Manuals / Brands / Computer Equipment / Network Router / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications G-2000 Plus 7.9.1.2 Accounting-Request, 7.9.1.3 Accounting-Response, 7.9.1.4 EAP Authentication Overview

1 430

Download 430 pages, 15.18 Mb

ZyAIR G-2000 Plus User’s Guide

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

7.9.1.2 Accounting-Request

Sent by the access point requesting accounting.

7.9.1.3 Accounting-Response

Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the wired network from unauthorized access.

7.9.1.4 EAP Authentication Overview

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server or the AP. The ZyAIR supports EAP-TLS, EAP-TTLS and PEAP with RADIUS. Refer to the Types of EAP Authentication appendix for descriptions on the common types.

Your ZyAIR supports PEAP with the Internal RADIUS Server.

The following figure shows an overview of authentication when you specify a RADIUS server on your access point.

Figure 36 EAP Authentication

The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of PEAP authentication steps, see the IEEE 802.1x appendix.

1The wireless station sends a “start” message to the ZyAIR.

2The ZyAIR sends a “request identity” message to the wireless station for identity information.

3The wireless station replies with identity information, including username and password.

101	Chapter 7 Wireless Security

Contents

User’s Guide Page Copyright Disclaimer Trademarks Federal Communications Commission (FCC) Interference Statement Notice Certifications ZyXEL Limited Warranty Note Safety Warnings Customer Support Page Page Table of Contents Wizard Setup Page Wireless Security Internal RADIUS Server Single User Account (SUA) / Network Address Translation (NAT) Static Route Screens Remote Management Screens Page Content Filtering Maintenance Introducing the SMT Chapter LAN Setup Static Route Setup Dial-inUser Setup Network Address Translation (NAT) Enabling the Firewall SNMP Configuration System Security System Information and Diagnosis Firmware and Configuration File Maintenance System Maintenance and Information Remote Management Call Scheduling Appendix A Appendix B Page Page List of Figures Page Page Page Page Page List of Tables Page Page Page Preface About This User's Guide Related Documentation User Guide Feedback Syntax Conventions Graphics Icons Key Page Getting to Know Your ZyAIR 1.1 Introducing the ZyAIR 1.2 ZyAIR Features 1.2.1.1 4-PortSwitch 1.2.1.2 10/100M Auto-negotiatingEthernet/Fast Ethernet Interface 1.2.1.4 10/100 Mbps Ethernet WAN 1.2.1.5 Reset Button 1.2.1.6 ZyAIR LED 1.2.2.1 Internal RADIUS Server 1.2.2.2 Wi-FiProtected Access 1.2.2.4 802.11g Wireless LAN Standard 1.2.2.5 STP (Spanning Tree Protocol) / RSTP (Rapid STP) 1.2.2.6 Certificates 1.2.2.7 Limit the number of Client Connections 1.2.2.8 SSL Passthrough 1.2.2.9 Firewall 1.2.2.10 Brute-ForcePassword Guessing Protection 1.2.2.11 Wireless LAN MAC Address Filtering 1.2.2.12 WEP Encryption 1.2.2.13 IEEE 802.1X Network Security 1.2.2.16 PPPoE Support (RFC2516) 1.2.2.17 PPTP Encapsulation 1.2.2.18 Network Address Translation (NAT) 1.2.2.19 Traffic Redirect 1.2.2.20 NAT for Single-IP-addressInternet Access 1.2.2.22 Multicast 1.2.2.23 IP Alias 1.2.2.24 IP Policy Routing 1.2.2.25 SNMP 1.2.2.26 Full Network Management 1.3 Applications for the ZyAIR Page Introducing the Web Configurator 2.1 Web Configurator Overview 2.2Accessing the ZyAIR Web Configurator Replace Certificate MAIN MENU 2.3 Resetting the ZyAIR 2.4 Navigating the ZyAIR Web Configurator WIZARD SETUP MAINTENANCE Status Association List Channel Usage Wizard Setup 3.1 Wizard Setup Overview 3.2 Wizard Setup: General Setup 3.3 Wizard Setup: Wireless LAN 3.4 Wizard Setup: Screen Extend (WPA-PSK) Pre- Shared Key 3.5 Wizard Setup: Screen Page 3.5.2 PPPoE Encapsulation 3.5.3 PPTP Encapsulation Page 3.6 Wizard Setup: Screen 3.6.2 IP Address and Subnet Mask 3.6.3 DNS Server Address Assignment 3.6.4WAN MAC