NWA3550-N - Access Point ZYXEL - Free user manual and instructions

USER MANUAL NWA3550-N ZYXEL

Wireless N Business WLAN 3000 Series Access Point

User's Guide

NWA3560-N: 802.11 a/b/g/n Dual-Radio Business Access Point (Indoor)

NWA3160-N: 802.11 a/b/g/n Business Access Point (Indoor)

NWA3550-N: 802.11 a/b/g/n Dual-Radio Outdoor Business Access Point (Outdoor)

Default Login Details

IP Address https://192.168.1.2

User Name admin

Password 1234

Version 2.23

Edition 1, 7/2011

www.zyxel.com

ZyXEL

About This User's Guide

Intended Audience

This manual is intended for people who want to configure a device using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.

Related Documentation

• Quick Start Guide
  The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.

• Support Disc

Refer to the included CD for support documents.

• Z y X E L W e b S i t e

Please refer to www.zyxel.com for additional support documentation and product certifications.

User Guide Feedback

Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!

The Technical Writing Team,

ZyXEL Communications Corp.

E-mail: techwriters@zyxel.com.tw

Document Conventions

Warnings and Notes

These are how warnings and notes are shown in this User's Guide.

Warnings tell you about things that could harm you or your device.

Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions

• The product in this book may be referred to as the “device”, the “device”, the “AP”, or the “system” in this User’s Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the "enter" or "return" key on your keyboard.
• “Enter” means for you to type one or more characters and then press the [ENTER] key. “Select” or “choose” means for you to use one of the predefined choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Status > Show Statistics means you first click Maintenance in the navigation panel, then the Status sub menu and finally the Show Statistics button to get to that screen.
• Units of measurement may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
• Screens reproduced here for demonstration purposes may not exactly match the screens on your device.

Icons Used in Figures

Figures in this User's Guide may use the following generic icons. The device icon is not an exact representation of your device.

device Computer Notebook	computer
Server Printer Firewall
Telephone Switch Router

Safety Warnings

• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• ONLY qualified service personnel should service or disassemble this device.
• Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
  • Always disconnect all cables from this device before servicing or disassembling.
• Use ONLY an appropriate power adaptor or cord for your device.
• Connect the power adaptor or cord to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the power outlet.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
• “Not to remove the plug and plug into a wall outlet by itself; always attach the plug to the power supply first before insert into the wall.”
• (In other words, do NOT remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.)
• Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
• If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
• The PoE (Power over Ethernet) devices that supply or receive power and their connected Ethernet cables must all be completely indoors.
• The indoors versions of this product are for indoor use only (utilisation intérieure exclusivement).

This product is recyclable. Dispose of it properly.

Contents Overview

User's Guide 17

Introduction 19

The Web Configurator 27

Configuration Basics 43

Tutorials 49

Technical Reference 67

Dashboard 69

Monitor 75

Management Mode 93

LAN Setting 97

Wireless 101

Device HA 117

User 127

AP Profile 135

MON Profile 151

Certificates 157

System 175

Log and Report 205

File Manager 219

Diagnostics 229

Reboot 237

Shutdown 239

Troubleshooting 241

Product Specifications 251

Table of Contents

About This User's Guide....3

Document Conventions 4

Safety Warnings....6

Contents Overview 7

Table of Contents 9

Part I: User's Guide ...... 17

Chapter 1 Introduction....19

1.1 Overview 19

1.2 Applications for the device .... 20

1.2.1 AP + Bridge 20

1.2.2 MBSSID 21

1.3 Management Mode 22

1.4 Ways to Manage the device 22

1.5 Good Habits for Managing the device ....23

1.6 Hardware Connections ......24

1.7 LEDs 25

1.8 Starting and Stopping the device ....26

Chapter 2 The Web Configurator .... 27

2.1 Overview 27

2.2 Access 27

2.3 The Main Screen 29

2.3.1 Title Bar 29

2.3.2 Navigation Panel 30

2.3.3 Warning Messages 33

2.3.4 Site Map 33

2.3.5 Object Reference 33

2.3.6 Tables and Lists ....39

Chapter 3 Configuration Basics....43

3.1 Overview 43
3.2 Object-based Configuration ......43
3.3 Feature Configuration Overview 43

3.3.1 Feature 43
3.3.2 MGNT Mode 44
3.3.3 LAN Setting 44
3.3.4 Wireless 44
3.3.5 Device HA 44

3.4 Objects 45

3.4.1 User 45
3.4.2 AP Profile 45
3.4.3 MON Profile 46

3.5 System 46

3.5.1 WWW, SSH, TELNET, FTP, SNMP, and Auth. Server 46
3.5.2 Logs and Reports ......46
3.5.3 File Manager 46
3.5.4 Diagnostics 47
3.5.5 Shutdown 47

Chapter 4 Tutorials......49

4.1 Sample Network Setup ....49

4.1.1 Set the Management Modes 50
4.1.2 Set the LAN IP Address and Management VLAN (vlan99) 51
4.1.3 Set Up Wireless User Authentication 52
4.1.4 Create the AP Profiles (staff, guest) 54

4.2 Rogue AP Detection 57
4.2.1 Rogue AP Containment 61
4.3 Load Balancing 63
4.4 Dynamic Channel Selection 64

Part II: Technical Reference....67

Chapter 5 Dashboard....69

5.1 Overview 69

5.1.1 What You Can Do in this Chapter 69

5.2 Dashboard 69

5.2.1 CPU Usage 73
5.2.2 Memory Usage 74

Chapter 6

Monitor....75

6.1 Overview 75
6.1.1 What You Can Do in this Chapter ....75

6.2 What You Need to Know ....75

6.3 LAN Status 76

6.3.1 LAN Status Graph 78

6.4 AP List 79

6.4.1 Station Count of AP 80

6.5 Radio List 81

6.5.1 AP Mode Radio Information 82

6.6 Station List 84

6.7 Rogue AP 84

6.8 Legacy Device Info 85

6.8.1 Legacy Device Info Add or Edit 86

6.9 View Log 87

6.10 View AP Log 90

Chapter 7

Management Mode 93

7.1 Overview 93

7.2 About CAPWAP 93

7.2.1 CAPWAP Discovery and Management ....93

7.2.2 Managed AP Finds the Controller 94

7.2.3 CAPWAP and IP Subnets 94

7.2.4 Notes on CAPWAP 95

7.3 The Management Mode Screen 95

Chapter 8

LAN Setting 97

8.1 LAN Setting Overview 97

8.1.1 What You Can Do in this Chapter .....97

8.1.2 What You Need to Know 97

8.2 LAN Setting 98

8.2.1 Add or Edit a DNS Setting 100

Chapter 9

Wireless 101

9.1 Overview ...... 101

9.1.1 What You Can Do in this Chapter 101

9.1.2 What You Need to Know 101

9.2 Controller 102

9.3 AP Management 102

9.3.1 Edit AP List 104

9.4 MON Mode 105

9.4.1 Add/Edit Rogue/Friendly List 107

9.5 Load Balancing 108

9.5.1 Disassociating and Delaying Connections 109

9.6 DCS 111

9.7 Technical Reference 113

Chapter 10

Device HA 117

10.1 Overview 117

10.1.1 What You Can Do in this Chapter 117

10.1.2 What You Need to Know 117

10.1.3 Before You Begin 118

10.2 Device HA General 118

10.3 Active-Passive Mode 120

10.3.1 Edit Monitored Interface ...... 123

10.4 Technical Reference 123

Chapter 11

User 127

11.1 Overview 127

11.1.1 What You Can Do in this Chapter 127

11.1.2 What You Need To Know 127

11.2 User Summary 128

11.2.1 Add/Edit User 128

11.3 Setting 130

11.3.1 Edit User Authentication Timeout Settings 132

Chapter 12

AP Profile....135

12.1 Overview 135

12.1.1 What You Can Do in this Chapter 135

12.1.2 What You Need To Know 135

12.2 Radio 136

12.2.1 Add/Edit Radio Profile 138

12.3 SSID 142

12.3.1 SSID List 142

12.3.2 Security List 144

12.3.3 MAC Filter List 147

Chapter 13

MON Profile 151

13.1 Overview 151

13.1.1 What You Can Do in this Chapter 151

13.1.2 What You Need To Know 151

13.2 MON Profile 152

13.2.1 Add/Edit MON Profile 153

13.3 Technical Reference ...... 154

Chapter 14

Certificates 157

14.1 Overview ...... 157

14.1.1 What You Can Do in this Chapter 157

14.1.2 What You Need to Know .... 157

14.1.3 Verifying a Certificate 159

14.2 My Certificates 160

14.2.1 Add My Certificates 162

14.2.2 Edit My Certificates ...... 165

14.2.3 Import Certificates 167

14.3 Trusted Certificates ...... 168

14.3.1 Edit Trusted Certificates ...... 170

14.3.2 Import Trusted Certificates ...... 173

14.4 Technical Reference 173

Chapter 15

System 175

15.1 Overview 175

15.1.1 What You Can Do in this Chapter 175

15.2 Host Name 176

15.3 Date and Time 176

15.3.1 Pre-defined NTP Time Servers List 179

15.3.2 Time Server Synchronization 179

15.4 Console Speed 180

15.5 WWW Overview 181

15.5.1 Service Access Limitations .... 181

15.5.2 System Timeout .... 181

15.5.3 HTTPS 181

15.5.4 Configuring WWW Service Control 182

15.5.5 HTTPS Example 183

15.6 SSH 190

15.6.1 How SSH Works .... 191

15.6.2 SSH Implementation on the device 192

15.6.3 Requirements for Using SSH 192

15.6.4 Configuring SSH 192

15.6.5 Examples of Secure Telnet Using SSH 193

15.7 Telnet 195
15.8 FTP 195
15.9 SNMP 196

15.9.1 Supported MIBs 198
15.9.2 SNMP Traps 198
15.9.3 Configuring SNMP 198
15.9.4 Adding or Editing an SNMPv3 User Profile 200

15.10 Internal RADIUS Server 200

15.10.1 Configuring the Internal RADIUS Server 201
15.10.2 Adding or Editing a Trusted AP Profile 203

15.11 Technical Reference 204

Chapter 16

Log and Report 205

16.1 Overview ......205
16.1.1 What You Can Do In this Chapter 205
16.2 Email Daily Report ....205
16.3 Log Setting 207

16.3.1 Log Setting Summary ......208
16.3.2 Edit Log Settings 210
16.3.3 Edit Remote Server 213
16.3.4 Active Log Summary 214

Chapter 17

File Manager....219

17.1 Overview ......219

17.1.1 What You Can Do in this Chapter 219
17.1.2 What you Need to Know 219

17.2 Configuration File 220
17.3 Firmware Package 224
17.4 Shell Script 226

Chapter 18

Diagnostics 229

18.1 Overview 229
18.1.1 What You Can Do in this Chapter 229
18.2 Diagnostics 229
18.3 Packet Capture 230

18.3.1 Packet Capture Files 232
18.3.2 Example of Viewing a Packet Capture File 232

18.4 Wireless Frame Capture 233

18.4.1 Wireless Frame Capture Files 235

Chapter 19

Reboot 237

19.1 Overview ...... 237
19.1.1 What You Need To Know ....237
19.2 Reboot 237

Chapter 20

Shutdown....239

20.1 Overview ...... 239
20.1.1 What You Need To Know 239
20.2 Shutdown 239

Chapter 21

Troubleshooting....241

21.1 Overview 241
21.2 Power, Hardware Connections, and LEDs 241
21.3 device Access and Login 242
21.4 Internet Access 244
21.5 Wireless AP Troubleshooting ....245
21.6 Resetting the device 249
21.7 Getting More Troubleshooting Help 249

Chapter 22

Product Specifications....251

22.1 Wall-Mounting Instructions ......253

Appendix A Log Descriptions....255
Appendix B Importing Certificates 273
Appendix C Wireless LANs....287
Appendix D Open Software Announcements 299
Appendix E Legal Information....343
Index 351

PART I

User's Guide

1.1 Overview

Your device's business-class reliability, SMB features, and centralized wireless management make it ideally suited for advanced service delivery in mission-critical networks. The device provides secure mobility across the 2.4GHz and 5GHz spectrums and the IEEE 802.11n standard's high bandwidth to support high-performance applications. It uses Multiple BSSID and VLAN to provide up to eight simultaneous independent virtual APs. Additionally, innovations in roaming technology and QoS features eliminate voice call disruptions. It can serve as an AP, Bridge or even as an RF monitor to search for rouge APs to help eliminate network threats.

The device controls network access with Media Access Control (MAC) address filtering, rogue Access Point (AP) detection and containment, and an internal authentication server. It also provides a high level of network traffic security, supporting IEEE 802.1x, Wi-Fi Protected Access (WPA), WPA2 and Wired Equivalent Privacy (WEP) data encryption.

A device can manage up to 24 other devices on your network. Configuration profiles let you easily use different WLAN and security settings for various virtual and managed APs.

Your device is easy to install, configure and use. The embedded Web-based configurator enables simple, straightforward management and maintenance. See the Quick Start Guide for how to make hardware connections.

1.2 Applications for the device

The device can be configured to use the following operating modes

- A P + B r i d g e
- M B S S I D 

Applications for each operating mode are shown below.

Note: A different channel should be configured for each WLAN interface to reduce the effects of radio interference.

1.2.1 AP + Bridge

In AP + Bridge mode, the device supports both AP and bridge connection at the same time.

In the figure below, A and B use X as an AP to access the wired network, while X and Y communicate in bridge mode.

When the device is in AP + Bridge mode, security between APs (WDS) is independent of the security between the wireless stations and the AP. If you do not enable WDS security, traffic between APs is not encrypted. When WDS security is enabled, both APs must use the same pre-shared key.

Unless specified, the term “security settings” refers to the traffic between the wireless stations and the device.

Figure 1 AP + Bridge Application

graph TD
    subgraph Ethernet 1
        A["Computer"] -->|Ethernet 1| B["Device"]
        C["Printer"] -->|Ethernet 1| B
        D["Computer"] -->|Ethernet 1| B
    end
    subgraph Devices
        E["Computer"] -->|Ethernet 1| F["Device"]
        G["Printer"] -->|Ethernet 1| F
        H["Computer"] -->|Ethernet 1| F
        I["Computer"] -->|Ethernet 1| F
    end
    subgraph Wireless Circuits
        J["A"] --> K["B"]
        L["Y"] --> M["Y"]
    end

1.2.2 MBSSID

A Basic Service Set (BSS) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). The Service Set Identifier (SSID) is the name of a BSS. In Multiple BSS (MBSSID) mode, the device provides multiple virtual APs, each forming its own BSS and using its own individual SSID profile.

You can assign different wireless and security settings to each SSID profile. This allows you to compartmentalize groups of users, set varying access privileges, and prioritize network traffic to and from certain BSSs.

To the wireless clients in the network, each SSID appears to be a different access point. As in any wireless network, clients can associate only with the SSIDs for which they have the correct security settings.

See Section 4.1 on page 49 for an example of using MBSS.

1.3 Management Mode

One device uses Control And Provisioning of Wireless Access Points (CAPWAP, see RFC 5415) to allow one AP to configure and manage up to 24 others. This centralized management can greatly reduce the effort of setting up and maintaining multiple devices.

An device in this group (ZLD-based models) can manage other APs in this group ^1 .

• NWA3160-N
• NWA3550-N
• NWA3560-N

It can also use legacy device information hyper-links to connect to the Web Configurators of the following ZyNOS-based NWA-3000 series APs:

• NWA-3160
• NWA-3163
• NWA-3500
• NWA-3550
• NWA-3166

The following figure illustrates a CAPWAP wireless network. The user (U) configures the controller AP (C), which then automatically updates the configurations of the managed APs (M1 \~ M4).

Figure 2 CAPWAP Network Example

graph TD
    U["User"] --> Switch["Switch"]
    Switch --> M1["M1"]
    Switch --> M2["M2"]
    Switch --> M3["M3"]
    Switch --> M4["M4"]
    M1 --> C["C"]
    M2 --> C
    M3 --> C
    M4 --> C
    C -->|Red Arrow| Switch
    Switch -->|Red Arrow| M1
    Switch -->|Red Arrow| M2
    Switch -->|Red Arrow| M3
    Switch -->|Red Arrow| M4

1.4 Ways to Manage the device

You can use the following ways to manage the device.

Web Configurator

The Web Configurator allows easy device setup and management using an Internet browser. This User's Guide provides information about the Web Configurator.

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the device. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information.

Console Port

You can use the console port to manage the device using CLI commands. See the Command Reference Guide for more information about the CLI. The default settings for the console port are as follows.

Table 1 Console Port Default Settings

File Transfer Protocol (FTP)

This protocol can be used for firmware upgrades and configuration backup and restore.

Simple Network Management Protocol (SNMP)

The device can be monitored by an SNMP manager. See the SNMP chapter in this User's Guide.

Controller

Set one device to be a controller and set other devices to be managed by it.

1.5 Good Habits for Managing the device

Do the following things regularly to make the device more secure and to manage it more effectively.

• Change the password often. Use a password that's not easy to guess and that consists of different types of characters, such as numbers and letters.
• Write down the password and put it in a safe place.

- Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the device to its factory default settings. If you backed up an earlier configuration file, you won't have to totally re-configure the device; you can simply restore your last configuration.

1.6 Hardware Connections

See your Quick Start Guide for information on making hardware connections.

1.7 LEDs

The following are the LED descriptions for your device.

Figure 3 LEDs

Table 2 LEDs

1.8 Starting and Stopping the device

Here are some of the ways to start and stop the device.

Always use Maintenance > Shutdown or the shutdown command before you turn off the device or remove the power. Not doing so can cause the firmware to become corrupt.

Table 3 Starting and Stopping the device

The device does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources.

The Web Configurator

2.1 Overview

The device Web Configurator allows easy management using an Internet browser.

