ZyXEL Communications NWA-3160, User Manual

Page 1: ...m NWA3000 N Series Wireless N Business WLAN 3000 Series Access Point Copyright 2011 ZyXEL Communications Corporation Version 2 23 Edition 1 1 2011 Default Login Details IP Address https 192 168 1 2 User Name admin Password 1234 ...

Page 2: ......

Page 3: ...g right away It contains information on setting up your network and configuring for Internet access Support Disc Refer to the included CD for support documents ZyXEL Web Site Please refer to www zyxel com for additional support documentation and product certifications User Guide Feedback Help us help you Send all User Guide related comments questions or suggestions for improvement to the following...

Page 4: ...ppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Status Show Statistics means you first click Maintenance in the navigation panel the...

Page 5: ...cons Used in Figures Figures in this User s Guide may use the following generic icons The NWA3000 N series AP icon is not an exact representation of your device NWA3000 N series AP Computer Notebook computer Server Printer Firewall Telephone Switch Router ...

Page 6: ...or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution If the power adaptor or cord is damaged remove it from the power outlet Do NOT attempt to repair the power adaptor or cord Contact your local vendor to order a new one Do not use the device outside and make sure all the connections are indoors There is a remote risk of electric shock from lightnin...

Page 7: ...ridge 22 1 2 3 MBSSID 22 1 3 Management Mode 23 1 4 Ways to Manage the NWA3000 N series AP 24 1 5 Good Habits for Managing the NWA3000 N series AP 25 1 6 Hardware Connections 26 1 7 LEDs 27 1 8 Starting and Stopping the NWA3000 N series AP 29 Chapter 2 The Web Configurator 31 2 1 Overview 31 2 2 Access 32 2 3 The Main Screen 33 2 3 1 Title Bar 34 2 3 2 Navigation Panel 34 2 3 3 Warning Messages 38...

Page 8: ...eports 53 3 5 3 File Manager 53 3 5 4 Diagnostics 53 3 5 5 Shutdown 53 Chapter 4 Tutorials 55 4 1 Sample Network Setup 55 4 1 1 Set the Management Modes 56 4 1 2 Set the LAN IP Address and Management VLAN vlan99 57 4 1 3 Set Up Wireless User Authentication 58 4 1 4 Create the AP Profiles staff guest 60 4 2 Rogue AP Detection 63 4 2 1 Rogue AP Containment 67 4 3 Load Balancing 69 4 4 Dynamic Channe...

Page 9: ...og 96 6 10 View AP Log 100 Chapter 7 Management Mode 103 7 1 Overview 103 7 2 About CAPWAP 103 7 2 1 CAPWAP Discovery and Management 104 7 2 2 Managed AP Finds the Controller 104 7 2 3 CAPWAP and IP Subnets 104 7 2 4 Notes on CAPWAP 105 7 3 The Management Mode Screen 105 Chapter 8 LAN Setting 107 8 1 LAN Setting Overview 107 8 1 1 What You Can Do in this Chapter 107 8 1 2 What You Need to Know 107...

Page 10: ...l 129 10 3 Active Passive Mode 131 10 3 1 Edit Monitored Interface 134 10 4 Technical Reference 135 Chapter 11 User 137 11 1 Overview 137 11 1 1 What You Can Do in this Chapter 137 11 1 2 What You Need To Know 137 11 2 User Summary 138 11 2 1 Add Edit User 139 11 3 Setting 141 11 3 1 Edit User Authentication Timeout Settings 144 Chapter 12 AP Profile 147 12 1 Overview 147 12 1 1 What You Can Do in...

Page 11: ...cates 185 14 3 1 Edit Trusted Certificates 187 14 3 2 Import Trusted Certificates 190 14 4 Technical Reference 191 Chapter 15 System 193 15 1 Overview 193 15 1 1 What You Can Do in this Chapter 193 15 2 Host Name 194 15 3 Date and Time 194 15 3 1 Pre defined NTP Time Servers List 197 15 3 2 Time Server Synchronization 198 15 4 Console Speed 199 15 5 WWW Overview 200 15 5 1 Service Access Limitatio...

Page 12: ...Chapter 227 16 2 Email Daily Report 227 16 3 Log Setting 229 16 3 1 Log Setting Summary 230 16 3 2 Edit Log Settings 232 16 3 3 Edit Remote Server 236 16 3 4 Active Log Summary 238 Chapter 17 File Manager 241 17 1 Overview 241 17 1 1 What You Can Do in this Chapter 241 17 1 2 What you Need to Know 241 17 2 Configuration File 243 17 3 Firmware Package 248 17 4 Shell Script 249 Chapter 18 Diagnostic...

Page 13: ...wer Hardware Connections and LEDs 267 21 3 NWA3000 N series AP Access and Login 268 21 4 Internet Access 270 21 5 Wireless AP Troubleshooting 272 21 6 Resetting the NWA3000 N series AP 277 21 7 Getting More Troubleshooting Help 278 Chapter 22 Product Specifications 279 22 1 Wall Mounting Instructions 282 Appendix A Log Descriptions 285 Appendix B Importing Certificates 305 Appendix C Wireless LANs...

Page 14: ...Table of Contents NWA3000 N Series User s Guide 14 ...

Page 15: ...15 PART I User s Guide ...

Page 16: ...16 ...

Page 17: ...eater or even as an RF monitor to search for rouge APs to help eliminate network threats The NWA3000 N series AP controls network access with Media Access Control MAC address filtering rogue Access Point AP detection and containment and an internal authentication server It also provides a high level of network traffic security supporting IEEE 802 1x Wi Fi Protected Access WPA WPA2 and Wired Equiva...

Page 18: ...series APs A and B are connected to independent wired networks and have a bridge connection A can communicate with B at the same time A NWA3000 N series AP in repeater mode C has no Ethernet connection When the NWA3000 N series AP is in bridge mode you should enable Spanning Tree Protocol STP to prevent bridge loops When the NWA3000 N series AP is in Bridge Repeater mode security between APs the W...

Page 19: ...0 N Series User s Guide 19 At the time of writing WDS security is compatible with other ZyXEL access points only Refer to your other access point s documentation for details Figure 1 Bridge Application Figure 2 Repeater Application ...

Page 20: ...ystem allowing the computers in LAN 1 to connect to the computers in LAN 2 Figure 3 Bridging Example Be careful to avoid bridge loops when you enable bridging in the NWA3000 N series AP Bridge loops cause broadcast traffic to circle the network endlessly resulting in possible throughput degradation and disruption of communications The following examples show two network topologies that can lead to...

Page 21: ...s AP in bridge mode is connected to a wired LAN while communicating with another wireless bridge that is also connected to the same wired LAN Figure 5 Bridge Loop Bridge Connected to Wired LAN To prevent bridge loops ensure that you enable Spanning Tree Protocol STP in the Wireless screen or your NWA3000 N series AP is not set to bridge mode while connected to both wired and wireless segments of t...

Page 22: ...rity between the wireless stations and the AP If you do not enable WDS security traffic between APs is not encrypted When WDS security is enabled both APs must use the same pre shared key Unless specified the term security settings refers to the traffic between the wireless stations and the NWA3000 N series AP Figure 6 AP Bridge Application 1 2 3 MBSSID A Basic Service Set BSS is the set of device...

Page 23: ...which they have the correct security settings See Section 4 1 on page 55 for an example of using MBSS 1 3 Management Mode One NWA3000 N series AP uses Control And Provisioning of Wireless Access Points CAPWAP see RFC 5415 to allow one AP to configure and manage up to 24 others This centralized management can greatly reduce the effort of setting up and maintaining multiple devices An NWA3000 N seri...

Page 24: ...can use the following ways to manage the NWA3000 N series AP Web Configurator The Web Configurator allows easy NWA3000 N series AP setup and management using an Internet browser This User s Guide provides information about the Web Configurator Command Line Interface CLI The CLI allows you to use text based commands to configure the NWA3000 N series AP You can access it using remote management for ...

Page 25: ...itored by an SNMP manager See the SNMP chapter in this User s Guide Controller Set one NWA3000 N series AP to be a controller and set other NWA3000 N series APs to be managed by it 1 5 Good Habits for Managing the NWA3000 N series AP Do the following things regularly to make the NWA3000 N series AP more secure and to manage it more effectively Change the password often Use a password that s not ea...

Page 26: ...becomes unstable or even crashes If you forget your password you will have to reset the NWA3000 N series AP to its factory default settings If you backed up an earlier configuration file you won t have to totally re configure the NWA3000 N series AP you can simply restore your last configuration 1 6 Hardware Connections See your Quick Start Guide for information on making hardware connections ...

Page 27: ... following are the LED descriptions for your NWA3000 N series AP Figure 8 LEDs Table 2 LEDs LABEL COLOR STATUS DESCRIPTION WLAN Green On The wireless LAN is active Blinking The wireless LAN is active and transmitting or receiving data Off The wireless LAN is not active ...

Page 28: ...es AP has a 1000 Mbps Ethernet connection and is sending receiving data Off The NWA3000 N series AP does not have an Ethernet connection POWER SYS Green On The NWA3000 N series AP is receiving power and functioning properly Off The NWA3000 N series AP is not receiving power Red Blinking Either If the LED blinks during the boot up process the system is starting up or If the LED blinks after the boo...

Page 29: ...ses Rebooting the NWA3000 N series AP A warm start without powering down and powering up again occurs when you use the Reboot button in the Reboot screen or when you use the reboot command The NWA3000 N series AP writes all cached data to the local storage stops the system processes and then does a warm start Using the RESET button If you press the RESET button the NWA3000 N series AP sets the con...

Page 30: ...Chapter 1 Introduction NWA3000 N Series User s Guide 30 ...

Page 31: ...sy management using an Internet browser In order to use the Web Configurator you must Use Internet Explorer 7 0 and later or Firefox 1 5 and later Allow pop up windows Enable JavaScript enabled by default Enable Java permissions enabled by default Enable cookies The recommended screen resolution is 1024 x 768 pixels and higher ...

Page 32: ...ogin screen appears 3 Enter the user name default admin and password default 1234 4 Click Login If you logged in using the default user name and password the Update Admin Info screen appears Otherwise the dashboard appears This screen appears every time you log in using the default user name and default password If you change the password for the default user account this screen does not appear an...

Page 33: ...nfigurator NWA3000 N Series User s Guide 33 2 3 The Main Screen The Web Configurator s main screen is divided into these parts Figure 9 The Web Configurator s Main Screen A Title Bar B Navigation Panel C Main Window A C B ...

Page 34: ...e NWA3000 N series AP s navigation panel menus and their screens Figure 11 Navigation Panel Table 4 Title Bar Web Configurator Icons LABEL DESCRIPTION Logout Click this to log out of the Web Configurator Help Click this to open the help page for the current screen About Click this to display basic information about the NWA3000 N series AP Site Map Click this to see an overview of links to the Web ...

Page 35: ...formation about the radios of the connected APs AP List Displays which APs are currently connected to the NWA3000 N series AP This is available when the NWA3000 N series AP is in controller mode Station Info Displays information about the connected stations Rogue AP Displays information about suspected rogue APs Legacy Device Info Use these screens to connect to legacy NWA3000 N series AP 3000 APs...

Page 36: ...gs for all users general settings for user sessions and rules to force user authentication AP Profile Radio Create and manage wireless radio settings files that can be associated with different APs SSID Create and manage wireless SSID security and MAC filtering settings files that can be associated with different APs MON Profile Create and manage rogue AP monitoring files that can be associated wi...

Page 37: ...ing Configure the system log e mail logs and remote syslog servers Table 6 Configuration Menu Screens Summary continued FOLDER OR LINK TAB FUNCTION Table 7 Maintenance Menu Screens Summary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the NWA3000 N series AP Firmware Package View the current firmware version and to upload firmware Shell Scrip...

Page 38: ...up window Figure 12 Warning Message 2 3 4 Site Map Click Site MAP to see an overview of links to the Web Configurator screens Click a screen s link to go to that screen Figure 13 Site Map 2 3 5 Object Reference Click Object Reference to open the Object Reference screen Select the type of object and the individual object and click Refresh to show which configuration ...

Page 39: ...the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a service s name to display the service s configuration screen in the main window Priority If it is applicable this field lists the referencing configuration item s po...

Page 40: ...to remove the currently displayed information Note See the Command Reference Guide for information about the commands 2 3 5 2 Console The Console allows you to use CLI commands from directly within the Web Configurator rather than having to use a separate terminal program In addition to logging in directly to the NWA3000 N series AP s CLI you can also log into other devices on the network through ...

Page 41: ...EL DESCRIPTION Command Line Enter commands for the device that you are currently logged into here If you are logged into the NWA3000 N series AP see the CLI Reference Guide for details on using the command line to configure it Device IP Address This is the IP address of the device that you are currently logged into Logged In User This displays the username of the account currently logged into the ...

Page 42: ...lick the Console button on the Web Configurator title bar 2 Enter the IP address of the NWA3000 N series AP and click OK Connection Status This displays the connection status of the account currently logged in If you are logged in and connected then this displays Connected If you lose the connection get disconnected or logout then this displays Not Connected Tx RX Activity Monitor This displays th...

