ZyXEL ZyAIR G-5100 User Guide

Download

Page 1

ZyAIR G-5100

Outdoor Dual-802.11g Wireless LAN Access Point &

Bridge

User’s Guide

Version 3.50

5/2005

Page 2

Page 3

ZyAIR G-5100 User’s Guide

Copyright

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Disclaimer

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Page 4

ZyAIR G-5100 User’s Guide

Federal Communications Commission (FCC) Interference Statement

This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

• This device may not cause harmful interference.

• This device must accept any interference received, including interference that may cause undesired operations.

FCC Warning

This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.

Certifications

If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and the receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

Notice 1

Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

FCC Caution:

Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.

IMPORTANT NOTE:

FCC Radiation Exposure Statement:

This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body.

4 Certifications

Page 5

ZyAIR G-5100 User’s Guide

This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

Note: Antenna Warning! This device meets ETSI and FCC certification requirements

when using the included antennas or antenna connector cable. Only use the included antennas or antenna connector cable.

Canadian Note

This Class B digital apparatus complies with Canadian ICES-003.

Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.

Certifications

Go to www.zyxel.com

1 Select your product from the drop-down list box on the ZyXEL home page to go to that

product's page.

2 Select the certification you wish to view from this page.

Certifications 5

Page 6

ZyAIR G-5100 User’s Guide

For your safety, be sure to read and follow all warning notices and instructions.

• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Please contact your vendor for further information.

• Use ONLY the dedicated power supply for your device. Connect the power cord or power adaptor to the right supply voltage (110V AC in North America or 230V AC in Europe).

• Do NOT use the device if the power supply is damaged as it might cause electrocution.

• If the power supply is damaged, remove it from the power outlet.

• Do NOT attempt to repair the power supply. Contact your local vendor to order a new power supply.

• Place cables carefully so that no one will step on them or stumble over them. Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord.

• Do NOT install nor use your device during a thunderstorm. There may be a remote risk of electric shock from lightning.

• Do NOT expose your device to corrosive liquids.

• Do NOT store things on the device.

• Connect ONLY suitable accessories to the device.

Safety Warnings

6 Safety Warnings

Page 7

ZyAIR G-5100 User’s Guide

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.

To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

ZyXEL Limited Warranty 7

Page 8

ZyAIR G-5100 User’s Guide

Please have the following information ready when you contact customer support.

• Product model and serial number.

• Warranty Information.

• Date that you received your device.

• Brief description of the problem and the steps you took to solve it.

Customer Support

METHOD

LOCATION

CORPORATE HEADQUARTERS (WORLDWIDE)

CZECH REPUBLIC

DENMARK

FINLAND

FRANCE

GERMANY

NORTH AMERICA

NORWAY

SPAIN

SWEDEN

SUPPORT E-MAIL TELEPHONE

SALES E-MAIL FAX FTP SITE

support@zyxel.com.tw +886-3-578-3942 www.zyxel.com

sales@zyxel.com.tw +886-3-578-2439 ftp.zyxel.com

info@cz.zyxel.com +420 241 091 350 www.zyxel.cz ZyXEL Communications

info@cz.zyxel.com +420 241 091 359

support@zyxel.dk +45 39 55 07 00 www.zyxel.dk ZyXEL Communications A/S

sales@zyxel.dk +45 39 55 07 07

support@zyxel.fi +358-9-4780-8411 www.zyxel.fi ZyXEL Communications Oy

sales@zyxel.fi +358-9-4780 8448

i nf o @z y xe l .f r + 33 (0 ) 4 7 2 5 2 9 7 9 7 w ww .z y xe l . fr Z yX E L Fr a nc e

+33 (0)4 72 52 19 20

support@zyxel.de +49-2405-6909-0 www.zyxel.de ZyXEL Deutschland GmbH.

sales@zyxel.de +49-2405-6909-99

support@zyxel.com +1-800-255-4101

+1-714-632-0882

sales@zyxel.com +1-714-632-0858 ftp.us.zyxel.com

support@zyxel.no +47 22 80 61 80 www.zyxel.no ZyXEL Communications A/S

sales@zyxel.no +47 22 80 61 81

support@zyxel.es +34 902 195 420 www.zyxel.es ZyXEL Communications

sales@zyxel.es +34 913 005 345

support@zyxel.se +46 31 744 7700 www.zyxel.se ZyXEL Communications A/S

sales@zyxel.se +46 31 744 7701

WEB SITE

www.europe.zyxel.com

ftp.europe.zyxel.com

www.us.zyxel.com ZyXEL Communications Inc.

REGULAR MAIL

ZyXEL Communications Corp. 6 Innovation Road II

Sc ien ce P ar k Hsinchu 300 Ta iw a n

Czech s.r.o. Modranská 621 143 01 Praha 4 - Modrany Ceská Republika

Col um bu sv ej 5 2860 Soeborg Denmark

Mal mi nk aa ri 10 00700 Helsinki Finland

1 ru e d e s V er ge r s Ba t. 1 / C 69760 Limonest France

Adenauerstr. 20/A2 D-52146 Wuerselen Germany

1130 N. Miller St. Anaheim

CA 92806-2001 U.S.A.

Ni ls H ans en s ve i 13 0667 Oslo Norway

Arte, 21 5ª planta 28033 Madrid Spain

Sjöporten 4, 41764 Göteborg Sweden

8 Customer Support

Page 9

ZyAIR G-5100 User’s Guide

METHOD

LOCATION

UNITED KINGDOM

SUPPORT E-MAIL TELEPHONE

SALES E-MAIL FAX FTP SITE

support@zyxel.co.uk +44 (0) 1344 303044

08707 555779 (UK only)

sales@zyxel.co.uk +44 (0) 1344 303034 ftp.zyxel.co.uk

WEB SITE

www.zyxel.co.uk ZyXEL Communications UK

a. “+” is the (prefix) number you enter to make an international telephone call.

REGULAR MAIL

Ltd.,11 The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)

Customer Support 9

Page 10

ZyAIR G-5100 User’s Guide

10 Customer Support

Page 11

ZyAIR G-5100 User’s Guide

Copyright ..................................................................................................................3

Certifications ............................................................................................................4

Safety Warnings ....................................................................................................... 6

ZyXEL Limited Warranty.......................................................................................... 7

Customer Support.................................................................................................... 8

Table of Contents ................................................................................................... 11

List of Figures ........................................................................................................ 19

List of Tables .......................................................................................................... 23

Preface ....................................................................................................................27

Chapter 1

Getting to Know Your ZyAIR ................................................................................. 29

1.1 Introducing the ZyAIR ........................................................................................29

1.2 ZyAIR Features ..................................................................................................29

1.3 Applications for the ZyAIR ..................................................................................33

1.3.1 Access Point .............................................................................................33

1.3.2 AP + Bridge ..............................................................................................34

1.3.3 Bridge / Repeater ......................................................................................35

Chapter 2

Introducing the Web Configurator........................................................................ 37

2.1 Web Configurator Overview ...............................................................................37

2.2 Accessing the ZyAIR Web Configurator .............................................................37

2.3 Resetting the ZyAIR ...........................................................................................38

2.4 Navigating the ZyAIR Web Configurator ............................................................39

Chapter 3

Wizard Setup .......................................................................................................... 43

3.1 Wizard Setup Overview ......................................................................................43

3.2 Wizard Setup: General Setup ............................................................................43

3.3 Wizard Setup: Wireless LAN ..............................................................................44

3.4 Wizard Setup: IP Address Assignment ..............................................................46

3.5 Basic Setup Complete ........................................................................................47

Table of Contents 11

Page 12

ZyAIR G-5100 User’s Guide

Chapter 4

System Screens ..................................................................................................... 49

4.1 System Overview ...............................................................................................49

4.2 General Screen ..................................................................................................49

4.2.1 Domain Name ...........................................................................................49

4.2.2 DNS Server Address Assignment .............................................................49

4.3 Configuring General Setup .................................................................................50

4.4 Configuring Password ........................................................................................51

4.5 Configuring Time Setting ...................................................................................52

Chapter 5

Wireless LAN ......................................................................................................... 55

5.1 Introduction ........................................................................................................55

5.2 Wireless Security Overview ...............................................................................55

5.2.1 Encryption .................................................................................................55

5.2.2 Authentication ...........................................................................................55

5.2.3 Restricted Access .....................................................................................56

5.2.4 Hide ZyAIR Identity ...................................................................................56

5.2.5 Configuring Wireless LAN on the ZyAIR ...................................................56

5.3 Spanning Tree Protocol (STP) ...........................................................................57

5.3.1 Rapid STP ................................................................................................57

5.3.2 STP Terminology ......................................................................................57

5.3.3 How STP Works .......................................................................................58

5.3.4 STP Port States ........................................................................................58

5.4 WEP Encryption .................................................................................................58

5.5 Configuring the Wireless Screen ........................................................................58

5.5.1 Access Point Mode ...................................................................................59

5.5.2 Bridge/Repeater Mode ..............................................................................62

5.5.3 AP+Bridge Mode ......................................................................................65

5.6 Configuring MAC Filters .....................................................................................67

5.7 Configuring Roaming .........................................................................................69

5.7.1 Requirements for Roaming .......................................................................70

5.8 Introduction to WPA ...........................................................................................71

5.9 WPA-PSK Application Example .........................................................................71

5.10 WPA with RADIUS Application Example ..........................................................72

5.11 Wireless Client WPA Supplicants .....................................................................73

5.12 Configuring 802.1x and WPA ...........................................................................73

5.13 Authentication Required: 802.1x ......................................................................74

5.14 Authentication Required: WPA .........................................................................78

5.15 Authentication Required: WPA-PSK ................................................................79

12 Table of Contents

Page 13

ZyAIR G-5100 User’s Guide

Chapter 6

Internal RADIUS Server ......................................................................................... 81

6.1 Internal RADIUS Overview .................................................................................81

6.2 Internal RADIUS Server Setting .........................................................................82

6.3 Trusted AP Overview .........................................................................................84

6.4 Configuring Trusted AP ......................................................................................85

6.5 Trusted Users Overview .....................................................................................86

6.6 Configuring Trusted Users .................................................................................86

Chapter 7

VLAN ....................................................................................................................... 89

7.1 VLAN ..................................................................................................................89

7.1.1 Management VLAN ID ..............................................................................89

7.2 Configuring VLAN ..............................................................................................89

Chapter 8

IP Screen................................................................................................................. 91

8.1 Factory Ethernet Defaults ..................................................................................91

8.2 IP Address and Subnet Mask .............................................................................91

8.2.1 IP Address Assignment ............................................................................92

8.3 Configuring IP ....................................................................................................92

Chapter 9

Certificates.............................................................................................................. 95

9.1 Certificates Overview .........................................................................................95

9.1.1 Advantages of Certificates ........................................................................96

9.2 Self-signed Certificates ......................................................................................96

9.3 Configuration Summary .....................................................................................96

9.4 My Certificates ...................................................................................................96

9.5 Certificate File Formats ......................................................................................98

9.6 Importing a Certificate ........................................................................................99

9.7 Creating a Certificate .......................................................................................100

9.8 My Certificate Details .......................................................................................103

9.9 Trusted CAs .....................................................................................................106

9.10 Importing a Trusted CA’s Certificate ...............................................................108

9.11 Trusted CA Certificate Details ........................................................................109

Chapter 10

Log Screens.......................................................................................................... 113

10.1 Configuring View Log .....................................................................................113

10.2 Configuring Log Settings ................................................................................ 115

Table of Contents 13

Page 14

ZyAIR G-5100 User’s Guide

Chapter 11

Maintenance ......................................................................................................... 119

11.1 Maintenance Overview ................................................................................... 119

11.2 System Status Screen ....................................................................................119

11.2.1 System Statistics ...................................................................................120

11.3 Association List ..............................................................................................121

11.4 Channel Usage ...............................................................................................122

11.5 F/W Upload Screen ........................................................................................123

11.6 Configuration Screen ......................................................................................126

11.6.1 Backup Configuration ............................................................................127

11.6.2 Restore Configuration ..........................................................................128

11.6.3 Back to Factory Defaults .......................................................................129

11.7 Restart Screen ................................................................................................129

Chapter 12

Introducing the SMT ............................................................................................131

12.1 Introduction to the SMT ..................................................................................131

12.2 Accessing the SMT via the Console Port .......................................................131

12.2.1 Initial Screen .........................................................................................131

12.2.2 Entering the Password ..........................................................................132

12.3 Accessing the SMT via Telnet ........................................................................133

12.4 Navigating the SMT Interface .........................................................................133

12.4.1 System Management Terminal Interface Summary ..............................134

12.4.2 SMT Menus Overview ..........................................................................135

12.5 Changing the System Password ....................................................................136

Chapter 13

General Setup....................................................................................................... 137

13.1 General Setup ................................................................................................137

13.1.1 Procedure To Configure Menu 1 ...........................................................137

Chapter 14

LAN Setup............................................................................................................. 139

