ZyXEL Communications G-3000H Security, Security Modes

G-3000H User’s Guide

The following figure shows an overview of authentication when you specify a RADIUS server on your access point.

Figure 27 EAP Authentication

The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x appendix.

1The wireless station sends a “start” message to the ZyAIR.

2The ZyAIR sends a “request identity” message to the wireless station for identity information.

3The wireless station replies with identity information, including username and password.

4The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.

6.5Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

To use Dynamic WEP, enable and configure the RADIUS server and enable one of the Dynamic WEP Security Modes in the Security screen. Ensure that the wireless station’s EAP type is configured to one of the following:

•EAP-TLS

•EAP-TTLS

•PEAP

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

6.6 Introduction to WPA

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. Key differences between WPA and WEP are user authentication and improved data encryption.

Chapter 6 Wireless Security Configuration

75

Contents

User’s Guide Copyright Disclaimer Trademarks Federal Communications Commission (FCC) Interference Statement Notice Certifications ZyXEL Limited Warranty Note Safety Warnings Customer Support Page Page Table of Contents System Screens Other Wireless Configurations Page Page Chapter LAN Setup Dial-inUser Setup VLAN Setup SNMP Configuration Firmware and Configuration File Maintenance System Maintenance and Information Appendix A Page List of Figures Page Page Page Page Page List of Tables Page Page Page Preface About This User's Guide Related Documentation User Guide Feedback Syntax Conventions Graphics Icons Key Page Getting to Know Your ZyAIR 10/100M Auto-negotiatingEthernet/Fast Ethernet Interface 10/100M Auto-crossoverEthernet/Fast Ethernet Interface Reset Button ZyAIR LED Bridge/Repeater LED Power over Ethernet (PoE) Wi-FiProtected Access Layer-2Isolation VLAN WDS Functionality 802.11b Wireless LAN Standard 802.11g Wireless LAN Standard STP (Spanning Tree Protocol) / RSTP (Rapid STP) WMM QoS Certificates Limit the number of Client Connections SSL Passthrough Brute-ForcePassword Guessing Protection Wireless LAN MAC Address Filtering WEP Encryption Full Network Management Logging and Tracing Embedded FTP and TFTP Servers Wireless Association List Wireless LAN Channel Usage 1.3.1 Access Point 1.3.2 Multiple ESS 1.3.3 AP + Bridge AP+Bridge AP + Bridge 1.3.4 Bridge / Repeater Bridge/Repeater Page Introducing the Web Configurator Replace Certificate MAIN MENU RESET 2.2.1 Procedure To Use The Reset Button SYS LINK BDG/ RPT MAIN MENU WIZARD SETUP ADVANCED SYSTEM WIRELESS Wizard Setup General Setup Page 3.4.1 IP Address Assignment 3.4.2 IP Address and Subnet Mask Page Finish Wizard 3 IP Address Assignment System Screens Password Figure 16 Password Table 8 Password Time Setting Page Page Page Wireless Configuration 5.1.2 ESS Page 5.3.1 WMM QoS Priorities 5.3.2 Type Of Service (ToS) 5.3.2.1 DiffServ 5.3.2.2 DSCP and Per-HopBehavior 5.4.1 Rapid STP 5.4.2 STP Terminology 5.4.3 How STP Works 5.4.4 STP Port States SSID Profile Layer-2 Isolation MAC Filter Roaming Figure 21 Wireless: Access Point 5.6.2 Bridge/Repeater Mode Page Page Figure 25 Wireless: Bridge/Repeater 5.6.3 AP+Bridge Mode 5.6.4 Multiple ESS Mode MESSID Access Point AP+Bridge Page Wireless Security Configuration 6.1.4 Hide ZyAIR Identity 6.1.5 WEP Encryption WEP Encryption Authentication Method Security Security