ZyXEL Communications ZyAIR B-500 User Manual

Download

ZyAIR B-500

Wireless Access Point

User's Guide

Version 3.50

June 2004

ZyAIR B-500 Wireless Access Point User’s Guide

Copyright

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Disclaimer

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

ii Copyright

ZyAIR B-500 Wireless Access Point User’s Guide

Federal Communications Commission

(FCC) Interference Statement

This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

• This device may not cause harmful interference.

• This device must accept any interference received, including interference that may cause undesired

operations.

This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.

If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

1. Reorient or relocate the receiving antenna.

2. Increase the separation between the equipment and the receiver.

3. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

4. Consult the dealer or an experienced radio/TV technician for help.

Caution

1. To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons.

2. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

Notice 1

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

This product has been designed for the WLAN 2.4 GHz network throughout the EC region and Switzerland, with restrictions in France.

Certifications

1. Go to www.zyxel.com

2. Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.

3. Select the certification you wish to view from this page.

FCC Statement iii

ZyAIR B-500 Wireless Access Point User’s Guide

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.

To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

Safety Warnings

1. To reduce the risk of fire, use only No. 26 AWG or larger telephone wire.

2. Do not use this product near water, for example, in a wet basement or near a swimming pool.

3. Avoid using this product during an electrical storm. There may be a remote risk of electric shock from lightening.

iv ZyXEL Warranty

ZyAIR B-500 Wireless Access Point User’s Guide

Customer Support

Please have the following information ready when you contact customer support.

• Product model and serial number.

• Warranty Information.

• Date that you received your device.

• Brief description of the problem and the steps you took to solve it.

SUPPORT E-MAIL TELEPHONE1 WEB SITE METHOD

LOCATION

WORLDWIDE

AMERICA

SALES E-MAIL FAX1 FTP SITE

support@zyxel.com.tw +886-3-578-3942 www.zyxel.com

www.europe.zyxel.com

sales@zyxel.com.tw

support@zyxel.com +1-800-255-4101

sales@zyxel.com

support@zyxel.de +49-2405-6909-0 www.zyxel.de GERMANY

sales@zyxel.de

support@zyxel.es +34 902 195 420 SPAIN

sales@zyxel.es

support@zyxel.dk +45 39 55 07 00 www.zyxel.dk DENMARK

sales@zyxel.dk

support@zyxel.no +47 22 80 61 80 www.zyxel.no NORWAY

sales@zyxel.no

support@zyxel.se +46 31 744 7700 www.zyxel.se SWEDEN

sales@zyxel.se

+886-3-578-2439 ftp.zyxel.com

ftp.europe.zyxel.com

www.us.zyxel.com NORTH

+1-714-632-0882

+1-714-632-0858 ftp.us.zyxel.com

+49-2405-6909-99

+33 (0)4 72 52 97 97 FRANCE info@zyxel.fr

+33 (0)4 72 52 19 20

+34 913 005 345

+45 39 55 07 07

+47 22 80 61 81

+46 31 744 7701

www.zyxel.fr ZyXEL France

www.zyxel.es

ZyXEL Communications

“+” is the (prefix) number you enter to make an international telephone call.

REGULAR MAIL

ZyXEL Communications Corp. 6 Innovation Road II Science Park Hsinchu 300 Taiwan

ZyXEL Communications Inc. 1130 N. Miller St. Anaheim CA 92806-2001 U.S.A.

ZyXEL Deutschland GmbH. Adenauerstr. 20/A2 D-52146 Wuerselen Germany

1 rue des Vergers Bat. 1 / C 69760 Limonest France

Alejandro Villegas 33 1º, 28043 Madrid Spain

ZyXEL Communications A/S Columbusvej 5 2860 Soeborg Denmark

ZyXEL Communications A/S Nils Hansens vei 13 0667 Oslo Norway

ZyXEL Communications A/S Sjöporten 4, 41764 Göteborg Sweden

Customer Support v

ZyAIR B-500 Wireless Access Point User’s Guide

LOCATION

SUPPORT E-MAIL TELEPHONE1 WEB SITE METHOD

SALES E-MAIL FAX1 FTP SITE

support@zyxel.fi +358-9-4780-8411 www.zyxel.fi FINLAND

sales@zyxel.fi

+358-9-4780 8448

REGULAR MAIL

ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland

vi ZyXEL Warranty

ZyAIR B-500 Wireless Access Point User’s Guide

Copyright.........................................................................................................................................................ii

Federal Communications Commission (FCC) Interference Statement.....................................................iii

ZyXEL Limited Warranty.............................................................................................................................iv

Customer Support........................................................................................................................................... v

List of Figures.................................................................................................................................................xi

List of Tables..................................................................................................................................................xv

Preface..........................................................................................................................................................xvii

OVERVIEW.................................................................................................................................................... I

Chapter 1 Getting to Know Your ZyAIR...................................................................................................1-1

1.1 Introducing the ZyAIR Wireless Access Point ..........................................................................1-1

1.2 ZyAIR Features..........................................................................................................................1-1

1.3 Applications for the ZyAIR........................................................................................................1-4

1.3.1 Internet Access Application ...............................................................................................1-4

1.3.2 Corporation Network Application......................................................................................1-4

Chapter 2 Introducing the Web Configurator...........................................................................................2-1

2.1 Accessing the ZyAIR Web Configurator ...................................................................................2-1

2.2 Resetting the ZyAIR ..................................................................................................................2-2

2.2.1 Method of Restoring Factory-Defaults...............................................................................2-2

2.3 Navigating the ZyAIR Web Configurator..................................................................................2-3

Chapter 3 Wizard Setup ..............................................................................................................................3-1

3.1 Wizard Setup Overview .............................................................................................................3-1

3.1.1 Channel ..............................................................................................................................3-1

3.1.2 ESS ID................................................................................................................................3-1

3.1.3 WEP Encryption.................................................................................................................3-1

3.2 Wizard Setup: General Setup.....................................................................................................3-2

3.3 Wizard Setup: Wireless LAN.....................................................................................................3-3

3.4 Wizard Setup: IP Address ..........................................................................................................3-4

3.4.1 IP Address Assignment ......................................................................................................3-5

3.4.2 IP Address and Subnet Mask..............................................................................................3-5

3.5 Basic Setup Complete ................................................................................................................3-7

SYSTEM, WIRELESS AND IP ....................................................................................................................II

Chapter 4 System Screens ...........................................................................................................................4-1

4.1 System Overview .......................................................................................................................4-1

4.2 Configuring General Setup.........................................................................................................4-1

4.3 Configuring Password................................................................................................................4-2

4.4 Configuring Time Setting...........................................................................................................4-3

Chapter 5 Wireless Configuration and Roaming ......................................................................................5-1

5.1 Wireless LAN Overview............................................................................................................5-1

5.1.1 IBSS ...................................................................................................................................5-1

Table of Contents vii

ZyAIR B-500 Wireless Access Point User’s Guide

5.1.2 BSS ....................................................................................................................................5-1

5.1.3 ESS ....................................................................................................................................5-2

5.2 Wireless LAN Basics.................................................................................................................5-3

5.2.1 RTS/CTS............................................................................................................................5-3

5.2.2 Fragmentation Threshold................................................................................................... 5-4

5.3 Configuring Wireless................................................................................................................. 5-5

5.4 Configuring Roaming ................................................................................................................5-6

5.4.1 Requirements for Roaming................................................................................................ 5-8

Chapter 6 Wireless Security........................................................................................................................6-1

6.1 Wireless Security Overview.......................................................................................................6-1

6.2 WEP Overview ..........................................................................................................................6-1

6.2.1 Data Encryption .................................................................................................................6-1

6.2.2 Authentication.................................................................................................................... 6-2

6.3 Configuring WEP Encryption....................................................................................................6-3

6.4 MAC Filter.................................................................................................................................6-4

6.5 802.1x Overview........................................................................................................................6-6

6.6 Introduction to RADIUS............................................................................................................ 6-6

6.6.1 EAP Authentication Overview...........................................................................................6-7

6.7 Dynamic WEP Key Exchange................................................................................................... 6-8

6.8 Introduction to Local User Database..........................................................................................6-9

6.9 Configuring 802.1x....................................................................................................................6-9

6.10 Configuring Local User Database............................................................................................ 6-11

6.11 Configuring RADIUS ..............................................................................................................6-13

Chapter 7 IP Screen .....................................................................................................................................7-1

7.1 Factory Ethernet Defaults ..........................................................................................................7-1

7.2 TCP/IP Parameters..................................................................................................................... 7-1

7.2.1 IP Address and Subnet Mask .............................................................................................7-1

7.3 Configuring IP ...........................................................................................................................7-1

LOGS .............................................................................................................................................................III

Chapter 8 Logs Screens............................................................................................................................... 8-1

8.1 Configuring View Log...............................................................................................................8-1

8.2 Configuring Log Settings........................................................................................................... 8-2

MAINTENANCE..........................................................................................................................................IV

Chapter 9 Maintenance...............................................................................................................................9-1

9.1 Maintenance Overview .............................................................................................................. 9-1

9.2 System Status Screen................................................................................................................. 9-1

9.2.1 System Statistics ................................................................................................................9-2

9.3 Wireless Screen..........................................................................................................................9-3

9.3.1 Association List .................................................................................................................9-3

9.3.2 Channel Usage ...................................................................................................................9-4

9.4 F/W Upload Screen.................................................................................................................... 9-6

viii Table of Contents

ZyAIR B-500 Wireless Access Point User’s Guide

9.5 Configuration Screen .................................................................................................................9-8

9.5.1 Backup Configuration ........................................................................................................9-8

9.5.2 Restore Configuration ........................................................................................................9-9

9.5.3 Back to Factory Defaults..................................................................................................9-11

SMT CONFIGURATION.............................................................................................................................. V

