WAC6103D-I - Wireless Access Point ZYXEL - Free user manual and instructions

USER MANUAL WAC6103D-I ZYXEL

IMPORTANT!

READ CAREFULLY BEFORE USE.

KEEP THIS GUIDE FOR FUTURE REFERENCE.

This is a User's Guide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.

Related Documentation

- Quick Start Guide

The Quick Start Guide shows how to connect the NWA/WAC and access the Web Configurator.

• CLI Reference Guide

The CLI Reference Guide explains how to use the Command-Line Interface (CLI) and CLI commands to configure the NWA/WAC.

Note: It is recommended you use the Web Configurator to configure the NWA/WAC.

• Web Configurator Online Help

Click the help icon in any screen for help in configuring that screen and supplementary information.

- More Information

Go to support.zyxel.com to find other information on the NWA/WAC.

Contents Overview

User's Guide 10

Introduction 11

The Web Configurator 29

Technical Reference 41

Dashboard 42

Monitor 48

Network 60

Wireless 69

User 81

AP Profile 88

MON Profile 108

WDS Profile 112

Certificates 114

System 131

Log and Report 156

File Manager 169

Diagnostics 180

LEDs 182

Antenna Switch 185

Reboot 187

Shutdown 188

Troubleshooting 189

Table of Contents

Contents Overview ....3

Table of Contents 4

Part I: User's Guide....10

Chapter 1

Introduction....11

1.1 Overview ...... 11

1.1.1 Management Mode 13
1.1.2 MBSSID 13
1.1.3 Dual-Radio 14
1.1.4 Root AP 15
1.1.5 Repeater 16

1.2 Ways to Manage the NWA/WAC 17
1.3 Good Habits for Managing the NWA/WAC 17
1.4 Hardware Connections ...... 17
1.5 NWA5301-NJ Hardware 18

1.5.1 110 Punch-Down Block .... 18
1.5.2 Phone Port 19
1.5.3 Console Port 19

1.6 LEDs 20

1.6.1 WAC6502D-E, WAC6502D-S, and WAC6503D-S 21
1.6.2 NWA1123-AC PRO and WAC6103D-I 22
1.6.3 NWA5301-NJ 24
1.6.4 NWA1123-ACv2, NWA5121-N, NWA5121-NI, NWA5123-AC and NWA5123-NI ..... 25
1.6.5 WAC5302D-S 26

1.7 Starting and Stopping the NWA/WAC 27

Chapter 2

The Web Configurator....29

2.1 Overview 29
2.2 Accessing the Web Configurator 29
2.3 Navigating the Web Configurator 30

2.3.1 Title Bar 31
2.3.2 Navigation Panel 34
2.3.3 Warning Messages 37
2.3.4 Tables and Lists 37

Part II: Technical Reference.... 41

Chapter 3

Dashboard....42

3.1 Overview 42

3.1.1 What You Can Do in this Chapter 42

3.2 Dashboard 42

3.2.1 CPU Usage 46

3.2.2 Memory Usage 47

Chapter 4

Monitor 48

4.1 Overview 48

4.1.1 What You Can Do in this Chapter 48

4.2 What You Need to Know 48

4.3 Network Status 49

4.4 Radio List 50

4.4.1 AP Mode Radio Information 51

4.5 Station List 53

4.6 WDS Link Info 54

4.7 Detected Device 55

4.8 View Log 56

Chapter 5

Network....60

5.1 Overview 60

5.1.1 Management Mode 60

5.1.2 What You Can Do in this Chapter 62

5.2 IP Setting 63

5.3 VLAN 64

5.4 AC (AP Controller) Discovery 67

Chapter 6

Wireless 69

6.1 Overview 69

6.1.1 What You Can Do in this Chapter 69

6.1.2 What You Need to Know .... 70

6.2 AP Management 70

6.3 MON Mode 73

6.3.1 Add/Edit Rogue/Friendly List 74

6.4 Load Balancing 75

6.4.1 Disassociating and Delaying Connections 77

6.5 DCS 78

6.6 Technical Reference 78

Chapter 7

User....81

7.1 Overview 81

7.1.1 What You Can Do in this Chapter 81
7.1.2 What You Need To Know 81

7.2 User Summary 82
7.2.1 Add/Edit User 82
7.3 Setting 84
7.3.1 Edit User Authentication Timeout Settings 86

Chapter 8

AP Profile......88

8.1 Overview 88

8.1.1 What You Can Do in this Chapter 88
8.1.2 What You Need To Know 88

8.2 Radio 89

8.2.1 Add/Edit Radio Profile 90

8.3 SSID 95

8.3.1 SSID List 95
8.3.2 Add/Edit SSID Profile 96

8.4 Security List 98
8.4.1 Add/Edit Security Profile 99
8.5 MAC Filter List 103
8.5.1 Add/Edit MAC Filter Profile 103
8.6 Layer-2 Isolation List 104
8.6.1 Add/Edit Layer-2 Isolation Profile 106

Chapter 9

MON Profile....108

9.1 Overview 108
9.1.1 What You Can Do in this Chapter 108
9.2 MON Profile 108
9.2.1 Add/Edit MON Profile 109
9.3 Technical Reference 110

Chapter 10

WDS Profile 112

10.1 Overview 112
10.1.1 What You Can Do in this Chapter 112
10.2 WDS Profile 112
10.2.1 Add/Edit WDS Profile 113

Chapter 11

Certificates 114

11.1 Overview 114

11.1.1 What You Can Do in this Chapter 114
11.1.2 What You Need to Know 114
11.1.3 Verifying a Certificate 116

11.2 My Certificates 117

11.2.1 Add My Certificates .... 118
11.2.2 Edit My Certificates .... 121
11.2.3 Import Certificates 124

11.3 Trusted Certificates 125

11.3.1 Edit Trusted Certificates 126
11.3.2 Import Trusted Certificates ...... 129

11.4 Technical Reference 130

Chapter 12

System....131

12.1 Overview 131

12.1.1 What You Can Do in this Chapter 131

12.2 Host Name 131

12.3 Date and Time 132

12.3.1 Pre-defined NTP Time Servers List 135
12.3.2 Time Server Synchronization 135

12.4 WWW Overview 136

12.4.1 Service Access Limitations 136
12.4.2 System Timeout 136
12.4.3 HTTPS 137
12.4.4 Configuring WWW Service Control 137
12.4.5 HTTPS Example 139

12.5 SSH 146

12.5.1 How SSH Works 146
12.5.2 SSH Implementation on the NWA/WAC 147
12.5.3 Requirements for Using SSH 148
12.5.4 Configuring SSH 148
12.5.5 Examples of Secure Telnet Using SSH 148

12.6 Telnet 150

12.7 FTP 150

12.8 SNMP 151

12.8.1 Supported MIBs 152
12.8.2 SNMP Traps 153
12.8.3 Configuring SNMP 153
12.8.4 Adding or Editing an SNMPv3 User Profile 154

Chapter 13

Log and Report......156

13.1 Overview 156
13.1.1 What You Can Do In this Chapter 156
13.2 Email Daily Report 156
13.3 Log Setting 158
13.3.1 Log Setting Screen 159
13.3.2 Edit System Log Settings 160
13.3.3 Edit Remote Server 163
13.3.4 Active Log Summary 165

Chapter 14

File Manager 169

14.1 Overview 169

14.1.1 What You Can Do in this Chapter 169
14.1.2 What you Need to Know 169

14.2 Configuration File 170
14.2.1 Example of Configuration File Download Using FTP 174
14.3 Firmware Package 175
14.3.1 Example of Firmware Upload Using FTP 176
14.4 Shell Script 177

Chapter 15

Diagnostics 180

15.1 Overview 180
15.1.1 What You Can Do in this Chapter 180
15.2 Diagnostics 180

Chapter 16

LEDs 182

16.1 Overview 182
16.1.1 What You Can Do in this Chapter 182
16.2 Suppression Screen 182
16.3 Locator Screen 183

Chapter 17

Antenna Switch....185

17.1 Overview 185
17.1.1 What You Need To Know 185
17.2 Antenna Switch Screen 185

Chapter 18

Reboot....187

18.1 Overview 187
18.1.1 What You Need To Know 187
18.2 Reboot 187

Chapter 19

Shutdown 188

19.1 Overview 188
19.1.1 What You Need To Know 188
19.2 Shutdown 188

Chapter 20

Troubleshooting....189

20.1 Overview 189
20.2 Power, Hardware Connections, and LED 189
20.3 NWA/WAC Access and Login 190
20.4 Internet Access 191
20.5 Wireless Connections 192
20.6 Resetting the NWA/WAC 197
20.7 Getting More Troubleshooting Help 198

Appendix A Importing Certificates 199

Appendix B IPv6.... 212

Appendix C Customer Support 220

Appendix D Legal Information 226

Index 237

PART I

User's Guide

CHAPTER 1 Introduction

1.1 Overview

This User's Guide covers the following models: NWA1123-ACv2, NWA5121-N, NWA5121-NI, NWA5123-AC, NWA5123-NI, NWA5301-NJ, NWA1123-AC PRO, WAC5302D-S, WAC6502D-E, WAC6502D-S, WAC6503D-S, WAC6553D-E and WAC6103D-I. Your NWA/WAC is a wireless AP (Access Point). It extends the range of your existing wired network without additional wiring, providing easy network access to mobile users.

Table 1 NWA Series Comparison Table

Table 2 WAC Series Comparison Table

You can set the NWA/WAC to operate in either standalone AP or managed AP mode. When the NWA/WAC is in standalone AP mode, it can serve as a normal AP, as an RF monitor to search for rouge APs to help eliminate network threats (if it supports monitor mode and rogue APs detection), or even as a root AP or a wireless repeater to establish wireless links with other APs in a WDS (Wireless Distribution System). A WDS is a wireless connection between two or more APs.

Your NWA/WAC's business-class reliability, SMB features, and centralized wireless management make it ideally suited for advanced service delivery in mission-critical networks. It uses Multiple BSSID and VLAN to provide simultaneous independent virtual APs. Additionally, innovations in roaming technology and QoS features eliminate voice call disruptions.

The NWA/WAC controls network access with Media Access Control (MAC) address filtering, and rogue Access Point (AP) detection. It also provides a high level of network traffic security, supporting IEEE 802.1x, Wi-Fi Protected Access 2 and Wired Equivalent Privacy (WEP) data encryption.

Your NWA/WAC is easy to install, configure and use. The embedded Web-based configurator enables simple, straightforward management and maintenance. See the Quick Start Guide for how to make hardware connections.

1.1.1 Management Mode

The NWA/WAC is a unified AP and can work either in standalone AP mode or in managed AP mode. If the NWA/WAC and a Zyxel AP controller, such as the NXC2500 or NXC5500, are in the same subnet, it will be managed by the controller automatically.

An AP controller uses Control And Provisioning of Wireless Access Points (CAPWAP, see RFC 5415) to discover and configure multiple managed APs.

To set the NWA/WAC to be managed by an AP controller in a different subnet or change between management modes, use the AC (AP Controller) Discovery screen (see Section 5.4 on page 67).

Table 3 NWA/WAC Management Mode Comparison

When the NWA/WAC is in standalone AP mode and connects to a DHCP server, it uses the IP address assigned by the DHCP server. Otherwise, the NWA/WAC uses the default static management IP address (192.168.1.2). You can use the AC Discovery screen to have the NWA/WAC work as a managed AP.

When the NWA/WAC is in managed AP mode, it acts as a DHCP client and obtains an IP address from the AP controller. It can be configured ONLY by the AP controller. To change the NWA/WAC back to standalone AP mode, use the Reset button to restore the default configuration. Alternatively, you need to check the AP controller for the NWA/WAC's IP address and use FTP to upload the default configuration file at conf/system-default.conf to the NWA/WAC and reboot the device.

1.1.2 MBSSID

A Basic Service Set (BSS) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). The Service Set IDentifier (SSID) is the name of a BSS. In Multiple BSS (MBSSID) mode, the NWA/WAC provides multiple virtual APs, each forming its own BSS and using its own individual SSID profile.

You can configure multiple SSID profiles, and have all of them active at any one time.

You can assign different wireless and security settings to each SSID profile. This allows you to compartmentalize groups of users, set varying access privileges, and prioritize network traffic to and from certain BSSs.

To the wireless clients in the network, each SSID appears to be a different access point. As in any wireless network, clients can associate only with the SSIDs for which they have the correct security settings.

For example, you might want to set up a wireless network in your office where Internet telephony (VoIP) users have priority. You also want a regular wireless network for standard users, as well as a 'guest' wireless network for visitors. In the following figure, VoIP_SSID users have QoS priority, SSID01 is the wireless network for standard users, and Guest_SSID is the wireless network for guest users. In this example, the guest user is forbidden access to the wired Land Area Network (LAN) behind the AP and can access only the Internet.

Figure 1 Multiple BSSs

graph TD
    A["LAN"] --> B["Internet"]
    B --> C["VoIP_SSID"]
    B --> D["SSID01"]
    B --> E["Guest_SSID"]
    B --> F["Data Bus Icon"]
    style A fill:#cce5ff,stroke:#333
    style B fill:#ffe6cc,stroke:#333
    style C fill:#e6f7ff,stroke:#333
    style D fill:#e6f7ff,stroke:#333
    style E fill:#e6f7ff,stroke:#333
    style F fill:#ffe6cc,stroke:#333

1.1.3 Dual-Radio

Some of the NWA/WAC models are equipped with dual wireless radios. This means you can configure two different wireless networks to operate simultaneously.

Note: A different channel should be configured for each WLAN interface to reduce the effects of radio interference.

You could use the 2.4 GHz band for regular Internet surfing and downloading while using the 5 GHz band for time sensitive traffic like high-definition video, music, and gaming.

Figure 2 Dual-Radio Application

In Root AP mode, the NWA/WAC (Z) can act as the root AP in a wireless network and also allow repeaters (X and Y) to extend the range of its wireless network at the same time. In the figure below, both clients A, B and C can access the wired network through the root AP.

