Configuring Radius | ZyXEL Communications HS100/HS100W guide

HomeSafe User’s Guide

7.17.1 EAP Authentication Overview

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server or the AP. The HomeSafe supports EAP-TLS, EAP-TTLS and DEAP with RADIUS. Refer to the Types of EAP Authentication appendix for descriptions on the four common types.

Your HomeSafe supports EAP-MD5 (Message-Digest Algorithm 5) with the local user database and RADIUS.

The following figure shows an overview of authentication when you specify a RADIUS server on your access point.

Figure 7-14 EAP Authentication

The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x appendix.

¾The wireless station sends a “start” message to the HomeSafe.

¾The HomeSafe sends a “request identity” message to the wireless station for identity information.

¾The wireless station replies with identity information, including username and password.

¾The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.

7.18 Configuring RADIUS

Configure the RADIUS screen if you want to authenticate wireless users using an external server.

To specify a RADIUS server, click the WIRELESS link under ADVANCED and then the RADIUS tab. The screen appears as shown.

Wireless Security

7-21

Image 114

ZyXEL Communications HS100/HS100W manual Configuring Radius, EAP Authentication Overview

Contents

HS-100 / HS-100W Version 10/2005 Copyright 2004 by ZyXEL Communications Corporation DisclaimerTrademarks Certifications Information for Canadian Users ZyXEL Limited Warranty Online Registration Customer Support Table of Contents III 11-1 Viii 27.1 Page List of Figures Xiv List of Figures 10-1 Xvi List of Figures Xvii Xviii List of Figures List of Tables List of Tables 20-3 Xxii List of Tables Related Documentation User’s Guide Feedback¾ ZyXEL Glossary and Web Site Syntax Conventions Graphics Icons KeyDslam HomeSafe User’s Guide Preface Xxv Part Page Non-Physical Features HomeSafe FeaturesPhysical Features Getting to Know Your HomeSafe 802.11b Wireless LAN Standard HS-100W only Content FilteringBrute-Force Password Guessing Protection Firewall Call Scheduling Packet FilteringUniversal Plug and Play UPnP PPPoE Network Address Translation NAT Dhcp Dynamic Host Configuration ProtocolUpgrade HomeSafe Firmware via LAN Traffic Redirect Applications for the HomeSafe Secure Broadband Internet Access via Cable or DSL ModemWireless Association List HS-100W only HomeSafe Parental Control Gateway Wireless LAN Application Wireless LAN Application Example Introducing the Web Configurator Web Configurator OverviewAccessing the HomeSafe Web Configurator Set up your wireless LAN using the second wizard screen System Administrator Password SetupWlan Setup Following table describes the fields in this screen Wlan Setup Basic Security Access screenEssid WEP Wlan Setup Extended SecurityFollowing table describes the labels in this screen Ascii Internet Configuration Setup Refer to the chapter on wireless LAN for more information Internet Configuration Setup ISP Parameters Internet Access Setup Internet Access Static IP Address Setup Dhcp Internet Configuration Setup Complete Parental Control Wizard Parental Control Time Setup Wizard Parental Control Wizard 10 Wizard Parental Control Time Setup Parental Control Create or Edit a Profile Parental Control Profile Information 11 Wizard Create or Edit a Profile Parental Control User Group 12 Wizard Parental Control Profile Information Parental Control Time Allowance Administrator can decide each group’sAccess rights 13 Wizard Parental Control User Group Parental Control Application Blocking Parental Control Account Summary 15 Wizard Parental Control Application BlockingAllowance screen Parental Control Register for Content Filter 16 Wizard Parental Control Summary Content Filtering with an External Server Checking Content Filtering Activation Content Filter Service Activation If you click Register Later you will proceed to FigureFollowing screen appears after you click Activate in Figure Accessing the Internet via the HomeSafe Gateway Content Filter Setup Complete 25 Password Screen HomeSafe Main Menu Resetting the HomeSafeProcedure To Use The Reset Button Navigation