Chapter 10 Introducing the SMT .............................................................................................................10-1

10.1 Connect to your ZyAIR Using Telnet ......................................................................................10-1

10.2 Changing the System Password ...............................................................................................10-1

10.3 ZyAIR SMT Menu Overview Example ...................................................................................10-2

10.4 Navigating the SMT Interface..................................................................................................10-4

10.4.1 System Management Terminal Interface Summary .........................................................10-5

Chapter 11 General Setup .........................................................................................................................11-1

11.1 General Setup...........................................................................................................................11-1

11.1.1 Procedure To Configure Menu 1......................................................................................11-1

Chapter 12 LAN Setup ..............................................................................................................................12-1

12.1 LAN Setup ...............................................................................................................................12-1

12.2 TCP/IP Ethernet Setup .............................................................................................................12-1

12.3 Wireless LAN Setup ................................................................................................................12-2

12.3.1 Configuring MAC Address Filter.....................................................................................12-5

12.3.2 Configuring Roaming.......................................................................................................12-7

Chapter 13 Dial-in User Setup..................................................................................................................13-1

13.1 Dial-in User Setup....................................................................................................................13-1

Chapter 14 SNMP Configuration .............................................................................................................14-1

14.1 About SNMP............................................................................................................................14-1

14.2 Supported MIBs .......................................................................................................................14-2

14.3 SNMP Configuration ...............................................................................................................14-2

14.4 SNMP Traps.............................................................................................................................14-3

Chapter 15 System Security ......................................................................................................................15-1

15.1 System Security........................................................................................................................15-1

15.1.1 System Password..............................................................................................................15-1

15.1.2 Configuring External RADIUS Server.............................................................................15-1

15.1.3 802.1x...............................................................................................................................15-3

Chapter 16 System Information and Diagnosis.......................................................................................16-1

16.1 Overview..................................................................................................................................16-1

16.2 System Status ...........................................................................................................................16-1

16.3 System Information..................................................................................................................16-3

16.3.1 System Information ..........................................................................................................16-3

16.3.2 Console Port Speed ..........................................................................................................16-4

16.4 Log and Trace ..........................................................................................................................16-5

16.4.1 Viewing Error Log...........................................................................................................16-5

16.5 Diagnostic ................................................................................................................................16-5

Table of Contents ix

ZyAIR B-500 Wireless Access Point User’s Guide

Chapter 17 Firmware and Configuration File Maintenance .................................................................17-1

17.1 Filename Conventions .............................................................................................................17-1

17.2 Backup Configuration..............................................................................................................17-2

17.2.1 Backup Configuration Using FTP....................................................................................17-2

17.2.2 Using the FTP command from the DOS Prompt .............................................................17-3

17.2.3 Backup Configuration Using TFTP ................................................................................. 17-4

17.2.4 Example: TFTP Command ..............................................................................................17-4

17.3 Restore Configuration..............................................................................................................17-5

17.4 Uploading Firmware and Configuration Files .........................................................................17-6

17.4.1 Firmware Upload............................................................................................................. 17-7

17.4.2 Configuration File Upload............................................................................................... 17-7

17.4.3 Using the FTP command from the DOS Prompt Example .............................................. 17-8

17.4.4 TFTP File Upload ............................................................................................................ 17-9

17.4.5 Example: TFTP Command ............................................................................................17-10

Chapter 18 System Maintenance and Information.................................................................................18-1

18.1 Command Interpreter Mode.....................................................................................................18-1

18.2 Time and Date Setting .............................................................................................................18-2

18.2.1 Resetting the Time...........................................................................................................18-3

APPENDICES...............................................................................................................................................VI

Appendix A Troubleshooting...................................................................................................................... A-1

Problems Starting Up the ZyAIR......................................................................................................... A-1

Problems with the Ethernet Interface................................................................................................... A-1

Problems with the Password ................................................................................................................A-2

Problems with Telnet ...........................................................................................................................A-2

Problems with the WLAN Interface ....................................................................................................A-3

Appendix B Brute-Force Password Guessing Protection........................................................................ B-1

Appendix C Setting up Your Computer’s IP Address.............................................................................. C-1

Appendix D Wireless LAN and IEEE 802.11 ........................................................................................... D-1

Appendix E Wireless LAN With IEEE 802.1x ......................................................................................... E-1

Appendix F Types of EAP Authentication ................................................................................................ F-1

Appendix G IP Subnetting .........................................................................................................................G-1

Appendix H Command Interpreter...........................................................................................................H-1

Appendix I Log Descriptions ...................................................................................................................... I-1

Appendix J Index.........................................................................................................................................J-1

x Table of Contents

ZyAIR B-500 Wireless Access Point User’s Guide

List of Figures

Figure 1-1 Internet Access Application.......................................................................................................... 1-4

Figure 1-2 Corporation Network Application ................................................................................................ 1-5

Figure 2-1 Change Password Screen.............................................................................................................. 2-1

Figure 2-2 Navigating the ZyAIR Web Configurator .................................................................................... 2-3

Figure 3-1 Wizard 1 : General Setup.............................................................................................................. 3-2

Figure 3-2 Wizard 2 : Wireless LAN Setup ................................................................................................... 3-3

Figure 3-3 Wizard 3 : IP Address Assignment ............................................................................................... 3-6

Figure 4-1 System General Setup .................................................................................................................. 4-1

Figure 4-2 Password....................................................................................................................................... 4-3

Figure 4-3 Time Setting ................................................................................................................................. 4-4

Figure 5-1 IBSS (Ad-hoc) Wireless LAN...................................................................................................... 5-1

Figure 5-2 Basic Service set........................................................................................................................... 5-2

Figure 5-3 Extended Service Set.................................................................................................................... 5-3

Figure 5-4 RTS/CTS ...................................................................................................................................... 5-4

Figure 5-5 Wireless ........................................................................................................................................ 5-5

Figure 5-6 Roaming Example........................................................................................................................ 5-7

Figure 5-7 Roaming ....................................................................................................................................... 5-8

Figure 6-1 ZyAIR Wireless Security Levels .................................................................................................. 6-1

Figure 6-2 WEP Authentication Steps............................................................................................................ 6-2

Figure 6-3 Wireless ........................................................................................................................................ 6-3

Figure 6-4 MAC Address Filter ..................................................................................................................... 6-5

Figure 6-5 EAP Authentication ...................................................................................................................... 6-8

Figure 6-6 802.1x Authentication .................................................................................................................. 6-9

Figure 6-7 Local User Database................................................................................................................... 6-12

Figure 6-8 RADIUS..................................................................................................................................... 6-13

Figure 7-1 IP Setup ........................................................................................................................................ 7-2

Figure 8-1 View Log ...................................................................................................................................... 8-1

Figure 8-2 Log Settings.................................................................................................................................. 8-3

Figure 9-1 System Status ............................................................................................................................... 9-1

Figure 9-2 System Status: Show Statistics ..................................................................................................... 9-2

Figure 9-3 Association List............................................................................................................................ 9-4

Figure 9-4 Channel Usage.............................................................................................................................. 9-5

Figure 9-5 Firmware Upload.......................................................................................................................... 9-6

Figure 9-6 Firmware Upload In Process ........................................................................................................ 9-7

Figure 9-7 Network Temporarily Disconnected............................................................................................. 9-7

Figure 9-8 Firmware Upload Error ................................................................................................................ 9-8

Figure 9-9 Backup Configuration .................................................................................................................. 9-9

Figure 9-10 Restore Configuration ................................................................................................................ 9-9

Figure 9-11 Configuration Upload Successful ............................................................................................. 9-10

List of Figures xi

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 9-12 Network Temporarily Disconnected..........................................................................................9-10

Figure 9-13 Configuration Upload Error ......................................................................................................9-11

Figure 9-14 Back to Factory Default ............................................................................................................9-12

Figure 9-15 Reset Warning Message ............................................................................................................9-12

Figure 10-1 Login Screen .............................................................................................................................10-1

Figure 10-2 Menu 23.1 System Security : Change Password....................................................................... 10-2

Figure 10-3 ZyAIR B-500 SMT Menu Overview Example .........................................................................10-3

Figure 10-4 ZyAIR B-500 SMT Main Menu................................................................................................10-5

Figure 11-1 Menu 1 General Setup...............................................................................................................11-1

Figure 12-1 Menu 3 LAN Setup...................................................................................................................12-1

Figure 12-2 Menu 3.2 TCP/IP Setup.............................................................................................................12-1

Figure 12-3 Menu 3.5 Wireless LAN Setup .................................................................................................12-3

Figure 12-4 Menu 3.5 Wireless LAN Setup .................................................................................................12-5

Figure 12-5 Menu 3.5.1 WLAN MAC Address Filter ..................................................................................12-6

Figure 12-6 Menu 3.5 Wireless LAN Setup .................................................................................................12-7

Figure 12-7 Menu 3.5.2 Roaming Configuration .........................................................................................12-7

Figure 13-1 Menu 14- Dial-in User Setup .................................................................................................... 13-1

Figure 13-2 Menu 14.1- Edit Dial-in User....................................................................................................13-1

Figure 14-1 SNMP Management Model.......................................................................................................14-1

Figure 14-2 Menu 22 SNMP Configuration .................................................................................................14-3

Figure 15-1 Menu 23 System Security .........................................................................................................15-1

Figure 15-2 Menu 23 System Security .........................................................................................................15-1

Figure 15-3 Menu 23.2 System Security : RADIUS Server.........................................................................15-2

Figure 15-4 Menu 23 System Security .........................................................................................................15-3

Figure 15-5 Menu 23.4 System Security : IEEE802.1x................................................................................15-4

Figure 16-1 Menu 24 System Maintenance..................................................................................................16-1

Figure 16-2 Menu 24.1 System Maintenance : Status ..................................................................................16-2