14.1 LAN Setup ......................................................................................................139

14.2 TCP/IP Ethernet Setup ...................................................................................139

14.3 Wireless LAN Setup .......................................................................................140

14.3.1 Configuring MAC Address Filter ...........................................................143

14.3.2 Configuring Roaming ............................................................................144

14.3.3 Configuring Bridge Link ........................................................................146

Chapter 15

Dial-in User Setup ................................................................................................ 149

15.1 Dial-in User Setup ..........................................................................................149

14 Table of Contents

Page 15

ZyAIR G-5100 User’s Guide

Chapter 16

VLAN Setup .......................................................................................................... 151

16.1 VLAN Setup ...................................................................................................151

Chapter 17

SNMP Configuration ............................................................................................ 153

17.1 About SNMP ..................................................................................................153

17.2 Supported MIBs ............................................................................................154

17.3 SNMP Configuration ......................................................................................154

17.4 SNMP Traps ...................................................................................................155

Chapter 18

System Security ................................................................................................... 157

18.1 System Security .............................................................................................157

18.1.1 System Password .................................................................................157

18.1.2 Configuring External RADIUS Server ...................................................157

18.1.3 802.1x ...................................................................................................159

Chapter 19

System Information and Diagnosis .................................................................... 163

19.1 System Status ................................................................................................163

19.2 System Information ........................................................................................165

19.2.1 System Information ...............................................................................165

19.2.2 Console Port Speed ..............................................................................166

19.3 Log and Trace ................................................................................................166

19.3.1 Viewing Error Log .................................................................................167

19.4 Diagnostic ......................................................................................................167

Chapter 20

Firmware and Configuration File Maintenance ................................................. 169

20.1 Filename Conventions ...................................................................................169

20.2 Backup Configuration .....................................................................................170

20.2.1 Backup Configuration Using FTP .........................................................170

20.2.2 Using the FTP command from the DOS Prompt ..................................171

20.2.3 Backup Configuration Using TFTP .......................................................172

20.2.4 Example: TFTP Command ...................................................................172

20.2.5 Backup Via Console Port ......................................................................173

20.3 Restore Configuration ...................................................................................174

20.3.1 Restore Using FTP ...............................................................................174

20.4 Uploading Firmware and Configuration Files .................................................174

20.4.1 Firmware Upload ..................................................................................175

20.4.2 Configuration File Upload .....................................................................175

20.4.3 Using the FTP command from the DOS Prompt Example ...................176

Table of Contents 15

Page 16

ZyAIR G-5100 User’s Guide

20.4.4 TFTP File Upload ..................................................................................177

20.4.5 Example: TFTP Command ...................................................................177

20.4.6 Uploading Via Console Port ..................................................................178

20.4.7 Uploading Firmware File Via Console Port ...........................................178

20.4.8 Example Xmodem Firmware Upload Using HyperTerminal ..................178

20.4.9 Uploading Configuration File Via Console Port ....................................179

20.4.10 Example Xmodem Configuration Upload Using HyperTerminal .........180

Chapter 21

System Maintenance and Information ...............................................................181

21.1 Command Interpreter Mode ...........................................................................181

21.2 Time and Date Setting ....................................................................................182

21.2.1 Resetting the Time ................................................................................183

Chapter 22

Troubleshooting ................................................................................................... 185

22.1 Problems Starting Up the ZyAIR ....................................................................185

22.2 Problems with Console Port Access ..............................................................185

22.3 Problems with the Ethernet Interface .............................................................186

22.4 Problems with the Password ..........................................................................187

22.5 Problems with Telnet ......................................................................................187

22.6 Problems with the WLAN Interface ................................................................187

Appendix A

Specifications...................................................................................................... 189

Appendix B

Packaging Specifications.................................................................................... 197

Appendix C

Power over Ethernet Specifications................................................................... 199

Appendix D

Setting up Your Computer’s IP Address............................................................ 201

Appendix E

IP Subnetting ........................................................................................................ 213

Appendix F

Wireless LAN ........................................................................................................ 221

Appendix G

Outdoor Site Planning ......................................................................................... 235

Appendix H

Outdoor Installation Recommendations............................................................ 241

16 Table of Contents

Page 17

ZyAIR G-5100 User’s Guide

Appendix I

Command Interpreter........................................................................................... 245

Appendix J

Brute-Force Password Guessing Protection..................................................... 247

Appendix K

Log Descriptions.................................................................................................. 249

Index...................................................................................................................... 253

Table of Contents 17

Page 18

ZyAIR G-5100 User’s Guide

18 Table of Contents

Page 19

ZyAIR G-5100 User’s Guide

List of Figures

Figure 1 PoE Installation Example ......................................................................... 30

Figure 2 WDS Functionality Example .................................................................... 30

Figure 3 Access Point Application .......................................................................... 34

Figure 4 AP+Bridge Application ........................................................................... 34

Figure 5 Bridge Application .................................................................................... 35

Figure 6 Repeater Application ................................................................................ 36

Figure 7 Change Password Screen ....................................................................... 38

Figure 8 Replace Certificate Screen. ..................................................................... 38

Figure 9 Example Xmodem Upload ....................................................................... 39

Figure 10 The MAIN MENU Screen of the Web Configurator ................................ 40

Figure 11 Wizard: General Setup ........................................................................... 43

Figure 12 Wizard: Wireless LAN Setup .................................................................. 45

Figure 13 Wizard: IP Address Assignment ............................................................ 46

Figure 14 TCP/IP Warning Screen ......................................................................... 47

Figure 15 Close Browser Screen ........................................................................... 47

Figure 16 Wizard: Setup Complete ........................................................................ 48

Figure 17 System General ..................................................................................... 50

Figure 18 Password. .............................................................................................. 51

Figure 19 Time Setting ........................................................................................... 52

Figure 20 Wireless: Access Point .......................................................................... 59

Figure 21 Bridging Example ................................................................................... 62

Figure 22 Bridge Loop: Two Bridges Connected to Hub ........................................ 63

Figure 23 Bridge Loop: Bridge Connected to Wired LAN ...................................... 63

Figure 24 Wireless: Bridge/Repeater ..................................................................... 64

Figure 25 Wireless: AP+Bridge .............................................................................. 66

Figure 26 MAC Address Filter ................................................................................ 68

Figure 27 Roaming Example .................................................................................. 70

Figure 28 Roaming ................................................................................................. 71

Figure 29 WPA - PSK Authentication ..................................................................... 72

Figure 30 WPA with RADIUS Application Example ................................................ 73

Figure 31 Wireless LAN: 802.1x/WPA ................................................................... 74

Figure 32 Wireless LAN: 802.1x/WPA for 802.1x Protocol .................................... 75

Figure 33 Wireless LAN: 802.1x/WPA for WPA Protocol ....................................... 78

Figure 34 Wireless LAN: 802.1x/WPA for WPA-PSK Protocol ............................... 79

Figure 35 ZyAIR Authenticates Wireless Stations .................................................. 81

Figure 36 ZyAIR Authenticates Trusted APs .......................................................... 82

Figure 37 Internal RADIUS Server Setting Screen ............................................... 83

Figure 38 Trusted AP Overview ............................................................................. 84

List of Figures 19

Page 20

ZyAIR G-5100 User’s Guide

Figure 39 Trusted AP Screen ................................................................................. 85

Figure 40 Trusted Users Screen ............................................................................ 87

Figure 41 VLAN ...................................................................................................... 90

Figure 42 IP Setup ................................................................................................ 93

Figure 43 Certificate Configuration Overview ........................................................ 96

Figure 44 My Certificates ....................................................................................... 97

Figure 45 My Certificate Import .............................................................................. 99

Figure 46 My Certificate Create ............................................................................. 101

Figure 47 My Certificate Details ............................................................................. 104

Figure 48 Trusted CAs ........................................................................................... 107

Figure 49 Trusted CA Import .................................................................................. 109

Figure 50 Trusted CA Details ................................................................................. 110

Figure 51 View Log ................................................................................................ 114

Figure 52 Log Settings ........................................................................................... 116

Figure 53 System Status ........................................................................................ 119

Figure 54 System Status: Show Statistics .............................................................. 120

Figure 55 Association List ...................................................................................... 121

Figure 56 Channel Usage ...................................................................................... 122

Figure 57 Firmware Upload .................................................................................... 124

Figure 58 Firmware Upload In Process .................................................................. 125

Figure 59 Network Temporarily Disconnected ....................................................... 125

Figure 60 Firmware Upload Error ........................................................................... 126

Figure 61 Configuration .......................................................................................... 127

Figure 62 Configuration Upload Successful ........................................................... 128

Figure 63 Network Temporarily Disconnected ....................................................... 128

Figure 64 Configuration Upload Error .................................................................... 129

Figure 65 Reset Warning Message ........................................................................ 129

Figure 66 Restart Screen ....................................................................................... 130

Figure 67 Initial Screen .......................................................................................... 132

Figure 68 Password Screen .................................................................................. 132

Figure 69 Login Screen .......................................................................................... 133

Figure 70 SMT Main Menu .................................................................................... 134

Figure 71 Menu 23.1 System Security: Change Password .................................... 136

Figure 72 Menu 1 General Setup ........................................................................... 137

Figure 73 Menu 3 LAN Setup ................................................................................ 139

Figure 74 Menu 3.2 TCP/IP Setup ......................................................................... 140

Figure 75 Menu 3.5 Wireless LAN Setup ............................................................... 141

Figure 76 Menu 3.5 Wireless LAN Setup ............................................................... 143

Figure 77 Menu 3.5.1 WLAN MAC Address Filter ................................................. 144

Figure 78 Menu 3.5 Wireless LAN Setup ............................................................... 145

Figure 79 Menu 3.5.2 - Roaming Configuration ..................................................... 145

Figure 80 Menu 3.5 Wireless LAN Setup ............................................................... 146

Figure 81 Menu 3.5.4 - Bridge Link Configuration ................................................. 147

20 List of Figures

Page 21

ZyAIR G-5100 User’s Guide

Figure 82 Menu 14- Dial-in User Setup .................................................................. 149

Figure 83 Menu 14.1- Edit Dial-in User .................................................................. 149

Figure 84 Menu 16 VLAN Setup ............................................................................ 151

Figure 85 SNMP Management Model .................................................................... 153

Figure 86 Menu 22 SNMP Configuration .............................................................. 154

Figure 87 Menu 23 System Security ...................................................................... 157

Figure 88 Menu 23 System Security ...................................................................... 157

Figure 89 Menu 23.2 System Security: RADIUS Server ........................................ 158

Figure 90 Menu 23 System Security ...................................................................... 159

Figure 91 Menu 23.4 System Security: IEEE802.1x .............................................. 160

Figure 92 Menu 24 System Maintenance .............................................................. 163

Figure 93 Menu 24.1 System Maintenance: Status ............................................... 164

Figure 94 Menu 24.2 System Information and Console Port Speed ...................... 165

Figure 95 Menu 24.2.1 System Information: Information ....................................... 165

Figure 96 Menu 24.2.2 System Maintenance: Change Console Port Speed ......... 166

Figure 97 Menu 24.3 System Maintenance: Log and Trace .................................. 167

Figure 98 Sample Error and Information Messages .............................................. 167

Figure 99 Menu 24.4 System Maintenance: Diagnostic ......................................... 168

Figure 100 Menu 24.5 Backup Configuration ......................................................... 170

Figure 101 FTP Session Example ......................................................................... 171

Figure 102 System Maintenance: Backup Configuration ....................................... 173

Figure 103 System Maintenance: Starting Xmodem Download Screen ................ 173

Figure 104 Backup Configuration Example ............................................................ 173

Figure 105 Successful Backup Confirmation Screen ............................................. 174

Figure 106 Menu 24.6 Restore Configuration ........................................................ 174

Figure 107 Menu 24.7 System Maintenance: Upload Firmware ............................ 175

Figure 108 Menu 24.7.1 System Maintenance: Upload System Firmware ............ 175

Figure 109 Menu 24.7.2 System Maintenance: Upload System Configuration File 176

Figure 110 FTP Session Example .......................................................................... 177

Figure 111 Menu 24.7.1 as Seen Using the Console Port ..................................... 178

Figure 112 Example Xmodem Upload ................................................................... 179

Figure 113 Menu 24.7.2 as Seen Using the Console Port .................................... 179

Figure 114 Example Xmodem Upload ................................................................... 180

Figure 115 Menu 24 System Maintenance ............................................................. 181

Figure 116 Valid CI Commands .............................................................................. 182

Figure 117 Menu 24.10 System Maintenance: Time and Date Setting .................. 182

Figure 118 Inspection Cosmetic and Function ....................................................... 194

Figure 119 WIndows 95/98/Me: Network: Configuration ........................................ 202

Figure 120 Windows 95/98/Me: TCP/IP Properties: IP Address ............................ 203

