Manuals / ZyXEL Communications / Computer Equipment / Network Card

ZyXEL Communications G-1000 manual WPA2, Encryption

Models: G-1000

1 192

Download 192 pages 21.42 Kb

Page 166

G-1000 User’s Guide

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 68 Comparison of EAP Authentication Types

	EAP-MD5	EAP-TLS	EAP-TTLS	PEAP	LEAP

Mutual Authentication	No	Yes	Yes	Yes	Yes

Certificate – Client	No	Yes	Optional	Optional	No

Certificate – Server	No	Yes	Yes	Yes	No

Dynamic Key Exchange	No	Yes	Yes	Yes	Yes

Credential Integrity	None	Strong	Strong	Strong	Moderate

Deployment Difficulty	Easy	Hard	Moderate	Moderate	Moderate

Client Identity Protection	No	No	Yes	Yes	No

WPA(2)

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA 2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

Key differences between WPA(2) and WEP are improved data encryption and user authentication.

Encryption

Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. In addition to TKIP, WPA2 also uses Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption.

Temporal Key Integrity Protocol (TKIP) uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

WPA2 AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael.

166	Wireless LANs

Image 166

ZyXEL Communications G-1000 manual WPA2, Encryption

Contents

G-1000 802.11g Wireless Access PointUser’s Guide Disclaimer CopyrightTrademarks Federal Communications Commission FCC Interference Statement Information for Canadian UsersCertifications Safety Warnings ZyXEL Limited Warranty Brief description of the problem and the steps you took to solve it Customer SupportProduct model and serial number Warranty Information Date that you received your deviceG-1000 User’s Guide Customer SupportG-1000 User’s Guide Customer SupportZyXEL Limited Warranty Table of ContentsSafety Warnings CopyrightG-1000 User’s Guide Chapter Wireless LANRemote Management Screens ChapterChapter MaintenanceGeneral Setup ChapterSystem Password Appendix B Figure 6 The MAIN MENU Screen of the Web Configurator List of FiguresG-1000 User’s Guide Figure 37 System Status Show Statistics Figure 80 Menu 24 System Maintenance G-1000 User’s Guide List of Tables G-1000 User’s GuideTable 37 Restore Configuration Table 80 Subnet G-1000 User’s Guide About This Users Guide PrefaceRelated Documentation Syntax Conventions User Guide FeedbackGraphics Icons Key 1.2.1.3 Reset Button 1.2 G-1000 Features1.2.1 Physical Features Getting to Know Your G-10001.2.2.3 802.11b Wireless LAN Standard 1.2.2 Firmware Features1.2.2.2 Wi-Fi Protected Access 1.2.1.4 G-1000 LED1.2.2.8 Wireless LAN MAC Address Filtering 1.2.2.4 802.11g Wireless LAN Standard1.2.2.7 Brute-Force Password Guessing Protection 1.2.2.5 STP Spanning Tree Protocol / RSTP Rapid STP1.2.2.10 IEEE 802.1x Network Security 1.2.2.15 Wireless Association List1.3 Applications for the G-1000 1.2.2.11 SNMP1.3.1 Internet Access Application 1.3.2 Corporation Network ApplicationG-1000 User’s Guide Chapter 1 Getting to Know Your G-10002.1 Front Panel of the G-1000 Hardware Installation and Initial SetupCH A P T E R G-1000 User’s Guide Table 3 Front Panel LED Description 2.2 Top Panel and Connections of the G-1000Chapter 2 Hardware Installation and Initial Setup COLOR2.2.3 The RESET Button 2.2.2 Power Port2.2.1 One 10/100M Ethernet Port 2.3 Hardware Mounting Options 2.4 Additional Installation Requirements2.5 Configuring Your G-1000 2.2.4 Antennas3.1 Accessing the G-1000 Web Configurator Introducing the Web ConfiguratorCH A P T E R 3.2 Resetting the G-1000 3.2.1 Procedure To Use The Reset Button3.3 Navigating the G-1000 Web Configurator 3.2.2 Method of Restoring Factory-DefaultsClick LOGOUT at any time to exit the web configurator 4.1.1 Channel Wizard Setup4.1 Wizard Setup Overview 4.1.2 ESS IDFigure 7 Wizard 1 General Setup 4.2 Wizard Setup General Setup4.3 Wizard Setup Wireless LAN Table 5 Wizard 1 General SetupFigure 8 Wizard 2 Wireless LAN Setup Note This field is only available when you have an externalwireless