Panel 17 Screens Summary Link TAB Function Remote Mgmt Telnet MaintenanceFirewall FTPPage Connection Wizard Overview Connection Wizard General Setup and System NameChapter Connection Wizard Domain Name Connection Wizard General Setup Connection Wizard Screen Connection Wizard Wireless LAN Setup Basic Security Connection Wizard Wireless LAN Setup Extend Security Ethernet PPPoE Encapsulation Connection Wizard Ethernet Encapsulation Connection Wizard PPPoE Encapsulation Pptp Encapsulation Connection Wizard Pptp Encapsulation WAN IP Address Assignment Private IP Address Ranges IP Address and Subnet Mask DNS Server Address AssignmentWAN MAC Address Connection Wizard WAN Setup ISP Basic Setup Complete Connection Wizard Finish 10 Connection Wizard Problems HomeSafe User’s Guide Connection Wizard System, LAN, Wlan and WAN System Overview Configuring General SetupChapter System Screens Click System to open the General screen Configuring Dynamic DNS Dynamic DNSDynDNS Wildcard System Ddns Configuring Password Configuring Time Setting System Time Setting Daylight Savings Dhcp Setup Chapter LAN ScreensLAN Overview Any IP Multicast How Any IP Works Any IP Example Application Configuring IP Click LAN to open the IP screen LAN TCP/IP Configuring Static Dhcp LAN Static Dhcp Configuring IP Alias LAN IP Alias LAN IP Alias Ibss Wireless Configuration and RoamingWireless LAN Overview 2 BSS Basic Service set 3 ESS Wireless LAN Basics 1 RTS/CTS Configuring Wireless Fragmentation Threshold Configuring Roaming RTS/CTS Requirements for Roaming Roaming Example Wireless stations must have the same Essid to All APs on the same subnetAllow roaming Page Chapter Wireless Security Wireless Security Overview WPA-PSK WPA Security Parameters Summary AuthenticationWireless Security Relational Matrix WEP Overview WEP Authentication Steps Preamble Type Configuring WEP Encryption Encryption field User Authentication Introduction to WPAEncryption WPA-PSK Application Example WPA-PSK application looks as follows Using a Radius server, the reauthentication Configuring WPA-PSK AuthenticationIf wireless station authentication is done Timer on the Radius server has priority Wireless Client WPA Supplicants WPA with Radius Application Example Configuring WPA Authentication WPA with Radius Application Example Wlan Wireless WPA 802.1x Overview Configuring 802.1x and Dynamic WEP Key Exchange Dynamic WEP Key ExchangeEAP-MD5 cannot be used with Dynamic WEP Key Exchange Configuring 802.1x and Static WEP Key Exchange 10 Wlan Wireless 802.1x and Static WEP Wlan Wireless 802.1x and Static WEP Wlan Wireless 802.1x and Static WEP Configuring Reset MAC Filter Following table describes the labels in this menu Wlan MAC Address FilterMAC 10 Wlan Local User Database Configuring Local User DatabaseIntroduction to Local User Database Active Select this option to activate the user profile Introduction to Radius Configuring Radius EAP Authentication Overview 15 Wlan Radius 11 Wlan Radius HomeSafe User’s Guide Page WAN Overview Configuring RouteChapter WAN Screens TCP/IP Priority Metric Configuring WAN ISP Ethernet EncapsulationScreen shown next is for Ethernet encapsulation PPPoE Encapsulation WAN ISP PPPoE Encapsulation WAN ISP Pptp Encapsulation Configuring WAN IP WAN IP Address Assignment Server WAN IPSelected Use Fixed IP Address Choose Both, None, In Only or Out Only Configuring WAN MAC Choose RIP-1 , RIP-2B or RIP-2MRIP-1 Traffic Redirect WAN Setup Traffic Redirect Configuring Traffic Redirect WAN Traffic Redirect WAN Traffic Redirect SUA/NAT and Static Route Page NAT Definitions Chapter Network Address Translation NAT ScreensNAT Overview What NAT Does How NAT Works NAT Application NAT Mapping Types Following table summarizes these types SUA Single User Account Versus NAT Using NATSUA Server NAT Mapping Types Services and Port Numbers Port Forwarding Services and Port NumbersDefault Server IP Address Services Port Number Configuring SUA Server Configuring Servers Behind SUA Example Configuring Address Mapping SUA/NAT Setup Address Mapping One-to-One and Server mapping types Configuring Address Mapping Trigger Port ForwardingMany-to-One and Server mapping types Two Points To Remember