Address Page Page 3.7 Basic Setup Complete Page System Screens 4.1 System Overview 4.2 Configuring General Setup 4.3 Dynamic DNS 4.4 Configuring Dynamic DNS 4.5 Configuring Password 4.6 Configuring Time Setting Page LAN Screens 5.1 LAN Overview 5.2 DHCP Setup 5.3 LAN TCP/IP 5.3.2 IP Address and Subnet Mask 5.3.3 RIP Setup RIP Direction Out Only In Only 5.4 Configuring IP Figure 18 LAN IP Table 17 LAN IP Page 5.5 Configuring Static DHCP 5.6 Configuring IP Alias Figure 20 IP Alias Table 19 IP Alias Wireless Configuration and Roaming 6.1 Wireless LAN Overview 6.1.3 ESS 6.2 Wireless LAN Basics RTS/CTS RTS/CTS Fragmentation Threshold 6.2.2 Fragmentation Threshold 6.3 Configuring Wireless Figure 25 Wireless Table 20 Wireless 6.4 Configuring Roaming 6.4.1Requirements for Roaming Roaming Figure 27 Roaming Page Wireless Security 7.1 Wireless Security Overview Page 7.2 Security Parameters Summary 7.3 WEP Overview 7.3.1.1 Authentication 7.4 Configuring WEP Encryption Page 7.5 Introduction to WPA 7.5.2 Encryption 7.5.3 WPA-PSKApplication Example 7.6 Configuring WPA-PSKAuthentication Page 7.7 Wireless Client WPA Supplicants 7.8 Configuring WPA Authentication Page 7.9 Introduction to RADIUS 7.9.1.1Access-Challenge 7.9.1.2 Accounting-Request 7.9.1.3 Accounting-Response 7.9.1.4 EAP Authentication Overview 7.10Configuring RADIUS Table 27 RADIUS 7.11 802.1x Overview 7.12 Dynamic WEP Key Exchange 7.13 Configuring 802.1x and Dynamic WEP Key Exchange Page 7.14 Configuring 802.1x and Static WEP Key Exchange Page Page 7.15 Configuring Page 7.16 MAC Filter Page Internal RADIUS Server 8.1 Internal RADIUS Overview Page 8.2 Internal RADIUS Server Setting Page 8.3 Trusted AP Overview 8.4Configuring Trusted AP 8.5 Trusted Users Overview 8.6 Configuring Trusted Users Page Page Page WAN 9.1 WAN Overview 9.2 Configuring WAN ISP 9.2.1.1 Service Type 9.2.2 PPPoE Encapsulation PPP over Ethernet PPPoE Page 9.2.3 PPTP Encapsulation Page 9.3 TCP/IP Priority (Metric) 9.4 Configuring WAN IP Figure 52 WAN: IP Table 40 WAN: IP Page 9.5 Configuring WAN MAC Page Single User Account (SUA) Network Address Translation (NAT) 10.1 NAT Overview 10.1.2 What NAT Does 10.1.3 How NAT Works 10.1.4 NAT Application 10.1.5 NAT Mapping Types One to One Many to One Many-to-Many Overload 10.2 Using NAT 10.3 SUA Server 10.3.1 Default Server IP Address 10.3.2 Port Forwarding: Services and Port Numbers SUA Server Note: 10.3.3 Configuring Servers Behind SUA (Example) 10.4 Configuring SUA Server Page 10.5 Configuring Address Mapping Page 10.5.1 Configuring Address Mapping 10.6 Trigger Port Forwarding 10.7 Configuring Trigger Port Forwarding Page Page Static Route Screens 11.1 Static Route Overview 11.2 Configuring IP Static Route 11.2.1 Configuring Route Entry Page Page Remote Management Screens 12.1 Remote Management Overview 12.2 Configuring WWW 12.3 Configuring Telnet 12.4 Configuring TELNET 12.5 Configuring FTP 12.6 SNMP 12.6.1Supported MIBs 12.6.2 SNMP Traps 12.6.3 Configuring SNMP SNMP Page 12.7 Configuring DNS 12.8 Configuring Security Figure 72 Security Table 56 Security UPN P 13.1 Universal Plug and Play Overview 13.2 UPnP and ZyXEL 13.3 Configuring UPnP 13.4 Installing UPnP in Windows Example 13.4.1 Installing UPnP in Windows Me Add/Remove Programs Windows Setup Communication Components 13.4.2 Installing UPnP in Windows XP 13.5 Using UPnP in Windows XP Example 13.5.1Auto-discoverYour UPnP-enabledNetwork Device Network Connections Properties 13.5.2 Web Configurator Easy Access 1Click Start and then Control Panel 3Select My Network Places under Other Places Local Network Invoke 13.5.3 Web Configurator Easy Access Connections Firewalls 14.1 Firewall Overview 14.2 Types of Firewalls 14.3 Introduction to ZyXEL’s Firewall 14.4 Denial of Service 14.4.2 Types of DoS Attacks Ping of Death Teardrop SYN Flood LAND SYN Attack LAND Attack brute-force 14.4.2.1 ICMP Vulnerability 14.4.2.2 Traceroute 14.5Stateful Inspection 14.5.1 Stateful Inspection Process Firewall Default