Figure 121 Windows 95/98/Me: TCP/IP Properties: DNS Configuration ............... 204

Figure 122 Windows XP: Start Menu ..................................................................... 205

Figure 123 Windows XP: Control Panel ................................................................. 205

Figure 124 Windows XP: Control Panel: Network Connections: Properties .......... 206

List of Figures 21

Page 22

ZyAIR G-5100 User’s Guide

Figure 125 Windows XP: Local Area Connection Properties ................................. 206

Figure 126 Windows XP: Internet Protocol (TCP/IP) Properties ............................ 207

Figure 127 Windows XP: Advanced TCP/IP Properties ......................................... 208

Figure 128 Windows XP: Internet Protocol (TCP/IP) Properties ............................ 209

Figure 129 Macintosh OS 8/9: Apple Menu ........................................................... 210

Figure 130 Macintosh OS 8/9: TCP/IP ................................................................... 210

Figure 131 Macintosh OS X: Apple Menu .............................................................. 211

Figure 132 Macintosh OS X: Network .................................................................... 212

Figure 133 Peer-to-Peer Communication in an Ad-hoc Network ........................... 221

Figure 134 Basic Service Set ................................................................................. 222

Figure 135 Infrastructure WLAN ............................................................................ 223

Figure 136 RTS/CTS ............................................................................................ 224

Figure 137 EAP Authentication .............................................................................. 227

Figure 138 WEP Authentication Steps ................................................................... 230

Figure 139 Roaming Example ................................................................................ 233

22 List of Figures

Page 23

ZyAIR G-5100 User’s Guide

List of Tables

Table 1 IEEE 802.11g ............................................................................................ 31

Table 2 IEEE 802.11b ............................................................................................ 31

Table 3 Screens Summary .................................................................................... 40

Table 4 Wizard: General Setup ............................................................................. 44

Table 5 Wizard: Wireless LAN Setup .................................................................... 45

Table 6 Wizard: IP Address Assignment ............................................................... 46

Table 7 System General Setup ............................................................................. 50

Table 8 Password .................................................................................................. 52

Table 9 Time Setting .............................................................................................. 53

Table 10 ZyAIR Wireless Security Levels ............................................................. 56

Table 11 STP Path Costs ...................................................................................... 57

Table 12 STP Port States ...................................................................................... 58

Table 13 Wireless: Access Point ........................................................................... 60

Table 14 Wireless: Bridge/Repeater ...................................................................... 64

Table 15 MAC Address Filter ................................................................................ 68

Table 16 Roaming ................................................................................................. 71

Table 17 Wireless LAN: 802.1x/WPA .................................................................... 74

Table 18 Wireless LAN: 802.1x/WPA for 802.1x Protocol ..................................... 76

Table 19 Wireless LAN: 802.1x/WPA for WPA Protocol ........................................ 79

Table 20 Wireless LAN: 802.1x/WPA for WPA-PSK Protocol ............................... 80

Table 21 Internal RADIUS Server Screens Overview ........................................... 82

Table 22 My Certificates ........................................................................................ 83

Table 23 Trusted AP .............................................................................................. 85

Table 24 Trusted Users ......................................................................................... 87

Table 25 VLAN ...................................................................................................... 90

Table 26 Private IP Address Ranges .................................................................... 92

Table 27 IP Setup .................................................................................................. 93

Table 28 My Certificates ........................................................................................ 97

Table 29 My Certificate Import .............................................................................. 100

Table 30 My Certificate Create .............................................................................. 101

Table 31 My Certificate Details .............................................................................. 105

Table 32 Trusted CAs ............................................................................................ 107

Table 33 Trusted CA Import .................................................................................. 109

Table 34 Trusted CA Details .................................................................................. 111

Table 35 View Log ................................................................................................. 114

Table 36 Log Settings ............................................................................................ 116

Table 37 System Status ......................................................................................... 119

Table 38 System Status: Show Statistics .............................................................. 120

List of Tables 23

Page 24

ZyAIR G-5100 User’s Guide

Table 39 Association List ....................................................................................... 122

Table 40 Channel Usage ....................................................................................... 123

Table 41 Firmware Upload .................................................................................... 124

Table 42 Restore Configuration ............................................................................. 128

Table 43 Main Menu Commands .......................................................................... 133

Table 44 Main Menu Summary ............................................................................. 134

Table 45 SMT Menus Overview ............................................................................ 135

Table 46 Menu 1 General Setup ........................................................................... 138

Table 47 Menu 3.2 TCP/IP Setup .......................................................................... 140

Table 48 Menu 3.5 Wireless LAN Setup ............................................................... 141

Table 49 Menu 3.5.1 WLAN MAC Address Filter .................................................. 144

Table 50 Menu 3.5.2 - Roaming Configuration ..................................................... 146

Table 51 Menu 3.5.4 Bridge Link Configuration .................................................... 147

Table 52 Menu 14.1- Edit Dial-in User .................................................................. 150

Table 53 Menu 16 VLAN Setup ............................................................................. 151

Table 54 Menu 22 SNMP Configuration ................................................................ 155

Table 55 SNMP Traps ........................................................................................... 155

Table 56 Ports and Interface Types ....................................................................... 155

Table 57 Menu 23.2 System Security: RADIUS Server ........................................ 158

Table 58 Menu 23.4 System Security: IEEE802.1x ............................................... 160

Table 59 Menu 24.1 System Maintenance: Status ................................................ 164

Table 60 Menu 24.2.1 System Maintenance: Information ..................................... 166

Table 61 Menu 24.4 System Maintenance Menu: Diagnostic ............................... 168

Table 62 Filename Conventions ............................................................................ 170

Table 63 General Commands for Third Party FTP Clients .................................... 171

Table 64 General Commands for Third Party TFTP Clients ................................. 172

Table 65 System Maintenance: Time and Date Setting ........................................ 183

Table 66 Troubleshooting the Start-Up of Your ZyAIR ........................................... 185

Table 67 Troubleshooting Console Port Access .................................................... 185

Table 68 Troubleshooting the Ethernet Interface .................................................. 186

Table 69 Troubleshooting the Password ............................................................... 187

Table 70 Troubleshooting Telnet ........................................................................... 187

Table 71 Troubleshooting the WLAN Interface ...................................................... 187

Table 72 Device Specifications .............................................................................. 189

Table 73 Performance ........................................................................................... 189

Table 74 Firmware Features ................................................................................. 190

Table 75 Environmental Conditions ....................................................................... 191

Table 76 Inspection Channel (CH1, CH7, CH13) .................................................. 191

Table 77 Hardware Specifications ......................................................................... 191

Table 78 Radio Specifications ............................................................................... 192

Table 79 Rx Sensitivity (@ FER = 0.08) ................................................................ 192

Table 80 Transmitting System ............................................................................... 193

Table 81 Receiving System ................................................................................... 193

24 List of Tables

Page 25

ZyAIR G-5100 User’s Guide

Table 82 Current Consumption ............................................................................. 193

Table 83 Approvals ................................................................................................ 194

Table 84 Packaging Specifications ........................................................................ 197

Table 85 Mounting Hardware Specifications ......................................................... 197

Table 86 Power over Ethernet Injector Specifications .......................................... 199

Table 87 Power over Ethernet Injector RJ-45 Port Pin Assignments .................... 199

Table 88 Classes of IP Addresses ........................................................................ 213

Table 89 Allowed IP Address Range By Class ...................................................... 214

Table 90 “Natural” Masks ..................................................................................... 214

Table 91 Alternative Subnet Mask Notation .......................................................... 215

Table 92 Two Subnets Example ............................................................................ 215

Table 93 Subnet 1 ................................................................................................. 216

Table 94 Subnet 2 ................................................................................................. 216

Table 95 Subnet 1 ................................................................................................. 217

Table 96 Subnet 2 ................................................................................................. 217

Table 97 Subnet 3 ................................................................................................. 217

Table 98 Subnet 4 ................................................................................................. 218

Table 99 Eight Subnets ......................................................................................... 218

Table 100 Class C Subnet Planning ...................................................................... 218

Table 101 Class B Subnet Planning ...................................................................... 219

Table 102 IEEE802.11g ......................................................................................... 225

Table 103 Comparison of EAP Authentication Types ............................................ 231

Table 104 Wireless Security Relational Matrix ...................................................... 232

Table 105 Brute-Force Password Guessing Protection Commands ..................... 247

Table 106 System Maintenance Logs ................................................................... 249

Table 107 ICMP Notes .......................................................................................... 249

Table 108 Sys log .................................................................................................. 250

Table 109 Log Categories and Available Settings ................................................. 251

List of Tables 25

Page 26

ZyAIR G-5100 User’s Guide

26 List of Tables

Page 27

ZyAIR G-5100 User’s Guide

Preface

Congratulations on your purchase of the ZyAIR G-5100 Outdoor 802.11g Business Access Point/Bridge/Repeater.

The ZyAIR is an Access Point (AP) through which wireless stations can communicate and/or access a wired network. The ZyAIR can also function as a wireless network bridge/repeater and establish wireless links with other APs.

The ZyAIR also supports both AP and bridge connections at the same time.

Your ZyAIR is easy to install and configure.

Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com American products.

About This User's Guide

for global products, or at www.us.zyxel.com for North

This User’s Guide is designed to guide you through the configuration of your ZyAIR using the web configurator or the System Management Terminal (SMT). The web configurator parts of this guide contain background information on features configurable by web configurator. The SMT parts of this guide contain background information solely on features not configurable by web configurator

Note: Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your ZyAIR. Not all features can be configured through all interfaces.

Getting to Know Your ZyAIR

This chapter introduces the main features and applications of the ZyAIR.

1.1 Introducing the ZyAIR

The ZyAIR G-5100 is an enterprise level, outdoor IEEE 802.11g compliant business access point, bridge and repeater with excellent wireless performance. Wireless Distribution System (WDS) support provides flexibility in building an extended wireless network with bridge and repeater applications. IEEE 802.1x, Wi-Fi Protected Access, WEP data encryption and MAC address filtering offer highly secured wireless connectivity.

Rugged die-cast, watertight construction, built-in lightening protection, and grounding make the ZyAIR perfect for outdoors applications.

ZyAIR G-5100 User’s Guide

CHAPTER 1

It is easy to install and configure the ZyAIR. The web-based configurator allows remote configuration and management of your ZyAIR. The Power over Ethernet (PoE) feature means that power can be delivered to the ZyAIR over an Ethernet line. This allows you to mount the ZyAIR in areas where there are no nearby power sources.

1.2 ZyAIR Features

The following sections describe the features of the ZyAIR

10/100M Auto-negotiating Ethernet/Fast Ethernet Interface

This auto-negotiating feature allows the ZyAIR to detect the speed of incoming transmissions and adjust appropriately without manual intervention. It allows data transfer of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.

Power over Ethernet (PoE)

Power over Ethernet (PoE) is the ability to provide power to your ZyAIR via an 8-pin CAT 5 Ethernet cable, eliminating the need for a nearby power source. The ZyAIR G-5100 includes a special high current power injector that allows the ZyAIR to be located farther away. This feature allows increased flexibility in the locating of your ZyAIR.

Chapter 1 Getting to Know Your ZyAIR 29

Page 30

ZyAIR G-5100 User’s Guide

Figure 1 PoE Installation Example

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences between WPA and WEP are user authentication and improved data encryption.

WDS Functionality

A Distribution System (DS) is a wired connection between two or more APs, while a Wireless Distribution System (WDS) is a wireless connection. Your ZyAIR supports WDS, providing a cost-effective solution for wireless network expansion. The ZyAIR supports up to five wireless links with other APs.

Figure 2 WDS Functionality Example

30 Chapter 1 Getting to Know Your ZyAIR

Page 31

ZyAIR G-5100 User’s Guide

IEEE 802.11g Wireless LAN Standard

The ZyAIR complies with the IEEE 802.11g wireless standard. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows. The modulation technique defines how bits are encoded onto radio waves.

Table 1 IEEE 802.11g

DATA RATE (MBPS) MODULATION

6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing)

Note: The ZyAIR may be prone to RF (Radio Frequency) interference from other 2.4 GHz devices such as microwave ovens, wireless phones, Bluetooth enabled devices, and other wireless LANs.

IEEE 802.11b Wireless LAN Standard

The ZyAIR also fully complies with the IEEE 802.11b standard. This means an IEEE 802.11b radio card can interface directly with an IEEE 802.11g device (and vice versa) at 11 Mbps or lower depending on range.

The IEEE 802.11b data rate and corresponding modulation techniques are shown in the table below.

Table 2 IEEE 802.11b

DATA RATE (MBPS) MODULATION

1 DBPSK (Differential Binary Phase Shift Keyed)

2 DQPSK (Differential Quadrature Phase Shift Keying)

5.5 / 11 CCK (Complementary Code Keying)

STP (Spanning Tree Protocol) / RSTP (Rapid STP)

(R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP -compliant bridges in your network to ensure that only one path exists between any two stations on the network.