In order to use the Web Configurator, you must:

• Use Internet Explorer 7.0 and later or Firefox 1.5 and later
• Allow pop-up windows
• Enable JavaScript (enabled by default)
• Enable Java permissions (enabled by default)
• Enable cookies

The recommended screen resolution is 1024 x 768 pixels and higher.

2.2 Access

1 Make sure your device hardware is properly connected. See the Quick Start Guide.

2 Browse to https://192.168.1.2. The Login screen appears.

3 Enter the user name (default: "admin") and password (default: "1234").

4 Click Login. If you logged in using the default user name and password, the Update Admin Info screen appears. Otherwise, the dashboard appears.

This screen appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore.

2.3 The Main Screen

The Web Configurator's main screen is divided into these parts:

Figure 4 The Web Configurator's Main Screen

• A - Title Bar
• B - Navigation Panel
- C - Main Window

2.3.1 Title Bar

The title bar provides some useful links that always appear over the screens below, regardless of how deep into the Web Configurator you navigate.

Figure 5 Title Bar

The icons provide the following functions.

Table 4 Title Bar: Web Configurator Icons

2.3.2 Navigation Panel

Use the menu items on the navigation panel to open screens to configure device features. Click the arrow in the middle of the right edge of the navigation panel to hide the navigation panel menus or drag it to resize them. The following sections introduce the device's navigation panel menus and their screens.

Figure 6 Navigation Panel

2.3.2.1 Dashboard

The dashboard displays general device information, system status, system resource usage, and interface status in widgets that you can re-arrange to suit your needs.

For details on the Dashboard's features, see Chapter 5 on page 69.

2.3.2.2 Monitor Menu

The monitor menu screens display status and statistics information.

Table 5 Monitor Menu Screens Summary

2.3.2.3 Configuration Menu

Use the configuration menu screens to configure the device's features.

Table 6 Configuration Menu Screens Summary

2.3.2.4 Maintenance Menu

Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the device.

Table 7 Maintenance Menu Screens Summary

2.3.3 Warning Messages

Warning messages, such as those resulting from misconfiguration, display in a popup window.

Figure 7 Warning Message

2.3.4 Site Map

Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen's link to go to that screen.

Figure 8 Site Map

2.3.5 Object Reference

Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object. The

following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule).

Figure 9 Object Reference

The fields vary with the type of object. The following table describes labels that can appear in this screen.

Table 8 Object References

2.3.5.1 CLI Messages

Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following.

Figure 10 CLI Messages

Click Clear to remove the currently displayed information.

Note: See the Command Reference Guide for information about the commands.

2.3.5.2 Console

The Console allows you to use CLI commands from directly within the Web Configurator rather than having to use a separate terminal program. In addition to logging in directly to the device's CLI, you can also log into other devices on the network through this Console. It uses SSH to establish a connection.

Note: To view the functions in the Web Configurator user interface that correspond directly to specific device CLI commands, use the CLI Messages window (see Section 2.3.5.1 on page 35) in tandem with this one.

Figure 11 Console

The following table describes the elements in this screen.

Table 9 Console

LABEL DESCRIPTION
Command Line	Router> configure terminalRouter(config)#Enter commands for the device that you are currently logged into here. If you are logged into the device, see the CLI Reference Guide for details on using the command line to configure it.
Device IP Address	192.168.1.1:22This is the IP address of the device that you are currently logged into.
Logged-In User	adminThis displays the username of the account currently logged into the device through the Console Window.Note: You can log into the Web Configurator with a different account than used to log into the device through the Console.
Connection Status	This displays the connection status of the account currently logged in.If you are logged in and connected, then this displays 'Connected'.If you lose the connection, get disconnected, or logout, then this displays 'Not Connected'.
Tx/RX Activity Monitor	This displays the current upload / download activity. The faster and more frequently an LED flashes, the faster the data connection.

Before you use the Console, ensure that:

• Your web browser of choice allows pop-up windows from the IP address assigned to your device.
• Your web browser allows Java programs.
• You are using the latest version of the Java program (http://www.java.com).

To login in through the Console:

1 Click the Console button on the Web Configurator title bar.

2 Enter the IP address of the device and click OK.

3 Next, enter the User Name of the account being used to log into your target device and then click OK.

4 You may be prompted to authenticate your account password, depending on the type of device that you are logging into. Enter the password and click OK.

5 If your login is successful, the command line appears and the status bar at the bottom of the Console updates to reflect your connection state.

2.3.6 Tables and Lists

The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries.

2.3.6.1 Manipulating Table Display

Here are some of the ways you can manipulate the Web Configurator tables.

1 Click a column heading to sort the table's entries according to that column's criteria.

2 Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do:

• Sort in ascending alphabetical order
• Sort in descending (reverse) alphabetical order
• Select which columns to display
• Group entries by field
  • Show entries in groups
• Filter by mathematical operators (<, >, or =) or searching for text.

3 Select a column heading cell's right border and drag to re-size the column.

4 Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column's title when you drag the column to a valid new location.

5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.

2.3.6.2 Working with Table Entries

The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.

Table 10 Common Table Icons

Radio Summary

Here are descriptions for the most common table icons.

Table 11 Common Table Icons

2.3.6.3 Working with Lists

When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.

Figure 12 Working with Lists

Configuration Basics

3.1 Overview

This section provides information to help you configure the device effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the device.

3.2 Object-based Configuration

The device stores information or settings as objects. You use these objects to configure many of the device's features and settings. Once you configure an object, you can reuse it in configuring other features.

When you change an object's settings, the device automatically updates all the settings or rules that use the object. For example, if you create a local certificate object, you can have HTTPS, FTP, SSH, and other settings use it. If you modify the local certificate object, all the HTTPS, FTP, SSH, and other settings that are linked to that object automatically apply the updated settings.

You can use the Configuration > Objects screens to create objects before you configure features that use them. If you are in a screen that uses objects, you can also usually select Create new Object to be able to configure a new object.

Use the Object Reference screen to see what objects are configured and which configuration settings reference specific objects.

3.3 Feature Configuration Overview

This section provides information about configuring the main features in the device. The features are listed in the same sequence as the menu item(s) in the Web Configurator. Each feature description is organized as shown below.

3.3.1 Feature

This provides a brief description. See the appropriate chapter(s) in this User's Guide for more information about any feature.

Note: PREQUISITES or WHERE USED does not appear if there are no prerequisites or references in other features to this one. For example, no other features reference AP management entries, so there is no WHERE USED entry.

3.3.2 MGNT Mode

Use this screen to set the device to control other devices, work as a standalone AP, or be managed by another device.

3.3.3 LAN Setting

Use this screen to configure the LAN Ethernet interface including VLAN settings.

3.3.4 Wireless

Use these screens to manage your wireless Access Points.

3.3.5 Device HA

To increase network reliability, device HA lets a backup device automatically take over if a master device fails. Device HA is available when the device is in controller mode.

3.4 Objects

Objects store information and are referenced by other features. If you update this information in response to changes, the device automatically propagates the change through the features that use the object. Select an object (such as a user) and then click Object Reference at the top of the list box where the object appears in order to display basic information about it.

The following table introduces the objects. You can also use this table when you want to delete an object because you have to delete references to the object first.

Table 12 Objects Overview

3.4.1 User

Use these screens to configure the device's administrator and user accounts. The device provides the following user types.

Table 13 User Types

3.4.2 AP Profile

Use these screens to configure preset profiles for the Access Points (APs) connected to your device's wireless network.

Table 14 AP Profile Types

3.4.3 MON Profile

Use these screens to set up monitor mode configurations that allow your connected APs to scan for other wireless devices in the vicinity.

Table 15 MON Profile Types

TYPE ABILITIES

Monitor Create monitor mode configurations that can be used by the APs to periodically listen to a specified channel or number of channels for other wireless devices broadcasting on the 802.11 frequencies.

3.5 System

This section introduces some of the management features in the device. Use Host Name to configure the system and domain name for the device. Use Date/ Time to configure the current date, time, and time zone in the device. Use Console Speed to set the console speed. Use Language to select a language for the Web Configurator screens.

3.5.1 WWW, SSH, TELNET, FTP, SNMP, and Auth. Server

Use these screens to set which services or protocols can be used to access the device.

3.5.2 Logs and Reports

The device provides a system log, offers two e-mail profiles to which to send log messages, and sends information to four syslog servers. It can also e-mail you statistical reports on a daily basis.

3.5.3 File Manager

Use these screens to upload, download, delete, or run scripts of CLI commands. You can manage:

• Configuration files. Use configuration files to back up and restore the complete configuration of the device. You can store multiple configuration files in the device and switch between them without restarting.
• Shell scripts. Use shell scripts to run a series of CLI commands. These are useful for large, repetitive configuration changes and for troubleshooting.

You can edit configuration files and shell scripts in any text editor.

3.5.4 Diagnostics

The device can generate a file containing the device's configuration and diagnostic information. It can also capture packets going through the device's interfaces so you can analyze them to identify network problems

3.5.5 Shutdown

Use this to shutdown the device in preparation for disconnecting the power.

Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the device or remove the power. Not doing so can cause the firmware to become corrupt.

4.1 Sample Network Setup

This tutorial shows you how to use CAPWAP to have one device control other devices to create a wireless network that allows two types of connections: staff and guest. Staff connections have full access to the network, while guests are limited to Internet access (DNS, HTTP and HTTPS services).

Figure 13 Tutorial Network Topology

graph TD
    Server1["Server 1"] -->|VLAN 199| RouterC["VRouter C"]
    Server2["Server 2"] -->|VLAN 199| RouterC
    Server3["Server 3 10.1.199.250"] -->|VLAN 199| RouterC
    RouterC -->|VLAN 99| RouterD["VRouter D"]
    RouterC -->|VLAN 99| RouterE["VRouter E"]
    RouterD -->|SSID: staff| RouterF["Server F"]
    RouterE -->|SSID: guest| RouterG["Server G"]
    RouterF -->|VLAN 99: 10.10.99.10/24| RouterH["Server H"]
    RouterG -->|VLAN 99: 10.1.101.254/24| RouterI["Server I"]
    RouterG -->|VLAN 99: 10.1.102.254/24| RouterJ["Server J"]
    RouterG -->|VLAN 99: 10.1.199.254/24| RouterK["Server K"]

Requirements: A DHCP server (A) with Option 138, an AD server, a switch (B) that supports 802.1q, a Layer-3 routing device and a firewall (C).

Note: In this topology the firewall, such as a ZyWALL, controls what services traffic from different VLANs can use.

The following VLAN settings are used in this tutorial:

Table 16 Tutorial Topology Summary

Figure 14 Tutorial Guest VLAN Example

graph TD
    A["Server 1"] --> B["Controller"]
    C["Server 2"] --> B
    D["Server 3"] --> B
    B --> E["VLAN 102"]
    E --> F["INTERNET"]
    F --> G["controller"]
    G --> H["Managed APs"]
    H --> I["VLAN 102"]
    J["Computer"] --> K["SSID: staff"]
    L["SSID: guest"] --> M["SSID: staff"]
    N["Internet"] --> O["vlan 102"]

In this example, the guest VLAN (102) can only access the Internet while the staff VLAN (101) has access to all aspects of the network.

4.1.1 Set the Management Modes

Use this section to set the management modes for the controller and managed APs.

4.1.1.1 Controller

1 Use the Configuration > MGNT MODE screen to set the device to controller mode.

2 The device resets to its default settings for the controller mode including the IP address of 192.168.1.2 and restarts. Wait a short while before you attempt to log in again.

4.1.1.2 Managed APs

1 Log into the other devices and use the Configuration > MGNT MODE screen to set them to be the managed APs using the Auto IP address option so they obtain the controller's IP address from the DHCP server.

2 Now you can no longer log into the web configurator of the managed devices; you must manage the device through the controller AP on your network.

4.1.2 Set the LAN IP Address and Management VLAN (vlan99)

This section shows you how to set up the LAN IP address and the VLAN for managing the controller. This is only for network administrators to manage the controller.

1 Open the controller's Configuration > LAN Setting screen.

• IP Address: Enter 10.10.99.10.
- Subnet Mask: Enter 255.255.255.0.
• Gateway: Enter 10.10.99.10.
- Management VLAN ID: Enter '99' as the VLAN ID tag.
- Click Apply to save these changes.

2 Configure your DHCP server with the controller's IP address configured as option 138 so the managed devices can get the controller's IP address from it. See Chapter 7 on page 93 for details.

4.1.3 Set Up Wireless User Authentication

This section shows you how to set up the controller's internal RADIUS server and user accounts.

Note: If you did not replace the factory default certificate with one that uses your device's MAC address when you first logged into the device, do it now in the Object > Certificate > My Certificates screen.

1 Open the Configuration > System > Auth. Server screen. Turn on the authentication server and select the certificate to use. Click Apply.

2 Open the Configuration > Object > User > User screen and click Add.

3 The Add A User window opens.

3a User Name: Enter 'guest1'.

3b User Type: User

3c Password: Enter 'guest1', and re-enter it in the Retype field to confirm.

3d Click OK to save these settings.

4 Repeat steps 2 and 3 to create accounts for the staff members.

4.1.4 Create the AP Profiles (staff, guest)

This section shows you how to configure the Access Point (AP) profiles that will be used by your APs once they are connected to the network. You will first create a security profile and an SSID profile for staff access, then you will create a second pair for guest access. Finally, you will associate them with a radio profile which is applied to your AP's radio transmitter.

1 Open the Configuration > Object > AP Profile > SSID > Security List screen and then click the Add button.

2 The Add Security Profile window opens.

2a Profile Name: Enter wap2.
2b Security Mode: Select wpa2 from the list of available wireless security encryption methods.
2c Under Security Mode, select 802.1X then set the Radius Server Type to Internal.

2d Click OK.

3 Next, open the Configuration > Object > AP Profile > SSID > SSID List screen and click the Add button.

4 The Add SSID Profile window opens.

4a Profile Name: Enter 'staff'.

4b SSID: Enter 'staff'. This is the wireless network name that appears when wireless clients are looking for networks to join.

4c Security Profile: Select wpa2 from the list. This is the security profile created in step 2.

4d QoS: Select WMM.

4e VLAN ID: Enter '101'.

4f Turn on intra-BSS traffic blocking.

4g Click OK to save these settings.

5 Repeat steps 3 and 4 to create the guest SSID profile with the same settings except 'guest' as the profile name and SSID and 102 for the VLAN ID.

6 Open the Configuration > Object> AP Profile > Radio screen and then double-click the default entry.

7 The Edit Radio Profile window opens.

7a Activate: Select this to make the radio profile active.

7b MBSSID Settings: Select an entry to change it to a drop-down list. Set #1, to the staff SSID profile and #2 to the guest SSID profile. These are the two profiles you created in steps 3 to 5 of this procedure.

7c Click OK to save these settings.

4.2 Rogue AP Detection

Rogue APs are wireless access points interacting with the network managed by the device but which are not under the control of the network administrator. In short, they are a security risk because they circumvent network security policy. AP detection only works when at least 1 AP is configured for Monitor mode.

The following are some suggestions on monitor AP placement:

• Neighboring companies that both support wireless network. If you can detect your neighbor's APs and you know they are 'friendly', you can add them to the friendly exception list.
• Reception areas. If a reception area has a high volume of visitor traffic, it might be useful to see if anyone is setting up their wireless device as an AP.
• High security areas. An AP set to Monitor mode will let you see if anyone sets up an unauthorized AP that could potentially compromise your security.

In this example, an employee illicitly connects his own AP (RG) to the network that the device manages. While not necessarily a malicious act, it can nonetheless have severe security consequences on the network.

Figure 15 Rogue AP Example A

graph TD
    A["Router"] --> B["Router switch"]
    B --> C["RG"]
    B --> D["AP"]
    B --> E["MON"]
    B --> F["AP"]
    C --> G["Laptop"]
    D --> G
    E --> G
    F --> G

Here, an attacker sets up a rogue AP (RG) outside the network, which he uses in an attempt to mimic an device-controlled SSID in order to capture passwords and other information when authorized wireless clients mistakenly connect to it.

Figure 16 Rogue AP Example B

graph TD
    A["AP"] --> B["Router"]
    C["AP"] --> B
    D["MON"] --> B
    E["AP"] --> B
    F["RG"] --> G["Laptop"]
    style F fill:#f9f,stroke:#333
    style G fill:#ccf,stroke:#333
    style_H["Red Devil Icon"] below F
    style_I["Wireless Circle"] above B
    style_J["Wireless Circle"] above C
    style_K["Wireless Circle"] above D
    style_L["Wireless Circle"] above E
    style_M["Wireless Circle"] above H
    style_N["Wireless Circle"] above I
    style_O["Wireless Circle"] above J
    style_P["Wireless Circle"] above K
    style_Q["Wireless Circle"] above L
    style_R["Wireless Circle"] above M
    style_S["Wireless Circle"] above N
    style_T["Wireless Circle"] above O
    style_U["Wireless Circle"] above P
    style_V["Wireless Circle"] above Q
    style_W["Wireless Circle"] above R
    style_X["Wireless Circle"] above M
    style_Y["Wireless Circle"] above N
    style_Z["Wireless Circle"] above L

This tutorial shows you how to detect rogue APs on your network:

1 Click Configuration > Object > MON Profile to open the MON Profile screen and click the Add button.

2 Click the Add button.

When the Add Mon Profile window opens, configure the following:

Activate: Select this to allow your monitor APs to use this profile.

Profile Name: For the purposes of this tutorial set this to 'Monitor01'.

Channel Dwell Time: Leave this as the default 100 milliseconds. This field is the number of milliseconds that the monitor AP scans each channel before moving on to the next.

Scan Channel Mode: Set this to auto to automatically scan channels in the area.

3 Click OK to save your changes.

4 Next, click Configuration > Wireless > AP Management.

5 Select an AP and click Edit.

When the Edit AP List window opens, configure the following:

Radio 1 OP Mode: Set this to MON Mode to turn the AP into a rogue AP monitoring device.

