The contents of this publication may not be reproduced in any part or as a whole, transcribed,
stored in a retrieval system, translated into any language, or transmitted in any form or by any
means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or
otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or
software described herein. Neither does it convey any license under its patent rights nor the
patent rights of others. ZyXEL further reserves the right to make changes in any products
described herein without notice. This publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL
Communications, Inc. Other trademarks mentioned in this publication are used for
identification purposes only and may be properties of their respective owners.
ZyAIR G-5100 User’s Guide
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two
conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause
undesired operations.
FCC Warning
This equipment has been tested and found to comply with the limits for a Class B digital
device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference in a commercial environment. This equipment
generates, uses, and can radiate radio frequency energy, and if not installed and used in
accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the
interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and the receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver
is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Any changes or modifications not expressly approved by the party responsible for compliance
could void the user's authority to operate the equipment.
FCC Caution:
Any changes or modifications not expressly approved by the party responsible for compliance
could void the user's authority to operate this equipment.
IMPORTANT NOTE:
FCC Radiation Exposure Statement:
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled
environment. This equipment should be installed and operated with minimum distance 20cm
between the radiator & your body.
This transmitter must not be co-located or operating in conjunction with any other antenna or
transmitter.
Note: Antenna Warning! This device meets ETSI and FCC certification requirements
when using the included antennas or antenna connector cable. Only use the
included antennas or antenna connector cable.
Canadian Note
This Class B digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada.
Certifications
Go to www.zyxel.com
1 Select your product from the drop-down list box on the ZyXEL home page to go to that
product's page.
2 Select the certification you wish to view from this page.
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT open the device or unit. Opening or removing covers can expose you to
dangerous high voltage points or other risks. ONLY qualified service personnel can
service the device. Please contact your vendor for further information.
• Use ONLY the dedicated power supply for your device. Connect the power cord or
power adaptor to the right supply voltage (110V AC in North America or 230V AC in
Europe).
• Do NOT use the device if the power supply is damaged as it might cause electrocution.
• If the power supply is damaged, remove it from the power outlet.
• Do NOT attempt to repair the power supply. Contact your local vendor to order a new
power supply.
• Place cables carefully so that no one will step on them or stumble over them. Do NOT
allow anything to rest on the power cord and do NOT locate the product where anyone
can walk on the power cord.
• Do NOT install nor use your device during a thunderstorm. There may be a remote risk of
electric shock from lightning.
• Do NOT expose your device to corrosive liquids.
• Do NOT store things on the device.
• Connect ONLY suitable accessories to the device.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects
in materials or workmanship for a period of up to two years from the date of purchase. During
the warranty period, and upon proof of purchase, should the product have indications of failure
due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the
defective products or components without charge for either parts or labor, and to whatever
extent it shall deem necessary to restore the product or components to proper operating
condition. Any replacement will consist of a new or re-manufactured functionally equivalent
product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not
apply if the product is modified, misused, tampered with, damaged by an act of God, or
subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the
purchaser. This warranty is in lieu of all other warranties, express or implied, including any
implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in
no event be held liable for indirect or consequential damages of any kind of character to the
purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return
Material Authorization number (RMA). Products must be returned Postage Prepaid. It is
recommended that the unit be insured when shipped. Any returned products without proof of
purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of
ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products
will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty
gives you specific legal rights, and you may also have other rights that vary from country to
country.
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Preface
Congratulations on your purchase of the ZyAIR G-5100 Outdoor 802.11g Business Access
Point/Bridge/Repeater.
The ZyAIR is an Access Point (AP) through which wireless stations can communicate and/or
access a wired network. The ZyAIR can also function as a wireless network bridge/repeater
and establish wireless links with other APs.
The ZyAIR also supports both AP and bridge connections at the same time.
Your ZyAIR is easy to install and configure.
Note: Register your product online to receive e-mail notices of firmware upgrades and
information at www.zyxel.com for global products, or at www.us.zyxel.com for North
American products.
About This User's Guide
This User’s Guide is designed to guide you through the configuration of your ZyAIR using the
web configurator or the System Management Terminal (SMT). The web configurator parts of
this guide contain background information on features configurable by web configurator. The
SMT parts of this guide contain background information solely on features not configurable
by web configurator.
Note: Use the web configurator, System Management Terminal (SMT) or command
interpreter interface to configure your ZyAIR. Not all features can be configured
through all interfaces.
Related Documentation
• Supporting Disk
Refer to the included CD for support documents.
• Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It
contains connection information and instructions on getting started.
• Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary
information.
• ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional
support documentation.
User Guide Feedback
Help us help you. E-mail all User Guide-related comments, questions or suggestions for
improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing
Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park,
Hsinchu, 300, Taiwan. Thank you.
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for
you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font. Predefined field
choices are in Bold Arial font. Command and arrow keys are enclosed in square
brackets. [ENTER] means the Enter, or carriage return key; [ESC] means the Escape key
and [SPACE BAR] means the Space Bar.
• Mouse action sequences are denoted using a comma. For example, “click the Apple icon,
Control Panels and then Modem” means first click the Apple icon, then point your
mouse pointer to Control Panels and then click Modem.
• For brevity’s sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for
“that is” or “in other words” throughout this manual.
• The ZyAIR G-5100 may be referred to simply as the ZyAIR in the user’s guide.
Graphics Icons Key
ZyAIR, Computer, Notebook computer, Server, Modem, Switch, Router, Wireless Signal
Chapter 1 Getting to Know Your ZyAIR
This chapter introduces the main features and applications of the ZyAIR.
1.1 Introducing the ZyAIR
The ZyAIR G-5100 is an enterprise level, outdoor IEEE 802.11g compliant business access
point, bridge and repeater with excellent wireless performance. Wireless Distribution System
(WDS) support provides flexibility in building an extended wireless network with bridge and
repeater applications. IEEE 802.1x, Wi-Fi Protected Access, WEP data encryption and MAC
address filtering offer highly secured wireless connectivity.
Rugged die-cast, watertight construction, built-in lightning protection, and grounding make
the ZyAIR perfect for outdoor applications.
It is easy to install and configure the ZyAIR. The web-based configurator allows remote
configuration and management of your ZyAIR. The Power over Ethernet (PoE) feature means
that power can be delivered to the ZyAIR over an Ethernet line. This allows you to mount the
ZyAIR in areas where there are no nearby power sources.
1.2 ZyAIR Features
The following sections describe the features of the ZyAIR.
This auto-negotiating feature allows the ZyAIR to detect the speed of incoming transmissions
and adjust appropriately without manual intervention. It allows data transfer of either 10 Mbps
or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.
Power over Ethernet (PoE)
Power over Ethernet (PoE) is the ability to provide power to your ZyAIR via an 8-pin CAT 5
Ethernet cable, eliminating the need for a nearby power source. The ZyAIR G-5100 includes a
special high current power injector that allows the ZyAIR to be located farther away. This
feature allows increased flexibility in the locating of your ZyAIR.
Figure 1 PoE Installation Example
Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences
between WPA and WEP are user authentication and improved data encryption.
WDS Functionality
A Distribution System (DS) is a wired connection between two or more APs, while a Wireless
Distribution System (WDS) is a wireless connection. Your ZyAIR supports WDS, providing a
cost-effective solution for wireless network expansion. The ZyAIR supports up to five
wireless links with other APs.
Figure 2 WDS Functionality Example
IEEE 802.11g Wireless LAN Standard
The ZyAIR complies with the IEEE 802.11g wireless standard. IEEE 802.11g has several
intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g
data rate and modulation are as follows. The modulation technique defines how bits are
encoded onto radio waves.
Table 1 IEEE 802.11g
DATA RATE (MBPS) | MODULATION
6/9/12/18/24/36/48/54 | OFDM (Orthogonal Frequency Division Multiplexing)
Note: The ZyAIR may be prone to RF (Radio Frequency) interference from other 2.4
GHz devices such as microwave ovens, wireless phones, Bluetooth enabled devices,
and other wireless LANs.
IEEE 802.11b Wireless LAN Standard
The ZyAIR also fully complies with the IEEE 802.11b standard. This means an IEEE 802.11b
radio card can interface directly with an IEEE 802.11g device (and vice versa) at 11 Mbps or
lower depending on range.
The IEEE 802.11b data rate and corresponding modulation techniques are shown in the table
below.
(R)STP detects and breaks network loops and provides backup links between switches,
bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your
network to ensure that only one path exists between any two stations on the network.
SSL Passthrough
SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL
connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites
use the protocol to obtain confidential user information, such as credit card numbers. By
convention, URLs that require an SSL connection start with “https” instead of “http”. The
ZyAIR allows SSL connections to take place through the ZyAIR.
VPN Passthrough
VPN (Virtual Private Network) connections use data encryption to provide secure
communications over unsecure networks (like the Internet). The ZyAIR allows VPN
connections to go through it.
Wireless LAN MAC Address Filtering
Your ZyAIR checks the MAC address of the wireless station against a list of allowed or
denied MAC addresses.
WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless
network to help keep network communications private.
IEEE 802.1x Network Security
The ZyAIR supports the IEEE 802.1x standard to enhance user authentication. This allows
you to use a RADIUS (RFC2138, 2139 - Remote Authentication Dial In User Service) server
to authenticate users.
Embedded RADIUS Server
The ZyAIR’s embedded RADIUS server eliminates the need to purchase and maintain a
standalone external RADIUS server. Use the embedded RADIUS server to authenticate up to
32 users. You can also use an external RADIUS server to authenticate a potentially unlimited
number of users.
Backup RADIUS Server
You can configure the ZyAIR to use backup external RADIUS servers and accounting servers
in case the primary external RADIUS or accounting server does not respond.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging
management information between network devices. SNMP is a member of the TCP/IP
protocol suite. Your ZyAIR supports SNMP agent functionality, which allows a manager
station to manage and monitor the ZyAIR through the network. The ZyAIR supports SNMP
version one (SNMPv1) and version two c (SNMPv2c).
Full Network Management
The web configurator is an HTML-based management interface that allows easy setup and
management via Internet browser. Most functions of the ZyAIR are also software configurable
via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface
that you can access from a terminal emulator over a telnet connection.
Logging and Tracing
• Built-in message logging and packet tracing.
• Syslog facility support.
Embedded FTP and TFTP Servers
The ZyAIR’s embedded FTP and TFTP servers enable fast firmware upgrades as well as
configuration file backups and restoration.
Wireless Association List
With the wireless association list, you can see the list of the wireless stations that are currently
using the ZyAIR to access your wired network.
Wireless LAN Channel Usage
The Wireless Channel Usage screen displays which radio channels are being used by other
wireless devices within the transmission range of the ZyAIR. This allows you to select the
channel with minimum interference for your ZyAIR.
1.3 Applications for the ZyAIR
The ZyAIR can be configured using the following WLAN operating modes:
1 AP
2 AP+Bridge
3 Bridge/Repeater
Applications for each operating mode are shown below.
1.3.1 Access Point
The ZyAIR is an ideal access solution for wireless Internet connection. A typical Internet
access application for your ZyAIR is shown as follows. Stations A, B and C can access the
wired network through the ZyAIRs.
Figure 3 Access Point Application
1.3.2 AP + Bridge
In AP+Bridge mode, the ZyAIR supports both AP connections (A and B can connect to the
wired network through X) and bridge connections (X can communicate with Y) at the same
time.
Figure 4 AP+Bridge Application
1.3.3 Bridge / Repeater
The ZyAIR can act as a wireless network bridge and establish wireless links with other APs. In
bridge mode, the ZyAIRs (see A and B in Figure 5 on page 35) are connected to independent
wired networks and have a bridge (A can communicate with B) connection at the same time. A
ZyAIR without a wired connection can act as a repeater (see C in Figure 6 on page 36).
Figure 5 Bridge Application
Figure 6 Repeater Application
Chapter 2 Introducing the Web Configurator
This chapter describes how to access the ZyAIR web configurator and provides an overview
of its screens.
2.1 Web Configurator Overview
The embedded web configurator allows you to manage the ZyAIR from anywhere through a
browser such as Microsoft Internet Explorer. Use Internet Explorer 6.0 and later versions with
JavaScript enabled.
It is recommended that you set your screen resolution to 1024 by 768 pixels.
2.2 Accessing the ZyAIR Web Configurator
1 Make sure your ZyAIR hardware is properly connected (refer to the Quick Start Guide).
2 Prepare your computer/computer network to connect to the ZyAIR (refer to Appendix D
on page 201).
3 Launch your web browser.
4 Type "192.168.1.2" (the default IP address of the ZyAIR) as the URL.
5 Type "1234" (default) as the password and click Login. In some versions, the default
password appears automatically - if this is the case, click Login.
6 You should see a screen asking you to change your password (highly recommended) as
shown next. Type a new password (and retype it to confirm) and click Apply or click
Ignore to allow access without password change.
Figure 7 Change Password Screen
7 Click Apply in the Replace Certificate screen to create a certificate using your ZyAIR’s
MAC address that will be specific to this device.
Figure 8 Replace Certificate Screen.
8 You should now see the MAIN MENU screen (see Figure 10 on page 40).
Note: The management session automatically times out when the time period set in
the Administrator Inactivity Timer field expires (default five minutes). Simply log back
into the ZyAIR if this happens to you.
2.3 Resetting the ZyAIR
If you forget your password or cannot access the ZyAIR, you will need to reload the
factory-default configuration file. Uploading this configuration file replaces the current configuration
file with the factory-default configuration file. This means that you will lose all configurations
that you had previously. The password will be reset to “1234” and the IP address will be reset
to 192.168.1.2.
Do the following to erase the current configuration and restore factory defaults.
Obtain the default configuration file, unzip it and save it in a folder. Use a console cable to
connect a computer with terminal emulation software to the ZyAIR’s console port. Turn the
ZyAIR off and then on to begin a session. When you turn on the ZyAIR again, you will see the
initial screen. When you see the message “Press any key to enter Debug Mode within 3
seconds” press a key to enter debug mode.
To upload the configuration file, do the following:
1 Type “atlc” after the Enter Debug Mode message.
2 Wait for the Starting XMODEM upload message before activating XMODEM upload on
your terminal.
3 This is an example Xmodem configuration upload using HyperTerminal. Click Transfer,
then Send File to display the following screen.
Figure 9 Example Xmodem Upload
(Figure callouts: Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send.)
4 After a successful configuration file upload, type “atgo” to restart the ZyAIR.
The ZyAIR is now reinitialized with a default configuration file including the default
password of “1234” and IP address of 192.168.1.2.
2.4 Navigating the ZyAIR Web Configurator
The following summarizes how to navigate the web configurator from the MAIN MENU
screen.
Note: Follow the instructions you see in the MAIN MENU screen or click the
icon (located in the top right corner of most screens) to view online help.
The icon does not appear in the MAIN MENU screen.
Figure 10 The MAIN MENU Screen of the Web Configurator
Use submenus to configure ZyAIR features.
Click LOGOUT at any time to exit the web configurator.
The following table describes the sub-menus.
Table 3 Screens Summary
LINK | TAB | FUNCTION
WIZARD SETUP | | Click WIZARD SETUP for initial configuration including general setup, wireless LAN setup and IP address assignment.
SYSTEM | General | This screen contains administrative and system-related information.
SYSTEM | Password | Use this screen to change your password.
SYSTEM | Time Setting | Use this screen to change your ZyAIR’s time and date settings.
WIRELESS | Wireless | Use this screen to configure the wireless LAN settings and WLAN authentication/security settings.
WIRELESS | MAC Filter | Use this screen to change MAC filter settings on the ZyAIR.
WIRELESS | Roaming | Use this screen to configure the ZyAIR to allow wireless users to roam seamlessly between APs that are within the same subnet.
WIRELESS | 802.1x/WPA | Use this screen to configure wireless LAN security.
IP | IP | Use this screen to configure IP address settings.
AUTH. SERVER | Setting | Configure this screen to use the internal server to authenticate wireless users.
AUTH. SERVER | Trusted AP | Configure this screen to allow specified AP’s to communicate with the ZyAIR.
AUTH. SERVER | Trusted Users | Use this screen to configure the local user account(s) on the ZyAIR.
CERTIFICATES | My Certificates | Use this screen to view a summary list of certificates and manage certificates and certification requests.
CERTIFICATES | Trusted CAs | Use this screen to view and manage the list of the trusted CAs.
LOGS | View Log | Use this screen to view the logs for the categories that you selected.
LOGS | Log Settings | Use this screen to change your ZyAIR’s log settings.
MAINTENANCE | Status | This screen contains administrative and system-related information.
MAINTENANCE | Association List | Use this screen to view a list of wireless clients that are connected to the ZyAIR.
MAINTENANCE | Channel Usage | Use this screen to see which APs are using which wireless channels within range of your ZyAIR.
MAINTENANCE | F/W Upload | Use this screen to upload firmware to your ZyAIR.
MAINTENANCE | Configuration | Use this screen to backup and restore the configuration or reset the factory defaults to your ZyAIR.
MAINTENANCE | Restart | This screen allows you to reboot the ZyAIR without turning the power off.
LOGOUT | | Click LOGOUT to exit the web configurator.
Chapter 3 Wizard Setup
This chapter provides information on the WIZARD SETUP screens in the web configurator.
3.1 Wizard Setup Overview
The web configurator’s setup wizard helps you configure your ZyAIR for wireless stations to
access your wired LAN.
Note: Click Next in each screen to continue or click Back to return to the previous
screen.
Your settings are not saved when you click Back.
3.2 Wizard Setup: General Setup
General Setup contains administrative and system-related information.
Figure 11 Wizard: General Setup
The following table describes the labels in this screen.
Table 4 Wizard: General Setup
LABEL | DESCRIPTION
System Name | It is recommended you type your computer's "Computer name". In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name. In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name. In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyAIR System Name. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Domain Name | This is not a required field. Leave this field blank or enter the domain name here if you know it.
Next | Click Next to proceed to the next screen.
3.3 Wizard Setup: Wireless LAN
Use this wizard screen to configure one of the ZyAIR’s two wireless LAN (WLAN) adapters
to function as an AP (WLAN 1 is recommended). Use the ADVANCED WIRELESS screens
to configure a WLAN adapter for bridge/repeater functions.
Note: The wireless clients and ZyAIR must use the same SSID, channel ID and WEP
encryption key (if you enable WEP) for wireless communication.
Figure 12 Wizard: Wireless LAN Setup
The following table describes the labels in this screen.
Table 5 Wizard: Wireless LAN Setup
LABEL | DESCRIPTION
Wireless LAN Setup |
WLAN Adapter | Select which WLAN adapter you want to configure (WLAN 1 recommended).
Name (SSID) | Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyAIR, make sure all wireless stations use the same Name (SSID) in order to access the network.
Choose Channel ID | To manually set the ZyAIR to use a channel, select the channel from the drop-down list box. To have the ZyAIR automatically select a channel, click Scan instead.
Scan | Click this button to have the ZyAIR automatically scan for and select a channel with the least interference.
WEP Encryption | Select Disable to allow all wireless computers to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to use data encryption. Note: Use the ADVANCED WIRELESS screens to configure stronger types of security (such as WPA).
ASCII | Select this option in order to enter ASCII characters as the WEP keys.
Hex | Select this option to enter hexadecimal characters as the WEP keys. The preceding 0x is entered automatically.
Key 1 to Key 4 | The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations must use the same WEP key. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
Back | Click Back to return to the previous screen.
Next | Click Next to continue.
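The field limits in Tables 4 and 5, together with the default password from section 2.2, can be checked before settings are entered on the device. The following is an added example, not ZyXEL code; the settings dictionary, its key names and all sample values are constructed for illustration, and requiring non-empty names and accepting lowercase hex digits are assumptions.

```python
import re
import string

# Limits taken from the guide's wizard tables; the dict layout is hypothetical.
WEP_LENGTHS = {
    "64-bit WEP": {"ascii": 5, "hex": 10},
    "128-bit WEP": {"ascii": 13, "hex": 26},
}
DEFAULT_PASSWORD = "1234"  # factory default stated in section 2.2
# Up to 30 alphanumerics, '-' and '_' accepted, no spaces (non-empty is assumed).
SYSTEM_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,30}")


def check_system_name(name):
    """System Name rule from Table 4."""
    return SYSTEM_NAME_RE.fullmatch(name) is not None


def check_ssid(ssid):
    """Name (SSID) rule from Table 5: up to 32 printable 7-bit ASCII characters."""
    return 1 <= len(ssid) <= 32 and all(0x20 <= ord(c) <= 0x7E for c in ssid)


def check_wep_key(key, mode, fmt):
    """Key length rule from Table 5 for the chosen WEP mode and entry format."""
    if len(key) != WEP_LENGTHS[mode][fmt]:
        return False
    if fmt == "hex":
        # The guide lists "0-9", "A-F"; lowercase is also accepted here (assumption).
        return all(c in string.hexdigits for c in key)
    return key.isascii()


def audit_wizard_settings(cfg):
    """Return a list of (severity, field, message) findings for one settings dict."""
    findings = []
    if cfg["password"] == DEFAULT_PASSWORD:
        findings.append(("warn", "password", "factory-default password still set"))
    if not check_system_name(cfg["system_name"]):
        findings.append(("error", "system_name", "not 1-30 chars of A-Z a-z 0-9 - _"))
    if not check_ssid(cfg["ssid"]):
        findings.append(("error", "ssid", "not 1-32 printable 7-bit ASCII chars"))

    mode = cfg["wep_encryption"]
    if mode == "Disable":
        findings.append(("warn", "wep_encryption", "stations connect with no data encryption"))
    elif mode in WEP_LENGTHS:
        fmt = cfg.get("key_format")
        keys = cfg.get("keys", [])
        if fmt not in ("ascii", "hex"):
            findings.append(("error", "key_format", "must be 'ascii' or 'hex'"))
        elif len(keys) != 4:
            findings.append(("error", "keys", "all four keys must be configured"))
        else:
            for i, key in enumerate(keys, start=1):
                if not check_wep_key(key, mode, fmt):
                    need = WEP_LENGTHS[mode][fmt]
                    findings.append(("error", f"key{i}", f"needs {need} {fmt} chars for {mode}"))
        if cfg.get("active_key", 1) not in (1, 2, 3, 4):
            findings.append(("error", "active_key", "must be 1 to 4"))
        findings.append(("info", "wep_encryption",
                         "stronger security (such as WPA) is set in ADVANCED WIRELESS"))
    else:
        findings.append(("error", "wep_encryption", "unknown mode"))
    return findings


# Constructed sample settings (not taken from any real device).
SAMPLE_WEAK = {
    "password": "1234",
    "system_name": "roof ap",
    "ssid": "Yard",
    "wep_encryption": "Disable",
}
SAMPLE_WEP = {
    "password": "constructed-passphrase",
    "system_name": "roof-ap_1",
    "ssid": "Yard",
    "wep_encryption": "128-bit WEP",
    "key_format": "hex",
    "keys": [
        "0123456789ABCDEF0123456789",
        "1123456789ABCDEF0123456789",
        "2123456789ABCDEF0123456789",
        "0123456789",  # 10 hex digits: valid for 64-bit WEP, wrong for 128-bit
    ],
    "active_key": 1,
}

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("wep", SAMPLE_WEP)):
        for severity, field, message in audit_wizard_settings(cfg):
            print(f"{name}: [{severity}] {field}: {message}")
```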
3.4 Wizard Setup: IP Address Assignment
Use this wizard screen to configure IP address assignment for the ZyAIR.
Figure 13 Wizard: IP Address Assignment
The following table describes the labels in this screen.
Table 6 Wizard: IP Address Assignment
LABEL | DESCRIPTION
IP Address Assignment |
Get automatically from DHCP | Select this option to have the ZyAIR use a dynamically assigned IP address from a DHCP server. Note: You must know the IP address assigned to the ZyAIR (by the DHCP server) to access the ZyAIR again.
Use fixed IP address | Select this option if your ZyAIR is using a static IP address. When you select this option, fill in the fields below.
IP Address | Enter the IP address of your ZyAIR in dotted decimal notation. Note: If you changed the ZyAIR's IP address, you must use the new IP address if you want to access the web configurator again.
IP Subnet Mask | Type the subnet mask.
Gateway IP Address | Type the IP address of the gateway. The gateway is an immediate neighbor of your ZyAIR that will forward the packet to the destination. The gateway must be a router on the same segment as your ZyAIR's LAN or WAN port.
Back | Click Back to return to the previous screen.
Finish | Click Finish to proceed to complete the Wizard setup.
3.5 Basic Setup Complete
When you click Finish in the Wizard IP Address Assignment screen, a warning window
displays as shown. Click OK to close the window. Log into the web configurator again using
the new IP address if you change the default IP address (192.168.1.2).
Figure 14 TCP/IP Warning Screen
The following screen displays prompting you to close the web browser.
Figure 15 Close Browser Screen
Click Yes to close the web configurator. Otherwise, click No to use the ADVANCED
screens to configure other features (the congratulations screen shows next).
Figure 16 Wizard: Setup Complete
Well done! You have set up your ZyAIR to operate on your network and access the Internet.
Chapter 4 System Screens
This section provides information on general system setup.
4.1 System Overview
This chapter describes how to configure the ZyAIR’s general, DNS, password and time
settings.
4.2 General Screen
The General screen contains administrative and system-related information. System Name is
for identification purposes. However, because some ISPs check this name you should enter
your computer's "Computer Name".
• In Windows 95/98 click Start, Settings, Control Panel, Network. Click the
Identification tab, note the entry for the Computer Name field and enter it as the
System Name.
• In Windows 2000, click Start, Settings and Control Panel and then double-click
System. Click the Network Identification tab and then the Properties button. Note the
entry for the Computer name field and enter it as the System Name.
• In Windows XP, click Start, My Computer, View system information and then click
the Computer Name tab. Note the entry in the Full computer name field and enter it as
the ZyAIR System Name.
4.2.1 Domain Name
You can manually enter a domain name or the ZyAIR can get it automatically by DHCP.
4.2.2 DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and
vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is
extremely important because without it, you must know the IP address of a computer before
you can access it.
You can manually configure DNS server addresses if you know them or the ZyAIR can
receive them automatically through DHCP.
4.3 Configuring General Setup
Click the SYSTEM link under ADVANCED to open the General screen.
Figure 17 System General
The following table describes the labels in this screen.
Table 7 System General Setup
LABEL | DESCRIPTION
General Setup
System Name | Type a descriptive name to identify the ZyAIR in the Ethernet network. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Domain Name | This is not a required field. Leave this field blank or enter the domain name here if you know it.
Administrator Inactivity Timer | Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
System DNS Servers
First DNS Server, Second DNS Server, Third DNS Server | Select From DHCP if your ISP dynamically assigns DNS server information. The field to the right displays the (read-only) DNS server IP address that the DHCP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. The default setting is None.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to reload the previous configuration for this screen.
4.4 Configuring Password
To change your ZyAIR’s password (recommended), click the SYSTEM link under
ADVANCED and then the Password tab. The screen appears as shown. This screen allows
you to change the ZyAIR’s password.
If you forget your password (or the ZyAIR IP address), you will need to reset the ZyAIR. See
Section 2.3 on page 38 for details.
Figure 18 Password.
The following table describes the labels in this screen.
Table 8 Password
LABEL | DESCRIPTIONS
Old Password | Type in your existing system password (1234 is the default password).
New Password | Type your new system password (up to 31 characters). Note that as you type a password, the screen displays an asterisk (*) for each character you type.
Retype to Confirm | Retype your new system password for confirmation.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to reload the previous configuration for this screen.
4.5 Configuring Time Setting
To change your ZyAIR’s time and date, click the SYSTEM link under ADVANCED and then
the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyAIR’s
time based on your local time zone.
Figure 19 Time Setting
The following table describes the labels in this screen.
Table 9 Time Setting
LABEL | DESCRIPTION
Time Protocol | Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. NTP (RFC 1305), is similar to Time (RFC 868). Select Manual to enter the time and date manually.
Time Server Address | Enter the IP address or the URL of your time server. Check with your ISP/network administrator if you are unsure of this information.
Current Time (hh:mm:ss) | This field displays the time of your ZyAIR. Each time you reload this page, the ZyAIR synchronizes the time with the time server.
New Time (hh:mm:ss) | This field displays the last updated time from the time server. When you select None in the Time Protocol field, enter the new time in this field and then click Apply.
Current Date (yyyy/mm/dd) | This field displays the date of your ZyAIR. Each time you reload this page, the ZyAIR synchronizes the date with the time server.
New Date (yyyy/mm/dd) | This field displays the last updated date from the time server. When you select None in the Time Protocol field, enter the new date in this field and then click Apply.
Time Zone | Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Daylight Savings | Select this option if you use daylight saving time. Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Start Date (mm-dd) | Enter the month and day that your daylight-saving time starts on if you selected Daylight Savings.
End Date (mm-dd) | Enter the month and day that your daylight-saving time ends on if you selected Daylight Savings.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to reload the previous configuration for this screen.
CHAPTER 5
Wireless LAN
This chapter discusses how to configure wireless LAN.
5.1 Introduction
A wireless LAN can be as simple as two computers with wireless LAN adapters
communicating in a peer-to-peer network or as complex as a number of computers with
wireless LAN adapters communicating through access points which bridge network traffic to
the wired LAN.
Note: See the WLAN appendix for more detailed information on WLANs.
5.2 Wireless Security Overview
Wireless security is vital to your network to protect wireless communication between wireless
stations, access points and the wired network.
Wireless security methods available on the ZyAIR are data encryption, wireless client
authentication, restricting access by device MAC address and hiding the ZyAIR identity.
5.2.1 Encryption
• Use WPA security if you have WPA-aware wireless clients and a RADIUS server. WPA
has user authentication and improved data encryption over WEP.
• Use WPA-PSK if you have WPA-aware wireless clients but no RADIUS server.
• If you don’t have WPA-aware wireless clients, then use WEP key encryption. A higher
bit key offers better security at a throughput trade-off.
5.2.2 Authentication
WPA has user authentication and you can also configure IEEE 802.1x to use the built-in
database (Local User Database) or a RADIUS server to authenticate wireless clients before
joining your network.
• Use RADIUS authentication if you have a RADIUS server. See the appendices for
information on protocols used when a client authenticates with a RADIUS server via the
ZyAIR.
• Use the Local User Database if you have fewer than 32 wireless clients in your network.
The ZyAIR uses MD5 encryption when a client authenticates with the Local User
Database.
5.2.3 Restricted Access
The MAC Filter screen allows you to configure the AP to give exclusive access to devices
(Allow Association) or exclude them from accessing the AP (Deny Association).
5.2.4 Hide ZyAIR Identity
If you hide the SSID, then the ZyAIR cannot be seen when a wireless client scans for local
APs. The trade-off for the extra security of “hiding” the ZyAIR may be inconvenience for
some valid WLAN clients. If you don’t hide the ESSID, at least you should change the default
one.
5.2.5 Configuring Wireless LAN on the ZyAIR
1 Configure the ESSID and WEP in the Wireless screen.
2 Use the MAC Filter screen to restrict access to your wireless network by MAC address.
3 Configure WPA or WPA-PSK in the 802.1x/WPA screen. You can also configure
802.1x wireless client authentication in the 802.1x/WPA screen.
4 Configure the RADIUS settings in the AUTH. SERVER screens.
The following table shows the relative effectiveness of these wireless security methods
available on your ZyAIR.
Table 10 ZyAIR Wireless Security Levels
Security Level | Security Type
Least Secure | Unique SSID (Default)
 | Unique SSID with Hide SSID Enabled
 | MAC Address Filtering
 | WEP Encryption
 | IEEE802.1x EAP with RADIUS Server Authentication
Most Secure | Wi-Fi Protected Access (WPA)
Note: You must enable the same wireless security settings on the ZyAIR and on all
wireless clients that you want to associate with it.
If you do not enable any wireless security on your ZyAIR, your network is
accessible to any wireless networking device that is within range.
5.3 Spanning Tree Protocol (STP)
STP detects and breaks network loops and provides backup links between switches, bridges or
routers. It allows a bridge to interact with other STP-compliant bridges in your network to
ensure that only one route exists between any two stations on the network.
5.3.1 Rapid STP
The ZyAIR uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster
convergence of the spanning tree (while also being backwards compatible with STP-only
aware bridges). With RSTP, topology change information does not have to propagate to the
root bridge, and unwanted learned addresses are flushed from the filtering database. In RSTP,
the port states are Discarding, Learning, and Forwarding.
5.3.2 STP Terminology
The root bridge is the base of the spanning tree; it is the bridge with the lowest identifier value
(MAC address).
Path cost is the cost of transmitting a frame onto a LAN through that port. It is assigned
according to the speed of the link to which a port is attached. The slower the media, the higher
the cost - see the next table.
Table 11 STP Path Costs
 | LINK SPEED | RECOMMENDED VALUE | RECOMMENDED RANGE | ALLOWED RANGE
Path Cost | 4Mbps | 250 | 100 to 1000 | 1 to 65535
Path Cost | 10Mbps | 100 | 50 to 600 | 1 to 65535
Path Cost | 16Mbps | 62 | 40 to 400 | 1 to 65535
Path Cost | 100Mbps | 19 | 10 to 60 | 1 to 65535
Path Cost | 1Gbps | 4 | 3 to 10 | 1 to 65535
Path Cost | 10Gbps | 2 | 1 to 5 | 1 to 65535
On each bridge, the root port is the port through which this bridge communicates with the root.
It is the port on this switch with the lowest path cost to the root (the root path cost). If there is
no root port, then this bridge has been accepted as the root bridge of the spanning tree network.
For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the
root among the bridges connected to the LAN.
5.3.3 How STP Works
After a bridge determines the lowest-cost spanning tree with STP, it enables the root port and
the ports that are the designated ports for connected LANs, and disables all other ports that
participate in STP. Network packets are therefore only forwarded between enabled ports,
eliminating any possible network loops.
STP-aware bridges exchange Bridge Protocol Data Units (BPDUs) periodically. When the
bridged LAN topology changes, a new spanning tree is constructed.
Once a stable network topology has been established, all bridges listen for Hello BPDUs
(Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello
BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root
bridge is down. This bridge then initiates negotiations with other bridges to reconfigure the
network to re-establish a valid network topology.
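The election described in sections 5.3.2 and 5.3.3 can be worked through on a small topology. The following Python sketch is an added example, not ZyXEL code: it picks the root bridge by lowest MAC address, uses the recommended path costs from Table 11, and reports which links STP leaves forwarding and which it blocks. It assumes point-to-point links between bridges; the MAC addresses and the topology are constructed sample values.

```python
import heapq

# Recommended path costs from Table 11 (link speed -> cost).
PATH_COST = {"4Mbps": 250, "10Mbps": 100, "16Mbps": 62,
             "100Mbps": 19, "1Gbps": 4, "10Gbps": 2}


def bridge_id(mac):
    """Bridge identifier as an integer, so that MAC addresses compare numerically."""
    return int(mac.replace(":", ""), 16)


def spanning_tree(bridges, links):
    """Compute the loop-free topology for bridges joined by point-to-point links.

    bridges: list of MAC address strings.
    links:   list of (mac_a, mac_b, speed) tuples, speed being a PATH_COST key.
    Returns (root, root_cost, forwarding_links, blocked_links).
    """
    root = min(bridges, key=bridge_id)  # lowest identifier becomes the root bridge
    neighbours = {b: [] for b in bridges}
    for index, (a, b, speed) in enumerate(links):
        cost = PATH_COST[speed]
        neighbours[a].append((b, cost, index))
        neighbours[b].append((a, cost, index))

    # Shortest-path search from the root. The first time a bridge is reached,
    # the link used is the one attached to its root port. Ties on cost are
    # broken in favour of the upstream bridge with the lower identifier.
    root_cost = {}
    root_port_link = {}
    queue = [(0, 0, root, -1)]
    while queue:
        cost, _, bridge, via = heapq.heappop(queue)
        if bridge in root_cost:
            continue
        root_cost[bridge] = cost
        if via >= 0:
            root_port_link[bridge] = via
        for nbr, link_cost, index in neighbours[bridge]:
            if nbr not in root_cost:
                heapq.heappush(queue, (cost + link_cost, bridge_id(bridge), nbr, index))

    unreachable = set(bridges) - set(root_cost)
    if unreachable:
        raise ValueError(f"bridges not connected to the root: {sorted(unreachable)}")

    # A link carries traffic only if it is the root-port link of one endpoint;
    # on every other link one end stays blocked, which is what breaks the loop.
    used = set(root_port_link.values())
    forwarding = [links[i] for i in sorted(used)]
    blocked = [link for i, link in enumerate(links) if i not in used]
    return root, root_cost, forwarding, blocked


# Constructed sample: three bridges wired in a triangle (a loop).
SAMPLE_BRIDGES = ["00:a0:c5:00:00:03", "00:a0:c5:00:00:01", "00:a0:c5:00:00:02"]
SAMPLE_LINKS = [
    ("00:a0:c5:00:00:01", "00:a0:c5:00:00:02", "10Mbps"),
    ("00:a0:c5:00:00:01", "00:a0:c5:00:00:03", "1Gbps"),
    ("00:a0:c5:00:00:03", "00:a0:c5:00:00:02", "1Gbps"),
]

if __name__ == "__main__":
    root, cost, forwarding, blocked = spanning_tree(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root bridge:", root)
    print("root path costs:", cost)
    print("blocked:", blocked)
    # Topology change: the 1 Gbps link to the root fails, so the tree is rebuilt
    # and the previously blocked 10 Mbps link takes over as the backup path.
    survivors = [link for link in SAMPLE_LINKS if link != SAMPLE_LINKS[1]]
    print("after failure:", spanning_tree(SAMPLE_BRIDGES, survivors)[2])
```

In the sample, bridge ...:02 reaches the root through two 1 Gbps hops (cost 8) instead of its direct 10 Mbps link (cost 100), so the direct link is the one that gets blocked.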
5.3.4 STP Port States
STP assigns five port states (see next table) to eliminate packet looping. A bridge port is not
allowed to go directly from blocking state to forwarding state so as to eliminate transient
loops.
Table 12 STP Port States
PORT STATES | DESCRIPTIONS
Disabled | STP is disabled (default).
Blocking | Only configuration and management BPDUs are received and processed.
Listening | All BPDUs are received and processed.
Learning | All BPDUs are received and processed. Information frames are submitted to the learning process but not forwarded.
Forwarding | All BPDUs are received and processed. All information frames are received and forwarded.
5.4 WEP Encryption
WEP encryption scrambles the data transmitted between the wireless stations and the access
points to keep network communications private. It encrypts unicast and multicast
communications in a network. Both the wireless stations and the access points must use the
same WEP key.
5.5 Configuring the Wireless Screen
Click the WIRELESS link under ADVANCED to display the Wireless screen. The screen
varies depending upon the operating mode you select.
5.5.1 Access Point Mode
Select Access Point in the Operating Mode drop-down list box to display the screen as
shown next.
Figure 20 Wireless: Access Point
The following table describes the general wireless LAN labels in this screen.
Table 13 Wireless: Access Point
LABEL | DESCRIPTION
WLAN Adapter | Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.
Operating Mode | Select the operating mode from the drop-down list. The options are Access Point, Bridge/Repeater and AP+Bridge.
Name (SSID) | (Service Set IDentity) The SSID identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. Note: If you are configuring the ZyAIR from a computer connected to the wireless LAN and you change the ZyAIR’s SSID or WEP settings, you will lose your wireless connection when you click Apply to confirm. You must then change the wireless settings of your computer to match the ZyAIR’s new settings.
Hide Name (SSID) | Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through passive scanning using a site survey tool.
Choose Channel ID | Set the operating frequency/channel depending on your particular region. To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network. To have the ZyAIR automatically select a channel, click Scan instead.
Scan | Click this button to have the ZyAIR automatically scan for and select a channel with the least interference.
RTS/CTS Threshold | (Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to zero turns on the RTS/CTS handshake. Enter a value between 0 and 2432.
Fragmentation Threshold | The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Enter a value between 800 and 2432.
WEP Encryption | WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network. Select Disable to allow wireless stations to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to enable data encryption.
Authentication Method | If you use WEP encryption, select Auto, Open System or Shared Key from the drop-down list box.
Key 1 to Key 4 | If you chose 64-bit WEP in the WEP Encryption field, then enter any 5 characters (ASCII string) or 10 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. If you chose 128-bit WEP in the WEP Encryption field, then enter 13 characters (ASCII string) or 26 hexadecimal characters ("0-9", "A-F") preceded by 0x for each key. There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless stations. The preceding “0x” is entered automatically. You must configure all four keys, but only one key can be activated at any one time. The default key is key 1.
Enable Intra-BSS Traffic | Intra-BSS traffic is traffic between wireless stations in the same BSS. Enable Intra-BSS traffic to allow wireless stations connected to the ZyAIR to communicate with each other. Disable Intra-BSS traffic to only allow wireless stations to communicate with the wired network, not with each other.
Enable Spanning Tree Protocol (STP) | (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other (R)STP-compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select the check box to activate STP on the ZyAIR.
Output Power | Set the output power of the ZyAIR in this field. If there is a high density of APs within an area, decrease the output power of the ZyAIR to reduce interference with other APs. The options are 100% (Full Power), 50%, 25% or 12.5%. The power output at full power is 18 ± 2 dBm.
Preamble | Preamble is used to signal that data is coming to the receiver. Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11b compliant wireless adapters support long preamble, but not all support short preamble. Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks. Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications. Select Dynamic to have the ZyAIR automatically use short preamble when all wireless clients support it, otherwise the ZyAIR uses long preamble. Note: The ZyAIR and the wireless stations MUST use the same preamble mode in order to communicate.
802.11 Mode | Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyAIR. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyAIR. Select Mixed to allow either IEEE 802.11b or IEEE 802.11g compliant WLAN devices to associate with the ZyAIR. The transmission rate of your ZyAIR might be reduced.
Max. Frame Burst | Enable Maximum Frame Burst to help eliminate collisions in mixed-mode networks (networks with both IEEE 802.11g and IEEE 802.11b traffic) and enhance the performance of both pure IEEE 802.11g and mixed IEEE 802.11b/g networks. Maximum Frame Burst sets the maximum time, in microseconds, that the ZyAIR transmits IEEE 802.11g wireless traffic only. Type the maximum frame burst between 0 and 1800 (650, 1000 or 1800 recommended). Enter 0 to disable this feature.
VLAN ID | The ZyAIR supports IEEE 802.1 tagged VLAN for partitioning a physical network into multiple logical networks. Enter a number from 1 to 4094 to set the VLAN ID tag that the ZyAIR adds to the Ethernet frames that this WLAN adapter receives from wireless clients or other APs. Use the VLAN screen to enable or disable the ZyAIR’s VLAN feature.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
5.5.2 Bridge/Repeater Mode
The ZyAIR can act as a wireless network bridge and establish wireless links with other APs.
You need to know the MAC address of the peer device, which also must be in bridge mode.
In the example below, when both ZyAIRs are in Bridge/Repeater mode, they form a WDS
(Wireless Distribution System) allowing the computers in LAN 1 to connect to the computers
in LAN 2.
Figure 21 Bridging Example
Be careful to avoid bridge loops when you enable bridging in the ZyAIR. Bridge loops cause
broadcast traffic to circle the network endlessly, resulting in possible throughput degradation
and disruption of communications. The following examples show two network topologies that
can lead to this problem:
If two or more ZyAIRs (in bridge mode) are connected to the same hub as shown next.
Figure 22 Bridge Loop: Two Bridges Connected to Hub
If your ZyAIR (in bridge mode) is connected to a wired LAN while communicating with
another wireless bridge that is also connected to the same wired LAN as shown next.
Figure 23 Bridge Loop: Bridge Connected to Wired LAN
To prevent bridge loops, ensure that you enable STP in the Wireless screen or that your ZyAIR is
not set to bridge mode while connected to both wired and wireless segments of the same LAN.
Click the WIRELESS link under ADVANCED. Select Bridge/Repeater in the Operating Mode drop-down list box to have the ZyAIR act as a wireless bridge only.
Figure 24 Wireless: Bridge/Repeater
The following table describes the labels in this screen that are specific to bridge/repeater
mode.
Table 14 Wireless: Bridge/Repeater
LABEL | DESCRIPTIONS
WLAN Adapter | Select which WLAN adapter you want to configure. It is recommended that you configure the first WLAN adapter for AP functions and use the second WLAN adapter for bridge functions.
Operating Mode | Select Bridge/Repeater in this field to display the screen shown above.
Enable WDS Security | A Wireless Distribution System (WDS) is a wireless connection between two or more APs. Select the check box to use TKIP to encrypt traffic on the WDS between APs. When you enable WDS security, type a Pre-Shared Key (PSK) for each link. Note: Other APs must use the same encryption method in order to communicate with the ZyAIR when you enable WDS security.
# | This is the index number of the bridge connection.
Active | Select the check box to enable the bridge connection. Otherwise, clear the check box to disable it.
Remote Bridge MAC Address | Type the MAC address of the peer device in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
PSK | Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). When the ZyAIR is in Bridge/Repeater mode, you don’t have to enter a pre-shared key, but the traffic between devices won’t be encrypted if you don’t. The peer bridge must use the same pre-shared key and encryption method.
Enable Spanning Tree Protocol (STP) | Select the check box to activate STP on the ZyAIR.
5.5.3 AP+Bridge Mode
Click the WIRELESS link under ADVANCED. Select AP+Bridge in the Operating Mode
drop-down list box to display the screen as shown next. In this screen, you can configure the
ZyAIR to function as an AP and bridge simultaneously. See the section on ZyAIR applications
for more information.
Figure 25 Wireless: AP+Bridge
See Table 13 on page 60 and Table 14 on page 64 (the field descriptions for the Access Point
and Bridge/Repeater operating modes) for descriptions of the fields in this screen.
When you enable WEP encryption, you can also specify MAC addresses and pre-shared keys
of peer bridges in order to use TKIP (see Appendix F on page 221 for more on TKIP) to
encrypt traffic between the bridges.
Note: The following screens are configurable only in Access Point and AP+Bridge
operating modes.
5.6 Configuring MAC Filters
The MAC filter screen allows you to configure the ZyAIR to give exclusive access to up to 32
devices (Allow Association) or exclude up to 32 devices from accessing the ZyAIR (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address. The
MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for
example, 00:A0:C5:00:00:02. You need to know the MAC address of the devices to configure
this screen.
To change your ZyAIR’s MAC filter settings, click the WIRELESS link under ADVANCED
and then the MAC Filter tab. The screen appears as shown.
Note: Be careful not to list your computer’s MAC address and set the Action field to
Deny Association when managing the ZyAIR via a wireless connection. This
would lock you out.
Figure 26 MAC Address Filter
The following table describes the labels in this screen.
Table 15 MAC Address Filter
LABEL | DESCRIPTION
WLAN Adapter | Select the WLAN adapter for which you want to configure MAC address filtering.
Active | Select Yes from the drop down list box to enable MAC address filtering.
Filter Action | Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the router. Select Allow Association to permit access to the router; MAC addresses not listed will be denied access to the router.
MAC Address | Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless stations that are allowed or denied access to the ZyAIR in these address fields.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
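The Allow Association / Deny Association semantics and the lock-out warning above can be checked before a change is applied. The following Python sketch is an added example, not ZyXEL code: it models the filter as described in Table 15 and reports which known stations, including the administrator's own computer, would lose access under a proposed list. The class and function names, the "allow"/"deny" keywords and all MAC addresses are constructed for illustration.

```python
import re

MAX_ENTRIES = 32  # the MAC Filter screen accepts up to 32 devices


def normalize_mac(text):
    """Return a MAC address as lower-case XX:XX:XX:XX:XX:XX, whatever separator was typed."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacFilter:
    """Model of the MAC Filter screen: Active, Filter Action and the address list."""

    def __init__(self, active, action, addresses):
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        self.active = active
        self.action = action
        self.addresses = {normalize_mac(a) for a in addresses}
        if len(self.addresses) > MAX_ENTRIES:
            raise ValueError(f"more than {MAX_ENTRIES} addresses listed")

    def permits(self, mac):
        """True if a station with this MAC address may associate."""
        if not self.active:
            return True  # filtering disabled: every station may associate
        listed = normalize_mac(mac) in self.addresses
        # Allow Association: only listed stations get in.
        # Deny Association: everything except listed stations gets in.
        return listed if self.action == "allow" else not listed


def review_change(proposed, admin_mac, known_stations):
    """Pre-apply review of a proposed filter against stations known to be in use."""
    losing = sorted(normalize_mac(m) for m in known_stations if not proposed.permits(m))
    return {
        "admin_locked_out": not proposed.permits(admin_mac),
        "stations_losing_access": losing,
    }


# Constructed sample data: the administrator's laptop and two other stations.
ADMIN = "00:A0:C5:00:00:10"
STATIONS = [ADMIN, "00-a0-c5-00-00-02", "00a0.c500.0003"]

if __name__ == "__main__":
    # Deny list that accidentally contains the administrator's own adapter.
    print(review_change(MacFilter(True, "deny", ["00:a0:c5:00:00:10"]), ADMIN, STATIONS))
    # Allow list that forgets the administrator: the same lock-out, reached differently.
    print(review_change(MacFilter(True, "allow", ["00:A0:C5:00:00:02"]), ADMIN, STATIONS))
```

An Allow Association list with no entries denies every station, so the same review catches an empty list saved by mistake.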
5.7 Configuring Roaming
A wireless station is a device with an IEEE 802.11b or an IEEE 802.11g compliant wireless
interface. An access point (AP) acts as a bridge between the wireless and wired networks. An
AP creates its own wireless coverage area. A wireless station can associate with a particular
access point only if it is within the access point’s coverage area.
In a network environment with multiple access points, wireless stations are able to switch from
one access point to another as they move between the coverage areas. This is roaming. As the
wireless station moves from place to place, it is responsible for choosing the most appropriate
access point depending on the signal strength, network utilization or other factors.
The roaming feature on the access points allows the access points to relay information about
the wireless stations to each other. When a wireless station moves from a coverage area to
another, it scans and uses the channel of a new access point, which then informs the access
points on the LAN about the change. The new information is then propagated to the other
access points on the LAN. An example is shown in Figure 27 on page 70.
With roaming, a wireless LAN mobile user enjoys a continuous connection to the wired
network through an access point while moving around the wireless LAN.
Enable roaming to exchange the latest bridge information of all wireless stations between APs
when a wireless station moves between coverage areas. Wireless stations can still associate
with other APs even if you disable roaming. Enabling roaming ensures correct traffic
forwarding (bridge tables are updated) and maximum AP efficiency. The AP deletes records
of wireless stations that associate with other APs (Non-ZyXEL APs may not be able to
perform this). IEEE 802.1x authentication information is not exchanged (at the time of
writing).
Figure 27 Roaming Example
The steps below describe the roaming process.
1 As wireless station Y moves from the coverage area of access point AP 1 to that of access
point AP 2, it scans and uses the signal of access point AP 2.
2 Access point AP 2 acknowledges the presence of wireless station Y and relays this
information to access point AP 1 through the wired LAN.
3 Access point AP 1 updates the new position of wireless station.
4 Wireless station Y sends a request to access point AP 2 for reauthentication.
5.7.1 Requirements for Roaming
The following requirements must be met in order for wireless stations to roam between the
coverage areas.
1 All the access points must be on the same subnet and configured with the same SSID.
2 If IEEE 802.1x user authentication is enabled and to be done locally on the access point,
the new access point must have the user profile for the wireless station.
3 The adjacent access points should use different radio channels when their coverage areas
overlap.
4 All access points must use the same port number to relay roaming information.
5 The access points must be connected to the Ethernet and be able to get IP addresses from
a DHCP server if using dynamic IP address assignment.
To enable roaming on your ZyAIR, click the WIRELESS link under ADVANCED and then
the Roaming tab. The screen appears as shown.
Figure 28 Roaming
The following table describes the labels in this screen.
Table 16 Roaming
LABEL | DESCRIPTION
Active | Select Yes from the drop-down list box to enable roaming on the ZyAIR if you have two or more APs on the same subnet. Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming.
Port | Enter the port number to communicate roaming information between access points. The port number must be the same on all access points. The default is 3517. Make sure this port is not used by other services.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
5.8 Introduction to WPA
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences
between WPA and WEP are user authentication and improved data encryption.
5.9 WPA-PSK Application Example
A WPA-PSK application looks as follows.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key
(PSK) must consist of between 8 and 63 ASCII characters (including spaces and
symbols).
2 The AP checks each client’s password and (only) allows it to join the network if it
matches its password.
3 The AP derives and distributes keys to the wireless clients.
4 The AP and wireless clients use the TKIP encryption process to encrypt data exchanged
between them.
Figure 29 WPA - PSK Authentication
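The steps above can be followed in code to see that the pre-shared key itself never crosses the air. The following Python sketch is an added example, not ZyXEL code: it uses the key derivation defined in IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt for the master key, then the 802.11i PRF for the session keys), which this guide does not spell out, and simulates both sides of the check in step 2. The MAC addresses, the message body and the function names are constructed; a real handshake signs an EAPOL-Key frame instead.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase, ssid):
    """Map a WPA-PSK passphrase to the 256-bit master key (IEEE 802.11i key mapping)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pre-shared key must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("pre-shared key must be printable ASCII")
    salt = ssid.encode("ascii")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 characters")
    # The SSID is the salt: the same passphrase on another SSID gives another key.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Per-session key block (512 bits for TKIP) from the master key, MACs and nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def handshake_accepts(ap_passphrase, client_passphrase, ssid):
    """Simulate step 2: the AP admits the client only if both hold the same key."""
    ap_mac = bytes.fromhex("00a0c5000002")    # constructed AP address
    sta_mac = bytes.fromhex("00a0c5000099")   # constructed client address
    anonce, snonce = os.urandom(32), os.urandom(32)  # fresh random values per session

    # Client side: derive the session keys and sign a message with the first
    # 16 bytes (the key confirmation key). Only the signature is transmitted.
    client_ptk = derive_ptk(derive_pmk(client_passphrase, ssid),
                            ap_mac, sta_mac, anonce, snonce)
    message = b"constructed handshake message 2" + snonce
    mic = hmac.new(client_ptk[:16], message, hashlib.md5).digest()

    # AP side: derive the same keys from its own configured passphrase and
    # recompute the signature. A mismatch means the passphrases differ.
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid),
                        ap_mac, sta_mac, anonce, snonce)
    expected = hmac.new(ap_ptk[:16], message, hashlib.md5).digest()
    return hmac.compare_digest(mic, expected)


if __name__ == "__main__":
    print(handshake_accepts("correct horse 42", "correct horse 42", "Office-AP"))  # True
    print(handshake_accepts("correct horse 42", "correct horse 43", "Office-AP"))  # False
```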
5.10 WPA with RADIUS Application Example
This example is for using WPA with an external RADIUS server. You need the IP address of
the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA
application example with an external RADIUS server looks as follows. “A” is the RADIUS
server. “DS” is the distribution system.
1 The AP passes the wireless client’s authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants
or denies network access accordingly.
3 The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then
sets up a key hierarchy and management system, using the pair-wise key to dynamically
generate unique data encryption keys to encrypt every data packet that is wirelessly
communicated between the AP and the wireless clients.
Figure 30 WPA with RADIUS Application Example
5.11 Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the
wireless client how to use WPA. At the time of writing, the most widely available supplicants
are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data
Communications' AEGIS client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in
"Zero Configuration" wireless client. However, you must run Windows XP to use it.
Funk Software's Odyssey client is bundled free (at the time of writing) with some of
ZyXEL’s client wireless adapter(s).
5.12 Configuring 802.1x and WPA
To change your ZyAIR’s authentication settings, click the WIRELESS link under
ADVANCED and then the 802.1x/WPA tab. The screen varies by the key management
protocol you select. The WPA function is not available on all ZyAIR models.
You see the next screen when you select No Access Allowed or No Authentication Required
in the Wireless Port Control field.
Figure 31 Wireless LAN: 802.1x/WPA
The following table describes the labels in this screen.
Table 17 Wireless LAN: 802.1x/WPA
LABEL | DESCRIPTION
Wireless Port Control | To control wireless stations access to the wired network, select a control method from the drop-down list box. Choose from No Access Allowed, No Authentication Required and Authentication Required. No Access Allowed blocks all wireless stations access to the wired network. No Authentication Required allows all wireless stations access to the wired network without entering usernames and passwords. This is the default setting. Authentication Required means that all wireless stations have to enter usernames and passwords before access to the wired network is allowed. Select Authentication Required to configure Key Management Protocol and other related fields.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
5.13 Authentication Required: 802.1x
Select Authentication Required in the Wireless Port Control field and 802.1x in the Key
Management Protocol field to display the next screen.
Figure 32 Wireless LAN: 802.1x/WPA for 802.1x Protocol
The following table describes the labels in this screen.
Table 18 Wireless LAN: 802.1x/WPA for 802.1x Protocol
LABEL | DESCRIPTION
Wireless Port Control | To control wireless stations access to the wired network, select a control method from the drop-down list box. Choose from No Authentication Required, Authentication Required and No Access Allowed. No Authentication Required allows all wireless stations access to the wired network without entering usernames and passwords. This is the default setting. Authentication Required means that all wireless stations have to enter usernames and passwords before access to the wired network is allowed. No Access Allowed blocks all wireless stations access to the wired network.
The following fields are only available when you select Authentication Required.
ReAuthentication Timer (In Seconds) | Specify how often wireless stations have to reenter usernames and passwords in order to stay connected. This field is activated only when you select Authentication Required in the Wireless Port Control field. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout (In Seconds) | The ZyAIR automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. This field is activated only when you select Authentication Required in the Wireless Port Control field. The default time interval is 3600 seconds (or 1 hour).
Key Management Protocol | Choose 802.1x from the drop-down list. This field is activated only when you select Authentication Required in the Wireless Port Control field.
Dynamic WEP Key Exchange | Select Disable to allow wireless stations to communicate with the access points without using dynamic WEP key exchange. Select 64-bit WEP or 128-bit WEP to enable data encryption. This field is not available when you set Key Management Protocol to WPA or WPA-PSK.
Authentication Databases | The authentication database contains wireless station login information.
Internal RADIUS Server | Select this radio button to use the ZyAIR’s Internal RADIUS Server. Select the MD5 radio button to use this EAP authentication type to authenticate other APs or wireless clients in other wireless networks. Select the PEAP radio button to use this EAP authentication type to authenticate other APs or wireless clients in other wireless networks. Use the drop-down list box to select Disable, 64-bit WEP or 128-bit WEP for Dynamic WEP Exchange. Note: MD5 cannot be used with Dynamic WEP Key Exchange.
External RADIUS Server | Select the radio button to use an external radius server to authenticate the ZyAIR’s wireless clients. Configure the server(s) details in the following fields.
Table 18 Wireless LAN: 802.1x/WPA for 802.1x Protocol (continued)
LABEL | DESCRIPTION
Authentication Server / Alternate | The ZyAIR will make three attempts to authenticate wireless users using the authentication server before attempting to use the alternate authentication server. Requests can be issued from the client interface to use the alternate authentication server. The length of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field. Note: You can use the command line interface to configure the ZyAIR to use up to four alternate authentication servers.
Active | Select Active to enable user authentication through this external authentication server. Clear the Active check box to not perform user authentication through this external authentication server.
Server IP Address | Enter the IP address of the external authentication server in dotted decimal notation.
Port Number | Enter the port number of the external authentication server. The default port number is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Shared Secret | Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyAIR. The key must be the same on the external authentication server and your ZyAIR. The key is not sent over the network.
Accounting Server / Alternate | The ZyAIR will make three attempts to communicate with the accounting server before attempting to use the alternate accounting server. Note: You can use the command line interface to configure the ZyAIR to use up to four alternate accounting servers.
Active | Select Active to enable user accounting through this external accounting server. Clear the Active check box to not perform user accounting through this external accounting server.
Server IP Address | Enter the IP address of the external accounting server in dotted decimal notation.
Port Number | Enter the port number of the external accounting server. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
Shared Secret | Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyAIR. The key must be the same on the external accounting server and your ZyAIR. The key is not sent over the network.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
Note: If you enable the ZyAIR’s internal RADIUS server, configure trusted user
accounts in the AUTH SERVER Trusted Users screen.
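Why the Shared Secret in Table 18 never has to cross the network, as an added example that is not taken from this guide or from ZyXEL code: a RADIUS reply carries a Response Authenticator, an MD5 digest over the reply, the request's authenticator and the secret (RFC 2865), which the AP recomputes with its own copy of the secret. The function names, the sample secret and the Reply-Message text are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
HEADER_LEN = 20    # code (1) + identifier (1) + length (2) + authenticator (16)
SECRET_MAX = 31    # shared secret length limit stated in this guide


def secret_is_valid(secret):
    """Apply the field rule from the table: 1 to 31 alphanumeric characters."""
    return 0 < len(secret) <= SECRET_MAX and secret.isascii() and secret.isalnum()


def build_packet(code, ident, authenticator, attributes=b""):
    """Serialize a RADIUS packet: header, 16-byte authenticator, attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return header + authenticator + attributes


def reply_message(text):
    """Encode a Reply-Message attribute (type 18) as type, length, value."""
    value = text.encode("ascii")
    return bytes([18, 2 + len(value)]) + value


def response_authenticator(code, ident, attributes, request_auth, secret):
    """MD5 over the reply header, the request's authenticator, attributes, secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def server_reply(request, code, attributes, secret):
    """What the RADIUS server sends back for a given request."""
    ident, request_auth = request[1], request[4:HEADER_LEN]
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return build_packet(code, ident, auth, attributes)


def reply_is_authentic(request, reply, secret):
    """AP-side check: was this reply produced by a holder of the shared secret?"""
    if len(reply) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < HEADER_LEN or length > len(reply) or ident != request[1]:
        return False
    reply = reply[:length]                  # ignore padding past the stated length
    expected = response_authenticator(code, ident, reply[HEADER_LEN:],
                                      request[4:HEADER_LEN], secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"Example31CharSecret0123456789ab"      # constructed sample secret
    request = build_packet(ACCESS_REQUEST, 7, os.urandom(16))
    reply = server_reply(request, ACCESS_ACCEPT, reply_message("welcome"), secret)
    print("secret on the wire:", secret in request + reply)
    print("same secret:", reply_is_authentic(request, reply, secret))
    print("mismatched secret:", reply_is_authentic(request, reply, b"OtherSecret"))
```

Because the secret is the only keying material in this check, a mismatch between the ZyAIR and the server shows up as replies that fail verification rather than as an explicit error about the secret.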
5.14 Authentication Required: WPA
Select Authentication Required in the Wireless Port Control field and WPA in the Key
Management Protocol field to display the next screen.
Figure 33 Wireless LAN: 802.1x/WPA for WPA Protocol
The following table describes the labels not previously discussed.
Table 19 Wireless LAN: 802.1x/WPA for WPA Protocol
LABEL | DESCRIPTION
Key Management Protocol | Choose WPA in this field.
WPA Mixed Mode | The ZyAIR can operate in WPA Mixed Mode, which supports both clients running WPA and clients running dynamic WEP key exchange with IEEE 802.1x in the same Wi-Fi network. Select Enable to activate WPA mixed mode. Otherwise, select Disable.
WPA Group Key Update Timer | The WPA Group Key Update Timer is the rate at which the AP (if using WPA-PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the WPA Group Key Update Timer is also supported in WPA-PSK mode. The ZyAIR default is 1800 seconds (30 minutes).
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
5.15 Authentication Required: WPA-PSK
Select Authentication Required in the Wireless Port Control field and WPA-PSK in the
Key Management Protocol field to display the next screen.
Figure 34 Wireless LAN: 802.1x/WPA for WPA-PSK Protocol
The following table describes the labels not previously discussed.
Table 20 Wireless LAN: 802.1x/WPA for WPA-PSK Protocol
LABEL | DESCRIPTION
Key Management Protocol | Choose WPA-PSK in this field.
Pre-Shared Key | The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
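How the 8 to 63 character pre-shared key of sections 5.9 and 5.15 turns into key material, as an added example that is not taken from this guide: the length and ASCII check mirrors the rule in Table 20, while the PBKDF2-HMAC-SHA1 mapping (4096 rounds, SSID as salt) comes from IEEE 802.11i and is not a detail this guide states. The function names and the sample SSID are assumptions, and comparing derived keys only models step 2 of section 5.9.

```python
import hashlib
import hmac

PSK_MIN, PSK_MAX = 8, 63   # passphrase length limits stated in this guide
PBKDF2_ROUNDS = 4096       # iteration count fixed by IEEE 802.11i
PMK_BYTES = 32             # the derived key is 256 bits


def passphrase_problems(passphrase):
    """Return the reasons a WPA-PSK passphrase would be rejected (empty = valid)."""
    problems = []
    if not PSK_MIN <= len(passphrase) <= PSK_MAX:
        problems.append("length %d is outside %d-%d"
                        % (len(passphrase), PSK_MIN, PSK_MAX))
    # Printable ASCII runs from 0x20 (space) to 0x7E (~): spaces and symbols pass.
    bad = sorted({c for c in passphrase if not 0x20 <= ord(c) <= 0x7E})
    if bad:
        problems.append("characters outside printable ASCII: %r" % bad)
    return problems


def derive_key(passphrase, ssid):
    """Map a passphrase to the 256-bit key, salted with the network's SSID."""
    problems = passphrase_problems(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_BYTES)


def client_can_join(ap_passphrase, client_passphrase, ssid):
    """Model of the match in section 5.9: both sides must hold the same key."""
    return hmac.compare_digest(derive_key(ap_passphrase, ssid),
                               derive_key(client_passphrase, ssid))


if __name__ == "__main__":
    ssid = "ExampleNet"                                   # constructed sample SSID
    for candidate in ("short", "eight ch", "p\u00e4ssword123", "x" * 64):
        print(repr(candidate[:20]), passphrase_problems(candidate) or "ok")
    # The key is case-sensitive: one changed letter yields an unrelated key.
    print(client_can_join("Correct Horse 1", "correct horse 1", ssid))
    # The SSID is the salt, so the same passphrase gives each network its own key.
    print(derive_key("Correct Horse 1", "ExampleNet").hex())
    print(derive_key("Correct Horse 1", "ExampleNet2").hex())
```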
CHAPTER 6
Internal RADIUS Server
The ZyAIR can use its internal RADIUS server to authenticate wireless clients. It can also
serve as a RADIUS server to authenticate other APs and their wireless clients. For more
background information on RADIUS, see the Introduction to RADIUS section.
6.1 Internal RADIUS Overview
The ZyAIR has a built-in RADIUS server that can authenticate wireless clients or other APs
(that are configured as trusted APs).
The ZyAIR can function as an AP and as a RADIUS server at the same time.
PEAP (Protected EAP) and MD5 authentication are implemented on the internal RADIUS
server using simple username and password methods over a secure TLS connection. See the
appendices for more information on the types of EAP authentication and the internal RADIUS
authentication method used in your ZyAIR.
Figure 35 ZyAIR Authenticates Wireless Stations
Figure 36 ZyAIR Authenticates Trusted APs
Table 21 Internal RADIUS Server Screens Overview
LABEL | DESCRIPTION
Setting | Use the Setting screen to turn the ZyAIR’s internal RADIUS server off or on and to view information about the ZyAIR’s certificates.
Trusted AP | Use the Trusted AP screen to specify APs as trusted APs so they can use the ZyAIR’s internal RADIUS server to authenticate wireless clients. You can set up to 31 trusted AP’s.
Trusted Users | Use the Trusted Users screen to configure a list of wireless client user names and passwords for the ZyAIR to authenticate. The ZyAIR internal RADIUS server can authenticate up to 32 wireless clients.
6.2 Internal RADIUS Server Setting
The INTERNAL RADIUS SERVER Setting screen displays information about certificates.
The certificates are used by wireless clients to authenticate the RADIUS server. Information
matching the certificate is held on the wireless client’s utility, for example, Funk Software’s
Odyssey client. A password and user name on the utility must match the Trusted Users list so
that the RADIUS server can be authenticated.
Note: The internal RADIUS server does not support domain accounts (DOMAIN/
user). When you configure your Windows XP SP2 Wireless Zero Configuration PEAP/
MS-CHAPv2 settings, deselect the Use Windows logon name and password check
box. When authentication begins, a pop-up dialog box requests you to type a Name,
Password and Domain of the RADIUS server. Specify a name and password only;
do not specify a domain.
Click the AUTH SERVER link under ADVANCED and then the Setting tab. The screen
appears as shown.
Figure 37 Internal RADIUS Server Setting Screen
The following table describes the labels in this screen.
Table 22 My Certificates
LABEL | DESCRIPTION
Active | Select the Active check box to have the ZyAIR use its internal RADIUS server to authenticate wireless clients or other APs.
# | This field displays the certificate index number. The certificates are listed in alphabetical order. Use the CERTIFICATES screens to manage certificates. The internal RADIUS server uses one of the certificates listed in this screen to authenticate each wireless client. The exact certificate used depends on the certificate information configured on the wireless client.
Name | This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. auto_generated_self_signed_cert is the factory default certificate common to all ZyAIR’s that use certificates. Note: ZyXEL recommends that you replace the factory default certificate with one that uses your ZyAIR's MAC address. Do this when you first log in to the ZyAIR or in the CERTIFICATES My Certificates screen.
Type | This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. *SELF represents the default self-signed certificate, which the ZyAIR uses to sign imported trusted remote host certificates. CERT represents a certificate issued by a certification authority.
Subject | This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Table 22 My Certificates (continued)
LABEL | DESCRIPTION
Issuer | This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From | This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To | This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Apply | Click Apply to have the ZyAIR use certificates to authenticate wireless clients.
Reset | Click Reset to start configuring this screen afresh.
6.3 Trusted AP Overview
A trusted AP is an AP that uses the ZyAIR’s internal RADIUS server to authenticate its
wireless clients. Each wireless client must have a user name and password configured in the
Trusted Users screen.
The following figure shows how this is done in two phases.
Figure 38 Trusted AP Overview
Figure labels: ZyAIR RADIUS Server, Trusted AP’s, Wireless clients. You can authenticate a
maximum of 32 wireless clients using the ZyAIR’s RADIUS server, irrespective of the number
of trusted AP’s configured on the ZyAIR.
1 Configure an IP address and shared secret in the Trusted AP database to authenticate an
AP as a trusted AP.
2 Configure wireless client user names and passwords in the Trusted Users database to use
a trusted AP as a relay between the ZyAIR’s internal RADIUS server and the wireless
clients. The wireless clients can then be authenticated by the ZyAIR’s internal RADIUS
server.
6.4 Configuring Trusted AP
To specify APs as trusted APs so they can use the ZyAIR’s internal RADIUS server to
authenticate wireless clients, click the AUTH SERVER link under ADVANCED and then
the Trusted AP tab. The screen appears as shown.
Figure 39 Trusted AP Screen
The following table describes the labels in this screen.
Table 23 Trusted AP
LABEL | DESCRIPTION
# | This field displays the trusted AP index number.
Active | Select this check box to have the ZyAIR use the IP Address and Shared Secret to authenticate a trusted AP.
IP Address | Type the IP address of the trusted AP in dotted decimal notation.
Shared Secret | Enter a password (up to 31 alphanumeric characters, no spaces) as the key for encrypting communications between the AP and the ZyAIR. The key is not sent over the network. This key must be the same on the AP and the ZyAIR. Both the ZyAIR’s IP address and this shared secret must also be configured in the “external RADIUS” server fields of the trusted AP. Note: The first trusted AP fields are for the ZyAIR itself. Use SMT menu 23.2 to configure them.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
6.5 Trusted Users Overview
A trusted user entry consists of a wireless client user name and password.
6.6 Configuring Trusted Users
To configure trusted user entries, click the AUTH SERVER link under ADVANCED and
then the Trusted Users tab. The screen appears as shown.
Figure 40 Trusted Users Screen
The following table describes the labels in this screen.
Table 24 Trusted Users
LABEL | DESCRIPTION
# | This field displays the trusted user index number.
Active | Select this check box to have the ZyAIR authenticate wireless clients with the same user name and password activated on their wireless utilities.
User Name | Enter the user name for this user account. This name can be up to 31 alphanumeric characters long, including spaces. The wireless client’s utility must use this name as its login name.
Password | Type a password (up to 31 ASCII characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type. The password on the wireless client’s utility must be the same as this password. Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
CHAPTER 7
VLAN
This chapter discusses how to configure VLAN on the ZyAIR.
7.1 VLAN
A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into
multiple logical networks. Stations on a logical network can belong to one or more groups.
Only stations within the same group can talk to each other.
The ZyAIR supports IEEE 802.1q VLAN tagging. Tagged VLAN uses an explicit tag (VLAN
ID) in the MAC header of a frame to identify VLAN membership. The ZyAIR can identify
VLAN tags for incoming Ethernet frames and add VLAN tags to outgoing Ethernet frames.
7.1.1 Management VLAN ID
The management VLAN ID identifies the “management VLAN”. A computer must be a
member of this “management VLAN” in order to access and manage the ZyAIR. If a computer
is not a member of this VLAN, then that device cannot manage the ZyAIR.
If no devices are in the management VLAN, then you will only be able to access the ZyAIR
through the console port (not through the network).
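What the tag described in 7.1 looks like inside a frame, as an added example that is not taken from this guide or from ZyXEL firmware: it inserts and reads the 4-byte IEEE 802.1Q tag (TPID 0x8100, then priority and a 12-bit VLAN ID) and uses the result to model the management VLAN rule of 7.1.1. The function names, the sample frame and the choice to treat untagged frames as outside the management VLAN are assumptions made for the illustration.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
VID_MIN, VID_MAX = 1, 4094   # VLAN ID range this guide accepts
MAC_HEADER = 12              # destination MAC (6 bytes) + source MAC (6 bytes)


def add_tag(frame, vid, priority=0):
    """Insert an 802.1Q tag after the MAC addresses of an untagged frame."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError("VLAN ID %d is outside %d-%d" % (vid, VID_MIN, VID_MAX))
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0-7")
    if len(frame) < MAC_HEADER + 2:
        raise ValueError("frame is too short to be Ethernet")
    tci = (priority << 13) | vid          # 3 bits priority, 1 bit DEI (0), 12 bits VID
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:MAC_HEADER] + tag + frame[MAC_HEADER:]


def read_tag(frame):
    """Return (vid, priority, inner EtherType), or None for an untagged frame."""
    if len(frame) < MAC_HEADER + 2:
        raise ValueError("frame is too short to be Ethernet")
    (ethertype,) = struct.unpack("!H", frame[MAC_HEADER:MAC_HEADER + 2])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < MAC_HEADER + 6:
        raise ValueError("frame ends inside the 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[MAC_HEADER + 2:MAC_HEADER + 6])
    return tci & 0x0FFF, tci >> 13, inner


def may_manage(frame, management_vid):
    """Model of 7.1.1: only frames tagged with the management VLAN ID qualify.

    Assumption: an untagged frame is treated as not belonging to the VLAN.
    """
    tag = read_tag(frame)
    return tag is not None and tag[0] == management_vid


def sample_frame():
    """Constructed untagged IPv4 frame with a placeholder payload."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    untagged = sample_frame()
    tagged = add_tag(untagged, vid=10, priority=5)
    print("tag:", read_tag(tagged))                      # (10, 5, 2048)
    print("management VLAN 10:", may_manage(tagged, 10))
    print("management VLAN 20:", may_manage(tagged, 20))
    print("untagged frame:", may_manage(untagged, 10))
```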
7.2 Configuring VLAN
Click ADVANCED and then VLAN. The screen appears as shown next.
Figure 41 VLAN
The following table describes the labels in this screen.
Table 25 VLAN
LABEL | DESCRIPTION
Enable VLAN Tagging | Select this check box to turn on VLAN tagging. Use the Wireless screen to set the VLAN ID tag that the ZyAIR adds to the Ethernet frames that a WLAN adapter receives from wireless clients or APs.
Management VLAN ID | Enter a number from 1 to 4094 to define this VLAN group. Your management computer must belong to this VLAN group in order to manage the ZyAIR. This can be done in the following ways:
• The management computer could be a wireless client of the ZyAIR if the ZyAIR’s WLAN adapter is set to add the management VLAN ID tag to Ethernet frames received from wireless clients.
• The management computer could be on the wired network, behind a VLAN-aware switch that is configured to add the management VLAN ID tag to Ethernet frames from the computer before sending them to ZyAIR.
Note: Mail and FTP servers must have the same management VLAN ID to communicate with the ZyAIR.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
CHAPTER 8
IP Screen
This chapter discusses how to configure IP on the ZyAIR.
8.1 Factory Ethernet Defaults
The Ethernet parameters of the ZyAIR are preset in the factory with the following values:
1 IP address of 192.168.1.2
2 Subnet mask of 255.255.255.0 (24 bits)
These parameters should work for the majority of installations.
8.2 IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, so too do computers on a
LAN share one common network number.
Where you obtain your network number depends on your particular situation. If the ISP or
your network administrator assigns you a block of registered IP addresses, follow their
instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single
user account and the ISP will assign you a dynamic IP address when the connection is
established. The Internet Assigned Numbers Authority (IANA) reserved this block of addresses
specifically for private use; please do not use any other number unless you are told otherwise.
Let's say you select 192.168.1.0 as the network number, which covers 254 individual
addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the
first three numbers specify the network number while the last number identifies an individual
computer on that network.
Once you have decided on the network number, pick an IP address that is easy to remember,
for instance, 192.168.1.2, for your ZyAIR, but make sure that no other device on your network
is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyAIR will
compute the subnet mask automatically based on the IP address that you entered. You don't
need to change the subnet mask computed by the ZyAIR unless you are instructed to do
otherwise.
8.2.1 IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated
from the Internet, for instance, only between your two branch offices, you can assign any IP
addresses to the hosts without problems. However, the Internet Assigned Numbers Authority
(IANA) has reserved the following three blocks of IP addresses specifically for private
networks.
Table 26 Private IP Address Ranges
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private
network. If you belong to a small organization and your Internet access is through an ISP, the
ISP can provide you with the Internet addresses for your local networks. On the other hand, if
you are part of a much larger organization, you should consult your network administrator for
the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an arbitrary IP address;
always follow the guidelines above. For more information on address assignment,
please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466,
Guidelines for Management of IP Address Space.
8.3 Configuring IP
Click ADVANCED and then IP to display the screen shown next.
Figure 42 IP Setup
The following table describes the labels in this screen.
Table 27 IP Setup
LABEL | DESCRIPTION
IP Address Assignment
Get automatically from DHCP | Select this option to have the ZyAIR use a dynamically assigned IP address from a DHCP server. Note: You must know the IP address assigned to the ZyAIR (by the DHCP server) to access the ZyAIR again.
Use fixed IP address | Select this option if your ZyAIR is using a static IP address. When you select this option, fill in the fields below.
IP Address | Enter the IP address of your ZyAIR in dotted decimal notation. Note: If you change the ZyAIR's IP address, you must use the new IP address if you want to access the web configurator again.
IP Subnet Mask | Type the subnet mask.
Gateway IP Address | Type the IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyAIR. The gateway helps forward packets to their destinations. Leave this field as 0.0.0.0 if you do not know it.
Apply | Click Apply to save your changes back to the ZyAIR.
Reset | Click Reset to begin configuring this screen afresh.
CHAPTER 9
Certificates
This chapter gives background information about public-key certificates and explains how to
use them.
9.1 Certificates Overview
The ZyAIR can use certificates (also called digital IDs) to authenticate users. Certificates are
based on public-private key pairs. A certificate contains the certificate owner’s identity and
public key. Certificates provide a way to exchange public keys for use in authentication.
A Certification Authority (CA) issues certificates and guarantees the identity of each
certificate owner. There are commercial certification authorities like CyberTrust or VeriSign
and government certification authorities. You can use the ZyAIR to generate certification
requests that contain identifying information and public keys and then send the certification
requests to a certification authority.
In public-key encryption and decryption, each host has two keys. One key is public and can be
made openly available; the other key is private and must be kept secure. Public-key encryption
in general works as follows.
1 Tim wants to send a private message to Jenny. Tim generates a public key pair. What is
encrypted with one key can only be decrypted using the other.
2 Tim keeps the private key and makes the public key openly available.
3 Tim uses his private key to encrypt the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to decrypt it.
5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny’s
public key to decrypt the message.
The ZyAIR uses certificates based on public-key cryptology to authenticate users attempting
to establish a connection, not to encrypt the data that you send after establishing a connection.
The method used to secure the data that you send through an established connection depends
on the type of connection.
The certification authority uses its private key to sign certificates. Anyone can then use the
certification authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a
certificate. The ZyAIR does not trust a certificate if any certificate on its path has expired or
been revoked.
9.1.1 Advantages of Certificates
Certificates offer the following benefits.
• The ZyAIR only has to store the certificates of the certification authorities that you decide
to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and
you never need to transmit private keys.
9.2 Self-signed Certificates
Until public-key infrastructure becomes more mature, it may not be available in some areas.
You can have the ZyAIR act as a certification authority and sign its own certificates.
9.3 Configuration Summary
This section summarizes how to manage certificates on the ZyAIR.
Figure 43 Certificate Configuration Overview
Use the My Certificate screens to generate and export self-signed certificates or certification
requests and import the ZyAIR’s CA-signed certificates.
Use the Trusted CA screens to save CA certificates to the ZyAIR.
9.4 My Certificates
Click CERTIFICATES, My Certificates to open the ZyAIR’s summary list of certificates
and certification requests. Certificates display in black and certification requests display in
gray. See the following figure.
Figure 44 My Certificates
The following table describes the labels in this screen.
Table 28 My Certificates
LABEL | DESCRIPTION
PKI Storage Space in Use | This bar displays the percentage of the ZyAIR’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Replace | This button displays when the ZyAIR has the factory default certificate. The factory default certificate is common to all ZyAIRs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyAIR's MAC address.
# | This field displays the certificate index number. The certificates are listed in alphabetical order.
Name | This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Table 28 My Certificates (continued)
LABEL | DESCRIPTION
Type | This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. *SELF represents the default self-signed certificate, which the ZyAIR uses to sign imported trusted remote host certificates. CERT represents a certificate issued by a certification authority.
Subject | This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer | This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From | This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To | This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Details | Select a certificate’s radio button and click Details to open a screen with an in-depth list of information about the certificate.
Create | Click Create to go to the screen where you can have the ZyAIR generate a certificate or a certification request.
Import | Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the ZyAIR.
Delete | Select a certificate’s radio button and click Delete to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features is configured to use. Do the following to delete a certificate that shows *SELF in the Type field. 1. Make sure that no features are configured to use the *SELF certificate. 2. Select the radio button of another self-signed certificate and click Details (see the description on the Create button if you need to create a self-signed certificate). 3. Select the Default self-signed certificate which signs the imported remote host certificates check box. 4. Click Apply to save the changes and return to the My Certificates screen. 5. The certificate that originally showed *SELF displays SELF and you can delete it now. Subsequent certificates move up by one when you take this action.
Refresh | Click Refresh to display the current validity status of the certificates.
9.5 Certificate File Formats
The certification authority certificate that you want to import has to be in one of these file
formats:
• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509
certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII
characters to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including
digital signatures) that may be encrypted. The ZyAIR currently allows the importation of
a PKCS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64
ASCII characters to convert a binary PKCS#7 certificate into a printable form.
9.6 Importing a Certificate
Click CERTIFICATES, My Certificates and then Import to open the My Certificate
Import screen. Follow the instructions in this screen to save an existing certificate to the
ZyAIR. See the following figure.
Note: 1. You can only import a certificate that matches a corresponding certification
request that was generated by the ZyAIR.
Note: 2. The certificate you import replaces the corresponding request in the My
Certificates screen.
Note: 3. You must remove any spaces from the certificate’s filename before you can
import it.
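The following pre-import check is an added example, not part of the ZyAIR firmware or this guide. It classifies a file as one of the four formats listed in section 9.5 from its outer structure and flags the filename restriction in Note 3. It assumes the PEM labels CERTIFICATE and PKCS7 and a PKCS#7 file of the signedData type, and it does not verify signatures or count the certificates inside a PKCS#7 file; the function names and sample bytes are constructed for illustration.

```python
import base64
import re

# DER bytes (tag, length, value) of the PKCS#7 signedData OID 1.2.840.113549.1.7.2
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_BLOCK = re.compile(rb"-----BEGIN (CERTIFICATE|PKCS7)-----(.*?)-----END \1-----", re.S)
# Constructed samples: minimal DER skeletons, not real certificates.
SAMPLE_X509 = bytes.fromhex("300430020500")
SAMPLE_PKCS7 = bytes.fromhex("300b") + PKCS7_SIGNED_DATA_OID
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_X509)
              + b"\n-----END CERTIFICATE-----\n")


def der_kind(data):
    """Classify a DER blob by its outer structure; None if it is neither kind."""
    if len(data) < 2 or data[0] != 0x30:       # both kinds start with a SEQUENCE
        return None
    length, offset = data[1], 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return None
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if offset + length != len(data):           # truncated file or trailing bytes
        return None
    body = data[offset:]
    if body[:1] == b"\x30":                    # Certificate: tbsCertificate SEQUENCE comes first
        return "X.509"
    if body.startswith(PKCS7_SIGNED_DATA_OID): # ContentInfo: contentType OID comes first
        return "PKCS#7"
    return None


def precheck(filename, data):
    """Return (format, problems) for a file about to be imported."""
    problems = ["filename contains spaces"] if " " in filename else []
    match = PEM_BLOCK.search(data)
    try:
        der = base64.b64decode(match.group(2)) if match else data
    except ValueError:                         # broken Base-64 inside the PEM armour
        der = b""
    kind = der_kind(der)
    if kind is None:
        return None, problems + ["not one of the four accepted formats"]
    if match and (match.group(1) == b"CERTIFICATE") != (kind == "X.509"):
        problems.append("PEM label does not match the encoded content")
    return ("PEM (Base-64) encoded " if match else "Binary ") + kind, problems
```
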
Figure 45 My Certificate Import
The following table describes the labels in this screen.
Table 29 My Certificate Import
LABEL | DESCRIPTION
File Path | Type in the location of the file you want to upload in this field or click Browse to find it.
Browse | Click Browse to find the certificate file you want to upload.
Apply | Click Apply to save the certificate on the ZyAIR.
Cancel | Click Cancel to quit and return to the My Certificates screen.
9.7 Creating a Certificate
Click CERTIFICATES, My Certificates and then Create to open the My Certificate
Create screen. Use this screen to have the ZyAIR create a self-signed certificate, enroll a
certificate with a certification authority or generate a certification request. See the following
figure.