SSL Passthrough

SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https” instead of “http”. The ZyAIR allows SSL connections to take place through the ZyAIR.

Chapter 1 Getting to Know Your ZyAIR 31

Page 32

ZyAIR G-5100 User’s Guide

VPN Passthrough

VPN (Virtual Private Network) connections use data encryption to provide secure communications over unsecure networks (like the Internet). The ZyAIR allows VPN connections to go through it.

Wireless LAN MAC Address Filtering

Your ZyAIR checks the MAC address of the wireless station against a list of allowed or denied MAC addresses.

WEP Encryption

WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.

IEEE 802.1x Network Security

The ZyAIR supports the IEEE 802.1x standard to enhance user authentication. This allows you to use a RADIUS (RFC2138, 2139 - Remote Authentication Dial In User Service) server to authenticate users.

Embedded RADIUS Server

The ZyAIR’s embedded RADIUS server eliminates the need to purchase and maintain a standalone external RADIUS server. Use the embedded RADIUS server to authenticate up to 32 users. You can also use an external RADIUS server to authenticate a potentially unlimited number of users.

Backup RADIUS Server

You can configure the ZyAIR to use backup external RADIUS servers and accounting servers in case the primary external RADIUS or accounting server does not respond.

SNMP

SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyAIR supports SNMP agent functionality, which allows a manger station to manage and monitor the ZyAIR through the network. The ZyAIR supports SNMP version one (SNMPv1) and version two c (SNMPv2c).

Full Network Management

The web configurator is an HTML-based management interface that allows easy setup and management via Internet browser. Most functions of the ZyAIR are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator over a telnet connection.

32 Chapter 1 Getting to Know Your ZyAIR

Page 33

ZyAIR G-5100 User’s Guide

Logging and Tracing

• Built-in message logging and packet tracing.

• Syslog facility support.

Embedded FTP and TFTP Servers

The ZyAIR’s embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.

Wireless Association List

With the wireless association list, you can see the list of the wireless stations that are currently using the ZyAIR to access your wired network.

Wireless LAN Channel Usage

The Wireless Channel Usage screen displays which radio channels are being used by other wireless devices within the transmission range of the ZyAIR. This allows you to select the channel with minimum interference for your ZyAIR.

1.3 Applications for the ZyAIR

The ZyAIR can be configured using the following WLAN operating modes

1 AP

2 AP+Bridge

3 Bridge/Repeater

Applications for each operating mode are shown below.

1.3.1 Access Point

The ZyAIR is an ideal access solution for wireless Internet connection. A typical Internet access application for your ZyAIR is shown as follows. Stations A, B and C can access the wired network through the ZyAIRs.

Chapter 1 Getting to Know Your ZyAIR 33

Page 34

ZyAIR G-5100 User’s Guide

Figure 3 Access Point Application

1.3.2 AP + Bridge

In AP+Bridge mode, the ZyAIR supports both AP connections (A and B can connect to the wired network through X) and bridge connections (X can communicate with Y) at the same time.

Figure 4 AP+Bridge Application

34 Chapter 1 Getting to Know Your ZyAIR

Page 35

1.3.3 Bridge / Repeater

The ZyAIR can act as a wireless network bridge and establish wireless links with other APs. In bridge mode, the ZyAIRs (see A and B in Figure 5 on page 35) are connected to independent wired networks and have a bridge (A can communicate with B) connection at the same time. A ZyAIR without a wired connection can act as a repeater (see C in Figure 6 on page 36).

Figure 5 Bridge Application

ZyAIR G-5100 User’s Guide

Chapter 1 Getting to Know Your ZyAIR 35

Page 36

ZyAIR G-5100 User’s Guide

Figure 6 Repeater Application

36 Chapter 1 Getting to Know Your ZyAIR

Page 37

Introducing the Web

This chapter describes how to access the ZyAIR web configurator and provides an overview of its screens.

2.1 Web Configurator Overview

The embedded web configurator allows you to manage the ZyAIR from anywhere through a browser such as Microsoft Internet Explorer. Use Internet Explorer 6.0 and later versions with JavaScript enabled.

ZyAIR G-5100 User’s Guide

CHAPTER 2

Configurator

It is recommended that you set your screen resolution to 1024 by 768 pixels.

2.2 Accessing the ZyAIR Web Configurator

1 Make sure your ZyAIR hardware is properly connected (refer to the Quick Start Guide).

2 Prepare your computer/computer network to connect to the ZyAIR (refer to Appendix D

on page 201).

3 Launch your web browser.

4 Type "192.168.1.2" (the default IP address of the ZyAIR) as the URL.

5 Type "1234" (default) as the password and click Login. In some versions, the default

password appears automatically - if this is the case, click Login.

6 You should see a screen asking you to change your password (highly recommended) as

shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore to allow access without password change.

Chapter 2 Introducing the Web Configurator 37

Page 38

ZyAIR G-5100 User’s Guide

Figure 7 Change Password Screen

7 Click Apply in the Replace Certificate screen to create a certificate using your ZyAIR’s

MAC address that will be specific to this device.

Figure 8 Replace Certificate Screen.

8 You should now see the MAIN MENU screen (see Figure 10 on page 40).

Note: The management session automatically times out when the time period set in

the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyAIR if this happens to you.

2.3 Resetting the ZyAIR

If you forget your password or cannot access the ZyAIR, you will need to reload the factorydefault configuration file. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously. The password will be reset to “1234” and the IP address will be reset to 192.168.1.2.

Do the following to erase the current configuration and restore factory defaults.

38 Chapter 2 Introducing the Web Configurator

Page 39

ZyAIR G-5100 User’s Guide

Obtain the default configuration file, unzip it and save it in a folder. Use a console cable to connect a computer with terminal emulation software to the ZyAIR’s console port. Turn the ZyAIR off and then on to begin a session. When you turn on the ZyAIR again, you will see the initial screen. When you see the message “Press any key to enter Debug Mode within 3 seconds” press a key to enter debug mode.

To upload the configuration file, do the following:

1 Type “atlc” after the Enter Debug Mode message.

2 Wait for the Starting XMODEM upload message before activating XMODEM upload on

your terminal.

3 This is an example Xmodem configuration upload using HyperTerminal. Click Transfer,

then Send File to display the following screen.

Figure 9 Example Xmodem Upload

Type the configuration file’s location, or click Browse to search for it.

4 After a successful configuration file upload, type “atgo” to restart the ZyAIR.

The ZyAIR is now reinitialized with a default configuration file including the default password of “1234” and IP address of 192.168.1.2.

2.4 Navigating the ZyAIR Web Configurator

The following summarizes how to navigate the web configurator from the MAIN MENU screen.

Note: Follow the instructions you see in the MAIN MENU screen or click the icon (located in the top right corner of most screens) to view online help.

The icon does not appear in the MAIN MENU screen.

Choose the Xmodem protocol.

Then click Send.

Chapter 2 Introducing the Web Configurator 39

Page 40

ZyAIR G-5100 User’s Guide

Figure 10 The MAIN MENU Screen of the Web Configurator

Use submenus to configure ZyAIR features.

Click LOGOUT at any time to exit the web configurator.

The following table describes the sub-menus.

Table 3 Screens Summary

LINK TAB FUNCTION

WIZARD SETUP Click WIZARD SETUP for initial configuration including general

setup, wireless LAN setup and IP address assignment.

SYSTEM General This screen contains administrative and system-related

Password Use this screen to change your password.

Time Setting Use this screen to change your ZyAIR’s time and date settings.

WIRELESS Wireless Use this screen to configure the wireless LAN settings and WLAN

MAC Filter Use this screen to change MAC filter settings on the ZyAIR

Roaming Use this screen to configure the ZyAIR to allow wireless users to

802.1x/WPA Use this screen to configure wireless LAN security.

IP IP Use this screen to configure IP address settings.

information.

authentication/security settings.

roam seamlessly between APs that are within the same subnet.

40 Chapter 2 Introducing the Web Configurator

Page 41

ZyAIR G-5100 User’s Guide

Table 3 Screens Summary (continued)

LINK TAB FUNCTION

AUTH. SERVER Setting Configure this screen to use the internal server to authenticate

wireless users.

Trusted AP Configure this screen to allow specified AP’s to communicate with

the ZyAIR.

Trusted Users Use this screen to configure the local user account(s) on the

ZyAIR.

CERTIFICATES My Certificates Use this screen to view a summary list of certificates and manage

certificates and certification requests.

Trusted CAs Use this screen to view and manage the list of the trusted CAs.

LOGS View Log Use this screen to view the logs for the categories that you

selected.

Log Settings Use this screen to change your ZyAIR’s log settings.

MAINTENANCE Status This screen contains administrative and system-related

information.

Association List

Channel Usage

F/W Upload Use this screen to upload firmware to your ZyAIR

Configuration Use this screen to backup and restore the configuration or reset

Restart This screen allows you to reboot the ZyAIR without turning the

LOGOUT Click LOGOUT to exit the web configurator.

Use this screen to view a list of wireless clients that are connected to the ZyAIR.

Use this screen to see which APs are using which wireless channels within range of your ZyAIR.

the factory defaults to your ZyAIR.

power off.

Chapter 2 Introducing the Web Configurator 41

Page 42

ZyAIR G-5100 User’s Guide

42 Chapter 2 Introducing the Web Configurator

Page 43

This chapter provides information on the WIZARD SETUP screens in the web configurator.

3.1 Wizard Setup Overview

The web configurator’s setup wizard helps you configure your ZyAIR for wireless stations to access your wired LAN.

Note: Click Next in each screen to continue or click Back to return to the previous screen.

Your settings are not saved when you click Back.

ZyAIR G-5100 User’s Guide

CHAPTER 3

Wizard Setup

3.2 Wizard Setup: General Setup

General Setup contains administrative and system-related information.

Figure 11 Wizard: General Setup

The following table describes the labels in this screen.

Chapter 3 Wizard Setup 43

Page 44

ZyAIR G-5100 User’s Guide

Table 4 Wizard: General Setup

LABEL DESCRIPTION

System Name It is recommended you type your computer's "Computer name".

Domain Name This is not a required field. Leave this field blank or enter the domain name here

Next Click Next to proceed to the next screen.

In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.

In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.

In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyAIR System Name.

This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.

if you know it.

3.3 Wizard Setup: Wireless LAN

Use this wizard screen to configure one of the ZyAIR’s two wireless LAN (WLAN) adapters to function as an AP (WLAN 1 is recommended). Use the ADVANCED WIRELESS screens to configure a WLAN adapter for bridge/repeater functions.

Note: The wireless clients and ZyAIR must use the same SSID, channel ID and WEP encryption key (if you enable WEP) for wireless communication.

44 Chapter 3 Wizard Setup

Page 45

Figure 12 Wizard: Wireless LAN Setup

ZyAIR G-5100 User’s Guide

The following table describes the labels in this screen.

Table 5 Wizard: Wireless LAN Setup

LABEL DESCRIPTION

Wireless LAN Setup

WLAN Adapter Select which WLAN adapter you want to configure (WLAN 1 recommended).

Name (SSID) Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the

wireless LAN. If you change this field on the ZyAIR, make sure all wireless stations use the

same Name (SSID) in order to access the network.

Choose Channel ID To manually set the ZyAIR to use a channel, select the channel from the drop-

Scan Click this button to have the ZyAIR automatically scan for and select a channel

WEP Encryption Select Disable allows all wireless computers to communicate with the access

ASCII Select this option in order to enter ASCII characters as the WEP keys.

Hex Select this option to enter hexadecimal characters as the WEP keys.

down list box. To have the ZyAIR automatically select a channel, click Scan instead.

with the least interference.

points without any data encryption. Select 64-bit WEP or 128-bit WEP to use data encryption.

Note: Use the ADVANCED WIRELESS screens to configure stronger

types of security (such as WPA).

The preceding 0x is entered automatically.

Chapter 3 Wizard Setup 45

Page 46

ZyAIR G-5100 User’s Guide

Table 5 Wizard: Wireless LAN Setup

LABEL DESCRIPTION

Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyAIR and the wireless

stations must use the same WEP key. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal

characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal

characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one

time. The default key is key 1.

Back Click Back to return to the previous screen.

Next Click Next to continue.

3.4 Wizard Setup: IP Address Assignment

Use this wizard screen to configure IP address assignment for the ZyAIR.

Figure 13 Wizard: IP Address Assignment

The following table describes the labels in this screen.

Table 6 Wizard: IP Address Assignment

LABEL DESCRIPTION

IP Address Assignment

Get automatically from DHCP

Select this option to have the ZyAIR use a dynamically assigned IP address from a DHCP server.

Note: You must know the IP address assigned to the ZyAIR (by the DHCP server) to access the ZyAIR again.

Use fixed IP address Select this option if your ZyAIR is using a static IP address. When you select

this option, fill in the fields below.