Radio 1 Profile: Select your newly created 'Monitor01' profile from the list.

6 Click OK to save your changes.

See also: Chapter 6 on page 75 and Chapter 13 on page 151.

4.2.1 Rogue AP Containment

When the device discovers a rogue AP within its broadcast radius, it can react in one of two ways: If the rogue AP is connected directly to the network (such as plugged into a switch downstream of the device), then the network administrator must manually disconnect it. The device does not allow the isolation of a rogue AP connected directly to the network.

However, if a rogue AP independent of the device mimics a legitimate one, then the device can interfere with it by broadcasting dummy packets so that it cannot make connections with employee clients and capture data from them.

Figure 17 Containing a Rogue AP

graph TD
    A["Router"] --> B["AP"]
    A --> C["AP"]
    A --> D["AP"]
    A --> E["AP"]
    A --> F["Router"]
    G["Laptop"] --> H["Router"]
    I["X"] -.-> J["Router"]
    style A fill:#f9f,stroke:#333
    style G fill:#ccf,stroke:#333
    style I fill:#cfc,stroke:#333
    style J fill:#fcc,stroke:#333

This tutorial shows you how to quarantine a rogue AP on your network:

1 Click Configuration > Wireless > MON Mode.

2 Click the Add button.

When the Edit Rogue/ Friendly AP List opens, paste the MAC address copied from the other screen in the corresponding field, set its Role as Rogue AP and then click OK to save your changes.

3 The new rogue AP appears in the Rogue/ Friendly AP List.

Select it, then click the Containment button to quarantine it away from the rest of the network.

4.3 Load Balancing

When your AP becomes overloaded, there are two basic responses it can take. The first one is to "delay" a client connection by withholding the connection until the data transfer throughput is lowered or the client connection is picked up by another AP. (If the client isn't picked up after a set period of time, the AP allows it to connect regardless.) The second response is to kick the connections until the AP is no longer considered overloaded. Both of these tactics are known as 'load balancing'.

This tutorial shows you how to configure the device's load balancing feature.

1 Click Configuration > Wireless > Load Balancing.

2 Select Enable Load Balancing to turn on this feature.
3 Set the Mode. If you choose By Station Number, then enter the Max Station Number in the available field. This balances network traffic based on the number of specified stations downstream of the device. If you choose By Traffic Level, then enter the traffic threshold at which the device starts balancing connected stations.
4 Select Disassociate station when overloaded to disconnect stations when the load balancing threshold is crossed. The stations are first disconnected based on how long they have been idle, then secondly based on the weakness of their connection signal strength.
5 Click Apply to save your changes.

See also: Chapter 9 on page 101.

4.4 Dynamic Channel Selection

Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices.

When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel. This can make accessing the network potentially rather difficult for the stations connected to them. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of channel interference.

1 Click Configuration > Wireless > DCS.

2 Select Enable Dynamic Channel Selection to turn on this feature.
3 Set the DCS Time Interval. This is how often the device surveys the other APs within its broadcast radius. If you place your APs in an area with a large number of competing APs, set this number lower to ensure that your device can adjust quickly changing conditions.
4 Select DCS Sensitivity Level. This is how sensitive the APs on your network are to other channels. Generally, as long as the area in which your AP is located has minimal interference from other devices you can set the DCS Sensitivity Level to Low. This means that the AP has a very broad tolerance.
5 Select Enable DCS Client Aware. Select this so that the APs on your network do not change channels as long as any wireless clients are connected to them. When they must change channels, they will wait until all stations disconnect first.
6 Set the 2.4-GHz Channel Selection Method to auto.
7 Select a 2.4 GHz Channel Deployment scheme. Choose Three-Channel Deployment to have the device rotate through 3 channels. Choose Four-Channel Deployment to have the device rotate through 4 channels, if allowed.
8 Click Apply to save your changes.

See also: Chapter 9 on page 101.

PART II

Technical Reference

5.1 Overview

Use the Dashboard screens to check status information about the device.

5.1.1 What You Can Do in this Chapter

- The main Dashboard screen (Section 5.2 on page 69) displays the device's general device information, system status, system resource usage, and interface status. You can also display other status screens for more information.

5.2 Dashboard

This screen is the first thing you see when you log into the device. It also appears every time you click the Dashboard icon in the navigation panel. The Dashboard displays general device

information, system status, system resource usage, and interface status in widgets that you can rearrange to suit your needs. You can also collapse, refresh, and close individual widgets.

Figure 18 Dashboard

The following table describes the labels in this screen.

Table 17 Dashboard

5.2.1 CPU Usage

Use this screen to look at a chart of the device's recent CPU usage. To access this screen, click CPU Usage in the dashboard.

Figure 19 Dashboard > CPU Usage

The following table describes the labels in this screen.

Table 18 Dashboard > CPU Usage

5.2.2 Memory Usage

Use this screen to look at a chart of the device's recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard.

Figure 20 Dashboard > Memory Usage

The following table describes the labels in this screen.

Table 19 Dashboard > Memory Usage

6.1 Overview

Use the Monitor screens to check status and statistics information.

6.1.1 What You Can Do in this Chapter

• The LAN Status screen (Section 6.3 on page 76) displays general LAN interface information and packet statistics.
• The LAN Status Graph screen (Section 6.3.1 on page 78) displays a line graph of packet statistics for the device's physical LAN port.
• The AP List screen (Section 6.4 on page 79) displays which APs are currently connected to the device. This is available when the device is in controller mode.
• The Radio List screen (Section 6.5 on page 81) displays statistics about the wireless radio transmitters in each of the APs connected to the device.
• The Station Info screen (Section 6.6 on page 84) displays information about suspected rogue APs.
• The Rogue AP screen (Section 6.7 on page 84) displays information about suspected rogue APs.
• Use the Legacy Device screens (Section 6.8 on page 85) to connect to legacy APs. This is available when the device is in controller mode.
• The View Log screen (Section 6.9 on page 87) displays the device's current log messages. You can change the way the log is displayed, you can e-mail the log, and you can also clear the log in this screen.
• The View AP Log screen (Section 6.10 on page 90) displays the device's current wireless AP log messages. This is available when the device is in controller mode.

6.2 What You Need to Know

The following terms and concepts may help as you read through the chapter.

Rogue AP

Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can open up holes in a network's security. See Chapter 13 on page 151 for details.

Friendly AP

Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from neighboring networks, for example). See Chapter 13 on page 151 for details.

6.3 LAN Status

Use this screen to look at general LAN interface information and packet statistics. To access this screen, click Monitor > LAN Status.

Figure 21 Monitor > LAN Status

The following table describes the labels in this screen.

Table 20 Monitor > LAN Status

6.3.1 LAN Status Graph

Use the port statistics graph to look at a line graph of packet statistics for the device's physical LAN port. To view, in the LAN Status screen click the Switch to Graphic View button.

Figure 22 Monitor > LAN Status > Switch to Graphic View

The following table describes the labels in this screen.

Table 21 Monitor > LAN Status > Switch to Graphic View

6.4 AP List

Use this screen to view which APs are currently connected to the device. This is available when the device is in controller mode. To access this screen, click Monitor > Wireless > AP Information > AP List.

Figure 23 Monitor > Wireless > AP Information > AP List

The following table describes the labels in this screen.

Table 22 Monitor > Wireless > AP Information > AP List

The following table describes the icons in this screen.

Table 23 Monitor > Wireless > AP List Icons

6.4.1 Station Count of AP

Use this screen to look at station statistics for the connected AP. To access this screen, click the More Information button in the AP List screen.

Figure 24 Monitor > System Status > AP List > More Information

The following table describes the labels in this screen.

Table 24 Monitor > System Status > AP List > More Information

6.5 Radio List

Use this screen to view statistics for the device's wireless radio transmitters when it is in standalone mode or the radios in each of the APs connected to the device when it is in controller mode. To access this screen, click Monitor > Wireless > AP Information > Radio List.

Figure 25 Monitor > Wireless > AP Information > Radio List (Controller Mode)

The following table describes the labels in this screen.

Table 25 Monitor > Wireless > AP Information > Radio List

6.5.1 AP Mode Radio Information

This screen allows you to view a selected radio's MBSSID details, wireless traffic statistics and station count for the preceding 24 hours. To access this window, click the More Information button in the Radio List Statistics screen.

Figure 26 Monitor > Wireless > AP Information > Radio List > More Information

The following table describes the labels in this screen.

Table 26 Monitor > Wireless > AP Information > Radio List > More Information

6.6 Station List

Use this screen to view statistics pertaining to the associated stations (or "wireless clients"). Click Monitor > Wireless > Station Info to access this screen.

Figure 27 Monitor > Wireless > Station Info

The following table describes the labels in this screen.

Table 27 Monitor > Wireless > Station Info

6.7 Rogue AP

Use this screen to view information about suspected rogue APs. Click Monitor > Wireless > Rogue AP > Detected Device to access this screen.

Note: The device or at least one of the APs the device is managing must be set to Monitor mode in order to detect other wireless devices in its vicinity.

Figure 28 Monitor > Wireless > Rogue AP

The following table describes the labels in this screen.

Table 28 Monitor > Wireless > Rogue AP

6.8 Legacy Device Info

When the device is in controller mode you can use this screen to configure and maintain a list of compatible legacy (NWA-3000 series) APs. Use the list to link to their Web Configurators. Click Monitor > Wireless > Rogue AP > Legacy Device Info to access this screen.

Compatible legacy APs:

• NWA-3160
• NWA-3163
• NWA-3500
• NWA-3550
• NWA-3166

Figure 29 Monitor > Wireless > Legacy Device Info

The following table describes the labels in this screen.

Table 29 Monitor > Wireless > Legacy Device Info

6.8.1 Legacy Device Info Add or Edit

Use this screen to configure an entry for linking to a compatible legacy AP's Web Configurator. The legacy AP must also be in controller mode. Click Monitor > Wireless > Rogue AP > Legacy Device Info and then click the Add button or select a radio profile from the list and click the Edit button to access this screen.

Figure 30 Monitor > Wireless > Legacy Device Info > Add

The following table describes the labels in this screen.

Table 30 Monitor > Wireless > Legacy Device Info

6.9 View Log

Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, user). You can also look at the debugging log by selecting Debug Log. All debugging messages have the same priority.

To access this screen, click Monitor > Log. The log is displayed in the following screen.

Note: When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.

• For individual log descriptions, see Appendix A on page 255.
• For the maximum number of log messages in the device, see Chapter 22 on page 251.

Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Figure 31 Monitor > Log > View Log

The following table describes the labels in this screen.

Table 31 Monitor > Log > View Log

The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.

6.10 View AP Log

Use this screen to view a managed AP's log. Click Monitor > Log > View AP Log to access this screen.

Figure 32 Monitor > Log > View AP Log

The following table describes the labels in this screen.

Table 32 Monitor > Log > View AP Log

Management Mode

7.1 Overview

This chapter discusses using the device in management mode, which determines whether the device is used in its default standalone mode, or as part of a Control And Provisioning of Wireless Access Points (CAPWAP) network.

7.2 About CAPWAP

The device supports CAPWAP. This is ZyXEL's implementation of the CAPWAP protocol (RFC 5415).

The CAPWAP dataflow is protected by Datagram Transport Layer Security (DTLS).

The following figure illustrates a CAPWAP wireless network. You (U) configure the AP controller (C), which then automatically updates the configurations of the managed APs (M1 \~ M4).

Figure 33 CAPWAP Network Example

graph TD
    A["Person U"] --> B["DHCP SERVER"]
    B --> C["Router"]
    C --> D["M1"]
    C --> E["M2"]
    C --> F["M3"]
    C --> G["M4"]
    D --> H["Red arrow"]
    E --> I["Red arrow"]
    F --> J["Red arrow"]
    G --> K["Red arrow"]
    H -.-> L["Red dashed arrow"]
    I -.-> L
    J -.-> L
    K -.-> L

Note: The device can be a standalone AP (default), a CAPWAP managed AP, or a CAPWAP AP controller.

7.2.1 CAPWAP Discovery and Management

The link between CAPWAP-enabled access points proceeds as follows:

1 An AP in managed AP mode joins a wired network (receives a dynamic IP address).
2 The AP sends out a discovery request, looking for an AP in CAPWAP AP controller mode.
3 If there is an AP controller on the network, it receives the discovery request. If the AP controller is in Manual mode it adds the details of the AP to its Unmanaged Access Points list, and you decide which available APs to manage. If the AP is in Always Accept mode, it automatically adds the AP to its Managed Access Points list and provides the managed AP with default configuration information, as well as securely transmitting the DTLS pre-shared key. The managed AP is ready for association with wireless clients.

7.2.2 Managed AP Finds the Controller

A managed device can find the controller in one of the following ways:

• Manually specify the controller's IP address using the commands. See the device CLI Reference Guide for details.
• Get the controller's IP address from a DHCP server with the controller's IP address configured as option 138.
• Broadcasting to discover the controller within the broadcast domain.

The AP controller must have a static IP address; it cannot be a DHCP client.

7.2.3 CAPWAP and IP Subnets

By default, CAPWAP works only between devices with IP addresses in the same subnet (see the appendices for information on IP addresses and subnetting).

However, you can configure CAPWAP to operate between devices with IP addresses in different subnets by doing the following.

• Activate DHCP. Your network's DHCP server must support option 138 defined in RFC 5415.
• Configure DHCP option 138 with the IP address of the CAPWAP AP controller on your network.

DHCP Option 138 allows the CAPWAP management request (from the AP in managed AP mode) to reach the AP controller in a different subnet, as shown in the following figure.

Figure 34 CAPWAP and DHCP Option 138

graph TD
    A["AP CONTROLLER (STATIC IP)"] -->|CAPWAP TRAFFIC| B["Switch"]
    C["MANAGED AP"] -->|DHCP SERVER + OPTION 138| B
    B -->|Red Arrow| A

7.2.4 Notes on CAPWAP

This section lists some additional features of ZyXEL's implementation of the CAPWAP protocol.

• When the AP controller uses its internal Remote Authentication Dial In User Service (RADIUS) server, managed APs also use the AP controller's authentication server to authenticate wireless clients.
• If a managed AP's link to the AP controller is broken, the managed AP continues to use the wireless settings with which it was last provided.

7.3 The Management Mode Screen

Use this screen to configure the device as an a controller of managed devices, a standalone AP, or a managed AP.

Note: After you change the operation mode, the device resets to its default settings for the mode you set it to, including the IP address of 192.168.1.2. It also backs up its configuration to a xxx-backup.conf file where xxx denotes the mode the device was previously using.

Click Configuration > MGNT MODE in the device's navigation menu. The following screen displays.

Figure 35 Configuration > MGNT MODE

The following table describes the labels in this screen.

Table 33 Configuration > MGNT MODE

8.1 LAN Setting Overview

Use these screens to configure the device's LAN Ethernet interface including VLAN settings.

8.1.1 What You Can Do in this Chapter

- The LAN Setting screens (Section 8.2 on page 98) manage the LAN Ethernet interface including VLAN settings.

8.1.2 What You Need to Know

DNS Overview

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.

DNS Server Address Assignment

The device can get the DNS server addresses in the following ways.

• The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
• If your ISP dynamically assigns the DNS server IP addresses (along with the device's WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
• You can manually enter the IP addresses of other DNS servers.

8.2 LAN Setting

This screen lists every Ethernet interface. To access this screen, click Configuration > LAN Setting.

Figure 36 Configuration > LAN Setting

Each field is described in the following table.

Table 34 Configuration > LAN Setting

8.2.1 Add or Edit a DNS Setting

Use this screen to configure a DNS server entry for the LAN. Click Configuration > LAN Setting and then click the Add button or select a DNS server entry from the list and click the Edit button to access this screen.

Figure 37 Configuration > LAN Setting > Add

The following table describes the labels in this screen.

Table 35 Configuration > LAN Setting > Add

9.1 Overview

Use the Wireless screens to configure how the device manages the Access Point that are connected to it.

9.1.1 What You Can Do in this Chapter

• The Controller screen (Section 9.2 on page 102) sets how the device allows new APs to connect to the network. This is available when the device is in controller mode.
• The AP Management screen (Section 9.3 on page 102) manages the device's general wireless settings if it is in standalone mode or the general wireless settings of all of the device's managed APs if the device is in controller mode.
• The MON Mode screen (Section 9.4 on page 105) allows you to assign APs either to the rogue AP list or the friendly AP list.
• The Load Balancing screen (Section 9.5 on page 108) configures network traffic load balancing between the APs and the device.
• The DCS screen (Section 9.6 on page 111) configures dynamic radio channel selection.

9.1.2 What You Need to Know

The following terms and concepts may help as you read this chapter.

Station / Wireless Client

A station or wireless client is any wireless-capable device that can connect to an AP using a wireless signal.

Dynamic Channel Selection (DCS)

Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices.

Load Balancing (Wireless)

Wireless load balancing is the process where you limit the number of connections allowed on an wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it so the AP does not become overloaded.

9.2 Controller

Use this screen to set how the device allows new APs to connect to the network. This is available when the device is in controller mode. Click Configuration > Wireless > Controller to access this screen.

Figure 38 Configuration > Wireless > Controller

Each field is described in the following table.

Table 36 Configuration > Wireless > Controller

9.3 AP Management

Use this screen to manage all of the APs connected to the device. Click Configuration > Wireless > AP Management to access this screen. This screen manages the device's general wireless

settings if it is in standalone mode or the general wireless settings of all of the device's managed APs if the device is in controller mode.

Figure 39 Configuration > Wireless > AP Management (Controller Mode)

The following fields display if the Ndevice is in controller mode.

Table 37 Configuration > Wireless > AP Management (Controller Mode)

Figure 40 Configuration > Wireless > AP Management (Standalone Mode)

The following fields display if the Ndevice is in standalone mode.