card inserted in the G-1000 Table 6 Wizard 2 Wireless LAN Setup4.4.1 IP Address Assignment 4.4 Wizard Setup IP Address4.4.2 IP Address and Subnet Mask Note You must know the IP address assigned to the G-1000 by the DHCP server to access the G-1000 againthe new IP address if you want to access the web configurator Note If you changed the G-1000s IP address, you must useBack Finish 4.5 Basic Setup CompleteClick Finish to proceed to complete the Wizard setup Click Back to return to the previous screen5.1 System Overview 5.2 Configuring General SetupSystem Screens Figure 11 System General SetupFigure 12 Password 5.3 Configuring PasswordTable 10 Password Table 11 Time Setting 5.4 Configuring Time SettingFigure 13 Time Setting G-1000 User’s GuideChapter 5 System Screens Table 11 Time SettingG-1000 User’s Guide LABEL6.2.2 Authentication Wireless LAN6.2 Wireless Security Overview 6.1 Introduction6.2.5 Configuring Wireless LAN on the G-1000 6.2.3 Restricted Access6.2.4 Hide G-1000 Identity 6.3 Configuring the Wireless Screen 6.3.1 WEP Encryptionsettings, you will lose your wireless connection when you press Note If you are configuring the G-1000 from a computer connectedto the wireless LAN and you change the G-1000’s ESSID or WEP Apply to confirm. You must then change the wireless settings of yourG-1000 User’s Guide Table 13 WirelessChapter 6 Wireless LAN LABEL6.4 Configuring Roaming 6.4.1 Requirements for Roaming Note All APs on the same subnet and the wireless stations must 6.5 MAC Filterhave the same ESSID to allow roaming Figure 17 MAC Address Filter Chapter 6 Wireless LANG-1000 User’s Guide Table 15 MAC Address Filter6.6 Introduction to WPA 6.6.1 WPA2-PSK Application Example6.6.2 WPA2 with RADIUS Application Example 6.7 Configuring IEEE 802.1x and WPA 6.6.3 Wireless Client WPA Supplicants6.7.1 Authentication Required Figure 21 Wireless LAN 802.1x/WPA for 802.1x Protocol Note If wireless station authentication is done using a RADIUSserver, the reauthentication timer on the RADIUS server has Table 17 Wireless LAN 802.1x/WPA for 802.1x ProtocolChapter 6 Wireless LAN 6.7.2 Authentication Required WPATable 17 Wireless LAN 802.1x/WPA for 802.1x Protocol G-1000 User’s Guide6.7.3 Authentication Required WPA-PSK Table 19 Wireless LAN 802.1x/WPA for WPA-PSK Protocol 6.7.4 Authentication Required WPA2Figure 23 Wireless LAN 802.1x/WPA for WPA-PSK Protocol Chapter 6 Wireless LAN6.7.5 Authentication Required WPA2-PSK 6.8 Configuring RADIUS Figure 26 RADIUS Screen Chapter 6 Wireless LANG-1000 User’s Guide Table 22 RADIUS Screen7.1.1 IP Address and Subnet Mask IP Screen7.1 TCP/IP Parameters 7.1.2 WAN IP Address Assignmentnew IP address if you want to access the web configurator 7.2 Configuring IPby the DHCP server to access the G-1000 again Figure 27 IP Setup8.1.1 Remote Management Limitations Remote Management Screens8.1 Remote Management Overview CH A P T E R8.1.3 System Timeout 8.2 Configuring WWW8.1.2 Remote Management and NAT 8.3 Configuring Telnet 8.4 Configuring TELNET8.5 Configuring FTP 8.6 SNMP Note SNMP is only available if TCP/IP is configuredGet - Allows the manager to retrieve an object variable from the agent G-1000 User’s Guide 8.6.1 Supported MIBs8.6.2 SNMP Traps Table 28 SNMP TrapsSNMP Configuration 8.6.4 Configuring SNMP8.6.3 SNMP Interface Index enet0Chapter 8 Remote Management Screens G-1000 User’s GuideTable 30 Remote Management SNMP LABELG-1000 User’s Guide Chapter 8 Remote Management ScreensLog Screens 9.1 Configuring View LogCH A P T E R Figure 34 View Log 9.2 Configuring Log SettingsTable 31 View Log G-1000 User’s Guide Figure 35 Log SettingsTable 32 Log Settings Chapter 9 Log ScreensChapter 9 Log Screens Table 32 Log SettingsG-1000 User’s Guide LABEL10.2 System Status Screen Maintenance10.1 Maintenance Overview CH A P T E R10.3 Association List 10.2.1 System StatisticsG-1000 User’s Guide 10.4 F/W Upload ScreenChapter 10 Maintenance Figure 38 Association ListFigure 39 Firmware Upload Note Do not turn off the G-1000 