46 Chapter 3 Wizard Setup

Page 47

Table 6 Wizard: IP Address Assignment

LABEL DESCRIPTION

IP Address Enter the IP address of your ZyAIR in dotted decimal notation.

Note: If you changed the ZyAIR's IP address, you must use the new IP address if you want to access the web configurator again.

IP Subnet Mask Type the subnet mask.

Gateway IP Address Type the IP address of the gateway. The gateway is an immediate neighbor

of your ZyAIR that will forward the packet to the destination. The gateway must be a router on the same segment as your ZyAIR's LAN or WAN port.

Back Click Back to return to the previous screen.

Finish Click Finish to proceed to complete the Wizard setup.

3.5 Basic Setup Complete

When you click Finish in the Wizard IP Address Assignment screen, a warning window displays as shown. Click OK to close the window. Log into the web configurator again using the new IP address if you change the default IP address (192.168.1.2).

ZyAIR G-5100 User’s Guide

Figure 14 TCP/IP Warning Screen

The following screen displays prompting you to close the web browser.

Figure 15 Close Browser Screen

Click Ye s to close the web configurator. Otherwise, click No to use the ADVANCED screens to configure other features (the congratulations screen shows next).

Chapter 3 Wizard Setup 47

Page 48

ZyAIR G-5100 User’s Guide

Figure 16 Wizard: Setup Complete

Well done! You have set up your ZyAIR to operate on your network and access the Internet.

48 Chapter 3 Wizard Setup

Page 49

This section provides information on general system setup.

4.1 System Overview

This chapter describes how to configure the ZyAIR’s general, DNS, password and time settings.

4.2 General Screen

The General screen contains administrative and system-related information. System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".

• In Windows 95/98 click Start, Settings, Control Panel, Network. Click the

Identification tab, note the entry for the Computer Name field and enter it as the System Name.

• In Windows 2000, click Start, Settings and Control Panel and then double-click

System. Click the Network Identification tab and then the Properties button. Note the

entry for the Computer name field and enter it as the System Name.

• In Windows XP, click Start, My Computer, View system information and then click

the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyAIR System Name.

ZyAIR G-5100 User’s Guide

CHAPTER 4

System Screens

4.2.1 Domain Name

You can manually enter a domain name or the ZyAIR can get it automatically by DHCP.

4.2.2 DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.

You can manually configure DNS server addresses if you know them or the ZyAIR can receive them automatically through DHCP.

Chapter 4 System Screens 49

Page 50

ZyAIR G-5100 User’s Guide

4.3 Configuring General Setup

Click the SYSTEM link under ADVANCED to open the General screen.

Figure 17 System General

The following table describes the labels in this screen.

Table 7 System General Setup

LABEL DESCRIPTION

General Setup

System Name Type a descriptive name to identify the ZyAIR in the Ethernet network.

This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.

Domain Name This is not a required field. Leave this field blank or enter the domain name

here if you know it.

Administrator Inactivity Timer

System DNS Servers

Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out.

The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks.

A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).

50 Chapter 4 System Screens

Page 51

Table 7 System General Setup (continued)

LABEL DESCRIPTION

ZyAIR G-5100 User’s Guide

First DNS Server Second DNS Server Third DNS Server

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to reload the previous configuration for this screen.

Select From DHCP if your ISP dynamically assigns DNS server information. The field to the right displays the (read-only) DNS server IP address that the DHCP assigns.

Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply.

Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.

The default setting is None.

4.4 Configuring Password

To change your ZyAIR’s password (recommended), click the SYSTEM link under ADVANCED and then the Password tab. The screen appears as shown. This screen allows

you to change the ZyAIR’s password.

If you forget your password (or the ZyAIR IP address), you will need to reset the ZyAIR. See

Section 2.3 on page 38 for details.

Figure 18 Password.

The following table describes the labels in this screen.

Chapter 4 System Screens 51

Page 52

ZyAIR G-5100 User’s Guide

Table 8 Password

LABEL DESCRIPTIONS

Old Password Type in your existing system password (1234 is the default password).

New Password Type your new system password (up to 31 characters). Note that as you type a

password, the screen displays an asterisk (*) for each character you type.

Retype to Confirm Retype your new system password for confirmation.

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to reload the previous configuration for this screen.

4.5 Configuring Time Setting

To change your ZyAIR’s time and date, click the SYSTEM link under ADVANCED and then the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyAIR’s time based on your local time zone.

Figure 19 Time Setting

52 Chapter 4 System Screens

Page 53

ZyAIR G-5100 User’s Guide

The following table describes the labels in this screen.

Table 9 Time Setting

LABEL DESCRIPTION

Time Protocol Select the time service protocol that your time server uses. Not all time servers

support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.

The main difference between them is the format.

Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of

seconds since 1970/1/1 at 0:0:0. NTP (RFC 1305), is similar to Time (RFC 868). Select Manual to enter the time and date manually.

Time Server Address Enter the IP address or the URL of your time server. Check with your ISP/

Current Time (hh:mm:ss)

New Time (hh:mm:ss) This field displays the last updated time from the time server.

Current Date (yyyy/ mm/dd)

New Date (yyyy/mm/ dd)

Time Zone Choose the time zone of your location. This will set the time difference

Daylight Savings Select this option if you use daylight saving time. Daylight saving is a period

Start Date (mm-dd) Enter the month and day that your daylight-saving time starts on if you

End Date (mm-dd) Enter the month and day that your daylight-saving time ends on if you selected

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to reload the previous configuration for this screen.

network administrator if you are unsure of this information.

This field displays the time of your ZyAIR. Each time you reload this page, the ZyAIR synchronizes the time with the time

server.

When you select None in the Time Protocol field, enter the new time in this field and then click Apply.

This field displays the date of your ZyAIR. Each time you reload this page, the ZyAIR synchronizes the date with the time

server.

This field displays the last updated date from the time server. When you select None in the Time Protocol field, enter the new date in this

field and then click Apply.

between your time zone and Greenwich Mean Time (GMT).

from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.

selected Daylight Savings.

Daylight Savings.

Chapter 4 System Screens 53

Page 54

ZyAIR G-5100 User’s Guide

54 Chapter 4 System Screens

Page 55

This chapter discusses how to configure wireless LAN.

5.1 Introduction

A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN.

Note: See the WLAN appendix for more detailed information on WLANs.

ZyAIR G-5100 User’s Guide

CHAPTER 5

Wireless LAN

5.2 Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless stations, access points and the wired network.

Wireless security methods available on the ZyAIR are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyAIR identity.

5.2.1 Encryption

• Use WPA security if you have WPA-aware wireless clients and a RADIUS server. WPA

has user authentication and improved data encryption over WEP.

• Use WPA-PSK if you have WPA-aware wireless clients but no RADIUS server.

• If you don’t have WPA-aware wireless clients, then use WEP key encrypting. A higher

bit key offers better security at a throughput trade-off.

5.2.2 Authentication

WPA has user authentication and you can also configure IEEE 802.1x to use the built-in database (Local User Database) or a RADIUS server to authenticate wireless clients before joining your network.

• Use RADIUS authentication if you have a RADIUS server. See the appendices for

information on protocols used when a client authenticates with a RADIUS server via the ZyAIR.

Chapter 5 Wireless LAN 55

Page 56

ZyAIR G-5100 User’s Guide

• Use the Local User Database if you have less than 32 wireless clients in your network.

The ZyAIR uses MD5 encryption when a client authenticates with the Local User Database

5.2.3 Restricted Access

The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association).

5.2.4 Hide ZyAIR Identity

If you hide the SSID, then the ZyAIR cannot be seen when a wireless client scans for local APs. The trade-off for the extra security of “hiding” the ZyAIR may be inconvenience for some valid WLAN clients. If you don’t hide the ESSID, at least you should change the default one.

5.2.5 Configuring Wireless LAN on the ZyAIR

1 Configure the ESSID and WEP in the Wireless screen.

2 Use the MAC Filter screen to restrict access to your wireless network by MAC address.

3 Configure WPA or WPA-PSK in the 802.1x/WPA screen. You can also configure

802.1x wireless client authentication in the 802.1x/WPA screen.

4 Configure the RADIUS settings in the AUTH. SERVER screens.

The following table shows the relative effectiveness of these wireless security methods available on your ZyAIR.

Table 10 ZyAIR Wireless Security Levels

Security Level Security Type

Least Secure

Most Secure

Unique SSID (Default)

Unique SSID with Hide SSID Enabled

MAC Address Filtering

WEP Encryption

IEEE802.1x EAP with RADIUS Server Authentication

Wi-Fi Protected Access (WPA)

Note: You must enable the same wireless security settings on the ZyAIR and on all

wireless clients that you want to associate with it.

If you do not enable any wireless security on your ZyAIR, your network is accessible to any wireless networking device that is within range.

56 Chapter 5 Wireless LAN

Page 57

5.3 Spanning Tree Protocol (STP)

STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network.

5.3.1 Rapid STP

The ZyAIR uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol) that allow faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). Using RSTP topology change information does not have to propagate to the root bridge and unwanted learned addresses are flushed from the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding.

5.3.2 STP Terminology

The root bridge is the base of the spanning tree; it is the bridge with the lowest identifier value (MAC address).

ZyAIR G-5100 User’s Guide

Path cost is the cost of transmitting a frame onto a LAN through that port. It is assigned according to the speed of the link to which a port is attached. The slower the media, the higher the cost - see the next table.

Table 11 STP Path Costs

LINK SPEED

Path Cost 4Mbps 250 100 to 1000 1 to 65535

Path Cost 10Mbps 100 50 to 600 1 to 65535

Path Cost 16Mbps 62 40 to 400 1 to 65535

Path Cost 100Mbps 19 10 to 60 1 to 65535

Path Cost 1Gbps 4 3 to 10 1 to 65535

Path Cost 10Gbps 2 1 to 5 1 to 65535

RECOMMENDED VALUE

RECOMMENDED RANGE

ALLOWED RANGE

On each bridge, the root port is the port through which this bridge communicates with the root. It is the port on this switch with the lowest path cost to the root (the root path cost). If there is no root port, then this bridge has been accepted as the root bridge of the spanning tree network.

For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN.

Chapter 5 Wireless LAN 57

Page 58

ZyAIR G-5100 User’s Guide

5.3.3 How STP Works

After a bridge determines the lowest cost-spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops.

STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed.

Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology.

5.3.4 STP Port States

STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops.

Table 12 STP Port States

PORT STATES DESCRIPTIONS

Disabled STP is disabled (default).

Blocking Only configuration and management BPDUs are received and processed.

Listening All BPDUs are received and processed.

Learning All BPDUs are received and processed. Information frames are submitted to the

learning process but not forwarded.

Forwarding All BPDUs are received and processed. All information frames are received and

forwarded.

5.4 WEP Encryption

WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key.

5.5 Configuring the Wireless Screen

Click the WIRELESS link under ADVANCED to display the Wireless screen. The screen varies depending upon the operating mode you select.

58 Chapter 5 Wireless LAN

Page 59

5.5.1 Access Point Mode

Select Access Point in the Operating Mode drop-down list box to display the screen as shown next.

Figure 20 Wireless: Access Point

ZyAIR G-5100 User’s Guide

The following table describes the general wireless LAN labels in this screen.

Chapter 5 Wireless LAN 59

Page 60

ZyAIR G-5100 User’s Guide

Table 13 Wireless: Access Point

LABEL DESCRIPTION

WLAN Adapter Select which WLAN adapter you want to configure.

Operating Mode Select the operating mode from the drop-down list. The options are Access Point,

Name (SSID) (Service Set IDentity) The SSID identifies the Service Set with which a wireless

Hide Name (SSID)

Choose Channel IDSet the operating frequency/channel depending on your particular region.

Scan Click this button to have the ZyAIR automatically scan for and select a channel with

RTS/CTS Threshold

Fragmentation Threshold

WEP Encryption WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized

Authentication Method

It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.

Bridge/Repeater and AP+Bridge.

station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.

Note: If you are configuring the ZyAIR from a computer connected to the wireless LAN and you change the ZyAIR’s SSID or WEP settings, you will lose your wireless connection when you click Apply to confirm. You must then change the wireless settings of your computer to match the ZyAIR’s new settings.

Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through passive scanning using a site survey tool.

To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.

To have the ZyAIR automatically select a channel, click Scan instead.

the least interference.

(Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 0 and 2432.

The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 800 and 2432.

wireless stations from accessing data transmitted over the wireless network. Select Disable to allow wireless stations to communicate with the access points

without any data encryption. Select 64-bit WEP or 128-bit WEP to enable data encryption.

If you use WEP encryption, select Auto, Open System or Shared Key from the drop-down list box.

60 Chapter 5 Wireless LAN

Page 61

ZyAIR G-5100 User’s Guide

Table 13 Wireless: Access Point (continued)

LABEL DESCRIPTION

Key 1 to Key 4 If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters

(ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.