Figure 16-3 Menu 24.2 System Information and Console Port Speed..........................................................16-3

Figure 16-4 Menu 24.2.1 System Information : Information........................................................................16-3

Figure 16-5 Menu 24.2.2 System Maintenance : Change Console Port Speed.............................................16-4

Figure 16-6 Menu 24.3 System Maintenance : Log and Trace.....................................................................16-5

Figure 16-7 Sample Error and Information Messages..................................................................................16-5

Figure 16-8 Menu 24.4 System Maintenance : Diagnostic...........................................................................16-6

Figure 17-1 Menu 24.5 Backup Configuration.............................................................................................17-2

Figure 17-2 FTP Session Example................................................................................................................17-3

Figure 17-3 Menu 24.6 Restore Configuration.............................................................................................17-6

Figure 17-4 Menu 24.7 System Maintenance : Upload Firmware................................................................17-6

Figure 17-5 Menu 24.7.1 System Maintenance : Upload System Firmware ................................................17-7

Figure 17-6 Menu 24.7.2 System Maintenance : Upload System Configuration File ..................................17-8

Figure 17-7 FTP Session Example................................................................................................................17-9

Figure 18-1 Menu 24 System Maintenance..................................................................................................18-1

xii List of Figures

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 18-2 Valid CI Commands ................................................................................................................. 18-1

Figure 18-3 Menu 24.10 System Maintenance : Time and Date Setting...................................................... 18-2

List of Figures xiii

ZyAIR B-500 Wireless Access Point User’s Guide

List of Tables

Table 3-1 Wizard 1 : General Setup ............................................................................................................... 3-2

Table 3-2 Wizard 2 : Wireless LAN Setup..................................................................................................... 3-3

Table 3-3 Private IP Address Ranges ............................................................................................................. 3-5

Table 3-4 Wizard 3 : IP Address Assignment ................................................................................................. 3-6

Table 4-1 System General Setup.................................................................................................................... 4-2

Table 4-2 Password ........................................................................................................................................ 4-3

Table 4-3 Time Setting................................................................................................................................... 4-4

Table 5-1 Wireless.......................................................................................................................................... 5-6

Table 5-2 Roaming......................................................................................................................................... 5-9

Table 6-1 Wireless.......................................................................................................................................... 6-4

Table 6-2 MAC Address Filter....................................................................................................................... 6-6

Table 6-3 802.1x Authentication.................................................................................................................. 6-10

Table 6-4 Local User Database .................................................................................................................... 6-13

Table 6-5 RADIUS....................................................................................................................................... 6-14

Table 7-1 IP Setup.......................................................................................................................................... 7-2

Table 8-1 View Log........................................................................................................................................ 8-2

Table 8-2 Log Settings ................................................................................................................................... 8-4

Table 9-1 System Status................................................................................................................................. 9-1

Table 9-2 System Status: Show Statistics....................................................................................................... 9-2

Table 9-3 Association List.............................................................................................................................. 9-4

Table 9-4 Channel Usage ............................................................................................................................... 9-5

Table 9-5 Firmware Upload ........................................................................................................................... 9-7

Table 9-6 Restore Configuration.................................................................................................................. 9-10

Table 10-1 Main Menu Commands.............................................................................................................. 10-4

Table 10-2 Main Menu Summary ................................................................................................................ 10-5

Table 11-1 Menu 1 General Setup.................................................................................................................11-2

Table 12-1 Menu 3.2 TCP/IP Setup ............................................................................................................. 12-2

Table 12-2 Menu 3.5 Wireless LAN Setup .................................................................................................. 12-3

Table 12-3 Menu 3.5.1 WLAN MAC Address Filter ...................................................................................12-6

Table 12-4 Menu 3.5.2 Roaming Configuration .......................................................................................... 12-8

Table 13-1 Menu 14.1- Edit Dial-in User..................................................................................................... 13-2

Table 14-1 Menu 22 SNMP Configuration.................................................................................................. 14-3

Table 14-2 SNMP Traps............................................................................................................................... 14-4

Table 14-3 Ports and Interface Types ........................................................................................................... 14-4

Table 15-1 Menu 23.2 System Security : RADIUS Server.......................................................................... 15-2

Table 15-2 Menu 23.4 System Security : IEEE802.1x................................................................................. 15-4

Table 16-1 Menu 24.1 System Maintenance : Status ................................................................................... 16-2

Table 16-2 Menu 24.2.1 System Maintenance : Information....................................................................... 16-4

Table 16-3 Menu 24.4 System Maintenance Menu : Diagnostic ................................................................. 16-6

List of Tables xv

ZyAIR B-500 Wireless Access Point User’s Guide

Table 17-1 Filename Conventions ................................................................................................................17-2

Table 17-2 General Commands for Third Party FTP Clients........................................................................17-3

Table 17-3 General Commands for Third Party TFTP Clients .....................................................................17-5

Table 18-1 Menu 24.10 System Maintenance : Time and Date Setting........................................................18-3

xvi List of Tables

ZyAIR B-500 Wireless Access Point User’s Guide

Preface

Congratulations on your purchase from the ZyAIR B-500 Wireless Access Point.

An access point (AP) acts as a bridge between the wireless and wired networks, extending your existing wired network without any additional wiring.

This User’s Guide is designed to guide you through the configuration of your ZyAIR using the web configurator or the SMT.

Use the web configurator, System Management Terminal (SMT) or command

interpreter interface to configure your ZyAIR. Not all features can be configured

through all interfaces.

The web configurator parts of this guide contain background information on features configurable by the web configurator and the SMT. The SMT parts of this guide contain background information solely on features not configurable by the web configurator.

information at www.zyxel.com for global products, or at www.us.zyxel.com for

North American products.

Getting to Know Your ZyAIR

This chapter introduces the main features and applications of the ZyAIR.

1.1 Introducing the ZyAIR Wireless Access Point

The ZyAIR extends the range of your existing wired network without any additional wiring efforts. The ZyAIR provides easy network access to mobile users. The ZyAIR offers highly secured wireless connectivity to your wired network with IEEE 802.1x, Wi-Fi Protected Access, WEP data encryption and MAC address filtering.

The ZyAIR is easy to install and configure. The embedded web-based configurator and SNMP network management enables remote configuration and management of your ZyAIR.

1.2 ZyAIR Features

The following sections describe the features of the ZyAIR.

10/100M Auto-negotiating Ethernet/Fast Ethernet Interface

This auto-negotiating feature allows the ZyAIR to detect the speed of incoming transmissions and adjust appropriately without manual intervention. It allows data transfer of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet network.

10/100M Auto-crossover Ethernet/Fast Ethernet Interface

The LAN interface automatically adjusts to either a crossover or straight-through Ethernet cable.

Reset Button

The ZyAIR reset button is built into the top panel. Use this button to restore the factory default password to 1234; IP address to 192.168.1.2, subnet mask to 255.255.255.0.

Brute-Force Password Guessing Protection

The ZyAIR has a special protection mechanism to discourage brute-force password guessing attacks on the ZyAIR's management interfaces. You can specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered. Please see the appendix for details about this feature.

Getting to Know Your ZyAIR 1-1

ZyAIR B-500 Wireless Access Point User’s Guide

802.11b Wireless LAN Standard

ZyAIR products containing the letter “B” in the model name, such as ZyAIR B-1000, ZyAIR B-500, comply with the 802.11b wireless standard.

The 802.11b data rate and corresponding modulation techniques are as follows. The modulation technique defines how bits are encoded onto radio waves.

802.11b

Data Rate (Mbps) Modulation

1 DBPSK (Differential Binary Phase Shift Keyed)

5.5 / 11 CCK (Complementary Code Keying)

DQPSK (Differential Quadrature Phase Shift Keying

)

The ZyAIR may be prone to RF (Radio Frequency) interference from other 2.4 GHz

devices such as microwave ovens, wireless phones, Bluetooth enabled devices,

and other wireless LANs.

Output Power Management

Output Power Management is the ability to set the level of output power.

There may be interference or difficulty with channel assignment when there is a high density of APs within a coverage area. In this case you can lower the output power of each access point, thus enabling you to place access points closer together.

Limit the number of Client Connections

You may set a maximum number of wireless stations that may connect to the ZyAIR. This may be necessary if for example, there is interference or difficulty with channel assignment due to a high density of APs within a coverage area.

SSL Passthrough

SSL (Secure Sockets Layer) uses a public key to encrypt data that's transmitted over an SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https” instead of “http”. The ZyAIR allows SSL connections to take place through the ZyAIR.

Wireless LAN MAC Address Filtering

Your ZyAIR checks the MAC address of the wireless station against a list of allowed or denied MAC addresses.

1-2 Getting to Know Your ZyAIR

ZyAIR B-500 Wireless Access Point User’s Guide

WEP Encryption

WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption.

IEEE 802.1x Network Security

The ZyAIR supports the IEEE 802.1x standard to enhance user authentication. Use the built-in user profile database to authenticate up to 32 users using MD5 encryption. Use an EAP-compatible RADIUS (RFC2138, 2139 - Remote Authentication Dial In User Service) server to authenticate a limitless number of users using EAP (Extensible Authentication Protocol). EAP is an authentication protocol that supports multiple types of authentication.

SNMP

SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyAIR supports SNMP agent functionality, which allows a manger station to manage and monitor the ZyAIR through the network. The ZyAIR supports SNMP version one (SNMPv1) and version two c (SNMPv2c).

Full Network Management

The embedded web configurator is an all-platform web-based utility that allows you to easily access the ZyAIR’s management settings. Most functions of the ZyAIR are also software configurable via the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access from a terminal emulator over a telnet connection.

Logging and Tracing

♦ Built-in message logging and packet tracing.

♦ Unix syslog facility support.

Embedded FTP and TFTP Servers

The ZyAIR’s embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.