Rule 14.5.2Stateful Inspection and the ZyAIR 14.5.3 TCP Security 14.5.4 UDP/ICMP Security 14.6 Guidelines For Enhancing Security With Your Firewall 14.7Packet Filtering Vs Firewall 14.7.1.1 When To Use Filtering 14.7.2.1When To Use The Firewall Page Page Firewall Screens 15.1 Access Methods 15.2 Firewall Policies Overview 15.3 Rule Logic Overview 15.3.3.1 Action 15.3.3.2 Service 15.3.3.3 Source Address 15.3.3.4 Destination Address 15.4 Connection Direction Examples 15.5 Alerts 15.6 Configuring Firewall 15.6.1 Rule Summary Rule Summary Page 15.6.2 Configuring Firewall Rules Insert Page Page 15.6.3 Configuring Custom Services Custom Service 15.7 Example Firewall Rule Edit Custom Service Selected Service(s) Services Rule Summary Apply Page 15.8Predefined Services Page Page Page Content Filtering 16.1 Introduction to Content Filtering 16.2 Restrict Web Features 16.3 Days and Times 16.4 Configure Content Filtering Page Page Page Certificates 17.1 Certificates Overview 17.2Self-signedCertificates 17.3 Configuration Summary 17.4 My Certificates Page Page 17.5 Certificate File Formats 17.6Importing a Certificate 17.7 Creating a Certificate Page Page 17.8 My Certificate Details Page Page 17.9 Trusted CAs Page 17.10 Importing a Trusted CA’s Certificate 17.11 Trusted CA Certificate Details Page Page Page Log Screens 18.1 Configuring View Log 18.2 Configuring Log Settings Figure 99 Log Settings Page 18.3 Configuring Reports Figure 100 Reports Table 75 Reports Page Page Maintenance 19.1 Maintenance Overview 19.2 System Status Screen Figure 101 System Status 19.3 DHCP Table Screen 19.4 Association List 19.5 F/W Upload Screen Figure 105 Firmware Upload Firmware Upload in Process Page 19.6 Configuration Screen Figure 109 Configuration 19.6.1 Backup Configuration Backup 19.6.2 Restore Configuration Page 19.7 Restart Screen Figure 114 Restart Screen Introducing the SMT 20.1 SMT Introduction 20.2 Connect to your ZyAIR Using Telnet 20.3 Changing the System Password 20.4 ZyAIR SMT Menu Overview Example 20.5 Navigating the SMT Interface Page 20.6 Changing the System Password Menu 23 - System Security Menu 23.1 - System Security - Change Password General Setup 21.1 General Setup Page 21.1.2 Procedure to Configure Dynamic DNS Edit Dynamic DNS Menu 1.1— Configure Dynamic DNS Page Menu 2 WAN Setup 22.1 Introduction to WAN 22.2 WAN Setup Page LAN Setup 23.1 LAN Setup 23.2 Protocol Dependent Ethernet Setup 23.3TCP/IP Ethernet Setup and DHCP Page 23.3.1 IP Alias Setup Edit IP Alias Menu 3.2.1 - IP Alias Setup 23.4 Wireless LAN Setup Page 23.4.1 Configuring MAC Address Filter 2Enter 5 to display Menu 3.5 – Wireless LAN Setup Edit MAC Address Filtering [ENTER]. Menu 3.5.1 – WLAN MAC Address Filter displays as shown next Page Page Internet Access 24.1 Introduction to Internet Access Setup 24.2 Ethernet Encapsulation Page 24.3 Configuring the PPTP Client 24.4 Configuring the PPPoE Client 24.5 Basic Setup Complete Page Remote Node Configuration 25.1 Introduction to Remote Node Setup 25.2 Remote Node Profile Setup Page 25.2.2 PPPoE Encapsulation PPPoE 25.2.2.1 Outgoing Authentication Protocol 25.2.2.2 Nailed-UpConnection 25.2.3 PPTP Encapsulation 25.3 Edit IP My WAN Addr Gateway IP Addr 25.4 Remote Node Filter Page Page Static Route Setup 26.1 IP Static Route Setup Menu 12.1 – Edit IP Static Route Setup Dial-inUser Setup 27.1 Dial-inUser Setup Figure 145 Menu 14.1- Edit Dial-inUser Network Address Translation (NAT) 28.1 Using NAT 28.2 Applying NAT [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options 28.3 NAT Setup 28.3.