If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key.

There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless stations.

The preceding “0x” is entered automatically. You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.

Enable IntraBSS Traffic

Enable Spanning Tree Protocol (STP)

Output Power Set the output power of the ZyAIR in this field. If there is a high density of APs within

Preamble Preamble is used to signal that data is coming to the receiver.

Intra-BSS traffic is traffic between wireless stations in the same BSS. Enable Intra-BSS traffic to allow wireless stations connected to the ZyAIR to

communicate with each other. Disable Intra-BSS traffic to only allow wireless stations to communicate with the

wired network, not with each other.

(R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select the check box to activate STP on the ZyAIR.

an area, decrease the output power of the ZyAIR to reduce interference with other APs. The options are 100% (Full Power), 50%, 25% or 12.5%. The power output at full power is 18 ± 2 dBm.

Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11b compliant wireless adapters support long preamble, but not all support short preamble.

Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks. Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications.

Select Dynamic to have the ZyAIR automatically use short preamble when all wireless clients support it, otherwise the ZyAIR uses long preamble.

Note: The ZyAIR and the wireless stations MUST use the same preamble mode in order to communicate.

802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to

Max. Frame Burst

associate with the ZyAIR. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to

associate with the ZyAIR. Select Mixed to allow either IEEE 802.11b or IEEE 802.11g compliant WLAN

devices to associate with the ZyAIR. The transmission rate of your ZyAIR might be reduced.

Enable Maximum Frame Burst to help eliminate collisions in mixed-mode networks (networks with both IEEE 802.11g and IEEE 802.11b traffic) and enhance the performance of both pure IEEE 802.11g and mixed IEEE 802.11b/g networks. Maximum Frame Burst sets the maximum time, in microseconds, that the ZyAIR transmits IEEE 802.11g wireless traffic only.

Type the maximum frame burst between 0 and 1800 (650, 1000 or 1800 recommended). Enter 0 to disable this feature.

Chapter 5 Wireless LAN 61

Page 62

ZyAIR G-5100 User’s Guide

Table 13 Wireless: Access Point (continued)

LABEL DESCRIPTION

VLAN ID The ZyAIR supports IEEE 802.1 tagged VLAN for partioning a physical network into

multiple logical networks. Enter a number from 1 to 4094 to set the VLAN ID tag that the ZyAIR adds to the Ethernet frames that this WLAN adapter receives from wireless clients or other APs.

Use the VLAN screen to enable or disable the ZyAIR’s VLAN feature.

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

5.5.2 Bridge/Repeater Mode

The ZyAIR can act as a wireless network bridge and establish wireless links with other APs. You need to know the MAC address of the peer device, which also must be in bridge mode.

The ZyAIR can establish wireless links with other APs.

In the example below, when both ZyAIRs are in Bridge/Repeater mode, they form a WDS (Wireless Distribution System) allowing the computers in LAN 1 to connect to the computers in LAN 2.

Figure 21 Bridging Example

Be careful to avoid bridge loops when you enable bridging in the ZyAIR. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following examples show two network topologies that can lead to this problem:

If two or more ZyAIRs (in bridge mode) are connected to the same hub as shown next.

62 Chapter 5 Wireless LAN

Page 63

ZyAIR G-5100 User’s Guide

Figure 22 Bridge Loop: Two Bridges Connected to Hub

If your ZyAIR (in bridge mode) is connected to a wired LAN while communicating with another wireless bridge that is also connected to the same wired LAN as shown next.

Figure 23 Bridge Loop: Bridge Connected to Wired LAN

To prevent bridge loops, ensure that you enable STP in the Wireless screen or your ZyAIR is not set to bridge mode while connected to both wired and wireless segments of the same LAN.

Click the WIRELESS link under ADVANCED. Select Bridge/Repeater in the Operating Mode drop-down list box to have the ZyAIR act as a wireless bridge only.

Chapter 5 Wireless LAN 63

Page 64

ZyAIR G-5100 User’s Guide

Figure 24 Wireless: Bridge/Repeater

The following table describes the labels in this screen that are specific to bridge/repeater mode.

Table 14 Wireless: Bridge/Repeater

LABEL DESCRIPTIONS

WLAN Adapter Select which WLAN adapter you want to configure.

It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.

Operating Mode Select Bridge/Repeater in this field to display the screen shown above.

Enable WDS Security A Wireless Distribution System (WDS) is a wireless connection between two or

more APs. Select the check box to use TKIP to encrypt traffic on the WDS between APs. When you enable WDS security, type a Pre-Shared Key (PSK) for each link.

Note: Other APs must use the same encryption method in order to communicate with the ZyAIR when you enable WDS security.

# This is the index number of the bridge connection.

Active Select the check box to enable the bridge connection. Otherwise, clear the

check box to disable it.

64 Chapter 5 Wireless LAN

Page 65

Table 14 Wireless: Bridge/Repeater (continued)

LABEL DESCRIPTIONS

ZyAIR G-5100 User’s Guide

Remote Bridge MAC Address

PSK Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including

Enable Spanning Tree Protocol (STP)

5.5.3 AP+Bridge Mode

Click the WIRELESS link under ADVANCED. Select AP+Bridge in the Operating Mode drop-down list box to display the screen as shown next. In this screen, you can configure the ZyAIR to function as an AP and bridge simultaneously. See the section on ZyAIR applications for more information.

Type the MAC address of the peer device in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.

spaces and symbols). When the ZyAIR is in Bridge/Repeater mode, you don’t have to enter a pre-

shared key, but the traffic between devices won’t be encrypted if you don’t. The peer bridge must use the same pre-shared key and encryption method.

Select the check box to activate STP on the ZyAIR.

Chapter 5 Wireless LAN 65

Page 66

ZyAIR G-5100 User’s Guide

Figure 25 Wireless: AP+Bridge

See Table 13 on page 60 and Table 14 on page 64 descriptions of the fields in the Access Point and Bridge/Repeater operating modes for descriptions of the fields in this screen.

66 Chapter 5 Wireless LAN

Page 67

When you enable WEP encryption, you can also specify MAC addresses and pre-shared keys of peer bridges in order to use TKIP (see Appendix F on page 221 for more on TKIP) to encrypt traffic between the bridges.

Note: The following screens are configurable only in Access Point and AP+Bridge operating modes.

5.6 Configuring MAC Filters

The MAC filter screen allows you to configure the ZyAIR to give exclusive access to up to 32 devices (Allow Association) or exclude up to 32 devices from accessing the ZyAIR (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of the devices to configure this screen.

To change your ZyAIR’s MAC filter settings, click the WIRELESS link under ADVANCED and then the MAC Filter tab. The screen appears as shown.

ZyAIR G-5100 User’s Guide

Note: Be careful not to list your computer’s MAC address and set the Action field to

Deny Association when managing the ZyAIR via a wireless connection. This

would lock you out.

Chapter 5 Wireless LAN 67

Page 68

ZyAIR G-5100 User’s Guide

Figure 26 MAC Address Filter

The following table describes the labels in this screen.

Table 15 MAC Address Filter

LABEL DESCRIPTION

WLAN Adapter Select the WLAN adapter for which you want to configure MAC address filtering.

Active Select Yes from the drop down list box to enable MAC address filtering.

68 Chapter 5 Wireless LAN

Page 69

Table 15 MAC Address Filter (continued)

LABEL DESCRIPTION

Filter Action Define the filter action for the list of MAC addresses in the MAC address filter

table. Select Deny Association to block access to the router, MAC addresses not

listed will be allowed to access the router. Select Allow Association to permit access to the router, MAC addresses not

listed will be denied access to the router.

MAC Address Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless

station that are allowed or denied access to the ZyAIR in these address fields.

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

5.7 Configuring Roaming

A wireless station is a device with an IEEE 802.11b or an IEEE 802.11g compliant wireless interface. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless coverage area. A wireless station can associate with a particular access point only if it is within the access point’s coverage area.

ZyAIR G-5100 User’s Guide

In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.

The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from a coverage area to another, it scans and uses the channel of a new access point, which then informs the access points on the LAN about the change. The new information is then propagated to the other access points on the LAN. An example is shown in Figure 27 on page 70.

With roaming, a wireless LAN mobile user enjoys a continuous connection to the wired network through an access point while moving around the wireless LAN.

Enable roaming to exchange the latest bridge information of all wireless stations between APs when a wireless station moves between coverage areas. Wireless stations can still associate with other APs even if you disable roaming. Enabling roaming ensures correct traffic forwarding (bridge tables are updated) and maximum AP efficiency. The AP deletes records of wireless stations that associate with other APs (Non-ZyXEL APs may not be able to perform this). IEEE 802.1x authentication information is not exchanged (at the time of writing).

Chapter 5 Wireless LAN 69

Page 70

ZyAIR G-5100 User’s Guide

Figure 27 Roaming Example

The steps below describe the roaming process.

1 As wireless station Y moves from the coverage area of access point AP 1 to that of access

point

2 AP 2, it scans and uses the signal of access point AP 2.

3 Access point AP 2 acknowledges the presence of wireless station Y and relays this

information to access point AP 1 through the wired LAN.

4 Access point AP 1 updates the new position of wireless station.

5 Wireless station Y sends a request to access point AP 2 for reauthentication.

5.7.1 Requirements for Roaming

The following requirements must be met in order for wireless stations to roam between the coverage areas.

1 All the access points must be on the same subnet and configured with the same SSID.

2 If IEEE 802.1x user authentication is enabled and to be done locally on the access point,

the new access point must have the user profile for the wireless station.

3 The adjacent access points should use different radio channels when their coverage areas

overlap.

4 All access points must use the same port number to relay roaming information.

5 The access points must be connected to the Ethernet and be able to get IP addresses from

a DHCP server if using dynamic IP address assignment.

70 Chapter 5 Wireless LAN

Page 71

ZyAIR G-5100 User’s Guide

To enable roaming on your ZyAIR, click the WIRELESS link under ADVANCED and then the Roaming tab. The screen appears as shown.

Figure 28 Roaming

The following table describes the labels in this screen.

Table 16 Roaming

LABEL DESCRIPTION

Active Select Yes from the drop-down list box to enable roaming on the ZyAIR if you

have two or more APs on the same subnet.

Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming.

Port Enter the port number to communicate roaming information between access

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

points. The port number must be the same on all access points. The default is

3517. Make sure this port is not used by other services.

5.8 Introduction to WPA

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences between WPA and WEP are user authentication and improved data encryption.

5.9 WPA-PSK Application Example

A WPA-PSK application looks as follows.

1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key

(PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols).

Chapter 5 Wireless LAN 71

Page 72

ZyAIR G-5100 User’s Guide

2 The AP checks each client’s password and (only) allows it to join the network if it

matches its password.

3 The AP derives and distributes keys to the wireless clients.

4 The AP and wireless clients use the TKIP encryption process to encrypt data exchanged

between them.

Figure 29 WPA - PSK Authentication

5.10 WPA with RADIUS Application Example

This example is for using WPA with an external RADIUS server. You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA application example with an external RADIUS server looks as follows. “A” is the RADIUS server. “DS” is the distribution system.

1 The AP passes the wireless client’s authentication request to the RADIUS server.

2 The RADIUS server then checks the user's identification against its database and grants

or denies network access accordingly.

3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then

sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

72 Chapter 5 Wireless LAN

Page 73

Figure 30 WPA with RADIUS Application Example

ZyAIR G-5100 User’s Guide

5.11 Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.

The Windows XP patch is a free download that adds WPA capability to Windows XP's builtin "Zero Configuration" wireless client. However, you must run Windows XP to use it.

The Funk Software's Odyssey client is bundled free (at the time of writing) with some of ZyXEL’s client wireless adapter(s).

5.12 Configuring 802.1x and WPA

To change your ZyAIR’s authentication settings, click the WIRELESS link under ADVANCED and then the 802.1x/WPA tab. The screen varies by the key management

protocol you select. The WPA function is not available on all ZyAIR models.

Chapter 5 Wireless LAN 73

Page 74

ZyAIR G-5100 User’s Guide

You see the next screen when you select No Access Allowed or No Authentication Required in the Wireless Port Control field.

Figure 31 Wireless LAN: 802.1x/WPA

The following table describes the labels in this screen.

Table 17 Wireless LAN: 802.1x/WPA

LABEL DESCRIPTION

Wireless Port Control

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

To control wireless stations access to the wired network, select a control method from the drop-down list box. Choose from No Access Allowed, No

Authentication Required and Authentication Required. No Access Allowed blocks all wireless stations access to the wired network. No Authentication Required allows all wireless stations access to the wired

network without entering usernames and passwords. This is the default setting. Authentication Required means that all wireless stations have to enter

usernames and passwords before access to the wired network is allowed. Select Authentication Required to configure Key Management Protocol and

other related fields.

5.13 Authentication Required: 802.1x

Select Authentication Required in the Wireless Port Control field and 802.1x in the Key Management Protocol field to display the next screen.