Page 43: ...your target device and then click OK 4 You may be prompted to authenticate your account password depending on the type of device that you are logging into Enter the password and click OK 5 If your login is successful the command line appears and the status bar at the bottom of the Console updates to reflect your connection state ...

Page 44: ...lick a column heading to sort the table s entries according to that column s criteria 2 Click the down arrow next to a column heading for more options about how to display the entries The options available vary depending on the type of fields in the column Here are some examples of what you can do Sort in ascending alphabetical order Sort in descending reverse alphabetical order Select which colum...

Page 45: ...the column 4 Select a column heading and drag and drop it to change the column order A green check mark displays next to the column s title when you drag the column to a valid new location 5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time ...

Page 46: ...open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red triangles display for table entries with changes that you have not yet applied Remove To remove an entry select it and click Remove The NWA3000 N series AP confirms you want to remove it before doing so Activate To turn on an ...

Page 47: ...vailable entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other In some lists you can also use the Shift or Ctrl key to select multiple entries and then use the arrow button to move them to the other list Figure 17 Working with Lists ...

Page 48: ...Chapter 2 The Web Configurator NWA3000 N Series User s Guide 48 ...

Page 49: ... use the object For example if you create a local certificate object you can have HTTPS FTP SSH and other settings use it If you modify the local certificate object all the HTTPS FTP SSH and other settings that are linked to that object automatically apply the updated settings You can use the Configuration Objects screens to create objects before you configure features that use them If you are in ...

Page 50: ...ems and tabs you should click to find the main screen s for this feature See the web help or the related User s Guide chapter for information about each screen PREREQUISITES These are other features you should configure before you configure the main screen s for this feature If you did not configure one of the prerequisites first you can often select an option to create a new object After you crea...

Page 51: ...use this table when you want to delete an object because you have to delete references to the object first 3 4 1 User Use these screens to configure the NWA3000 N series AP s administrator and user accounts The NWA3000 N series AP provides the following user types PREREQUISITES Radio profiles SSID profiles and security profiles MENU ITEM S Configuration Device HA PREREQUISITES Interfaces with a st...

Page 52: ...onsole speed Use Language to select a language for the Web Configurator screens 3 5 1 WWW SSH TELNET FTP SNMP and Auth Server Use these screens to set which services or protocols can be used to access the NWA3000 N series AP Table 14 AP Profile Types TYPE ABILITIES Radio Create radio profiles for the APs on your network SSID Create SSID profiles for the APs on your network Security Create security...

Page 53: ...o run a series of CLI commands These are useful for large repetitive configuration changes and for troubleshooting You can edit configuration files and shell scripts in any text editor 3 5 4 Diagnostics The NWA3000 N series AP can generate a file containing the NWA3000 N series AP s configuration and diagnostic information It can also capture packets going through the NWA3000 N series AP s interfa...

Page 54: ...Chapter 3 Configuration Basics NWA3000 N Series User s Guide 54 ...

Page 55: ...s staff and guest Staff connections have full access to the network while guests are limited to Internet access DNS HTTP and HTTPS services Figure 18 Tutorial Network Topology Requirements A DHCP server A with Option 138 an AD server a switch B that supports 802 1q a Layer 3 routing device and a firewall C Note In this topology the firewall such as a ZyWALL controls what services traffic from diff...

Page 56: ...n only access the Internet while the staff VLAN 101 has access to all aspects of the network 4 1 1 Set the Management Modes Use this section to set the management modes for the controller and managed APs Table 16 Tutorial Topology Summary VLAN VLAN ID IP ADDRESS Management 99 10 10 99 10 24 Staff 101 10 1 101 254 24 Guest 102 10 1 102 254 24 vlan 102 vlan 102 Managed APs Controller ...

Page 57: ...ther NWA3000 N series APs and use the Configuration MGNT MODE screen to set them to be the managed APs using the Auto IP address option so they obtain the controller s IP address from the DHCP server 2 Now you can no longer log into the web configurator of the managed NWA3000 N series APs you must manage the NWA3000 N series AP through the controller AP on your network 4 1 2 Set the LAN IP Address...

Page 58: ...ler s IP address configured as option 138 so the managed NWA3000 N series APs can get the controller s IP address from it See Chapter 7 on page 103 for details 4 1 3 Set Up Wireless User Authentication This section shows you how to set up the controller s internal RADIUS server and user accounts Note If you did not replace the factory default certificate with one that uses your NWA3000 N series AP...

Page 59: ...User s Guide 59 1 Open the Configuration System Auth Server screen Turn on the authentication server and select the certificate to use Click Apply 2 Open the Configuration Object User User screen and click Add 3 The Add A User window opens ...

Page 60: ... Profiles staff guest This section shows you how to configure the Access Point AP profiles that will be used by your APs once they are connected to the network You will first create a security profile and an SSID profile for staff access then you will create a second pair for guest access Finally you will associate them with a radio profile which is applied to your AP s radio transmitter 1 Open th...

Page 61: ...file Name Enter wap2 2b Security Mode Select wpa2 from the list of available wireless security encryption methods 2c Under Security Mode select 802 1X then set the Radius Server Type to Internal 2d Click OK 3 Next open the Configuration Object AP Profile SSID SSID List screen and click the Add button ...

Page 62: ... Security Profile Select wpa2 from the list This is the security profile created in step 2 4d QoS Select WMM 4e VLAN ID Enter 101 4f Turn on intra BSS traffic blocking 4g Click OK to save these settings 5 Repeat steps 3 and 4 to create the guest SSID profile with the same settings except guest as the profile name and SSID and 102 for the VLAN ID 6 Open the Configuration Object AP Profile Radio scr...

Page 63: ...er the control of the network administrator In short they are a security risk because they circumvent network security policy AP detection only works when at least 1 AP is configured for Monitor mode The following are some suggestions on monitor AP placement Neighboring companies that both support wireless network If you can detect your neighbor s APs and you know they are friendly you can add the...

Page 64: ... 64 In this example an employee illicitly connects his own AP RG to the network that the NWA3000 N series AP manages While not necessarily a malicious act it can nonetheless have severe security consequences on the network Figure 20 Rogue AP Example A ...

Page 65: ...mimic an NWA3000 N series AP controlled SSID in order to capture passwords and other information when authorized wireless clients mistakenly connect to it Figure 21 Rogue AP Example B This tutorial shows you how to detect rogue APs on your network 1 Click Configuration Object MON Profile to open the MON Profile screen and click the Add button ...

Page 66: ...ile Profile Name For the purposes of this tutorial set this to Monitor01 Channel Dwell Time Leave this as the default 100 milliseconds This field is the number of milliseconds that the monitor AP scans each channel before moving on to the next Scan Channel Mode Set this to auto to automatically scan channels in the area 3 Click OK to save your changes 4 Next click Configuration Wireless AP Managem...

Page 67: ...er 13 on page 165 4 2 1 Rogue AP Containment When the NWA3000 N series AP discovers a rogue AP within its broadcast radius it can react in one of two ways If the rogue AP is connected directly to the network such as plugged into a switch downstream of the NWA3000 N series AP then the network administrator must manually disconnect it The NWA3000 N series AP does not allow the isolation of a rogue A...

Page 68: ... broadcasting dummy packets so that it cannot makes connections with employee clients and capture data from them Figure 22 Containing a Rogue AP This tutorial shows you how to quarantine a rogue AP on your network 1 Click Configuration Wireless MON Mode ...

Page 69: ... network 4 3 Load Balancing When your AP becomes overloaded there are two basic responses it can take The first one is to delay a client connection by withholding the connection until the data transfer throughput is lowered or the client connection is picked up by another AP If the client isn t picked up after a set period of time the AP allows it to connect regardless The second response is to ki...

Page 70: ...signal strength 5 Click Apply to save your changes See also Chapter 9 on page 111 4 4 Dynamic Channel Selection Dynamic Channel Selection DCS is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices When numerous APs broadcast within a given area they intr...

Page 71: ...long as the area in which your AP is located has minimal interference from other devices you can set the DCS Sensitivity Level to Low This means that the AP has a very broad tolerance 5 Select Enable DCS Client Aware Select this so that the APs on your network do not change channels as long as any wireless clients are connected to them When they must change channels they will wait until all statio...

Page 72: ...Chapter 4 Tutorials NWA3000 N Series User s Guide 72 ...

Page 73: ...73 PART II Technical Reference ...

Page 74: ...74 ...

Page 75: ...information about the NWA3000 N series AP 5 1 1 What You Can Do in this Chapter The main Dashboard screen Section 5 2 on page 76 displays the NWA3000 N series AP s general device information system status system resource usage and interface status You can also display other status screens for more information ...

Page 76: ...u can also collapse refresh and close individual widgets Figure 23 Dashboard The following table describes the labels in this screen Table 17 Dashboard LABEL DESCRIPTION Widget Settings A Use this link to re open closed widgets Widgets that are already open appear grayed out Up Arrow B Click this to collapse a widget Refresh Time Setting C Set the interval for refreshing the information displayed ...

Page 77: ... This field displays what percentage of the NWA3000 N series AP s RAM is currently being used Hover your cursor over this field to display the Show Memory Usage icon that takes you to a chart of the NWA3000 N series AP s recent memory usage Flash Usage This field displays what percentage of the NWA3000 N series AP s onboard flash memory is currently being used AP Information This shows a summary o...

Page 78: ...s AP started up successfully Firmware update OK A firmware update was successful Problematic configuration after firmware update The application of the configuration failed after a firmware upgrade System default configuration The NWA3000 N series AP successfully applied the system default configuration This occurs when the NWA3000 N series AP starts for the first time or you intentionally reset t...

Page 79: ...k via DHCP If this interface is a member of an active virtual router this field displays the IP address it is currently using This is either the static IP address of the interface if it is the master or the management IP address if it is a backup IP Assignment This field displays how the interface gets its IP address Static This interface has a static IP address DHCP Client This interface gets its...

Page 80: ...e radio OP Mode This indicates the radio s operating mode Operating modes are AP access point or MON monitor Channel This indicates the channel number the radio is using Station This displays the number of wireless clients connected to the NWA3000 N series AP Table 17 Dashboard continued LABEL DESCRIPTION Table 18 Dashboard CPU Usage LABEL DESCRIPTION The y axis represents the percentage of CPU us...

Page 81: ...ard Figure 25 Dashboard Memory Usage The following table describes the labels in this screen Table 19 Dashboard Memory Usage LABEL DESCRIPTION The y axis represents the percentage of RAM usage The x axis shows the time period over which the RAM usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in the wi...

Page 82: ...Chapter 5 Dashboard NWA3000 N Series User s Guide 82 ...

Page 83: ...in each of the APs connected to the NWA3000 N series AP The Station Info screen Section 6 6 on page 93 displays information about suspected rogue APs The Rogue AP screen Section 6 7 on page 94 displays information about suspected rogue APs Use the Legacy Device screens Section 6 8 on page 95 to connect to legacy NWA3000 N series AP 3000 APs This is available when the NWA3000 N series AP is in cont...

Page 84: ...orks for example See Chapter 13 on page 165 for details 6 3 LAN Status Use this screen to look at general LAN interface information and packet statistics To access this screen click Monitor LAN Status Figure 26 Monitor LAN Status The following table describes the labels in this screen Table 20 Monitor LAN Status LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated aut...

Page 85: ...If this interface is a member of an active virtual router this field displays the IP address it is currently using This is either the static IP address of the interface if it is the master or the management IP address if it is a backup IP Assignment This field displays how the interface gets its IP address Static This interface has a static IP address DHCP Client This interface gets its IP address...

Page 86: ...ion speed in bytes per second on the physical port in the one second interval before the screen updated Rx This field displays the reception speed in bytes per second on the physical port in the one second interval before the screen updated Up Time This field displays how long the physical port has been connected System Up Time This field displays how long the NWA3000 N series AP has been running ...

Page 87: ...tistics as a table Kbps The y axis represents the speed of transmission or reception time The x axis shows the time period over which the transmission or reception occurred TX This line represents traffic transmitted from the NWA3000 N series AP on the physical port since it was last connected RX This line represents the traffic received by the NWA3000 N series AP on the physical port since it was...

Page 88: ...P s connection status with icons For details on the different Status states see the next table Registration This indicates whether the AP is registered with the managed AP list IP Address This displays the AP s IP address MAC Address This displays the AP s MAC address Model This displays the AP s model number Mgmt VLAN ID This displays the number of the AP s management VLAN Description This displa...

Page 89: ...bes the labels in this screen 6 5 Radio List Use this screen to view statistics for the NWA3000 N series AP s wireless radio transmitters when it is in standalone mode or the radios in each of the APs Table 24 Monitor System Status AP List More Information LABEL DESCRIPTION Station Count The y axis represents the number of connected stations Time The x axis shows the time over which a station was ...