Table 38 Configuration > Wireless > AP Management (Standalone Mode)

9.3.1 Edit AP List

Select an AP and click the Edit button in the Configuration > Wireless > AP Management table to display this screen. Use this screen to set the managed AP's general wireless settings.

Figure 41 Configuration > Wireless > Edit AP List

Each field is described in the following table.

Table 39 Configuration > Wireless > Edit AP List

9.4 MON Mode

Use this screen to assign APs either to the rogue AP list or the friendly AP list. A rogue AP is a wireless access point operating in a network's coverage area that is not under the control of the network administrator, and which can potentially open up holes in a network's security.

Click Configuration > Wireless > MON Mode to access this screen.

Figure 42 Configuration > Wireless > MON Mode

Each field is described in the following table.

Table 40 Configuration > Wireless > MON Mode

9.4.1 Add/Edit Rogue/Friendly List

Select an AP and click the Edit button in the Configuration > Wireless > MON Mode table to display this screen.

Figure 43 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly

Each field is described in the following table.

Table 41 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly

9.5 Load Balancing

Use this screen to configure wireless network traffic load balancing between the APs on your network. Click Configuration > Wireless > Load Balancing to access this screen.

Figure 44 Configuration > Wireless > Load Balancing

Each field is described in the following table.

Table 42 Configuration > Wireless > Load Balancing

9.5.1 Disassociating and Delaying Connections

When your AP becomes overloaded, there are two basic responses it can take. The first one is to "delay" a client connection. This means that the AP withholds the connection until the data transfer throughput is lowered or the client connection is picked up by another AP. If the client is picked up by another AP then the original AP cannot resume the connection.

For example, here the AP has a balanced bandwidth allotment of 6 Mbps. If laptop R connects and it pushes the AP over its allotment, say to 7 Mbps, then the AP delays the red laptop's connection until it can afford the bandwidth or the laptop is picked up by a different AP with bandwidth to spare.

Figure 45 Delaying a Connection

graph TD
    A["1 Mbps"] -->|6_Mbps["7 Mbps"]| B["2 Mbps"]
    C["2 Mbps"] -->|6_Mbps["7 Mbps"]| D["2 Mbps"]
    E["6 Mbps"] --> F["Hourglass"]
    G["2 Mbps"] --> H["R"]
    I["2 Mbps"] --> J["Hourglass"]

The second response your AP can take is to kick the connections that are pushing it over its balanced bandwidth allotment.

Figure 46 Kicking a Connection

Connections are kicked based on either idle timeout or signal strength. The device first looks to see which devices have been idle the longest, then starts kicking them in order of highest idle time. If no connections are idle, the next criteria the device analyzes is signal strength. Devices with the weakest signal strength are kicked first.

9.6 DCS

Use this screen to configure dynamic radio channel selection. Click Configuration > Wireless > DCS to access this screen.

Figure 47 Configuration > Wireless > DCS

Each field is described in the following table.

Table 43 Configuration > Wireless > DCS

9.7 Technical Reference

The following section contains additional technical information about the features described in this chapter.

Dynamic Channel Selection

When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of interference. Dynamic channel selection frees the network administrator from this task by letting the AP do it automatically. The AP can scan the area around it looking for the channel with the least amount of interference.

In the 2.4 GHz spectrum, each channel from 1 to 13 is broken up into discrete 22 MHz segments that are spaced 5 MHz apart. Channel 1 is centered on 2.412 GHz while channel 13 is centered on 2.472 GHz.

Figure 48 An Example Three-Channel Deployment

Three channels are situated in such a way as to create almost no interference with one another if used exclusively: 1, 6 and 11. When an AP broadcasts on any of these three channels, it should not interfere with neighboring APs as long as they are also limited to same trio.

Figure 49 An Example Four-Channel Deployment

However, some regions require the use of other channels and often use a safety scheme with the following four channels: 1, 4, 7 and 11. While they are situated sufficiently close to both each other and the three so-called "safe" channels (1,6 and 11) that interference becomes inevitable, the severity of it is dependent upon other factors: proximity to the affected AP, signal strength, activity, and so on.

Finally, there is an alternative four channel scheme for ETSI, consisting of channels 1, 5, 9, 13. This offers significantly less overlap that the other one.

Figure 50 An Alternative Four-Channel Deployment

Load Balancing

Because there is a hard upper limit on an AP's wireless bandwidth, load balancing can be crucial in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.

There are two kinds of wireless load balancing available on the device:

Load balancing by station number limits the number of devices allowed to connect to your AP. If you know exactly how many stations you want to let connect, choose this option.

For example, if your company's graphic design team has their own AP and they have 10 computers, you can load balance for 10. Later, if someone from the sales department visits the graphic design team's offices for a meeting and he tries to access the network, his computer's connection is delayed, giving it the opportunity to connect to a different, neighboring AP. If he still connects to the AP regardless of the delay, then the AP may boot other people who are already connected in order to associate with the new connection.

Load balancing by traffic level limits the number of connections to the AP based on maximum bandwidth available. If you are uncertain as to the exact number of wireless connections you will have then choose this option. By setting a maximum bandwidth cap, you allow any number of devices to connect as long as their total bandwidth usage does not exceed the configured bandwidth cap associated with this setting. Once the cap is hit, any new connections are rejected or delayed provided that there are other APs in range.

Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers. The coffee shop owner can't possibly know how many connections his AP will have at any given moment. As such, he decides to put a limit on the bandwidth that is available to his customers but not on the actual number of connections he allows. This means anyone can connect to his wireless network as long as the AP has the bandwidth to spare. If too many people connect and the AP hits its bandwidth cap then all new connections must basically wait for their turn or get shunted to the nearest identical AP.

10.1 Overview

Device HA is available when the device is in controller mode. Device HA lets a backup device (also in controller mode) automatically take over if the master device fails.

Figure 51 Device HA Backup Taking Over for the Master

graph TD
    A["Router A"] --> C["Internet"]
    B["Router B"] --> C["Internet"]
    D["Computer 1"] --> A
    E["Computer 2"] --> A
    F["Computer 3"] --> A
    G["Computer 4"] --> A
    H["Router 5"] --> B
    I["Router 6"] --> B
    J["Router 7"] --> B
    K["Router 8"] --> B
    L["Router 9"] --> B
    M["Router 10"] --> B
    N["Router 11"] --> B
    O["Router 12"] --> B
    P["Router 13"] --> B
    Q["Router 14"] --> B
    R["Router 15"] --> B
    S["Router 16"] --> B
    T["Router 17"] --> B
    U["Router 18"] --> B
    V["Router 19"] --> B
    W["Router 20"] --> B

In this example, device B is the backup for device A in the event something happens to it and prevents it from managing the wireless network.

10.1.1 What You Can Do in this Chapter

• The General screen (Section 10.2 on page 118) configures device HA global settings, and displays the status of each interface monitored by device HA.
• The Active-Passive Mode screens (Section 10.3 on page 120) use active-passive mode device HA. You can configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup devices.

10.1.2 What You Need to Know

The following terms and concepts may help as you read this chapter.

Management Access

You can configure a separate management IP address for each interface. You can use it to access the device for management whether the device is the master or a backup. The management IP address should be in the same subnet as the interface IP address.

Synchronization

Use synchronization to have a backup device copy the master device's configuration, and certificates.

Note: Only devices of the same model and firmware version can synchronize.

Otherwise you must manually configure the master device's settings on the backup (by editing copies of the configuration files in a text editor for example).

10.1.3 Before You Begin

- Configure a static IP address for each interface that you will have device HA monitor.

Note: Subscribe to services on the backup device before synchronizing it with the master device.

10.2 Device HA General

This screen lets you enable or disable device HA, and displays which device HA mode the device is set to use along with a summary of the monitored interfaces. Click Configuration > Device HA > General to display.

Figure 52 Configuration > Device HA > General

The following table describes the labels in this screen.

Table 44 Configuration > Device HA > General

10.3 Active-Passive Mode

The Device HA Active-Passive Mode screen lets you configure general active-passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup devices. To access this screen, click Configuration > Device HA > Active-Passive Mode.

Figure 53 Configuration > Device HA > Active-Passive Mode

The following table describes the labels in this screen.

Table 45 Configuration > Device HA > Active-Passive Mode

10.3.1 Edit Monitored Interface

This screen lets you enable or disable monitoring of an interface and set the interface's management IP address and subnet mask. To access this screen, click Configuration > Device HA > Active-Passive Mode > Edit.

Figure 54 Device HA > Active-Passive Mode > Edit Monitored Interface

The following table describes the labels in this screen.

Table 46 Device HA > Active-Passive Mode > Edit Monitored Interface

10.4 Technical Reference

The following section contains additional technical information about the features described in this chapter.

Virtual Router

The master and backup device form a single 'virtual router'. In the following example, master device A and backup device B form a virtual router.

Figure 55 Virtual Router

graph TD
    A["Server 1"] --> R["Router"]
    B["Server 2"] --> R
    C["Server 3"] --> R
    R --> D["Server 2"]
    R --> E["Server 3"]
    D --> F["INTERNET Cloud"]
    E --> F

Cluster ID

You can have multiple device virtual routers on your network. Use a different cluster ID to identify each virtual router. In the following example, devices A and B form a virtual router that uses cluster ID 1. devices C and D form a virtual router that uses cluster ID 2.

Figure 56 Cluster IDs for Multiple Virtual Routers

graph TD
    A["Computer 1"] --> R["Router"]
    B["Computer 2"] --> R
    C["Computer 3"] --> R
    D["Computer 4"] --> R
    R --> E["Internet Cloud"]
    A --> F["A"]
    B --> G["B"]
    C --> H["C"]
    D --> I["D"]
    F --> J["1"]
    G --> K["2"]
    H --> L["2"]
    I --> M["2"]

Monitored Interfaces in Active-Passive Mode Device HA

You can select which interfaces device HA monitors. If a monitored interface on the device loses its connection, device HA has the backup device take over.

Enable monitoring for the same interfaces on the master and backup devices. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master device.

Virtual Router and Management IP Addresses

• If a backup takes over for the master, it uses the master's IP addresses. These IP addresses are known as the virtual router IP addresses.
  • Each interface can also have a management IP address. You can connect to this IP address to manage the device regardless of whether it is the master or the backup.

For example, device B takes over A's 192.168.1.2 LAN interface IP address. This is a virtual router IP address. device A keeps it's LAN management IP address of 192.168.1.5 and device B has its own LAN management IP address of 192.168.1.6. These do not change when device B becomes the master.

11.1 Overview

This chapter describes how to set up user accounts and user settings for the device. You can also set up rules that control when users have to log in to the device before the device routes traffic for them.

11.1.1 What You Can Do in this Chapter

• The User screen (see Section 11.2 on page 128) provides a summary of all user accounts.
• The Setting screen (see Section 11.3 on page 130) controls default settings, login settings, lockout settings, and other user settings for the device. You can also use this screen to specify when users must log in to the device before it routes traffic for them.

11.1.2 What You Need To Know

The following terms and concepts may help as you read this chapter.

User Account

A user account defines the privileges of a user logged into the device. User accounts are used in controlling access to configuration and services in the device.

User Types

These are the types of user accounts the device uses.

Table 47 Types of User Accounts

Note: The default admin account is always authenticated locally, regardless of the authentication method setting.

11.2 User Summary

The User screen provides a summary of all user accounts. To access this screen click Configuration > Object > User.

Figure 57 Configuration > Object > User

The following table describes the labels in this screen.

Table 48 Configuration > Object > User

11.2.1 Add/Edit User

The User Add/ Edit screen allows you to create a new user account or edit an existing one.

11.2.1.1 Rules for User Names

Enter a user name from 1 to 31 characters.

The user name can only contain the following characters:

- Alphanumeric A-z 0-9 (there is no unicode support)

• _ [underscores]
• [dashes]

The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:

• User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings used for 'BOB' not 'bob'.
• User names have to be different than user group names.
  • Here are the reserved user names:

To access this screen, go to the User screen, and click Add or Edit.

Figure 58 Configuration > User > User > Add/Edit A User

The following table describes the labels in this screen.

Table 49 Configuration > User > User > Add/Edit A User

11.3 Setting

This screen controls default settings, login settings, lockout settings, and other user settings for the device. You can also use this screen to specify when users must log in to the device before it routes traffic for them.

To access this screen, login to the Web Configurator, and click Configuration > Object > User > Setting.

Figure 59 Configuration > Object > User > Setting

The following table describes the labels in this screen.

Table 50 Configuration > Object > User > Setting

11.3.1 Edit User Authentication Timeout Settings

This screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings.

To access this screen, go to the Configuration > Object > User > Setting screen, and click one of the Default Authentication Timeout Settings section's Edit icons.

Figure 60 User > Setting > Edit User Authentication Timeout Settings

The following table describes the labels in this screen.

Table 51 User > Setting > Edit User Authentication Timeout Settings

12.1 Overview

This chapter shows you how to configure preset profiles for the Access Points (APs) connected to your device's wireless network.

12.1.1 What You Can Do in this Chapter

• The Radio screen (Section 12.2 on page 136) creates radio configurations that can be used by the APs.
• The SSI D screen (Section 12.3 on page 142) configures three different types of profiles for your networked APs.

12.1.2 What You Need To Know

The following terms and concepts may help as you read this chapter.

Wireless Profiles

At the heart of all wireless AP configurations on the device are profiles. A profile represents a group of saved settings that you can use across any number of connected APs. You can set up the following wireless profile types:

• Radio - This profile type defines the properties of an AP's radio transmitter. You can have a maximum of 32 radio profiles on the device.
• SSID - This profile type defines the properties of a single wireless network signal broadcast by an AP. Each radio on a single AP can broadcast up to 8 SSIDs. You can have a maximum of 32 SSID profiles on the device.
• Security - This profile type defines the security settings used by a single SSID. It controls the encryption method required for a wireless client to associate itself with the SSID. You can have a maximum of 32 security profiles on the device.
• MAC Filtering - This profile provides an additional layer of security for an SSID, allowing you to block access or allow access to that SSID based on wireless client MAC addresses. If a client's MAC address is on the list, then it is either allowed or denied, depending on how you set up the MAC Filter profile. You can have a maximum of 32 MAC filtering profiles on the device.

SSID

The SSID (Service Set Identifier) is the name that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In other words, it is the name of the wireless network that clients use to connect to it.

WEP

WEP (Wired Equivalent Privacy) encryption scrambles all data packets transmitted between the AP and the wireless stations associated with it in order to keep network communications private. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption.

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA(2) and WEP are improved data encryption and user authentication.

IEEE 802.1x

The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication is done using an external RADIUS server.

12.2 Radio

This screen allows you to create radio profiles for the APs on your network. A radio profile is a list of settings that an device AP can use to configure either one of its two radio transmitters. To access this screen click Configuration > Object > AP Profile.

Note: You can have a maximum of 32 radio profiles on the device.

Figure 61 Configuration > Object > AP Profile > Radio

The following table describes the labels in this screen.

Table 52 Configuration > Object > AP Profile > Radio

12.2.1 Add/Edit Radio Profile

This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button.

Figure 62 Configuration > Object > AP Profile > Add/Edit Profile (Standalone Mode)

The following table describes the labels in this screen.

Table 53 Configuration > Object > AP Profile > Add/Edit Profile

12.3 SSID

The SSID screens allow you to configure three different types of profiles for your networked APs: an SSID list, which can assign specific SSID configurations to your APs; a security list, which can assign specific encryption methods to the APs when allowing wireless clients to connect to them; and a MAC filter list, which can limit connections to an AP based on wireless clients MAC addresses.

12.3.1 SSID List

This screen allows you to create and manage SSID configurations that can be used by the APs. An SSID, or Service Set IDentifier, is basically the name of the wireless network to which a wireless client can connect. The SSID appears as readable text to any device capable of scanning for wireless frequencies (such as the WiFi adapter in a laptop), and is displayed as the wireless network name when a person makes a connection to it.

To access this screen click Configuration > Object > AP Profile > SSID.

Note: You can have a maximum of 32 SSID profiles on the device.

Figure 63 Configuration > Object > AP Profile > SSID List

The following table describes the labels in this screen.

Table 54 Configuration > Object > AP Profile > SSID List

12.3.1.1 Add/Edit SSID Profile

This screen allows you to create a new SSID profile or edit an existing one. To access this screen, click the Add button or select an SSID profile from the list and click the Edit button.

Figure 64 Configuration > Object > AP Profile > Add/Edit SSID Profile

The following table describes the labels in this screen.

Table 55 Configuration > Object > AP Profile > Add/Edit SSID Profile

12.3.2 Security List

This screen allows you to manage wireless security configurations that can be used by your SSIDs. Wireless security is implemented strictly between the AP broadcasting the SSID and the stations that are connected to it.

To access this screen click Configuration > Object > AP Profile > SSID > Security List.

Note: You can have a maximum of 32 security profiles on the device.

Figure 65 Configuration > Object > AP Profile > SSID > Security List

The following table describes the labels in this screen.

Table 56 Configuration > Object > AP Profile > SSID > Security List

12.3.2.1 Add/Edit Security Profile

This screen allows you to create a new security profile or edit an existing one. To access this screen, click the Add button or select a security profile from the list and click the Edit button.

Note: This screen's options change based on the Security Mode selected. Only the default screen is displayed here.

Figure 66 SSID > Security Profile > Add/Edit Security Profile

The following table describes the labels in this screen.

Table 57 SSID > Security Profile > Add/Edit Security Profile

12.3.3 MAC Filter List

This screen allows you to create and manage security configurations that can be used by your SSIDs. To access this screen click Configuration > Object > AP Profile > SSID > MAC Filter List.

Note: You can have a maximum of 32 MAC filtering profiles on the device.

Figure 67 Configuration > Object > AP Profile > SSID > MAC Filter List

The following table describes the labels in this screen.