74 Chapter 5 Wireless LAN

Page 75

Figure 32 Wireless LAN: 802.1x/WPA for 802.1x Protocol

ZyAIR G-5100 User’s Guide

Chapter 5 Wireless LAN 75

Page 76

ZyAIR G-5100 User’s Guide

The following table describes the labels in this screen.

Table 18 Wireless LAN: 802.1x/WPA for 802.1x Protocol

LABEL DESCRIPTION

Wireless Port Control

ReAuthentication Timer (In Seconds)

Idle Timeout (In Seconds)

Key Management Protocol

Dynamic WEP Key Exchange

Authentication Databases

Internal RADIUS Server

External RADIUS Server

To control wireless stations access to the wired network, select a control method from the drop-down list box. Choose from No Authentication Required,

Authentication Required and No Access Allowed. No Authentication Required allows all wireless stations access to the wired

network without entering usernames and passwords. This is the default setting. Authentication Required means that all wireless stations have to enter

usernames and passwords before access to the wired network is allowed. No Access Allowed blocks all wireless stations access to the wired network. The following fields are only available when you select Authentication Required.

Specify how often wireless stations have to reenter usernames and passwords in order to stay connected. This field is activated only when you select Authentication Required in the Wireless Port Control field.

Enter a time interval between 10 and 9999 seconds. The default time interval is

1800 seconds (30 minutes).

Note: If wireless station authentication is done using a RADIUS

server, the reauthentication timer on the RADIUS server has priority.

The ZyAIR automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed.

This field is activated only when you select Authentication Required in the Wireless Port Control field. The default time interval is 3600 seconds (or 1 hour).

Choose 802.1x from the drop-down list.

This field is activated only when you select Authentication Required in the Wireless Port Control field.

Select Disable to allow wireless stations to communicate with the access points without using dynamic WEP key exchange.

Select 64-bit WEP or 128-bit WEP to enable data encryption. This field is not available when you set Key Management Protocol to WPA or

WPA-PSK.

The authentication database contains wireless station login information.

Select this radio button to use the ZyAIR’s Internal RADIUS Server. Select the MD5 radio button to use this EAP authentication type to authenticate

other APs or wireless clients in other wireless networks. Select the PEAP radio button to use this EAP authentication type to authenticate

other APs or wireless clients in other wireless networks. Use the drop-down list box to select Disable, 64-bit WEP or 128-bit WEP for Dynamic WEP Exchange.

Note: MD5 cannot be used with Dynamic WEP Key Exchange.

Select the radio button to use an external radius server to authenticate the ZyAIR’s wireless clients.

Configure the server(s) details in the following fields.

76 Chapter 5 Wireless LAN

Page 77

ZyAIR G-5100 User’s Guide

Table 18 Wireless LAN: 802.1x/WPA for 802.1x Protocol (continued)

LABEL DESCRIPTION

Authentication Server /Alternate

The ZyAIR will make three attempts to authenticate wireless users using the authentication server before attempting to use the alternate authentication server.

Requests can be issued from the client interface to use the alternate authentication server. The length of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field.

Note: You can use the command line interface to configure the ZyAIR to use up to four alternate authentication servers.

Active Select Active to enable user authentication through this external authentication

server. Clear the Active check box to not use this to not perform user authentication

through this external authentication server.

Server IP Address Enter the IP address of the external authentication server in dotted decimal

notation.

Port Number Enter the port number of the external authentication server. The default port

number is 1812. You need not change this value unless your network administrator instructs you to

do so with additional information.

Shared Secret Enter a password (up to 31 alphanumeric characters) as the key to be shared

between the external authentication server and the ZyAIR. The key must be the same on the external authentication server and your ZyAIR.

The key is not sent over the network.

Accounting Server /Alternate

The ZyAIR will make three attempts to communicate with the accounting server before attempting to use the alternate accounting server.

Note: You can use the command line interface to configure the ZyAIR to use up to four alternate accounting servers.

Active Select Active to enable user accounting through this external accounting server.

Clear the Active check box to not use this to not perform user accounting through this external accounting server.

Server IP Address Enter the IP address of the external accounting server in dotted decimal notation.

Port Number Enter the port number of the external accounting server. The default port number is

1813. You need not change this value unless your network administrator instructs you to

do so with additional information.

Shared Secret Enter a password (up to 31 alphanumeric characters) as the key to be shared

between the external accounting server and the ZyAIR. The key must be the same on the external accounting server and your ZyAIR. The

key is not sent over the network.

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

Note: If you enable the ZyAIR’s internal RADIUS server, configure trusted user accounts in the AUTH SERVER Trusted Users screen.

Chapter 5 Wireless LAN 77

Page 78

ZyAIR G-5100 User’s Guide

5.14 Authentication Required: WPA

Select Authentication Required in the Wireless Port Control field and WPA in the Key Management Protocol field to display the next screen.

Figure 33 Wireless LAN: 802.1x/WPA for WPA Protocol

The following table describes the labels not previously discussed.

78 Chapter 5 Wireless LAN

Page 79

Table 19 Wireless LAN: 802.1x/WPA for WPA Protocol

LABEL DESCRIPTIONS

ZyAIR G-5100 User’s Guide

Key Management Protocol

WPA Mixed Mode The ZyAIR can operate in WPA Mixed Mode, which supports both clients running

WPA Group Key Update Timer

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

Choose WPA in this field.

WPA and clients running dynamic WEP key exchange with IEEE 802.1x in the same Wi-Fi network.

Select Enable to activate WPA mixed mode. Otherwise, select Disable.

The WPA Group Key Update Timer is the rate at which the AP (if using WPA- PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the WPA Group Key Update Timer is also supported in WPA-PSK mode. The ZyAIR default is 1800 seconds (30 minutes).

5.15 Authentication Required: WPA-PSK

Select Authentication Required in the Wireless Port Control field and WPA-PSK in the Key Management Protocol field to display the next screen.

Figure 34 Wireless LAN: 802.1x/WPA for WPA-PSK Protocol

Chapter 5 Wireless LAN 79

Page 80

ZyAIR G-5100 User’s Guide

The following table describes the labels not previously discussed.

Table 20 Wireless LAN: 802.1x/WPA for WPA-PSK Protocol

LABEL DESCRIPTION

Key Management Protocol

Pre-Shared Key The encryption mechanisms used for WPA and WPA-PSK are the same. The only

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

Choose WPA-PSK in this field.

difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials.

Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).

80 Chapter 5 Wireless LAN

Page 81

Internal RADIUS Server

The ZyAIR can use its internal RADIUS server to authenticate wireless clients. It can also serve as a RADIUS server to authenticate other APs and their wireless clients. For more background information on RADIUS, see the Introduction to RADIUS section.

6.1 Internal RADIUS Overview

The ZyAIR has a built-in RADIUS server that can authenticate wireless clients or other APs (that are configured as trusted APs).

The ZyAIR can function as an AP and as a RADIUS server at the same time.

ZyAIR G-5100 User’s Guide

CHAPTER 6

PEAP (Protected EAP) and MD5 authentication is implemented on the internal RADIUS server using simple username and password methods over a secure TLS connection. See the appendices for more information on the types of EAP authentication and the internal RADIUS authentication method used in your ZyAIR.

Figure 35 ZyAIR Authenticates Wireless Stations

Chapter 6 Internal RADIUS Server 81

Page 82

ZyAIR G-5100 User’s Guide

Figure 36 ZyAIR Authenticates Trusted APs

Table 21 Internal RADIUS Server Screens Overview

LABEL DESCRIPTION

ZyAIR as a RADIUS server

Trusted AP’s

Setting Use the Setting screen to turn the ZyAIR’s internal RADIUS server off or on

and to view information about the ZyAIR’s certificates.

Trusted AP Use the Trusted AP screen to specify APs as trusted APs so they can use the

ZyAIR’s internal RADIUS server to authenticate wireless clients. You can set up to 31 trusted AP’s.

Trusted Users Use the Trusted Users screen to configure a list of wireless client user names

and passwords for the ZyAIR to authenticate. The ZyAIR internal RADIUS server can authenticate up to 32 wireless clients.

6.2 Internal RADIUS Server Setting

The INTERNAL RADIUS SERVER Setting screen displays information about certificates. The certificates are used by wireless clients to authenticate the RADIUS server. Information matching the certificate is held on the wireless clients utility, for example, Funk Software’s Odyssey client. A password and user name on the utility must match the Trusted Users list so that the RADIUS server can be authenticated.

Note: The internal RADIUS server does not support domain accounts (DOMAIN/ user). When you configure your Windows XP SP2 MS-CHAPv2 settings, deselect the Use Windows logon name and password check box. When authentication begins, a pop-up dialog box requests you to type a Name, Password and Domain of the RADIUS server. Specify a name and password only, do not specify a domain.

Wireless Zero Configuration PEAP/

Click the AUTH SERVER link under ADVANCED and then the Setting tab. The screen appears as shown.

82 Chapter 6 Internal RADIUS Server

Page 83

Figure 37 Internal RADIUS Server Setting Screen

The following table describes the labels in this screen.

ZyAIR G-5100 User’s Guide

Table 22 My Certificates

LABEL DESCRIPTION

Active Select the Active check box to have the ZyAIR use its internal RADIUS server to

authenticate wireless clients or other APs.

# This field displays the certificate index number. The certificates are listed in

alphabetical order. Use the CERTIFICATES screens to manage certificates. The internal RADIUS server uses one of the certificates listed in this screen to authenticate each wireless client. The exact certificate used, depends on the certificate information configured on the wireless client.

Name This field displays the name used to identify this certificate. It is recommended that

you give each certificate a unique name. auto_generated_self_signed_cert is the factory default certificate common to all

ZyAIR’s that use certificates.

Note: ZyXEL recommends that you replace the factory default certificate with one that uses your ZyAIR's MAC address. Do this when you first log in to the ZyAIR or in the CERTIFICATES My Certificates screen.

Type This field displays what kind of certificate this is.

REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.

SELF represents a self-signed certificate. *SELF represents the default self-signed certificate, which the ZyAIR uses to sign

imported trusted remote host certificates. CERT represents a certificate issued by a certification authority.

Subject This field displays identifying information about the certificate’s owner, such as CN

(Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.

Chapter 6 Internal RADIUS Server 83

Page 84

ZyAIR G-5100 User’s Guide

Table 22 My Certificates (continued)

LABEL DESCRIPTION

Issuer This field displays identifying information about the certificate’s issuing certification

authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.

Valid From This field displays the date that the certificate becomes applicable. The text

displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.

Valid To This field displays the date that the certificate expires. The text displays in red and

includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.

Apply Click Apply to have the ZyAIR use certificates to authenticate wireless clients.

Reset Click Reset to start configuring this screen afresh.

6.3 Trusted AP Overview

A trusted AP is an AP that uses the ZyAIR’s internal RADIUS server to authenticate its wireless clients. Each wireless client must have a user name and password configured in the Trusted Users screen.

The following figure shows how this is done in two phases.

Figure 38 Trusted AP Overview

ZyAIR RADIUS Server Wireless clients. You can

Trusted AP’s

authenticate a maximum of 32 wireless clients using the ZyAIR’s RADIUS server, irrespective of the amount of trusted AP’s configured on the ZyAIR

1 Configure an IP address and shared secret in the Trust ed AP database to authenticate an

AP as a trusted AP.

84 Chapter 6 Internal RADIUS Server

Page 85

2 Configure wireless client user names and passwords in the Trusted Users database to use

a trusted AP as a relay between the ZyAIR’s internal RADIUS server and the wireless clients. The wireless clients can then be authenticated by the ZyAIR’s internal RADIUS server.

6.4 Configuring Trusted AP

To specify APs as trusted APs so they can use the ZyAIR’s internal RADIUS server to authenticate wireless clients, click the AUTH SERVER link under ADVANCED and then the Trusted AP tab. The screen appears as shown.

Figure 39 Trusted AP Screen

ZyAIR G-5100 User’s Guide

The following table describes the labels in this screen.

Table 23 Trusted AP

LABEL DESCRIPTION

# This field displays the trusted AP index number.

Active Select this check box to have the ZyAIR use the IP Address and Shared Secret to

authenticate a trusted AP.

Chapter 6 Internal RADIUS Server 85

Page 86

ZyAIR G-5100 User’s Guide

Table 23 Trusted AP

LABEL DESCRIPTION

IP Address Type the IP address of the trusted AP in dotted decimal notation.

Shared Secret Enter a password (up to 31 alphanumeric characters, no spaces) as the key for

encrypting communications between the AP and the ZyAIR. The key is not sent over the network. This key must be the same on the AP and the ZyAIR.

Both the ZyAIR’s IP address and this shared secret must also be configured in the “external RADIUS” server fields of the trusted AP.

Note: The first trusted AP fields are for the ZyAIR itself. Use SMT menu 23.2 to configure them.