Figure 3 Root AP Application

graph TD
    A["Internet"] --> B["Ethernet"]
    B --> C["X"]
    B --> D["Y"]
    B --> E["Z"]
    B --> F["A"]
    B --> G["B"]
    B --> H["C"]

On the NWA/WAC in Root AP mode, you can have multiple SSIDs active for regular wireless connections and one SSID for the connection with a repeater (repeater SSID). Wireless clients can use either SSID to associate with the NWA/WAC in Root AP mode. A repeater must use the repeater SSID to connect to the NWA/WAC in Root AP mode.

When the NWA/WAC is in Root AP mode, repeater security between the NWA/WAC and other repeater is independent of the security between the wireless clients and the AP or repeater. When repeater security is enabled, both APs and repeaters must use the same pre-shared key. See Section 6.2 on page 70 and Section 10.2 on page 112 for more details.

Unless specified, the term “security settings” refers to the traffic between the wireless clients and the AP. At the time of writing, repeater security is compatible with the NWA/WAC only.

1.1.5 Repeater

The NWA/WAC can act as a wireless network repeater to extend a root AP's wireless network range, and also establish wireless connections with wireless clients.

Using Repeater mode, your NWA/WAC can extend the range of the WLAN. In the figure below, the NWA/WAC in Repeater mode (Z) has a wireless connection to the NWA/WAC in Root AP mode (X) which is connected to a wired network and also has a wireless connection to another NWA/WAC in Repeater mode (Y) at the same time. Z and Y act as repeaters that forward traffic between associated wireless clients and the wired LAN. Clients A and B access the AP and the wired network behind the AP through repeaters Z and Y.

Figure 4 Repeater Application

graph TD
    A["Ethernet"] --> B["X"]
    A --> C["Z"]
    A --> D["Y"]
    A --> E["B"]
    B --> F["Internet"]
    C --> F
    D --> F
    E --> F

When the NWA/WAC is in Repeater mode, repeater security between the NWA/WAC and other repeater is independent of the security between the wireless clients and the AP or repeater. When repeater security is enabled, both APs and repeaters must use the same pre-shared key. See Section 6.2 on page 70 and Section 10.2 on page 112 for more details.

Once the security settings of peer sides match one another, the connection between devices is made.

At the time of writing, repeater security is compatible with the NWA/WAC only.

1.2 Ways to Manage the NWA/WAC

You can use the following ways to manage the NWA/WAC.

Web Configurator

The Web Configurator allows easy NWA/WAC setup and management using an Internet browser. This User's Guide provides information about the Web Configurator.

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the NWA/WAC. You can access it using remote management (for example, SSH or Telnet). See the Command Reference Guide for more information.

File Transfer Protocol (FTP)

This protocol can be used for firmware upgrades and configuration backup and restore.

Simple Network Management Protocol (SNMP)

The NWA/WAC can be monitored by an SNMP manager. See the SNMP chapter in this User's Guide.

1.3 Good Habits for Managing the NWA/WAC

Do the following things regularly to make the NWA/WAC more secure and to manage it more effectively.

• Change the password often. Use a password that's not easy to guess and that consists of different types of characters, such as numbers and letters.
• Write down the password and put it in a safe place.
• Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the NWA/WAC to its factory default settings. If you backed up an earlier configuration file, you won't have to totally re-configure the NWA/WAC; you can simply restore your last configuration.

1.4 Hardware Connections

See your Quick Start Guide for information on making hardware connections.

1.5 NWA5301-NJ Hardware

1.5.1 110 Punch-Down Block

This section shows you how to use a punch-down tool to seat an 8-wire Ethernet cable to the 110 punch-down block. You can connect a PoE switch to the 110 punch-down block to provide power and Internet access to the NWA through this connection. An 8-pin Ethernet cable has four pairs of color coded wires.

1 Cut out one and a half inches of the jacket from the Ethernet cable to expose the wires.
2 Untwist the wire pairs no more than one inch.
3 Match each wire to the correct slot according to the color codes for wiring shown below.

NWA Rear Panel

PIN#

Table 4 Color Codes for 110 Punch Down Block Wiring

4 Use a punch-down tool to seat the wires down properly into the slot.

5 Trim any excess wires. Place the dust caps over the terminated wires.

1.5.2 Phone Port

Connect a digital telephone to the RJ-45 PHONE port at the bottom of the NWA to forward voice traffic to/from the telephone switchboard that is connected to the RJ-45 PHONE port on the back of the NWA. The NWA does not support VoIP (Voice over Internet Protocol) and the PHONE port is NOT for making calls over the regular networking network (PSTN), either.

1.5.3 Console Port

To use the CLI commands to configure the NWA, connect an RJ-45-to-DB-9 cable to the PHONE port at the bottom of the NWA.

For local management, you can use a computer with terminal emulation software configured to the following parameters:

• VT100 terminal emulation
- 115200 bps
• No parity, 8 data bits, 1 stop bit
- No flow control

The following table shows you the wire color codes and pin assignment for the console cable.

Table 5 RJ45-to-DB-9 Console Cable Color Codes

1.6 LEDs

The LEDs of your WAC6500 and NWA5301 can be controlled by using the Suppression feature such that the LEDs stay lit (ON) or OFF after the device is ready.

The WAC6500 also features Locator LED which allows you to see the actual location of the WAC6500 between several devices in the network.

Following are LED descriptions for the NWA/WAC series models.

1.6.1 WAC6502D-E, WAC6502D-S, and WAC6503D-S

The LEDs will stay ON when the WAC6500 Series is ready. You can change this setting in the Maintenance > LEDs > Suppression screen.

Figure 5 WAC6500 Series LEDs

The following table describes the LEDs.

Table 6 WAC6500 Series LEDs

LED	COLOR	STATUS	DESCRIPTION
PWR/SYS	Red	Slow Blinking (On for 1s, Off for 1s)	The WAC is booting up.
	Green	On
	Red	Off	The WAC is ready for use.
	Green	On
	Red	On	There is system error and the WAC cannot boot up, or the WAC suffered a system failure.
	Green	Off
	Red	Fast Blinking (on for 50ms, Off for 50ms)	The WAC is doing firmware upgrade.
	Green	Off
	Red	Slow Blinking (blink for 3 times, Off for 3s)	The Uplink port is disconnected.
	Green	Off
	Red	Slow Blinking (blink for 2 times, Off for 3s)	The wireless module of the WAC is disabled or failed.
	Green	Off
Management	Green	On	The WAC AP is managed by a controller.
		Slow Blinking (blink for 3 times, Off for 3s)	The WAC AP is searching (discovery) for a controller.
		Off	The WAC AP is in standalone mode.
WLAN	Green	On	The 2.4 GHz WLAN is active.
		Off	The 2.4 GHz WLAN is not active.
WLAN	Green	On	The 5 GHz WLAN is active.
		Off	The 5 GHz WLAN is not active.
UPLINK	Amber/Green	On	Amber - The port is operating as a 100-Mbps connection.Green - The port is operating as a Gigabit connection (1000 Mbps).
		Blinking	The WAC is sending/receiving data through the port.
		Off	The port is not connected.
LAN	Amber/Green	On	Amber - The port is operating as a 100-Mbps connection.Green - The port is operating as a Gigabit connection (1000 Mbps).
		Blinking	The LAN port is sending/receiving data through the port.
		Off	The LAN port is not connected.
Locator	White	Blinking	The Locator is activated and will show the actual location of the WAC between several devices in the network.
		Off	The Locator function is off.

1.6.2 NWA1123-AC PRO and WAC6103D-I

The LEDs will stay ON when the NWA1123-AC PRO or WAC6103D-I is ready. You can change this setting in the Maintenance > LEDs > Suppression screen.

Figure 6 NWA1123-AC PRO and WAC6103D-I LEDs

The following table describes the LEDs.

Table 7 NWA1123-AC PRO and WAC6103D-I LEDs

1.6.3 NWA5301-NJ

The LEDs automatically turn off when the NWA5301-NJ is ready. You can press the LED ON button for one second to turn on the LEDs again. The LEDs will blink and turn off after two minutes.

Figure 7 NWA5301-NJ LEDs

The following are the LED descriptions for your NWA5301-NJ.

Table 8 NWA5301-NJ LEDs

LABEL	COLOR	STATUS	DESCRIPTION
PWR/SYS[2082]	Amber	Slow Blinking (On for 1s, Off for 1s)	The NWA is booting up.
	Green	On
	Amber	Off	The NWA is ready for use.
	Green	On
	Amber	Slow Blinking (blink for 3 times, Off for 3s)	The NWA is discovering an AP controller
	Green	On
	Amber	On	The NWA failed to boot up or is experiencing system failure.
	Green	Off
	Amber	Fast Blinking (On for 50ms times, Off for 50ms)	The NWA is undergoing firmware upgrade.
	Green	Off
	Amber	Slow Blinking (blink for 3 times, Off for 3s)	The Uplink port is disconnected.
	Green	Off
	Amber	Slow Blinking (blink for 2 times, Off for 3s)	The wireless module of the WAC is disabled or failed.
	Green	Off
PoE	Green	On	Power is supplied to the yellow PoE Ethernet port (LAN1).
		Off	There is no power supply.
WLAN	Green	On	The WLAN is active.
		Off	The WLAN is not active.
UPLINK	Green	On	The port is connected.
		Blinking	The NWA is sending/receiving data through the port.
		Off	The port is not connected.
LAN1-3	Green	On	The port is connected.
		Blinking	The NWA is sending/receiving data through the port.
		Off	The port is not connected.

1.6.4 NWA1123-ACv2, NWA5121-N, NWA5121-NI, NWA5123-AC and NWA5123-NI

The following are the LED descriptions for your NWA1123/5120 series.

Figure 8 NWA1123/5120 Series LED

The following are the LED descriptions for your NWA1123/5120 series.

Table 9 NWA1123/5120 Series LED

1.6.5 WAC5302D-S

The LEDs automatically turn off when the WAC5302D-S is ready. You can press the LED ON button for one second to turn on the LEDs again. The LEDs will blink and turn off after two minutes.

Figure 9 WAC5302D-S LEDs

The following table describes the LEDs.

Table 10 WAC5302D-S LEDs

LED	COLOR	STATUS	DESCRIPTION
PWR/SYS	Red	Slow Blinking (On for 1s, Off for 1s)	The WAC is booting up.
	Green	On
	Red	Off	The WAC is ready for use.
	Green	On
	Red	On	There is system error and the WAC cannot boot up, or the WAC suffered a system failure.
	Green	Off
	Red	Fast Blinking (on for 50ms, Off for 50ms)	The WAC is doing firmware upgrade.
	Green	Off
	Red	Slow Blinking (blink for 3 times, Off for 3s)	The Uplink port is disconnected.
	Green	Off
	Red	Slow Blinking (blink for 2 times, Off for 3s)	The wireless module of the WAC is disabled or failed.
	Green	Off
Management	Green	On	The WAC AP is managed by a controller.
		Slow Blinking (blink for 3 times, Off for 3s)	The WAC AP is searching (discovery) for a controller.
		Off	The WAC AP is in standalone mode.
UPLINK	Amber/Green	On	Amber - The port is operating as a 10/100-Mbps connection.Green - The port is operating as a Gigabit connection (1000 Mbps).
		Blinking	The WAC is sending/receiving data through the port.
		Off	The port is not connected.
WLAN----	Green	On	The 2.4 GHz WLAN is active.
		Off	The 2.4 GHz WLAN is not active.
WLAN	Green	On	The 5 GHz WLAN is active.
		Off	The 5 GHz WLAN is not active.
LAN	Amber/Green	On	Amber - The port is operating as a 10/100-Mbps connection.Green - The port is operating as a Gigabit connection (1000 Mbps).
		Blinking	The LAN port is sending/receiving data through the port.
		Off	The LAN port is not connected.

1.7 Starting and Stopping the NWA/WAC

Here are some of the ways to start and stop the NWA/WAC.

Always use Maintenance > Shutdown or the shutdown command before you turn off the NWA/WAC or remove the power. Not doing so can cause the firmware to become corrupt.

Table 11 Starting and Stopping the NWA/WAC

The NWA/WAC does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources.

CHAPTER 2

The Web Configurator

2.1 Overview

The NWA/WAC Web Configurator allows easy management using an Internet browser. Browsers supported are:

• Firefox 36.0.1 or later
• Chrome 41.0 or later
• IE 10 or later

The recommended screen resolution is 1024 x 768 pixels and higher.

2.2 Accessing the Web Configurator

1 Make sure your NWA/WAC is working in standalone AP mode (see Section 1.1.1 on page 13) and hardware is properly connected. See the Quick Start Guide.
2 If the NWA/WAC and your computer are not connected to a DHCP server, make sure your computer's IP address is in the range between "192.168.1.3" and "192.168.1.254".
3 Browse to the NWA/WAC's DHCP-assigned IP address or http://192.168.1.2. The Login screen appears.

4 Enter the user name (default: "admin") and password (default: "1234").

5 Click Login. If you logged in using the default user name and password, the Update Admin Info screen appears. Otherwise, the dashboard appears.

The Update Admin Info screen appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore.

2.3 Navigating the Web Configurator

The following summarizes how to navigate the web configurator from the Dashboard screen. This guide uses the NWA1123-AC PRO screens as an example. The screens may vary slightly for different models.

Figure 10 The Web Configurator's Main Screen

The Web Configurator's main screen is divided into these parts:

• A - Title Bar
• B - Navigation Panel
- C - Main Window

2.3.1 Title Bar

The title bar provides some useful links that always appear over the screens below, regardless of how deep into the Web Configurator you navigate.

Figure 11 Title Bar

The icons provide the following functions.

Table 12 Title Bar: Web Configurator Icons

About

Click About to display basic information about the NWA/WAC.

Figure 12 About

The following table describes labels that can appear in this screen.

Table 13 About

Site Map

Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen's link to go to that screen.

Figure 13 Site Map

Object Reference

Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.