while firmware upload is in progressFigure 40 Firmware Upload In Process Figure 42 Firmware Upload Error 10.5 Configuration ScreenFigure 41 Network Temporarily Disconnected 10.5.2 Restore Configuration 10.5.1 Backup ConfigurationFigure 43 Configuration Figure 44 Configuration Upload Successful Figure 45 Network Temporarily Disconnected10.5.3 Back to Factory Defaults 10.6 Restart ScreenIntroducing the SMT 11.1 Connect to your G-1000 Using Telnet11.2 Changing the System Password CH A P T E R11.3 G-1000 SMT Menus Overview Figure 50 Menu 23.1 System Security Change PasswordG-1000 User’s Guide Table 38 SMT Menus Overview continued 11.4 Navigating the SMT InterfaceTable 39 Main Menu Commands Chapter 11 Introducing the SMTFigure 51 G-1000 SMT Main Menu Table 39 Main Menu CommandsG-1000 User’s Guide Table 40 Main Menu SummaryGeneral Setup CH A P T E RG-1000 User’s Guide Table 41 Menu 1 General SetupChapter 12 General Setup FIELD13.2 TCP/IP Ethernet Setup LAN Setup13.1 LAN Setup CH A P T E R13.3 Wireless LAN Setup Figure 54 Menu 3.2 TCP/IP SetupChapter 13 LAN Setup G-1000 User’s Guide Figure 55 Menu 3.5 Wireless LAN SetupTable 43 Menu 3.5 Wireless LAN Setup FIELDChapter 13 LAN Setup 13.3.1 Configuring MAC Address FilterTable 43 Menu 3.5 Wireless LAN Setup ConfigurationChapter 13 LAN Setup 2 Enter 5 to display Menu 3.5 - Wireless LAN SetupFigure 56 Menu 3.5 Wireless LAN Setup ENTER. Menu 3.5.1 - WLAN MAC Address Filter displays as shown nextFigure 58 Menu 3.5 Wireless LAN Setup 13.3.2 Configuring Roaming2 Enter 5 to display Menu 3.5 - Wireless LAN Setup Chapter 13 LAN SetupChapter 13 LAN Setup Figure 59 WLAN Roaming ConfigurationTable 45 Menu 3.5.4 Bridge Link Configuration G-1000 User’s GuideChapter 13 LAN Setup G-1000 User’s GuideDial-in User Setup CH A P T E RFigure 61 Menu 14.1- Edit Dial-in User Chapter 14 Dial-in User SetupG-1000 User’s Guide Table 46 Menu 14.1- Edit Dial-in UserTable 47 Menu 22 SNMP Configuration SNMP ConfigurationFigure 62 Menu 22 SNMP Configuration Chapter 15 SNMP ConfigurationChapter 15 SNMP Configuration G-1000 User’s GuideSystem Security 16.1 System Password16.2 Configuring External RADIUS Server CH A P T E RChapter 16 System Security G-1000 User’s Guide Figure 65 Menu 23.2 System Security RADIUS ServerTable 48 Menu 23.2 System Security RADIUS Server FIELD16.3 2 Enter 4 to display Menu 23.4 - System Security - IEEE802.1xTable 49 Menu 23.4 System Security IEEE802.1x Required or No Access AllowedG-1000 User’s Guide Figure 67 Menu 23.4 System Security IEEE802.1x Chapter 16 System SecurityG-1000 User’s Guide configure Data Privacy for Broadcast/Multicast packets fieldWhen you configure Key Management Protocol to WPA, the Authentication Table 49 Menu 23.4 System Security IEEE802.1xG-1000 User’s Guide Chapter 16 System Security17.1 System Status System Information and DiagnosisCH A P T E R Figure 69 Menu 24.1 System Maintenance Status 17.2 System Information1 Enter 24 to display Menu 24 - System Maintenance Table 50 Menu 24.1 System Maintenance StatusMenu 1 - General Setup 17.2.1 System InformationTable 51 Menu 24.2.1 System Maintenance Information G-1000 User’s Guide17.3 Diagnostic 17.2.2 Console Port SpeedFollow the procedure next to get to display this menu G-1000 User’s Guide Chapter 17 System Information and Diagnosis18.1 Filename Conventions Firmware and Configuration File MaintenanceCH A P T E R 18.2 Backup Configuration 18.2.1 Backup Configuration Using FTP18.2.2 Using the FTP command from the DOS Prompt 18.2.3 Backup Configuration Using TFTP Figure 75 FTP Session Example18.2.4 Example TFTP Command 18.2.5 Backup Via Console Port1 Display menu 24.5 and enter “y” at the following screen 19.1 Command Interpreter Mode System Maintenance and InformationCH A P T E R Figure 80 Menu 24 System Maintenance 19.2 Time and Date SettingFigure 81 Valid CI Commands Chapter 19 System Maintenance and Information Figure 82 Menu 24.10 System Maintenance Time and Date SettingTable 56 System Maintenance Time and Date