Table 58 Configuration > Object > AP Profile > SSID > MAC Filter List

12.3.3.1 Add/Edit MAC Filter Profile

This screen allows you to create a new MAC filtering profile or edit an existing one. To access this screen, click the Add button or select a MAC filter profile from the list and click the Edit button.

Note: Each MAC filtering profile can include a maximum of 512 MAC addresses.

Figure 68 SSID > MAC Filter List > Add/Edit MAC Filter Profile

The following table describes the labels in this screen.

Table 59 SSID > MAC Filter List > Add/Edit MAC Filter Profile

13.1 Overview

This screen allows you to set up monitor mode configurations that allow your connected APs to scan for other wireless devices in the vicinity. Once detected, you can use the MON Mode screen (Chapter 9 on page 101) to classify them as either rogue or friendly and then manage them accordingly.

13.1.1 What You Can Do in this Chapter

The MON Profile screen (Section 13.2 on page 152) creates preset monitor mode configurations that can be used by the APs.

13.1.2 What You Need To Know

The following terms and concepts may help as you read this chapter.

Active Scan

An active scan is performed when an 802.11-compatible wireless monitoring device is explicitly triggered to scan a specified channel or number of channels for other wireless devices broadcasting on the 802.11 frequencies by sending probe request frames.

Passive Scan

A passive scan is performed when an 802.11-compatible monitoring device is set to periodically listen to a specified channel or number of channels for other wireless devices broadcasting on the 802.11 frequencies.

13.2 MON Profile

This screen allows you to create monitor mode configurations that can be used by the APs. To access this screen, login to the Web Configurator, and click Configuration > Object > MON Profile.

Figure 69 Configuration > Object > MON Profile

The following table describes the labels in this screen.

Table 60 Configuration > Object > MON Profile

13.2.1 Add/Edit MON Profile

This screen allows you to create a new monitor mode profile or edit an existing one. To access this screen, click the Add button or select and existing monitor mode profile and click the Edit button.

Figure 70 Configuration > Object > MON Profile > Add/Edit MON Profile

The following table describes the labels in this screen.

Table 61 Configuration > Object > MON Profile > Add/Edit MON Profile

13.3 Technical Reference

The following section contains additional technical information about the features described in this chapter.

Rogue APs

Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can open up holes in a network's security. Attackers can take advantage of a rogue AP's weaker (or non-existent) security to gain access to the network, or set up their own rogue APs in order to capture information from wireless clients. If a scan reveals a rogue AP, you can use commercially-available software to physically locate it.

Figure 71 Rogue AP Example

graph TD
    X["User"] -->|X| Router
    A["Computer"] -->|A| Router
    Router -->|RG| C["Server"]
    C --> Internet
    Router -->|B| Laptop1["Laptop"]
    Router -->|B| Laptop2["Laptop"]
    Router -->|B| Laptop3["Laptop"]
    Router -->|B| Internet
    style Router fill:#f9f,stroke:#333
    style Internet fill:#ccf,stroke:#333

In the example above, a corporate network's security is compromised by a rogue AP (RG) set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly (A). The company's legitimate wireless network (the dashed ellipse B) is well-secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available

encryption-cracking software. In this example, the attacker now has access to the company network, including sensitive data stored on the file server (C).

Friendly APs

If you have more than one AP in your wireless network, you should also configure a list of “friendly” APs. Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from recognized networks, for example). It is recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points.

14.1 Overview

The device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

14.1.1 What You Can Do in this Chapter

• The My Certificate screens (Section 14.2 on page 160) generate and export self-signed certificates or certification requests and import the device's CA-signed certificates.
• The Trusted Certificates screens (Section 14.3 on page 168) save CA certificates and trusted remote host certificates to the device. The device trusts any valid certificate that you have imported as a trusted certificate. It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate.

14.1.2 What You Need to Know

The following terms and concepts may help as you read this chapter.

When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.

These keys work like a handwritten signature (in fact, certificates are often referred to as "digital signatures"). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key "writes" your digital signature and your public key allows people to verify whether data was signed by you, or by someone else.

This process works as follows:

1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim's public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim's private key).

5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny's public key to verify the message.

The device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The device does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The device can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).

Advantages of Certificates

Certificates offer the following benefits.

• The device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

Self-signed Certificates

You can have the device act as a certification authority and sign its own certificates.

Factory Default Certificate

The device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.

Certificate File Formats

Any certificate that you want to import has to be in one of these file formats:

• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The device currently allows the importation of a PKS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS# 7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS# 7 certificate into a printable form.

- Binary PKCS# 12: This is a format for transferring public key and private key certificates. The private key in a PKCS # 12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a PKCS # 12 file creates this and you must provide it to decrypt the contents when you import the file into the device.

Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.

14.1.3 Verifying a Certificate

Before you import a trusted certificate into the device, you should verify that you have the correct certificate. You can do this using the certificate's fingerprint. A certificate's fingerprint is a message digest calculated using the MD5 or SHA1 algorithm. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.

1 Browse to where you have the certificate saved on your computer.

2 Make sure that the certificate has a ".cer" or ".crt" file name extension.

3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may very based on your situation. Possible examples would be over the telephone or through an HTTPS connection.

14.2 My Certificates

Click Configuration > Object > Certificate > My Certificates to open this screen. This is the device's summary list of certificates and certification requests.

Figure 72 Configuration > Object > Certificate > My Certificates

The following table describes the labels in this screen.

Table 62 Configuration > Object > Certificate > My Certificates

14.2.1 Add My Certificates

Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.

Figure 73 Configuration > Object > Certificate > My Certificates > Add

The following table describes the labels in this screen.

Table 63 Configuration > Object > Certificate > My Certificates > Add

If you configured the My Certificate Create screen to have the device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the device to enroll a certificate online.

14.2.2 Edit My Certificates

Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate's name.

Figure 74 Configuration > Object > Certificate > My Certificates > Edit

The following table describes the labels in this screen.

Table 64 Configuration > Object > Certificate > My Certificates > Edit

Table 64 Configuration > Object > Certificate > My Certificates > Edit

14.2.3 Import Certificates

Click Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the device.

Note: You can import a certificate that matches a corresponding certification request that was generated by the device. You can also import a certificate in PKCS# 12 format, including the certificate's public and private keys.

The certificate you import replaces the corresponding request in the My Certificates screen.

You must remove any spaces in the certificate's filename before you can import it.

Figure 75 Configuration > Object > Certificate > My Certificates > Import

The following table describes the labels in this screen.

Table 65 Configuration > Object > Certificate > My Certificates > Import

14.3 Trusted Certificates

Click Configuration > Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have set the device to accept as trusted. The device also accepts any valid certificate signed by a certificate on this list

as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates.

Figure 76 Configuration > Object > Certificate > Trusted Certificates

The following table describes the labels in this screen.

Table 66 Configuration > Object > Certificate > Trusted Certificates

14.3.1 Edit Trusted Certificates

Click Configuration > Object > Certificate > Trusted Certificates and then a certificate's Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate's name and set whether or not you want the device to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.

Figure 77 Configuration > Object > Certificate > Trusted Certificates > Edit

The following table describes the labels in this screen.

Table 67 Configuration > Object > Certificate > Trusted Certificates > Edit

14.3.2 Import Trusted Certificates

Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the device.

Note: You must remove any spaces from the certificate's filename before you can import the certificate.

Figure 78 Configuration > Object > Certificate > Trusted Certificates > Import

The following table describes the labels in this screen.

Table 68 Configuration > Object > Certificate > Trusted Certificates > Import

14.4 Technical Reference

The following section contains additional technical information about the features described in this chapter.

OCSP

OCSP (Online Certificate Status Protocol) allows an application or device to check whether a certificate is valid. With OCSP the device checks the status of individual certificates instead of downloading a Certificate Revocation List (CRL). OCSP has two main advantages over a CRL. The first is real-time status information. The second is a reduction in network traffic since the device only gets information on the certificates that it needs to verify, not a huge list. When the device requests certificate status information, the OCSP server returns a “expired”, “current” or “unknown” response.

15.1 Overview

Use the system screens to configure general device settings.

15.1.1 What You Can Do in this Chapter

• The Host Name screen (Section 15.2 on page 176) configures a unique name for the device in your network.
• The Date/ Time screen (Section 15.3 on page 176) configures the date and time for the device.
• The Console Speed screen (Section 15.4 on page 180) configures the console port speed when you connect to the device via the console port using a terminal emulation program.
• The WWW screens (Section 15.5 on page 181) configure settings for HTTP or HTTPS access to the device.
• The SSH screen (Section 15.6 on page 190) configures SSH (Secure SHell) for securely accessing the device's command line interface.
• The Telnet screen (Section 15.7 on page 195) configures Telnet for accessing the device's command line interface.
• The FTP screen (Section 15.8 on page 195) specifies FTP server settings. You can upload and download the device's firmware and configuration files using FTP. Please also see Chapter 17 on page 219 for more information about firmware and configuration files.
• The SNMP screens (Section 15.9 on page 196) configure the device's SNMP settings, including profiles that define allowed SNMPv3 access.
• The Auth. Server screens (Section 15.10 on page 200) configure settings for the device's built-in authentication server.

15.2 Host Name

A host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open this screen.

Figure 79 Configuration > System > Host Name

The following table describes the labels in this screen.

Table 69 Configuration > System > Host Name

15.3 Date and Time

For effective scheduling and logging, the device system time must be accurate. The device has a software mechanism to set the time manually or get the current time and date from an external server.

To change your device's time based on your local time zone and date, click Configuration > System > Date/ Time. The screen displays as shown. You can manually set the device's time and date or have the device get the date and time from a time server.

Figure 80 Configuration > System > Date/Time

The following table describes the labels in this screen.

Table 70 Configuration > System > Date/Time

15.3.1 Pre-defined NTP Time Servers List

When you turn on the device for the first time, the date and time start at 2003-01-01 00:00:00. The device then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers.

The device continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.

Table 71 Default Time Servers

When the device uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the device goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.

15.3.2 Time Server Synchronization

Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field.

When the Loading message appears, you may have to wait up to one minute.

Figure 81 Loading

The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful.

If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/Time screen.

To manually set the device date and time:

1 Click System > Date/ Time.
2 Select Manual under Time and Date Setup.
3 Enter the device's time in the New Time field.
4 Enter the device's date in the New Date field.
5 Under Time Zone Setup, select your Time Zone from the list.
6 As an option you can select the Enable Daylight Saving check box to adjust the device clock for daylight savings.
7 Click Apply.

To get the device date and time from a time server:

1 Click System > Date/ Time.
2 Select Get from Time Server under Time and Date Setup.
3 Under Time Zone Setup, select your Time Zone from the list.
4 Under Time and Date Setup, enter a Time Server Address.
5 Click Apply.

15.4 Console Speed

This section shows you how to set the console port speed when you connect to the device via the console port using a terminal emulation program. See Table 1 on page 23 for default console port settings.

Click Configuration > System > Console Speed to open this screen.

Figure 82 Configuration > System > Console Speed

The following table describes the labels in this screen.

Table 72 Configuration > System > Console Speed

15.5 WWW Overview

The following figure shows secure and insecure management of the device coming in from the WAN. HTTPS and SSH access are secure. HTTP, and Telnet management access are not secure.

Figure 83 Secure and Insecure Service Access From the WAN

graph TD
    A["LAN"] --> B["Router"]
    B --> C["HTTPS"]
    B --> D["SSH"]
    B --> E["INTERNET"]
    F["WiN"] --> G["HTTPS"]
    F --> H["SSH"]
    F --> I["INTERNET"]
    F --> J["HTTP"]
    F --> K["Telnet"]

15.5.1 Service Access Limitations

A service cannot be used to access the device when you have disabled that service in the corresponding screen.

15.5.2 System Timeout

There is a lease timeout for administrators. The device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.

Each user is also forced to log in the device for authentication again when the reauthentication time expires.

You can change the timeout settings in the User screens.

15.5.3 HTTPS

You can set the device to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions.

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed).

It relies upon certificates, public keys, and private keys (see Chapter 14 on page 157 for more information).

HTTPS on the device is used so that you can securely access the device using the Web Configurator. The SSL protocol specifies that the HTTPS server (the device) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the device), whereas the

HTTPS client only should authenticate itself when the HTTPS server requires it to do so (select Authenticate Client Certificates in the WWW screen). Authenticate Client Certificates is optional and if selected means the HTTPS client must send the device a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the device.

Please refer to the following figure.

1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the device's web server.
2 HTTP connection requests from a web browser go to port 80 (by default) on the device's web server.

Figure 84 HTTP/HTTPS Implementation

Note: If you disable HTTP in the WWW screen, then the device blocks all HTTP connection attempts.

15.5.4 Configuring WWW Service Control

Click Configuration > System > WWW to open the WWW screen. Use this screen to specify HTTP or HTTPS settings.

Figure 85 Configuration > System > WWW > Service Control

The following table describes the labels in this screen.

Table 73 Configuration > System > WWW > Service Control

15.5.5 HTTPS Example

If you haven't changed the default HTTPS port on the device, then in your browser enter "https://device IP Address/" as the web site address where "device IP Address" is the IP address or domain name of the device you wish to access.

15.5.5.1 Internet Explorer Warning Messages

When you attempt to access the device HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificate if you want to verify that the certificate is from the device.

You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the Web Configurator login screen; if you select No, then Web Configurator access is blocked.

Figure 86 Security Alert Dialog Box (Internet Explorer)

15.5.5.2 Avoiding Browser Warning Messages

Here are the main reasons your browser displays warnings about the device's HTTPS server certificate and what you can do to avoid seeing the warnings:

• The issuing certificate authority of the device's HTTPS server certificate is not one of the browser's trusted certificate authorities. The issuing certificate authority of the device's factory default certificate is the device itself since the certificate is a self-signed certificate.
• For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.
• To have the browser trust the certificates issued by a certificate authority, import the certificate authority's certificate into your operating system as a trusted certificate. Refer to Appendix B on page 273 for details.

15.5.5.3 Login Screen

After you accept the certificate, the device login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection.

Figure 87 Login Screen (Internet Explorer)

15.5.5.4 Enrolling and Importing SSL Client Certificates

The SSL client needs a certificate if Authenticate Client Certificates is selected on the device.

You must have imported at least one trusted CA to the device in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).

Apply for a certificate from a Certification Authority (CA) that is trusted by the device (see the device's Trusted CA Web Configurator screen).

Figure 88 Trusted Certificates

The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).

15.5.5.5 Installing the CA's Certificate

1 Double click the CA's trusted certificate to produce a screen similar to the one shown next.

2 Click Install Certificate and follow the wizard as shown earlier in this appendix.

15.5.5.6 Installing a Personal Certificate

You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next

1 Click Next to begin the wizard.

2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.

3 Enter the password given to you by the CA.

4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.

5 Click Finish to complete the wizard and begin the import process.

6 You should see the following screen when the certificate is correctly installed on your computer.

15.5.5.7 Using a Certificate When Accessing the device

To access the device via HTTPS:

1 Enter 'https://device IP Address/ in your browser's web address field.

2 When Authenticate Client Certificates is selected on the device, the following screen asks you to select a personal certificate to send to the device. This screen displays even if you only have a single certificate as in the example.

3 You next see the Web Configurator login screen.

15.6 SSH

You can use SSH (Secure SHEll) to securely access the device's command line interface.

SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the

following figure, computer B on the Internet uses SSH to securely connect to the WAN port of the device (A) for a management session.

Figure 89 SSH Communication Over the WAN Example

graph LR
    A["Device A"] --> B["Device B"]
    B --> C["Internet Secure Connection"]
    C --> D["Device D"]

15.6.1 How SSH Works

The following figure is an example of how a secure connection is established between two remote hosts using SSH v1.

Figure 90 How SSH v1 Works Example

graph TD
    A["SSH Server"] -->|Connection request| B["SSH Client"]
    B -->|Host Key, Server Key| C["Session Key"]
    C -->|Host Identification Pass / Fail| D["Encryption method to use"]
    D -->|Password / User name| E["Authentication Pass / Fail"]
    E -->|Data Transmission| F["Data Transmission"]

1 Host Identification

The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.

The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.

2 Encryption Method

Once the identification is verified, both the client and server must agree on the type of encryption method to use.

3 Authentication and Data Transmission

After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.

15.6.2 SSH Implementation on the device

Your device supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Archfour, and Blowfish). The SSH server is implemented on the device for management using port 22 (by default).

15.6.3 Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the device over SSH.

15.6.4 Configuring SSH

Click Configuration > System > SSH to open the following screen. Use this screen to configure your NWA3000-N series AP's Secure Shell settings.

Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

Figure 91 Configuration > System > SSH

The following table describes the labels in this screen.

Table 74 Configuration > System > SSH

15.6.5 Examples of Secure Telnet Using SSH

This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the device. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user's guide.

15.6.5.1 Example 1: Microsoft Windows

This section describes how to access the device using the Secure Shell Client program.

1 Launch the SSH client and specify the connection information (IP address, port number) for the device.
2 Configure the SSH client to accept connection using SSH version 1.
3 A window displays prompting you to store the host key in you computer. Click Yes to continue.

Figure 92 SSH Example 1: Store Host Key

Enter the password to log in to the device. The CLI screen displays next.

15.6.5.2 Example 2: Linux

This section describes how to access the device using the OpenSSH client program that comes with most Linux distributions.

1 Test whether the SSH service is available on the device.

Enter "telnet 192.168.1.2 22" at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the device (using the default IP address of 192.168.1.2).

A message displays indicating the SSH protocol version supported by the device.

Figure 93 SSH Example 2: Test

$ telnet 192.168.1.2 22
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
SSH-1.5-1.0.0 

2 Enter "ssh -1 192.168.1.2". This command forces your computer to connect to the device using SSH version 1. If this is the first time you are connecting to the device using SSH, a message displays prompting you to save the host information of the device. Type "yes" and press [ENTER].