Page 90: ...plays the description of the AP to which the radio belongs Model This displays the model of the AP to which the radio belongs MAC Address This displays the MAC address of the radio Radio This indicates the radio number on the AP to which it belongs OP Mode This indicates the radio s operating mode Operating modes are AP access point or MON monitor Profile This indicates the profile name to which t...

Page 91: ...reen allows you to view a selected radio s MBSSID details wireless traffic statistics and station count for the preceding 24 hours To access this window click the More Information button in the Radio List Statistics screen Figure 31 Monitor Wireless AP Information Radio List More Information ...

Page 92: ...his displays information about the Wireless Distribution System WDS connections Link ID This field displays the name of the bridge connection Peer MAC Address This field displays the hardware address of the peer device Status This field displays the status of the connection to the peer device Security Mode This field displays which type of security the NWA3000 N series AP is using for WDS with thi...

Page 93: ...s list MAC Address This is the station s MAC address Associated AP This is available when the NWA3000 N series AP is in controller mode This indicates the AP through which the station is connected to the network SSID Name This indicates the name of the wireless network to which the station is connected A single AP can have multiple SSIDs or networks Security Mode This indicates which secure encryp...

Page 94: ...dly AP Click this button to mark the selected AP as a friendly AP For more on managing friendly APs see the Configuration Wireless MON Mode screen Chapter 9 on page 111 This is the station s index number in this list Status This indicates the detected device s status Device This indicates the type of device detected Role This indicates the detected device s role such as friendly or rogue MAC Addre...

Page 95: ...ribes the labels in this screen Last Seen This indicates the last time the device was detected by the NWA3000 N series AP Refresh Click this to refresh the items displayed on this page Table 28 Monitor Wireless Rogue AP continued LABEL DESCRIPTION Table 29 Monitor Wireless Legacy Device Info LABEL DESCRIPTION Add Click this to add a device to the list of legacy APs the NWA3000 N series AP monitors...

Page 96: ...u can look at all the log messages by selecting All Logs or you can select a specific category of log messages for example user You can also look at the debugging log by selecting Debug Log All debugging messages have the same priority To access this screen click Monitor Log The log is displayed in the following screen IP This is the IP address of the legacy AP Description This is manually entered...

Page 97: ...rst For individual log descriptions see Appendix A on page 285 For the maximum number of log messages in the NWA3000 N series AP see Chapter 22 on page 279 Events that generate an alert as well as a log message display in red Regular logs display in black Click a column s heading cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order Figure ...

Page 98: ...isplays when you show the filter Select the source interface of the packet that generated the log message Destination Interface This displays when you show the filter Select the destination interface of the packet that generated the log message Keyword This displays when you show the filter Type a keyword to look for in the Message Source Destination and Note fields If a match is found in any fiel...

Page 99: ... the Message field if log consolidation is turned on and multiple entries were aggregated to generate into this one Source This field displays the source IP address and the port number in the event that generated the log message Destination This field displays the destination IP address and the port number of the event that generated the log message Note This field displays any additional informat...

Page 100: ... 32 Monitor Log View AP Log LABEL DESCRIPTION Show Hide Filter Click this to show or hide the AP log filter Select an AP Select an AP from the list to view its log messages Log Query Status This indicates the current log query status init Indicates the query has not been initialized querying Indicates the query is in process fail Indicates the query failed success Indicates the query succeeded AP ...

Page 101: ...erface to display only the log messages that include it Note This criterion only appears when you Show Filter Keyword Enter a keyword to display only the log messages that include it Note This criterion only appears when you Show Filter Protocol Select a protocol to display only the log messages that include it Note This criterion only appears when you Show Filter Search Click this to start the lo...

Page 102: ...displays the source IP address of the selected log message Destination This displays the source IP address of the selected log message Note This displays any notes associated with the selected log message Table 32 Monitor Log View AP Log continued LABEL DESCRIPTION ...

Page 103: ...ing of Wireless Access Points CAPWAP network 7 2 About CAPWAP The NWA3000 N series AP supports CAPWAP This is ZyXEL s implementation of the CAPWAP protocol RFC 5415 The CAPWAP dataflow is protected by Datagram Transport Layer Security DTLS The following figure illustrates a CAPWAP wireless network You U configure the AP controller C which then automatically updates the configurations of the manage...

Page 104: ...tion information as well as securely transmitting the DTLS pre shared key The managed AP is ready for association with wireless clients 7 2 2 Managed AP Finds the Controller A managed NWA3000 N series AP can find the controller in one of the following ways Manually specify the controller s IP address using the commands See the NWA3000 N series AP CLI Reference Guide for details Get the controller ...

Page 105: ... implementation of the CAPWAP protocol When the AP controller uses its internal Remote Authentication Dial In User Service RADIUS server managed APs also use the AP controller s authentication server to authenticate wireless clients If a managed AP s link to the AP controller is broken the managed AP continues to use the wireless settings with which it was last provided 7 3 The Management Mode Scr...

Page 106: ... directly to the controller you have to connect to it through the wired network Standalone AP Select this to manage the NWA3000 N series AP using its own web configurator neither managing nor managed by other devices Managed AP Select this to have the NWA3000 N series AP managed by another NWA3000 N series AP on your network When you do this the NWA3000 N series AP can be configured ONLY by the ma...

Page 107: ...a The DNS server is extremely important because without it you must know the IP address of a machine before you can access it DNS Server Address Assignment The NWA3000 N series AP can get the DNS server addresses in the following ways The ISP tells you the DNS server addresses usually in the form of an information sheet when you sign up If your ISP gives you DNS server addresses manually enter the...

Page 108: ...hapter 8 LAN Setting NWA3000 N Series User s Guide 108 8 2 LAN Setting This screen lists every Ethernet interface To access this screen click Configuration LAN Setting Figure 41 Configuration LAN Setting ...

Page 109: ...he following ways to specify these IP addresses User Defined enter a static IP address From ISP select the DNS server that another interface received from its DHCP server Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove a...

Page 110: ...ement VLAN ID Enter a VLAN ID for the NWA3000 N series AP As Native VLAN Select this option to treat this VLAN ID as a VLAN created on the NWA3000 N series AP and not one assigned to it from outside the network Apply Click Apply to save your changes back to the NWA3000 N series AP Reset Click Reset to return the screen to its last saved settings Table 34 Configuration LAN Setting continued LABEL D...

Page 111: ...AP is in controller mode The MON Mode screen Section 9 4 on page 116 allows you to assign APs either to the rogue AP list or the friendly AP list The Load Balancing screen Section 9 5 on page 119 configures network traffic load balancing between the APs and the NWA3000 N series AP The DCS screen Section 9 6 on page 122 configures dynamic radio channel selection 9 1 2 What You Need to Know The foll...

Page 112: ...on Wireless Controller Each field is described in the following table Table 36 Configuration Wireless Controller LABEL DESCRIPTION Registration Type Select Manual to add each AP to the NWA3000 N series AP for management or Always Accept to automatically add APs to the NWA3000 N series AP for management Note Select the Manual option for managing a specific set of APs This is recommended as the regi...

Page 113: ...list Note If in the Configuration Wireless Controller screen you set the Registration Type to Always Accept then as soon as you remove an AP from this list it reconnects Reboot Select an AP and click this button to force it to restart This field is a sequential value and it is not associated with any interface IP Address This field displays the IP address of the AP MAC This field displays the MAC ...

Page 114: ...P Management Standalone Mode LABEL DESCRIPTION Model This field displays the AP s hardware model information It displays N A not applicable only when the AP disconnects from the NWA3000 N series AP and the information is unavailable as a result R1 Mode Profile This field displays the AP or MON profile for Radio 1 R2 Mode Profile If the NWA3000 N series AP has a second radio this field displays the...

Page 115: ...wing table Table 39 Configuration Wireless Edit AP List LABEL DESCRIPTION Create new Object Use this menu to create a new Radio or SSID object to associate with this AP MAC Address This displays the MAC address of the selected AP Model This field displays the AP s hardware model information It displays N A not applicable only when the AP disconnects from the NWA3000 N series AP and the information...

Page 116: ... a new one through the Create new Object menu Radio 2 OP Mode This displays if the NWA3000 N series AP has a second radio Select the operating mode for radio 2 AP Mode means the AP can receive connections from wireless clients and pass their data traffic through to the NWA3000 N series AP to be managed or subsequently passed on to an upstream gateway for managing MON Mode means the AP monitors the...

Page 117: ...n AP in the list to remove Containment Click this button to quarantine the selected AP A quarantined AP cannot grant access to any network services Any stations that attempt to connect to a quarantined AP are disconnected automatically Dis Containment Click this button to stop the quarantine of the selected AP so it has normal access to the network This field is a sequential value and it is not as...

Page 118: ...opulated click Importing to bring the list into the NWA3000 N series AP You need to wait a while for the importing process to finish Exporting Click this button to export the current list of either rogue APs or friendly APS Apply Click Apply to save your changes back to the NWA3000 N series AP Reset Click Reset to return the screen to its last saved settings Table 40 Configuration Wireless MON Mod...

Page 119: ...on the NWA3000 N series AP Mode Select a mode by which load balancing is carried out Select By Station Number to balance network traffic based on the number of specified stations connect to an AP Select By Traffic Level to balance network traffic based on the volume generated by the stations connected to an AP Once the threshold is crossed either the maximum station numbers or with network traffic...

Page 120: ... AP simply delays the connection until it can afford the bandwidth it requires or it shunts the connection to another AP within its broadcast radius The kick priority is determined automatically by the NWA3000 N series AP and is as follows Idle Timeout Devices that have been idle the longest will be kicked first If none of the connected devices are idle then the priority shifts to Signal Strength ...

Page 121: ...k the connections that are pushing it over its balanced bandwidth allotment Figure 51 Kicking a Connection Connections are kicked based on either idle timeout or signal strength The NWA3000 N series AP first looks to see which devices have been idle the longest then starts kicking them in order of highest idle time If no connections are idle the next criteria the NWA3000 N series AP analyzes is si...

Page 122: ...is to have the NWA3000 N series AP automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices DCS Time Interval Enter a number of minutes This regulates how often the NWA3000 N series AP surveys the other APs within its broadcast radius If the channel on which it is currently broadcasting su...

Page 123: ...clients that are connected to the AP when it switches channels are dropped 2 4 GHz Channel Selection Method Select how you want to specify the channels the NWA3000 N series AP switches between for 2 4 GHz operation Select auto to have the NWA3000 N series AP display a 2 4 GHz Channel Deployment field you can use to limit channel switching to 3 or 4 channels Select manual to select the individual c...

Page 124: ...Hz spectrum each channel from 1 to 13 is broken up into discrete 22 MHz segments that are spaced 5 MHz apart Channel 1 is centered on 2 412 GHz while channel 13 is centered on 2 472 GHz Enable 5 GHz DFS Aware Select this if your APs are operating in an area known to have RADAR devices This allows the device to downgrade its frequency to below 5 GHz in the event a RADAR signal is detected thus prev...

Page 125: ...Deployment However some regions require the use of other channels and often use a safety scheme with the following four channels 1 4 7 and 11 While they are situated sufficiently close to both each other and the three so called safe channels 1 6 and 11 that interference becomes inevitable the severity of it is dependent upon other factors proximity to the affected AP signal strength activity and s...

Page 126: ...till connects to the AP regardless of the delay then the AP may boot other people who are already connected in order to associate with the new connection Load balancing by traffic level limits the number of connections to the AP based on maximum bandwidth available If you are uncertain as to the exact number of wireless connections you will have then choose this option By setting a maximum bandwid...

Page 127: ...B is the backup for device A in the event something happens to it and prevents it from managing the wireless network 10 1 1 What You Can Do in this Chapter The General screen Section 10 2 on page 129 configures device HA global settings and displays the status of each interface monitored by device HA The Active Passive Mode screens Section 10 3 on page 131 use active passive mode device HA You can...

Page 128: ...P address Synchronization Use synchronization to have a backup NWA3000 N series AP copy the master NWA3000 N series AP s configuration and certificates Note Only NWA3000 N series APs of the same model and firmware version can synchronize Otherwise you must manually configure the master NWA3000 N series AP s settings on the backup by editing copies of the configuration files in a text editor for ex...

Page 129: ...ult Legacy mode device HA is not supported by the NWA3000 N series AP The master and its backups must all use the same device HA mode Monitored Interface Summary This table shows the status of the interfaces that you selected for monitoring in the other device HA screens This is the entry s index number in the list Interface These are the names of the interfaces that are monitored by device HA Vir...

Page 130: ... IP address and subnet mask Fault This interface is not functioning in the virtual router right now In active passive mode or in legacy mode with link monitoring enabled if one of the master NWA3000 N series AP s interfaces loses its connection the master NWA3000 N series AP forces all of its interfaces to the fault state so the backup NWA3000 N series AP can take over all of the master NWA3000 N ...

Page 131: ...assive Mode screen lets you configure general active passive mode device HA settings view and manage the list of monitored interfaces and synchronize backup NWA3000 N series APs To access this screen click Configuration Device HA Active Passive Mode Figure 58 Configuration Device HA Active Passive Mode ...