Wireless Association List

With the wireless association list, you can see the list of the wireless stations that are currently using the ZyAIR to access your wired network.

Getting to Know Your ZyAIR 1-3

ZyAIR B-500 Wireless Access Point User’s Guide

Wireless LAN Channel Usage

The Wireless Channel Usage screen displays whether the radio channels are used by other wireless devices within the transmission range of the ZyAIR. This allows you to select the channel with minimum interference for your ZyAIR.

1.3 Applications for the ZyAIR

Here are some application examples of what you can do with your ZyAIR.

1.3.1 Internet Access Application

The ZyAIR is an ideal access solution for wireless Internet connection. A typical Internet access application for your ZyAIR is shown as follows.

Figure 1-1 Internet Access Application

1.3.2 Corporation Network Application

In situations where users are always on the move in the coverage area but still need access to corporate network access, the ZyAIR is an ideal solution for wireless stations to connect to the corporate network without expensive network cabling.

The following figure depicts a typical application of the ZyAIR in an enterprise environment. The three computers with wireless adapters are allowed to access the network resource through the ZyAIR after account validation by the network authentication server.

1-4 Getting to Know Your ZyAIR

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 1-2 Corporation Network Application

Getting to Know Your ZyAIR 1-5

ZyAIR B-500 Wireless Access Point User’s Guide

Chapter 2

Introducing the Web Configurator

This chapter describes how to access the ZyAIR web configurator and provides an overview of its

screens. The default IP address of the ZyAIR is 192.168.1.2.

2.1 Accessing the ZyAIR Web Configurator

Step 1. Make sure your ZyAIR hardware is properly connected (refer to the Quick Installation Guide).

Step 2. Prepare your computer/computer network to connect to the ZyAIR (refer to the appendix).

Step 3. Launch your web browser.

Step 4. Type "192.168.1.2" (default) as the URL.

Step 5. Type "1234" (default) as the password and click Login. In some versions, the default password

appears automatically - if this is the case, click Login.

Step 6. You should see a screen asking you to change your password (highly recommended) as shown

next. Type a new password (and retype it to confirm) and click Apply or click Ignore to allow access without password change.

Figure 2-1 Change Password Screen

Step 7. You should now see the MAIN MENU screen.

Introducing the Web Configurator 2-1

ZyAIR B-500 Wireless Access Point User’s Guide

The management session automatically times out when the time period set in the

Administrator Inactivity Timer field expires (default five minutes). Simply log back into

the ZyAIR if this happens to you.

2.2 Resetting the ZyAIR

If you forget your password or cannot access the ZyAIR, you will need to reload the factory-default configuration file or use the RESET button on the top panel of the ZyAIR. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously. The password will be reset to “1234”, also.

2.2.1 Method of Restoring Factory-Defaults

You can erase the current configuration and restore factory defaults in three ways:

1. Use the RESET button on the top panel of the ZyAIR to upload the default configuration file (hold this

button in for about 10 seconds or until the Link LED turns red). Use this method for cases when the password or IP address of the ZyAIR is not known.

2. Use the web configurator to restore defaults (refer to the chapter on maintenance).

3. Transfer the configuration file to your ZyAIR using FTP. See later in the part on SMT configuration for more information.

2-2 Introducing the Web Configurator

ZyAIR B-500 Wireless Access Point User’s Guide

and Default) and

estart

2.3 Navigating the ZyAIR Web Configurator

The following summarizes how to navigate the web configurator.

Follow the instructions below or click the icon (located in the top right corner

of most screens) to view online help.

Click WIZARD SETUP for initial configuration including general setup, Wireless LAN setup and IP address assignment.

Click LOGOUT at any time to exit the web configurator.

Click the links under ADVANCED to configure advanced features such as SYSTEM (General Setup, Password), WIRELESS (Wireless, MAC Filter, Roaming, Local User Database and RADIUS), IP and Logs (View reports and Log Settings).

Click to view the web configurator in the language of your choice.

Click MAINTENANCE to view information about your ZyAIR or upgrade configuration/firmware files. Maintenance includes Status (Statistics), Association List, Channel Usage, F/W (firmware) Upload, Configuration (Backup, Restore

Introducing the Web Configurator 2-3

Figure 2-2 Navigating the ZyAIR Web Configurator

ZyAIR B-500 Wireless Access Point User’s Guide

Chapter 3

Wizard Setup

This chapter provides information on the Wizard Setup screens in the web configurator.

3.1 Wizard Setup Overview

The web configurator’s setup wizard helps you configure your ZyAIR for wireless stations to access your wired LAN.

3.1.1 Channel

A channel is the radio frequency(ies) used by IEEE 802.11b wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance.

Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11.

The ZyAIR’s “Scan” function is especially designed to automatically scan for a channel with the least interference.

3.1.2 ESS ID

An Extended Service Set (ESS) is a group of access points connected to a wired LAN on the same subnet. An ESS ID uniquely identifies each set. All access points and their associated wireless stations in the same set must have the same ESSID.

3.1.3 WEP Encryption

WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network. WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption.

Wizard Setup 3-1

ZyAIR B-500 Wireless Access Point User’s Guide

3.2 Wizard Setup: General Setup

General Setup contains administrative and system-related information.

Figure 3-1 Wizard 1 : General Setup

The following table describes the labels in this screen.

Table 3-1 Wizard 1 : General Setup

LABEL DESCRIPTION

System Name It is recommended you type your computer's "Computer name".

 In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification

tab, note the entry for the Computer Name field and enter it as the System Name.

 In Windows 2000, click Start, Settings, Control Panel and then double-click System.

Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.

 In Windows XP, click Start, My Computer, View system information and then click the

Computer Name tab. Note the entry in the Full computer name field and enter it as the

ZyAIR System Name.

This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.

3-2 Wizard Setup

ZyAIR B-500 Wireless Access Point User’s Guide

Table 3-1 Wizard 1 : General Setup

LABEL DESCRIPTION

Domain Name This is not a required field. Leave this field blank or enter the domain name here if you know

it.

Click Next to proceed to the next screen.

3.3 Wizard Setup: Wireless LAN

Use the second wizard screen to set up the wireless LAN.

Figure 3-2 Wizard 2 : Wireless LAN Setup

The following table describes the labels in this screen.

Table 3-2 Wizard 2 : Wireless LAN Setup

LABEL DESCRIPTION

Wireless LAN Setup ESSID Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless

LAN.

If you change this field on the ZyAIR, make sure all wireless stations use the same ESSID in order to access the network.

Wizard Setup 3-3

ZyAIR B-500 Wireless Access Point User’s Guide

Table 3-2 Wizard 2 : Wireless LAN Setup

LABEL DESCRIPTION

Choose Channel ID

Scan Click this button to have the ZyAIR automatically scan for and select a channel with

Security

Back

To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.

To have the ZyAIR automatically select a channel, click Scan instead.

the least interference.

The level of Security can be selected as none, basic or extended. Choose No security to have no wireless LAN security configured and proceed to the ISP Parameters for Internet Access screen.

Choose Basic security if you want to configure WEP Encryption parameters.

Choose Extend security to configure a Pre-Shared Key.

The third screen varies depending on which security level you select.

Click Back to return to the previous screen.

Click Next to continue.

The wireless stations and ZyAIR must use the same ESSID, channel ID and WEP

encryption key or pre-shared key (if wireless security is enabled) for wireless

communication.

3.4 Wizard Setup: Screen 3

Basic Security

If you choose Basic, you can setup WEP Encryption parameters.

3-4 Wizard Setup

ZyAIR B-500 Wireless Access Point User’s Guide

The following table describes the labels in this screen.

Table 3-3 Wizard 2 : Wireless LAN Setup

LABEL DESCRIPTION

Wireless LAN Setup

WEP Encryption

ASCII Select this option in order to enter ASCII characters as the WEP keys.

Hex Select this option to enter hexadecimal characters as the WEP keys.

Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations

Back

Select 64-bit WEP or 128-bit WEP to allow data encryption.

The preceding 0x is entered automatically.

must use the same WEP key for data transmission.

If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F").

You must configure all four keys, but only one key can be used at any one time. The default key is key 1.

Click Back to return to the previous screen.

Click Next to continue.

Wizard Setup 3-5

ZyAIR B-500 Wireless Access Point User’s Guide

Extend Security

If you choose Extend security in the Wireless LAN Setup screen, you can set up a Pre-Shared Key.

The following table describes the labels in this screen.

Table 3-4 Wizard 2 : Wireless LAN Setup

LABEL DESCRIPTION

Wireless LAN Setup

Pre-Shared Key Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-

9", "A-F") characters. You must precede a hexadecimal key with a "0x” (zero x), which is not counted as part of the 16 to 62-character range for the key.

Back

Click Back to return to the previous screen.

Click Next to continue.

Refer to the chapter on wireless LAN for more information.

3.5 Wizard Setup: IP Address

The third wizard screen allows you to configure IP address assignment.

3.5.1 IP Address Assignment

Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.

3-6 Wizard Setup

ZyAIR B-500 Wireless Access Point User’s Guide

Table 3-5 Private IP Address Ranges

10.0.0.0 - 10.255.255.255

172.16.0.0 - 172.31.255.255

192.168.0.0 - 192.168.255.255

You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address;

always follow the guidelines above. For more information on address assignment,

please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466,

Guidelines for Management of IP Address Space.

3.5.2 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number; which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for instance,

192.168.1.2, for your ZyAIR, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your ZyAIR will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyAIR unless you are instructed to do otherwise.

Wizard Setup 3-7

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 3-3 Wizard 3 : IP Address Assignment

The following table describes the labels in this screen.

Table 3-6 Wizard 3 : IP Address Assignment

LABEL DESCRIPTION

IP Address Assignment

Get automatically From

DHCP

Select this option if your ZyAIR is using a dynamically assigned IP address from a DHCP server each time.