Then enter the password to log in to the device.

Figure 94 SSH Example 2: Log in

$ ssh -1 192.168.1.2
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.2' (RSA1) to the list of known hosts.
Administrator@192.168.1.2's password: 

3 The CLI screen displays next.

15.7 Telnet

You can use Telnet to access the device's command line interface. Click Configuration > System > TELNET to configure your device for remote Telnet access. Use this screen to enable or disable Telnet and set the server port number.

Figure 95 Configuration > System > TELNET

The following table describes the labels in this screen.

Table 75 Configuration > System > TELNET

15.8 FTP

You can upload and download the device's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. See Chapter 17 on page 219 for more information about firmware and configuration files.

To change your device's FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify FTP settings.

Figure 96 Configuration > System > FTP

The following table describes the labels in this screen.

Table 76 Configuration > System > FTP

15.9 SNMP

Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your device supports SNMP agent functionality, which allows a manager station to manage and monitor the device through the network. The device supports SNMP version

one (SNMPv1), version two (SNMPv2c), and version three (SNMPv3). The next figure illustrates an SNMP management operation.

Figure 97 SNMP Management Model

graph TD
    A["MANAGER"] --> B["AGENT"]
    A --> C["AGENT"]
    A --> D["AGENT"]
    B --> E["Managed Device"]
    C --> F["Managed Device"]
    D --> G["Managed Device"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#ccf,stroke:#333
    style D fill:#ccf,stroke:#333

An SNMP managed network consists of two main types of component: agents and a manager.

An agent is a management software module that resides in a managed device (the device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include such as number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

• Get - Allows the manager to retrieve an object variable from the agent.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set - Allows the manager to set values for object variables within an agent.
• Trap - Used by the agent to inform the manager of some events.

15.9.1 Supported MIBs

The device supports MIB II that is defined in RFC-1213 and RFC-1215. The device also supports private MIBs (ZYXEL-ES-CAPWAP.MIB, ZYXEL-ES-COMMON.MIB, ZYXEL-ES-HYBRIDAP.MIB, ZYXEL-ES-PROWLAN.MIB, ZYXEL-ES-RFMGMT.MIB, ZYXEL-ES-SMI.MIB, and ZYXEL-ES-WIRELESS.MIB) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the device's MIBs from www.zyxel.com.

15.9.2 SNMP Traps

The device will send traps to the SNMP manager when any one of the following events occurs.

Table 77 SNMP Traps

15.9.3 Configuring SNMP

To change your device's SNMP settings, click Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings. You can also configure profiles that define allowed SNMPv3 access.

Figure 98 Configuration > System > SNMP

The following table describes the labels in this screen.

Table 78 Configuration > System > SNMP

15.9.4 Adding or Editing an SNMPv3 User Profile

This screen allows you to add or edit an SNMPv3 user profile. To access this screen, click the Configuration > System > SNMP screen's Add button or select a SNMPv3 user profile from the list and click the Edit button.

Figure 99 Configuration > System > SNMP > Add

The following table describes the labels in this screen.

Table 79 Configuration > System > SNMP

15.10 Internal RADIUS Server

The device can use its internal Remote Authentication Dial In User Service (RADIUS) server to authenticate the wireless clients of trusted APs. RADIUS is a protocol that enables you to control access to a network by authenticating user credentials.

The following figure shows how this is done. Wireless clients make access requests to trusted APs, which relay the requests to the device.

Figure 100 Trusted APs Overview

graph TD
    A["RADIUS Server"] --> B["Trusted APs"]
    B --> C["Wireless clients"]
    A --> D["Trusted APs"]
    D --> E["Trusted APs"]
    D --> F["Trusted APs"]
    D --> G["Trusted APs"]
    D --> H["Trusted APs"]
    D --> I["Trusted APs"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#cfc,stroke:#333
    style D fill:#fcc,stroke:#333
    style E fill:#ffc,stroke:#333
    style F fill:#cfc,stroke:#333
    style G fill:#cfc,stroke:#333
    style H fill:#cfc,stroke:#333
    style I fill:#cfc,stroke:#333

Certificates are used by wireless clients to authenticate the RADIUS server. These are "digital signatures" that identify network devices. Certificates ensure that the clients supply their login details to the correct device. Information matching the certificate is held on the wireless client's utility. A password and user name on the utility must match an entry in the Object > Users screen's list so that the RADIUS server can be authenticated.

Note: The device can function as an AP and as a RADIUS server at the same time.

15.10.1 Configuring the Internal RADIUS Server

Use this screen to turn the device's internal RADIUS server off or on, select the certificate it uses, and maintain a list of trusted client APs. A trusted AP is an AP that uses the device's internal RADIUS server to authenticate its wireless clients. Each wireless client must have a user name and password configured in the Object > Users screen.

Click Configuration > System > Auth. Server. The following screen displays.

Figure 101 Configuration > System > Auth. Server

The following table describes the labels in this screen.

Table 80 Configuration > System > Auth. Server

15.10.2 Adding or Editing a Trusted AP Profile

This screen allows you to add or edit an internal RADIUS server trusted AP profile. To access this screen, click the Configuration > System > Auth. Server screen's Add button or select a trusted AP profile from the list and click the Edit button.

Figure 102 Configuration > System > Auth. Server > Add

The following table describes the labels in this screen.

Table 81 Configuration > System > Auth. Server

15.11 Technical Reference

This section provides some technical background information about the topics covered in this chapter.

Internal RADIUS Server

PEAP (Protected EAP) and MD5 authentication is implemented on the internal RADIUS server using simple username and password methods over a secure TLS connection. See Appendix C on page 287 for more information on the types of EAP authentication and the internal RADIUS authentication method used in your device.

Note: The internal RADIUS server does not support domain accounts (DOMAIN/user). When you configure your Windows XP SP2 Wireless Zero Configuration PEAP/MS-CHAPv2 settings, clear the Use Windows logon name and password check box. When authentication begins, a pop-up dialog box requests you to type a Name, Password and Domain of the RADIUS server. Specify a name and password only, do not specify a domain.

16.1 Overview

Use the system screens to configure daily reporting and log settings.

16.1.1 What You Can Do In this Chapter

• The Email Daily Report screen (Section 16.2 on page 205) configures how and where to send daily reports and what reports to send.
• The Log Setting screens (Section 16.3 on page 207) specify which logs are e-mailed, where they are e-mailed, and how often they are e-mailed.

16.2 Email Daily Report

Use this screen to start or stop data collection and view various statistics about traffic passing through your device.

Note: Data collection may decrease the device's traffic throughput rate.

Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the device e-mail you system statistics every day.

Figure 103 Configuration > Log & Report > Email Daily Report (Standalone Mode)

The following table describes the labels in this screen.

Table 82 Configuration > Log & Report > Email Daily Report

16.3 Log Setting

These screens control log messages and alerts. A log message stores the information for viewing (for example, in the View Log tab) or regular e-mailing later, and an alert is e-mailed immediately. Usually, alerts are used for events that require more serious attention, such as system errors and attacks.

The device provides a system log and supports e-mail profiles and remote syslog servers. The system log is available on the View Log tab, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers.

The Log Setting tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed.

For alerts, the Log Settings tab controls which events generate alerts and where alerts are e- mailed.

The Log Settings Summary screen provides a summary of all the settings. You can use the Log Settings Edit screen to maintain the detailed settings (such as log categories, e-mail addresses, server names, etc.) for any log. Alternatively, if you want to edit what events is included in each log, you can also use the Active Log Summary screen to edit this information for all logs at the same time.

16.3.1 Log Setting Summary

To access this screen, click Configuration > Log & Report > Log Setting.

Figure 104 Configuration > Log & Report > Log Setting

The following table describes the labels in this screen.

Table 83 Configuration > Log & Report > Log Setting

16.3.2 Edit Log Settings

This screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen and click the system log Edit icon.

Figure 105 Configuration > Log & Report > Log Setting > Edit

The following table describes the labels in this screen.

Table 84 Configuration > Log & Report > Log Setting > Edit

16.3.3 Edit Remote Server

This screen controls the settings for each log in the remote server (syslog). Go to the Log Settings Summary screen and click a remote server Edit icon.

Figure 106 Configuration > Log & Report > Log Setting > Edit Remote Server

The following table describes the labels in this screen.

Table 85 Configuration > Log & Report > Log Setting > Edit Remote Server

16.3.4 Active Log Summary

This screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for

example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen, and click the Active Log Summary button.

Figure 107 Active Log Summary

This screen provides a different view and a different way of indicating which messages are included in each log and each alert. (The Default category includes debugging messages generated by open source software.)

The following table describes the fields in this screen.

Table 86 Configuration > Log & Report > Log Setting > Active Log Summary

17.1 Overview

Configuration files define the device's settings. Shell scripts are files of commands that you can store on the device and run when you need them. You can apply a configuration file or run a shell script without the device restarting. You can store multiple configuration files and shell script files on the device. You can edit configuration files or shell scripts in a text editor and upload them to the device. Configuration files use a .conf extension and shell scripts use a .zysh extension.

17.1.1 What You Can Do in this Chapter

• The Configuration File screen (Section 17.2 on page 220) stores and names configuration files. You can also download and upload configuration files.
• The Firmware Package screen (Section 17.3 on page 224) checks your current firmware version and uploads firmware to the device.
• The Shell Script screen (Section 17.4 on page 226) stores, names, downloads, uploads and runs shell script files.

17.1.2 What you Need to Know

The following terms and concepts may help as you read this chapter.

Configuration Files and Shell Scripts

When you apply a configuration file, the device uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the device only applies the commands that it contains. Other settings do not change.

These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below

<h1 id="enter-configuration-mode">enter configuration mode</h1>
configure terminal
<h1 id="change-administrator-password">change administrator password</h1>
username admin password 4321 user-type admin
#configure default radio profile, change 2GHz channel to 11 & Tx output power # to 50%
wlan-radio-profile default
2g-channel 11
output-power 50%
exit
write 

While configuration files and shell scripts have the same syntax, the device applies configuration files differently than it runs shell scripts. This is explained below.

Table 87 Configuration Files and Shell Scripts in the device

You have to run the aforementioned example as a shell script because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode.

Comments in Configuration Files or Shell Scripts

In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the device treat the line as a comment.

Your configuration files or shell scripts can use "exit" or a command line consisting of a single "!" to have the device exit sub command mode.

Note: "exit" or "!" must follow sub commands if it is to make the device exit sub command mode.

In the following example lines 1 and 2 are comments. Line 5 exits sub command mode.

! this is from Joe
<h1 id="on-20101205">on 2010/12/05</h1>
wlan-ssid-profile default
ssid Joe-AP
qos wmm
security default
! 

Errors in Configuration Files or Shell Scripts

When you apply a configuration file or run a shell script, the device processes the file line-by-line. The device checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the device finds an error, it stops applying the configuration file or shell script and generates a log.

You can change the way a configuration file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The device ignores any errors in the configuration file or shell script and applies all of the valid commands. The device still generates a log for any errors.

17.2 Configuration File

Click Maintenance > File Manager > Configuration File to open this screen. Use the Configuration File screen to store, run, and name configuration files. You can also download

configuration files from the device to your computer and upload configuration files from your computer to the device.

Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.

Configuration File Flow at Restart

• If there is not a startup-config.conf when you restart the device (whether through a management interface or by physically turning the power off and back on), the device uses the system-default.conf configuration file with the device's default settings.
• If there is a startup-config.conf, the device checks it for errors and applies it. If there are no errors, the device uses it and copies it to the lastgood.conf configuration file as a back up file. If there is an error, the device generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. If there isn't a lastgood.conf configuration file or it also has an error, the device applies the system-default.conf configuration file.
• You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The device ignores any errors in the startup-config.conf file and applies all of the valid commands. The device still generates a log for any errors.

Figure 108 Maintenance > File Manager > Configuration File

Do not turn off the device while configuration file upload is in progress.

The following table describes the labels in this screen.

Table 88 Maintenance > File Manager > Configuration File

LABEL DESCRIPTION
Rename Use this button to change the label of a configuration file on the device. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files.You cannot rename a configuration file to the name of another configuration file in the device.Click a configuration file's row to select it and click Rename to open the Rename File screen.Specify the new name for the configuration file. Use up to 25 characters (including a-zA-Z0-9;~!@#%^&()_+[]',=-.Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
Remove	Click a configuration file's row to select it and click Remove to delete it from the device. You can only delete manually saved configuration files. You cannot delete the system-default.conf, startup-config.conf and lastgood.conf files.A pop-up window asks you to confirm that you want to delete the configuration file. Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file.
Download	Click a configuration file's row to select it and click Download to save the configuration to your computer.
Copy	Use this button to save a duplicate of a configuration file on the device.Click a configuration file's row to select it and click Copy to open the Copy File screen.Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;~!@#%^&()_+[]{}',=-.Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
Apply Use this button to have the device use a specific configuration file.Click a configuration file's row to select it and clickApplyto have the device use that configuration file. The device does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.The following screen gives you options for what the device is to do if it encounters an error in the configuration file.
	Apply Configuration FileFile Name:system-default.confIf applying the configuration file encounters an error:Immediately stop applying the configuration fileImmediately stop applying the configuration file and roll back to the previous configurationIgnore errors and finish applying the configuration fileIgnore errors and finish applying the configuration file and then roll back to the previous configurationOK Cancel
	Immediately stop applying the configuration file- this is not recommended because it would leave the rest of the configuration blank. If the interfaces were not configured before the first error, the console port may be the only way to access the device.Immediately stop applying the configuration file and roll back to the previous configuration- this gets the device started with a fully valid configuration file as quickly as possible.Ignore errors and finish applying the configuration file- this applies the valid parts of the configuration file and generates error logs for all of the configuration file's errors. This lets the device apply most of your configuration and you can refer to the logs for what to fix.Ignore errors and finish applying the configuration file and then roll back to the previous configuration- this applies the valid parts of the configuration file, generates error logs for all of the configuration file's errors, and starts the device with a fully valid configuration file.Click OK to have the device start applying the configuration file or click Cancel to close the screen
#	This column displays the number for each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space.
File Name This column displays the label that identifies a configuration file.
Size This column displays the size (in KB) of a configuration file.
Last Modified	This column displays the date and time that the individual configuration files were last changed or saved.
Upload Configuration File	The bottom part of the screen allows you to upload a new or previously saved configuration file from your computer to your deviceYou cannot upload a configuration file named system-default.conf or lastgood.conf.If you upload startup-config.conf, it will replace the current configuration and immediately apply the new settings.
File Path	Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...	Click Browse... to find the .conf file you want to upload. The configuration file must use a ".conf" filename extension. You will receive an error message if you try to upload a file of a different format. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload	Click Upload to begin the upload process. This process may take up to two minutes.

17.3 Firmware Package

Click Maintenance > File Manager > Firmware Package to open this screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the device.

Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.

Find the firmware package at www.zyxel.com in a file that (usually) uses a .bin extension.

The firmware update can take up to five minutes. Do not turn off or reset the device while the firmware update is in progress!

Figure 109 Maintenance > File Manager > Firmware Package

The following table describes the labels in this screen.

Table 89 Maintenance > File Manager > Firmware Package

After you see the Firmware Upload in Process screen, wait two minutes before logging into the device again.

Note: The device automatically reboots after a successful upload.

The device automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 110 Network Temporarily Disconnected

After five minutes, log in again and check your new firmware version in the Dashboard screen.

17.4 Shell Script

Use shell script files to have the device use commands that you specify. Use a text editor to create the shell script files. They must use a ".zysh" filename extension.

Click Maintenance > File Manager > Shell Script to open this screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the device at the same time.

Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the device restarts. You could use multiple write commands in a long script.

Figure 111 Maintenance > File Manager > Shell Script

Each field is described in the following table.

Table 90 Maintenance > File Manager > Shell Script

18.1 Overview

Use the diagnostics screens for troubleshooting.

18.1.1 What You Can Do in this Chapter

• The Diagnostics screen (Section 18.2 on page 229) generates a file containing the device's configuration and diagnostic information if you need to provide it to customer support during troubleshooting.
• The Packet Capture screen (Section 18.3 on page 230) captures data packets going through the device.
• The Wireless Frame Capture screens (Section 18.4 on page 233) capture network traffic going through the AP interfaces connected to your device.

18.2 Diagnostics

This screen provides an easy way for you to generate a file containing the device's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.

Click Maintenance > Diagnostics to open the Diagnostic screen.

Figure 112 Maintenance > Diagnostics

The following table describes the labels in this screen.

Table 91 Maintenance > Diagnostics

18.3 Packet Capture

Use this screen to capture network traffic going through the device's interfaces. Studying these packet captures may help you identify network problems.

Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen.

Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this.

Figure 113 Maintenance > Diagnostics > Packet Capture > Capture

The following table describes the labels in this screen.

Table 92 Maintenance > Diagnostics > Packet Capture

18.3.1 Packet Capture Files

Click Maintenance > Diagnostics > Packet Capture > Files to open the packet capture files screen. This screen lists the files of packet captures the device has performed. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark.

Figure 114 Maintenance > Diagnostics > Packet Capture > Files

The following table describes the labels in this screen.

Table 93 Maintenance > Diagnostics > Packet Capture > Files

18.3.2 Example of Viewing a Packet Capture File

Here is an example of a packet capture file viewed in the Wireshark packet analyzer. Notice that the size of frame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The device

truncated the frame because the capture screen's Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes.

Figure 115 Packet Capture File Example

18.4 Wireless Frame Capture

Use this screen to capture wireless network traffic going through the AP interfaces connected to your device. Studying these frame captures may help you identify network problems.

Click Maintenance > Diagnostics > Wireless Frame Capture to display this screen.

Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this.

Figure 116 Maintenance > Diagnostics > Wireless Frame Capture > Capture

The following table describes the labels in this screen.