Setting G-1000 User’s Guide19.3.1 Telnet 19.3 Remote Management Setup19.3.4 Remote Management Setup 19.3.2 FTPLAN only , WAN only , All or Disable . The default is LAN only 19.3.5 Remote Management LimitationsChapter 19 System Maintenance and Information G-1000 User’s Guide19.5 System Timeout 19.4 Remote Management and NATProblems with the Ethernet Interface TroubleshootingProblems Starting Up the G-1000 Appendix AProblems with the WLAN Interface Problems with the PasswordProblems with Telnet Table 61 Troubleshooting the PasswordHardware SpecificationsAppendix B FirmwareSpecifications G-1000 User’s Guide Table 65 Firmware continuedAppendix C Brute-Force Password Guessing ProtectionExample Brute-Force Password Guessing Protection G-1000 User’s GuideAppendix D Setting up Your Computer’s IP Address Windows 95/98/MeInstalling Components Configuring Verifying Settings Windows 2000/NT/XPG-1000 User’s Guide Setting up Your Computer’s IP Address3 Right-click Local Area Connection and then click Properties Figure 88 Windows XP Start MenuPage In the IP Settings tab, in IP addresses, click Add 1 Click Start, All Programs, Accessories and then Command Prompt Macintosh OS 8/9Verifying Settings 8 Click OK to close the Internet Protocol TCP/IP Properties windowG-1000 User’s Guide Setting up Your Computer’s IP Address2 Select Ethernet built-in from the Connect via list Figure 94 Macintosh OS 8/9 Apple Menu5 Close the TCP/IP Control Panel Macintosh OSVerifying Settings Select Built-in Ethernet from the Show listVerifying Settings Setting up Your Computer’s IP Address G-1000 User’s GuideAppendix E Case A The G-1000 is using the same LAN and WAN IP addressesIP Address Assignment Conflicts Figure 100 IP Address Conflicts Case C Case D Two or more subscribers have the same IP addressG-1000 User’s Guide Figure 99 IP Address Conflicts Case B IP Address Assignment ConflictsFigure 101 IP Address Conflicts Case D In this case, the subscribers are not able to access the InternetG-1000 User’s Guide IP Address Assignment ConflictsG-1000 User’s Guide IP Address Assignment ConflictsAd-hoc Wireless LAN Configuration Wireless LANsWireless LAN Topologies Appendix FPage Wireless LANs ChannelRTS/CTS G-1000 User’s Guide Figure 104 Infrastructure WLANFragmentation Threshold Figure 105 RTS/CTSIEEE 802.11g Wireless LAN Preamble TypeRADIUS IEEETypes of RADIUS Messages Types of Authentication EAP-MD5 Message-Digest AlgorithmPEAP Protected EAP EAP-TTLS Tunneled Transport Layer ServiceEAP-TLS Transport Layer Security LEAPWPA2 EncryptionUser Authentication Security Parameters SummaryAUTHENTICATION Table 69 Wireless Security Relational Matrix continuedWireless LANs ENABLE IEEEWireless LANs G-1000 User’s GuideIP Addressing Appendix GIP Subnetting IP ClassesSubnet Masks SubnettingSUBNET MASK “1” BITS Example Two SubnetsSUBNET MASK IP ADDRESS LAST OCTET BIT VALUETable 75 Subnet Table 76 SubnetTable 78 Subnet Example Four SubnetsTable 77 Subnet Table 79 SubnetExample Eight Subnets Subnetting With Class A and Class B Networks G-1000 User’s Guide IP SubnettingCommand Usage Command InterpreterCommand Syntax Appendix HCommand Interpreter G-1000 User’s GuideTable 84 System Maintenance Logs AppendixLog Descriptions G-1000 User’s GuideG-1000 User’s Guide Table 85 ICMP Notes continued Log CommandsConfiguring What You Want the G-1000 to Log Table 86 Sys logTable 87 Log Categories and Available Settings Log Command ExampleDisplaying Logs G-1000 User’s GuideG-1000 User’s Guide Log DescriptionsAntenna Selection and Positioning Recommendation Antenna CharacteristicsAppendix J Types of Antennas For WLANConnector Type Positioning AntennasPower Adaptor Specifications Power Adaptor SpecificationsAppendix K G-1000 User’s GuidePower Adaptor Specifications G-1000 User’s Guide Table 93 AUSTRALIA AND NEW ZEALAND PLUG STANDARDSIndex NumericsZyAIR G-3000 User’s Guide ZyAIR G-3000 User’s Guide FTP 72, 75, 134 RestrictionsZyAIR G-3000 User’s Guide ZyAIR G-3000 User’s Guide ZyAIR G-3000 User’s Guide