Figure 14 Object Reference

The fields vary with the type of object. The following table describes labels that can appear in this screen.

Table 14 Object References

CLI Messages

Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following.

Figure 15 CLI Messages

Click Clear to remove the currently displayed information.

Note: See the Command Reference Guide for information about the commands.

2.3.2 Navigation Panel

Use the menu items on the navigation panel to open screens to configure NWA/WAC features. Click the arrow in the middle of the right edge of the navigation panel to hide the navigation panel menus or drag it to resize them. The following sections introduce the NWA/WAC's navigation panel menus and their screens.

Figure 16 Navigation Panel

Dashboard

The dashboard displays general device information, system status, system resource usage, and interface status in widgets that you can re-arrange to suit your needs.

For details on the Dashboard's features, see Chapter 3 on page 42.

Monitor Menu

The monitor menu screens display status and statistics information.

Table 15 Monitor Menu Screens Summary

Configuration Menu

Use the configuration menu screens to configure the NWA/WAC's features.

Table 16 Configuration Menu Screens Summary

Maintenance Menu

Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the NWA/WAC.

Table 17 Maintenance Menu Screens Summary

2.3.3 Warning Messages

Warning messages, such as those resulting from misconfiguration, display in a pop up window.

Figure 17 Warning Message

2.3.4 Tables and Lists

The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries.

2.3.4.1 Manipulating Table Display

Here are some of the ways you can manipulate the Web Configurator tables.

1 Click a column heading to sort the table's entries according to that column's criteria.

2 Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do:

• Sort in ascending alphabetical order
• Sort in descending (reverse) alphabetical order
• Select which columns to display
• Group entries by field
  • Show entries in groups

- Filter by mathematical operators (<, >, or =) or searching for text.

3 Select a column heading cell's right border and drag to re-size the column.

4 Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column's title when you drag the column to a valid new location.

5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.

2.3.4.2 Working with Table Entries

The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.

Table 18 Common Table Icons

Here are descriptions for the most common table icons.

Table 19 Common Table Icons

2.3.4.3 Working with Lists

When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.

Figure 18 Working with Lists

PART II

Technical Reference

CHAPTER 3 Dashboard

3.1 Overview

Use the Dashboard screens to check status information about the NWA/WAC.

3.1.1 What You Can Do in this Chapter

- The main Dashboard screen (Section 3.2 on page 42) displays the NWA/WAC's general device information, system status, system resource usage, and interface status. You can also display other status screens for more information.

3.2 Dashboard

This screen is the first thing you see when you log into the NWA/WAC. It also appears every time you click the Dashboard icon in the navigation panel. The Dashboard displays general device information, system status, system resource usage, and interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets.

Figure 19 Dashboard

The following table describes the labels in this screen.

Table 20 Dashboard

3.2.1 CPU Usage

Use this screen to look at a chart of the NWA/WAC's recent CPU usage. To access this screen, click CPU Usage in the dashboard.

Figure 20 Dashboard > CPU Usage

The following table describes the labels in this screen.

Table 21 Dashboard > CPU Usage

3.2.2 Memory Usage

Use this screen to look at a chart of the NWA/WAC's recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard.

Figure 21 Dashboard > Memory Usage

The following table describes the labels in this screen.

Table 22 Dashboard > Memory Usage

CHAPTER 4 Monitor

4.1 Overview

Use the Monitor screens to check status and statistics information.

4.1.1 What You Can Do in this Chapter

• The Network Status screen (Section 4.3 on page 49) displays general LAN interface information and packet statistics.
• The AP Information > Radio List screen (Section 4.4 on page 50) displays statistics about the wireless radio transmitters in the NWA/WAC.
• The Station Info screen (Section 4.5 on page 53) displays statistics pertaining to the associated stations.
• The WDS Link Info screen (Section 4.6 on page 54) displays statistics about the NWA/WAC's WDS (Wireless Distribution System) connections.
• The Detected Device screen (Section 4.7 on page 55) displays information about suspected rogue APs.
• The View Log screen (Section 4.8 on page 56) displays the NWA/WAC's current log messages. You can change the way the log is displayed, you can e-mail the log, and you can also clear the log in this screen.

4.2 What You Need to Know

The following terms and concepts may help as you read through the chapter.

Rogue AP

Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can open up holes in a network's security. See Chapter 9 on page 108 for details.

Friendly AP

Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from neighboring networks, for example). See Chapter 9 on page 108 for details.

4.3 Network Status

Use this screen to look at general Ethernet interface information and packet statistics. To access this screen, click Monitor > Network Status.

Figure 22 Monitor > Network Status

The following table describes the labels in this screen.

Table 23 Monitor > Network Status

4.4 Radio List

Use this screen to view statistics for the NWA/WAC's wireless radio transmitters. To access this screen, click Monitor > Wireless > AP Information > Radio List.

Figure 23 Monitor > Wireless > AP Information > Radio List

The following table describes the labels in this screen.

Table 24 Monitor > Wireless > AP Information > Radio List

4.4.1 AP Mode Radio Information

This screen allows you to view a selected radio's SSID details, wireless traffic statistics and station count for the preceding 24 hours. To access this window, select a radio and click the More Information button in the Radio List screen.

Figure 24 Monitor > Wireless > AP Information > Radio List > More Information

The following table describes the labels in this screen.

Table 25 Monitor > Wireless > AP Information > Radio List > More Information

4.5 Station List

Use this screen to view statistics pertaining to the associated stations (or “wireless clients”). Click Monitor > Wireless > Station Info to access this screen.

Figure 25 Monitor > Wireless > Station Info

The following table describes the labels in this screen.

Table 26 Monitor > Wireless > Station Info

4.6 WDS Link Info

Use this screen to view the WDS traffic statistics between the NWA/WAC and a root AP or repeaters. Click Monitor > Wireless > WDS Link Info to access this screen.

Figure 26 Monitor > Wireless > WDS Link Info

The following table describes the labels in this screen.

Table 27 Monitor > Wireless > WDS Link Info

4.7 Detected Device

Use this screen to view information about suspected rogue APs. Click Monitor > Wireless > Detected Device to access this screen. Not all NWA/WACs support monitor mode and rogue APs detection.

Note: The radio or at least one of the NWA/WAC's radio must be set to monitor mode (in the Wireless > AP Management screen) in order to detect other wireless devices in its vicinity.

Figure 27 Monitor > Wireless > Detected Device

The following table describes the labels in this screen.

Table 28 Monitor > Wireless > Detected Device

4.8 View Log

Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, user). You can also look at the debugging log by selecting Debug Log. All debugging messages have the same priority.

To access this screen, click Monitor > Log. The log is displayed in the following screen.

Note: When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.

Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Figure 28 Monitor > Log > View Log

The following table describes the labels in this screen.

Table 29 Monitor > Log > View Log

The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.

CHAPTER 5 Network

5.1 Overview

This chapter describes how you can configure the management IP address and VLAN settings of your NWA/WAC.

The Internet Protocol (IP) address identifies a device on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Figure 29 IP Setup

The figure above illustrates one possible setup of your NWA/WAC. The gateway IP address is 192.168.1.1 and the managed IP address of the NWA/WAC is 192.168.1.2 (default), but if the NWA/WAC is assigned an IP address by a DHCP server, the default (192.168.1.2) will not be used. The gateway and the NWA/WAC must belong in the same IP subnet to be able to communicate with each other.

5.1.1 Management Mode

This discusses using the NWA/WAC in management mode, which determines whether the NWA/WAC is used in its standalone mode, or as part of a Control And Provisioning of Wireless Access Points (CAPWAP) network.

About CAPWAP

The NWA/WAC supports CAPWAP. This is Zyxel's implementation of the CAPWAP protocol (RFC 5415).

The CAPWAP data flow is protected by Datagram Transport Layer Security (DTLS).

The following figure illustrates a CAPWAP wireless network. You (U) configure the AP controller (C), which then automatically updates the configurations of the managed APs (M1 \~ M4).

Figure 30 CAPWAP Network Example

graph TD
    U["User"] --> C["Central Node"]
    DHCP["DHCP"] --> C
    C --> M1["M1"]
    C --> M2["M2"]
    C --> M3["M3"]
    C --> M4["M4"]
    M1 --> M2
    M2 --> M3
    M3 --> M4
    M4 --> Internet["Internet"]
    style Internet fill:#cce5ff,stroke:#333
    style M1,M2,M3,M4 fill:#cce5ff,stroke:#333

Note: The NWA/WAC can be a standalone AP (default), or a CAPWAP managed AP.

CAPWAP Discovery and Management

The link between CAPWAP-enabled access points proceeds as follows:

1 An AP in managed AP mode joins a wired network (receives a dynamic IP address).
2 The AP sends out a discovery request, looking for a CAPWAP AP controller.
3 If there is an AP controller on the network, it receives the discovery request. If the AP controller is in Manual mode it adds the details of the AP to its Unmanaged Access Points list, and you decide which available APs to manage. If the AP controller is in Always Accept mode, it automatically adds the AP to its Managed Access Points list and provides the managed AP with default configuration information, as well as securely transmitting the DTLS pre-shared key. The managed AP is ready for association with wireless clients.

Managed AP Finds the Controller

A managed NWA/WAC can find the controller in one of the following ways:

• Manually specify the controller's IP address in the Web Configurator's AC (AP Controller) Discovery screen.

• Get the controller's IP address from a DHCP server with the controller's IP address configured as option 138.

• Get the controller's IP address from a DNS server SRV (Service) record.

• Broadcasting to discover the controller within the broadcast domain.

Note: The AP controller needs to have a static IP address. If it is a DHCP client, set the DHCP server to reserve an IP address for the AP controller.

CAPWAP and IP Subnets

By default, CAPWAP works only between devices with IP addresses in the same subnet.

However, you can configure CAPWAP to operate between devices with IP addresses in different subnets by doing the following.

• Activate DHCP. Your network's DHCP server must support option 138 defined in RFC 5415.
• Configure DHCP option 138 with the IP address of the CAPWAP AP controller on your network.

DHCP Option 138 allows the CAPWAP management request (from the AP in managed AP mode) to reach the AP controller in a different subnet, as shown in the following figure.

Figure 31 CAPWAP and DHCP Option 138

graph TD
    A["AP Controller (Static IP)"] -->|CAPWAP Traffic| B((Center))
    B --> C["Managed AP"]
    C --> D["DHCP Server + Option 138"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#cfc,stroke:#333
    style D fill:#fcc,stroke:#333

Notes on CAPWAP

This section lists some additional features of Zyxel's implementation of the CAPWAP protocol.

• When the AP controller uses its internal Remote Authentication Dial In User Service (RADIUS) server, managed APs also use the AP controller's authentication server to authenticate wireless clients.
• If a managed AP's link to the AP controller is broken, the managed AP continues to use the wireless settings with which it was last provided.

5.1.2 What You Can Do in this Chapter

• The IP Setting screen (Section 5.2 on page 63) configures the NWA/WAC's LAN IP address.
• The VLAN screen (Section 5.3 on page 64) configures the NWA/WAC's VLAN settings.

- The AC (AP Controller) Discovery screen (Section 5.3 on page 64) configures the NWA/WAC's AP Controller settings.

5.2 IP Setting

Use this screen to configure the IP address for your NWA/WAC. To access this screen, click Configuration > Network > IP Setting.

Figure 32 Configuration > Network > IP Setting (Retake screenshot)

Each field is described in the following table.

Table 30 Configuration > Network > IP Setting

5.3 VLAN

This section discusses how to configure the NWA/WAC's VLAN settings.

Figure 33 Management VLAN Setup

graph LR
    A["Computer"] -->|A| B["Router"]
    B --> C["Internet"]
    style A fill:#cce5ff,stroke:#333
    style B fill:#cce5ff,stroke:#333
    style C fill:#cce5ff,stroke:#333
    note bottom left of A: VLAN

In the figure above, to access and manage the NWA/WAC from computer A, the NWA/WAC and switch B's ports to which computer A and the NWA/WAC are connected should be in the same VLAN.

A Virtual Local Area Network (VLAN) allows a physical network to be partitioned into multiple logical networks. Devices on a logical network belong to one group. A device can belong to more than one group. With VLAN, a device cannot directly talk to or hear from devices that are not in the same group(s); the traffic must first go through a router.

VLAN also increases network performance by limiting broadcasts to a smaller and more manageable logical broadcast domain. In traditional switched environments, all broadcast packets go to each and every individual port. With VLAN, all broadcasts are confined to a specific broadcast domain.

IEEE 802.1Q Tag

The IEEE 802.1Q standard defines an explicit VLAN tag in the MAC header to identify the VLAN membership of a frame across bridges. A VLAN tag includes the 12-bit VLAN ID and 3-bit user priority. The VLAN ID associates a frame with a specific VLAN and provides the information that devices need to process the frame across the network.

Use this screen to configure the VLAN settings for your NWA/WAC. To access this screen, click Configuration > Network > VLAN.

Figure 34 Configuration > Network > VLAN

Each field is described in the following table.

Table 31 Configuration > Network > VLAN

5.4 AC (AP Controller) Discovery

This section discusses how to configure the NWA/WAC's AC (AP Controller) Discovery settings. You can have the NWA/WAC managed by an AP controller on your network. When you do this, the NWA/WAC can be configured ONLY by the AP controller. See Section 5.1.1 on page 60 for more information on management mode and AP Controller.

Note: The AC(AP Controller) Discovery settings are not available in the NWA1123-ACv2 and NWA1123-AC PRO.

If you want to return the NWA/WAC to standalone AP mode, you can do one of the two following options:

• Press the Reset button.
• Check the AP controller for the NWA/WAC's IP address and use FTP to upload the default configuration file to the NWA/WAC. You can get the configuration file at conf/system-default.conf. You must reboot the device after uploading the configuration file.

To access the Controller Discover screen, click Configuration > Network > AC Discovery.

Figure 35 Configuration > Network > AC Discovery

Each field is described in the following table.

