pre-Shared Key: 1357924680 Click OK.
23/309
www.zyxel.com
e. Click Next.
5Modify the Radio setting for the AP. Adjust the Output Power for both of the channels, and Channel Width for 5GHz.
24/309
www.zyxel.com
6Get the Summary page and confirm if all of the configurations can match to the environment. If yes, click Save.
If not, click Prev to modify the setting.
7Here is the page after click Save from item 6. Click OK. And refresh the browser to re-login.
25/309
www.zyxel.com
2.1.2 Test the Result
Connect NXC P1 to USG LAN, and NXC P2 to Switch. And connect AP to the Switch.
1 Login with guest-manager account.
2Dynamic Guest User Group: Wiz_Dynamic_Guest Click Apply.
3User a station connect to the SSID “Guest” and login with the Guest account. Monitor the account via the Monitor > System Status > Login Users > Login Users.
26/309
www.zyxel.com
4 Use a station to connect to the SSID “Employee”.
27/309
www.zyxel.com
2.1.3What Could Go Wrong?
1The object which is created by the Wizard cannot be deleted via the web GUI. It must be modified via the Wizard setting again.
2If there is VLAN ID for the management VLAN, remember to add VLAN on the switch.
28/309
www.zyxel.com
2.2 How to Set WiFi Multiple SSID for Office Environment?
2.2.1 When USG is DHCP Server for VLAN10 and VLAN20
The example instructs how to configure VLANs and set different VLANs for different SSIDs in NXC. In this example, USG is the only DHCP server in the environment, and NXC only needs to set VLAN for passing traffic. In this example, we configure interfaces, set VLANs, create security and SSID profiles, and then configure AP profiles for managed APs.
Figure 2.2.1 Set Different VLANs for Different SSIDs When USG is DHCP Server
Note:
All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG20v2 (Firmware Version: V4.15), NXC5500 (Firmware Version: 5.40), GS2210-8HP (Firmware Version: V4.30).
29/309
www.zyxel.com
2.2.1.1Configure NXC’s Interface to Go to Internet
1Connect NXC controller to USG LAN port. In the USG, all LAN ports are DHCP server for interface LAN, VLAN10, VLAN20, and all the stations connected to APs get an IP from the USG.
2In the NXC, go to CONFIGURATION > Network > Interface > VLAN to set the NXC's IP address to be in the same subnet as the USG's LAN IP and have the USG act as the gateway. Double click vlan0 to edit IP Address Assignment section. Click OK.
30/309