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

6.5 Trusted Users Overview

A trusted user entry consists of a wireless client user name and password

6.6 Configuring Trusted Users

To configure trusted user entries, click the AUTH SERVER link under ADVANCED and then the Trusted Users tab. The screen appears as shown.

86 Chapter 6 Internal RADIUS Server

Page 87

Figure 40 Trusted Users Screen

ZyAIR G-5100 User’s Guide

The following table describes the labels in this screen.

Table 24 Trusted Users

LABEL DESCRIPTION

# This field displays the trusted user index number.

Active Select this check box to have the ZyAIR authenticate wireless clients with the same

user name and password activated on their wireless utilities.

User Name Enter the user name for this user account. This name can be up to 31 alphanumeric

characters long, including spaces. The wireless client’s utility must use this name as its login name.

Password

Type a password (up to 31 ASCII characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type.

The password on the wireless client’s utility must be the same as this password.

Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length.

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

Chapter 6 Internal RADIUS Server 87

Page 88

ZyAIR G-5100 User’s Guide

88 Chapter 6 Internal RADIUS Server

Page 89

This chapter discusses how to configure VLAN on the ZyAIR

7.1 VLAN

A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Stations on a logical network can belong to one or more groups. Only stations within the same group can talk to each other.

The ZyAIR supports IEEE 802.1q VLAN tagging. Tagged VLAN uses an explicit tag (VLAN ID) in the MAC header of a frame to identify VLAN membership. The ZyAIR can identify VLAN tags for incoming Ethernet frames and add VLAN tags to outgoing Ethernet frames.

ZyAIR G-5100 User’s Guide

CHAPTER 7

VLAN

7.1.1 Management VLAN ID

The management VLAN ID identifies the “management VLAN”. A computer must be a member of this “management VLAN” in order to access and manage the ZyAIR. A computer that is not a member of this VLAN, then that device cannot manage the ZyAIR.

If no devices are in the management VLAN, then you will only be able to access the ZyAIR through the console port (not through the network).

7.2 Configuring VLAN

Click ADVANCED and then VLAN. The screen appears as shown next.

Chapter 7 VLAN 89

Page 90

ZyAIR G-5100 User’s Guide

Figure 41 VLAN

The following table describes the labels in this screen.

Table 25 VLAN

LABEL DESCRIPTION

Enable VLAN Tagging Select this check box to turn on VLAN tagging.

Use the Wireless screen to set the VLAN ID tag that the ZyAIR adds to the Ethernet frames that a WLAN adapter receives from wireless clients or APs.

Management VLAN ID Enter a number from 1 to 4094 to define this VLAN group. Your management

computer must belong to this VLAN group in order to manage the ZyAIR. This can be done in the following ways:

• The management computer could be a wireless client of the ZyAIR if the ZyAIR’s WLAN adapter is set to add the add the management VLAN ID tag to Ethernet frames received from wireless clients.

• The management computer could be on the wired network, behind a VLAN-aware switch that is configured to add the management VLAN ID tag to Ethernet frames from the computer before sending them to ZyAIR.

Note: Mail and FTP servers must have the same management VLAN ID to communicate with the ZyAIR.

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

90 Chapter 7 VLAN

Page 91

This chapter discusses how to configure IP on the ZyAIR

8.1 Factory Ethernet Defaults

The Ethernet parameters of the ZyAIR are preset in the factory with the following values:

1 IP address of 192.168.1.2

2 Subnet mask of 255.255.255.0 (24 bits)

These parameters should work for the majority of installations.

ZyAIR G-5100 User’s Guide

CHAPTER 8

IP Screen

8.2 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number; which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.2, for your ZyAIR, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your ZyAIR will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyAIR unless you are instructed to do otherwise.

Chapter 8 IP Screen 91

Page 92

ZyAIR G-5100 User’s Guide

8.2.1 IP Address Assignment

Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.

Table 26 Private IP Address Ranges

10.0.0.0 - 10.255.255.255

172.16.0.0 - 172.31.255.255

192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

8.3 Configuring IP

Click ADVANCED and then IP to display the screen shown next.

92 Chapter 8 IP Screen

Page 93

Figure 42 IP Setup

The following table describes the labels in this screen.

Table 27 IP Setup

ZyAIR G-5100 User’s Guide

LABEL DESCRIPTION

IP Address Assignment

Get automatically from DHCP

Select this option to have the ZyAIR use a dynamically assigned IP address from a DHCP server.

Note: You must know the IP address assigned to the ZyAIR (by the DHCP server) to access the ZyAIR again.

Use fixed IP address Select this option if your ZyAIR is using a static IP address. When you select

this option, fill in the fields below.

IP Address Enter the IP address of your ZyAIR in dotted decimal notation.

Note: If you change the ZyAIR's IP address, you must use the new IP address if you want to access the web configurator again.

IP Subnet Mask Type the subnet mask.

Gateway IP Address Type the IP address of the gateway. The gateway is a router or switch on the

same network segment as the ZyAIR. The gateway helps forward packets to their destinations. Leave this field as 0.0.0.0 if you do not know it.

Apply Click Apply to save your changes back to the ZyAIR.

Reset Click Reset to begin configuring this screen afresh.

Chapter 8 IP Screen 93

Page 94

ZyAIR G-5100 User’s Guide

94 Chapter 8 IP Screen

Page 95

This chapter gives background information about public-key certificates and explains how to use them.

9.1 Certificates Overview

The ZyAIR can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the ZyAIR to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

ZyAIR G-5100 User’s Guide

CHAPTER 9

Certificates

In public-key encryption and decryption, each host has two keys. One key is public and can be made openly available; the other key is private and must be kept secure. Public-key encryption in general works as follows.

1 Tim wants to send a private message to Jenny. Tim generates a public key pair. What is

encrypted with one key can only be decrypted using the other.

2 Tim keeps the private key and makes the public key openly available.

3 Tim uses his private key to encrypt the message and sends it to Jenny.

4 Jenny receives the message and uses Tim’s public key to decrypt it.

5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny’s

public key to decrypt the message.

The ZyAIR uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyAIR does not trust a certificate if any certificate on its path has expired or been revoked.

Chapter 9 Certificates 95

Page 96

ZyAIR G-5100 User’s Guide

9.1.1 Advantages of Certificates

Certificates offer the following benefits.

• The ZyAIR only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.

• Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

9.2 Self-signed Certificates

Until public-key infrastructure becomes more mature, it may not be available in some areas. You can have the ZyAIR act as a certification authority and sign its own certificates.

9.3 Configuration Summary

This section summarizes how to manage certificates on the ZyAIR.

Figure 43 Certificate Configuration Overview

Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyAIRs’ CA-signed certificates.

Use the Trusted CA screens to save CA certificates to the ZyAIR.

9.4 My Certificates

Click CERTIFICATES, My Certificates to open the ZyAIR’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. See the following figure.

96 Chapter 9 Certificates

Page 97

Figure 44 My Certificates

ZyAIR G-5100 User’s Guide

The following table describes the labels in this screen.

Table 28 My Certificates

LABEL DESCRIPTION

PKI Storage Space in Use

Replace This button displays when the ZyAIR has the factory default certificate. The factory

# This field displays the certificate index number. The certificates are listed in

Name This field displays the name used to identify this certificate. It is recommended that

This bar displays the percentage of the ZyAIR’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.

default certificate is common to all ZyAIRs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyAIR's MAC address.

alphabetical order.

you give each certificate a unique name.

Chapter 9 Certificates 97

Page 98

ZyAIR G-5100 User’s Guide

Table 28 My Certificates (continued)

LABEL DESCRIPTION

Type This field displays what kind of certificate this is.

Subject This field displays identifying information about the certificate’s owner, such as CN

Issuer This field displays identifying information about the certificate’s issuing certification

Valid From This field displays the date that the certificate becomes applicable. The text

Valid To This field displays the date that the certificate expires. The text displays in red and

Details Select a certificate’s radio button and click Details to open a screen with an in-

Create Click Create to go to the screen where you can have the ZyAIR generate a

Import Click Import to open a screen where you can save the certificate that you have

Delete Select a certificate’s radio button and click Delete to remove the certificate.

Refresh Click Refresh to display the current validity status of the certificates.

SELF represents a self-signed certificate. *SELF represents the default self-signed certificate, which the ZyAIR uses to sign

imported trusted remote host certificates. CERT represents a certificate issued by a certification authority.

(Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.

authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.

displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.

includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.

depth list of information about the certificate.

certificate or a certification request.

enrolled from a certification authority from your computer to the ZyAIR.

A window displays asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features is configured to use. Do the following to delete a certificate that shows *SELF in the Typ e field.

1. Make sure that no features are configured to use the *SELF certificate.

2. Select the radio button of another self-signed certificate and click Details (see the description on the Create button if you need to create a self-signed certificate).

3. Select the Default self-signed certificate which signs the imported remote host certificates check box.

4. Click Apply to save the changes and return to the My Certificates screen.

5. The certificate that originally showed *SELF displays SELF and you can delete it now.

Subsequent certificates move up by one when you take this action.

9.5 Certificate File Formats

The certification authority certificate that you want to import has to be in one of these file formats:

98 Chapter 9 Certificates

Page 99

• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.

• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form.

• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The ZyAIR currently allows the importation of a PKS#7 file that contains a single certificate.

• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.

9.6 Importing a Certificate

Click CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the

ZyAIR, see the following figure.

Note: 1. You can only import a certificate that matches a corresponding certification request that was generated by the ZyAIR.

Note: 2. The certificate you import replaces the corresponding request in the My Certificates screen. Note: 3. You must remove any spaces from the certificate’s filename before you can

import it.

ZyAIR G-5100 User’s Guide

Figure 45 My Certificate Import

The following table describes the labels in this screen.

Chapter 9 Certificates 99

Page 100

ZyAIR G-5100 User’s Guide

Table 29 My Certificate Import

LABEL DESCRIPTION

File Path Type in the location of the file you want to upload in this field or click Browse to find it.

Browse Click Browse to find the certificate file you want to upload.

Apply Click Apply to save the certificate on the ZyAIR.

Cancel Click Cancel to quit and return to the My Certificates screen.

9.7 Creating a Certificate

Click CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the ZyAIR create a self-signed certificate, enroll a

certificate with a certification authority or generate a certification request, see the following figure.

100 Chapter 9 Certificates

ZyXEL ZyAIR G-5100 User Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

User’s Guide

Copyright

Certifications

Safety Warnings

ZyXEL Limited Warranty

Customer Support

Table of Contents

List of Figures

List of Tables

Preface

Getting to Know Your ZyAIR

1.1 Introducing the ZyAIR

1.2 ZyAIR Features

1.3 Applications for the ZyAIR

1.3.1 Access Point

1.3.2 AP + Bridge

1.3.3 Bridge / Repeater

2.1 Web Configurator Overview

2.2 Accessing the ZyAIR Web Configurator

2.3 Resetting the ZyAIR

2.4 Navigating the ZyAIR Web Configurator

3.1 Wizard Setup Overview

Wizard Setup

3.2 Wizard Setup: General Setup

3.3 Wizard Setup: Wireless LAN

3.4 Wizard Setup: IP Address Assignment

3.5 Basic Setup Complete

4.1 System Overview

4.2 General Screen

System Screens

4.2.1 Domain Name

4.2.2 DNS Server Address Assignment

4.3 Configuring General Setup

4.4 Configuring Password

4.5 Configuring Time Setting

5.1 Introduction

Wireless LAN

5.2 Wireless Security Overview

5.2.1 Encryption

5.2.2 Authentication

5.2.3 Restricted Access

5.2.4 Hide ZyAIR Identity

5.2.5 Configuring Wireless LAN on the ZyAIR

5.3 Spanning Tree Protocol (STP)

5.3.1 Rapid STP

5.3.2 STP Terminology

5.3.3 How STP Works

5.3.4 STP Port States

5.4 WEP Encryption

5.5 Configuring the Wireless Screen

5.5.1 Access Point Mode

5.5.2 Bridge/Repeater Mode

5.5.3 AP+Bridge Mode

5.6 Configuring MAC Filters

5.7 Configuring Roaming

5.7.1 Requirements for Roaming

5.8 Introduction to WPA

5.9 WPA-PSK Application Example

5.10 WPA with RADIUS Application Example

5.11 Wireless Client WPA Supplicants

5.12 Configuring 802.1x and WPA

5.13 Authentication Required: 802.1x

5.14 Authentication Required: WPA

5.15 Authentication Required: WPA-PSK

Internal RADIUS Server

6.1 Internal RADIUS Overview

6.2 Internal RADIUS Server Setting

6.3 Trusted AP Overview

6.4 Configuring Trusted AP

6.5 Trusted Users Overview

6.6 Configuring Trusted Users

7.1 VLAN

VLAN

7.1.1 Management VLAN ID

7.2 Configuring VLAN

8.1 Factory Ethernet Defaults