Table 32 Configuration > Network > AC Discovery

6.1 Overview

This chapter discusses how to configure the wireless network settings in your NWA/WAC.

The following figure provides an example of a wireless network.

Figure 36 Example of a Wireless Network

graph TD
    A["Server"] --> E["Ethernet"]
    B["Computer"] --> E
    C["Server"] --> E
    D["A"] --> E
    E --> F["AP"]
    F --> G["B"]
    F --> H["A"]
    style E fill:#f9f,stroke:#333
    style F fill:#ccf,stroke:#333
    style G fill:#cfc,stroke:#333
    style H fill:#fcc,stroke:#333

The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (such as the printer) or with the Internet. Your NWA/WAC is the AP.

6.1.1 What You Can Do in this Chapter

• The AP Management screen (Section 6.2 on page 70) manages the NWA/WAC's general wireless settings.
• The MON Mode screen (Section 6.3 on page 73) allows you to assign APs either to the rogue AP list or the friendly AP list.
• The Load Balancing screen (Section 6.4 on page 75) configures network traffic load balancing between the APs and the NWA/WAC.
• The DCS screen (Section 6.5 on page 78) configures dynamic radio channel selection.

6.1.2 What You Need to Know

The following terms and concepts may help as you read this chapter.

Station / Wireless Client

A station or wireless client is any wireless-capable device that can connect to an AP using a wireless signal.

Dynamic Channel Selection (DCS)

Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices.

Load Balancing (Wireless)

Wireless load balancing is the process where you limit the number of connections allowed on an wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it so the AP does not become overloaded.

6.2 AP Management

Use this screen to manage the NWA/WAC's general wireless settings. Click Configuration > Wireless > AP Management to access this screen.

Figure 37 Configuration > Wireless > AP Management

Each field is described in the following table.

Table 33 Configuration > Wireless > AP Management

6.3 MON Mode

Use this screen to assign APs either to the rogue AP list or the friendly AP list. A rogue AP is a wireless access point operating in a network's coverage area that is not under the control of the network administrator, and which can potentially open up holes in a network's security.

Click Configuration > Wireless > MON Mode to access this screen.

Figure 38 Configuration > Wireless > MON Mode

Each field is described in the following table.

Table 34 Configuration > Wireless > MON Mode

6.3.1 Add/Edit Rogue/Friendly List

Click Add or select an AP and click the Edit button in the Configuration > Wireless > MON Mode table to display this screen.

Figure 39 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly AP List

Each field is described in the following table.

Table 35 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly AP List

6.4 Load Balancing

Use this screen to configure wireless network traffic load balancing between the APs on your network. Click Configuration > Wireless > Load Balancing to access this screen.

Figure 40 Configuration > Wireless > Load Balancing

Each field is described in the following table.

Table 36 Configuration > Wireless > Load Balancing

6.4.1 Disassociating and Delaying Connections

When your AP becomes overloaded, there are two basic responses it can take. The first one is to “delay” a client connection. This means that the AP withholds the connection until the data transfer throughput is lowered or the client connection is picked up by another AP. If the client is picked up by another AP then the original AP cannot resume the connection.

For example, here the AP has a balanced bandwidth allotment of 6 Mbps. If laptop R connects and it pushes the AP over its allotment, say to 7 Mbps, then the AP delays the red laptop's connection until it can afford the bandwidth or the laptop is picked up by a different AP with bandwidth to spare.

Figure 41 Delaying a Connection

graph TD
    A["Device A"] -->|1 Mbps| B["Device B"]
    B -->|2 Mbps| C["Device C"]
    C -->|2 Mbps| D["Router R"]
    D -->|6_Mbps["7 Mbps"]| E["Central Network Device"]
    style A fill:#cce5ff,stroke:#333
    style B fill:#cce5ff,stroke:#333
    style C fill:#cce5ff,stroke:#333
    style D fill:#cce5ff,stroke:#333
    style E fill:#cce5ff,stroke:#333

The second response your AP can take is to kick the connections that are pushing it over its balanced bandwidth allotment.

Figure 42 Kicking a Connection

graph TD
    A["Device A"] -->|1 Mbps| B["Device B"]
    B -->|2 Mbps| C["Device C"]
    C -->|2 Mbps| R["Router R"]
    style A fill:#cce5ff,stroke:#333
    style B fill:#cce5ff,stroke:#333
    style C fill:#cce5ff,stroke:#333
    style R fill:#cce5ff,stroke:#333
    note right of B "6_Mbps["7 Mbps"]"
    note right of R "2 Mbps"

Connections are kicked based on either idle timeout or signal strength. The NWA/WAC first looks to see which devices have been idle the longest, then starts kicking them in order of highest idle time. If no connections are idle, the next criteria the NWA/WAC analyzes is signal strength. Devices with the weakest signal strength are kicked first.

6.5 DCS

Use this screen to configure dynamic radio channel selection. Click Configuration > Wireless > DCS to access this screen.

Figure 43 Configuration > Wireless > DCS

Each field is described in the following table.

Table 37 Configuration > Wireless > DCS

6.6 Technical Reference

The following section contains additional technical information about the features described in this chapter.

Dynamic Channel Selection

When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of interference. Dynamic channel selection frees the network administrator from this task by letting the AP do it automatically. The AP can scan the area around it looking for the channel with the least amount of interference.

In the 2.4 GHz spectrum, each channel from 1 to 13 is broken up into discrete 22 MHz segments that are spaced 5 MHz apart. Channel 1 is centered on 2.412 GHz while channel 13 is centered on 2.472 GHz.

Figure 44 An Example Three-Channel Deployment

Three channels are situated in such a way as to create almost no interference with one another if used exclusively: 1, 6 and 11. When an AP broadcasts on any of these three channels, it should not interfere with neighboring APs as long as they are also limited to same trio.

Figure 45 An Example Four-Channel Deployment

However, some regions require the use of other channels and often use a safety scheme with the following four channels: 1, 4, 7 and 11. While they are situated sufficiently close to both each other and the three so-called “safe” channels (1,6 and 11) that interference becomes inevitable, the severity of it is dependent upon other factors: proximity to the affected AP, signal strength, activity, and so on.

Finally, there is an alternative four channel scheme for ETSI, consisting of channels 1, 5, 9, 13. This offers significantly less overlap that the other one.

Figure 46 An Alternative Four-Channel Deployment

Load Balancing

Because there is a hard upper limit on an AP's wireless bandwidth, load balancing can be crucial in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the

available bandwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.

There are three kinds of wireless load balancing available on the NWA/WAC:

Load balancing by station number limits the number of devices allowed to connect to your AP. If you know exactly how many stations you want to let connect, choose this option.

For example, if your company's graphic design team has their own AP and they have 10 computers, you can load balance for 10. Later, if someone from the sales department visits the graphic design team's offices for a meeting and he tries to access the network, his computer's connection is delayed, giving it the opportunity to connect to a different, neighboring AP. If he still connects to the AP regardless of the delay, then the AP may boot other people who are already connected in order to associate with the new connection.

Load balancing by smart classroom also limits the number of devices allowed to connect to your AP. But any new connections will be just rejected when the AP is overloaded.

Load balancing by traffic level limits the number of connections to the AP based on maximum bandwidth available. If you are uncertain as to the exact number of wireless connections you will have then choose this option. By setting a maximum bandwidth cap, you allow any number of devices to connect as long as their total bandwidth usage does not exceed the configured bandwidth cap associated with this setting. Once the cap is hit, any new connections are rejected or delayed provided that there are other APs in range.

Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers. The coffee shop owner can't possibly know how many connections his AP will have at any given moment. As such, he decides to put a limit on the bandwidth that is available to his customers but not on the actual number of connections he allows. This means anyone can connect to his wireless network as long as the AP has the bandwidth to spare. If too many people connect and the AP hits its bandwidth cap then all new connections must basically wait for their turn or get shunted to the nearest identical AP.

7.1 Overview

This chapter describes how to set up user accounts and user settings for the NWA/WAC.

7.1.1 What You Can Do in this Chapter

• The User screen (see Section 7.2 on page 82) provides a summary of all user accounts.
• The Setting screen (see Section 7.3 on page 84) controls default settings, login settings, lockout settings, and other user settings for the NWA/WAC.

7.1.2 What You Need To Know

The following terms and concepts may help as you read this chapter.

User Account

A user account defines the privileges of a user logged into the NWA/WAC. User accounts are used in controlling access to configuration and services in the NWA/WAC.

User Types

These are the types of user accounts the NWA/WAC uses.

Table 38 Types of User Accounts

Note: The default admin account is always authenticated locally, regardless of the authentication method setting.

7.2 User Summary

The User screen provides a summary of all user accounts. To access this screen click Configuration > Object > User.

Figure 47 Configuration > Object > User

The following table describes the labels in this screen.

Table 39 Configuration > Object > User

7.2.1 Add/Edit User

The User Add/Edit screen allows you to create a new user account or edit an existing one.

7.2.1.1 Rules for User Names

Enter a user name from 1 to 31 characters.

The user name can only contain the following characters:

• Alphanumeric A-z 0-9 (there is no unicode support)
- _ [underscores]
- [dashes]

The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:

• User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings used for 'BOB' not 'bob'.
• User names have to be different than user group names.
  • Here are the reserved user names:

- adm

- admin

- any

- bin

- daemon

- debug

- devicehaecived

ftp

- games

- halt

- ldap-users

• lp

- mail

- news

- nobody

- operator

- radius-users

- root

- shutdown

- sshd

- sync

- uucp

- zyxel

To access this screen, go to the User screen, and click Add or Edit.

Figure 48 Configuration > Object > User > Add/Edit A User

The following table describes the labels in this screen.

Table 40 Configuration > User > User > Add/Edit A User

7.3 Setting

This screen controls default settings, login settings, lockout settings, and other user settings for the NWA/WAC.

To access this screen, login to the Web Configurator, and click Configuration > Object > User > Setting.

Figure 49 Configuration > Object > User > Setting

The following table describes the labels in this screen.

Table 41 Configuration > Object > User > Setting

7.3.1 Edit User Authentication Timeout Settings

This screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings.

To access this screen, go to the Configuration > Object > User > Setting screen, select one of the Default Authentication Timeout Settings entry and click the Edit icon.

Figure 50 User > Setting > Edit User Authentication Timeout Settings

The following table describes the labels in this screen.

Table 42 User > Setting > Edit User Authentication Timeout Settings

CHAPTER 8 AP Profile

8.1 Overview

This chapter shows you how to configure preset profiles for the NWA/WAC.

8.1.1 What You Can Do in this Chapter

• The Radio screen (Section 8.2 on page 89) creates radio configurations that can be used by the APs.
• The SSID screen (Section 8.3 on page 95) configures three different types of profiles for your networked APs.

8.1.2 What You Need To Know

The following terms and concepts may help as you read this chapter.

Wireless Profiles

At the heart of all wireless AP configurations on the NWA/WAC are profiles. A profile represents a group of saved settings that you can use across any number of connected APs. You can set up the following wireless profile types:

• Radio - This profile type defines the properties of an AP's radio transmitter. You can have a maximum of 32 radio profiles on the NWA/WAC.
• SSID - This profile type defines the properties of a single wireless network signal broadcast by an AP. Each radio on a single AP can broadcast up to 8 SSIDs. You can have a maximum of 32 SSID profiles on the NWA/WAC.
• Security - This profile type defines the security settings used by a single SSID. It controls the encryption method required for a wireless client to associate itself with the SSID. You can have a maximum of 32 security profiles on the NWA/WAC.
• MAC Filtering - This profile provides an additional layer of security for an SSID, allowing you to block access or allow access to that SSID based on wireless client MAC addresses. If a client's MAC address is on the list, then it is either allowed or denied, depending on how you set up the MAC Filter profile. You can have a maximum of 32 MAC filtering profiles on the NWA/WAC.
• Layer-2 Isolation - This profile defines the MAC addresses of the devices that you want to allow the associated wireless clients to have access to when layer-2 isolation is enabled.

SSID

The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In other words, it is the name of the wireless network that clients use to connect to it.

WEP

WEP (Wired Equivalent Privacy) encryption scrambles all data packets transmitted between the AP and the wireless stations associated with it in order to keep network communications private. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption.

WPA2

WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA2 and WEP are improved data encryption and user authentication.

IEEE 802.1x

The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication is done using an external RADIUS server.

8.2 Radio

This screen allows you to create radio profiles for the NWA/WAC. A radio profile is a list of settings that an NWA/WAC can use to configure its radio transmitter(s). To access this screen click Configuration > Object > AP Profile.

Note: You can have a maximum of 32 radio profiles on the NWA/WAC.

Figure 51 Configuration > Object > AP Profile > Radio

The following table describes the labels in this screen.

Table 43 Configuration > Object > AP Profile > Radio

8.2.1 Add/Edit Radio Profile

This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button.

Figure 52 Configuration > Object > AP Profile > Add/Edit Profile

The following table describes the labels in this screen.

Table 44 Configuration > Object > AP Profile > Add/Edit Profile

8.3 SSID

The SSID screens allow you to configure three different types of profiles for your networked APs: an SSID list, which can assign specific SSID configurations to your APs; a security list, which can assign specific encryption methods to the APs when allowing wireless clients to connect to them; and a MAC filter list, which can limit connections to an AP based on wireless clients MAC addresses.

8.3.1 SSID List

This screen allows you to create and manage SSID configurations that can be used by the APs. An SSID, or Service Set IDentifier, is basically the name of the wireless network to which a wireless client can connect. The SSID appears as readable text to any device capable of scanning for wireless frequencies (such as the WiFi adapter in a laptop), and is displayed as the wireless network name when a person makes a connection to it.

To access this screen click Configuration > Object > AP Profile > SSID.

Note: You can have a maximum of 32 SSID profiles on the NWA/WAC.

Figure 53 Configuration > Object > AP Profile > SSID List

The following table describes the labels in this screen.