Table 94 Maintenance > Diagnostics > Wireless Frame Capture > Capture

18.4.1 Wireless Frame Capture Files

Click Maintenance > Diagnostics > Wireless Frame Capture > Files to open this screen. This screen lists the files of wireless frame captures the device has performed. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark.

Figure 117 Maintenance > Diagnostics > Wireless Frame Capture > Files

The following table describes the labels in this screen.

Table 95 Maintenance > Diagnostics > Wireless Frame Capture > Files

19.1 Overview

Use this to restart the device.

19.1.1 What You Need To Know

If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot.

Reboot is different to reset; reset returns the device to its default configuration.

19.2 Reboot

This screen allows remote users can restart the device. To access this screen, click Maintenance > Reboot.

Figure 118 Maintenance > Reboot

Click the Reboot button to restart the device. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser.

You can also use the CLI command reboot to restart the device.

20.1 Overview

Use this screen to shutdown the device.

Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the device or remove the power. Not doing so can cause the firmware to become corrupt.

20.1.1 What You Need To Know

Shutdown writes all cached data to the local storage and stops the system processes. Shutdown is different to reset; reset returns the device to its default configuration.

20.2 Shutdown

To access this screen, click Maintenance > Shutdown.

Figure 119 Maintenance > Shutdown

Click the Shutdown button to shut down the device. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power.

You can also use the CLI command shutdown to shutdown the device.

Troubleshooting

21.1 Overview

This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.

• Power, Hardware Connections, and LEDs
• device Access and Login
- Internet Access
• Wireless AP Troubleshooting
- Resetting the device

21.2 Power, Hardware Connections, and LEDs

The device does not turn on. None of the LEDs turn on.

1 Make sure you are using the power adaptor included with the device or a PoE power injector.
2 Make sure the power adaptor or PoE power injector is connected to the device and plugged in to an appropriate power source. Make sure the power source is turned on.
3 Disconnect and re-connect the power adaptor or PoE power injector.
4 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
5 If none of these steps work, you may have faulty hardware and should contact your device vendor.

One of the LEDs does not behave as expected.

1 Make sure you understand the normal behavior of the LED. See Section 1.7 on page 25.
2 Check the hardware connections. See the Quick Start Guide.
3 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
4 Disconnect and re-connect the power adaptor or PoE power injector to the device.

5 If the problem continues, contact the vendor.

21.3 device Access and Login

I forgot the IP address for the device.

1 The default IP address is 192.168.1.2.
2 Use the commands through the console port to check the IP address. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed.
3 If this does not work, you have to reset the device to its factory defaults. See Section 21.6 on page 249.

I cannot see or access the Login screen in the web configurator.

1 Make sure you are using the correct IP address.
• The default IP address is 192.168.1.2.
- If you changed the IP address, use the new IP address.
- If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the device.
2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.7 on page 25.
3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled.
4 Make sure your computer is in the same subnet as the device. (If you know that there are routers between your computer and the device, skip this step.)
- If there is no DHCP server on your network, make sure your computer's IP address is in the same subnet as the device.
5 Reset the device to its factory defaults, and try to access the device with the default IP address. See your Quick Start Guide.
6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions

• Try to access the device using another service, such as Telnet. If you can access the device, check the remote management settings to find out why the device does not respond to HTTP.
• If your computer is connected wirelessly, use a computer that is connected to a LAN/ETHERNET port.
• If you've forgotten the device's IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed.

I forgot the password.

1 The default password is 1234.

2 If this does not work, you have to reset the device to its factory defaults. See Section 21.6 on page 249.

I can see the Login screen, but I cannot log in to the device.

1 Make sure you have entered the user name and password correctly. The default password is 1234. This fields are case-sensitive, so make sure [Caps Lock] is not on.
2 You cannot log in to the web configurator while someone is using Telnet to access the device. Log out of the device in the other session, or ask the person who is logged in to log out.
3 Disconnect and re-connect the power adaptor or PoE power injector to the device.
4 If this does not work, you have to reset the device to its factory defaults. See Section 21.6 on page 249.

I cannot access the device via the console port.

1 Check to see if the device is connected to your computer's console port.
2 Check to see if the communications program is configured correctly. The communications software should be configured as follows:

VT100 terminal emulation.

115200 bps is the default speed on leaving the factory. Try other speeds in case the speed has been changed.

No parity, 8 data bits, 1 stop bit, data flow set to none.

I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware.

See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.

21.4 Internet Access

I cannot access the Internet.

1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 21.2 on page 241.
2 Make sure you entered your ISP account information correctly. These fields are case-sensitive, so make sure [Caps Lock] is not on.
3 If you are trying to access the Internet wirelessly, make sure the wireless settings on the wireless client are the same as the settings on the AP.
4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
5 If the problem continues, contact your ISP.

I cannot access the Internet anymore. I had access to the Internet (with the device), but my Internet connection is not available anymore.

1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.7 on page 25.
2 Reboot the device.
3 If the problem continues, contact your ISP.

The Internet connection is slow or intermittent.

1 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.7 on page 25. If the device is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications.

2 Check the signal strength. If the signal is weak, try moving the device closer to the AP (if possible), and look around to see if there are any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on).
3 Reboot the device.
4 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions

Check the settings for QoS. If it is disabled, you might consider activating it. If it is enabled, you might consider raising or lowering the priority for some applications.

21.5 Wireless AP Troubleshooting

I cannot access the device or ping any computer from the WLAN.

1 Make sure the wireless LAN is enabled on the device
2 Make sure the wireless adapter on the wireless station is working properly.
3 Make sure the wireless adapter (installed on your computer) is IEEE 802.11 compatible and supports the same wireless standard as the device.
4 Make sure your computer (with a wireless adapter installed) is within the transmission range of the device.
5 Check that both the device and your wireless station are using the same wireless and wireless security settings.
6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the device.
7 Make sure you allow the device to be remotely accessed through the WLAN interface. Check your remote management settings.

Hackers have accessed my WEP-encrypted wireless LAN.

WEP is extremely insecure. Its encryption can be broken by an attacker, using widely-available software. It is strongly recommended that you use a more effective security mechanism. Use the strongest security mechanism that all the wireless devices in your network support. WPA2 or WPA2-PSK is recommended.

The wireless security is not following the re-authentication timer setting I specified.

If a RADIUS server authenticates wireless stations, the re-authentication timer on the RADIUS server has priority. Change the RADIUS server's configuration if you need to use a different re-authentication timer setting.

Device HA is not working.

• You may need to disable STP (Spanning Tree Protocol).
• The master and its backups must all use the same device HA mode (active-passive).
• Configure a static IP address for each interface that you will have device HA monitor.
• Configure a separate management IP address for each interface. You can use it to access the device for management whether the device is the master or a backup. The management IP address should be in the same subnet as the interface IP address.
• Enable monitoring for the same interfaces on the master and backup devices.
• Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master device.
• If you have multiple device virtual routers on your network, use a different cluster ID to identify each virtual router. There can only be one master device in each virtual router (same cluster ID).

A broadcast storm results when I turn on Device HA.

Do not connect the bridge interfaces on two devices without device HA activated on both. Either activate device HA before connecting the bridge interfaces or disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces.

I cannot get the Device HA synchronization to work.

Only devices of the same model and firmware version can synchronize.

I cannot get a certificate to import into the device.

1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the device. You can also import a certificate in PKCS# 12 format, including the certificate's public and private keys.
2 You must remove any spaces from the certificate's filename before you can import the certificate.
3 Any certificate that you want to import has to be in one of these file formats:
- Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
- PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.

• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The device currently allows the importation of a PKS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS# 7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS# 7 certificate into a printable form.
• Binary PKCS# 12: This is a format for transferring public key and private key certificates. The private key in a PKCS # 12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a PKCS # 12 file creates this and you must provide it to decrypt the contents when you import the file into the device.

Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.

I can only see newer logs. Older logs are missing.

When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.

The commands in my configuration file or shell script are not working properly.

• In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the device treat the line as a comment.
• Your configuration files or shell scripts can use "exit" or a command line consisting of a single "!" to have the device exit sub command mode.
• Include write commands in your scripts. Otherwise the changes will be lost when the device restarts. You could use multiple write commands in a long script.

Note: “exit” or “!” must follow sub commands if it is to make the device exit sub command mode.

I cannot get the firmware uploaded using the commands.

The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.

My packet capture captured less than I wanted or failed.

The packet capture screen's File Size sets a maximum size limit for the total combined size of all the capture files on the device, including any existing capture files and any new capture files you

generate. If you have existing capture files you may need to set this size larger or delete existing capture files.

The device stops the capture and generates the capture file when either the capture files reach the File Size or the time period specified in the Duration field expires.

My earlier packet capture files are missing.

New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this.

Wireless clients cannot connect to an AP.

• There may be a configuration mismatch between the wireless clients and the AP, or an incorrect VLAN topology. See Chapter 4 on page 49 for a simple primer on basic network topology and management.
• The wireless client's MAC address may be on the MAC filtering list. See Section 12.3.3 on page 147 for details on managing the device MAC Filter.
• The wireless client may not be able to get an IP:

Check the wireless client's own network configuration settings to ensure that it is set up to receive its IP address automatically.

If the device or a connected Internet access device are managing the network with static IPs, make sure that the server settings for issuing those IPs are properly configured.

Check the wireless client's own network settings to ensure it is already set up with its static IP address.

• Authentication of the wireless client with the authentication server may have failed. Ensure the AP profile assigned to the AP uses a security profile that is properly configured and which is matches the security settings in use by the device. For example, if the security mode on the AP is set to WPA/WPA2 then make sure the authentication server is running and able to complete the 802.1x authentication sequence. See Chapter 12 on page 135 and Section 15.10 on page 200 for more.
• If you cannot solve the problem on your own, before contacting Customer Support use the built-in wireless frame capture tools (Chapter 18 on page 229) to capture data that can be used for more granular troubleshooting procedures. To use the built-in wireless frame capture tool, first set up a second device nearby to act as a Monitor AP (Chapter 9 on page 101).

The AP status is registered as offline even though it is on.

• Check the network connections between the device and the AP to ensure they are still intact.
• The AP may be suffering from instability. Disconnect it to turn its power off, wait some time, then reconnect it and see if that resolves the issue.
• The CAPWAP daemon may be down. Use the device's built-in diagnostic tools and CLI console to get CAPWAP debug messages which can later be sent to customer service for analysis.

Wireless clients are not being load balanced among my APs.

• Make sure that all the APs used by the wireless clients in question share the same SSID, security, and radio settings.
• Make sure that all the APs are in the same broadcast domain.
• Make sure that the wireless clients are in range of the other APs; if they are only in range of a single AP, then load balancing may not be as effective.

In the Monitor > Wireless > AP Information > Radio List page, there is no load balancing indicator associated with any APs assigned to the load balancing task.

• Check to be sure that the AP profile which contains the load balancing settings is correctly assigned to the APs in question.
• The load balancing task may have been terminated because further load balancing on the APs in question is no longer required.

21.6 Resetting the device

If you cannot access the device by any method, try restarting it by turning the power off and then on again. If you still cannot access the device by any method or you forget the administrator password(s), you can reset the device to its factory-default settings. Any configuration files or shell scripts that you saved on the device should still be available afterwards.

Use the following procedure to reset the device to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system-default.conf file.

Note: This procedure removes the current configuration.

1 Make sure the PWR\ SYS LED is on and not blinking.
2 Press the RESET button and hold it until the PWR\ SYS LED begins to blink. (This usually takes about five seconds.)
3 Release the RESET button, and wait for the device to restart.

You should be able to access the device using the default settings.

21.7 Getting More Troubleshooting Help

Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.

Product Specifications

The following tables summarize the device's hardware and firmware features.

Table 96 Hardware Specifications

Table 96 Hardware Specifications

Table 97 Firmware Specifications

Table 97 Firmware Specifications

22.1 Wall-Mounting Instructions

Complete the following steps to hang your device on a wall.

Note: See Table 96 on page 251 for the size of screws to use and how far apart to place them.

1 Select a position free of obstructions on a sturdy wall.
2 Drill two holes for the screws.

Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws.

3 Do not insert the screws all the way into the wall. Leave a small gap of about 0.5 cm between the heads of the screws and the wall.
4 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the device with the connection cables.
5 Align the holes on the back of the device with the screws on the wall. Hang the device on the screws.

Figure 120 Wall-mounting Example

The following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm).

Figure 121 Masonry Plug and M4 Tap Screw

Log Descriptions

This appendix provides descriptions of example log messages.

The ZySH logs deal with internal system errors.

Table 98 ZySH Logs

Table 99 User Logs

Table 100 Built-in Services Logs

Table 101 System Logs

Table 102 Device HA Logs

Table 103 Certificate Path Verification Failure Reason Codes

Table 104 WLAN Logs

Table 105 Account Logs

Table 106 File Manager Logs

Table 107 DHCP Logs

Table 108 E-mail Daily Report Logs

Table 109 CAPWAP Server Logs

Table 109 CAPWAP Server Logs

Table 109 CAPWAP Server Logs

Table 110 CAPWAP Client Logs

Table 110 CAPWAP Client Logs

Table 111 AP Load Balancing Logs

Table 112 Rogue AP Logs

Table 113 Wireless Frame Capture Logs

Table 114 DCS Logs

Importing Certificates

This appendix shows you how to import public key certificates into your web browser.

Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitimate.

Many ZyXEL products, such as the NSA-2401, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the ZyXEL-created certificate into your web browser and flag that certificate as a trusted authority.

Note: You can see if you are browsing on a secure website if the URL in your web browser's address bar begins with https:// or there is a sealed padlock icon ( ) somewhere in the main browser window (not all browsers show the padlock in the same location.)

Internet Explorer

The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, they can also apply to Internet Explorer on Windows Vista.

1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2 Click Continue to this website (not recommended).
3 In the Address Bar, click Certificate Error > View certificates.

4 In the Certificate dialog box, click Install Certificate.

5 In the Certificate Import Wizard, click Next.

6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.

7 Otherwise, select Place all certificates in the following store and then click Browse.

8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.

9 In the Completing the Certificate Import Wizard screen, click Finish.

10 If you are presented with another Security Warning, click Yes.

11 Finally, click OK when presented with the successful certificate installation message.

12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information.

Installing a Stand-Alone Certificate File in Internet Explorer

Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Double-click the public key certificate file.

GA CER

2 In the security warning dialog box, click Open.

3 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 273 to complete the installation process.

Removing a Certificate in Internet Explorer

This section shows you how to remove a public key certificate in Internet Explorer 7 on Windows XP.

1 Open Internet Explorer and click Tools > Internet Options.

2 In the Internet Options dialog box, click Content > Certificates.

3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.

4 In the Certificates confirmation, click Yes.

5 In the Root Certificate Store dialog box, click Yes.

6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Firefox

The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.

1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2 Select Accept this certificate permanently and click OK.

3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page's security information.

Installing a Stand-Alone Certificate File in Firefox

Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Firefox and click Tools > Options.

2 In the Options dialog box, click Advanced > Encryption > View Certificates.

3 In the Certificate Manager dialog box, click Web Sites > Import.

4 Use the Select File dialog box to locate the certificate and then click Open.

5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information.

Removing a Certificate in Firefox

This section shows you how to remove a public key certificate in Firefox 2.

1 Open Firefox and click Tools > Options.

2 In the Options dialog box, click Advanced > Encryption > View Certificates.

3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.

4 In the Delete Web Site Certificates dialog box, click OK.

5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN.

Figure 122 Peer-to-Peer Communication in an Ad-hoc Network

BSS

A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP).

Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is

disabled, wireless client A and B can still access the wired network but cannot communicate with each other.

Figure 123 Basic Service Set

graph TD
    A["Server"] --> B["Ethernet"]
    C["Client"] --> D["AP"]
    E["Printer"] --> F["BSS"]
    G["Computer"] --> H["AP"]
    I["Client"] --> J["BSS"]
    style A fill:#f9f,stroke:#333
    style C fill:#f9f,stroke:#333
    style E fill:#f9f,stroke:#333
    style G fill:#f9f,stroke:#333
    style I fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style F fill:#ccf,stroke:#333
    style H fill:#ccf,stroke:#333
    style J fill:#ccf,stroke:#333

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).

This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.

An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.

Figure 124 Infrastructure WLAN

graph TD
    A["Server"] --> B["Ethernet"]
    C["Printer"] --> B
    D["Computer"] --> B
    B --> E["AP 1"]
    B --> F["AP 2"]
    E --> G["BSS 1"]
    E --> H["BSS 2"]
    F --> I["BSS 2"]
    G --> J["A"]
    H --> K["B"]
    I --> L["C"]
    style E fill:#f9f,stroke:#333
    style F fill:#f9f,stroke:#333
    style G fill:#ccf,stroke:#333
    style H fill:#ccf,stroke:#333
    style I fill:#ccf,stroke:#333
    style J fill:#dfd,stroke:#333
    style K fill:#dfd,stroke:#333
    style L fill:#dfd,stroke:#333

Channel

A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance.

Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11.

RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they

cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.

Figure 125 RTS/CTS

graph TD
    subgraph Wireless Station
        A["AP"] -->|RTS| B["AP"]
        A -->|CTS| B
        A -->|Data| B
        A -->|ACK| B
    end
    subgraph CTS Range
        C["AP"] --> D["AP"]
        D --> E["AP"]
        D --> F["B"]
        E --> D
        F --> D
    end
    style Wireless Station fill:#f9f,stroke:#333
    style CTS Range fill:#bbf,stroke:#333
    note right of D: Stations cannot hear each other. They can hear the AP.
    note right of D: Stations cannot hear each other. They can hear the AP.

When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/ CTS is designed to prevent collisions due to hidden nodes. An RTS/ CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.

Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.

A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet.

Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble.

Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks.

Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications.

Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the device uses long preamble.