Modes 6.6.1 User Authentication 6.6.2Encryption 6.6.3 WPA(2)-PSKApplication Example Page Page Page Page Figure 30 Security Table 19 Security 6.12.1 Security: No Access No Access 6.12.2 Security: WEP WEP 6.12.3 Security: 802.1x Only, 802.1x Static 64-bitWEP, 128-bitWEP Page 6.12.4 Security: 802.1x Dynamic 64-bitWEP, 128-bitWEP 6.12.5 Security: WPA, WPA-MIX,WPA2, WPA2-MIX WPA WPA-MIX WPA2 WPA2-MIX 6.12.6 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX Page Page Figure 37 RADIUS Table 26 RADIUS Page Page Multiple ESS, SSID and VLAN 7.1.3 Multiple ESS Example 7.1.4 Multi-ESSwith VLAN Example 7.1.5 Configuring Multiple ESS Wireless tab Page Page Figure 41 SSID Table 29 SSID 7.2.1 Configuring SSID MAC Filter Page 7.2.2 Second Rx VLAN ID Second Rx VLAN ID Page Page Other Wireless Configurations Page 8.2.1 Layer-2Isolation Examples 8.2.2 Layer-2Isolation Example Enable Allow devices with these MAC addresses 8.2.3 Layer-2Isolation Example •Select the Enable Layer-2Isolation check box 8.2.4 Layer-2Isolation Example Page Enable Enable MAC Filtering Page 8.4.1 Requirements for Roaming Page VLAN Figure 54 VLAN Table 34 VLAN 9.2.1 Configuring Management VLAN Example 1Click VLAN under Advanced Application 2Click Static VLAN ACTIVE VLAN Group ID Tx Tagging Control Fixed VLAN Status 9.2.2 Configuring Microsoft’s IAS Server Example 9.2.2.1 Configuring VLAN Groups 9.2.2.2 Configuring Remote Access Policies Conditions Select Attribute Windows-Groups Select Groups Permissions Grant remote access permission Edit Profile Dial-in Profile Encryption Strongest Client may request an IP address Advanced Service-Type •Select Tunnel-Medium-Type Enumerable Attribute Information Attribute value RADIUS Attribute Screen •Select Tunnel-Pvt-Group-ID 14The Attribute Information screen displays •Select Tunnel-Type 16The Enumerable Attribute Information screen displays Virtual LANs (VLAN) Close Configuring Remote Access Policies IP Screen Figure 74 IP Setup Table 37 IP Setup Certificates 11.1.1 Advantages of Certificates My Certificate Trusted CA Page Page Page Page Page My Certificate Create Return Page Page Page Page Import Trusted CA Import Trusted CA Details Page Page Page Page Remote Management Screens 12.1.2 Remote Management and NAT 12.1.3System Timeout System WWW Page TELNET REMOTE MGMT FTP Page Page 12.6.1 Supported MIBs 12.6.2 SNMP Traps 12.7.1 Configuring SNMP SNMP Page Log Screens System Errors Figure 89 Log Settings Page Maintenance 14.2.1 System Statistics Poll Interval Figure 91 System Status: Show Statistics Association List Figure 92 Association List Page Figure 93 Channel Usage F/W Upload Figure 94 Firmware Upload Firmware Upload in Process 14.6.1 Backup Configuration Backup 14.6.2 Restore Configuration Figure 99 Configuration Upload Successful Figure 100 Network Temporarily Disconnected 14.6.3 Back to Factory Defaults Reset Restart Introducing the SMT New Password Retype to confirm Page Figure 106 G-3000HSMT Main Menu 15.4.1 System Management Terminal Interface Summary Page Page General Setup Page LAN Setup Figure 109 Menu 3.2 TCP/IP Setup Menu 3.5 – Wireless LAN Setup Page 17.3.1 Configuring MAC Address Filter 2Enter 5 to display Menu 3.5 – Wireless LAN Setup Figure 111 Menu 3.5 Wireless LAN Setup AP + Bridge Edit MAC Address Filter [ENTER]. Menu 3.5.1 – WLAN MAC Address Filter displays as shown next Figure 112 Menu 3.5.1 WLAN MAC Address Filter 17.3.2 Configuring Roaming Figure 113 Menu 3.5 Wireless LAN Setup Edit Roaming Configuration Menu 3.5.2 – Roaming Configuration 17.3.3 Configuring SSID Profiles Figure 115 Menu 3.5 Wireless