Page 132: ...ace has priority 255 Enable Preemption This field is available for a backup NWA3000 N series AP Select this if this NWA3000 N series AP should become the master NWA3000 N series AP if a lower priority NWA3000 N series AP is the master when this one is enabled If the role is master the NWA3000 N series AP preempts by default Cluster Settings Cluster ID Type the cluster ID number A virtual router co...

Page 133: ...wn or up Synchronization Use synchronization to have a backup NWA3000 N series AP copy the master NWA3000 N series AP s configuration and certificates Every interface s management IP address must be in the same subnet as the interface s IP address the virtual router IP address Server Address If this NWA3000 N series AP is set to backup role enter the IP address or Fully Qualified Domain Name FQDN ...

Page 134: ... from it If you leave this field blank in a backup NWA3000 N series AP it cannot synchronize from the master NWA3000 N series AP Auto Synchronize Select this to get the updated configuration automatically from the specified NWA3000 N series AP according to the specified Interval The first synchronization begins after the specified Interval the NWA3000 N series AP does not synchronize immediately I...

Page 135: ...e s connection Interface Name This identifies the interface Virtual Router IP VRIP Subnet Mask This is the interface s static IP address and subnet mask in the virtual router Whichever NWA3000 N series AP is currently serving as the master uses this virtual router IP address and subnet mask These fields are blank if the interface is a DHCP client or has no IP settings Manage IP Enter the interface...

Page 136: ...ster and backup NWA3000 N series APs Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master NWA3000 N series AP Virtual Router and Management IP Addresses If a backup takes over for the master it uses the master s IP addresses These IP addresses are know as the virtual router IP addresses Each interface can ...

Page 137: ... lockout settings and other user settings for the NWA3000 N series AP You can also use this screen to specify when users must log in to the NWA3000 N series AP before it routes traffic for them 11 1 2 What You Need To Know The following terms and concepts may help as you read this chapter User Account A user account defines the privileges of a user logged into the NWA3000 N series AP User accounts...

Page 138: ...cess Users user Used for the embedded RADIUS server and SNMPv3 user access Browse user mode commands CLI Table 47 Types of User Accounts continued TYPE ABILITIES LOGIN METHOD S Table 48 Configuration Object User LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an...

Page 139: ... used for BOB not bob User names have to be different than user group names Here are the reserved user names User Name This field displays the user name of each user User Type This field displays type of user this account was configured as admin this user can look at and change the configuration of the NWA3000 N series AP limited admin this user can look at the configuration of the NWA3000 N serie...

Page 140: ...user can look at and change the configuration of the NWA3000 N series AP limited admin this user can look at the configuration of the NWA3000 N series AP but not to change it user this is used for embedded RADIUS server and SNMPv3 user access Password This field is not available if you select the ext user or ext group user type Enter the password of this user account It can consist of 4 31 alphanu...

Page 141: ...ou can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimited Admin users renew the session every time the main screen refreshes in the Web Configurator Reauthentication Time Type the number of minutes this user can be logged into the NWA3000 N series AP in one session before the user has to log in again You can specify 1 to 1440 minutes You can enter 0 to make the numbe...

Page 142: ...ettings These authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authentication timeout settings Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s setting...

Page 143: ...limit on the number of simultaneous logins by admin users If you do not select this admin users can login as many times as they want at the same time using the same or different IP addresses Maximum number per administration account This field is effective when Limit for administration account is checked Type the maximum number of simultaneous logins by each admin user User Lockout Settings Enable...

Page 144: ...PTION User Type This read only field identifies the type of user account for which you are configuring the default settings admin this user can look at and change the configuration of the NWA3000 N series AP limited admin this user can look at the configuration of the NWA3000 N series AP but not to change it user this user has access to the NWA3000 N series AP s services but cannot look at the con...

Page 145: ... in again You can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimited Unlike Lease Time the user has no opportunity to renew the session without logging out OK Click OK to save your changes back to the NWA3000 N series AP Cancel Click Cancel to exit this screen without saving your changes Table 51 User Setting Edit User Authentication Timeout Settings continued LABEL ...

Page 146: ...Chapter 11 User NWA3000 N Series User s Guide 146 ...

Page 147: ...s on the NWA3000 N series AP are profiles A profile represents a group of saved settings that you can use across any number of connected APs You can set up the following wireless profile types Radio This profile type defines the properties of an AP s radio transmitter You can have a maximum of 32 radio profiles on the NWA3000 N series AP SSID This profile type defines the properties of a single wi...

Page 148: ... name of the wireless network that clients use to connect to it WEP WEP Wired Equivalent Privacy encryption scrambles all data packets transmitted between the AP and the wireless stations associated with it in order to keep network communications private Both the wireless stations and the access points must use the same WEP key for data encryption and decryption WPA and WPA2 Wi Fi Protected Access...

Page 149: ...Add Click this to add a new radio profile Edit Click this to edit the selected radio profile Remove Click this to remove the selected radio profile Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object Reference Click this to view which other objects are linked to the selected radio profile This field is a sequential value a...

Page 150: ...Radio Profile This screen allows you to create a new radio profile or edit an existing one To access this screen click the Add button or select a radio profile from the list and click the Edit button Figure 67 Configuration Object AP Profile Add Edit Profile Standalone Mode ...

Page 151: ...h this radio profile should use 2 4 GHz is the frequency used by IEEE 802 11b g n wireless clients 5 GHz is the frequency used by IEEE 802 11a n wireless clients Channel Select the wireless channel which this radio profile should use It is recommended that you choose the channel least in use by other APs in the region where this profile will be implemented This will reduce the amount of interferen...

Page 152: ...ess client sends an RTS for all packets larger than the number of bytes that you enter here Set the RTS CTS equal to or higher than the fragmentation threshold to turn RTS CTS off Fragmentation Threshold The threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent Enter an even number between 256 and 2346 Beacon Interval W...

Page 153: ...access points that support WDS security Use this if the other access points on your network support WDS security but do not have an AES option Note Check your other AP s documentation to make sure it supports WDS security Select AES to enable Advanced Encryption System AES security on your WDS AES provides superior security to TKIP Use AES if the other access points on your network support it for ...

Page 154: ...ick Configuration Object AP Profile SSID Remote Bridge MAC Type the MAC address of the peer device in a valid MAC address format that is six hexadecimal character pairs for example 12 34 56 78 9a bc PSK Type a pre shared key PSK from 8 to 63 case sensitive ASCII characters including spaces and symbols You must also set the peer device to use the same pre shared key Each peer device can use a diffe...

Page 155: ...s to view which other objects are linked to the selected SSID profile for example radio profile This field is a sequential value and it is not associated with a specific user Profile Name This field indicates the name assigned to the SSID profile SSID This field indicates the SSID name as it appears to wireless clients Security Profile This field indicates which if any security profile is associat...

Page 156: ...ect type from the list to create a new one associated with this SSID profile Profile Name Enter up to 31 alphanumeric characters for the profile name This name is only visible in the Web Configurator and is only for management purposes Spaces and underscores are allowed SSID Enter the SSID name for this profile This is the name visible on the network to wireless clients Enter up to 32 characters s...

Page 157: ...alls WMM_VIDEO All wireless traffic to the SSID is tagged as video data This is recommended for activities like video conferencing WMM_BEST_EFFORT All wireless traffic to the SSID is tagged as best effort meaning the data travels the best route it can without displacing higher priority traffic This is good for activities that do not require the best bandwidth throughput such as surfing the Interne...

Page 158: ... your changes back to the NWA3000 N series AP Cancel Click Cancel to exit this screen without saving your changes Table 55 Configuration Object AP Profile Add Edit SSID Profile continued LABEL DESCRIPTION Table 56 Configuration Object AP Profile SSID Security List LABEL DESCRIPTION Add Click this to add a new security profile Edit Click this to edit the selected security profile Remove Click this ...

Page 159: ... profile name This name is only visible in the Web Configurator and is only for management purposes Spaces and underscores are allowed Security Mode Select a security mode from the list wep wpa wpa2 or wpa2 mix 802 1X Select this to enable 802 1x secure authentication Radius Server Type Select internal to use the NWA3000 N series AP s internal authentication database or external to use an external...

Page 160: ...onds that a client can be idle before authentication is discontinued Authentication Type Select a WEP authentication method Choices are Open or Share key Share key is only available if you are not using 802 1x Key Length Select the bit length of the encryption key to be used in WEP connections If you select WEP 64 Enter 10 hexadecimal digits in the range of A F a f and 0 9 for example 0x11AA22BB33...

Page 161: ...Advanced Encryption Standard encryption method It is a more recent development over TKIP and considerably more robust Not all wireless clients may support this Group Key Update Timer Enter the interval in seconds at which the AP updates the group WPA encryption key Pre Authentication This is available when the profile is set to use wpa2 or wpa2 mix and 802 1x Enable or Disable pre authentication t...

Page 162: ...ue and it is not associated with a specific user Profile Name This field indicates the name assigned to the MAC filtering profile Filter Action This field indicates this profile s filter action if any Table 58 Configuration Object AP Profile SSID MAC Filter List continued LABEL DESCRIPTION Table 59 SSID MAC Filter List Add Edit MAC Filter Profile LABEL DESCRIPTION Profile Name Enter up to 31 alpha...

Page 163: ...a sequential value and it is not associated with a specific user MAC This field specifies a MAC address associated with this profile Description This field displays a description for the MAC address associated with this profile You can click the description to make it editable Enter up to 60 characters spaces and underscores allowed Table 59 SSID MAC Filter List Add Edit MAC Filter Profile continu...

Page 164: ...Chapter 12 AP Profile NWA3000 N Series User s Guide 164 ...

Page 165: ...es preset monitor mode configurations that can be used by the APs 13 1 2 What You Need To Know The following terms and concepts may help as you read this chapter Active Scan An active scan is performed when an 802 11 compatible wireless monitoring device is explicitly triggered to scan a specified channel or number of channels for other wireless devices broadcasting on the 802 11 frequencies by se...

Page 166: ...to add a new monitor mode profile Edit Click this to edit the selected monitor mode profile Remove Click this to remove the selected monitor mode profile Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object Reference Click this to view which other objects are linked to the selected monitor mode profile for example an AP man...

Page 167: ...iguration Object MON Profile Add Edit MON Profile LABEL DESCRIPTION Activate Select this to activate this monitor mode profile Profile Name This field indicates the name assigned to the monitor mode profile Channel dwell time Enter the interval in milliseconds before the AP switches to another channel for monitoring Scan Channel Mode Select auto to have the AP switch to the next sequential channel...

Page 168: ...ly available software to physically locate it Figure 76 Rogue AP Example Set Scan Channel List 2 4 G Move a channel from the Available channels column to the Channels selected column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual These channels are limited to the 2 4 GHz range 802 11 b g n Set Scan Channel List 5 G Move a channel from the Available cha...

Page 169: ... running readily available encryption cracking software In this example the attacker now has access to the company network including sensitive data stored on the file server C Friendly APs If you have more than one AP in your wireless network you should also configure a list of friendly APs Friendly APs are other wireless access points that are detected in your network as well as any others that y...

Page 170: ...Chapter 13 MON Profile NWA3000 N Series User s Guide 170 ...

Page 171: ...NWA3000 N series AP trusts any valid certificate that you have imported as a trusted certificate It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate 14 1 2 What You Need to Know The following terms and concepts may help as you read this chapter When using public key cryptology for authentication each host has two keys One key is pu...

Page 172: ...to establish a connection not to encrypt the data that you send after establishing a connection The method used to secure the data that you send through an established connection depends on the type of connection The certification authority uses its private key to sign certificates Anyone can then use the certification authority s public key to verify the certificates A certification path is the h...

Page 173: ...crypted A PKCS 7 file is used to transfer a public key certificate The private key is not included The NWA3000 N series AP currently allows the importation of a PKS 7 file that contains a single certificate PEM Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses lowercase letters uppercase letters and numerals to convert a binary PKCS 7 certificate into a printable form Binary PKCS 1...

Page 174: ...re that the certificate has a cer or crt file name extension 3 Double click the certificate s icon to open the Certificate window Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields The secure method may very based on your situati...

Page 175: ...a certificate or a certification request Edit Double click an entry or select it and click Edit to open a screen with an in depth list of information about the certificate Remove The NWA3000 N series AP keeps all of your certificates unless you specifically delete them Uploading a new firmware or default configuration file does not delete your certificates To remove an entry select it and click Re...

Page 176: ...ry It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or company and country With self signed certificates this is the same information as in the Subject field Valid From This field displays the date tha...

Page 177: ...tificate My Certificates and then the Add icon to open the My Certificates Add screen Use this screen to have the NWA3000 N series AP create a self signed certificate enroll a certificate with a certification authority or generate a certification request Figure 78 Configuration Object Certificate My Certificates Add ...

Page 178: ...e certificate owner belongs You can use up to 31 characters You can use alphanumeric characters the hyphen and the underscore Organization Identify the company or group to which the certificate owner belongs You can use up to 31 characters You can use alphanumeric characters the hyphen and the underscore Town City Identify the town or city where the certificate owner is located You can use up to 3...