Note: The wireless devices MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:

Table 115 IEEE 802.11g

Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.

Wireless security methods available on the device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the device identity.

The following figure shows the relative effectiveness of these wireless security methods available on your device.

Table 116 Wireless Security Levels

Note: You must enable the same wireless security settings on the device and on all wireless clients that you want to associate with it.

IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:

• User based identification that allows for roaming.
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

• Authentication
  Determines the identity of the users.
• Authorization
  Determines the network services available to authenticated users once they are connected to the network.
• Accounting
  Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:

• Access-Request
  Sent by an access point requesting authentication.
• Access-Reject
  Sent by a RADIUS server rejecting access.

- Access-Accept

Sent by a RADIUS server allowing access.

- Access-Challenge

Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

• Accounting-Request
  Sent by the access point requesting accounting.
• Accounting-Response

Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Types of EAP Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types.

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x.

For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client 'proves' that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 117 Comparison of EAP Authentication Types

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.

Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but offers stronger encryption than TKIP with Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP).

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm

called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but it's still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of WEP)

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.

The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA(2) with RADIUS Application Example

To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.
4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

Figure 126 WPA(2) with RADIUS Application Example

graph TD
    A["Laptop 1"] -->|Wireless Signal| B["DS"]
    C["Laptop 2"] -->|Wireless Signal| B["DS"]
    D["Laptop 3"] -->|Wireless Signal| B["DS"]
    B --> E["Server A"]
    F["INTERNET"] --> G["Cloud"]

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).
2 The AP checks each wireless client's password and allows it to join the network only if the password matches.
3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.

4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them.

Figure 127 WPA(2)-PSK Authentication

graph LR
    A["Laptop"] <-->|PSK| B["Internet"]
    C["Laptop"] <-->|PSK| B["INTERNET"]
    D["Laptop"] <-->|PSK| B["INTERNET"]

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features.

Table 118 Wireless Security Relational Matrix

Open Software Announcements

End-User License Agreement for "NWA3160-N"

WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM. IF YOU DO NOT AGREE TO THESE TERMS, THEN ZyXEL IS UNWILLING TO LICENSE THE SOFTWARE TO YOU, IN WHICH EVENT YOU SHOULD RETURN THE UNINSTALLED SOFTWARE AND PACKAGING TO THE PLACE FROM WHICH IT WAS ACQUIRED OR ZyXEL, AND YOUR MONEY WILL BE REFUNDED. HOWEVER, CERTAIN ZYXEL'S PRODUCTS MAY CONTAIN-IN PART-SOME THIRD PARTY'S FREE AND OPEN SOFTWARE PROGRAMS WHICH ALLOW YOU TO FREELY COPY, RUN, DISTRIBUTE, MODIFY AND IMPROVE THE SOFTWARE UNDER THE APPLICABLE TERMS OF SUCH THRID PARTY'S LICENSES ("OPEN-SOURCED COMPONENTS"). THE OPEN-SOURCED COMPONENTS ARE LISTED IN THE NOTICE OR APPENDIX BELOW. ZYXEL MAY HAVE DISTRIBUTED TO YOU HARDWARE AND/OR SOFTWARE, OR MADE AVAILABLE FOR ELECTRONIC DOWNLOADS THESE FREE SOFTWARE PROGRAMS OF THRID PARTIES AND YOU ARE LICENSED TO FREELY COPY, MODIFY AND REDISTIBUTE THAT SOFTWARE UNDER THE APPLICABLE LICENSE TERMS OF SUCH THIRD PARTY. NONE OF THE STATEMENTS OR DOCUMENTATION FROM ZYXEL INCLUDING ANY RESTRICTIONS OR CONDITIONS STATED IN THIS END USER LICENSE AGREEMENT SHALL RESTRICT ANY RIGHTS AND LICENSES YOU MAY HAVE WITH RESPECT TO THE OPEN-SOURCED COMPONENTS UNDER THE APPLICABLE LICENSE TERMS OF SUCH THIRD PARTY.

1. Grant of License for Personal Use

ZyXEL Communications Corp. ("ZyXEL") grants you a non-exclusive, non-sublicense, non-transferable license to use the program with which this license is distributed (the "Software"), including any documentation files accompanying the Software ("Documentation"), for internal business use only, for up to the number of users specified in sales order and invoice. You have the right to make one backup copy of the Software and Documentation solely for archival, back-up or disaster recovery purposes. You shall not exceed the scope of the license granted hereunder. Any rights not expressly granted by ZyXEL to you are reserved by ZyXEL, and all implied licenses are disclaimed.

2. Ownership

You have no ownership rights in the Software. Rather, you have a license to use the Software as long as this License Agreement remains in full force and effect. Ownership of the Software, Documentation and all intellectual property rights therein shall remain at all times with ZyXEL. Any other use of the Software by any other entity is strictly forbidden and is a violation of this License Agreement.

3. Copyright

The Software and Documentation contain material that is protected by international copyright law, trade secret law, international treaty provisions, and the applicable national laws of each respective country. All rights not granted to you herein are expressly reserved by ZyXEL. You may not remove any proprietary notice of ZyXEL or any of its licensors from any copy of the Software or Documentation.

4. Restrictions

You may not publish, display, disclose, sell, rent, lease, modify, store, loan, distribute, or create derivative works of the Software, or any part thereof. You may not assign, sublicense, convey or otherwise transfer, pledge as security or otherwise encumber the rights and licenses granted hereunder with respect to the Software. ZyXEL is not obligated to provide any maintenance, technical or other support for the resultant modified Software. You may not copy, reverse engineer, decompile, reverse compile, translate, adapt, or disassemble the Software, or any part thereof, nor shall you attempt to create the source code from the object code for the Software. Except as and only to the extent expressly permitted in this License, you may not market, co-brand, and private label or otherwise permit third parties to link to the Software, or any part thereof. You may not use the Software, or any part thereof, in the operation of a service bureau or for the benefit of any other person or entity. You may not cause, assist or permit any third party to do any of the foregoing. Portions of the Software utilize or include third party software and other copyright material. Acknowledgements, licensing terms and disclaimers for such material are contained in the License Notice as below for the third party software, and your use of such material is exclusively governed by their respective terms. ZyXEL has provided, as part of the Software package, access to certain third party software as a convenience. To the extent that the Software contains third party software, ZyXEL has no express or implied obligation to provide any technical or other support for such software other than compliance with the applicable license terms of such third party, and makes no warranty (express, implied or statutory) whatsoever with respect thereto. Please contact the appropriate software vendor or manufacturer directly for technical support and customer service related to its software and products.

5. Confidentiality

You acknowledge that the Software contains proprietary trade secrets of ZyXEL and you hereby agree to maintain the confidentiality of the Software using at least as great a degree of care as you use to maintain the confidentiality of your own most confidential information. You agree to reasonably communicate the terms and conditions of this License Agreement to those persons employed by you who come into contact with the Software, and to use reasonable best efforts to ensure their compliance with such terms and conditions, including, without limitation, not knowingly permitting such persons to use any portion of the Software for the purpose of deriving the source code of the Software.

6. No Warranty

THE SOFTWARE IS PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY LAW, ZyXEL DISCLAIMS ALL WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. ZyXEL DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET ANY REQUIREMENTS OR NEEDS YOU MAY HAVE, OR THAT THE SOFTWARE WILL OPERATE ERROR FREE, OR IN AN UNINTERUPTED FASHION, OR THAT ANY DEFECTS OR ERRORS IN THE SOFTWARE WILL BE CORRECTED, OR THAT THE SOFTWARE IS COMPATIBLE WITH ANY PARTICULAR PLATFORM. SOME JURISDICTIONS DO NOT ALLOW THE WAIVER OR EXCLUSION OF IMPLIED WARRANTIES SO THEY MAY NOT APPLY TO YOU. IF THIS EXCLUSION IS HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION, THEN ALL EXPRESS AND IMPLIED WARRANTIES SHALL BE LIMITED IN DURATION TO A PERIOD OF

THIRTY (30) DAYS FROM THE DATE OF PURCHASE OF THE SOFTWARE, AND NO WARRANTIES SHALL APPLY AFTER THAT PERIOD.

7. Limitation of Liability

IN NO EVENT WILL ZyXEL BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, INDIRECT, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE OR PROGRAM, OR FOR ANY CLAIM BY ANY OTHER PARTY, EVEN IF ZyXEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ZyXEL's TOTAL AGGREGATE LIABILITY WITH RESPECT TO ITS OBLIGATIONS UNDER THIS AGREEMENT OR OTHERWISE WITH RESPECT TO THE SOFTWARE AND DOCUMENTATION OR OTHERWISE SHALL BE EQUAL TO THE PURCHASE PRICE, BUT SHALL IN NO EVENT EXCEED THE PRODUCT'S PRICE. BECAUSE SOME STATES/COUNTRIES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

8. Export Restrictions

THIS LICENSE AGREEMENT IS EXPRESSLY MADE SUBJECT TO ANY APPLICABLE LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS ON THE EXPORT OF THE SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME. YOU SHALL NOT EXPORT THE SOFTWARE, DOCUMENTATION OR INFORMATION ABOUT THE SOFTWARE AND DOCUMENTATION WITHOUT COMPLYING WITH SUCH LAWS, REGULATIONS, ORDERS, OR OTHER RESTRICTIONS. YOU AGREE TO INDEMNIFY ZyXEL AGAINST ALL CLAIMS, LOSSES, DAMAGES, LIABILITIES, COSTS AND EXPENSES, INCLUDING REASONABLE ATTORNEYS' FEES, TO THE EXTENT SUCH CLAIMS ARISE OUT OF ANY BREACH OF THIS SECTION 8.

9. Audit Rights

ZyXEL SHALL HAVE THE RIGHT, AT ITS OWN EXPENSE, UPON REASONABLE PRIOR NOTICE, TO PERIODICALLY INSPECT AND AUDIT YOUR RECORDS TO ENSURE YOUR COMPLIANCE WITH THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.

10. Termination

This License Agreement is effective until it is terminated. You may terminate this License Agreement at any time by destroying or returning to ZyXEL all copies of the Software and Documentation in your possession or under your control. ZyXEL may terminate this License Agreement for any reason, including, but not limited to, if ZyXEL finds that you have violated any of the terms of this License Agreement. Upon notification of termination, you agree to destroy or return to ZyXEL all copies of the Software and Documentation and to certify in writing that all known copies, including backup copies, have been destroyed. All provisions relating to confidentiality, proprietary rights, and non-disclosure shall survive the termination of this Software License Agreement.

11. General

This License Agreement shall be construed, interpreted and governed by the laws of Republic of China without regard to conflicts of laws provisions thereof. The exclusive forum for any disputes arising out of or relating to this License Agreement shall be an appropriate court or Commercial Arbitration Association sitting in ROC, Taiwan if the parties agree to a binding arbitration. This License Agreement shall constitute the entire Agreement between the parties hereto. This License Agreement, the rights granted hereunder, the Software and Documentation shall not be assigned by you without the prior written consent of ZyXEL. Any waiver or modification of this License

Agreement shall only be effective if it is in writing and signed by both parties hereto. If any part of this License Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this License Agreement shall be interpreted so as to reasonably effect the intention of the parties.

NOTE: Some components of this product incorporate free software programs covered under the open source code licenses which allows you to freely copy, modify and redistribute the software. For at least three (3) years from the date of distribution of the applicable product or software, we will give to anyone who contacts us at the ZyXEL Technical Support (support@zyxel.com.tw), for a charge of no more than our cost of physically performing source code distribution, a complete machine-readable copy of the complete corresponding source code for the version of the Programs that we distributed to you if we are in possession of such.

Notice

Information herein is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation.

This Product includes ntp software under the NTP License

NTP License

Copyright (c) David L. Mills 1992-2004

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both the copyright notice and this permission notice appear in supporting documentation, and that the name University of Delaware not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. The University of Delaware makes no representations about the suitability this software for any purpose. It is provided "as is" without express or implied warranty.

This Product includes expat software under the Expat License

Expat License

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including

without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to

the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

This Product includes libtecla software under the an X11-style License

an X11-style license

This is a Free Software License

- This license is compatible with The GNU General Public License, Version 1

- This license is compatible with The GNU General Public License, Version 2

This is just like a Simple Permissive license, but it requires that a copyright notice be maintained.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including

without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to

the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

This Product includes openssl software under the OpenSSL License

OpenSSL

LICENSE ISSUES

The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit.

See below for the actual license texts. Actually both licenses are BSD-style

Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License

/ *

* Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.

* 3. All advertising materials mentioning features or use of this

* software must display the following acknowledgment:

* "This product includes software developed by the OpenSSL Project

* for use in the OpenSSL Toolkit. (http://www.openssl.org/)

* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

* endorse or promote products derived from this software without

* prior written permission. For written permission, please contact

* openssl-core@openssl.org.

* 5. Products derived from this software may not be called "OpenSSL"

* nor may "OpenSSL" appear in their names without prior written

* permission of the OpenSSL Project.

* 6. Redistributions of any form whatsoever must retain the following

* acknowledgment:

* "This product includes software developed by the OpenSSL Project

* for use in the OpenSSL Toolkit (http://www.openssl.org/)

* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR

* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.

*

* This product includes cryptographic software written by Eric Young

* (eay@cryptsoft.com). This product includes software written by Tim

* Hudson (tjh@cryptsoft.com).

* /

Original SSLeay License

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

* All rights reserved.

* This package is an SSL implementation written

* by Eric Young (eay@cryptsoft.com).

* The implementation was written so as to conform with Netscapes SSL.

* This library is free for commercial and non-commercial use as long as

* the following conditions are aheared to. The following conditions

* apply to all code found in this distribution, be it the RC4, RSA,
* Ihash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).

* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.

* This can be in the form of a textual message at program startup or

* in documentation (online or textual) provided with the package.

* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:

* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.

* 3. All advertising materials mentioning features or use of this software

* must display the following acknowledgement:

* "This product includes cryptographic software written by

* Eric Young (eay@cryptsoft.com)"

* The word 'cryptographic' can be left out if the rouines from the library

* being used are not cryptographic related :-).

* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:

* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* The licence and distribution terms for any publicly available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence

This Product includes libevent and xinetd software under the a 3-clause BSD License

a 3-clause BSD-style license

This is a Free Software License

• This license is compatible with The GNU General Public License, Version 1
• This license is compatible with The GNU General Public License, Version 2

This is the BSD license without the obnoxious advertising clause. It's also known as the "modified BSD license." Note that the University of California now prefers this license to the BSD license with advertising clause, and now allows BSD itself to be used under the three-clause license.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of [original copyright holder] nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This Product includes bind and dhcp software under the ISC License

ISC license

Copyright (c) 4-digit year, Company or Person's Name

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

This Product includes httpd software developed by the Apache Software Foundation under Apache License.

Apache License

Version 2.0, January 2004

http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

1. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
2. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
3. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works hereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
   (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
   (b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

1. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

2. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

3. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

4. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

5. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

Version 1.1

Copyright (c) 1999-2003 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.

The names “Apache” and “Apache Software Foundation” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact apache@apache.org.

Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see http://www.apache.org/.

Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.

This Product includes gmp under LGPL license.

GNU LESSER GENERAL PUBLIC LICENSE

Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc.

59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. It also counts

as the successor of the GNU Library Public License, version 2, hence the version number 2.1.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get

it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers. Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.

GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License").

Each licensee is addressed as "you".

A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote

it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on

the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

1. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

2. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not

compelled to copy the source along with the object code.

1. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

1. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding

machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a

copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

1. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

2. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

3. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

4. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the

recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.

1. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to

refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

1. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

2. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

3. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing

and reuse of software generally.

NO WARRANTY

1. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

1. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCHDAMAGES.

END OF TERMS AND CONDITIONS.

This Product includes arp-sk, bridge-utils, busybox, dhcpd, dhcp-helper, freeradius-server, gd, hostapd, iproute2, ipset, iptables, keepalived, kismet, libeeprog, libol, Linux kernel, msmtp, netkit-telnet, pam, pptp, ppp, proftpd, rp-pppoe, vlan, syslog-ng, tzcode, quagga, and wireless_tools software under GPL license.

GNU GENERAL PUBLIC LICENSE

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.

59 Temple Place - Suite 330, Boston, MA 02111-1307, USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

2. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

3. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
   a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
   b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

1. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the

scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

1. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

2. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

3. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

4. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

5. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

6. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

7. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

1. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

2. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.

This Product includes ppp, tcpdump, unzip, zip, libnet, openssh, hostapd and ftp-tls software under BSD license

BSD

Copyright (c) [dates as appropriate to package]

The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of the University nor of the Laboratory may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS `` AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This Product includes net-snmp software under BSD like license

Various copyrights apply to this package, listed in various separate parts below. Please make sure that you read all the parts.

---- Part 1: CMU/UCD copyright notice: (BSD like) ----

Copyright 1989, 1991, 1992 by Carnegie Mellon University

Derivative Work - 1996, 1998-2000

Copyright 1996, 1998-2000 The Regents of the University of California

All Rights Reserved

Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

---- Part 2: Networks Associates Technology, Inc copyright notice (BSD) ----

Copyright (c) 2001-2003, Networks Associates Technology, Inc All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse or promote

products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) ----

Portions of this code are copyright (c) 2001-2003, Cambridge Broadband Ltd. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the

documentation and/or other materials provided with the distribution.

* The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---- Part 4: Sun Microsystems, Inc. copyright notice (BSD) ----

Copyright © 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

Use is subject to license terms below.

This distribution may include materials developed by third parties.

Sun, Sun Microsystems, the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of the Sun Microsystems, Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF

ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---- Part 5: Sparta, Inc copyright notice (BSD) ----

Copyright (c) 2003-2009, Sparta, Inc

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Sparta, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;

OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---- Part 6: Cisco/BUPTNIC copyright notice (BSD) ----

Copyright (c) 2004, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications. All rights reserved.