Table 45 Configuration > Object > AP Profile > SSID List

8.3.2 Add/Edit SSID Profile

This screen allows you to create a new SSID profile or edit an existing one. To access this screen, click the Add button or select a SSID profile from the list and click the Edit button.

Figure 54 Configuration > Object > AP Profile > Add/Edit SSID Profile

The following table describes the labels in this screen.

Table 46 Configuration > Object > AP Profile > Add/Edit SSID Profile

8.4 Security List

This screen allows you to manage wireless security configurations that can be used by your SSIDs. Wireless security is implemented strictly between the AP broadcasting the SSID and the stations that are connected to it.

To access this screen click Configuration > Object > AP Profile > SSID > Security List.

Note: You can have a maximum of 32 security profiles on the NWA/WAC.

Figure 55 Configuration > Object > AP Profile > SSID > Security List

The following table describes the labels in this screen.

Table 47 Configuration > Object > AP Profile > SSID > Security List

8.4.1 Add/Edit Security Profile

This screen allows you to create a new security profile or edit an existing one. To access this screen, click the Add button or select a security profile from the list and click the Edit button.

Note: This screen's options change based on the Security Mode selected. Only the default screen is displayed here.

Figure 56 Configuration > Object > AP Profile > SSID > Security List > Add/Edit Security Profile

The following table describes the labels in this screen.

Table 48 Configuration > Object > AP Profile > SSID > Security List > Add/Edit Security Profile

8.5 MAC Filter List

This screen allows you to create and manage security configurations that can be used by your SSIDs. To access this screen click Configuration > Object > AP Profile > SSID > MAC Filter List.

Note: You can have a maximum of 32 MAC filtering profiles on the NWA/WAC.

Figure 57 Configuration > Object > AP Profile > SSID > MAC Filter List

The following table describes the labels in this screen.

Table 49 Configuration > Object > AP Profile > SSID > MAC Filter List

8.5.1 Add/Edit MAC Filter Profile

This screen allows you to create a new MAC filtering profile or edit an existing one. To access this screen, click the Add button or select a MAC filter profile from the list and click the Edit button.

Note: Each MAC filtering profile can include a maximum of 512 MAC addresses.

Figure 58 Configuration > Object > AP Profile > SSID > MAC Filter List > Add/Edit MAC Filter Profile

The following table describes the labels in this screen.

Table 50 Configuration > Object > AP Profile > SSID > MAC Filter List > Add/Edit MAC Filter Profile

8.6 Layer-2 Isolation List

Layer-2 isolation is used to prevent wireless clients associated with your NWA/WAC from communicating with other wireless clients, APs, computers or routers in a network.

In the following example, layer-2 isolation is enabled on the NWA/WAC to allow a guest wireless client (A) to access the main network router (B). The router provides access to the Internet and the network printer (C) while preventing the client from accessing other computers and servers on the network. The client can communicate with other wireless clients only if Intra-BSS Traffic blocking is disabled.

Note: Intra-BSS Traffic Blocking is activated when you enable layer-2 isolation.

Figure 59 Layer-2 Isolation Application

graph TD
    A["A"] -->|Wireless Signal| NWA["NWA"]
    NWA -->|Green Checkmark| B["B"]
    B -->|Green Checkmark| C["C"]
    C --> D["Server 1"]
    C --> E["Server 2"]
    C --> F["Server 3"]
    D --> G["Internet"]
    E --> G
    F --> G

MAC addresses that are not listed in the layer-2 isolation table are blocked from communicating with the NWA/WAC's wireless clients except for broadcast packets. Layer-2 isolation does not check the traffic between wireless clients that are associated with the same AP. Intra-BSS traffic allows wireless clients associated with the same AP to communicate with each other.

This screen allows you to specify devices you want the users on your wireless networks to access. To access this screen click Configuration > Object > AP Profile > SSID > Layer-2 Isolation List.

Figure 60 Configuration > Object > AP Profile > SSID > Layer-2 Isolation List

The following table describes the labels in this screen.

Table 51 Configuration > Object > AP Profile > SSID > Layer-2 Isolation List

8.6.1 Add/Edit Layer-2 Isolation Profile

This screen allows you to create a new layer-2 isolation profile or edit an existing one. To access this screen, click the Add button or select a layer-2 isolation profile from the list and click the Edit button.

Note: You need to know the MAC address of each wireless client, AP, computer or router that you want to allow to communicate with the NWA/WAC's wireless clients.

Figure 61 Configuration > Object > AP Profile > SSID > Layer-2 Isolation List > Add/Edit Layer-2 Isolation Profile

The following table describes the labels in this screen.

Table 52 Configuration > Object > AP Profile > SSID > Layer-2 Isolation List > Add/Edit Layer-2 Isolation Profile

CHAPTER 9 MON Profile

9.1 Overview

This screen allows you to set up monitor mode configurations that allow your NWA/WAC to scan for other wireless devices in the vicinity. Once detected, you can use the Wireless > MON Mode screen (Section 6.3 on page 73) to classify them as either rogue or friendly.

Not all NWA/WACs support monitor mode and rogue APs detection.

9.1.1 What You Can Do in this Chapter

The MON Profile screen (Section 9.2 on page 108) creates preset monitor mode configurations that can be used by the NWA/WAC.

9.2 MON Profile

This screen allows you to create monitor mode configurations that can be used by the APs. To access this screen, login to the Web Configurator, and click Configuration > Object > MON Profile.

Figure 62 Configuration > Object > MON Profile

The following table describes the labels in this screen.

Table 53 Configuration > Object > MON Profile

9.2.1 Add/Edit MON Profile

This screen allows you to create a new monitor mode profile or edit an existing one. To access this screen, click the Add button or select and existing monitor mode profile and click the Edit button.

Figure 63 Configuration > Object > MON Profile > Add/Edit MON Profile

The following table describes the labels in this screen.

Table 54 Configuration > Object > MON Profile > Add/Edit MON Profile

9.3 Technical Reference

The following section contains additional technical information about the features described in this chapter.

Rogue APs

Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can open up holes in a network's security. Attackers can take advantage of a rogue AP's weaker (or non-existent) security to gain access to the network, or set up their own rogue APs in order to capture information from wireless clients. If a scan reveals a rogue AP, you can use commercially-available software to physically locate it.

Figure 64 Rogue AP Example

graph TD
    A["Internet"] --> B["Server C"]
    A --> C["Server X"]
    A --> D["Server A"]
    B --> E["Central Network Node"]
    C --> E
    D --> E
    E --> F["Server B"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#cfc,stroke:#333
    style D fill:#fcc,stroke:#333
    style E fill:#cff,stroke:#333

In the example above, a corporate network's security is compromised by a rogue AP (RG) set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly (A). The company's legitimate wireless network (the dashed ellipse B) is well-secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available encryption-cracking software. In this example, the attacker now has access to the company network, including sensitive data stored on the file server (C).

Friendly APs

If you have more than one AP in your wireless network, you should also configure a list of “friendly” APs. Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from recognized networks, for example). It is recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points.

10.1 Overview

This chapter shows you how to configure WDS (Wireless Distribution System) profiles for the NWA/WAC to form a WDS with other APs.

10.1.1 What You Can Do in this Chapter

The WDS Profile screen (Section 10.2 on page 112) creates preset WDS configurations that can be used by the NWA/WAC.

10.2 WDS Profile

This screen allows you to manage and create WDS profiles that can be used by the APs. To access this screen, click Configuration > Object > WDS Profile.

Figure 65 Configuration > Object > WDS Profile

The following table describes the labels in this screen.

Table 55 Configuration > Object > WDS Profile

10.2.1 Add/Edit WDS Profile

This screen allows you to create a new WDS profile or edit an existing one. To access this screen, click the Add button or select and existing profile and click the Edit button.

Figure 66 Configuration > Object > WDS Profile > Add/Edit WDS Profile

The following table describes the labels in this screen.

Table 56 Configuration > Object > WDS Profile > Add/Edit WDS Profile

CHAPTER 11 Certificates

11.1 Overview

The NWA/WAC can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

11.1.1 What You Can Do in this Chapter

• The My Certificate screens (Section 11.2 on page 117) generate and export self-signed certificates or certification requests and import the NWA/WAC's CA-signed certificates.
• The Trusted Certificates screens (Section 11.3 on page 125) save CA certificates and trusted remote host certificates to the NWA/WAC. The NWA/WAC trusts any valid certificate that you have imported as a trusted certificate. It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate.

11.1.2 What You Need to Know

The following terms and concepts may help as you read this chapter.

When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.

These keys work like a handwritten signature (in fact, certificates are often referred to as “digital signatures”). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key “writes” your digital signature and your public key allows people to verify whether data was signed by you, or by someone else.

This process works as follows:

1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim's public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim's private key).

5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny's public key to verify the message.

The NWA/WAC uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The NWA/WAC does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The NWA/WAC can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).

Advantages of Certificates

Certificates offer the following benefits.

• The NWA/WAC only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

Self-signed Certificates

You can have the NWA/WAC act as a certification authority and sign its own certificates.

Factory Default Certificate

The NWA/WAC generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.

Certificate File Formats

Any certificate that you want to import has to be in one of these file formats:

• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The NWA/WAC currently allows the importation of a PKS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.

- Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the NWA/WAC.

Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.

11.1.3 Verifying a Certificate

Before you import a trusted certificate into the NWA/WAC, you should verify that you have the correct certificate. You can do this using the certificate's fingerprint. A certificate's fingerprint is a message digest calculated using the MD5 or SHA1 algorithm. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.

1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension.

3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may very based on your situation. Possible examples would be over the telephone or through an HTTPS connection.

11.2 My Certificates

Click Configuration > Object > Certificate > My Certificates to open this screen. This is the NWA/WAC's summary list of certificates and certification requests.

Figure 67 Configuration > Object > Certificate > My Certificates

The following table describes the labels in this screen.

Table 57 Configuration > Object > Certificate > My Certificates

11.2.1 Add My Certificates

Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the Add My Certificates screen. Use this screen to have the NWA/WAC create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.

Figure 68 Configuration > Object > Certificate > My Certificates > Add

The following table describes the labels in this screen.

Table 58 Configuration > Object > Certificate > My Certificates > Add

If you configured the Add My Certificates screen to have the NWA/WAC enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the Add My Certificates screen. Click Return and check your information in the Add My Certificates screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the NWA/WAC to enroll a certificate online.

11.2.2 Edit My Certificates

Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate's name.

Figure 69 Configuration > Object > Certificate > My Certificates > Edit

The following table describes the labels in this screen.

Table 59 Configuration > Object > Certificate > My Certificates > Edit

Table 59 Configuration > Object > Certificate > My Certificates > Edit

11.2.3 Import Certificates

Click Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the NWA/WAC.

Note: You can import a certificate that matches a corresponding certification request that was generated by the NWA/WAC. You can also import a certificate in PKCS#12 format, including the certificate's public and private keys.

The certificate you import replaces the corresponding request in the My Certificates screen.

You must remove any spaces in the certificate's filename before you can import it.

Figure 70 Configuration > Object > Certificate > My Certificates > Import

The following table describes the labels in this screen.

Table 60 Configuration > Object > Certificate > My Certificates > Import

11.3 Trusted Certificates

Click Configuration > Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have set the NWA/WAC to accept as trusted. The NWA/WAC also accepts any valid certificate signed by a certificate on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates.

Figure 71 Configuration > Object > Certificate > Trusted Certificates

The following table describes the labels in this screen.

Table 61 Configuration > Object > Certificate > Trusted Certificates

11.3.1 Edit Trusted Certificates

Click Configuration > Object > Certificate > Trusted Certificates and then a certificate's Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate,

change the certificate's name and set whether or not you want the NWA/WAC to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.

Figure 72 Configuration > Object > Certificate > Trusted Certificates > Edit

The following table describes the labels in this screen.

Table 62 Configuration > Object > Certificate > Trusted Certificates > Edit

11.3.2 Import Trusted Certificates

Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Import Trusted Certificates screen. Follow the instructions in this screen to save a trusted certificate to the NWA/WAC.

Note: You must remove any spaces from the certificate's filename before you can import the certificate.

Figure 73 Configuration > Object > Certificate > Trusted Certificates > Import

The following table describes the labels in this screen.

Table 63 Configuration > Object > Certificate > Trusted Certificates > Import

11.4 Technical Reference

The following section contains additional technical information about the features described in this chapter.

OCSP

OCSP (Online Certificate Status Protocol) allows an application or device to check whether a certificate is valid. With OCSP the NWA/WAC checks the status of individual certificates instead of downloading a Certificate Revocation List (CRL). OCSP has two main advantages over a CRL. The first is real-time status information. The second is a reduction in network traffic since the NWA/WAC only gets information on the certificates that it needs to verify, not a huge list. When the NWA/WAC requests certificate status information, the OCSP server returns a “expired”, “current” or “unknown” response.

12.1 Overview

Use the system screens to configure general NWA/WAC settings.

12.1.1 What You Can Do in this Chapter

• The Host Name screen (Section 12.2 on page 131) configures a unique name for the NWA/WAC in your network.
• The Date/Time screen (Section 12.3 on page 132) configures the date and time for the NWA/WAC.
• The WWW screens (Section 12.4 on page 136) configure settings for HTTP or HTTPS access to the NWA/WAC.
• The SSH screen (Section 12.5 on page 146) configures SSH (Secure SHell) for securely accessing the NWA/WAC's command line interface.
• The Telnet screen (Section 12.6 on page 150) configures Telnet for accessing the NWA/WAC's command line interface.
• The FTP screen (Section 12.7 on page 150) specifies FTP server settings. You can upload and download the NWA/WAC's firmware and configuration files using FTP. Please also see Chapter 14 on page 169 for more information about firmware and configuration files.
• The SNMP screens (Section 12.8 on page 151) configure the device's SNMP settings, including profiles that define allowed SNMPv3 access.

12.2 Host Name

A host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open this screen.

Figure 74 Configuration > System > Host Name

The following table describes the labels in this screen.