About Trigger Ports Configuring Trigger Port ForwardingTrigger Port Forwarding Example Following is an example of trigger port forwarding Only one LAN computer can use a trigger port range at a time Page Static Route Overview Configuring IP Static RouteChapter Static Route Screens Click Static Route to open the screen as shown next Configuring Route Entry Static Route Edit NAT Screens 10-3 UPnP, Parental Control and Firewall Universal Plug and Play Overview How Do I Know If Im Using UPnP?Chapter UPnP UPnP and ZyXEL Configuring UPnP Installing UPnP in Windows ExampleClick UPnP to display the screen shown next Follow the steps below to install UPnP in Windows Me Installing UPnP in Windows MeInstalling UPnP in Windows XP Follow the steps below to install UPnP in Windows XP Using UPnP in Windows XP Example Auto-discover Your UPnP-enabled Network Device Internet Connection Properties Web Configurator Easy Access Connections Select My Network Places under Other Places UPnP 11-7 Page Chapter Parental Control Parental Control LoginsInitial Configuration Parental Control Overview Parental Administrator log Parental Control Application Configuring Parental Control HomeSafe Parental Control Wireless Gateway Application Parental Control Web site displays a registration successful For content filtering to be activated. See CheckingContent filtering activation Web page. It may take up to another ten minutes Content Filtering with an External Server Reset Click Reset to start configuring this screen againParental Control Group Edit Filter Parental Control Group Edit Configuration Parental Control Filter Parental Control 12-9 12-10 Parental Control Parental Control 12-11 Blocking URL Checking section for How to set how much of the URLSee the Customizing Keyword HomeSafe checks Customizing Keyword Blocking URL Checking Parental Control Edit Services Service Description RCMDTCP512 RLOGINTCP513PPTPTUNNELGRE0 REALAUDIOTCP7070 Parental Control Edit If you want to allow twenty-four hour Access, you should select the unrestrictedUser access will be denied after the End Check box Parental Control Bypass List Weekdays or Weekend boxes Parental Control 12-19 Page Chapter Firewall IntroductionGuidelines For Enhancing Security With Your Firewall Firewall Settings Screen Firewall Settings No Log Firewall, NAT and Remote ManagementLAN-to-WAN rules Log All log all LAN to WAN packets Services WAN-to-LAN rules Firewall Service Click Clear All to empty the Blocked Service Remote Management Page Remote Management Overview Only LAN only Neither DisableChapter Remote Management Screens Remote Management Limitations Configuring WWW System TimeoutRemote Management and NAT Configuring Telnet Telnet Configuration on a TCP/IP Network Configuring FTP Remote Management Telnet Snmp Remote Management FTP Snmp is only available if TCP/IP is configured Snmp Management Model Snmp Traps Configuring SnmpSupported MIBs Snmp Traps Remote Management Snmp Configuring DNS Remote Management DNS Configuring Security Icmp Remote Management Screens 14-11 Page HomeSafe User’s Guide VPN Screens 14-1 Logs and Maintenance Chapter Centralized Logs View Log Log Settings Settings, see section Log Settings Weekly When Log is FullDaily Hourly Chapter Maintenance Maintenance OverviewStatus Screen Maintenance System Statistics System Statistics Maintenance Dhcp Table Dhcp Table Screen Any IP Table Association List Maintenance Firmware Upload 16.6 F/W Upload Screen Configuration Screen Upload Warning Backup Configuration Restore ConfigurationMaintenance Restore Configuration Back to Factory Defaults 11 Configuration Restore Successful 14 Factory Defaults Restart Screen SMT General Configuration Page Chapter Introducing the SMT SMT Introduction Operation Keystroke Description Main Menu CommandsNavigating the SMT Interface Enter ? or ChangeMe System Management Terminal Interface SummaryMain Menu Summary Menu Title Description Changing the System Password Menu 23 System Password Procedure To Configure Menu Chapter Menu 1 General SetupGeneral Setup Field Description Example Procedure to Configure Dynamic DNS Select Yes to configure Menu 1.1 Configure Dynamic DNS Yes DynamicDNSUser Specified