You must know the IP address assigned to the ZyAIR (by

the DHCP server) to access the ZyAIR again.

Use fixed IP address Select this option if your ZyAIR is using a static IP address. When you select

this option, fill in the fields below.

IP Address Enter the IP address of your ZyAIR in dotted decimal notation.

If you change the ZyAIR's IP address, you must use the

new IP address if you want to access the web

configurator again.

IP Subnet Mask Enter the subnet mask.

3-8 Wizard Setup

ZyAIR B-500 Wireless Access Point User’s Guide

Table 3-6 Wizard 3 : IP Address Assignment

LABEL DESCRIPTION

Gateway IP Address Enter the IP address of a gateway. The gateway is an immediate neighbor of

your ZyAIR that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyAIR; over the WAN, the gateway must be the IP address of one of the remote node.

Back

Finish

Click Back to return to the previous screen.

Click Finish to proceed to complete the Wizard setup.

3.6 Basic Setup Complete

When you click Finish in the Wizard 3 IP Address Assignment screen, a warning window display as shown. Click OK to close the window and log in to the web configurator again using the new IP address if you change the default IP address (192.168.1.2).

You have successfully set up the ZyAIR. A screen displays prompting you to close the web browser.

Click Yes. Otherwise, click No and the congratulations screen shows next.

Wizard Setup 3-9

ZyAIR B-500 Wireless Access Point User’s Guide

Well done! You have successfully set up your ZyAIR to operate on your network and access the Internet.

3-10 Wizard Setup

System, Wireless and IP

Part II:

SYSTEM, WIRELESS AND IP

This part covers the information and web configurator screens of System, Wireless and IP.

ZyAIR B-500 Wireless Access Point User’s Guide

This chapter provides information on the System screens.

4.1 System Overview

This section provides information on general system setup.

4.2 Configuring General Setup

Click SYSTEM to open the General screen.

Chapter 4

System Screens

Figure 4-1 System General Setup

The following table describes the labels in this screen.

System Screens 4-1

ZyAIR B-500 Wireless Access Point User’s Guide

Table 4-1 System General Setup

LABEL DESCRIPTION

System Name Type a descriptive name to identify the ZyAIR in the Ethernet network.

This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.

Domain Name This is not a required field. Leave this field blank or enter the domain name here if you

know it.

Administrator Inactivity Timer

System DNS Servers

First DNS Server

Second DNS

Server

Third DNS

Server

Apply

Reset

Type how many minutes a management session (either via the web configurator or SMT) can be left idle before the session times out.

The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts may have security risks.

A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).

Select From DHCP if your DHCP server dynamically assigns DNS server information (and the ZyAIR's Ethernet IP address). The field to the right displays the (read-only) DNS server IP address that the DHCP assigns.

Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User- Defined changes to None after you click Apply.

Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.

The default setting is None.

Click Apply to save your changes back to the ZyAIR.

Click Reset to reload the previous configuration for this screen.

4.3 Configuring Password

To change your ZyAIR’s password (recommended), click SYSTEM and then the Password tab. The screen appears as shown. This screen allows you to change the ZyAIR’s password.

If you forget your password (or the ZyAIR IP address), you will need to reset the ZyAIR. See the section on resetting the ZyAIR for details.

4-2 System Screens

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 4-2 Password

The following table describes the labels in this screen.

Table 4-2 Password

LABEL DESCRIPTION

Old Password Type in your existing system password (1234 is the default password).

New Password Type your new system password (up to 31 characters). Note that as you type a

password, the screen displays an asterisk (*) for each character you type.

Retype to Confirm Retype your new system password for confirmation.

Apply

Reset

Click Apply to save your changes back to the ZyAIR.

Click Reset to reload the previous configuration for this screen.

4.4 Configuring Time Setting

To change your ZyAIR’s time and date, click SYSTEM and then the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyAIR’s time based on your local time zone.

System Screens 4-3

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 4-3 Time Setting

The following table describes the labels in this screen.

Table 4-3 Time Setting

LABEL DESCRIPTION

Time Protocol Select the time service protocol that your time server sends when you turn on the

ZyAIR. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.

The main difference between them is the format.

Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds

since 1970/1/1 at 0:0:0. The default, NTP (RFC 1305), is similar to Time (RFC 868). Select None to enter the time and date manually.

4-4 System Screens

ZyAIR B-500 Wireless Access Point User’s Guide

Table 4-3 Time Setting

LABEL DESCRIPTION

Time Server Address

Current Time (hh:mm:ss)

New Time (hh:mm:ss)

Current Date (yyyy/mm/dd)

New Date (yyyy/mm/dd)

Time Zone Choose the time zone of your location. This will set the time difference between your

Daylight Savings Select this option if you use daylight savings time. Daylight saving is a period from

Start Date (mm-dd) Enter the month and day that your daylight-savings time starts on if you selected

End Date (mm-dd) Enter the month and day that your daylight-savings time ends on if you selected

Apply

Reset

Enter the IP address or the URL of your time server. Check with your ISP/network administrator if you are unsure of this information.

This field displays the time of your ZyAIR. Each time you reload this page, the ZyAIR synchronizes the time with the time server.

This field displays the last updated time from the time server. When you select None in the Time Protocol field, enter the new time in this field and then click Apply.

This field displays the date of your ZyAIR. Each time you reload this page, the ZyAIR synchronizes the time with the time server.

This field displays the last updated date from the time server. When you select None in the Time Protocol field, enter the new date in this field and then click Apply.

time zone and Greenwich Mean Time (GMT).

late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.

Daylight Savings.

Click Apply to save your changes back to the ZyAIR.

Click Reset to reload the previous configuration for this screen.

System Screens 4-5

ZyAIR B-500 Wireless Access Point User’s Guide

Chapter 5

Wireless Configuration and Roaming

This chapter discusses how to configure Wireless and Roaming screens on the ZyAIR.

5.1 Wireless LAN Overview

This section introduces the wireless LAN (WLAN) and some basic scenarios.

5.1.1 IBSS

An Independent Basic Service Set (IBSS), also called an Ad-hoc network, is the simplest WLAN configuration. An IBSS is defined as two or more computers with wireless adapters within range of each other that from an independent (wireless) network without the need of an access point (AP).

Figure 5-1 IBSS (Ad-hoc) Wireless LAN

5.1.2 BSS

A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP).

Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS is enabled, wireless station A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless station A and B can still access the wired network but cannot communicate with each other.

Wireless Configuration and Roaming 5-1

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 5-2 Basic Service set

5.1.3 ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate.

5-2 Wireless Configuration and Roaming

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 5-3 Extended Service Set

5.2 Wireless LAN Basics

Refer also to the chapter on wizard setup for more background information on Wireless LAN features, such as channels.

5.2.1 RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot “hear” each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.

Wireless Configuration and Roaming 5-3

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 5-4 RTS/CTS

When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the “cost” of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.

5.2.2 Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the ZyAIR will fragment the packet into smaller data frames.

A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.

5-4 Wireless Configuration and Roaming

ZyAIR B-500 Wireless Access Point User’s Guide

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

5.3 Preamble Type

A preamble is used to synchronize the transmission timing in your wireless network. There are two preamble modes: long and short.

Short preamble takes less time to process and minimizes overhead, so it should be used in a good wireless network environment when all wireless clients support it.

Select Long if you have a ‘noisy’ network or are unsure of what preamble mode your wireless clients support as all IEEE 802.11b compliant wireless adapters must support long preamble. However, not all wireless adapters support short preamble. Use long preamble if you are unsure what preamble mode the wireless adapters support, to ensure interpretability between the ZyAIR and the wireless stations and to provide more reliable communication in ‘noisy’ networks.

Select Dynamic to have the ZyAIR automatically use short preamble when all wireless clients support it, otherwise the ZyAIR uses long preamble.

The ZyAIR and the wireless stations MUST use the same preamble mode in order

to communicate.

5.4 Configuring Wireless

Click the WIRELESS link under ADVANCED to display the Wireless screen.

Wireless Configuration and Roaming 5-5

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 5-5 Wireless

The following table describes the general wireless LAN labels in this screen.

Table 5-1 Wireless

LABEL DESCRIPTION

ESSID (Extended Service Set IDentity) The ESSID identifies the Service Set with which a

wireless station is associated. Wireless stations associating to the access point (AP) must have the same ESSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.

If you are configuring the ZyAIR from a computer connected to

the wireless LAN and you change the ZyAIR’s ESSID or WEP

settings, you will lose your wireless connection when you

press Apply to confirm. You must then change the wireless

settings of your computer to match the ZyAIR’s new settings.

5-6 Wireless Configuration and Roaming

ZyAIR B-500 Wireless Access Point User’s Guide

Table 5-1 Wireless

LABEL DESCRIPTION

Hide ESSID Select this check box to hide the ESSID in the outgoing beacon frame so a station

cannot obtain the ESSID through passive scanning using a site survey tool.

Choose Channel ID

Scan Click this button to have the ZyAIR automatically scan for and select a channel with the

RTS/CTS Threshold

Fragmentation Threshold

Security Refer to the chapter about Wireless security for detailed information.

Enable IntraBSS Traffic

Number of Wireless Stations Allowed

Output Power Set the output power of the ZyAIR in this field. If there is a high density of APs within

Preamble

Apply

Reset

Set the operating frequency/channel depending on your particular region.

To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Click MAINTENANCE and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.

To have the ZyAIR automatically select a channel, click Scan instead.

Refer to the chapter on wizard setup for more information about channels.

least interference.

Enter a value between 0 and 2432. The default is 2432.

Enter a value between 256 and 2432. The default is 2432. It is the maximum data fragment size that can be sent.

Intra-BSS traffic is traffic between wireless stations in the same BSS. Select this check box to enable Intra-BSS traffic.