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 — Address Mapping Sets 28.3.1.1 User-DefinedAddress Mapping Sets 28.3.1.2 Ordering Your Rules Edit Menu 15.1.1.1 - Address Mapping Rule Local Global Start/End IPs 28.4 Configuring a Server behind NAT 28.5 General NAT Examples Network Address Translation 28.5.2 Example 2: Internet Access with an Inside Server 28.5.3 Example 3: Multiple Public IP Addresses With Inside Servers 1 : Many : Menu 15.1 - Address Mapping Sets Edit Action Start IP Page 2Enter 2 in Menu 15 - NAT Setup 28.5.4 Example 4: NAT Unfriendly Application Programs Many-to-Many No Overload Page 28.6 Configuring Trigger Port Forwarding Page Filter Configuration 29.1 Introduction to Filters 29.1.1 The Filter Structure of the ZyAIR 29.2 Configuring a Filter Set Edit Comments 29.2.1 Configuring a Filter Rule 29.2.2 Configuring a TCP/IP Filter Rule TCP/IP Filter Rule Filter Type Menu 21.1.1.1 - TCP/IP Filter Rule Page 29.2.3 Configuring a Generic Filter Rule Offset Length Mask Value Generic Filter Rule 29.3 Example Filter Menu 21.1.3 - Filter Rules Summary Yes •6 is the TCP IP Protocol Port # 29.4Filter Types and NAT 29.5 Firewall Versus Filters 29.6 Applying a Filter 29.6.2 Applying Remote Node Filters Enabling the Firewall 30.1 Remote Management and the Firewall 30.2Access Methods 30.3 Enabling the Firewall Page SNMP Configuration 31.1 About SNMP 31.2Supported MIBs 31.3 SNMP Configuration 31.4 SNMP Traps Page System Security 32.1 System Security Figure 185 Menu 23 System Security Menu23 – System Security Figure 187 Menu 23 System Security 2Enter 4 to display Menu 23.4 – System Security – IEEE802.1x Page Page Page System Information and Diagnosis 33.1 System Status Figure 190 Menu 24.1 System Maintenance : Status 33.2 System Information 33.3 Log and Trace Figure 194 Menu 24.3 System Maintenance : Log and Trace 33.3.2 UNIX Syslog Menu 24.3.2 – System Maintenance Figure 195 Menu 24.3.2 System Maintenance : UNIX Syslog 33.3.2.1 CDR 33.3.2.2 Packet triggered 33.3.2.3 Filter log 33.3.2.4 PPP log 33.3.2.5 Firewall log 33.4 Diagnostic Menu 24.4 – System Maintenance – Diagnostic Menu 24.4 System Maintenance : Diagnostic 33.4.1 WAN DHCP IP Address Assignment Dynamic WAN Release Renewal Page Page Firmware and Configuration File Page Page Page Page Page Page Page Page Page Page Page System Maintenance and Information 35.1 Command Interpreter Mode 35.2 Call Control Support 35.2.1 Budget Management Menu 24.9 - System Maintenance - Call Control 35.2.2 Call History 35.3 Time and Date Setting Figure 211 Menu 24.10 System Maintenance : Time and Date Setting 35.3.1 Resetting the Time Remote Management 36.1 Remote Management 36.1.1 Telnet 36.2Remote Management and NAT 36.3System Timeout Call Scheduling 37.1 Introduction to Call Scheduling Menu 26.1 — Schedule Set Setup Duration PPPoA Page Problems Starting Up the ZyAIR Problems with the Ethernet Interface Problems with the Password Problems with Telnet Problems with the WLAN Interface Example Page Windows 95/98/Me Installing Components Adapter Protocol Microsoft manufacturers Configuring Obtain an IP address automatically Specify an IP address Subnet Mask Disable DNS Windows 2000/NT/XP Network and Dial-up 3Right-click Local Area Connection and then click Properties Internet Protocol (TCP/IP) Use the following IP Address IP address Subnet mask Default gateway IP Settin Macintosh OS 8/9 2Select Ethernet built-in from the Connect via list Using DHCP Server Configure: Macintosh OS Apply Now Page Page Case D: Two or more subscribers have the same IP address Page Page IP Addressing IP Classes Subnet Masks Subnetting Example: Two Subnets Page Example: Four Subnets Example Eight Subnets Subnetting With Class A and Class B Networks Page Command Syntax Command Usage Page Page Log Commands Configuring What You Want the ZyAIR to Log Displaying Logs Log Command Example Benefits of a Wireless LAN IEEE Ad-hocWireless LAN Configuration Infrastructure Wireless LAN Configuration Page Page Security Flaws with IEEE Deployment Issues with IEEE Advantages of the IEEE RADIUS Server Authentication Sequence Mutual Authentication with Internal RADIUS server Page Page EAP-MD5 (Message-DigestAlgorithm 5) EAP-TLS(Transport Layer Security) EAP-TTLS(Tunneled Transport Layer Service) PEAP (Protected EAP) LEAP Antenna Characteristics Types of Antennas For WLAN Connector Type Page Page Numerics