Page 179: ...select Create a certification request and enroll for a certificate immediately online Select the certification authority s enrollment protocol from the drop down list box Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key I...

Page 180: ...tication When you select Create a certification request and enroll for a certificate immediately online the certification authority may want you to include a reference number and key to identify you when you send a certification request Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol Just the Key field displays if your certifica...

Page 181: ...tes Click Configuration Object Certificate My Certificates and then the Edit icon to open the My Certificate Edit screen You can use this screen to view in depth certificate information and change the certificate s name Figure 79 Configuration Object Certificate My Certificates Edit ...

Page 182: ...ate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the certification authority or generated by t...

Page 183: ...nvert a binary certificate into a printable form You can copy and paste a certification request into a certification authority s web page an e mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certif...

Page 184: ... You must remove any spaces in the certificate s filename before you can import it Figure 80 Configuration Object Certificate My Certificates Import The following table describes the labels in this screen OK Click OK to save your changes back to the NWA3000 N series AP You can only change the name Cancel Click Cancel to quit and return to the My Certificates screen Table 64 Configuration Object Ce...

Page 185: ...NWA3000 N series AP Cancel Click Cancel to quit and return to the My Certificates screen Table 65 Configuration Object Certificate My Certificates Import continued LABEL DESCRIPTION Table 66 Configuration Object Certificate Trusted Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the NWA3000 N series AP s PKI storage space that is currently in use When th...

Page 186: ...e subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or company and country With self signed certificates this is the same information as in the Subject field Valid From This field displays the date that the certificate becomes applicable Valid To This fi...

Page 187: ...n the Trusted Certificates Edit screen Use this screen to view in depth information about the certificate change the certificate s name and set whether or not you want the NWA3000 N series AP to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Figure 82 Configuration Object Certificate Trusted Certificates Edit ...

Page 188: ...SCP or LDAP server details OCSP Server Select this check box if the directory server uses OCSP Online Certificate Status Protocol URL Type the protocol IP address and pathname of the OCSP server ID The NWA3000 N series AP may need to authenticate itself in order to assess the OCSP server Type the login name up to 31 ASCII characters from the entity maintaining the server usually a certification au...

Page 189: ...thm Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Key Algo...

Page 190: ...ly their certificate Certificate This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses lowercase letters uppercase letters and numerals to convert a binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text edit...

Page 191: ... The second is a reduction in network traffic since the NWA3000 N series AP only gets information on the certificates that it needs to verify not a huge list When the NWA3000 N series AP requests certificate status information the OCSP server returns a expired current or unknown response Table 68 Configuration Object Certificate Trusted Certificates Import LABEL DESCRIPTION File Path Type in the l...

Page 192: ...Chapter 14 Certificates NWA3000 N Series User s Guide 192 ...

Page 193: ...or HTTP or HTTPS access to the NWA3000 N series AP The SSH screen Section 15 6 on page 209 configures SSH Secure SHell for securely accessing the NWA3000 N series AP s command line interface The Telnet screen Section 15 7 on page 214 configures Telnet for accessing the NWA3000 N series AP s command line interface The FTP screen Section 15 8 on page 215 specifies FTP server settings You can upload ...

Page 194: ...t time and date from an external server Table 69 Configuration System Host Name LABEL DESCRIPTION System Name Choose a descriptive name to identify your NWA3000 N series AP device This name can be up to 64 alphanumeric characters long Spaces are not allowed but dashes underscores _ and periods are accepted Domain Name Enter the domain name if you know it here This name is propagated to DHCP client...

Page 195: ...ime This field displays the present time of your NWA3000 N series AP Current Date This field displays the present date of your NWA3000 N series AP Time and Date Setup Manual Select this radio button to enter the time and date manually If you configure a new time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered W...

Page 196: ...his will set the time difference between your time zone and Greenwich Mean Time GMT Enable Daylight Saving Daylight saving is a period from late spring to fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening Select this option if you use Daylight Saving Time Start Date Configure the day and time when Daylight Saving Time starts ...

Page 197: ...uple of examples Daylight Saving Time ends in the United States on the first Sunday of November Each time zone in the United States stops using Daylight Saving Time at 2 A M local time So in the United States you would select First Sunday November and type 2 in the at field Daylight Saving Time ends in the European Union on the last Sunday of October All of the time zones in the European Union sto...

Page 198: ...me screen To manually set the NWA3000 N series AP date and time 1 Click System Date Time 2 Select Manual under Time and Date Setup 3 Enter the NWA3000 N series AP s time in the New Time field 4 Enter the NWA3000 N series AP s date in the New Date field 5 Under Time Zone Setup select your Time Zone from the list 6 As an option you can select the Enable Daylight Saving check box to adjust the NWA300...

Page 199: ...ing table describes the labels in this screen Table 72 Configuration System Console Speed LABEL DESCRIPTION Console Port Speed Use the drop down list box to change the speed of the console port Your NWA3000 N series AP supports 9600 19200 38400 57600 and 115200 bps default for the console port The Console Port Speed applies to a console port connection using terminal emulation software and NOT the...

Page 200: ...y logs you out if the management session remains idle for longer than this timeout period The management session does not time out when a statistics screen is polling Each user is also forced to log in the NWA3000 N series AP for authentication again when the reauthentication time expires You can change the timeout settings in the User screens 15 5 3 HTTPS You can set the NWA3000 N series AP to us...

Page 201: ...quires it to do so select Authenticate Client Certificates in the WWW screen Authenticate Client Certificates is optional and if selected means the HTTPS client must send the NWA3000 N series AP a certificate You must apply for a certificate for the browser from a CA that is a trusted CA on the NWA3000 N series AP Please refer to the following figure 1 HTTPS connection requests from an SSL aware w...

Page 202: ...AP IP Address 8443 as the URL Authenticate Client Certificates Select Authenticate Client Certificates optional to require the SSL client to authenticate itself to the NWA3000 N series AP by sending the NWA3000 N series AP a certificate To do that the SSL client must have a CA signed certificate from a CA that has been imported as a trusted CA on the NWA3000 N series AP Server Certificate Select a...

Page 203: ...te Click View Certificate if you want to verify that the certificate is from the NWA3000 N series AP You see the following Security Alert screen in Internet Explorer Select Yes to proceed to the Web Configurator login screen if you select No then Web Configurator access is blocked Figure 91 Security Alert Dialog Box Internet Explorer Server Port You may change the server port number for a service ...

Page 204: ... certificate into your operating system as a trusted certificate To have the browser trust the certificates issued by a certificate authority import the certificate authority s certificate into your operating system as a trusted certificate Refer to Appendix B on page 305 for details 15 5 5 3 Login Screen After you accept the certificate the NWA3000 N series AP login screen appears The lock displa...

Page 205: ...00 N series AP s Trusted CA Web Configurator screen Figure 93 Trusted Certificates The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s 15 5 5 5 Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next ...

Page 206: ...ance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certi...

Page 207: ...es User s Guide 207 3 Enter the password given to you by the CA 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location ...

Page 208: ...import process 6 You should see the following screen when the certificate is correctly installed on your computer 15 5 5 7 Using a Certificate When Accessing the NWA3000 N series AP To access the NWA3000 N series AP via HTTPS 1 Enter https NWA3000 N series AP IP Address in your browser s web address field ...

Page 209: ... even if you only have a single certificate as in the example 3 You next see the Web Configurator login screen 15 6 SSH You can use SSH Secure SHell to securely access the NWA3000 N series AP s command line interface SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network In the fo...

Page 210: ...between two remote hosts using SSH v1 Figure 95 How SSH v1 Works Example 1 Host Identification The SSH client sends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent co...

Page 211: ...sends its authentication information user name and password to the server to log in to the server 15 6 2 SSH Implementation on the NWA3000 N series AP Your NWA3000 N series AP supports SSH versions 1 and 2 using RSA authentication and four encryption methods AES 3DES Archfour and Blowfish The SSH server is implemented on the NWA3000 N series AP for management using port 22 by default 15 6 3 Requir...

Page 212: ...ontrol table to access the NWA3000 N series AP CLI using this service Version 1 Select the check box to have the NWA3000 N series AP use both SSH version 1 and version 2 protocols If you clear the check box the NWA3000 N series AP uses only SSH version 2 protocol Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that...

Page 213: ... to access the NWA3000 N series AP using the Secure Shell Client program 1 Launch the SSH client and specify the connection information IP address port number for the NWA3000 N series AP 2 Configure the SSH client to accept connection using SSH version 1 3 A window displays prompting you to store the host key in you computer Click Yes to continue Figure 97 SSH Example 1 Store Host Key Enter the pa...

Page 214: ...t information of the NWA3000 N series AP Type yes and press ENTER Then enter the password to log in to the NWA3000 N series AP Figure 99 SSH Example 2 Log in 3 The CLI screen displays next 15 7 Telnet You can use Telnet to access the NWA3000 N series AP s command line interface Click Configuration System TELNET to configure your NWA3000 N series AP for remote Telnet access Use this screen to enabl...

Page 215: ... configuration files Table 75 Configuration System TELNET LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the NWA3000 N series AP CLI using this service Server Port You may change the server port number for a service if needed however you must use the same port number in order ...

Page 216: ...using this service TLS required Select the check box to use FTP over TLS Transport Layer Security to encrypt communication This implements TLS as a security mechanism to secure FTP clients and or servers Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Certificate Select the...

Page 217: ...component agents and a manager An agent is a management software module that resides in a managed device the NWA3000 N series AP An agent translates the local management information from the managed device into a form compatible with SNMP The manager is the console through which network administrators perform network management functions It executes applications that control and monitor managed de...

Page 218: ...e NWA3000 N series AP also supports private MIBs ZYXEL ES CAPWAP MIB ZYXEL ES COMMON MIB ZYXEL ES HYBRIDAP MIB ZYXEL ES PROWLAN MIB ZYXEL ES RFMGMT MIB ZYXEL ES SMI MIB and ZYXEL ES WIRELESS MIB to collect information about CPU and memory usage and VPN total throughput The focus of the MIBs is to let administrators collect statistical data and monitor status and performance You can download the NW...

Page 219: ...ers to access the NWA3000 N series AP using SNMP Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Trap Community Type the trap community which is the password sent with each trap to the SNMP manager The default is public and allows all requests Destination Type the IP address of th...

Page 220: ...ry s settings Remove To remove an entry select it and click Remove The NWA3000 N series AP confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action This the index number of an SNMPv3 user profile User Name This is the name of the user for which this SNMPv3 user profile is configured Authentication This field displays the type of authentic...

Page 221: ...0 N series AP using this SNMPv3 user profile Select NONE to not authenticate the SNMPv3 user Select MD5 to require the SNMPv3 user s password be encrypted by MD5 for authentication Select SHA to require the SNMPv3 user s password be encrypted by SHA for authentication Privacy Select the type of encryption the SNMPv3 user must use to connect to the NWA3000 N series AP using this SNMPv3 user profile...

Page 222: ...less client s utility A password and user name on the utility must match an entry in the Object Users screen s list so that the RADIUS server can be authenticated Note The NWA3000 N series AP can function as an AP and as a RADIUS server at the same time 15 10 1 Configuring the Internal RADIUS Server Use this screen to turn the NWA3000 N series AP s internal RADIUS server off or on select the certi...

Page 223: ... APs Note It is recommended that you replace the factory default certificate with one that uses your NWA3000 N series AP s MAC address Do this when you first log in to the NWA3000 N series AP or in the Object Certificate My Certificates screen Trusted Client Use this table to manage the list of profiles of trusted APs for which the NWA3000 N series AP authenticates wireless clients Add Click this ...

Page 224: ...ask of the trusted AP in dotted decimal notation The subnet mask indicates what part of the IP address is the same for all computers in the network Description This field shows the information listed to help identify the trusted AP profile Apply Click OK to save your changes back to the NWA3000 N series AP Reset Click Reset to start configuring this screen afresh Table 80 Configuration System Auth...

Page 225: ... the Use Windows logon name and password check box When authentication begins a pop up dialog box requests you to type a Name Password and Domain of the RADIUS server Specify a name and password only do not specify a domain Secret Enter a password up to 31 alphanumeric characters no spaces as the key for encrypting communications between the NWA3000 N series AP and this entry s AP The key is not s...

Page 226: ...Chapter 15 System NWA3000 N Series User s Guide 226 ...

Page 227: ...gures how and where to send daily reports and what reports to send The Log Setting screens Section 16 3 on page 229 specify which logs are e mailed where they are e mailed and how often they are e mailed 16 2 Email Daily Report Use this screen to start or stop data collection and view various statistics about traffic passing through your NWA3000 N series AP Note Data collection may decrease the NW...

Page 228: ...ide 228 Click Configuration Log Report Email Daily Report to display the following screen Configure this screen to have the NWA3000 N series AP e mail you system statistics every day Figure 108 Configuration Log Report Email Daily Report Standalone Mode ...