IP Address field Introduction to WAN Chapter Menu 2 WAN SetupWAN Setup From the main menu, enter 2 to open menuPage Protocol Dependent Ethernet Setup Chapter Menu 3 LAN SetupLAN Setup 20.3 TCP/IP Ethernet Setup and Dhcp Menu 3.2 TCP/IP and Dhcp Ethernet Setup Menu 3.2 Dhcp Ethernet Setup Fields RIP-1 Menu 3.2 LAN TCP/IP Setup FieldsBoth RIP-1,RIP-2B or RIP-2M IP Alias Setup Physical Network & Partitioned Logical Networks Wireless LAN Setup Both, In Only, Out Only or NoneField Description Example Essid RTS DisableCH06 2437MHz Auto Configuring MAC Address Filter Mixed Configuring Roaming on the HomeSafe Menu 3.5.1 Wlan MAC Address Filter 10 Menu 3.5.2 Roaming Configuration Menu 3.5.2 Roaming ConfigurationPage Menu 4 Internet Access Setup Ethernet Chapter Internet AccessIntroduction to Internet Access Setup Ethernet Encapsulation Configuring the Pptp Client New Fields in Menu 4 Pptp Screen Configuring the PPPoE ClientDefault New Fields in Menu 4 PPPoE screen 21-4 Internet Access Chapter Remote Node Configuration Introduction to Remote Node SetupRemote Node Profile Setup Press Enter to go to Menu 11.3 Remote Node Network EthernetAlias Layer Options Outgoing Authentication Protocol Nailed-Up Connection Fields in Menu 11.1 PPPoE Encapsulation Specific CHAP/PAP Remote Node Network Layer Options Edit IPMenu 11.1 Remote Node Profile for Pptp Encapsulation Dynamic Many-to-One and Server Remote Node FilterSUA Only RIP-1/RIP-2B/RIP-2M or None Traffic Redirect Setup Menu 11.5 Remote Node Filter Ethernet Encapsulation 22-8 Remote Node Configuration Chapter Static Route Setup IP Static Route Setup 23-2 Static Route Setup Chapter Dial-in User Setup Dial-in User SetupPage Menu 4 Applying NAT for Internet Access Applying NAT Applying NAT in Menus 4 NAT SetupFull Feature NAT Following table explains the fields in this menu Address Mapping SetsSUA Address Mapping Set Menu 15.1.255 is read-only SUA Address Mapping Rules User-Defined Address Mapping Sets Ordering Your Rules Edit Menu 15.1.1 First SetField Desription Example Select Rule item Configuring a Server behind NAT Follow these steps to configure a server behind NATOne-to-One,Many-to-One and Server types Example 1 Internet Access Only Following are some examples of NAT configurationGeneral NAT Examples Example 2 Internet Access with an Inside Server Example 3 Multiple Public IP Addresses With Inside ServersDynamic Inside Global Address is assigned by the ISP Address Translation field in menu 4 or menu 11.3 Enter 1 to configure the Address Mapping SetsFollowing figures show how to configure the first rule Then enter 15 from the main menu Enter 2 in Menu 15 NAT Setup Example 4 NAT Unfriendly Application Programs Example 3 Menu 20 Example 4 Menu 15.1.1 Address Mapping Rules Menu 15.3 Trigger Port Setup Page Remote Management and the Firewall Access MethodsChapter Enabling the Firewall Enabling the Firewall SMT Advanced Management Chapter Filter Configuration Introduction to FiltersFilter Structure of the HomeSafe Execute Configuring a Filter Set Abbreviations Used in the Filter Rules Summary Menu Rule Abbreviations Used Configuring a Filter RuleConfiguring a TCP/IP Filter Rule Abbreviation Description Less TCP/IP Filter RuleField Description Options Equal Following figure illustrates the logic flow of an IP filter Configuring a Generic Filter Rule Executing an IP Filter Generic Filter Rule Menu Fields Example Filter HomeSafe User’s Guide Generic Filter Rule Menu Fields 10 Example Filter Menu Filter Types and NAT Applying LAN Filters Firewall Versus FiltersApplying a Filter Applying Remote Node Filters 14 Filtering Remote Node Traffic Page Chapter Snmp Configuration About Snmp Snmp Configuration Following table describes the Snmp configuration parametersSupported MIBs Snmp Traps Ports and Permanent Virtual CircuitsPort PVC Permanent Virtual Circuit Page Chapter System Security System PasswordConfiguring External Radius Server System Security 29.1.3 Enter 4 to display Menu 23.4 System Security IEEE802.1x No Access Allowed Menu 23.4 System Security IEEE802.1x Mode PSKGroup Data Privacy field Management Protocol is selected System Information and Diagnosis System Status Menu 24.1 System