Use this field to set a maximum number of wireless stations that may connect to the ZyAIR

Enter the number (from 1 to 32) of wireless stations allowed.

an area, decrease the output power of the ZyAIR to reduce interference with other APs.

The options are 17dBm (50mW), 14dBm (25mW) or 11dBm (12.6mW).

Select a preamble type from the drop-down list menu. Choices are Long and Dynamic.

See the section on preamble for more information.

Click Apply to save your changes back to the ZyAIR.

Click Reset to begin configuring this screen afresh.

See the chapter on wireless security for information on the other labels in this screen.

Wireless Configuration and Roaming 5-7

ZyAIR B-500 Wireless Access Point User’s Guide

5.5 Configuring Roaming

A wireless station is a device with an IEEE 802.11b compliant wireless adapters. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless coverage area. A wireless station can associate with a particular access point only if it is within the access point’s coverage area.

In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.

The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from a coverage area to another, it scans and uses the

channel of a new access point, which then informs the access points on the LAN about the change. The new information is then propagated to the other access points on the LAN. An example is shown in Figure 5-6.

With roaming, a wireless LAN mobile user enjoys a continuous connection to the wired network through an access point while moving around the wireless LAN.

Enable roaming to exchange the latest bridge information of all wireless stations between APs when a wireless station moves between coverage areas. Wireless stations can still associate with other APs even if you disable roaming. Enabling roaming ensures correct traffic forwarding (bridge tables are updated) and maximum AP efficiency. The AP deletes records of wireless stations that associate with other APs (NonZyXEL APs may not be able to perform this). 802.1x authentication information is not exchanged (at the time of writing).

5-8 Wireless Configuration and Roaming

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 5-6 Roaming Example

The steps below describe the roaming process.

Step 1. As wireless station Y moves from the coverage area of access point AP 1 to that of access point

AP 2, it scans and uses the signal of access point AP 2.

Step 2. Access point AP 2 acknowledges the presence of wireless station Y and relays this information

to access point AP 1 through the wired LAN.

Step 3. Access point AP 1 updates the new position of wireless station. Step 4. Wireless station Y sends a request to access point AP 2 for reauthentication.

5.5.1 Requirements for Roaming

The following requirements must be met in order for wireless stations to roam between the coverage areas.

1. All the access points must be on the same subnet and configured with the same ESSID.

2. If IEEE 802.1x user authentication is enabled and to be done locally on the access point, the new access point must have the user profile for the wireless station.

3. The adjacent access points should use different radio channels when their coverage areas overlap.

4. All access points must use the same port number to relay roaming information.

Wireless Configuration and Roaming 5-9

ZyAIR B-500 Wireless Access Point User’s Guide

5. The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment.

To enable roaming on your ZyAIR, click the WIRELESS link under ADVANCED and then the Roaming tab. The screen appears as shown.

Figure 5-7 Roaming

The following table describes the labels in this screen.

Table 5-2 Roaming

LABEL DESCRIPTION

Active

Select Yes from the drop-down list box to enable roaming on the ZyAIR if you have two or more ZyAIRs on the same subnet.

All APs on the same subnet and the wireless stations must have the

same ESSID to allow roaming.

Port Enter the port number to communicate roaming information between access points. The

port number must be the same on all access points. The default is 16290. Make sure this port is not used by other services.

Apply

Reset

Click Apply to save your changes back to the ZyAIR.

Click Reset to begin configuring this screen afresh.

5-10 Wireless Configuration and Roaming

ZyAIR B-500 Wireless Access Point User’s Guide

Chapter 6

Wireless Security

This chapter describes how to use the MAC Filter, 802.1x, Local User Database and RADIUS to

configure wireless security on your ZyAIR.

6.1 Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless stations, access points and the wired network.

The figure below shows the possible wireless security levels on your ZyAIR. EAP (Extensible Authentication Protocol) is used for authentication and utilizes dynamic WEP key exchange. It requires interaction with a RADIUS (Remote Authentication Dial-In User Service) server either on the WAN or your LAN to provide authentication service for wireless stations.

Figure 6-1 ZyAIR Wireless Security Levels

If you do not enable any wireless security on your ZyAIR, your network is accessible to any wireless networking device that is within range.

Select No Security to allow wireless stations to communicate with the access points without any data encryption. The screen varies according to what you select in the Security field.

Wireless Security 6-1

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 6-2 Wireless

The following table describes the wireless LAN security label in this screen.

Table 6-1 Wireless

LABEL DESCRIPTION

Security Choose from one of the security features listed in the drop-down box.

• No Security

• Static WEP

• WPA-PSK

• WPA

• 802.1x + Dynamic WEP

• 802.1x + Static WEP

• 802.1x + No WEP

6-2 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

6.2 Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type. You enter manual keys by first selecting 64-bit WEP or 128-bit WEP from the WEP Encryption field and then typing the keys (in ASCII or hexadecimal format) in the key text boxes. MAC address filters are not dependent on how you configure these security features.

Table 6-2 Wireless Security Relational Matrix

AUTHENTICATION

METHOD/ KEY

MANAGEMENT PROTOCOL

Open None No Disable

Open WEP

Shared WEP

WPA WEP No Enable

WPA TKIP No Enable

WPA-PSK WEP Yes Enable

WPA-PSK TKIP Yes Enable

ENCRYPTION

METHOD

ENTER

MANUAL KEY

No Enable with Dynamic WEP Key

Yes Enable without Dynamic WEP Key

Yes Disable

No Enable with Dynamic WEP Key

Yes Enable without Dynamic WEP Key

Yes Disable

IEEE 802.1X

6.3 WEP Overview

WEP (Wired Equivalent Privacy) as specified in the IEEE 802.11 standard provides methods for both data encryption and wireless station authentication.

6.3.1 Data Encryption

WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyAIR allows you to configure up to four 64bit or 128-bit WEP keys, but only one key can be enabled at any one time.

Wireless Security 6-3

ZyAIR B-500 Wireless Access Point User’s Guide

6.3.2 Authentication

Three different methods can be used to authenticate wireless stations to the network: Open System, Shared Key, and Auto. The following figure illustrates the steps involved.

Figure 6-3 WEP Authentication Steps

Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network. In effect, open system is not authentication at all as any station can gain access to the network.

Shared key authentication involves a four-message procedure. A wireless station sends a shared key authentication request to the AP, which will then reply with a challenge text message. The wireless station must then use the AP’s default WEP key to encrypt the challenge text and return it to the AP, which attempts to decrypt the message using the AP’s default WEP key. If the decrypted message matches the challenge text, the wireless station is authenticated. This requires you to enable the WEP encryption and specify a WEP key on both the wireless station and the AP.

6-4 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

When your ZyAIR's authentication method is set to open system, it will only accept open system authentication requests. The same is true for shared key authentication. However, when it is set to auto authentication, the ZyAIR will accept either type of authentication request and the ZyAIR will fall back to use open authentication if the shared key does not match.

6.4 Configuring WEP Encryption

In order to configure and enable WEP encryption, click the WIRELESS link under ADVANCED to display the Wireless screen. Select Static WEP from the Security list.

Wireless Security 6-5

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 6-4 Wireless: Static WEP

The following table describes the wireless LAN security labels in this screen.

6-6 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Table 6-3 Wireless: Static WEP

LABEL DESCRIPTION

Security

WEP Encryption

Authentication Method

ASCII Select this option to enter ASCII characters as the WEP keys.

Hex Select this option to enter hexadecimal characters as the WEP keys.

Key 1 to

Key 4

Apply

Reset

Select Static WEP from the drop-down list.

Select 64-bit WEP or 128-bit WEP to enable data encryption.

Select Auto, Open System or Shared Key from the drop-down list box.

If WEP encryption is activated, the default setting is Auto.

The preceding “0x” is entered automatically.

The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations must use the same WEP key for data transmission.

You must configure all four keys, but only one key can be used at any one time. The default key is key 1.

Click Apply to save your changes back to the ZyAIR.

Click Reset to begin configuring this screen afresh.

6.5 Introduction to WPA

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption.

6.5.1 User Authentication

WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. You can’t use the ZyAIR’s Local User Database for WPA authentication purposes since the Local User Database uses EAP-MD5 which cannot be used to generate keys. See later in this chapter and the appendices for more information on IEEE 802.1x, RADIUS and EAP.

Therefore, if you don’t have an external RADIUS server you should use WPA-PSK (WPA -Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a client will be granted access to a WLAN.

Wireless Security 6-7

ZyAIR B-500 Wireless Access Point User’s Guide

6.5.2 Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x.

Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decode data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network.

The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The commonpassword approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs an easier-to-use, consistent, single, alphanumeric password.

6.6 WPA-PSK Application Example

A WPA-PSK application looks as follows. Step 1. First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK)

must consist of between 8 and 63 ASCII characters (including spaces and symbols).

Step 2. The AP checks each client’s password and (only) allows it to join the network if it matches its

password.

Step 3. The AP derives and distributes keys to the wireless clients. Step 4. The AP and wireless clients use the TKIP encryption process to encrypt data exchanged between

them.

6-8 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 6-5

WPA - PSK Authentication

6.7 Configuring WPA-PSK Authentication

In order to configure and enable WPA-PSK Authentication; click the WIRELESS link under ADVANCED to display the Wireless screen. Select WPA-PSK from the Security list.

Wireless Security 6-9

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 6-6 Wireless: WPA-PSK

The following table describes the wireless LAN security labels in this screen.

Table 6-4 Wireless: WPA-PSK

LABEL DESCRIPTION

Security

Select WPA-PSK from the drop-down list.

6-10 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Table 6-4 Wireless: WPA-PSK

LABEL DESCRIPTION

Pre-Shared Key

ReAuthentication Timer (in seconds)

The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials.

Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).

Specify how often wireless stations have to reenter usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).

If wireless station authentication is done using a RADIUS

server, the reauthentication timer on the RADIUS server has

priority.

Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network after a

period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).

WPA Group Key Update Timer

Apply

Reset

The WPA Group Key Update Timer is the rate at which the AP (if using WPA-PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the WPA Group Key Update Timer is also supported in WPA-PSK mode. The ZyAIR default is 1800 seconds (30 minutes).

Click Apply to save your changes back to the ZyAIR.

Click Reset to begin configuring this screen afresh.

6.8 Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.

The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

Wireless Security 6-11

ZyAIR B-500 Wireless Access Point User’s Guide

6.9 WPA with RADIUS Application Example

You need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA application example with an external RADIUS server looks as follows. “A” is the RADIUS server. “DS” is the distribution system.

Step 1. The AP passes the wireless client’s authentication request to the RADIUS server. Step 2. The RADIUS server then checks the user's identification against its database and grants or denies

network access accordingly.

Step 3. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a

key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

Figure 6-7 WPA with RADIUS Application Example

6.10 Configuring WPA Authentication

In order to configure and enable WPA Authentication; click the WIRELESS link under ADVANCED to display the Wireless screen. Select WPA from the Security list.

6-12 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 6-8 Wireless: WPA

The following table describes the wireless LAN security labels in this screen.

Table 6-5 Wireless: WPA

LABEL DESCRIPTION

Security

Select WPA from the drop-down list.

Wireless Security 6-13

ZyAIR B-500 Wireless Access Point User’s Guide

Table 6-5 Wireless: WPA

LABEL DESCRIPTION

ReAuthentication Timer (in seconds)

If wireless station authentication is done using a RADIUS

server, the reauthentication timer on the RADIUS server has

priority.

Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network after

a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).

WPA Group Key Update Timer

WPA-PSK mode. The ZyAIR default is 1800 seconds (30 minutes).

6.11 802.1x Overview

The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using the local user database internal to the ZyAIR (authenticate up to 32 users) or an external RADIUS server for an unlimited number of users.

See also the section on RADIUS in this User’s Guide.

6.12 Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default WEP encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled.

To use Dynamic WEP, enable and configure the RADIUS server (see section 6.20) and enable Dynamic WEP Key Exchange in the 802.1x screen. Ensure that the wireless station’s EAP type is configured to one of the following:

• EAP-TLS

6-14 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

• EAP-TTLS

• PEAP

EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

6.13 Configuring 802.1x and Dynamic WEP Key Exchange

In order to configure and enable 802.1x and Dynamic WEP Key Exchange; click the WIRELESS link under ADVANCED to display the Wireless screen. Select 802.1x + Dynamic WEP from the Security list.

Figure 6-9 Wireless: 802.1x and Dynamic WEP

The following table describes the wireless LAN security labels in this screen.

Wireless Security 6-15

ZyAIR B-500 Wireless Access Point User’s Guide

Table 6-6 Wireless: 802.1x and Dynamic WEP

LABEL DESCRIPTION

Security

ReAuthentication Timer (in seconds)

Select 802.1x + Dynamic WEP from the drop-down list.

If wireless station authentication is done using a RADIUS

server, the reauthentication timer on the RADIUS server has

priority.

Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network after

a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).

Dynamic WEP Key Exchange

Select 64-bit WEP or 128-bit WEP to enable data encryption. Up to 32 stations can access the ZyAIR when you configure dynamic WEP key exchange.

6.14 Configuring 802.1x and Static WEP Key Exchange

In order to configure and enable 802.1x and Static WEP Key Exchange; click the WIRELESS link under ADVANCED to display the Wireless screen. Select 802.1x + Static WEP from the Security list.

6-16 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 6-10 Wireless: 802.1x + Static WEP

The following table describes the wireless LAN security labels in this screen.

Wireless Security 6-17

ZyAIR B-500 Wireless Access Point User’s Guide

Table 6-7 Wireless: 802.1x + Static WEP

LABEL DESCRIPTION

Security WEP Encryption

Authentication Method

ASCII Select this option to enter ASCII characters as the WEP keys.

Hex Select this option to enter hexadecimal characters as the WEP keys.

Key 1 to Key 4

ReAuthentication Timer (in seconds)

Select 802.1x + Static WEP from the drop-down list.

Select 64-bit WEP or 128-bit WEP to enable data encryption.

Select Auto, Open System or Shared Key from the drop-down list box.

If WEP encryption is activated, the default setting is Auto.

The preceding “0x” is entered automatically.

The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations must use the same WEP key for data transmission.

You must configure all four keys, but only one key can be used at any one time. The default key is key 1.

If wireless station authentication is done using a RADIUS

server, the reauthentication timer on the RADIUS server has

priority.

Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network after a

period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).

6-18 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Table 6-7 Wireless: 802.1x + Static WEP

LABEL DESCRIPTION

Authentication Databases

The authentication database contains wireless station login information. The local user database is the built-in database on the ZyAIR. The RADIUS is an external server. Use this drop-down list box to select which database the ZyAIR should use (first) to authenticate a wireless station.

Before you specify the priority, make sure you have set up the corresponding database correctly first.

Select Local User Database Only to have the ZyAIR just check the built-in user database on the ZyAIR for a wireless station's username and password.

Select RADIUS Only to have the ZyAIR just check the user database on the specified RADIUS server for a wireless station's username and password.

Select Local first, then RADIUS to have the ZyAIR first check the user database on the ZyAIR for a wireless station's username and password. If the user name is not found, the ZyAIR then checks the user database on the specified RADIUS server.

Select RADIUS first, then Local to have the ZyAIR first check the user database on the specified RADIUS server for a wireless station's username and password. If the ZyAIR cannot reach the RADIUS server, the ZyAIR then checks the local user database on the ZyAIR. When the user name is not found or password does not match in the RADIUS server, the ZyAIR will not check the local user database and the authentication fails.

6.15 Configuring 802.1x

In order to configure and enable 802.1x; click the WIRELESS link under ADVANCED to display the Wireless screen. Select 802.1x + No WEP from the Security list.

Wireless Security 6-19

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 6-11 Wireless: 802.1x + No WEP

The following table describes the wireless LAN security labels in this screen.

Table 6-8 Wireless: 802.1x + No WEP

LABEL DESCRIPTION

Security

Select 802.1x from the drop-down list.

6-20 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Table 6-8 Wireless: 802.1x + No WEP

LABEL DESCRIPTION

ReAuthentication Timer (in Seconds)

Specify how often wireless stations have to reenter usernames and passwords in order to stay connected. This field is activated only when you select Authentication Required in the Wireless Port Control field.

Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).

If wireless station authentication is done using a RADIUS

server, the reauthentication timer on the RADIUS server has

priority.

Idle Timeout (in Seconds)

Authentication Databases

The ZyAIR automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed.

This field is activated only when you select Authentication Required in the Wireless Port Control field. The default time interval is 3600 seconds (1 hour).

This field is activated only when you select Authentication Required in the Wireless Port Control field.

Before you specify the priority, make sure you have set up the corresponding database correctly first.

Select Local User Database Only to have the ZyAIR just check the built-in user database on the ZyAIR for a wireless station's username and password.

Select RADIUS Only to have the ZyAIR just check the user database on the specified RADIUS server for a wireless station's username and password.

Wireless Security 6-21

ZyAIR B-500 Wireless Access Point User’s Guide

Once you enable user authentication, you need to specify an external RADIUS

server or create local user accounts on the ZyAIR for authentication.

6.16 MAC Filter

The MAC filter screen allows you to configure the ZyAIR to give exclusive access to up to 32 devices (Allow Association) or exclude up to 32 devices from accessing the ZyAIR (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of the devices to configure this screen.

To change your ZyAIR’s MAC Filter settings, click the WIRELESS link under ADVANCED and then the MAC Filter tab. The screen appears as shown.

6-22 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 6-12 MAC Address Filter

The following table describes the labels in this screen.

Wireless Security 6-23

ZyAIR B-500 Wireless Access Point User’s Guide

Table 6-9 MAC Address Filter

LABEL DESCRIPTION

Active

Filter Action Define the filter action for the list of MAC addresses in the MAC address filter table.

Set This is the index number of the MAC address.

MAC Address

Apply

Reset

Select Yes from the drop down list box to enable MAC address filtering.

Select Deny Association to block access to the ZyAIR, MAC addresses not listed will be allowed to access the ZyAIR.

Select Allow Association to permit access to the ZyAIR, MAC addresses not listed will be denied access to the ZyAIR.

Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless station that are allowed or denied access to the ZyAIR in these address fields.

Click Apply to save your changes back to the ZyAIR.

Click Reset to begin configuring this screen afresh.

6.17 Introduction to RADIUS

RADIUS is based on a client-sever model that supports authentication and accounting, where access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks among others:

• Authentication

Determines the identity of the users.

• Accounting

Keeps track of the client’s network activity.

RADIUS user is a simple package exchange in which your ZyAIR acts as a message relay between the wireless station and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:

• Access-Request

Sent by an access point requesting authentication.

• Access-Reject

Sent by a RADIUS server rejecting access.

6-24 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

• Access-Accept

Sent by a RADIUS server allowing access.

• Access-Challenge

Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

• Accounting-Request

Sent by the access point requesting accounting.

• Accounting-Response

Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the wired network from unauthorized access.

6.17.1 EAP Authentication Overview

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server or the AP. The ZyAIR supports EAPTLS, EAP-TTLS and DEAP with RADIUS. Refer to the Types of EAP Authentication appendix for descriptions on the four common types.

Your ZyAIR supports EAP-MD5 (Message-Digest Algorithm 5) with the local user database and RADIUS.

The following figure shows an overview of authentication when you specify a RADIUS server on your access point.

Figure 6-13 EAP Authentication

Wireless Security 6-25

ZyAIR B-500 Wireless Access Point User’s Guide

The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x appendix.

• The wireless station sends a “start” message to the ZyAIR.