Page 229: ...om Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type the e mail address or addresses to which the outgoing e mail is delivered SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication check box Type the use...

Page 230: ... Log Settings tab controls which events generate alerts and where alerts are e mailed The Log Settings Summary screen provides a summary of all the settings You can use the Log Settings Edit screen to maintain the detailed settings such as log categories e mail addresses server names etc for any log Alternatively if you want to edit what events is included in each log you can also use the Active L...

Page 231: ...ld is a sequential value and it is not associated with a specific log Name This field displays the name of the log system log or one of the remote servers Log Format This field displays the format of the log Internal system log you can view the log on the View Log tab VRPT Syslog ZyXEL s Vantage Report syslog compatible format CEF Syslog Common Event Format syslog compatible format Summary This fi...

Page 232: ... 16 3 2 Edit Log Settings This screen controls the detailed settings for each log in the system log which includes the e mail profiles Go to the Log Settings Summary screen and click the system log Edit icon Figure 110 Configuration Log Report Log Setting Edit ...

Page 233: ...he log is e mailed Time for Sending Log This field is available if the log is e mailed weekly or daily Select the time of day hours and minutes when the log is e mailed Use 24 hour notation SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication check box Type the use...

Page 234: ...e View Log tab The Default category includes debugging messages generated by open source software System log Select which events you want to log by Log Category There are three choices disable all logs red X do not log any information from this category enable normal logs green checkmark create log messages and alerts from this category enable normal logs and debug logs yellow check mark create lo...

Page 235: ... when multiple log messages were aggregated Log Consolidation Interval Type how often in seconds to consolidate log information If the same log message appears multiple times it is aggregated into one log message with the text count x where x is the number of original log messages appended at the end of the Message field OK Click this to save your changes and return to the previous screen Cancel C...

Page 236: ...Guide 236 16 3 3 Edit Remote Server This screen controls the settings for each log in the remote server syslog Go to the Log Settings Summary screen and click a remote server Edit icon Figure 111 Configuration Log Report Log Setting Edit Remote Server ...

Page 237: ...or all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is...

Page 238: ... change other log settings for example where and how often log information is e mailed or remote server names To access this screen go to the Log Settings Summary screen and click the Active Log Summary button Figure 112 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert The Default category includes deb...

Page 239: ...e settings for e mailing logs to e mail server 1 for all log categories Using the System Log drop down list to disable all logs overrides your e mail server 1 settings enable normal logs green check mark e mail log messages for all categories to e mail server 1 enable alert logs red exclamation point e mail alerts for all categories to e mail server 1 E mail Server 2 Use the E Mail Server 2 drop d...

Page 240: ... e mail settings specified in E Mail Server 1 The NWA3000 N series AP does not e mail debugging information even if it is recorded in the System log E mail Server 2 E mail Select whether each category of events should be included in log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 2 The NWA3000 N series AP d...

Page 241: ...hat You Can Do in this Chapter The Configuration File screen Section 17 2 on page 243 stores and names configuration files You can also download and upload configuration files The Firmware Package screen Section 17 3 on page 248 checks your current firmware version and uploads firmware to the NWA3000 N series AP The Shell Script screen Section 17 4 on page 249 stores names downloads uploads and ru...

Page 242: ...is run in Privilege mode If you remove the first command you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode Comments in Configuration Files or Shell Scripts In a configuration file or shell script use or as the first character of a command line to have the NWA3000 N series AP treat the line as a comment Your configuration files o...

Page 243: ...file or shell script and applies all of the valid commands The NWA3000 N series AP still generates a log for any errors 17 2 Configuration File Click Maintenance File Manager Configuration File to open this screen Use the Configuration File screen to store run and name configuration files You can also download configuration files from the NWA3000 N series AP to your computer and upload configurati...

Page 244: ...file and tries the existing lastgood conf configuration file If there isn t a lastgood conf configuration file or it also has an error the NWA3000 N series AP applies the system default conf configuration file You can change the way the startup config conf file is applied Include the setenv startup stop on error off command The NWA3000 N series AP ignores any errors in the startup config conf file...

Page 245: ...plicate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the NWA3000 N series AP You can only delete manually saved configuration files You cannot delete the system default conf startup config conf and lastgood conf files A pop up window asks you to confirm that you want to delete the configuration file Click OK to delete the configu...

Page 246: ... AP started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration file and generates error logs for all of the configuration file s errors This lets the NWA3000 N series AP apply most of your configuration and you can refer to the logs for what to fix Ignore errors and finish applying ...

Page 247: ... to a valid configuration When you change the NWA3000 N series AP s operation mode it backs up the configuration to a xxx backup conf file where xxx denotes the mode the NWA3000 N series AP was previously using Size This column displays the size in KB of a configuration file Last Modified This column displays the date and time that the individual configuration files were last changed or saved Uplo...

Page 248: ...o five minutes Do not turn off or reset the NWA3000 N series AP while the firmware update is in progress Figure 114 Maintenance File Manager Firmware Package The following table describes the labels in this screen Table 89 Maintenance File Manager Firmware Package LABEL DESCRIPTION Boot Module This is the version of the boot module that is currently on the NWA3000 N series AP Current Version This ...

Page 249: ...version in the Dashboard screen 17 4 Shell Script Use shell script files to have the NWA3000 N series AP use commands that you specify Use a text editor to create the shell script files They must use a zysh filename extension Click Maintenance File Manager Shell Script to open this screen Use the Shell Script screen to store name download upload and run shell script files You can store multiple sh...

Page 250: ...ion to your computer Copy Use this button to save a duplicate of a shell script file on the NWA3000 N series AP Click a shell script file s row to select it and click Copy to open the Copy File screen Specify a name for the duplicate file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration ...

Page 251: ...ser s Guide 251 Browse Click Browse to find the zysh file you want to upload Upload Click Upload to begin the upload process This process may take up to several minutes Table 90 Maintenance File Manager Shell Script continued LABEL DESCRIPTION ...

Page 252: ...Chapter 17 File Manager NWA3000 N Series User s Guide 252 ...

Page 253: ...support during troubleshooting The Packet Capture screen Section 18 3 on page 254 captures data packets going through the NWA3000 N series AP The Wireless Frame Capture screens Section 18 4 on page 258 capture network traffic going through the AP interfaces connected to your NWA3000 N series AP 18 2 Diagnostics This screen provides an easy way for you to generate a file containing the NWA3000 N se...

Page 254: ...identify network problems Click Maintenance Diagnostics Packet Capture to open the packet capture screen Table 91 Maintenance Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file Last modified This is the date and time that the last diagnostic file was created The format is yyyy mm dd hh mm ss Size This is the size of the most recently created diagno...

Page 255: ...under Available Interfaces Select interfaces for which to capture packets and click the right arrow button to move them to the Capture Interfaces list Use the Shift and or Ctrl key to select multiple objects IP Type Select the protocol of traffic for which to capture packets Select any to capture packets for all types of traffic Host IP Select a host IP address object for which to capture packets ...

Page 256: ...o avoids making new capture files that overwrite existing files of the same name The file name format is interface name file suffix cap for example lan packet capture cap Number Of Bytes To Capture Per Packet Specify the maximum number of bytes to capture per packet The NWA3000 N series AP automatically truncates packets that exceed this size As a result when you view the packet capture files in a...

Page 257: ...gnostics Packet Capture Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the NWA3000 N series AP Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The tot...

Page 258: ...500 bytes Figure 120 Packet Capture File Example 18 4 Wireless Frame Capture Use this screen to capture wireless network traffic going through the AP interfaces connected to your NWA3000 N series AP Studying these frame captures may help you identify network problems Click Maintenance Diagnostics Wireless Frame Capture to display this screen ...

Page 259: ...to function as an AP or a monitor Please configure at least one radio to MON mode Click this to go the Configuration Wireless AP Management screen where you can set a radio to monitor mode MON Mode APs This section appears when the NWA3000 N series AP is set to the controller mode Configure AP to MON Mode Click this to go the Configuration Wireless AP Management screen where you can set one or mor...

Page 260: ...overwrite existing frame capture files The file format is file prefix dump For example monitor dump Capture Click this button to have the NWA3000 N series AP capture frames according to the settings configured in this screen You can configure the NWA3000 N series AP while a frame capture is in progress although you cannot modify the frame capture settings The NWA3000 N series AP s throughput or pe...

Page 261: ...Frame Capture Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the NWA3000 N series AP Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The total number ...

Page 262: ...Chapter 18 Diagnostics NWA3000 N Series User s Guide 262 ...

Page 263: ...boot Otherwise the changes are lost when you reboot Reboot is different to reset reset returns the device to its default configuration 19 2 Reboot This screen allows remote users can restart the device To access this screen click Maintenance Reboot Figure 123 Maintenance Reboot Click the Reboot button to restart the NWA3000 N series AP Wait a few minutes until the login screen appears If the login...

Page 264: ...Chapter 19 Reboot NWA3000 N Series User s Guide 264 ...

Page 265: ...w Shutdown writes all cached data to the local storage and stops the system processes Shutdown is different to reset reset returns the device to its default configuration 20 2 Shutdown To access this screen click Maintenance Shutdown Figure 124 Maintenance Shutdown Click the Shutdown button to shut down the NWA3000 N series AP Wait for the device to shut down before you manually turn off or remove...

Page 266: ...Chapter 20 Shutdown NWA3000 N Series User s Guide 266 ...

Page 267: ...The NWA3000 N series AP does not turn on None of the LEDs turn on 1 Make sure you are using the power adaptor included with the NWA3000 N series AP or a PoE power injector 2 Make sure the power adaptor or PoE power injector is connected to the NWA3000 N series AP and plugged in to an appropriate power source Make sure the power source is turned on 3 Disconnect and re connect the power adaptor or P...

Page 268: ... the IP address for the NWA3000 N series AP 1 The default IP address is 192 168 1 2 2 Use the commands through the console port to check the IP address Connect your computer to the CONSOLE port using a console cable Your computer should have a terminal emulation communications program such as HyperTerminal set to VT100 terminal emulation no parity 8 data bits 1 stop bit no flow control and 115200 ...

Page 269: ...Start Guide 6 If the problem continues contact the network administrator or vendor or try one of the advanced suggestions Advanced Suggestions Try to access the NWA3000 N series AP using another service such as Telnet If you can access the NWA3000 N series AP check the remote management settings to find out why the NWA3000 N series AP does not respond to HTTP If your computer is connected wireless...

Page 270: ...efaults See Section 21 6 on page 277 I cannot access the NWA3000 N series AP via the console port 1 Check to see if the NWA3000 N series AP is connected to your computer s console port 2 Check to see if the communications program is configured correctly The communications software should be configured as follows VT100 terminal emulation 115200 bps is the default speed on leaving the factory Try ot...

Page 271: ...ilable anymore 1 Check the hardware connections and make sure the LEDs are behaving as expected See the Quick Start Guide and Section 1 7 on page 27 2 Reboot the NWA3000 N series AP 3 If the problem continues contact your ISP The Internet connection is slow or intermittent 1 There might be a lot of traffic on the network Look at the LEDs and check Section 1 7 on page 27 If the NWA3000 N series AP ...

Page 272: ...ter installed is within the transmission range of the NWA3000 N series AP 5 Check that both the NWA3000 N series AP and your wireless station are using the same wireless and wireless security settings 6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the NWA3000 N series AP 7 Make sure you allow the NWA3000 N series AP to be remotely accessed through the WLAN inter...

Page 273: ...terface IP address Enable monitoring for the same interfaces on the master and backup NWA3000 N series APs Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master NWA3000 N series AP If you have multiple NWA3000 N series AP virtual routers on your network use a different cluster ID to identify each virtual ro...

Page 274: ...pted A PKCS 7 file is used to transfer a public key certificate The private key is not included The NWA3000 N series AP currently allows the importation of a PKS 7 file that contains a single certificate PEM Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses lowercase letters uppercase letters and numerals to convert a binary PKCS 7 certificate into a printable form Binary PKCS 12 T...

Page 275: ...onfigurator is the recommended method for uploading firmware You only need to use the command line interface if you need to recover the firmware See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it My packet capture captured less than I wanted or failed The packet capture screen s File Size sets a maximum size limit for the total combined size ...

Page 276: ...d to the AP uses a security profile that is properly configured and which is matches the security settings in use by the NWA3000 N series AP For example if the security mode on the AP is set to WPA WPA2 then make sure the authentication server is running and able to complete the 802 1x authentication sequence See Chapter 12 on page 147 and Section 15 10 on page 221 for more If you cannot solve the...

Page 277: ...equired 21 6 Resetting the NWA3000 N series AP If you cannot access the NWA3000 N series AP by any method try restarting it by turning the power off and then on again If you still cannot access the NWA3000 N series AP by any method or you forget the administrator password s you can reset the NWA3000 N series AP to its factory default settings Any configuration files or shell scripts that you saved...

Page 278: ...Chapter 21 Troubleshooting NWA3000 N Series User s Guide 278 21 7 Getting More Troubleshooting Help Search for support information for your model at www zyxel com for more troubleshooting suggestions ...