LAN Setup MESSID Edit SSID Profile Menu 3.5.6 - SSID Profile Edit 17.3.4 Configuring Bridge Link Figure 117 Menu 3.5 Wireless LAN Setup Bridge / Repeater Edit Bridge Link Configuration Menu 3.5.4 – Bridge Link Configuration Figure 118 Menu 3.5.4 Bridge Link Configuration 17.3.5 Configuring Layer-2Isolation Figure 119 Menu 3.5 Wireless LAN Setup Menu 3.5.5 – Layer 2 Isolation Note: The Block Intra-BSSTraffic changes from No to Yes Page Dial-inUser Setup Figure 122 Menu 14.1- Edit Dial-inUser VLAN Setup Page SNMP Configuration Page System Security Mode System Information and Diagnosis Figure 129 Menu 24.1 System Maintenance: Status 1Enter 24 to display Menu 24 – System Maintenance 2Enter 2 to display Menu 24.2 – System Information and Console Port Speed 22.2.1 System Information 22.2.2 Console Port Speed Menu 24.2.2 – System Maintenance – Console Port Speed Figure 132 Menu 24.2.2 System Maintenance: Change Console Port Speed 22.3.1 Viewing Error Log Figure 133 Menu 24.3 System Maintenance: Log and Trace Figure 134 Sample Error and Information Messages Figure 135 Menu 24.4 System Maintenance: Diagnostic Menu 24.4 – System Maintenance – Diagnostic Firmware and Configuration File Page Page Page Page Page Page Page Page Page Page Page System Maintenance and Information Figure 151 Menu 24 System Maintenance Figure 152 Valid CI Commands 24.1.1 CNM 24.1.2 Configuring Vantage CNM Page Page 24.1.3 Configuration Example Page Menu 24.10 – System Maintenance – Time and Date Setting Figure 155 Menu 24.10 System Maintenance: Time and Date Setting 24.2.1 Resetting the Time 24.3.1 Telnet Figure 156 Telnet Configuration on a TCP/IP Network 24.3.2 FTP 24.3.3 Web 24.3.4 Remote Management Setup WAN only LAN only All Figure 157 Menu 24.11 Remote Management Control 24.3.5 Remote Management Limitations Page Appendix A Troubleshooting Page Appendix B Specifications Page Appendix C Power over Ethernet (PoE) Page Appendix D Brute-ForcePassword Guessing Protection Page Appendix E Setting up Your Computer’s IP Address Installing Components Adapter Protocol Microsoft manufacturers Client for Microsoft Networks Configuring Properties Obtain an IP address automatically Specify an IP address Gateway New gateway field TCP/IP Properties Verifying Settings IP Configuration Network Connections Network and Dial-up Connections 3Right-click Local Area Connection and then click Properties Internet Protocol (TCP/IP) Use the following IP Address IP address Subnet mask Default gateway IP Settin Use the following DNS server addresses Preferred DNS server Alternate DNS server 8Click OK to close the Internet Protocol (TCP/IP) Properties window 9Click OK to close the Local Area Connection Properties window 2Select Ethernet built-in from the Connect via list Using DHCP Server Configure: Configure Manually Router address 5Close the TCP/IP Control Panel Save Apply Now Page Appendix F IP Address Assignment Conflicts Page Page Page Appendix G Wireless LANs ESS Page RTS/CTS RTS/CTS Fragmentation Threshold IEEE 802.11b Wireless LAN Types of RADIUS Messages EAP-MD5 EAP-TLS EAP- TTLS PEAP LEAP EAP-TLS(Transport Layer Security) EAP-TTLS(Tunneled Transport Layer Service) PEAP (Protected EAP) LEAP Dynamic WEP Key Exchange Page User Authentication Page Page Appendix H IP Subnetting Page Page Page Page Table 106 Subnet Page Page Appendix Command Interpreter Page Appendix J Log Descriptions Table 112 Sys log Configuring What You Want the ZyAIR to Log Displaying Logs Page Appendix K Indoor Installation Recommendations Positioning Antennas Appendix L Power Adaptor Specifications Page Index