Table 64 Configuration > System > Host Name

12.3 Date and Time

For effective scheduling and logging, the NWA/WAC system time must be accurate. The NWA/WAC has a software mechanism to set the time manually or get the current time and date from an external server.

To change your NWA/WAC's time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the NWA/WAC's time and date or have the NWA/WAC get the date and time from a time server.

Figure 75 Configuration > System > Date/Time

The following table describes the labels in this screen.

Table 65 Configuration > System > Date/Time

12.3.1 Pre-defined NTP Time Servers List

When you turn on the NWA/WAC for the first time, the date and time start at 2003-01-01 00:00:00. The NWA/WAC then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers.

The NWA/WAC continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.

Table 66 Default Time Servers

When the NWA/WAC uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the NWA/WAC goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.

12.3.2 Time Server Synchronization

Click the Sync. Now button to get the time and date from the time server you specified in the Time Server Address field.

When the Loading message appears, you may have to wait up to one minute.

Figure 76 Loading

The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful.

If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/Time screen.

To manually set the NWA/WAC date and time:

1 Click System > Date/Time.
2 Select Manual under Time and Date Setup.
3 Enter the NWA/WAC's time in the New Time field.
4 Enter the NWA/WAC's date in the New Date field.
5 Under Time Zone Setup, select your Time Zone from the list.
6 As an option you can select the Enable Daylight Saving check box to adjust the NWA/WAC clock for daylight savings.
7 Click Apply.

To get the NWA/WAC date and time from a time server:

1 Click System > Date/Time.
2 Select Get from Time Server under Time and Date Setup.
3 Under Time Zone Setup, select your Time Zone from the list.
4 Under Time and Date Setup, enter a Time Server Address.
5 Click Apply.

12.4 WWW Overview

The following figure shows secure and insecure management of the NWA/WAC coming in from the WAN. HTTPS and SSH access are secure. HTTP, Telnet, and FTP management access are not secure.

Figure 77 Secure and Insecure Service Access From the WAN

graph TD
    A["LAN"] --> B["Wi"]
    B --> C["WAN"]
    C --> D["Internet"]
    D --> E["HTTPS"]
    D --> F["SSH"]
    D --> G["HTTP"]
    D --> H["Telnet"]
    D --> I["FTP"]

12.4.1 Service Access Limitations

A service cannot be used to access the NWA/WAC when you have disabled that service in the corresponding screen.

12.4.2 System Timeout

There is a lease timeout for administrators. The NWA/WAC automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.

Each user is also forced to log in the NWA/WAC for authentication again when the reauthentication time expires.

You can change the timeout settings in the User screens.

12.4.3 HTTPS

You can set the NWA/WAC to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions.

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed).

It relies upon certificates, public keys, and private keys (see Chapter 11 on page 114 for more information).

HTTPS on the NWA/WAC is used so that you can securely access the NWA/WAC using the Web Configurator. The SSL protocol specifies that the HTTPS server (the NWA/WAC) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the NWA/WAC), whereas the HTTPS client only should authenticate itself when the HTTPS server requires it to do so (select Authenticate Client Certificates in the WWW screen). Authenticate Client Certificates is optional and if selected means the HTTPS client must send the NWA/WAC a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the NWA/WAC.

Please refer to the following figure.

1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the NWA/WAC's web server.
2 HTTP connection requests from a web browser go to port 80 (by default) on the NWA/WAC's web server.

Figure 78 HTTP/HTTPS Implementation

Note: If you disable HTTP in the WWW screen, then the NWA/WAC blocks all HTTP connection attempts.

12.4.4 Configuring WWW Service Control

Click Configuration > System > WWW to open the WWW screen. Use this screen to specify HTTP or HTTPS settings.

Figure 79 Configuration > System > WWW > Service Control

The following table describes the labels in this screen.

Table 67 Configuration > System > WWW > Service Control

12.4.5 HTTPS Example

If you haven't changed the default HTTPS port on the NWA/WAC, then in your browser enter "https://NWA/WAC IP Address/" as the web site address where "NWA/WAC IP Address" is the IP address or domain name of the NWA/WAC you wish to access.

12.4.5.1 Internet Explorer Warning Messages

When you attempt to access the NWA/WAC HTTPS server, you will see the error message shown in the following screen.

Figure 80 Security Alert Dialog Box (Internet Explorer)

Select Continue to this website. to proceed to the Web Configurator login screen. Otherwise, select Click here to close this webpage. to block the access.

12.4.5.2 Mozilla Firefox Warning Messages

When you attempt to access the NWA/WAC HTTPS server, a The Connection is Untrusted screen appears as shown in the following screen. Click Technical Details if you want to verify more information about the certificate from the NWA/WAC.

Select I Understand the Risks and then click Add Exception to add the NWA/WAC to the security exception list. Click Confirm Security Exception.

Figure 81 Security Certificate 1 (Firefox)

Figure 82 Security Certificate 2 (Firefox)

12.4.5.3 Avoiding Browser Warning Messages

Here are the main reasons your browser displays warnings about the NWA/WAC's HTTPS server certificate and what you can do to avoid seeing the warnings:

- The issuing certificate authority of the NWA/WAC's HTTPS server certificate is not one of the browser's trusted certificate authorities. The issuing certificate authority of the NWA/WAC's factory default certificate is the NWA/WAC itself since the certificate is a self-signed certificate.

• For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.
• To have the browser trust the certificates issued by a certificate authority, import the certificate authority's certificate into your operating system as a trusted certificate. Refer to Appendix A on page 199 for details.

12.4.5.4 Enrolling and Importing SSL Client Certificates

The SSL client needs a certificate if Authenticate Client Certificates is selected on the NWA/WAC.

You must have imported at least one trusted CA to the NWA/WAC in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).

Apply for a certificate from a Certification Authority (CA) that is trusted by the NWA/WAC (see the NWA/WAC's Trusted Certificates Web Configurator screen).

Figure 83 Trusted Certificates

The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).

12.4.5.5 Installing the CA's Certificate

1 Double click the CA's trusted certificate to produce a screen similar to the one shown next.

2 Click Install Certificate and follow the wizard as shown.

12.4.5.6 Installing a Personal Certificate

You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.

1 Click Next to begin the wizard.

2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.

3 Enter the password given to you by the CA.

4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.

5 Click Finish to complete the wizard and begin the import process.

6 You should see the following screen when the certificate is correctly installed on your computer.

12.4.5.7 Using a Certificate When Accessing the NWA/WAC

To access the NWA/WAC via HTTPS:

1 Enter 'https://NWA/WAC IP Address/' in your browser's web address field.

2 When Authenticate Client Certificates is selected on the NWA/WAC, the following screen asks you to select a personal certificate to send to the NWA/WAC. This screen displays even if you only have a single certificate as in the example.

3 You next see the Web Configurator login screen.

12.5 SSH

You can use SSH (Secure SHell) to securely access the NWA/WAC's command line interface.

SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer B on the Internet uses SSH to securely connect to the NWA/WAC (A) for a management session.

Figure 84 SSH Communication Over the WAN Example

graph LR
    A["Internet"] --> B["Secure Connection"]
    B --> C["Computer"]

12.5.1 How SSH Works

The following figure is an example of how a secure connection is established between two remote hosts using SSH v1.

Figure 85 How SSH v1 Works Example

graph TD
    A["Internet"] -->|Z| B["SSH Client"]
    C["SSH Server"] -->|Connection Request| A
    C -->|Host Key, Server Key| A
    C -->|Session Key| A
    C -->|Host Identification Pass/Fail| B
    C -->|Encryption Method to Use| B
    C -->|Password / User Name| B
    C -->|Authentication Pass/Fail| B
    C -->|Data Transmission| B

1 Host Identification

The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.

The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.

2 Encryption Method

Once the identification is verified, both the client and server must agree on the type of encryption method to use.

3 Authentication and Data Transmission

After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.

12.5.2 SSH Implementation on the NWA/WAC

Your NWA/WAC supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Archfour, and Blowfish). The SSH server is implemented on the NWA/WAC for management using port 22 (by default).

12.5.3 Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the NWA/WAC over SSH.

12.5.4 Configuring SSH

Click Configuration > System > SSH to open the following screen. Use this screen to configure your NWA/WAC's Secure Shell settings.

Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

Figure 86 Configuration > System > SSH

The following table describes the labels in this screen.

Table 68 Configuration > System > SSH

12.5.5 Examples of Secure Telnet Using SSH

This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the NWA/WAC. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user's guide.

12.5.5.1 Example 1: Microsoft Windows

This section describes how to access the NWA/WAC using the Secure Shell Client program.

1 Launch the SSH client and specify the connection information (IP address, port number) for the NWA/WAC.
2 Configure the SSH client to accept connection using SSH version 1.
3 A window displays prompting you to store the host key in you computer. Click Yes to continue.

Figure 87 SSH Example 1: Store Host Key

Enter the password to log in to the NWA/WAC. The CLI screen displays next.

12.5.5.2 Example 2: Linux

This section describes how to access the NWA/WAC using the OpenSSH client program that comes with most Linux distributions.

1 Test whether the SSH service is available on the NWA/WAC.

Enter "telnet 192.168.1.2 22" at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the NWA/WAC (using the default IP address of 192.168.1.2).

A message displays indicating the SSH protocol version supported by the NWA/WAC.

Figure 88 SSH Example 2: Test

$ telnet 192.168.1.2 22
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
SSH-1.5-1.0.0 

2 Enter "ssh -1 192.168.1.2". This command forces your computer to connect to the NWA/WAC using SSH version 1. If this is the first time you are connecting to the NWA/WAC using SSH, a message displays prompting you to save the host information of the NWA/WAC. Type "yes" and press [ENTER].

Then enter the password to log in to the NWA/WAC.

Figure 89 SSH Example 2: Log in

$ ssh -1 192.168.1.2
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.2' (RSA1) to the list of known hosts.
Administrator@192.168.1.2's password: 

3 The CLI screen displays next.

12.6 Telnet

You can use Telnet to access the NWA/WAC's command line interface. Click Configuration > System > TELNET to configure your NWA/WAC for remote Telnet access. Use this screen to enable or disable Telnet and set the server port number.

Figure 90 Configuration > System > TELNET

The following table describes the labels in this screen.

Table 69 Configuration > System > TELNET

12.7 FTP

You can upload and download the NWA/WAC's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. See Chapter 14 on page 169 for more information about firmware and configuration files.

To change your NWA/WAC's FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify FTP settings.

Figure 91 Configuration > System > FTP

The following table describes the labels in this screen.

Table 70 Configuration > System > FTP

12.8 SNMP

Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your NWA/WAC supports SNMP agent functionality, which allows a manager station to manage and monitor the NWA/WAC through the network. The NWA/WAC supports SNMP version one (SNMPv1), version two (SNMPv2c), and version three (SNMPv3). The next figure illustrates an SNMP management operation.

Figure 92 SNMP Management Model

graph TD
    A["MANAGER"] --> B["AGENT"]
    A --> C["AGENT"]
    A --> D["AGENT"]
    B --> E["Managed Device"]
    C --> F["Managed Device"]
    D --> G["Managed Device"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#ccf,stroke:#333
    style D fill:#ccf,stroke:#333
    linkStyle 0 stroke:#000,stroke-width:2px
    linkStyle 1 stroke:#000,stroke-width:2px
    linkStyle 2 stroke:#000,stroke-width:2px
    linkStyle 3 stroke:#000,stroke-width:2px
    linkStyle 4 stroke:#000,stroke-width:2px
    linkStyle 5 stroke:#000,stroke-width:2px
    linkStyle 6 stroke:#000,stroke-width:2px
    linkStyle 7 stroke:#000,stroke-width:2px
    linkStyle 8 stroke:#000,stroke-width:2px
    linkStyle 9 stroke:#000,stroke-width:2px
    linkStyle 10 stroke:#000,stroke-width:2px
    linkStyle 11 stroke:#000,stroke-width:2px
    linkStyle 12 stroke:#000,stroke-width:2px
    linkStyle 13 stroke:#000,stroke-width:2px
    linkStyle 14 stroke:#000,stroke-width:2px
    linkStyle 15 stroke:#000,stroke-width:2px
    linkStyle 16 stroke:#000,stroke-width:2px
    linkStyle 17 stroke:#000,stroke-width:2px
    linkStyle 18 stroke:#000,stroke-width:2px
    linkStyle 19 stroke:#000,stroke-width:2px
    linkStyle 20 stroke:#000,stroke-width:2px
    linkStyle 21 stroke:#000,stroke-width:2px
    linkStyle 22 stroke:#000,stroke-width:2px
    linkStyle 23 stroke:#000,stroke-width:2px
    linkStyle 24 stroke:#000,stroke-width:2px
    linkStyle 25 stroke:#000,stroke-width:2px
    linkStyle 26 stroke:#000,stroke-width:2px
    linkStyle 27 stroke:#000,stroke-width:2px
    linkStyle 28 stroke:#000,stroke-width:2px
    linkStyle 29 stroke:#000,stroke-width:2px
    linkStyle 30 stroke:#000,stroke-width:2px
    linkStyle 31 stroke:#000,stroke-width:2px
    linkStyle 32 stroke:#000,stroke-width:2px
    linkStyle 33 stroke:#000,stroke-width:2px
    linkStyle 34 stroke:#000,stroke-width:2px
    linkStyle 35 stroke:#000,stroke-width:2px
    linkStyle 36 stroke:#000,stroke-width:2px
    linkStyle 37 stroke:#000,stroke-width:2px
    linkStyle 38 stroke:#000,stroke-width:2px
    linkStyle 39 stroke:#000,stroke-width:2px
    linkStyle 40 stroke:#000,stroke-width:2px
    linkStyle 41 stroke:#000,stroke-width:2px
    linkStyle 42 stroke:#000,stroke-width:2px
    linkStyle 43 stroke:#000,stroke-width:2px
    linkStyle 44 stroke:#000,stroke-width:2px
    linkStyle 45 stroke:#000,stroke-width:2px
    linkStyle 46 stroke:#000,stroke-width:2px
    linkStyle 47 stroke:#000,stroke-width:2px
    linkStyle 48 stroke:#000,stroke-width:2px
    linkStyle 49 stroke:#000,stroke-width:2px
    linkStyle 50 stroke:#000,stroke-width:2px

An SNMP managed network consists of two main types of component: agents and a manager.