Page 279: ...sole Port One PS 2 console port Antenna 2 reverse SMA antenna connectors 2 external dipole antennas Gain 2 dBi Output Power IEEE 802 11a 5150 5250 Using single antenna 12dBm IEEE 802 11a 5250 5850 Using single antenna 18dbm IEEE 802 11b Using single antenna 17dBm IEEE 802 11g Using single antenna 14dBm IEEE 802 11gn HT20 Using single antenna 12 5dBm Using three antennas 17dBm IEEE 802 11gn HT40 Us...

Page 280: ... 802 11a IEEE 802 11b IEEE 802 11g IEEE 802 11n Security and Control WPA and WPA2 Wi Fi Protected Access support Mixed WPA and WPA2 support 64 and 128 bit WEP Mixed 802 1x WEP and WPA support 802 1x authentication EAP TLS EAP TTLS PEAP SIM FAST AKA support AES TKIP WEP encryption support MBSSID mode allows the NWA3000 N series AP to operate up to 8 different wireless networks BSSs simultaneously e...

Page 281: ... an SSL connection start with https instead of http The NWA3000 N series AP allows SSL connections to take place through the NWA3000 N series AP MAC Address Filter Your NWA3000 N series AP checks the MAC address of the wireless station against a list of allowed or denied MAC addresses Wireless Association List With the wireless association list you can see the list of the wireless stations that ar...

Page 282: ...the screws Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws 3 Do not insert the screws all the way into the wall Leave a small gap of about 0 5 cm between the heads of the screws and the wall 4 Make sure the screws are snugly fastened to the wall They need to hold the weight of the NWA3000 N series AP with the connection cables 5 Align the hol...

Page 283: ...t Specifications NWA3000 N Series User s Guide 283 The following are dimensions of an M4 tap screw and masonry plug used for wall mounting All measurements are in millimeters mm Figure 126 Masonry Plug and M4 Tap Screw ...

Page 284: ...Chapter 22 Product Specifications NWA3000 N Series User s Guide 284 ...

Page 285: ...up s cannot get size of group 1st zysh group name s cannot specify properties for entry s 1st zysh group name 2st zysh entry name s cannot join group s loop detected 1st zysh group name 2st zysh group name cannot create too many groups d 1st max group num s cannot find entry s 1st zysh group name 2st zysh entry name s cannot remove entry s 1st zysh group name 2st zysh entry name List OPS can t all...

Page 286: ...index is out of range 1st zysh table name s cannot set entry d 1st zysh table name 2st zysh entry num s table is full 1st zysh table name s invalid old new index 1st zysh table name Unable to move entry d 1st zysh entry num s invalid index 1st zysh table name Unable to delete entry d 1st zysh entry num Unable to change entry d 1st zysh entry num s cannot retrieve entries from table 1st zysh table ...

Page 287: ...ng HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out EnterpriseWLAN lease timeout The NWA3000 N series AP is signing the specified user out due to a lease timeout 1st s The type of user account 2nd s The user s user name 3rd s The name of the service the user is using HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out EnterpriseWLAN idle timeout The NWA3000 N ser...

Page 288: ...n denied access from s The NWA3000 N series AP blocked a login attempt by the specified user name because of an invalid user name or password 2nd s service name LDAP AD Wrong IP or Port IP s Port d LDAP AD Wrong IP or Port Please check the AAA server setting Domain auth fail Domain auth fail Please check the domain auth related setting Failed to join domain Access denied Failed to join domain Acce...

Page 289: ...er TELNET port has been changed to default port An administrator changed the port number for TELNET back to the default 23 FTP certificate s does not exist An administrator assigned a nonexistent certificate to FTP s is certificate name assigned by user FTP port has been changed to port s An administrator changed the port number for FTP s is port number assigned by user FTP port has been changed t...

Page 290: ...g check failed remove DNS servers from bind s is interface name Interface s ping check is disabled Zone Forwarder adds DNS servers in records Ping check disabled add DNS servers in bind s is interface name SNMP trap can not be sent successfully Cannot send a SNMP trap to a remote host due to network error Table 101 System Logs LOG MESSAGE DESCRIPTION Port d is up When LINK is up d is the port numb...

Page 291: ...t A packet was received but it is not an ARP response packet Receive an ARP response The device received an ARP response Receive ARP response from s s The device received an ARP response from the listed source The request IP is s sent from s The device accepted a request Received ARP response NOT for the request IP address The device received an ARP response that is NOT for the requested IP addres...

Page 292: ...ly Table 102 Device HA Logs LOG MESSAGE DESCRIPTION Device HA VRRP Group s has been added An VRRP group has been created s the name of VRRP group Device HA VRRP group s has been modified An VRRP group has been modified s the name of VRRP group Device HA VRRP group s has been deleted An VRRP group has been deleted s the name of VRRP group Device HA VRRP interface s for VRRP Group s has changed Conf...

Page 293: ...synchronizing a certain object AV AS IDP Certificate System Configuration due to an unknown reason 1st s The object to be synchronized 2ed s The feature name for the object to be synchronized Sync Failed Cannot connect to Master when syncing s for s Synchronization failed because the Backup could not connect to the Master The object to be synchronized 2ed s The feature name for the object to be sy...

Page 294: ...to update s for s Retry d An update failed Retrying to update the failed object again 1st s The object to be synchronized 2ed s The feature name for the object to be synchronized d the retry count Recovring to Backup original state for s has failed An update failed The device will try to recover the failed update feature to the original state before Device HA synchronizes the specified object Reco...

Page 295: ...decoding failed 10 Certificate was not found anywhere 11 Certificate chain looped did not find trusted root 12 Certificate contains critical extension that was not handled 13 Certificate issuer was not valid CA specific information missing 14 Not used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added to the cache 20...

Page 296: ... reinstall it System internal error Error enabling WPA 802 1X The NWA3000 N series AP was not able to enable WPA IEEE 802 1X Station has associated Interface s MAC s A wireless client with the specified MAC address second s associated with the specified WLAN interface first s WPA or WPA2 enterprise EAP timeout Interface s MAC s There was an EAP timeout for a wireless client connected to the specif...

Page 297: ... success RADIUS accounting succeeded Table 104 Account Logs LOG MESSAGE DESCRIPTION Account s s has been deleted A user deleted an ISP account profile 1st s profile type 2nd se profile name Account s s has been changed A user changed an ISP account profile s options 1st s profile type 2nd s profile name Account s s has been added A user added a new ISP account profile 1st s profile type 2nd s prof...

Page 298: ...r the specified IP address from the computer with the listed hostname and MAC address No applicable lease found for DHCP request s There is no matching DHCP lease for a DHCP client s request for the specified IP address DHCP released s with s s A DHCP client released the specified IP address The DHCP client s hostname and MAC address are listed Sending ACK to s The DHCP server feature received a D...

Page 299: ... series AP s or the server s network connection Table 108 CAPWAP Server Logs LOG MESSAGE DESCRIPTION WLAN Controller Start Registration Type s Indicates that AP management services has started WLAN Controller Reset The AP management service has reset WLAN Controller End The AP management service has ended Managed AP Connect MACAddr 02x 02x 02x 0 2x 02x 02x Model s Name s The specified Managed AP c...

Page 300: ...th s Managed AP Description Switch Managed AP to Standalone AP MACAddr 02x 02x 02x 0 2x 02x 02x Model s Name s Rollback the AP to Standalone Mode 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Model Name 8th s Managed AP Description Upgrade Managed AP s Firmware MACAddr 02x 02x 02x 0 2x 02x 02x Model s Name s Indicates that the AP on the Managed List had its firmware upgraded 1st 02x 6th ...

Page 301: ...er retransmited configuration to an AP on the Managed List 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP Model Name 8th s Managed AP Description 9th d Retry count STA Association MACAddr 02x 02x 02x 0 2x 02x 02x AP s A station connected to the specified AP 1st 02x 6th 02x Managed AP MAC Address 7th s Managed AP s description STA Disassociation MACAddr 02x 02x 02x 0 2x 02x 02x AP s A stat...

Page 302: ...ller failed 1st s Wrong Configuration ReBoot by a WLAN Controller WLAN Controller s The managed AP was rebooteed WLAN Controller 1st s WLAN Controller IP Address Switch Managed AP to Standalone AP WLAN Controller s The WLAN controller set the managed AP to Standalone Mode 1st s WLAN Controller IP Address Firmware upgraded by WLAN Controller WLAN Controller s The CAPWAP client s firmware was upgrad...

Page 303: ...ress 7th s AP s description STA Roaming MAC Addr 02x 02x 02x 02x 02x 02x From s To s The specified station roamed from the first specified AP to the other 1st 02x 6th 02x Station MAC Address 7th s Source AP s description 8th s Destination AP s description STA List Full STA List of Managed AP s is Full The number of stations connecting to the specified AP has reached its upper limit 1st s WTP s des...

Page 304: ...dler n While an AP is in Monitor mode the handler functions as a daemon if it fails to initialize the handler then this message is returned Table 113 DCS Logs LOG MESSAGE DESCRIPTION dcs init failed n Indicates that the NWA3000 N series AP failed to initialize the dcs daemon init zylog fail n Indicates that the NWA3000 N series AP failed to initialize zylog channel changed s d d n DCS has changed ...

Page 305: ... be issued to all visiting web browsers to let them know that the site is legitimate Many ZyXEL products such as the NSA 2401 issue their own public key certificates These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it However because the certificates were not issued by one of the several organizations ...

Page 306: ...ndows XP Professional however they can also apply to Internet Explorer on Windows Vista 1 If your device s Web Configurator is set to use SSL certification then the first time you browse to it you are presented with a certification error 2 Click Continue to this website not recommended 3 In the Address Bar click Certificate Error View certificates ...

Page 307: ...Appendix B Importing Certificates NWA3000 N Series User s Guide 307 4 In the Certificate dialog box click Install Certificate 5 In the Certificate Import Wizard click Next ...

Page 308: ...omatically select certificate store based on the type of certificate click Next again and then go to step 9 7 Otherwise select Place all certificates in the following store and then click Browse 8 In the Select Certificate Store dialog box choose a location in which to save the certificate and then click OK ...

Page 309: ...Series User s Guide 309 9 In the Completing the Certificate Import Wizard screen click Finish 10 If you are presented with another Security Warning click Yes 11 Finally click OK when presented with the successful certificate installation message ...

Page 310: ...r Click it to view the page s Website Identification information Installing a Stand Alone Certificate File in Internet Explorer Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted you can install a stand alone certificate file if one has been issued to you 1 Double click the public key certificate file 2 In the security warning dialog box click Op...

Page 311: ...e beginning on page 306 to complete the installation process Removing a Certificate in Internet Explorer This section shows you how to remove a public key certificate in Internet Explorer 7 on Windows XP 1 Open Internet Explorer and click Tools Internet Options 2 In the Internet Options dialog box click Content Certificates ...

Page 312: ...ot Certificates Authorities tab select the certificate that you want to delete and then click Remove 4 In the Certificates confirmation click Yes 5 In the Root Certificate Store dialog box click Yes 6 The next time you go to the web site that issued the public key certificate you just removed a certification error appears ...

Page 313: ...vice s Web Configurator is set to use SSL certification then the first time you browse to it you are presented with a certification error 2 Select Accept this certificate permanently and click OK 3 The certificate is stored and you can now connect securely to the Web Configurator A sealed padlock appears in the address bar which you can click to open the Page Info Security window to view the web p...

Page 314: ...File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted you can install a stand alone certificate file if one has been issued to you 1 Open Firefox and click Tools Options 2 In the Options dialog box click Advanced Encryption View Certificates ...

Page 315: ...ficate Manager dialog box click Web Sites Import 4 Use the Select File dialog box to locate the certificate and then click Open 5 The next time you visit the web site click the padlock in the address bar to open the Page Info Security window to see the web page s security information ...

Page 316: ... Series User s Guide 316 Removing a Certificate in Firefox This section shows you how to remove a public key certificate in Firefox 2 1 Open Firefox and click Tools Options 2 In the Options dialog box click Advanced Encryption View Certificates ...

Page 317: ...nager dialog box select the Web Sites tab select the certificate that you want to remove and then click Delete 4 In the Delete Web Site Certificates dialog box click OK 5 The next time you go to the web site that issued the public key certificate you just removed a certification error appears ...

Page 318: ...Appendix B Importing Certificates NWA3000 N Series User s Guide 318 ...

Page 319: ...endent network which is commonly referred to as an ad hoc network or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 127 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless clients or between a wireless client and a wi...

Page 320: ...xtended Service Set ESS consists of a series of overlapping BSSs each containing an access point with each access point connected together by a wired network This wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network...

Page 321: ...uld use a channel different from an adjacent AP access point to reduce interference Interference occurs when radio signals from different access points overlap causing interference and degrading performance Adjacent channels partially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For examp...

Page 322: ...on that wants to transmit this frame must first send an RTS Request To Send message to the AP for permission to send it The AP then responds with a CTS Clear to Send message to all other stations within its range to notify them to defer their transmission It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than th...