• The ZyAIR sends a “request identity” message to the wireless station for identity information.

• The wireless station replies with identity information, including username and password.

• The RADIUS server checks the user information against its user profile database and determines

whether or not to authenticate the wireless station.

6.18 Introduction to Local User Database

By storing user profiles locally on the ZyAIR, your ZyAIR is able to authenticate wireless users without interacting with a network RADIUS server. However, there is a limit on the number of users you may authenticate in this way.

6.19 Configuring Local User Database

To change your ZyAIR’s local user database, click the WIRELESS link under ADVANCED and then the Local User Database tab. The screen appears as shown.

6-26 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 6-14 Local User Database

Wireless Security 6-27

ZyAIR B-500 Wireless Access Point User’s Guide

The following table describes the labels in this screen.

Table 6-10 Local User Database

LABEL DESCRIPTION

Active Select this check box to activate the user profile.

User Name Enter the username (up to 31 characters) for this user profile.

Password Type a password (up to 31 characters) for this user profile. Note that as you type a

password, the screen displays a (*) for each character you type.

Apply

Reset

Click Apply to save your changes back to the ZyAIR.

Click Reset to begin configuring this screen afresh.

6.20 Configuring RADIUS

Configure the RADIUS screen if you want to authenticate wireless users using an external server.

To set up your ZyAIR’s RADIUS server settings, click the WIRELESS link under ADVANCED and then the RADIUS tab. The screen appears as shown.

6-28 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 6-15 RADIUS

The following table describes the labels in this screen.

Table 6-11 RADIUS

LABEL DESCRIPTION

Authentication Server

Active

Server IP Address Enter the IP address of the external authentication server in dotted decimal

Select Yes from the drop-down list box to enable user authentication through an external authentication server.

Select No to enable user authentication using the local user profile on the ZyAIR.

notation.

Wireless Security 6-29

ZyAIR B-500 Wireless Access Point User’s Guide

Table 6-11 RADIUS

LABEL DESCRIPTION

Port Number Enter the port number of the external authentication server. The default port

number is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.

Shared Secret Enter a password (up to 31 alphanumeric characters) as the key to be shared

between the external authentication server and the ZyAIR.

The key must be the same on the external authentication server and your ZyAIR. The key is not sent over the network.

Accounting Server

Active

Server IP Address Enter the IP address of the external accounting server in dotted decimal notation.

Port Number Enter the port number of the external accounting server. The default port number

Shared Secret Enter a password (up to 31 alphanumeric characters) as the key to be shared

Apply

Reset

Select Yes from the drop down list box to enable user accounting through an external authentication server.

is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.

between the external authentication server and the ZyAIR.

The key must be the same on the external authentication server and your ZyAIR. The key is not sent over the network.

Click Apply to save your changes back to the ZyAIR.

Click Reset to begin configuring this screen afresh.

6-30 Wireless Security

ZyAIR B-500 Wireless Access Point User’s Guide

Chapter 7

IP Screen

This chapter discusses how to configure IP on the ZyAIR

7.1 Factory Ethernet Defaults

The Ethernet parameters of the ZyAIR are preset in the factory with the following values:

• IP address of 192.168.1.2

• Subnet mask of 255.255.255.0 (24 bits)

These parameters should work for the majority of installations.

7.2 TCP/IP Parameters

7.2.1 IP Address and Subnet Mask

Refer to the section on IP address and subnet mask in the Wizard Setup chapter for this information.

7.3 Configuring IP

Click IP to display the screen shown next.

Figure 7-1 IP Setup

IP 7-1

ZyAIR B-500 Wireless Access Point User’s Guide

The following table describes the labels in this screen.

Table 7-1 IP Setup

LABEL DESCRIPTION

IP Address Assignment

Get automatically from

DHCP

Select this option if your ZyAIR is using a dynamically assigned IP address from a DHCP server each time.

You must know the IP address assigned to the ZyAIR (by

the DHCP server) to access the ZyAIR again.

Use fixed IP address Select this option if your ZyAIR is using a static IP address. When you select

this option, fill in the fields below.

IP Address Enter the IP address of your ZyAIR in dotted decimal notation.

If you change the ZyAIR's IP address, you must use the

new IP address if you want to access the web

configurator again.

IP Subnet Mask Enter the subnet mask.

Gateway IP Address Enter the IP address of a gateway. The gateway is an immediate neighbor of

Apply

Reset

Click Apply to save your changes back to the ZyAIR.

Click Reset to begin configuring this screen afresh.

7-2 IP

Logs

Part III:

LOGS

This part provides information and configuration instructions for the logs.

III

ZyAIR B-500 Wireless Access Point User’s Guide

Chapter 8

Logs Screens

This chapter contains information about configuring general log settings and viewing the ZyAIR’s

logs. Refer to the appendix for example log message explanations.

8.1 Configuring View Log

The web configurator allows you to look at all of the ZyAIR’s logs in one location.

Click LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see section 8.2). Options include logs about system maintenance, system errors and access control.

You can view logs and alert messages in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted.

Click a column heading to sort the entries. A triangle indicates the direction of the sort order.

Figure 8-1 View Log

Logs Screens 8-1

ZyAIR B-500 Wireless Access Point User’s Guide

The following table describes the labels in this screen.

Table 8-1 View Log

LABEL DESCRIPTION

Display Select a log category from the drop down list box to display logs within the selected

category. To view all logs, select All Logs. The number of categories shown in the drop down list box depends on the selection in the Log Settings page.

Time This field displays the time the log was recorded. Message This field states the reason for the log. Source This field lists the source IP address and the port number of the incoming packet. Destination This field lists the destination IP address and the port number of the incoming packet. Note This field displays additional information about the log entry.

Email Log Now

Refresh

Clear Log

Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page.

Click Refresh to renew the log screen.

Click Clear Log to clear all the logs.

8.2 Configuring Log Settings

To change your ZyAIR’s log settings, click LOGS and then the Log Settings tab. The screen appears as shown.

Use the Log Settings screen to configure to where the ZyAIR is to send the logs; the schedule for when the ZyAIR is to send the logs and which logs and/or immediate alerts the ZyAIR is to send.

An alert is a type of log that warrants more serious attention. Some categories such as System Errors consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts are displayed in red and logs are displayed in black.

8-2 Logs Screens

ZyAIR B-500 Wireless Access Point User’s Guide

Figure 8-2 Log Settings

The following table describes the labels in this screen.

Logs Screens 8-3

ZyAIR B-500 Wireless Access Point User’s Guide

Table 8-2 Log Settings

LABEL DESCRIPTION

Address Info

Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses

specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.

Mail Subject Type a title that you want to be in the subject line of the log e-mail message that the

ZyAIR sends.

Send log to Logs are sent to the e-mail address specified in this field. If this field is left blank,

logs will not be sent via e-mail.

Send alerts to Enter the e-mail address where the alert messages will be sent. If this field is left

blank, alert messages will not be sent via e-mail.

Syslog Logging Syslog logging sends a log to an external syslog server used to store logs.

Active

Syslog IP Address Enter the server name or IP address of the syslog server that will log the selected

Log Facility Select a location from the drop down list box. The log facility allows you to log the

Send Log

Log Schedule This drop-down menu is used to configure the frequency of log messages being

Day for Sending Log

Time for Sending Log Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to

Click Active to enable syslog logging.

categories of logs.

messages to different files in the syslog server. Refer to the documentation of your syslog program for more details.

sent as E-mail:

• Daily

• Weekly

• Hourly

• When Log is Full

• None.

If the Weekly or the Daily option is selected, specify a time of day when the E-mail should be sent. If the Weekly option is selected, then also specify which day of the week the E-mail should be sent. If the When Log is Full option is selected, an alert is sent when the log fills up. If you select None, no log messages are sent.

This field is only available when you select Weekly in the Log Schedule field.

Use the drop down list box to select which day of the week to send the logs.

send the logs.

8-4 Logs Screens

ZyAIR B-500 Wireless Access Point User’s Guide

Table 8-2 Log Settings

LABEL DESCRIPTION

Clear log after sanding

Log Select the categories of logs that you want to record. Send Immediate Alert Select the categories of alerts for which you want the ZyAIR to immediately send

Apply Reset

Select the check box to clear all logs after logs and alert messages are sent via e-

mail

mail.

e-mail alerts. Click Apply to save your customized settings and exit this screen. Click Reset to reconfigure all the fields in this screen.

Logs Screens 8-5

Maintenance

Part IV:

MAINTENANCE

This part describes the Maintenance web configurator screens.

ZyXEL Communications ZyAIR B-500 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

ZyAIR B-500

Copyright

ZyXEL Limited Warranty

Customer Support

Table of Contents

List of Figures

List of Tables

Preface

Getting to Know Your ZyAIR

1.1 Introducing the ZyAIR Wireless Access Point

1.3 Applications for the ZyAIR

Introducing the Web Configurator

2.1 Accessing the ZyAIR Web Configurator

2.2 Resetting the ZyAIR

2.3 Navigating the ZyAIR Web Configurator

Wizard Setup

3.1 Wizard Setup Overview

3.2 Wizard Setup: General Setup

3.3 Wizard Setup: Wireless LAN

3.4 Wizard Setup: Screen 3

3.5 Wizard Setup: IP Address

3.6 Basic Setup Complete

4.2 Configuring General Setup

System Screens

4.4 Configuring Time Setting

Wireless Configuration and Roaming

5.2 Wireless LAN Basics

5.4 Configuring Wireless

Wireless Security

6.4 Configuring WEP Encryption

6.5 Introduction to WPA

6.7 Configuring WPA-PSK Authentication

To change your ZyAIR’s MAC Filter settings, click the WIRELESS link under ADVANCED and then the MAC Filter tab. The screen appears as shown.

IP Screen

7.3 Configuring IP

Logs Screens

8.1 Configuring View Log