An agent is a management software module that resides in a managed device (the NWA/WAC). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include such as number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

• Get - Allows the manager to retrieve an object variable from the agent.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set - Allows the manager to set values for object variables within an agent.
• Trap - Used by the agent to inform the manager of some events.

12.8.1 Supported MIBs

The NWA/WAC supports MIB II that is defined in RFC-1213 and RFC-1215. The NWA/WAC also supports private MIBs (ZYXEL-ES-CAPWAP.MIB, ZYXEL-ES-COMMON.MIB, ZYXEL-ES-ZyXELAPMgmt.MIB, ZYXEL-ES-PROWLAN.MIB, ZYXEL-ES-RFMGMT.MIB, ZYXEL-ES-SMI.MIB, and ZYXEL-ES-WIRELESS.MIB) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let

administrators collect statistical data and monitor status and performance. You can download the NWA/WAC's MIBs from www.zyxel.com.

12.8.2 SNMP Traps

The NWA/WAC will send traps to the SNMP manager when any one of the following events occurs.

Table 71 SNMP Traps

12.8.3 Configuring SNMP

To change your NWA/WAC's SNMP settings, click Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings. You can also configure user profiles that define allowed SNMPv3 access.

Figure 93 Configuration > System > SNMP

The following table describes the labels in this screen.

Table 72 Configuration > System > SNMP

12.8.4 Adding or Editing an SNMPv3 User Profile

This screen allows you to add or edit an SNMPv3 user profile. To access this screen, click the Configuration > System > SNMP screen's Add button or select a SNMPv3 user profile from the list and click the Edit button.

Figure 94 Configuration > System > SNMP > Add

The following table describes the labels in this screen.

Table 73 Configuration > System > SNMP

CHAPTER 13

Log and Report

13.1 Overview

Use the system screens to configure daily reporting and log settings.

13.1.1 What You Can Do In this Chapter

• The Email Daily Report screen (Section 13.2 on page 156) configures how and where to send daily reports and what reports to send.
• The Log Setting screens (Section 13.3 on page 158) specify which logs are e-mailed, where they are e-mailed, and how often they are e-mailed.

13.2 Email Daily Report

Use this screen to start or stop data collection and view various statistics about traffic passing through your NWA/WAC.

Note: Data collection may decrease the NWA/WAC's traffic throughput rate.

Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the NWA/WAC e-mail you system statistics every day.

Figure 95 Configuration > Log & Report > Email Daily Report

The following table describes the labels in this screen.

Table 74 Configuration > Log & Report > Email Daily Report

13.3 Log Setting

These screens control log messages and alerts. A log message stores the information for viewing (for example, in the Monitor > View Log screen) or regular e-mailing later, and an alert is e-mailed immediately. Usually, alerts are used for events that require more serious attention, such as system errors and attacks.

The NWA/WAC provides a system log and supports e-mail profiles and remote syslog servers. The system log is available on the View Log screen, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers.

The Log Setting tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed.

For alerts, the Log Setting screen controls which events generate alerts and where alerts are e-mailed.

The Log Setting screen provides a summary of all the settings. You can use the Edit Log Setting screen to maintain the detailed settings (such as log categories, e-mail addresses, server names, etc.) for any log. Alternatively, if you want to edit what events is included in each log, you can also use the Active Log Summary screen to edit this information for all logs at the same time.

13.3.1 Log Setting Screen

To access this screen, click Configuration > Log & Report > Log Setting.

Figure 96 Configuration > Log & Report > Log Setting

The following table describes the labels in this screen.

Table 75 Configuration > Log & Report > Log Setting

13.3.2 Edit System Log Settings

This screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Select a system log entry in the Log Setting screen and click the Edit icon.

Figure 97 Configuration > Log & Report > Log Setting > Edit System Log Setting

The following table describes the labels in this screen.

Table 76 Configuration > Log & Report > Log Setting > Edit System Log Setting

13.3.3 Edit Remote Server

This screen controls the settings for each log in the remote server (syslog). Select a remote server entry in the Log Setting screen and click the Edit icon.

Figure 98 Configuration > Log & Report > Log Setting > Edit Remote Server

The following table describes the labels in this screen.

Table 77 Configuration > Log & Report > Log Setting > Edit Remote Server

13.3.4 Active Log Summary

This screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Setting screen, and click the Active Log Summary button.

Figure 99 Active Log Summary

This screen provides a different view and a different way of indicating which messages are included in each log and each alert. (The Default category includes debugging messages generated by open source software.)

The following table describes the fields in this screen.

Table 78 Configuration > Log & Report > Log Setting > Active Log Summary

14.1 Overview

Configuration files define the NWA/WAC's settings. Shell scripts are files of commands that you can store on the NWA/WAC and run when you need them. You can apply a configuration file or run a shell script without the NWA/WAC restarting. You can store multiple configuration files and shell script files on the NWA/WAC. You can edit configuration files or shell scripts in a text editor and upload them to the NWA/WAC. Configuration files use a .conf extension and shell scripts use a .zysh extension.

14.1.1 What You Can Do in this Chapter

• The Configuration File screen (Section 14.2 on page 170) stores and names configuration files. You can also download and upload configuration files.
• The Firmware Package screen (Section 14.3 on page 175) checks your current firmware version and uploads firmware to the NWA/WAC.
• The Shell Script screen (Section 14.4 on page 177) stores, names, downloads, uploads and runs shell script files.

14.1.2 What you Need to Know

The following terms and concepts may help as you read this chapter.

Configuration Files and Shell Scripts

When you apply a configuration file, the NWA/WAC uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the NWA/WAC only applies the commands that it contains. Other settings do not change.

These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.

Figure 100 Configuration File / Shell Script: Example

<h1 id="enter-configuration-mode">enter configuration mode</h1>
configure terminal
<h1 id="change-administrator-password">change administrator password</h1>
username admin password 4321 user-type admin
#configure default radio profile, change 2GHz channel to 11 & Tx output power # to 50%
wlan-radio-profile default
2g-channel 11
output-power 50%
exit
write 

While configuration files and shell scripts have the same syntax, the NWA/WAC applies configuration files differently than it runs shell scripts. This is explained below.

Table 79 Configuration Files and Shell Scripts in the NWA/WAC

You have to run the aforementioned example as a shell script because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode.

Comments in Configuration Files or Shell Scripts

In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the NWA/WAC treat the line as a comment.

Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the NWA/WAC exit sub command mode.

Note: "exit" or "!" must follow sub commands if it is to make the NWA/WAC exit sub command mode.

In the following example lines 1 and 2 are comments. Line 7 exits sub command mode.

! this is from Joe
<h1 id="on-20101205">on 2010/12/05</h1>
wlan-ssid-profile default
ssid Joe-AP
qos wmm
security default
! 

Errors in Configuration Files or Shell Scripts

When you apply a configuration file or run a shell script, the NWA/WAC processes the file line-by-line. The NWA/WAC checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the NWA/WAC finds an error, it stops applying the configuration file or shell script and generates a log.

You can change the way a configuration file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The NWA/WAC ignores any errors in the configuration file or shell script and applies all of the valid commands. The NWA/WAC still generates a log for any errors.

14.2 Configuration File

Click Maintenance > File Manager > Configuration File to open this screen. Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the NWA/WAC to your computer and upload configuration files from your computer to the NWA/WAC.

Once your NWA/WAC is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.

Configuration File Flow at Restart

• If there is not a startup-config.conf when you restart the NWA/WAC (whether through a management interface or by physically turning the power off and back on), the NWA/WAC uses the system-default.conf configuration file with the NWA/WAC's default settings.
• If there is a startup-config.conf, the NWA/WAC checks it for errors and applies it. If there are no errors, the NWA/WAC uses it and copies it to the lastgood.conf configuration file as a back up file. If there is an error, the NWA/WAC generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. If there isn't a lastgood.conf configuration file or it also has an error, the NWA/WAC applies the system-default.conf configuration file.
• You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The NWA/WAC ignores any errors in the startup-config.conf file and applies all of the valid commands. The NWA/WAC still generates a log for any errors.

Figure 101 Maintenance > File Manager > Configuration File

Do not turn off the NWA/WAC while configuration file upload is in progress.

The following table describes the labels in this screen.

Table 80 Maintenance > File Manager > Configuration File

LABEL	DESCRIPTION
Rename	Use this button to change the label of a configuration file on the NWA/WAC. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files.You cannot rename a configuration file to the name of another configuration file in the NWA/WAC.Click a configuration file's row to select it and click Rename to open the Rename File screen.
	Specify the new name for the configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#%^&()_+[]''.=-).Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
Remove	Click a configuration file's row to select it and click Remove to delete it from the NWA/WAC. You can only delete manually saved configuration files. You cannot delete the system-default.conf, startup-config.conf and lastgood.conf files.A pop-up window asks you to confirm that you want to delete the configuration file. Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file.
Download	Click a configuration file's row to select it and click Download to save the configuration to your computer.
Copy	Use this button to save a duplicate of a configuration file on the NWA/WAC.Click a configuration file's row to select it and click Copy to open the Copy File screen.
	Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#%^&()_+[]{''.=-).Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
Apply	Use this button to have the NWA/WAC use a specific configuration file.Click a configuration file's row to select it and clickApplyto have the NWA/WAC use that configuration file. The NWA/WAC does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.The following screen gives you options for what the NWA/WAC is to do if it encounters an error in the configuration file.Immediately stop applying the configuration file- this is not recommended because it would leave the rest of the configuration blank. If the interfaces were not configured before the first error, the console port may be the only way to access the device.Immediately stop applying the configuration file and roll back to the previous configuration - this gets the NWA/WAC started with a fully valid configuration file as quickly as possible.Ignore errors and finish applying the configuration file- this applies the valid parts of the configuration file and generates error logs for all of the configuration file's errors. This lets the NWA/WAC apply most of your configuration and you can refer to the logs for what to fix.Ignore errors and finish applying the configuration file and then roll back to the previous configuration- this applies the valid parts of the configuration file, generates error logs for all of the configuration file's errors, and starts the NWA/WAC with a fully valid configuration file.Click OKto have the NWA/WAC start applying the configuration file or clickCancelto close the screen
#	This column displays the number for each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space.
File Name	This column displays the label that identifies a configuration file.You cannot delete the following configuration files or change their file names.Thesystem-default.conffile contains the NWA/WAC's default settings. Select this file and clickApplyto reset all of the NWA/WAC settings to the factory defaults. This configuration file is included when you upload a firmware package.Thestartup-config.conffile is the configuration file that the NWA/WAC is currently using. If you make and save changes during your management session, the changes are applied to this configuration file. The NWA/WAC applies configuration changes made in the Web Configurator to the configuration file when you clickApplyorOK. It applies configuration changes made via commands when you use the write command.Thelastgood.confis the most recently used (valid) configuration file that was saved when the device last restarted. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
Size	This column displays the size (in KB) of a configuration file.
Last Modified	This column displays the date and time that the individual configuration files were last changed or saved.
Upload Configuration File	The bottom part of the screen allows you to upload a new or previously saved configuration file from your computer to your NWA/WACYou cannot upload a configuration file named system-default.conf or lastgood.conf.If you upload startup-config.conf, it will replace the current configuration and immediately apply the new settings.
File Path	Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...	Click Browse... to find the .conf file you want to upload. The configuration file must use a “.conf” filename extension. You will receive an error message if you try to upload a fie of a different format. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload	Click Upload to begin the upload process. This process may take up to two minutes.

14.2.1 Example of Configuration File Download Using FTP

The following example gets a configuration file named startup-config.conf from the NWA/WAC and saves it on the computer.

1 Connect your computer to the NWA/WAC.
2 The FTP server IP address of the NWA/WAC in standalone AP mode is 192.168.1.2, so set your computer to use a static IP address from 192.168.1.3 \~ 192.168.1.254.
3 Use an FTP client on your computer to connect to the NWA/WAC. For example, in the Windows command prompt, type ftp 192.168.1.2. Keep the console session connected in order to see when the firmware recovery finishes.
4 Enter your user name when prompted.
5 Enter your password as requested.
6 Use "cd" to change to the directory that contains the files you want to download.
7 Use "dir" or "ls" if you need to display a list of the files in the directory.
8 Use "get" to download files. Transfer the configuration file on the NWA/WAC to your computer. Type get followed by the name of the configuration file. This examples uses get startup-config.conf.

C:\>ftp 192.168.1.2
Connected to 192.168.1.2.
220---- Welcome to Pure-FTPd [privsep] [TLS] ----
220-You are user number 1 of 5 allowed.
220-Local time is now 21:28. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 600 minutes of inactivity.
User (192.168.1.2:(none)): admin
331 User admin OK. Password required
Password:
230 OK. Current restricted directory is /
ftp> cd conf
250 OK. Current directory is /conf
ftp> ls
200 PORT command successful
150 Connecting to port 5001
lastgood.conf
startup-config.conf
system-default.conf
226 3 matches total
ftp: 57 bytes received in 0.33Seconds 0.17Kbytes/sec.
ftp> get startup-config.conf
200 PORT command successful
150 Connecting to port 5002
226-File successfully transferred
226 0.002 seconds (measured here), 1.66 Mbytes per second
ftp: 2928 bytes received in 0.02Seconds 183.00Kbytes/sec.
ftp> 

9 Wait for the file transfer to complete.

10 Enter "quit" to exit the ftp prompt.

14.3 Firmware Package

Click Maintenance > File Manager > Firmware Package to open this screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the NWA/WAC.

Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.

Find the firmware package at www.zyxel.com in a file that (usually) uses a .bin extension.

The firmware update can take up to five minutes. Do not turn off or reset the NWA/WAC while the firmware update is in progress!