Page 323: ...ization field in a packet Short preamble increases performance as less time sending preamble means more time for sending data All IEEE 802 11 compliant wireless adapters support long preamble but not all support short preamble Use long preamble if you are unsure what preamble mode other wireless devices on the network support and to provide more reliable communications in busy wireless networks Us...

Page 324: ...gure shows the relative effectiveness of these wireless security methods available on your NWA3000 N series AP Note You must enable the same wireless security settings on the NWA3000 N series AP and on all wireless clients that you want to associate with it Table 114 IEEE 802 11g DATA RATE MBPS MODULATION 1 DBPSK Differential Binary Phase Shift Keyed 2 DQPSK Differential Quadrature Phase Shift Key...

Page 325: ... the wireless clients RADIUS RADIUS is based on a client server model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks Authentication Determines the identity of the users Authorization Determines the network services available to authenticated users once they are connected to t...

Page 326: ... and LEAP Your wireless LAN device may not support all authentication types EAP Extensible Authentication Protocol is an authentication protocol that runs on top of the IEEE 802 1x transport mechanism in order to support multiple types of user authentication By using EAP to interact with an EAP compatible RADIUS server an access point helps a wireless station and a RADIUS server perform authentica...

Page 327: ...assive attacks A digital certificate is an electronic ID card that authenticates the sender s identity However to implement EAP TLS you need a Certificate Authority CA to handle certificates which imposes a management overhead EAP TTLS Tunneled Transport Layer Service EAP TTLS is an extension of the EAP TLS authentication that uses certificates for only the server side authentications to establish...

Page 328: ...PA and WPA2 Wi Fi Protected Access WPA is a subset of the IEEE 802 11i standard WPA2 IEEE 802 11i is a wireless security standard that defines stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication If both an AP and the wireless clients support WPA2 and you have an external RADIUS server use WP...

Page 329: ...erver distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients This all happens in the background automatically The Message Integrity Check MIC is designed to prevent an attacker fro...

Page 330: ...eady connecting to an AP to perform IEEE 802 1x authentication with another AP before connecting to it Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA At the time of writing the most widely available supplicant is the WPA patch for Windows XP Funk Software s Odyssey client The Windows XP pa...

Page 331: ...ith RADIUS Application Example WPA 2 PSK Application Example A WPA 2 PSK application looks as follows 1 First enter identical passwords into the AP and all wireless clients The Pre Shared Key PSK must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters including spaces and symbols 2 The AP checks each wireless client s password and allows it to join the network only if the pa...

Page 332: ...r each authentication method or key management protocol type MAC address filters are not dependent on how you configure these security features Table 117 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTIO N METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable without Dynamic WEP Key Open WEP No Enable with Dynamic WEP Key Yes Enable without Dynam...

Page 333: ... END USER LICENSE AGREEMENT SHALL RESTRICT ANY RIGHTS AND LICENSES YOU MAY HAVE WITH RESPECT TO THE OPEN SOURCED COMPONENTS UNDER THE APPLICABLE LICENSE TERMS OF SUCH THIRD PARTY 1 Grant of License for Personal Use ZyXEL Communications Corp ZyXEL grants you a non exclusive non sublicense non transferable license to use the program with which this license is distributed the Software including any d...

Page 334: ... Please contact the appropriate software vendor or manufacturer directly for technical support and customer service related to its software and products 5 Confidentiality You acknowledge that the Software contains proprietary trade secrets of ZyXEL and you hereby agree to maintain the confidentiality of the Software using at least as great a degree of care as you use to maintain the confidentialit...

Page 335: ... including but not limited to if ZyXEL finds that you have violated any of the terms of this License Agreement Upon notification of termination you agree to destroy or return to ZyXEL all copies of the Software and Documentation and to certify in writing that all known copies including backup copies have been destroyed All provisions relating to confidentiality proprietary rights and non disclosur...

Page 336: ...ermission The University of Delaware makes no representations about the suitability this software for any purpose It is provided as is without express or implied warranty This Product includes expat software under the Expat License Expat License Copyright c 1998 1999 2000 Thai Open Source Software Center Ltd Permission is hereby granted free of charge to any person obtaining a copy of this softwar...

Page 337: ...l in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software This ...

Page 338: ...cumentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org 4 The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived ...

Page 339: ...IABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISE...

Page 340: ...ic Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the...

Page 341: ... ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence and distribution terms for any publically available version or derivative of this code cannot be changed i e this code cannot simply be copied and put under another distribution licen...

Page 342: ...ut specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUE...

Page 343: ...ns 1 through 9 of this document Licensor shall mean the copyright owner or entity authorized by the copyright owner that is granting the License Legal Entity shall mean the union of the acting entity and all other entities that control are controlled by or are under common control with that entity For the purposes of this definition control means i the power direct or indirect to cause the directi...

Page 344: ... where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution s alone or by combination of their Contribution s with the Work to which such Contribution s was submitted If You institute patent litigation against any entity including a cross claim or counterclaim in a lawsuit alleging that the Work or a Contribution incor...

Page 345: ...ncluding any direct indirect special incidental or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work including but not limited to damages for loss of goodwill work stoppage computer failure or malfunction or any and all other commercial damages or losses even if such Contributor has been advised of the possibility of such dama...

Page 346: ...S INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation For more information on the Apache Softw...

Page 347: ...t to make it very clear that there is no warranty for the free library Also if the library is modified by someone else and passed on the recipients should know that what they have is not the original version so that the original author s reputation will not be affected by problems that might be introduced by others Finally software patents pose a constant threat to the existence of any free progra...

Page 348: ...cations to it For a library complete source code means all the source code for all modules it contains plus any associated interface definition files plus the scripts used to control compilation and installation of the library Activities other than copying distribution and modification are not covered by this License they are outside its scope The act of running a program using the Library is not ...

Page 349: ...readable source code which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange If distribution of object code is made by offering access to copy from a designated place then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code even though third parties are not c...

Page 350: ... on of the operating system on which the executable runs unless that component itself accompanies the executable It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system Such a contradiction means you cannot use both them and the Library together in an executable that you distribute 7 You may place l...

Page 351: ...ed In such case this License incorporates the limitation as if written in the body of this License 13 The Free Software Foundation may publish revised and or new versions of the Lesser General Public License from time to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns Each version is given a distinguishing version...

Page 352: ...pply it to your programs too When we speak of free software we are referring to freedom not price Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you...

Page 353: ... may modify your copy or copies of the Program or any portion of it thus forming a work based on the Program and copy and distribute such modifications or work under the terms of Section 1 above provided that you also meet all of these conditions a You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change b You must cause any work th...

Page 354: ...s or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 5 You are not required to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if you do not accept this License Therefore by modifying...

Page 355: ...r permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY 11 BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE THERE I...

Page 356: ...IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTIO...

Page 357: ... SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Part 2 Networks Associates Technology Inc copyright notice BSD ...

Page 358: ...IDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMA...

Page 359: ...ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE P...

Page 360: ...ed from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL ...

Page 361: ...this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL ...

Page 362: ...eir contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLD...

Page 363: ...o KG or any of its subsidiaries brand or product names may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT ...

Page 364: ... Apple nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL APPLE ...

Page 365: ...LC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHAL...

Page 366: ...NCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE This Product includes openldap s...

Page 367: ...CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale use or other dealing in this Software without specific written prior permission Title to copyright in this Software sha...

Page 368: ...g individuals added to the list of Contributing Authors Simon Pierre Cadieux Eric S Raymond Gilles Vollant and with the following additions to the disclaimer There is no warranty against interference with your enjoyment of the library or against infringement There is no warranty that our efforts or the library will fulfill any of your particular purposes or needs This library is provided with all ...

Page 369: ...olmgren Greg Roelofs Tom Tanner libpng versions 0 5 May 1995 through 0 88 January 1996 are Copyright c 1995 1996 Guy Eric Schalnat Group 42 Inc For the purposes of this copyright and license Contributing Authors is defined as the following set of individuals Andreas Dilger Dave Martindale Guy Eric Schalnat Paul Schmidt Tim Wegner The PNG Reference Library is supplied AS IS The Contributing Authors...

Page 370: ...s must be plainly marked as such and must not be misrepresented as being the original source 3 This Copyright notice may not be removed or altered from any source or altered source distribution The Contributing Authors and Group 42 Inc specifically permit without fee and encourage the use of this source code as a component to supporting the PNG file format in commercial products If you use this so...

Page 371: ... held liable for any damages arising from the use of this software Permission is granted to anyone to use this software for any purpose including commercial applications and to alter it and redistribute it freely subject to the following restrictions 1 The origin of this software must not be misrepresented you must not claim that you wrote the original software If you use this software in a produc...

Page 372: ...Appendix D Open Software Announcements NWA3000 N Series User s Guide 372 ...

Page 373: ... arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark o...

Page 374: ...he following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected 4 Consult the dealer or an experienced radio TV technician for help FCC Caution Any changes or modifications not expressly approved by the party responsible for ...

Page 375: ...terference to co channel mobile satellite systems users should also be cautioned to take note that high power radars are allocated as primary users meaning they have priority of the bands 5250 5350 MHz and 5650 5850 MHz and these radars could cause interference and or damage to LE LAN devices IC Radiation Exposure Statement This equipment complies with IC radiation exposure limits set forth for an...

Page 376: ... material or workmanship for a specific period the Warranty Period from the date of purchase The Warranty Period varies by region Check with your vendor and or the authorized ZyXEL local distributor for details about the Warranty Period of this product During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workmanship and or materials ZyX...

Page 377: ...of any kind to the purchaser To obtain the services of this warranty contact your vendor You may also refer to the warranty policy for the region in which you bought the device at http www zyxel com web support_warranty_info php Registration Register your product online to receive e mail notices of firmware upgrades and information at www zyxel com ...

Page 378: ...Appendix E Legal Information NWA3000 N Series User s Guide 378 ...

Page 379: ... 22 23 319 C CA 327 and certificates 172 CA Certificate Authority see certificates CAPWAP 103 105 CEF Common Event Format 231 237 Certificate Authority See CA Certificate Authority CA see certificates Certificate Management Protocol CMP 179 Certificate Revocation List CRL 172 vs OCSP 191 certificates 171 advantages of 172 and CA 172 and FTP 216 and HTTPS 201 and SSH 212 and WWW 202 certification p...

Page 380: ...s 31 copyright 373 CPU usage 77 80 CTS Clear to Send 322 current date time 78 194 daylight savings 196 setting manually 198 time server 198 D date 194 daylight savings 196 device HA 127 active passive mode 131 cluster ID 136 273 configuration overview 51 copying configuration 128 device role 132 HA status 130 management access 128 management IP address 128 monitored interfaces 134 136 password 134...

Page 381: ...ode 321 HTTP over SSL see HTTPS redirect to HTTPS 202 vs HTTPS 201 HTTPS 200 and certificates 201 authenticating clients 201 avoiding warning messages 204 example 203 vs HTTP 201 with Internet Explorer 203 humidity 280 HyperText Transfer Protocol over Secure Socket Layer see HTTPS I IBSS 319 IEEE 802 11g 323 IEEE 802 1x 148 Independent Basic Service Set See IBSS 319 initialization vector IV 329 in...

Page 382: ...TP See FTP MBSSID 18 22 memory usage 77 81 message bar 38 Message Integrity Check MIC 329 messages CLI 40 warning 38 mobile access 17 mode 18 model name 77 monitored interfaces 136 device HA 134 My Certificates see also certificates 175 N Netscape Navigator 31 network 17 network bridge 18 Network Time Protocol NTP 197 O object based configuration 49 objects 49 51 certificates 171 for configuration...

Page 383: ...ate Enrollment Protocol 179 screen resolution 31 screws 282 Secure Socket Layer see SSL security 18 serial number 77 service control and users 200 limitations 200 timeouts 200 Service Set 148 Service Set Identifier see SSID shell scripts 241 downloading 250 editing 249 how applied 242 managing 249 syntax 242 uploading 251 shutdown 29 Simple Certificate Enrollment Protocol SCEP 179 Simple Network M...

Page 384: ...eshooting 253 Trusted Certificates see also certificates 185 U upgrading firmware 248 uploading configuration files 247 firmware 248 shell scripts 249 usage CPU 77 80 flash 77 memory 77 81 onboard flash 77 use 17 user authentication 137 user group objects 137 user groups 137 configuration overview 51 user name rules 139 user objects 137 users 137 access see also access users admin type 137 admin s...

Page 385: ...2 wireless security 23 272 324 WLAN interference 321 security parameters 332 WLAN interface 18 WPA 148 328 key caching 330 pre authentication 330 user authentication 330 vs WPA PSK 329 wireless client supplicant 330 with RADIUS application example 330 WPA2 148 328 user authentication 330 vs WPA2 PSK 329 wireless client supplicant 330 with RADIUS application example 330 WPA2 Pre Shared Key 328 WPA2...

Page 386: ...Index NWA3000 N Series User s Guide 386 ...