ZyXEL ZyAIR G-5100 User Guide

ZyAIR G-5100
Outdoor Dual-802.11g Wireless LAN Access Point & Bridge

User’s Guide

Version 3.50
5/2005
ZyAIR G-5100 User’s Guide
Copyright © 2005 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Certifications

Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
FCC Warning
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and the receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
FCC Caution:
Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.
IMPORTANT NOTE:
FCC Radiation Exposure Statement:
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 cm between the radiator and your body.
This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
Note: Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antennas or antenna connector cable. Only use the included antennas or antenna connector cable.
Canadian Note
This Class B digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.
Certifications
Go to www.zyxel.com
1 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
2 Select the certification you wish to view from this page.
Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Please contact your vendor for further information.
• Use ONLY the dedicated power supply for your device. Connect the power cord or power adaptor to the right supply voltage (110V AC in North America or 230V AC in Europe).
• Do NOT use the device if the power supply is damaged as it might cause electrocution.
• If the power supply is damaged, remove it from the power outlet.
• Do NOT attempt to repair the power supply. Contact your local vendor to order a new power supply.
• Place cables carefully so that no one will step on them or stumble over them. Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord.
• Do NOT install or use your device during a thunderstorm. There may be a remote risk of electric shock from lightning.
• Do NOT expose your device to corrosive liquids.
• Do NOT store things on the device.
• Connect ONLY suitable accessories to the device.


ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind or character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
Customer Support

Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

CORPORATE HEADQUARTERS (WORLDWIDE)
Support e-mail: support@zyxel.com.tw
Sales e-mail: sales@zyxel.com.tw
Telephone: +886-3-578-3942
Fax: +886-3-578-2439
Web site: www.zyxel.com, www.europe.zyxel.com
FTP site: ftp.zyxel.com, ftp.europe.zyxel.com
Regular mail: ZyXEL Communications Corp. 6 Innovation Road II Science Park Hsinchu 300 Taiwan

CZECH REPUBLIC
Support e-mail: info@cz.zyxel.com
Sales e-mail: info@cz.zyxel.com
Telephone: +420 241 091 350
Fax: +420 241 091 359
Web site: www.zyxel.cz
Regular mail: ZyXEL Communications Czech s.r.o. Modranská 621 143 01 Praha 4 - Modrany Ceská Republika

DENMARK
Support e-mail: support@zyxel.dk
Sales e-mail: sales@zyxel.dk
Telephone: +45 39 55 07 00
Fax: +45 39 55 07 07
Web site: www.zyxel.dk
Regular mail: ZyXEL Communications A/S Columbusvej 5 2860 Soeborg Denmark

FINLAND
Support e-mail: support@zyxel.fi
Sales e-mail: sales@zyxel.fi
Telephone: +358-9-4780-8411
Fax: +358-9-4780 8448
Web site: www.zyxel.fi
Regular mail: ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland

FRANCE
E-mail: info@zyxel.fr
Telephone: +33 (0)4 72 52 97 97
Fax: +33 (0)4 72 52 19 20
Web site: www.zyxel.fr
Regular mail: ZyXEL France 1 rue des Vergers Bat. 1 / C 69760 Limonest France

GERMANY
Support e-mail: support@zyxel.de
Sales e-mail: sales@zyxel.de
Telephone: +49-2405-6909-0
Fax: +49-2405-6909-99
Web site: www.zyxel.de
Regular mail: ZyXEL Deutschland GmbH. Adenauerstr. 20/A2 D-52146 Wuerselen Germany

NORTH AMERICA
Support e-mail: support@zyxel.com
Sales e-mail: sales@zyxel.com
Telephone: +1-800-255-4101, +1-714-632-0882
Fax: +1-714-632-0858
Web site: www.us.zyxel.com
FTP site: ftp.us.zyxel.com
Regular mail: ZyXEL Communications Inc. 1130 N. Miller St. Anaheim CA 92806-2001 U.S.A.

NORWAY
Support e-mail: support@zyxel.no
Sales e-mail: sales@zyxel.no
Telephone: +47 22 80 61 80
Fax: +47 22 80 61 81
Web site: www.zyxel.no
Regular mail: ZyXEL Communications A/S Nils Hansens vei 13 0667 Oslo Norway

SPAIN
Support e-mail: support@zyxel.es
Sales e-mail: sales@zyxel.es
Telephone: +34 902 195 420
Fax: +34 913 005 345
Web site: www.zyxel.es
Regular mail: ZyXEL Communications Arte, 21 5ª planta 28033 Madrid Spain

SWEDEN
Support e-mail: support@zyxel.se
Sales e-mail: sales@zyxel.se
Telephone: +46 31 744 7700
Fax: +46 31 744 7701
Web site: www.zyxel.se
Regular mail: ZyXEL Communications A/S Sjöporten 4, 41764 Göteborg Sweden

UNITED KINGDOM
Support e-mail: support@zyxel.co.uk
Sales e-mail: sales@zyxel.co.uk
Telephone: +44 (0) 1344 303044, 08707 555779 (UK only)
Fax: +44 (0) 1344 303034
Web site: www.zyxel.co.uk
FTP site: ftp.zyxel.co.uk
Regular mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)

Note: In telephone numbers, “+” is the (prefix) number you enter to make an international telephone call.

Table of Contents

Copyright
Certifications
Safety Warnings
ZyXEL Limited Warranty
Customer Support
Table of Contents
List of Figures
List of Tables
Preface
Chapter 1 Getting to Know Your ZyAIR
1.1 Introducing the ZyAIR
1.2 ZyAIR Features
1.3 Applications for the ZyAIR
1.3.1 Access Point
1.3.2 AP + Bridge
1.3.3 Bridge / Repeater
Chapter 2 Introducing the Web Configurator
2.1 Web Configurator Overview
2.2 Accessing the ZyAIR Web Configurator
2.3 Resetting the ZyAIR
2.4 Navigating the ZyAIR Web Configurator
Chapter 3 Wizard Setup
3.1 Wizard Setup Overview
3.2 Wizard Setup: General Setup
3.3 Wizard Setup: Wireless LAN
3.4 Wizard Setup: IP Address Assignment
3.5 Basic Setup Complete
Chapter 4 System Screens
4.1 System Overview
4.2 General Screen
4.2.1 Domain Name
4.2.2 DNS Server Address Assignment
4.3 Configuring General Setup
4.4 Configuring Password
4.5 Configuring Time Setting
Chapter 5 Wireless LAN
5.1 Introduction
5.2 Wireless Security Overview
5.2.1 Encryption
5.2.2 Authentication
5.2.3 Restricted Access
5.2.4 Hide ZyAIR Identity
5.2.5 Configuring Wireless LAN on the ZyAIR
5.3 Spanning Tree Protocol (STP)
5.3.1 Rapid STP
5.3.2 STP Terminology
5.3.3 How STP Works
5.3.4 STP Port States
5.4 WEP Encryption
5.5 Configuring the Wireless Screen
5.5.1 Access Point Mode
5.5.2 Bridge/Repeater Mode
5.5.3 AP+Bridge Mode
5.6 Configuring MAC Filters
5.7 Configuring Roaming
5.7.1 Requirements for Roaming
5.8 Introduction to WPA
5.9 WPA-PSK Application Example
5.10 WPA with RADIUS Application Example
5.11 Wireless Client WPA Supplicants
5.12 Configuring 802.1x and WPA
5.13 Authentication Required: 802.1x
5.14 Authentication Required: WPA
5.15 Authentication Required: WPA-PSK
Chapter 6 Internal RADIUS Server
6.1 Internal RADIUS Overview
6.2 Internal RADIUS Server Setting
6.3 Trusted AP Overview
6.4 Configuring Trusted AP
6.5 Trusted Users Overview
6.6 Configuring Trusted Users
Chapter 7 VLAN
7.1 VLAN
7.1.1 Management VLAN ID
7.2 Configuring VLAN
Chapter 8 IP Screen
8.1 Factory Ethernet Defaults
8.2 IP Address and Subnet Mask
8.2.1 IP Address Assignment
8.3 Configuring IP
Chapter 9 Certificates
9.1 Certificates Overview
9.1.1 Advantages of Certificates
9.2 Self-signed Certificates
9.3 Configuration Summary
9.4 My Certificates
9.5 Certificate File Formats
9.6 Importing a Certificate
9.7 Creating a Certificate
9.8 My Certificate Details
9.9 Trusted CAs
9.10 Importing a Trusted CA’s Certificate
9.11 Trusted CA Certificate Details
Chapter 10 Log Screens
10.1 Configuring View Log
10.2 Configuring Log Settings
Chapter 11 Maintenance
11.1 Maintenance Overview
11.2 System Status Screen
11.2.1 System Statistics
11.3 Association List
11.4 Channel Usage
11.5 F/W Upload Screen
11.6 Configuration Screen
11.6.1 Backup Configuration
11.6.2 Restore Configuration
11.6.3 Back to Factory Defaults
11.7 Restart Screen
Chapter 12 Introducing the SMT
12.1 Introduction to the SMT
12.2 Accessing the SMT via the Console Port
12.2.1 Initial Screen
12.2.2 Entering the Password
12.3 Accessing the SMT via Telnet
12.4 Navigating the SMT Interface
12.4.1 System Management Terminal Interface Summary
12.4.2 SMT Menus Overview
12.5 Changing the System Password
Chapter 13 General Setup
13.1 General Setup
13.1.1 Procedure To Configure Menu 1
Chapter 14 LAN Setup
14.1 LAN Setup
14.2 TCP/IP Ethernet Setup
14.3 Wireless LAN Setup
14.3.1 Configuring MAC Address Filter
14.3.2 Configuring Roaming
14.3.3 Configuring Bridge Link
Chapter 15 Dial-in User Setup
15.1 Dial-in User Setup
Chapter 16 VLAN Setup
16.1 VLAN Setup
Chapter 17 SNMP Configuration
17.1 About SNMP
17.2 Supported MIBs
17.3 SNMP Configuration
17.4 SNMP Traps
Chapter 18 System Security
18.1 System Security
18.1.1 System Password
18.1.2 Configuring External RADIUS Server
18.1.3 802.1x
Chapter 19 System Information and Diagnosis
19.1 System Status
19.2 System Information
19.2.1 System Information
19.2.2 Console Port Speed
19.3 Log and Trace
19.3.1 Viewing Error Log
19.4 Diagnostic
Chapter 20 Firmware and Configuration File Maintenance
20.1 Filename Conventions
20.2 Backup Configuration
20.2.1 Backup Configuration Using FTP
20.2.2 Using the FTP command from the DOS Prompt
20.2.3 Backup Configuration Using TFTP
20.2.4 Example: TFTP Command
20.2.5 Backup Via Console Port
20.3 Restore Configuration
20.3.1 Restore Using FTP
20.4 Uploading Firmware and Configuration Files
20.4.1 Firmware Upload
20.4.2 Configuration File Upload
20.4.3 Using the FTP command from the DOS Prompt Example
20.4.4 TFTP File Upload
20.4.5 Example: TFTP Command
20.4.6 Uploading Via Console Port
20.4.7 Uploading Firmware File Via Console Port
20.4.8 Example Xmodem Firmware Upload Using HyperTerminal
20.4.9 Uploading Configuration File Via Console Port
20.4.10 Example Xmodem Configuration Upload Using HyperTerminal
Chapter 21 System Maintenance and Information
21.1 Command Interpreter Mode
21.2 Time and Date Setting
21.2.1 Resetting the Time
Chapter 22 Troubleshooting
22.1 Problems Starting Up the ZyAIR
22.2 Problems with Console Port Access
22.3 Problems with the Ethernet Interface
22.4 Problems with the Password
22.5 Problems with Telnet
22.6 Problems with the WLAN Interface
Appendix A Specifications
Appendix B Packaging Specifications
Appendix C Power over Ethernet Specifications
Appendix D Setting up Your Computer’s IP Address
Appendix E IP Subnetting
Appendix F Wireless LAN
Appendix G Outdoor Site Planning
Appendix H Outdoor Installation Recommendations
Appendix I Command Interpreter
Appendix J Brute-Force Password Guessing Protection
Appendix K Log Descriptions
Index

List of Figures

Figure 1 PoE Installation Example ......................................................................... 30
Figure 2 WDS Functionality Example .................................................................... 30
Figure 3 Access Point Application .......................................................................... 34
Figure 4 AP+Bridge Application ........................................................................... 34
Figure 5 Bridge Application .................................................................................... 35
Figure 6 Repeater Application ................................................................................ 36
Figure 7 Change Password Screen ....................................................................... 38
Figure 8 Replace Certificate Screen. ..................................................................... 38
Figure 9 Example Xmodem Upload ....................................................................... 39
Figure 10 The MAIN MENU Screen of the Web Configurator ................................ 40
Figure 11 Wizard: General Setup ........................................................................... 43
Figure 12 Wizard: Wireless LAN Setup .................................................................. 45
Figure 13 Wizard: IP Address Assignment ............................................................ 46
Figure 14 TCP/IP Warning Screen ......................................................................... 47
Figure 15 Close Browser Screen ........................................................................... 47
Figure 16 Wizard: Setup Complete ........................................................................ 48
Figure 17 System General ..................................................................................... 50
Figure 18 Password. .............................................................................................. 51
Figure 19 Time Setting ........................................................................................... 52
Figure 20 Wireless: Access Point .......................................................................... 59
Figure 21 Bridging Example ................................................................................... 62
Figure 22 Bridge Loop: Two Bridges Connected to Hub ........................................ 63
Figure 23 Bridge Loop: Bridge Connected to Wired LAN ...................................... 63
Figure 24 Wireless: Bridge/Repeater ..................................................................... 64
Figure 25 Wireless: AP+Bridge .............................................................................. 66
Figure 26 MAC Address Filter ................................................................................ 68
Figure 27 Roaming Example .................................................................................. 70
Figure 28 Roaming ................................................................................................. 71
Figure 29 WPA - PSK Authentication ..................................................................... 72
Figure 30 WPA with RADIUS Application Example ................................................ 73
Figure 31 Wireless LAN: 802.1x/WPA ................................................................... 74
Figure 32 Wireless LAN: 802.1x/WPA for 802.1x Protocol .................................... 75
Figure 33 Wireless LAN: 802.1x/WPA for WPA Protocol ....................................... 78
Figure 34 Wireless LAN: 802.1x/WPA for WPA-PSK Protocol ............................... 79
Figure 35 ZyAIR Authenticates Wireless Stations .................................................. 81
Figure 36 ZyAIR Authenticates Trusted APs .......................................................... 82
Figure 37 Internal RADIUS Server Setting Screen ............................................... 83
Figure 38 Trusted AP Overview ............................................................................. 84
Figure 39 Trusted AP Screen ................................................................................. 85
Figure 40 Trusted Users Screen ............................................................................ 87
Figure 41 VLAN ...................................................................................................... 90
Figure 42 IP Setup ................................................................................................ 93
Figure 43 Certificate Configuration Overview ........................................................ 96
Figure 44 My Certificates ....................................................................................... 97
Figure 45 My Certificate Import .............................................................................. 99
Figure 46 My Certificate Create ............................................................................. 101
Figure 47 My Certificate Details ............................................................................. 104
Figure 48 Trusted CAs ........................................................................................... 107
Figure 49 Trusted CA Import .................................................................................. 109
Figure 50 Trusted CA Details ................................................................................. 110
Figure 51 View Log ................................................................................................ 114
Figure 52 Log Settings ........................................................................................... 116
Figure 53 System Status ........................................................................................ 119
Figure 54 System Status: Show Statistics .............................................................. 120
Figure 55 Association List ...................................................................................... 121
Figure 56 Channel Usage ...................................................................................... 122
Figure 57 Firmware Upload .................................................................................... 124
Figure 58 Firmware Upload In Process .................................................................. 125
Figure 59 Network Temporarily Disconnected ....................................................... 125
Figure 60 Firmware Upload Error ........................................................................... 126
Figure 61 Configuration .......................................................................................... 127
Figure 62 Configuration Upload Successful ........................................................... 128
Figure 63 Network Temporarily Disconnected ....................................................... 128
Figure 64 Configuration Upload Error .................................................................... 129
Figure 65 Reset Warning Message ........................................................................ 129
Figure 66 Restart Screen ....................................................................................... 130
Figure 67 Initial Screen .......................................................................................... 132
Figure 68 Password Screen .................................................................................. 132
Figure 69 Login Screen .......................................................................................... 133
Figure 70 SMT Main Menu .................................................................................... 134
Figure 71 Menu 23.1 System Security: Change Password .................................... 136
Figure 72 Menu 1 General Setup ........................................................................... 137
Figure 73 Menu 3 LAN Setup ................................................................................ 139
Figure 74 Menu 3.2 TCP/IP Setup ......................................................................... 140
Figure 75 Menu 3.5 Wireless LAN Setup ............................................................... 141
Figure 76 Menu 3.5 Wireless LAN Setup ............................................................... 143
Figure 77 Menu 3.5.1 WLAN MAC Address Filter ................................................. 144
Figure 78 Menu 3.5 Wireless LAN Setup ............................................................... 145
Figure 79 Menu 3.5.2 - Roaming Configuration ..................................................... 145
Figure 80 Menu 3.5 Wireless LAN Setup ............................................................... 146
Figure 81 Menu 3.5.4 - Bridge Link Configuration ................................................. 147
Figure 82 Menu 14- Dial-in User Setup .................................................................. 149
Figure 83 Menu 14.1- Edit Dial-in User .................................................................. 149
Figure 84 Menu 16 VLAN Setup ............................................................................ 151
Figure 85 SNMP Management Model .................................................................... 153
Figure 86 Menu 22 SNMP Configuration .............................................................. 154
Figure 87 Menu 23 System Security ...................................................................... 157
Figure 88 Menu 23 System Security ...................................................................... 157
Figure 89 Menu 23.2 System Security: RADIUS Server ........................................ 158
Figure 90 Menu 23 System Security ...................................................................... 159
Figure 91 Menu 23.4 System Security: IEEE802.1x .............................................. 160
Figure 92 Menu 24 System Maintenance .............................................................. 163
Figure 93 Menu 24.1 System Maintenance: Status ............................................... 164
Figure 94 Menu 24.2 System Information and Console Port Speed ...................... 165
Figure 95 Menu 24.2.1 System Information: Information ....................................... 165
Figure 96 Menu 24.2.2 System Maintenance: Change Console Port Speed ......... 166
Figure 97 Menu 24.3 System Maintenance: Log and Trace .................................. 167
Figure 98 Sample Error and Information Messages .............................................. 167
Figure 99 Menu 24.4 System Maintenance: Diagnostic ......................................... 168
Figure 100 Menu 24.5 Backup Configuration ......................................................... 170
Figure 101 FTP Session Example ......................................................................... 171
Figure 102 System Maintenance: Backup Configuration ....................................... 173
Figure 103 System Maintenance: Starting Xmodem Download Screen ................ 173
Figure 104 Backup Configuration Example ............................................................ 173
Figure 105 Successful Backup Confirmation Screen ............................................. 174
Figure 106 Menu 24.6 Restore Configuration ........................................................ 174
Figure 107 Menu 24.7 System Maintenance: Upload Firmware ............................ 175
Figure 108 Menu 24.7.1 System Maintenance: Upload System Firmware ............ 175
Figure 109 Menu 24.7.2 System Maintenance: Upload System Configuration File 176
Figure 110 FTP Session Example .......................................................................... 177
Figure 111 Menu 24.7.1 as Seen Using the Console Port ..................................... 178
Figure 112 Example Xmodem Upload ................................................................... 179
Figure 113 Menu 24.7.2 as Seen Using the Console Port .................................... 179
Figure 114 Example Xmodem Upload ................................................................... 180
Figure 115 Menu 24 System Maintenance ............................................................. 181
Figure 116 Valid CI Commands .............................................................................. 182
Figure 117 Menu 24.10 System Maintenance: Time and Date Setting .................. 182
Figure 118 Inspection Cosmetic and Function ....................................................... 194
Figure 119 Windows 95/98/Me: Network: Configuration ........................................ 202
Figure 120 Windows 95/98/Me: TCP/IP Properties: IP Address ............................ 203
Figure 121 Windows 95/98/Me: TCP/IP Properties: DNS Configuration ............... 204
Figure 122 Windows XP: Start Menu ..................................................................... 205
Figure 123 Windows XP: Control Panel ................................................................. 205
Figure 124 Windows XP: Control Panel: Network Connections: Properties .......... 206
Figure 125 Windows XP: Local Area Connection Properties ................................. 206
Figure 126 Windows XP: Internet Protocol (TCP/IP) Properties ............................ 207
Figure 127 Windows XP: Advanced TCP/IP Properties ......................................... 208
Figure 128 Windows XP: Internet Protocol (TCP/IP) Properties ............................ 209
Figure 129 Macintosh OS 8/9: Apple Menu ........................................................... 210
Figure 130 Macintosh OS 8/9: TCP/IP ................................................................... 210
Figure 131 Macintosh OS X: Apple Menu .............................................................. 211
Figure 132 Macintosh OS X: Network .................................................................... 212
Figure 133 Peer-to-Peer Communication in an Ad-hoc Network ........................... 221
Figure 134 Basic Service Set ................................................................................. 222
Figure 135 Infrastructure WLAN ............................................................................ 223
Figure 136 RTS/CTS ............................................................................................ 224
Figure 137 EAP Authentication .............................................................................. 227
Figure 138 WEP Authentication Steps ................................................................... 230
Figure 139 Roaming Example ................................................................................ 233

List of Tables

Table 1 IEEE 802.11g ............................................................................................ 31
Table 2 IEEE 802.11b ............................................................................................ 31
Table 3 Screens Summary .................................................................................... 40
Table 4 Wizard: General Setup ............................................................................. 44
Table 5 Wizard: Wireless LAN Setup .................................................................... 45
Table 6 Wizard: IP Address Assignment ............................................................... 46
Table 7 System General Setup ............................................................................. 50
Table 8 Password .................................................................................................. 52
Table 9 Time Setting .............................................................................................. 53
Table 10 ZyAIR Wireless Security Levels ............................................................. 56
Table 11 STP Path Costs ...................................................................................... 57
Table 12 STP Port States ...................................................................................... 58
Table 13 Wireless: Access Point ........................................................................... 60
Table 14 Wireless: Bridge/Repeater ...................................................................... 64
Table 15 MAC Address Filter ................................................................................ 68
Table 16 Roaming ................................................................................................. 71
Table 17 Wireless LAN: 802.1x/WPA .................................................................... 74
Table 18 Wireless LAN: 802.1x/WPA for 802.1x Protocol ..................................... 76
Table 19 Wireless LAN: 802.1x/WPA for WPA Protocol ........................................ 79
Table 20 Wireless LAN: 802.1x/WPA for WPA-PSK Protocol ............................... 80
Table 21 Internal RADIUS Server Screens Overview ........................................... 82
Table 22 My Certificates ........................................................................................ 83
Table 23 Trusted AP .............................................................................................. 85
Table 24 Trusted Users ......................................................................................... 87
Table 25 VLAN ...................................................................................................... 90
Table 26 Private IP Address Ranges .................................................................... 92
Table 27 IP Setup .................................................................................................. 93
Table 28 My Certificates ........................................................................................ 97
Table 29 My Certificate Import .............................................................................. 100
Table 30 My Certificate Create .............................................................................. 101
Table 31 My Certificate Details .............................................................................. 105
Table 32 Trusted CAs ............................................................................................ 107
Table 33 Trusted CA Import .................................................................................. 109
Table 34 Trusted CA Details .................................................................................. 111
Table 35 View Log ................................................................................................. 114
Table 36 Log Settings ............................................................................................ 116
Table 37 System Status ......................................................................................... 119
Table 38 System Status: Show Statistics .............................................................. 120
Table 39 Association List ....................................................................................... 122
Table 40 Channel Usage ....................................................................................... 123
Table 41 Firmware Upload .................................................................................... 124
Table 42 Restore Configuration ............................................................................. 128
Table 43 Main Menu Commands .......................................................................... 133
Table 44 Main Menu Summary ............................................................................. 134
Table 45 SMT Menus Overview ............................................................................ 135
Table 46 Menu 1 General Setup ........................................................................... 138
Table 47 Menu 3.2 TCP/IP Setup .......................................................................... 140
Table 48 Menu 3.5 Wireless LAN Setup ............................................................... 141
Table 49 Menu 3.5.1 WLAN MAC Address Filter .................................................. 144
Table 50 Menu 3.5.2 - Roaming Configuration ..................................................... 146
Table 51 Menu 3.5.4 Bridge Link Configuration .................................................... 147
Table 52 Menu 14.1- Edit Dial-in User .................................................................. 150
Table 53 Menu 16 VLAN Setup ............................................................................. 151
Table 54 Menu 22 SNMP Configuration ................................................................ 155
Table 55 SNMP Traps ........................................................................................... 155
Table 56 Ports and Interface Types ....................................................................... 155
Table 57 Menu 23.2 System Security: RADIUS Server ........................................ 158
Table 58 Menu 23.4 System Security: IEEE802.1x ............................................... 160
Table 59 Menu 24.1 System Maintenance: Status ................................................ 164
Table 60 Menu 24.2.1 System Maintenance: Information ..................................... 166
Table 61 Menu 24.4 System Maintenance Menu: Diagnostic ............................... 168
Table 62 Filename Conventions ............................................................................ 170
Table 63 General Commands for Third Party FTP Clients .................................... 171
Table 64 General Commands for Third Party TFTP Clients ................................. 172
Table 65 System Maintenance: Time and Date Setting ........................................ 183
Table 66 Troubleshooting the Start-Up of Your ZyAIR ........................................... 185
Table 67 Troubleshooting Console Port Access .................................................... 185
Table 68 Troubleshooting the Ethernet Interface .................................................. 186
Table 69 Troubleshooting the Password ............................................................... 187
Table 70 Troubleshooting Telnet ........................................................................... 187
Table 71 Troubleshooting the WLAN Interface ...................................................... 187
Table 72 Device Specifications .............................................................................. 189
Table 73 Performance ........................................................................................... 189
Table 74 Firmware Features ................................................................................. 190
Table 75 Environmental Conditions ....................................................................... 191
Table 76 Inspection Channel (CH1, CH7, CH13) .................................................. 191
Table 77 Hardware Specifications ......................................................................... 191
Table 78 Radio Specifications ............................................................................... 192
Table 79 Rx Sensitivity (@ FER = 0.08) ................................................................ 192
Table 80 Transmitting System ............................................................................... 193
Table 81 Receiving System ................................................................................... 193
Table 82 Current Consumption ............................................................................. 193
Table 83 Approvals ................................................................................................ 194
Table 84 Packaging Specifications ........................................................................ 197
Table 85 Mounting Hardware Specifications ......................................................... 197
Table 86 Power over Ethernet Injector Specifications .......................................... 199
Table 87 Power over Ethernet Injector RJ-45 Port Pin Assignments .................... 199
Table 88 Classes of IP Addresses ........................................................................ 213
Table 89 Allowed IP Address Range By Class ...................................................... 214
Table 90 “Natural” Masks ..................................................................................... 214
Table 91 Alternative Subnet Mask Notation .......................................................... 215
Table 92 Two Subnets Example ............................................................................ 215
Table 93 Subnet 1 ................................................................................................. 216
Table 94 Subnet 2 ................................................................................................. 216
Table 95 Subnet 1 ................................................................................................. 217
Table 96 Subnet 2 ................................................................................................. 217
Table 97 Subnet 3 ................................................................................................. 217
Table 98 Subnet 4 ................................................................................................. 218
Table 99 Eight Subnets ......................................................................................... 218
Table 100 Class C Subnet Planning ...................................................................... 218
Table 101 Class B Subnet Planning ...................................................................... 219
Table 102 IEEE802.11g ......................................................................................... 225
Table 103 Comparison of EAP Authentication Types ............................................ 231
Table 104 Wireless Security Relational Matrix ...................................................... 232
Table 105 Brute-Force Password Guessing Protection Commands ..................... 247
Table 106 System Maintenance Logs ................................................................... 249
Table 107 ICMP Notes .......................................................................................... 249
Table 108 Sys log .................................................................................................. 250
Table 109 Log Categories and Available Settings ................................................. 251

Preface

Congratulations on your purchase of the ZyAIR G-5100 Outdoor 802.11g Business Access Point/Bridge/Repeater.
The ZyAIR is an Access Point (AP) through which wireless stations can communicate and/or access a wired network. The ZyAIR can also function as a wireless network bridge/repeater and establish wireless links with other APs.
The ZyAIR also supports both AP and bridge connections at the same time.
Your ZyAIR is easy to install and configure.
Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
About This User's Guide
This User’s Guide is designed to guide you through the configuration of your ZyAIR using the web configurator or the System Management Terminal (SMT). The web configurator parts of this guide contain background information on features configurable by the web configurator. The SMT parts of this guide contain background information solely on features not configurable by the web configurator.
Note: Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your ZyAIR. Not all features can be configured through all interfaces.
Related Documentation
• Supporting Disk
Refer to the included CD for support documents.
• Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains connection information and instructions on getting started.
• Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary information.
• ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.
User Guide Feedback
Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field choices are in Bold Arial font. Command and arrow keys are enclosed in square brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape key and [SPACE BAR] means the Space Bar.
• Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
• For brevity’s sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for “that is” or “in other words” throughout this manual.
• The ZyAIR G-5100 may be referred to simply as the ZyAIR in the user’s guide.
Graphics Icons Key
Icons used in this guide: ZyAIR, Computer, Notebook computer, Server, Modem, Switch, Router, Wireless Signal.
CHAPTER 1

Getting to Know Your ZyAIR

This chapter introduces the main features and applications of the ZyAIR.

1.1 Introducing the ZyAIR

The ZyAIR G-5100 is an enterprise level, outdoor IEEE 802.11g compliant business access point, bridge and repeater with excellent wireless performance. Wireless Distribution System (WDS) support provides flexibility in building an extended wireless network with bridge and repeater applications. IEEE 802.1x, Wi-Fi Protected Access, WEP data encryption and MAC address filtering offer highly secured wireless connectivity.
Rugged die-cast, watertight construction, built-in lightning protection, and grounding make the ZyAIR perfect for outdoor applications.
It is easy to install and configure the ZyAIR. The web-based configurator allows remote configuration and management of your ZyAIR. The Power over Ethernet (PoE) feature means that power can be delivered to the ZyAIR over an Ethernet line. This allows you to mount the ZyAIR in areas where there are no nearby power sources.

1.2 ZyAIR Features

The following sections describe the features of the ZyAIR.
10/100M Auto-negotiating Ethernet/Fast Ethernet Interface
This auto-negotiating feature allows the ZyAIR to detect the speed of incoming transmissions and adjust appropriately without manual intervention. It allows data transfer of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.
Power over Ethernet (PoE)
Power over Ethernet (PoE) is the ability to provide power to your ZyAIR via an 8-pin CAT 5 Ethernet cable, eliminating the need for a nearby power source. The ZyAIR G-5100 includes a special high current power injector that allows the ZyAIR to be located farther away. This feature allows increased flexibility in the locating of your ZyAIR.
Page 30
Figure 1 PoE Installation Example
Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences between WPA and WEP are user authentication and improved data encryption.
WDS Functionality
A Distribution System (DS) is a wired connection between two or more APs, while a Wireless Distribution System (WDS) is a wireless connection. Your ZyAIR supports WDS, providing a cost-effective solution for wireless network expansion. The ZyAIR supports up to five wireless links with other APs.
Figure 2 WDS Functionality Example
Page 31
IEEE 802.11g Wireless LAN Standard
The ZyAIR complies with the IEEE 802.11g wireless standard. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows. The modulation technique defines how bits are encoded onto radio waves.
Table 1 IEEE 802.11g
| DATA RATE (MBPS) | MODULATION |
|---|---|
| 6/9/12/18/24/36/48/54 | OFDM (Orthogonal Frequency Division Multiplexing) |
Note: The ZyAIR may be prone to RF (Radio Frequency) interference from other 2.4 GHz devices such as microwave ovens, wireless phones, Bluetooth enabled devices, and other wireless LANs.
IEEE 802.11b Wireless LAN Standard
The ZyAIR also fully complies with the IEEE 802.11b standard. This means an IEEE 802.11b radio card can interface directly with an IEEE 802.11g device (and vice versa) at 11 Mbps or lower depending on range.
The IEEE 802.11b data rate and corresponding modulation techniques are shown in the table below.
Table 2 IEEE 802.11b
| DATA RATE (MBPS) | MODULATION |
|---|---|
| 1 | DBPSK (Differential Binary Phase Shift Keyed) |
| 2 | DQPSK (Differential Quadrature Phase Shift Keying) |
| 5.5 / 11 | CCK (Complementary Code Keying) |
STP (Spanning Tree Protocol) / RSTP (Rapid STP)
(R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network.
SSL Passthrough
SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https” instead of “http”. The ZyAIR allows SSL connections to take place through the ZyAIR.
Page 32
VPN Passthrough
VPN (Virtual Private Network) connections use data encryption to provide secure communications over unsecure networks (like the Internet). The ZyAIR allows VPN connections to go through it.
Wireless LAN MAC Address Filtering
Your ZyAIR checks the MAC address of the wireless station against a list of allowed or denied MAC addresses.
WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.
IEEE 802.1x Network Security
The ZyAIR supports the IEEE 802.1x standard to enhance user authentication. This allows you to use a RADIUS (RFC2138, 2139 - Remote Authentication Dial In User Service) server to authenticate users.
Embedded RADIUS Server
The ZyAIR’s embedded RADIUS server eliminates the need to purchase and maintain a standalone external RADIUS server. Use the embedded RADIUS server to authenticate up to 32 users. You can also use an external RADIUS server to authenticate a potentially unlimited number of users.
Backup RADIUS Server
You can configure the ZyAIR to use backup external RADIUS servers and accounting servers in case the primary external RADIUS or accounting server does not respond.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyAIR supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyAIR through the network. The ZyAIR supports SNMP version one (SNMPv1) and version two c (SNMPv2c).
Full Network Management
The web configurator is an HTML-based management interface that allows easy setup and management via Internet browser. Most functions of the ZyAIR are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator over a telnet connection.
Page 33
Logging and Tracing
• Built-in message logging and packet tracing.
• Syslog facility support.
Embedded FTP and TFTP Servers
The ZyAIR’s embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.
Wireless Association List
With the wireless association list, you can see the list of the wireless stations that are currently using the ZyAIR to access your wired network.
Wireless LAN Channel Usage
The Wireless Channel Usage screen displays which radio channels are being used by other wireless devices within the transmission range of the ZyAIR. This allows you to select the channel with minimum interference for your ZyAIR.

1.3 Applications for the ZyAIR

The ZyAIR can be configured using the following WLAN operating modes:
1 AP
2 AP+Bridge
3 Bridge/Repeater
Applications for each operating mode are shown below.

1.3.1 Access Point

The ZyAIR is an ideal access solution for wireless Internet connection. A typical Internet access application for your ZyAIR is shown as follows. Stations A, B and C can access the wired network through the ZyAIRs.
Page 34
Figure 3 Access Point Application

1.3.2 AP + Bridge

In AP+Bridge mode, the ZyAIR supports both AP connections (A and B can connect to the wired network through X) and bridge connections (X can communicate with Y) at the same time.
Figure 4 AP+Bridge Application
Page 35

1.3.3 Bridge / Repeater

The ZyAIR can act as a wireless network bridge and establish wireless links with other APs. In bridge mode, the ZyAIRs (see A and B in Figure 5 on page 35) are connected to independent wired networks and have a bridge (A can communicate with B) connection at the same time. A ZyAIR without a wired connection can act as a repeater (see C in Figure 6 on page 36).
Figure 5 Bridge Application
Page 36
Figure 6 Repeater Application
Page 37
CHAPTER 2

Introducing the Web Configurator

This chapter describes how to access the ZyAIR web configurator and provides an overview of its screens.

2.1 Web Configurator Overview

The embedded web configurator allows you to manage the ZyAIR from anywhere through a browser such as Microsoft Internet Explorer. Use Internet Explorer 6.0 and later versions with JavaScript enabled.
It is recommended that you set your screen resolution to 1024 by 768 pixels.

2.2 Accessing the ZyAIR Web Configurator

1 Make sure your ZyAIR hardware is properly connected (refer to the Quick Start Guide).
2 Prepare your computer/computer network to connect to the ZyAIR (refer to Appendix D on page 201).
3 Launch your web browser.
4 Type "192.168.1.2" (the default IP address of the ZyAIR) as the URL.
5 Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login.
6 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore to allow access without password change.
Page 38
Figure 7 Change Password Screen
7 Click Apply in the Replace Certificate screen to create a certificate using your ZyAIR’s MAC address that will be specific to this device.
Figure 8 Replace Certificate Screen
8 You should now see the MAIN MENU screen (see Figure 10 on page 40).
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyAIR if this happens to you.

2.3 Resetting the ZyAIR

If you forget your password or cannot access the ZyAIR, you will need to reload the factory-default configuration file. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously. The password will be reset to “1234” and the IP address will be reset to 192.168.1.2.
Do the following to erase the current configuration and restore factory defaults.
Page 39
Obtain the default configuration file, unzip it and save it in a folder. Use a console cable to connect a computer with terminal emulation software to the ZyAIR’s console port. Turn the ZyAIR off and then on to begin a session. When you turn on the ZyAIR again, you will see the initial screen. When you see the message “Press any key to enter Debug Mode within 3 seconds” press a key to enter debug mode.
To upload the configuration file, do the following:
1 Type “atlc” after the Enter Debug Mode message.
2 Wait for the Starting XMODEM upload message before activating XMODEM upload on your terminal.
3 This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen.
Figure 9 Example Xmodem Upload
Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send.
4 After a successful configuration file upload, type “atgo” to restart the ZyAIR.
The ZyAIR is now reinitialized with a default configuration file including the default password of “1234” and IP address of 192.168.1.2.

2.4 Navigating the ZyAIR Web Configurator

The following summarizes how to navigate the web configurator from the MAIN MENU screen.
Note: Follow the instructions you see in the MAIN MENU screen or click the icon (located in the top right corner of most screens) to view online help. The icon does not appear in the MAIN MENU screen.
Page 40
Figure 10 The MAIN MENU Screen of the Web Configurator
Use submenus to configure ZyAIR features.
Click LOGOUT at any time to exit the web configurator.
The following table describes the sub-menus.
Table 3 Screens Summary
| LINK | TAB | FUNCTION |
|---|---|---|
| WIZARD SETUP | | Click WIZARD SETUP for initial configuration including general setup, wireless LAN setup and IP address assignment. |
| SYSTEM | General | This screen contains administrative and system-related information. |
| | Password | Use this screen to change your password. |
| | Time Setting | Use this screen to change your ZyAIR’s time and date settings. |
| WIRELESS | Wireless | Use this screen to configure the wireless LAN settings and WLAN authentication/security settings. |
| | MAC Filter | Use this screen to change MAC filter settings on the ZyAIR. |
| | Roaming | Use this screen to configure the ZyAIR to allow wireless users to roam seamlessly between APs that are within the same subnet. |
| | 802.1x/WPA | Use this screen to configure wireless LAN security. |
| IP | IP | Use this screen to configure IP address settings. |
Page 41
Table 3 Screens Summary (continued)
| LINK | TAB | FUNCTION |
|---|---|---|
| AUTH. SERVER | Setting | Configure this screen to use the internal server to authenticate wireless users. |
| | Trusted AP | Configure this screen to allow specified AP’s to communicate with the ZyAIR. |
| | Trusted Users | Use this screen to configure the local user account(s) on the ZyAIR. |
| CERTIFICATES | My Certificates | Use this screen to view a summary list of certificates and manage certificates and certification requests. |
| | Trusted CAs | Use this screen to view and manage the list of the trusted CAs. |
| LOGS | View Log | Use this screen to view the logs for the categories that you selected. |
| | Log Settings | Use this screen to change your ZyAIR’s log settings. |
| MAINTENANCE | Status | This screen contains administrative and system-related information. |
| | Association List | Use this screen to view a list of wireless clients that are connected to the ZyAIR. |
| | Channel Usage | Use this screen to see which APs are using which wireless channels within range of your ZyAIR. |
| | F/W Upload | Use this screen to upload firmware to your ZyAIR. |
| | Configuration | Use this screen to backup and restore the configuration or reset the factory defaults to your ZyAIR. |
| | Restart | This screen allows you to reboot the ZyAIR without turning the power off. |
| LOGOUT | | Click LOGOUT to exit the web configurator. |
Page 42
Page 43
CHAPTER 3

Wizard Setup

This chapter provides information on the WIZARD SETUP screens in the web configurator.

3.1 Wizard Setup Overview

The web configurator’s setup wizard helps you configure your ZyAIR for wireless stations to access your wired LAN.
Note: Click Next in each screen to continue or click Back to return to the previous screen. Your settings are not saved when you click Back.

3.2 Wizard Setup: General Setup

General Setup contains administrative and system-related information.
Figure 11 Wizard: General Setup
The following table describes the labels in this screen.
Page 44
Table 4 Wizard: General Setup
| LABEL | DESCRIPTION |
|---|---|
| System Name | It is recommended you type your computer's "Computer name". In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name. In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name. In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyAIR System Name. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted. |
| Domain Name | This is not a required field. Leave this field blank or enter the domain name here if you know it. |
| Next | Click Next to proceed to the next screen. |

3.3 Wizard Setup: Wireless LAN

Use this wizard screen to configure one of the ZyAIR’s two wireless LAN (WLAN) adapters to function as an AP (WLAN 1 is recommended). Use the ADVANCED WIRELESS screens to configure a WLAN adapter for bridge/repeater functions.
Note: The wireless clients and ZyAIR must use the same SSID, channel ID and WEP encryption key (if you enable WEP) for wireless communication.
Page 45
Figure 12 Wizard: Wireless LAN Setup
The following table describes the labels in this screen.
Table 5 Wizard: Wireless LAN Setup
| LABEL | DESCRIPTION |
|---|---|
| Wireless LAN Setup | |
| WLAN Adapter | Select which WLAN adapter you want to configure (WLAN 1 recommended). |
| Name (SSID) | Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyAIR, make sure all wireless stations use the same Name (SSID) in order to access the network. |
| Choose Channel ID | To manually set the ZyAIR to use a channel, select the channel from the drop-down list box. To have the ZyAIR automatically select a channel, click Scan instead. |
| Scan | Click this button to have the ZyAIR automatically scan for and select a channel with the least interference. |
| WEP Encryption | Select Disable to allow all wireless computers to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to use data encryption. Note: Use the ADVANCED WIRELESS screens to configure stronger types of security (such as WPA). |
| ASCII | Select this option in order to enter ASCII characters as the WEP keys. |
| Hex | Select this option to enter hexadecimal characters as the WEP keys. The preceding 0x is entered automatically. |
Page 46
Table 5 Wizard: Wireless LAN Setup
| LABEL | DESCRIPTION |
|---|---|
| Key 1 to Key 4 | The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations must use the same WEP key. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time. The default key is key 1. |
| Back | Click Back to return to the previous screen. |
| Next | Click Next to continue. |

3.4 Wizard Setup: IP Address Assignment

Use this wizard screen to configure IP address assignment for the ZyAIR.
Figure 13 Wizard: IP Address Assignment
The following table describes the labels in this screen.
Table 6 Wizard: IP Address Assignment
| LABEL | DESCRIPTION |
|---|---|
| IP Address Assignment | |
| Get automatically from DHCP | Select this option to have the ZyAIR use a dynamically assigned IP address from a DHCP server. Note: You must know the IP address assigned to the ZyAIR (by the DHCP server) to access the ZyAIR again. |
| Use fixed IP address | Select this option if your ZyAIR is using a static IP address. When you select this option, fill in the fields below. |
Page 47
Table 6 Wizard: IP Address Assignment
| LABEL | DESCRIPTION |
|---|---|
| IP Address | Enter the IP address of your ZyAIR in dotted decimal notation. Note: If you changed the ZyAIR's IP address, you must use the new IP address if you want to access the web configurator again. |
| IP Subnet Mask | Type the subnet mask. |
| Gateway IP Address | Type the IP address of the gateway. The gateway is an immediate neighbor of your ZyAIR that will forward the packet to the destination. The gateway must be a router on the same segment as your ZyAIR's LAN or WAN port. |
| Back | Click Back to return to the previous screen. |
| Finish | Click Finish to proceed to complete the Wizard setup. |

3.5 Basic Setup Complete

When you click Finish in the Wizard IP Address Assignment screen, a warning window displays as shown. Click OK to close the window. Log into the web configurator again using the new IP address if you change the default IP address (192.168.1.2).
Figure 14 TCP/IP Warning Screen
The following screen displays prompting you to close the web browser.
Figure 15 Close Browser Screen
Click Yes to close the web configurator. Otherwise, click No to use the ADVANCED screens to configure other features (the congratulations screen shows next).
Page 48
Figure 16 Wizard: Setup Complete
Well done! You have set up your ZyAIR to operate on your network and access the Internet.
Page 49
CHAPTER 4

System Screens

This section provides information on general system setup.

4.1 System Overview

This chapter describes how to configure the ZyAIR’s general, DNS, password and time settings.

4.2 General Screen

The General screen contains administrative and system-related information. System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".
• In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
• In Windows 2000, click Start, Settings and Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.
• In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyAIR System Name.

4.2.1 Domain Name

You can manually enter a domain name or the ZyAIR can get it automatically by DHCP.

4.2.2 DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. For instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
You can manually configure DNS server addresses if you know them or the ZyAIR can receive them automatically through DHCP.
Page 50

4.3 Configuring General Setup

Click the SYSTEM link under ADVANCED to open the General screen.
Figure 17 System General
The following table describes the labels in this screen.
Table 7 System General Setup
| LABEL | DESCRIPTION |
|---|---|
| General Setup | |
| System Name | Type a descriptive name to identify the ZyAIR in the Ethernet network. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted. |
| Domain Name | This is not a required field. Leave this field blank or enter the domain name here if you know it. |
| Administrator Inactivity Timer | Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended). |
| System DNS Servers | |
Page 51
Table 7 System General Setup (continued)
| LABEL | DESCRIPTION |
|---|---|
| First DNS Server, Second DNS Server, Third DNS Server | Select From DHCP if your ISP dynamically assigns DNS server information. The field to the right displays the (read-only) DNS server IP address that the DHCP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. The default setting is None. |
| Apply | Click Apply to save your changes back to the ZyAIR. |
| Reset | Click Reset to reload the previous configuration for this screen. |

4.4 Configuring Password

To change your ZyAIR’s password (recommended), click the SYSTEM link under ADVANCED and then the Password tab. The screen appears as shown. This screen allows you to change the ZyAIR’s password.
If you forget your password (or the ZyAIR IP address), you will need to reset the ZyAIR. See Section 2.3 on page 38 for details.
Figure 18 Password.
The following table describes the labels in this screen.
Page 52
Table 8 Password
| LABEL | DESCRIPTIONS |
|---|---|
| Old Password | Type in your existing system password (1234 is the default password). |
| New Password | Type your new system password (up to 31 characters). Note that as you type a password, the screen displays an asterisk (*) for each character you type. |
| Retype to Confirm | Retype your new system password for confirmation. |
| Apply | Click Apply to save your changes back to the ZyAIR. |
| Reset | Click Reset to reload the previous configuration for this screen. |

4.5 Configuring Time Setting

To change your ZyAIR’s time and date, click the SYSTEM link under ADVANCED and then the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyAIR’s time based on your local time zone.
Figure 19 Time Setting
Page 53
The following table describes the labels in this screen.
Table 9 Time Setting
| LABEL | DESCRIPTION |
|---|---|
| Time Protocol | Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. NTP (RFC 1305), is similar to Time (RFC 868). Select Manual to enter the time and date manually. |
| Time Server Address | Enter the IP address or the URL of your time server. Check with your ISP/network administrator if you are unsure of this information. |
| Current Time (hh:mm:ss) | This field displays the time of your ZyAIR. Each time you reload this page, the ZyAIR synchronizes the time with the time server. |
| New Time (hh:mm:ss) | This field displays the last updated time from the time server. When you select None in the Time Protocol field, enter the new time in this field and then click Apply. |
| Current Date (yyyy/mm/dd) | This field displays the date of your ZyAIR. Each time you reload this page, the ZyAIR synchronizes the date with the time server. |
| New Date (yyyy/mm/dd) | This field displays the last updated date from the time server. When you select None in the Time Protocol field, enter the new date in this field and then click Apply. |
| Time Zone | Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT). |
| Daylight Savings | Select this option if you use daylight saving time. Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening. |
| Start Date (mm-dd) | Enter the month and day that your daylight-saving time starts on if you selected Daylight Savings. |
| End Date (mm-dd) | Enter the month and day that your daylight-saving time ends on if you selected Daylight Savings. |
| Apply | Click Apply to save your changes back to the ZyAIR. |
| Reset | Click Reset to reload the previous configuration for this screen. |
Page 54
Page 55
CHAPTER 5

Wireless LAN

This chapter discusses how to configure wireless LAN.

5.1 Introduction

A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN.
Note: See the WLAN appendix for more detailed information on WLANs.

5.2 Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless stations, access points and the wired network.
Wireless security methods available on the ZyAIR are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyAIR identity.

5.2.1 Encryption

• Use WPA security if you have WPA-aware wireless clients and a RADIUS server. WPA has user authentication and improved data encryption over WEP.
• Use WPA-PSK if you have WPA-aware wireless clients but no RADIUS server.
• If you don’t have WPA-aware wireless clients, then use WEP key encrypting. A higher bit key offers better security at a throughput trade-off.

5.2.2 Authentication

WPA has user authentication and you can also configure IEEE 802.1x to use the built-in database (Local User Database) or a RADIUS server to authenticate wireless clients before joining your network.
• Use RADIUS authentication if you have a RADIUS server. See the appendices for information on protocols used when a client authenticates with a RADIUS server via the ZyAIR.
Page 56
• Use the Local User Database if you have fewer than 32 wireless clients in your network. The ZyAIR uses MD5 encryption when a client authenticates with the Local User Database.

5.2.3 Restricted Access

The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association).

5.2.4 Hide ZyAIR Identity

If you hide the SSID, then the ZyAIR cannot be seen when a wireless client scans for local APs. The trade-off for the extra security of “hiding” the ZyAIR may be inconvenience for some valid WLAN clients. If you don’t hide the ESSID, at least you should change the default one.

5.2.5 Configuring Wireless LAN on the ZyAIR

1 Configure the ESSID and WEP in the Wireless screen.
2 Use the MAC Filter screen to restrict access to your wireless network by MAC address.
3 Configure WPA or WPA-PSK in the 802.1x/WPA screen. You can also configure 802.1x wireless client authentication in the 802.1x/WPA screen.
4 Configure the RADIUS settings in the AUTH. SERVER screens.
The following table shows the relative effectiveness of these wireless security methods available on your ZyAIR.
Table 10 ZyAIR Wireless Security Levels
| Security Level | Security Type |
|---|---|
| Least Secure | Unique SSID (Default) |
| | Unique SSID with Hide SSID Enabled |
| | MAC Address Filtering |
| | WEP Encryption |
| | IEEE802.1x EAP with RADIUS Server Authentication |
| Most Secure | Wi-Fi Protected Access (WPA) |
Note: You must enable the same wireless security settings on the ZyAIR and on all wireless clients that you want to associate with it.
If you do not enable any wireless security on your ZyAIR, your network is accessible to any wireless networking device that is within range.
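A configuration check built from this guide's own rules, added here as an example (it is not ZyXEL code and does not read a real ZyAIR configuration file): it applies the WEP key lengths from Table 5, the ordering in Table 10, the default password and the inactivity-timer warning. The dictionary keys, the default_ssid parameter and the sample values are hypothetical and constructed for illustration.

```python
import string

# Table 10 order from this guide, least secure first (names are shorthand).
SECURITY_LEVELS = ["unique_ssid", "hidden_ssid", "mac_filter",
                   "wep", "8021x_radius", "wpa"]

# Table 5: required key length per WEP mode as (ASCII chars, hex digits).
WEP_KEY_LENGTHS = {64: (5, 10), 128: (13, 26)}


def check_wep_key(key, bits, fmt):
    """Return None if the key fits Table 5's rules, else a reason string."""
    ascii_len, hex_len = WEP_KEY_LENGTHS[bits]
    if fmt == "ascii":
        if len(key) != ascii_len:
            return f"{bits}-bit WEP needs {ascii_len} ASCII characters, got {len(key)}"
        if not all(ord(c) < 128 for c in key):
            return "key contains non-ASCII characters"
    elif fmt == "hex":
        # The guide notes the leading 0x is entered automatically, so it is
        # not expected in the key itself.
        if len(key) != hex_len:
            return f"{bits}-bit WEP needs {hex_len} hexadecimal digits, got {len(key)}"
        if not all(c in string.hexdigits for c in key):
            return "key contains characters outside 0-9, A-F"
    else:
        raise ValueError(f"unknown key format: {fmt}")
    return None


def strongest_method(enabled):
    """Highest Table 10 level among the enabled methods, or None."""
    ranked = [m for m in SECURITY_LEVELS if m in enabled]
    return ranked[-1] if ranked else None


def audit(cfg, default_ssid):
    """Return a list of findings for one (hypothetical) settings dictionary."""
    findings = []
    if cfg["admin_password"] == "1234":
        findings.append("administrator password is still the default 1234")
    if cfg["inactivity_timer_min"] == 0:
        findings.append("inactivity timer is 0: management sessions never time out")
    if cfg["ssid"] == default_ssid:
        findings.append("SSID has not been changed from the default")

    top = strongest_method(cfg["security"])
    if top is None or SECURITY_LEVELS.index(top) < SECURITY_LEVELS.index("wep"):
        findings.append("no data encryption is enabled on the wireless LAN")
    elif top == "wep":
        findings.append("WEP is the strongest enabled method; "
                        "Table 10 ranks 802.1x and WPA above it")

    if "wep" in cfg["security"]:
        keys = cfg["wep_keys"]
        if len(keys) != 4:
            findings.append(f"{len(keys)} WEP keys configured, the guide requires all four")
        for n, key in enumerate(keys, start=1):
            reason = check_wep_key(key, cfg["wep_bits"], cfg["wep_format"])
            if reason:
                findings.append(f"WEP key {n}: {reason}")
    return findings


# Constructed sample settings; every value here is made up for the example.
SAMPLE_CONFIG = {
    "admin_password": "1234",
    "inactivity_timer_min": 0,
    "ssid": "EXAMPLE-DEFAULT",
    "security": {"hidden_ssid", "mac_filter", "wep"},
    "wep_bits": 128,
    "wep_format": "hex",
    "wep_keys": [
        "0123456789ABCDEF0123456789",  # 26 hex digits: valid for 128-bit
        "0123456789",                  # 10 hex digits: 64-bit length
        "0123456789ABCDEF01234567GH",  # 26 characters, but G and H are not hex
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, default_ssid="EXAMPLE-DEFAULT"):
        print("-", finding)
```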
Page 57

5.3 Spanning Tree Protocol (STP)

STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network.

5.3.1 Rapid STP

The ZyAIR uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only aware bridges). Using RSTP, topology change information does not have to propagate to the root bridge, and unwanted learned addresses are flushed from the filtering database. In RSTP, the port states are Discarding, Learning, and Forwarding.

5.3.2 STP Terminology

The root bridge is the base of the spanning tree; it is the bridge with the lowest identifier value (MAC address).
Path cost is the cost of transmitting a frame onto a LAN through that port. It is assigned according to the speed of the link to which a port is attached. The slower the media, the higher the cost - see the next table.
Table 11 STP Path Costs
| | LINK SPEED | RECOMMENDED VALUE | RECOMMENDED RANGE | ALLOWED RANGE |
|---|---|---|---|---|
| Path Cost | 4Mbps | 250 | 100 to 1000 | 1 to 65535 |
| Path Cost | 10Mbps | 100 | 50 to 600 | 1 to 65535 |
| Path Cost | 16Mbps | 62 | 40 to 400 | 1 to 65535 |
| Path Cost | 100Mbps | 19 | 10 to 60 | 1 to 65535 |
| Path Cost | 1Gbps | 4 | 3 to 10 | 1 to 65535 |
| Path Cost | 10Gbps | 2 | 1 to 5 | 1 to 65535 |
On each bridge, the root port is the port through which this bridge communicates with the root. It is the port on this switch with the lowest path cost to the root (the root path cost). If there is no root port, then this bridge has been accepted as the root bridge of the spanning tree network.
For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN.

5.3.3 How STP Works

After a bridge determines the lowest-cost spanning tree with STP, it enables the root port and the ports that are the designated ports for connected LANs, and disables all other ports that participate in STP. Network packets are therefore only forwarded between enabled ports, eliminating any possible network loops.
STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the bridged LAN topology changes, a new spanning tree is constructed.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the network to re-establish a valid network topology.
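The election described in sections 5.3.2 and 5.3.3, worked through on a looped topology. This is an added example, not ZyXEL code: the function names and the three-bridge topology are constructed, the root is chosen by MAC address alone as the text above describes (real 802.1D bridge identifiers also carry a priority field), and costs are the recommended values from Table 11.

```python
import heapq

# Recommended path-cost values from Table 11 (link speed in Mbps -> cost).
RECOMMENDED_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 10000: 2}


def bridge_key(mac):
    """Numeric value of a bridge identifier, so 'lowest identifier' is well defined."""
    return int(mac.replace(":", ""), 16)


def compute_spanning_tree(bridges, links):
    """bridges: MAC strings. links: (bridge_a, bridge_b, speed_mbps) tuples,
    each modelling one LAN segment that joins two bridge ports."""
    root = min(bridges, key=bridge_key)

    neighbours = {b: [] for b in bridges}
    for idx, (a, b, mbps) in enumerate(links):
        cost = RECOMMENDED_COST[mbps]
        neighbours[a].append((b, cost, idx))
        neighbours[b].append((a, cost, idx))

    # Root path cost of every bridge: cheapest sum of port costs towards the root.
    root_cost = {root: 0}
    heap = [(0, bridge_key(root), root)]
    while heap:
        dist, _, bridge = heapq.heappop(heap)
        if dist > root_cost[bridge]:
            continue  # stale queue entry
        for peer, cost, _ in neighbours[bridge]:
            if dist + cost < root_cost.get(peer, float("inf")):
                root_cost[peer] = dist + cost
                heapq.heappush(heap, (dist + cost, bridge_key(peer), peer))

    # Root port: the port (segment index) with the lowest-cost path to the root.
    root_port = {}
    for bridge in bridges:
        if bridge == root or bridge not in root_cost:
            continue
        root_port[bridge] = min(
            (root_cost[peer] + cost, bridge_key(peer), idx)
            for peer, cost, idx in neighbours[bridge] if peer in root_cost
        )[2]

    # Designated bridge per segment: lowest root path cost, ties go to the lower ID.
    designated = {}
    for idx, (a, b, _) in enumerate(links):
        ends = [x for x in (a, b) if x in root_cost]
        if ends:
            designated[idx] = min(ends, key=lambda x: (root_cost[x], bridge_key(x)))

    # A port forwards only if it is a root port or a designated port.
    port_state = {}
    for idx, (a, b, _) in enumerate(links):
        for bridge in (a, b):
            active = root_port.get(bridge) == idx or designated.get(idx) == bridge
            port_state[(bridge, idx)] = "forwarding" if active else "blocking"
    return root, root_cost, root_port, designated, port_state


# Constructed topology: three bridges wired in a triangle, which is a loop.
BRIDGES = ["00:a0:c5:00:00:03", "00:a0:c5:00:00:01", "00:a0:c5:00:00:02"]
LINKS = [
    ("00:a0:c5:00:00:01", "00:a0:c5:00:00:02", 100),  # segment 0
    ("00:a0:c5:00:00:01", "00:a0:c5:00:00:03", 10),   # segment 1 (slow link)
    ("00:a0:c5:00:00:02", "00:a0:c5:00:00:03", 100),  # segment 2
]

if __name__ == "__main__":
    root, root_cost, root_port, designated, port_state = compute_spanning_tree(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, idx), state in sorted(port_state.items()):
        print(f"{bridge} port on segment {idx}: {state}")
```

Bridge ...:03 reaches the root more cheaply over two 100Mbps hops (19 + 19) than over its direct 10Mbps link (100), so its port on the slow segment is the one taken out of service and the loop is broken there.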

5.3.4 STP Port States

STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not allowed to go directly from blocking state to forwarding state so as to eliminate transient loops.
Table 12 STP Port States
PORT STATES | DESCRIPTIONS
Disabled | STP is disabled (default).
Blocking | Only configuration and management BPDUs are received and processed.
Listening | All BPDUs are received and processed.
Learning | All BPDUs are received and processed. Information frames are submitted to the learning process but not forwarded.
Forwarding | All BPDUs are received and processed. All information frames are received and forwarded.

5.4 WEP Encryption

WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key.

5.5 Configuring the Wireless Screen

Click the WIRELESS link under ADVANCED to display the Wireless screen. The screen varies depending upon the operating mode you select.

5.5.1 Access Point Mode

Select Access Point in the Operating Mode drop-down list box to display the screen as shown next.
Figure 20 Wireless: Access Point
The following table describes the general wireless LAN labels in this screen.
Table 13 Wireless: Access Point
LABEL | DESCRIPTION
WLAN Adapter | Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.
Operating Mode | Select the operating mode from the drop-down list. The options are Access Point, Bridge/Repeater and AP+Bridge.
Name (SSID) | (Service Set IDentity) The SSID identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. Note: If you are configuring the ZyAIR from a computer connected to the wireless LAN and you change the ZyAIR’s SSID or WEP settings, you will lose your wireless connection when you click Apply to confirm. You must then change the wireless settings of your computer to match the ZyAIR’s new settings.
Hide Name (SSID) | Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through passive scanning using a site survey tool.
Choose Channel ID | Set the operating frequency/channel depending on your particular region. To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network. To have the ZyAIR automatically select a channel, click Scan instead.
Scan | Click this button to have the ZyAIR automatically scan for and select a channel with the least interference.
RTS/CTS Threshold | (Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 0 and 2432.
Fragmentation Threshold | The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 800 and 2432.
WEP Encryption | WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select Disable to allow wireless stations to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to enable data encryption.
Authentication Method | If you use WEP encryption, select Auto, Open System or Shared Key from the drop-down list box.
Key 1 to Key 4 | If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless stations. The preceding “0x” is entered automatically. You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
Enable Intra-BSS Traffic | Intra-BSS traffic is traffic between wireless stations in the same BSS. Enable Intra-BSS traffic to allow wireless stations connected to the ZyAIR to communicate with each other. Disable Intra-BSS traffic to only allow wireless stations to communicate with the wired network, not with each other.
Enable Spanning Tree Protocol (STP) | (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select the check box to activate STP on the ZyAIR.
Output Power | Set the output power of the ZyAIR in this field. If there is a high density of APs within an area, decrease the output power of the ZyAIR to reduce interference with other APs. The options are 100% (Full Power), 50%, 25% or 12.5%. The power output at full power is 18 ± 2 dBm.
Preamble | Preamble is used to signal that data is coming to the receiver. Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11b compliant wireless adapters support long preamble, but not all support short preamble. Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks. Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications. Select Dynamic to have the ZyAIR automatically use short preamble when all wireless clients support it, otherwise the ZyAIR uses long preamble. Note: The ZyAIR and the wireless stations MUST use the same preamble mode in order to communicate.
802.11 Mode | Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyAIR. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyAIR. Select Mixed to allow either IEEE 802.11b or IEEE 802.11g compliant WLAN devices to associate with the ZyAIR. The transmission rate of your ZyAIR might be reduced.
Max. Frame Burst | Enable Maximum Frame Burst to help eliminate collisions in mixed-mode networks (networks with both IEEE 802.11g and IEEE 802.11b traffic) and enhance the performance of both pure IEEE 802.11g and mixed IEEE 802.11b/g networks. Maximum Frame Burst sets the maximum time, in microseconds, that the ZyAIR transmits IEEE 802.11g wireless traffic only. Type the maximum frame burst between 0 and 1800 (650, 1000 or 1800 recommended). Enter 0 to disable this feature.
VLAN ID | The ZyAIR supports IEEE 802.1 tagged VLAN for partitioning a physical network into multiple logical networks. Enter a number from 1 to 4094 to set the VLAN ID tag that the ZyAIR adds to the Ethernet frames that this WLAN adapter receives from wireless clients or other APs. Use the VLAN screen to enable or disable the ZyAIR’s VLAN feature.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.

5.5.2 Bridge/Repeater Mode

The ZyAIR can act as a wireless network bridge and establish wireless links with other APs. You need to know the MAC address of the peer device, which also must be in bridge mode.
In the example below, when both ZyAIRs are in Bridge/Repeater mode, they form a WDS (Wireless Distribution System) allowing the computers in LAN 1 to connect to the computers in LAN 2.
Figure 21 Bridging Example
Be careful to avoid bridge loops when you enable bridging in the ZyAIR. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following examples show two network topologies that can lead to this problem:
If two or more ZyAIRs (in bridge mode) are connected to the same hub as shown next.
Figure 22 Bridge Loop: Two Bridges Connected to Hub
If your ZyAIR (in bridge mode) is connected to a wired LAN while communicating with another wireless bridge that is also connected to the same wired LAN as shown next.
Figure 23 Bridge Loop: Bridge Connected to Wired LAN
To prevent bridge loops, either enable STP in the Wireless screen or make sure your ZyAIR is not set to bridge mode while connected to both wired and wireless segments of the same LAN.
Click the WIRELESS link under ADVANCED. Select Bridge/Repeater in the Operating Mode drop-down list box to have the ZyAIR act as a wireless bridge only.
Figure 24 Wireless: Bridge/Repeater
The following table describes the labels in this screen that are specific to bridge/repeater mode.
Table 14 Wireless: Bridge/Repeater
LABEL | DESCRIPTIONS
WLAN Adapter | Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.
Operating Mode | Select Bridge/Repeater in this field to display the screen shown above.
Enable WDS Security | A Wireless Distribution System (WDS) is a wireless connection between two or more APs. Select the check box to use TKIP to encrypt traffic on the WDS between APs. When you enable WDS security, type a Pre-Shared Key (PSK) for each link. Note: Other APs must use the same encryption method in order to communicate with the ZyAIR when you enable WDS security.
# | This is the index number of the bridge connection.
Active | Select the check box to enable the bridge connection. Otherwise, clear the check box to disable it.
Remote Bridge MAC Address | Type the MAC address of the peer device in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
PSK | Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). When the ZyAIR is in Bridge/Repeater mode, you don’t have to enter a pre-shared key, but the traffic between devices won’t be encrypted if you don’t. The peer bridge must use the same pre-shared key and encryption method.
Enable Spanning Tree Protocol (STP) | Select the check box to activate STP on the ZyAIR.

5.5.3 AP+Bridge Mode

Click the WIRELESS link under ADVANCED. Select AP+Bridge in the Operating Mode drop-down list box to display the screen as shown next. In this screen, you can configure the ZyAIR to function as an AP and bridge simultaneously. See the section on ZyAIR applications for more information.
Figure 25 Wireless: AP+Bridge
See Table 13 on page 60 and Table 14 on page 64, which cover the Access Point and Bridge/Repeater operating modes, for descriptions of the fields in this screen.
When you enable WEP encryption, you can also specify MAC addresses and pre-shared keys of peer bridges in order to use TKIP (see Appendix F on page 221 for more on TKIP) to encrypt traffic between the bridges.
Note: The following screens are configurable only in Access Point and AP+Bridge operating modes.

5.6 Configuring MAC Filters

The MAC filter screen allows you to configure the ZyAIR to give exclusive access to up to 32 devices (Allow Association) or exclude up to 32 devices from accessing the ZyAIR (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of the devices to configure this screen.
To change your ZyAIR’s MAC filter settings, click the WIRELESS link under ADVANCED and then the MAC Filter tab. The screen appears as shown.
Note: Be careful not to list your computer’s MAC address and set the Action field to Deny Association when managing the ZyAIR via a wireless connection. This would lock you out.
Figure 26 MAC Address Filter
The following table describes the labels in this screen.
Table 15 MAC Address Filter
LABEL | DESCRIPTION
WLAN Adapter | Select the WLAN adapter for which you want to configure MAC address filtering.
Active | Select Yes from the drop down list box to enable MAC address filtering.
Filter Action | Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow Association to permit access to the router; MAC addresses not listed will be denied access to the router.
MAC Address | Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stations that are allowed or denied access to the ZyAIR in these address fields.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.

5.7 Configuring Roaming

A wireless station is a device with an IEEE 802.11b or an IEEE 802.11g compliant wireless interface. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless coverage area. A wireless station can associate with a particular access point only if it is within the access point’s coverage area.
In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.
The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from one coverage area to another, it scans and uses the channel of a new access point, which then informs the access points on the LAN about the change. The new information is then propagated to the other access points on the LAN. An example is shown in Figure 27 on page 70.
With roaming, a wireless LAN mobile user enjoys a continuous connection to the wired network through an access point while moving around the wireless LAN.
Enable roaming to exchange the latest bridge information of all wireless stations between APs when a wireless station moves between coverage areas. Wireless stations can still associate with other APs even if you disable roaming. Enabling roaming ensures correct traffic forwarding (bridge tables are updated) and maximum AP efficiency. The AP deletes records of wireless stations that associate with other APs (Non-ZyXEL APs may not be able to perform this). IEEE 802.1x authentication information is not exchanged (at the time of writing).
Figure 27 Roaming Example
The steps below describe the roaming process.
1 As wireless station Y moves from the coverage area of access point AP 1 to that of access point AP 2, it scans and uses the signal of access point AP 2.
2 Access point AP 2 acknowledges the presence of wireless station Y and relays this information to access point AP 1 through the wired LAN.
3 Access point AP 1 updates the new position of the wireless station.
4 Wireless station Y sends a request to access point AP 2 for reauthentication.

5.7.1 Requirements for Roaming

The following requirements must be met in order for wireless stations to roam between the coverage areas.
1 All the access points must be on the same subnet and configured with the same SSID.
2 If IEEE 802.1x user authentication is enabled and to be done locally on the access point, the new access point must have the user profile for the wireless station.
3 The adjacent access points should use different radio channels when their coverage areas overlap.
4 All access points must use the same port number to relay roaming information.
5 The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment.
To enable roaming on your ZyAIR, click the WIRELESS link under ADVANCED and then the Roaming tab. The screen appears as shown.
Figure 28 Roaming
The following table describes the labels in this screen.
Table 16 Roaming
LABEL | DESCRIPTION
Active | Select Yes from the drop-down list box to enable roaming on the ZyAIR if you have two or more APs on the same subnet. Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming.
Port | Enter the port number to communicate roaming information between access points. The port number must be the same on all access points. The default is 3517. Make sure this port is not used by other services.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.

5.8 Introduction to WPA

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences between WPA and WEP are user authentication and improved data encryption.

5.9 WPA-PSK Application Example

A WPA-PSK application looks as follows.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters (including spaces and symbols).
2 The AP checks each client’s password and allows it to join the network only if it matches the AP’s password.
3 The AP derives and distributes keys to the wireless clients.
4 The AP and wireless clients use the TKIP encryption process to encrypt data exchanged between them.
Figure 29 WPA - PSK Authentication
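How the password check and key derivation in steps 2 to 4 work without the password crossing the air, as an added example that is not ZyXEL code. It follows the IEEE 802.11i rules (PBKDF2-HMAC-SHA1 with the SSID as salt, then the pairwise key expansion and an HMAC-MD5 handshake MIC for TKIP); the MAC addresses, nonces, frame bytes and function names are constructed for illustration.

```python
import hashlib
import hmac


def check_passphrase(passphrase):
    """Enforce the rule above: 8 to 63 ASCII characters, spaces and symbols allowed."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pre-shared key must be 8 to 63 characters long")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        raise ValueError("pre-shared key must be printable ASCII")
    return passphrase.encode("ascii")


def derive_pmk(passphrase, ssid):
    """256-bit pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", check_passphrase(passphrase),
                               ssid.encode("ascii"), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: concatenated HMAC-SHA1 blocks, truncated to nbytes."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """512-bit TKIP pairwise transient key; its first 16 bytes are the KCK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def handshake_mic(ptk, frame):
    """MIC over an EAPOL-Key frame; WPA with TKIP keys HMAC-MD5 with the KCK."""
    return hmac.new(ptk[:16], frame, hashlib.md5).digest()


# Constructed sample values (not captured traffic).
AP_MAC = bytes.fromhex("00a0c5000002")
STA_MAC = bytes.fromhex("00a0c5000010")
ANONCE = bytes(range(32))        # nonce chosen by the AP
SNONCE = bytes(range(32, 64))    # nonce chosen by the client
FRAME = b"constructed EAPOL-Key message 2 with the MIC field zeroed"


def ap_accepts(ap_passphrase, client_passphrase, ssid):
    """True when the client's MIC proves it holds the same pre-shared key."""
    client_ptk = derive_ptk(derive_pmk(client_passphrase, ssid),
                            AP_MAC, STA_MAC, ANONCE, SNONCE)
    client_mic = handshake_mic(client_ptk, FRAME)      # sent by the client
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid),
                        AP_MAC, STA_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(client_mic, handshake_mic(ap_ptk, FRAME))


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())
    print(ap_accepts("correct horse 42", "correct horse 42", "ZyAIR"))
    print(ap_accepts("correct horse 42", "correct horse 43", "ZyAIR"))
```

Because the SSID is the salt, the same pre-shared key yields a different master key on every network name, and everything that protects the session keys rests on the strength of the 8 to 63 character passphrase.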

5.10 WPA with RADIUS Application Example

This example is for using WPA with an external RADIUS server. You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA application example with an external RADIUS server looks as follows. “A” is the RADIUS server. “DS” is the distribution system.
1 The AP passes the wireless client’s authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the pairwise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
Figure 30 WPA with RADIUS Application Example

5.11 Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.
Funk Software's Odyssey client is bundled free (at the time of writing) with some of ZyXEL’s client wireless adapter(s).

5.12 Configuring 802.1x and WPA

To change your ZyAIR’s authentication settings, click the WIRELESS link under ADVANCED and then the 802.1x/WPA tab. The screen varies by the key management protocol you select. The WPA function is not available on all ZyAIR models.
You see the next screen when you select No Access Allowed or No Authentication Required in the Wireless Port Control field.
Figure 31 Wireless LAN: 802.1x/WPA
The following table describes the labels in this screen.
Table 17 Wireless LAN: 802.1x/WPA
LABEL | DESCRIPTION
Wireless Port Control | To control wireless station access to the wired network, select a control method from the drop-down list box. Choose from No Access Allowed, No Authentication Required and Authentication Required. No Access Allowed blocks all wireless station access to the wired network. No Authentication Required allows all wireless stations access to the wired network without entering usernames and passwords. This is the default setting. Authentication Required means that all wireless stations have to enter usernames and passwords before access to the wired network is allowed. Select Authentication Required to configure Key Management Protocol and other related fields.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.

5.13 Authentication Required: 802.1x

Select Authentication Required in the Wireless Port Control field and 802.1x in the Key Management Protocol field to display the next screen.
Figure 32 Wireless LAN: 802.1x/WPA for 802.1x Protocol
The following table describes the labels in this screen.
Table 18 Wireless LAN: 802.1x/WPA for 802.1x Protocol
LABEL | DESCRIPTION
Wireless Port Control | To control wireless station access to the wired network, select a control method from the drop-down list box. Choose from No Authentication Required, Authentication Required and No Access Allowed. No Authentication Required allows all wireless stations access to the wired network without entering usernames and passwords. This is the default setting. Authentication Required means that all wireless stations have to enter usernames and passwords before access to the wired network is allowed. No Access Allowed blocks all wireless station access to the wired network. The following fields are only available when you select Authentication Required.
ReAuthentication Timer (In Seconds) | Specify how often wireless stations have to reenter usernames and passwords in order to stay connected. This field is activated only when you select Authentication Required in the Wireless Port Control field. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout (In Seconds) | The ZyAIR automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. This field is activated only when you select Authentication Required in the Wireless Port Control field. The default time interval is 3600 seconds (or 1 hour).
Key Management Protocol | Choose 802.1x from the drop-down list.
Dynamic WEP Key Exchange | This field is activated only when you select Authentication Required in the Wireless Port Control field. Select Disable to allow wireless stations to communicate with the access points without using dynamic WEP key exchange. Select 64-bit WEP or 128-bit WEP to enable data encryption. This field is not available when you set Key Management Protocol to WPA or WPA-PSK.
Authentication Databases | The authentication database contains wireless station login information.
Internal RADIUS Server | Select this radio button to use the ZyAIR’s Internal RADIUS Server. Select the MD5 radio button to use this EAP authentication type to authenticate other APs or wireless clients in other wireless networks. Select the PEAP radio button to use this EAP authentication type to authenticate other APs or wireless clients in other wireless networks. Use the drop-down list box to select Disable, 64-bit WEP or 128-bit WEP for Dynamic WEP Exchange. Note: MD5 cannot be used with Dynamic WEP Key Exchange.
External RADIUS Server | Select the radio button to use an external RADIUS server to authenticate the ZyAIR’s wireless clients. Configure the server(s) details in the following fields.
Authentication Server /Alternate | The ZyAIR will make three attempts to authenticate wireless users using the authentication server before attempting to use the alternate authentication server. Requests can be issued from the client interface to use the alternate authentication server. The length of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field. Note: You can use the command line interface to configure the ZyAIR to use up to four alternate authentication servers.
Active | Select Active to enable user authentication through this external authentication server. Clear the Active check box to not perform user authentication through this external authentication server.
Server IP Address | Enter the IP address of the external authentication server in dotted decimal notation.
Port Number | Enter the port number of the external authentication server. The default port number is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Shared Secret | Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyAIR. The key must be the same on the external authentication server and your ZyAIR. The key is not sent over the network.
Accounting Server /Alternate | The ZyAIR will make three attempts to communicate with the accounting server before attempting to use the alternate accounting server. Note: You can use the command line interface to configure the ZyAIR to use up to four alternate accounting servers.
Active | Select Active to enable user accounting through this external accounting server. Clear the Active check box to not perform user accounting through this external accounting server.
Server IP Address | Enter the IP address of the external accounting server in dotted decimal notation.
Port Number | Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
Shared Secret | Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyAIR. The key must be the same on the external accounting server and your ZyAIR. The key is not sent over the network.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
Note: If you enable the ZyAIR’s internal RADIUS server, configure trusted user accounts in the AUTH SERVER Trusted Users screen.
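Why the Shared Secret in Table 18 never has to travel over the network: it only keys the integrity values that the AP and the RADIUS server attach to their packets. The sketch below is an added example, not ZyAIR firmware code; it follows the Message-Authenticator rule of RFC 2869 and the Response Authenticator rule of RFC 2865, and the function names, user name and secret are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80


def attribute(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, user_name, secret, request_auth=None):
    """AP side: Access-Request signed with a Message-Authenticator attribute."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user_name) +
             attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    unsigned = header + request_auth + attrs
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac  # the signature attribute is last in this packet


def request_is_authentic(packet, secret):
    """Server side: zero the Message-Authenticator value, recompute, compare."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += attr_len
    return False  # unsigned requests are rejected


def build_response(code, identifier, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def response_is_authentic(response, request_auth, secret):
    """AP side: accept the reply only if it was built with the same secret."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


# Constructed sample values; the secret respects the 31-character limit above.
SECRET = b"ConstructedSharedSecret2005"
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    request = build_access_request(7, b"alice", SECRET, REQUEST_AUTH)
    print("secret bytes present in request:", SECRET in request)
    print("server accepts request:", request_is_authentic(request, SECRET))
    reply = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, b"", SECRET)
    print("AP accepts reply:", response_is_authentic(reply, REQUEST_AUTH, SECRET))
```

A mismatch between the secret on the ZyAIR and on the server shows up as every request or reply failing these checks, which is why the table insists the two values be identical.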

5.14 Authentication Required: WPA

Select Authentication Required in the Wireless Port Control field and WPA in the Key Management Protocol field to display the next screen.
Figure 33 Wireless LAN: 802.1x/WPA for WPA Protocol
The following table describes the labels not previously discussed.
Table 19 Wireless LAN: 802.1x/WPA for WPA Protocol
LABEL | DESCRIPTIONS
Key Management Protocol | Choose WPA in this field.
WPA Mixed Mode | The ZyAIR can operate in WPA Mixed Mode, which supports both clients running WPA and clients running dynamic WEP key exchange with IEEE 802.1x in the same Wi-Fi network. Select Enable to activate WPA mixed mode. Otherwise, select Disable.
WPA Group Key Update Timer | The WPA Group Key Update Timer is the rate at which the AP (if using WPA-PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the WPA Group Key Update Timer is also supported in WPA-PSK mode. The ZyAIR default is 1800 seconds (30 minutes).
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.

5.15 Authentication Required: WPA-PSK

Select Authentication Required in the Wireless Port Control field and WPA-PSK in the Key Management Protocol field to display the next screen.
Figure 34 Wireless LAN: 802.1x/WPA for WPA-PSK Protocol
The following table describes the labels not previously discussed.
Table 20 Wireless LAN: 802.1x/WPA for WPA-PSK Protocol
LABEL | DESCRIPTION
Key Management Protocol | Choose WPA-PSK in this field.
Pre-Shared Key | The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.

CHAPTER 6
Internal RADIUS Server

The ZyAIR can use its internal RADIUS server to authenticate wireless clients. It can also serve as a RADIUS server to authenticate other APs and their wireless clients. For more background information on RADIUS, see the Introduction to RADIUS section.

6.1 Internal RADIUS Overview

The ZyAIR has a built-in RADIUS server that can authenticate wireless clients or other APs (that are configured as trusted APs).
The ZyAIR can function as an AP and as a RADIUS server at the same time.
PEAP (Protected EAP) and MD5 authentication are implemented on the internal RADIUS server using simple username and password methods over a secure TLS connection. See the appendices for more information on the types of EAP authentication and the internal RADIUS authentication method used in your ZyAIR.
Figure 35 ZyAIR Authenticates Wireless Stations
Chapter 6 Internal RADIUS Server 81
Page 82
ZyAIR G-5100 User’s Guide
Figure 36 ZyAIR Authenticates Trusted APs
Table 21 Internal RADIUS Server Screens Overview
LABEL DESCRIPTION
Setting Use the Setting screen to turn the ZyAIR’s internal RADIUS server off or on and to view information about the ZyAIR’s certificates.
Trusted AP Use the Trusted AP screen to specify APs as trusted APs so they can use the ZyAIR’s internal RADIUS server to authenticate wireless clients. You can set up to 31 trusted APs.
Trusted Users Use the Trusted Users screen to configure a list of wireless client user names and passwords for the ZyAIR to authenticate. The ZyAIR internal RADIUS server can authenticate up to 32 wireless clients.

6.2 Internal RADIUS Server Setting

The INTERNAL RADIUS SERVER Setting screen displays information about certificates. The certificates are used by wireless clients to authenticate the RADIUS server. Information matching the certificate is held on the wireless client’s utility, for example, Funk Software’s Odyssey client. A password and user name on the utility must match the Trusted Users list so that the RADIUS server can be authenticated.
Note: The internal RADIUS server does not support domain accounts (DOMAIN/user). When you configure your Windows XP SP2 Wireless Zero Configuration PEAP/MS-CHAPv2 settings, deselect the Use Windows logon name and password check box. When authentication begins, a pop-up dialog box requests you to type a Name, Password and Domain of the RADIUS server. Specify a name and password only; do not specify a domain.
Click the AUTH SERVER link under ADVANCED and then the Setting tab. The screen appears as shown.
Figure 37 Internal RADIUS Server Setting Screen
The following table describes the labels in this screen.
Table 22 My Certificates
LABEL DESCRIPTION
Active Select the Active check box to have the ZyAIR use its internal RADIUS server to authenticate wireless clients or other APs.
# This field displays the certificate index number. The certificates are listed in alphabetical order. Use the CERTIFICATES screens to manage certificates. The internal RADIUS server uses one of the certificates listed in this screen to authenticate each wireless client. The exact certificate used depends on the certificate information configured on the wireless client.
Name This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
auto_generated_self_signed_cert is the factory default certificate common to all ZyAIRs that use certificates.
Note: ZyXEL recommends that you replace the factory default certificate with one that uses your ZyAIR's MAC address. Do this when you first log in to the ZyAIR or in the CERTIFICATES My Certificates screen.
Type This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
*SELF represents the default self-signed certificate, which the ZyAIR uses to sign imported trusted remote host certificates.
CERT represents a certificate issued by a certification authority.
Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Apply Click Apply to have the ZyAIR use certificates to authenticate wireless clients.
Reset Click Reset to start configuring this screen afresh.

6.3 Trusted AP Overview

A trusted AP is an AP that uses the ZyAIR’s internal RADIUS server to authenticate its wireless clients. Each wireless client must have a user name and password configured in the Trusted Users screen.
The following figure shows how this is done in two phases.
Figure 38 Trusted AP Overview
You can authenticate a maximum of 32 wireless clients using the ZyAIR’s RADIUS server, irrespective of the number of trusted APs configured on the ZyAIR.
1 Configure an IP address and shared secret in the Trusted AP database to authenticate an AP as a trusted AP.
2 Configure wireless client user names and passwords in the Trusted Users database to use a trusted AP as a relay between the ZyAIR’s internal RADIUS server and the wireless clients. The wireless clients can then be authenticated by the ZyAIR’s internal RADIUS server.

6.4 Configuring Trusted AP

To specify APs as trusted APs so they can use the ZyAIR’s internal RADIUS server to authenticate wireless clients, click the AUTH SERVER link under ADVANCED and then the Trusted AP tab. The screen appears as shown.
Figure 39 Trusted AP Screen
The following table describes the labels in this screen.
Table 23 Trusted AP
LABEL DESCRIPTION
# This field displays the trusted AP index number.
Active Select this check box to have the ZyAIR use the IP Address and Shared Secret to authenticate a trusted AP.
IP Address Type the IP address of the trusted AP in dotted decimal notation.
Shared Secret Enter a password (up to 31 alphanumeric characters, no spaces) as the key for encrypting communications between the AP and the ZyAIR. The key is not sent over the network. This key must be the same on the AP and the ZyAIR.
Both the ZyAIR’s IP address and this shared secret must also be configured in the “external RADIUS” server fields of the trusted AP.
Note: The first trusted AP fields are for the ZyAIR itself. Use SMT menu 23.2 to configure them.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.
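How the shared secret protects a reply without ever crossing the network can be shown with the Response Authenticator defined in RFC 2865. This Python example is added here and is not ZyXEL code; the secret, identifier and attribute values are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code
REPLY_MESSAGE = 18  # RADIUS attribute type


def secret_is_valid(secret):
    """Shared Secret rule from Table 23: up to 31 alphanumeric characters, no spaces."""
    return 1 <= len(secret) <= 31 and secret.isascii() and secret.isalnum()


def attribute(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_reply(code, identifier, request_auth, attributes, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    digest = hashlib.md5(
        header + request_auth + attributes + secret.encode("ascii")
    ).digest()
    return header + digest + attributes


def reply_is_authentic(packet, request_auth, secret):
    """AP side: recompute the authenticator with the AP's own copy of the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret.encode("ascii")
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values, not taken from the guide.
SECRET = "Zy5100BridgeSecret01"
REQUEST_AUTH = bytes(range(16))  # the 16-byte value the AP put in its request
REPLY = build_reply(
    ACCESS_ACCEPT, 7, REQUEST_AUTH, attribute(REPLY_MESSAGE, b"welcome"), SECRET
)

if __name__ == "__main__":
    print("matching secret :", reply_is_authentic(REPLY, REQUEST_AUTH, SECRET))
    print("different secret:", reply_is_authentic(REPLY, REQUEST_AUTH, "OtherSecret"))
    print("secret on wire  :", SECRET.encode("ascii") in REPLY)
```

A trusted AP whose secret differs from the ZyAIR's rejects every reply, which is why the table requires the same value on both devices.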

6.5 Trusted Users Overview

A trusted user entry consists of a wireless client user name and password.

6.6 Configuring Trusted Users

To configure trusted user entries, click the AUTH SERVER link under ADVANCED and then the Trusted Users tab. The screen appears as shown.
Figure 40 Trusted Users Screen
The following table describes the labels in this screen.
Table 24 Trusted Users
LABEL DESCRIPTION
# This field displays the trusted user index number.
Active Select this check box to have the ZyAIR authenticate wireless clients with the same user name and password activated on their wireless utilities.
User Name Enter the user name for this user account. This name can be up to 31 alphanumeric characters long, including spaces. The wireless client’s utility must use this name as its login name.
Password Type a password (up to 31 ASCII characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type.
The password on the wireless client’s utility must be the same as this password.
Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.
CHAPTER 7
VLAN

This chapter discusses how to configure VLAN on the ZyAIR.

7.1 VLAN

A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Stations on a logical network can belong to one or more groups. Only stations within the same group can talk to each other.
The ZyAIR supports IEEE 802.1q VLAN tagging. Tagged VLAN uses an explicit tag (VLAN ID) in the MAC header of a frame to identify VLAN membership. The ZyAIR can identify VLAN tags for incoming Ethernet frames and add VLAN tags to outgoing Ethernet frames.

7.1.1 Management VLAN ID

The management VLAN ID identifies the “management VLAN”. A computer must be a member of this “management VLAN” in order to access and manage the ZyAIR. If a computer is not a member of this VLAN, then it cannot manage the ZyAIR.
If no devices are in the management VLAN, then you will only be able to access the ZyAIR through the console port (not through the network).

7.2 Configuring VLAN

Click ADVANCED and then VLAN. The screen appears as shown next.
Figure 41 VLAN
The following table describes the labels in this screen.
Table 25 VLAN
LABEL DESCRIPTION
Enable VLAN Tagging Select this check box to turn on VLAN tagging.
Use the Wireless screen to set the VLAN ID tag that the ZyAIR adds to the Ethernet frames that a WLAN adapter receives from wireless clients or APs.
Management VLAN ID Enter a number from 1 to 4094 to define this VLAN group. Your management computer must belong to this VLAN group in order to manage the ZyAIR. This can be done in the following ways:
• The management computer could be a wireless client of the ZyAIR if the ZyAIR’s WLAN adapter is set to add the management VLAN ID tag to Ethernet frames received from wireless clients.
• The management computer could be on the wired network, behind a VLAN-aware switch that is configured to add the management VLAN ID tag to Ethernet frames from the computer before sending them to the ZyAIR.
Note: Mail and FTP servers must have the same management VLAN ID to communicate with the ZyAIR.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.
CHAPTER 8
IP Screen

This chapter discusses how to configure IP on the ZyAIR.

8.1 Factory Ethernet Defaults

The Ethernet parameters of the ZyAIR are preset in the factory with the following values:
1 IP address of 192.168.1.2
2 Subnet mask of 255.255.255.0 (24 bits)
These parameters should work for the majority of installations.

8.2 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. The Internet Assigned Numbers Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number, which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.2, for your ZyAIR, but make sure that no other device on your network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyAIR will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyAIR unless you are instructed to do otherwise.

8.2.1 IP Address Assignment

Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.
Table 26 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

8.3 Configuring IP

Click ADVANCED and then IP to display the screen shown next.
Figure 42 IP Setup
The following table describes the labels in this screen.
Table 27 IP Setup
LABEL DESCRIPTION
IP Address Assignment
Get automatically from DHCP Select this option to have the ZyAIR use a dynamically assigned IP address from a DHCP server.
Note: You must know the IP address assigned to the ZyAIR (by the DHCP server) to access the ZyAIR again.
Use fixed IP address Select this option if your ZyAIR is using a static IP address. When you select this option, fill in the fields below.
IP Address Enter the IP address of your ZyAIR in dotted decimal notation.
Note: If you change the ZyAIR's IP address, you must use the new IP address if you want to access the web configurator again.
IP Subnet Mask Type the subnet mask.
Gateway IP Address Type the IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyAIR. The gateway helps forward packets to their destinations. Leave this field as 0.0.0.0 if you do not know it.
Apply Click Apply to save your changes back to the ZyAIR.
Reset Click Reset to begin configuring this screen afresh.
CHAPTER 9
Certificates

This chapter gives background information about public-key certificates and explains how to use them.

9.1 Certificates Overview

The ZyAIR can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the ZyAIR to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.
In public-key encryption and decryption, each host has two keys. One key is public and can be made openly available; the other key is private and must be kept secure. Public-key encryption in general works as follows.
1 Tim wants to send a private message to Jenny. Tim generates a public key pair. What is encrypted with one key can only be decrypted using the other.
2 Tim keeps the private key and makes the public key openly available.
3 Tim uses his private key to encrypt the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to decrypt it.
5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny’s public key to decrypt the message.
The ZyAIR uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection.
The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyAIR does not trust a certificate if any certificate on its path has expired or been revoked.

9.1.1 Advantages of Certificates

Certificates offer the following benefits.
• The ZyAIR only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

9.2 Self-signed Certificates

Until public-key infrastructure becomes more mature, it may not be available in some areas. You can have the ZyAIR act as a certification authority and sign its own certificates.

9.3 Configuration Summary

This section summarizes how to manage certificates on the ZyAIR.
Figure 43 Certificate Configuration Overview
Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyAIR’s CA-signed certificates.
Use the Trusted CA screens to save CA certificates to the ZyAIR.

9.4 My Certificates

Click CERTIFICATES, My Certificates to open the ZyAIR’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. See the following figure.
Figure 44 My Certificates
The following table describes the labels in this screen.
Table 28 My Certificates
LABEL DESCRIPTION
PKI Storage Space in Use This bar displays the percentage of the ZyAIR’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Replace This button displays when the ZyAIR has the factory default certificate. The factory default certificate is common to all ZyAIRs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyAIR's MAC address.
# This field displays the certificate index number. The certificates are listed in alphabetical order.
Name This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
*SELF represents the default self-signed certificate, which the ZyAIR uses to sign imported trusted remote host certificates.
CERT represents a certificate issued by a certification authority.
Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Details Select a certificate’s radio button and click Details to open a screen with an in-depth list of information about the certificate.
Create Click Create to go to the screen where you can have the ZyAIR generate a certificate or a certification request.
Import Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the ZyAIR.
Delete Select a certificate’s radio button and click Delete to remove the certificate.
A window displays asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features is configured to use. Do the following to delete a certificate that shows *SELF in the Type field.
1. Make sure that no features are configured to use the *SELF certificate.
2. Select the radio button of another self-signed certificate and click Details (see the description on the Create button if you need to create a self-signed certificate).
3. Select the Default self-signed certificate which signs the imported remote host certificates check box.
4. Click Apply to save the changes and return to the My Certificates screen.
5. The certificate that originally showed *SELF displays SELF and you can delete it now.
Subsequent certificates move up by one when you take this action.
Refresh Click Refresh to display the current validity status of the certificates.

9.5 Certificate File Formats

The certification authority certificate that you want to import has to be in one of these file formats:
• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The ZyAIR currently allows the importation of a PKCS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.
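A file can be matched against the four formats listed above before it is uploaded. This Python example is added here and is not ZyXEL code; it inspects only the outer DER structure, does not validate the certificate or count the certificates in a PKCS#7 file, and uses constructed structural stubs rather than real certificates.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData).
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def read_tlv(data, offset):
    """Return (tag, value_start, value_end) of the DER element at offset."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, first = data[offset], data[offset + 1]
    pos = offset + 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER length runs past end of file")
    return tag, pos, pos + length


def classify_der(der):
    """X.509 starts SEQUENCE{SEQUENCE...}; PKCS#7 starts SEQUENCE{OID signedData...}."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    inner_tag, inner_start, inner_end = read_tlv(der, start)
    if inner_tag == 0x30:
        return "X.509"
    if inner_tag == 0x06 and der[inner_start:inner_end] == OID_SIGNED_DATA:
        return "PKCS#7"
    raise ValueError("neither an X.509 certificate nor PKCS#7 signed data")


def identify_import_file(filename, data):
    """Name the format of a file using the wording of the list above."""
    if " " in filename:
        raise ValueError("remove spaces from the file name before importing")
    match = PEM_BLOCK.search(data)
    if match:
        der = base64.b64decode(b"".join(match.group(2).split()))
        return "PEM (Base-64) encoded " + classify_der(der)
    return "Binary " + classify_der(data)


def to_pem(label, der):
    """Wrap DER bytes in PEM armour (used to build the sample input)."""
    return b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der) \
        + b"-----END " + label + b"-----\n"


# Constructed structural stubs: correct outer layout, no real certificate inside.
X509_STUB = bytes.fromhex("30053003020101")
PKCS7_STUB = bytes.fromhex("300d0609") + OID_SIGNED_DATA + bytes.fromhex("a000")

if __name__ == "__main__":
    print(identify_import_file("ap.cer", X509_STUB))
    print(identify_import_file("ap.p7b", to_pem(b"PKCS7", PKCS7_STUB)))
```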

9.6 Importing a Certificate

Click CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyAIR; see the following figure.
Note: 1. You can only import a certificate that matches a corresponding certification request that was generated by the ZyAIR.
Note: 2. The certificate you import replaces the corresponding request in the My Certificates screen.
Note: 3. You must remove any spaces from the certificate’s filename before you can import it.
Figure 45 My Certificate Import
The following table describes the labels in this screen.
Table 29 My Certificate Import
LABEL DESCRIPTION
File Path Type in the location of the file you want to upload in this field or click Browse to find it.
Browse Click Browse to find the certificate file you want to upload.
Apply Click Apply to save the certificate on the ZyAIR.
Cancel Click Cancel to quit and return to the My Certificates screen.

9.7 Creating a Certificate

Click CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the ZyAIR create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request; see the following figure.