Maintenance Status System Maintenance Status Menu Fields System Information Menu 1 General SetupSystem Information To get to the System Information Console Port Speed Menu 24.3.2 System Maintenance Syslog and AccountingLog and Trace Syslog Logging System Information and Diagnosis 30-5 Diagnostic Call-Triggering Packet System Maintenance Menu Diagnostic WAN Dhcp 30-8 System Information and Diagnosis Filename Conventions Chapter Firmware and Configuration File MaintenanceFilename Conventions File Type Internal Name External Name Description Example of FTP Commands from the Command Line Backup ConfigurationUsing the FTP Command from the Command Line Follow the instructions as shown in the next screen Command Description Backup Configuration Using TftpGeneral Commands for GUI-based FTP Clients GUI-based FTP Clients Restore Using FTP Restore ConfigurationTftp Command Example Following is an example Tftp command Uploading Firmware and Configuration Files Restore Using FTP Session Example Configuration File Upload You see the following screen when you telnet into menuFirmware File Upload FTP File Upload Command from the DOS Prompt Example FTP Session Example of Firmware File UploadTftp File Upload Tftp Upload Command Example Command Syntax Chapter System MaintenanceCommand Interpreter Mode Command Usage Call Control Support Budget Management Call History Call History Fields Time and Date Setting Time and Date Setting FieldsNTP RFC-1305 the default, is similar to Time RFC-868 Resetting the Time Daylight Saving fieldPage Chapter Remote Management Remote Management LAN Only Chapter Call Scheduling Introduction to Call Scheduling Menu 26.1 Schedule Set Setup Once Applying Schedule Sets to a Remote Node PPPoE Appendices and Index Page Troubleshooting Problem Corrective ActionAppendix a Control Group Edit screen Benefits of PPPoE Appendix B PPPoEPPPoE in Action Traditional Dial-up Scenario Diagram B-2 The HomeSafeas a PPPoE Client HomeSafeas a PPPoE Client Appendix C What is PPTP?Diagram C-1 Transport PPP frames over Ethernet Pptp and the HomeSafe Pptp Protocol Overview Diagram C-2 Pptp Protocol OverviewDiagram C-3 Example Message Exchange between PC and an ANT Control & PPP connections Pptp Page Appendix D Log Descriptions Chart 1 System Error LogsChart 2 System Maintenance Logs LOG Message Description Chart 3 UPnP Logs Chart 4 Content Filtering LogsID content Chart 5 Icmp Type and Code Explanations Type Code Description Log Commands Configuring What You Want the HomeSafe to Log Displaying Logs Page Appendix E Setting up Your Computer’s IP Address Windows 95/98/MeIf you need TCP/IP If you need Client for Microsoft Networks Checking/Modifying Your Computer’s IP Address Windows 2000/NT/XP Click Advanced to go to the Advanced TCP/IP HomeSafe User’s Guide Turn on your HomeSafeand restart your computer if prompted Macintosh OS 8/9 Select Ethernet built-in from the Connect via listClose the TCP/IP Control Panel Macintosh OS Check your TCP/IP properties in the Network windowSelect Built-in Ethernet from the Show list Page Ad-hoc Wireless LAN Configuration Appendix F Wireless LAN and IeeeBenefits of a Wireless LAN Ieee Infrastructure Wireless LAN Configuration Diagram F-1 Peer-to-Peer Communication in an Ad-hoc Network Diagram F-2 ESS Provides Campus-Wide Coverage Page Security Flaws with Ieee Appendix G Wireless LAN With IeeeDeployment Issues with Ieee Advantages of the Ieee Diagram G-1 Sequences for EAP MD5-Challenge Authentication EAP-MD5 Message-Digest Algorithm Appendix H Types of EAP AuthenticationEAP-TTLS Tunneled Transport Layer Service EAP-TLS Transport Layer Security Certificate Server Difficulty Wireless SecurityCertificate Client Dynamic Key Antenna Characteristics Appendix Antenna Selection and Positioning RecommendationTypes of Antennas For Wlan Positioning Antennas Appendix J Brute-Force Password Guessing Protection Chart 6 Brute-Force Password Guessing Protection CommandsExample Page Triangle Route Solutions Ideal SetupTriangle Route Problem Appendix K Triangle Route Diagram K-4 Gateways on the WAN Side How To Configure Triangle RouteDiagram K-3 IP Alias Gateways on the WAN Side Appendix L Index BSS Ibss See NAT See Ttls Wlan