Figure 102 Maintenance > File Manager > Firmware Package

The following table describes the labels in this screen.

Table 81 Maintenance > File Manager > Firmware Package

After you see the Firmware Upload in Process screen, wait two minutes before logging into the NWA/WAC again.

Note: The NWA/WAC automatically reboots after a successful upload.

The NWA/WAC automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 103 Network Temporarily Disconnected

After five minutes, log in again and check your new firmware version in the Dashboard screen.

14.3.1 Example of Firmware Upload Using FTP

This procedure requires the NWA/WAC's firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, "420AAHY1C0.bin". Do the following after you have obtained the firmware file.

1 Connect your computer to the NWA/WAC.
2 The FTP server IP address of the NWA/WAC in standalone AP mode is 192.168.1.2, so set your computer to use a static IP address from 192.168.1.3 \~ 192.168.1.254.
3 Use an FTP client on your computer to connect to the NWA/WAC. For example, in the Windows command prompt, type ftp 192.168.1.2. Keep the console session connected in order to see when the firmware recovery finishes.
4 Enter your user name when prompted.
5 Enter your password as requested.
6 Enter "hash" for FTP to print a `#` character for every 1024 bytes of data you upload so that you can watch the file transfer progress.
7 Enter "bin" to set the transfer mode to binary.
8 Transfer the firmware file from your computer to the NWA/WAC. Type put followed by the path and name of the firmware file. This examples uses put C:\ftproot\NWA/WAC_FW\500ABFH0C0.bin.

C:\>ftp 192.168.1.2
Connected to 192.168.1.2.
220---- Welcome to Pure-FTPd [privsep] [TLS] ----
220-You are user number 1 of 5 allowed.
220-Local time is now 21:28. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 600 minutes of inactivity.
User (192.168.1.2:(none)): admin
331 User admin OK. Password required
Password:
230 OK. Current restricted directory is /
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp> bin
200 TYPE is now 8-bit binary
ftp> put C:\ftproot\NWA/WAC_FW\500ABFH0C0.bin 

9 Wait for the file transfer to complete.

10 Enter "quit" to exit the ftp prompt.

14.4 Shell Script

Use shell script files to have the NWA/WAC use commands that you specify. Use a text editor to create the shell script files. They must use a “.zysh” filename extension.

Click Maintenance > File Manager > Shell Script to open this screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the NWA/WAC at the same time.

Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the NWA/WAC restarts. You could use multiple write commands in a long script.

Figure 104 Maintenance > File Manager > Shell Script

Each field is described in the following table.

Table 82 Maintenance > File Manager > Shell Script

CHAPTER 15 Diagnostics

15.1 Overview

Use the diagnostics screen for troubleshooting.

15.1.1 What You Can Do in this Chapter

- The Diagnostics screen (Section 15.2 on page 180) generates a file containing the NWA/WAC's configuration and diagnostic information if you need to provide it to customer support during troubleshooting.

15.2 Diagnostics

This screen provides an easy way for you to generate a file containing the NWA/WAC's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.

Click Maintenance > Diagnostics to open the Diagnostic screen.

Figure 105 Maintenance > Diagnostics

The following table describes the labels in this screen.

Table 83 Maintenance > Diagnostics

16.1 Overview

The LEDs of your NWA/WAC can be controlled such that they stay lit (ON) or OFF after the NWA/WAC is ready. There are two features that control the LEDs of your NWA/WAC - Locator and Suppression.

16.1.1 What You Can Do in this Chapter

• The Suppression screen (Section 16.2 on page 182)) allows you to set how you want the LEDs to behave after the device is ready.
• The Locator screen (Section 16.3 on page 183) allows users to see the actual location of the NWA/WAC between several devices in the network.

16.2 Suppression Screen

The LED Suppression feature allows you to control how the LEDs of your NWA/WAC behave after it's ready. The default LED suppression setting of your AP is different depending on your NWA/WAC model.

You can go to the Maintenance > LEDs > Suppression screen to see the default LED behavior and change the LED suppression setting. After you make changes in the suppression screen, it will be stored as the default when the NWA/WAC is restarted. See (Section 1.6 on page 20) for information on default values for different models.

Note: When the NWA/WAC is booting or performing firmware upgrade, the LEDs will lit regardless of the setting in LED suppression.

To access this screen, click Maintenance > LEDs > Suppression.

Figure 106 Maintenance > LEDs > Suppression

The following table describes fields in the above screen.

Table 84 Maintenance > LED > Suppression

16.3 Locator Screen

The Locator feature identifies the location of your WAC among several devices in the network. You can run this feature and set a timer in this screen.

To run the locator feature, enter a number of minutes and click Turn On button to have the WAC find its location. The Locator LED will start to blink for the number of minutes set in the Locator screen. The default setting is 10 minutes. While the locator is running, the turn on button will grey out and return after it's finished. If you make changes to the time default setting, it will be stored as the default when the WAC restarts.

Note: The Locator feature is not affected by the Suppression setting.

To access this screen, click Maintenance > LEDs > Locator.

Figure 107 Maintenance > LEDs > Locator

The following table describes fields in the above screen.

Table 85 Maintenance > LED > Locator

CHAPTER 17

Antenna Switch

17.1 Overview

Use this screen to adjust coverage depending on the orientation of the antenna.

17.1.1 What You Need To Know

Positioning the antennas properly increases the range and coverage area of a wireless LAN.

On the NWA/WAC that comes with internal antennas and also has an antenna switch, you can adjust coverage depending on the orientation of the antenna for the NWA/WAC radios using the web configurator, the command line interface (CLI) or a physical switch. Check Table 1 on page 11 and Table 2 on page 12 to see if your NWA/WAC has an antenna switch.

Figure 108 WAC6103D-I Physical Antenna Switch

Note: With the physical antenna switch, you apply the same antenna orientation settings to both radios. You can set the radios to have different settings while using the web configurator or the command line interface.
Note: The antenna switch in the web configurator has priority over the physical antenna switch after you Enable Software Control in the Maintenance > Antenna screen. By default, software control is disabled.

17.2 Antenna Switch Screen

To access this screen, click Maintenance > Antenna.

Figure 109 Maintenance > Antenna > Antenna Switch

Select the Enable Software Control option to use the Web configurator to adjust coverage depending on each radio's antenna orientation for better coverage. Select Wall if you mount the NWA/WAC to a wall. Select Ceiling if the the NWA/WAC is mounted on a ceiling. You can switch from Wall to Ceiling if there are still wireless dead zones, and vice versa.

CHAPTER 18 Reboot

18.1 Overview

Use this screen to restart the device.

18.1.1 What You Need To Know

If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot.

Reboot is different to reset; reset returns the device to its default configuration.

18.2 Reboot

This screen allows remote users can restart the device. To access this screen, click Maintenance > Reboot.

Figure 110 Maintenance > Reboot

Click the Reboot button to restart the NWA/WAC. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser.

You can also use the CLI command reboot to restart the NWA/WAC.

CHAPTER 19 Shutdown

19.1 Overview

Use this screen to shut down the device.

Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the NWA/WAC or remove the power. Not doing so can cause the firmware to become corrupt.

19.1.1 What You Need To Know

Shutdown writes all cached data to the local storage and stops the system processes. Shutdown is different to reset; reset returns the device to its default configuration.

19.2 Shutdown

To access this screen, click Maintenance > Shutdown.

Figure 111 Maintenance > Shutdown

Click the Shutdown button to shut down the NWA/WAC. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power.

You can also use the CLI command shutdown to shut down the NWA/WAC.

20.1 Overview

This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.

• Power, Hardware Connections, and LED
• NWA/WAC Access and Login
- Internet Access
- Wireless Connections
- Resetting the NWA/WAC

20.2 Power, Hardware Connections, and LED

The NWA/WAC does not turn on. The LED is not on.

1 Make sure you are using the power adaptor included with the NWA/WAC or a PoE power injector/ switch.
2 Make sure the power adaptor or PoE power injector/switch is connected to the NWA/WAC and plugged in to an appropriate power source. Make sure the power source is turned on.
3 Disconnect and re-connect the power adaptor or PoE power injector/switch.
4 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
5 If none of these steps work, you may have faulty hardware and should contact your NWA/WAC vendor.

The LED does not behave as expected.

1 Make sure you understand the normal behavior of the LED. See Section 1.6 on page 20.
2 Check the hardware connections. See the Quick Start Guide.
3 Inspect your cables for damage. Contact the vendor to replace any damaged cables.

4 Disconnect and re-connect the power adaptor or PoE power injector to the NWA/WAC.
5 If the problem continues, contact the vendor.

20.3 NWA/WAC Access and Login

I forgot the IP address for the NWA/WAC.

1 The default IP address (in standalone AP mode) is 192.168.1.2.
2 If you changed the IP address and have forgotten it, you have to reset the device to its factory defaults. See Section 20.6 on page 197.
3 If your NWA/WAC is a DHCP client, you can find your IP address from the DHCP server. This information is only available from the DHCP server which allocates IP addresses on your network. Find this information directly from the DHCP server or contact your system administrator for more information.

I cannot see or access the Login screen in the web configurator.

1 Make sure you are using the correct IP address.
- The default IP address (in standalone AP mode) is 192.168.1.2.
- If you changed the IP address, use the new IP address.
- If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the NWA/WAC.

2 Check the hardware connections, and make sure the LED is behaving as expected. See the Quick Start Guide and Section 1.6 on page 20.

3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled.

4 Make sure your computer is in the same subnet as the NWA/WAC. (If you know that there are routers between your computer and the NWA/WAC, skip this step.)

• If there is a DHCP server on your network, make sure your computer is using a dynamic IP address.
• If there is no DHCP server on your network, make sure your computer's IP address is in the same subnet as the NWA/WAC.

5 Reset the device to its factory defaults, and try to access the NWA/WAC with the default IP address. See Section 20.6 on page 197.

6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions

• Try to access the NWA/WAC using another service, such as Telnet. If you can access the NWA/WAC, check the remote management settings to find out why the NWA/WAC does not respond to HTTP.
• If your computer is connected wirelessly, use a computer that is connected to a LAN/ETHERNET port.

I forgot the password.

1 The default password is 1234.
2 If this does not work, you have to reset the device to its factory defaults. See Section 20.6 on page 197.

I can see the Login screen, but I cannot log in to the NWA/WAC.

1 Make sure you have entered the user name and password correctly. The default password is 1234. This fields are case-sensitive, so make sure [Caps Lock] is not on.
2 You cannot log in to the web configurator while someone is using Telnet to access the NWA/WAC. Log out of the NWA/WAC in the other session, or ask the person who is logged in to log out.
3 Disconnect and re-connect the power adaptor or PoE power injector to the NWA/WAC.
4 If this does not work, you have to reset the device to its factory defaults. See Section 20.6 on page 197.

I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware.

See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.

20.4 Internet Access

I cannot access the Internet.

1 Check the hardware connections, and make sure the LED is behaving as expected. See the Quick Start Guide and Section 20.2 on page 189.
2 Make sure the NWA/WAC is connected to a broadband modem or router with Internet access and your computer is set to obtain an dynamic IP address.

3 If you are trying to access the Internet wirelessly, make sure the wireless settings on the wireless client are the same as the settings on the NWA/WAC.
4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
5 If the problem continues, contact your ISP.

I cannot access the Internet anymore. I had access to the Internet (with the NWA/WAC), but my Internet connection is not available anymore.

1 Check the hardware connections, and make sure the LED is behaving as expected. See the Quick Start Guide and Section 1.6 on page 20.
2 Reboot the NWA/WAC.
3 If the problem continues, contact your ISP.

The Internet connection is slow or intermittent.

1 There might be a lot of traffic on the network. Look at the LED, and check Section 1.6 on page 20. If the NWA/WAC is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications.
2 Check the signal strength. If the signal is weak, try moving the NWA/WAC closer to the NWA/WAC (if possible), and look around to see if there are any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on).
3 Reboot the NWA/WAC.
4 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions

Check the settings for QoS. If it is disabled, you might consider activating it. If it is enabled, you might consider raising or lowering the priority for some applications.

20.5 Wireless Connections

I cannot access the NWA/WAC or ping any computer from the WLAN.

1 Make sure the wireless LAN (wireless radio) is enabled on the NWA/WAC.

2 Make sure the radio or at least one of the NWA/WAC's radios is operating in AP mode.
3 Make sure the wireless adapter (installed on your computer) is working properly.
4 Make sure the wireless adapter (installed on your computer) is IEEE 802.11 compatible and supports the same wireless standard as the NWA/WAC's active radio.
5 Make sure your computer (with a wireless adapter installed) is within the transmission range of the NWA/WAC.
6 Check that both the NWA/WAC and your computer are using the same wireless and wireless security settings.

Hackers have accessed my WEP-encrypted wireless LAN.

WEP is extremely insecure. Its encryption can be broken by an attacker, using widely-available software. It is strongly recommended that you use a more effective security mechanism. Use the strongest security mechanism that all the wireless devices in your network support. WPA2 or WPA2-PSK is recommended.

The wireless security is not following the re-authentication timer setting I specified.

If a RADIUS server authenticates wireless stations, the re-authentication timer on the RADIUS server has priority. Change the RADIUS server's configuration if you need to use a different re-authentication timer setting.

I cannot get a certificate to import into the NWA/WAC.

1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the NWA/WAC. You can also import a certificate in PKCS#12 format, including the certificate's public and private keys.
2 You must remove any spaces from the certificate's filename before you can import the certificate.
3 Any certificate that you want to import has to be in one of these file formats:
- Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
- PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
- Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The NWA/WAC currently allows the importation of a PKS#7 file that contains a single certificate.
- PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.

- Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the NWA/WAC.

Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.

I can only see newer logs. Older logs are missing.

When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.

The commands in my configuration file or shell script are not working properly.

• In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the NWA/WAC treat the line as a comment.
• Your configuration files or shell scripts can use "exit" or a command line consisting of a single "!" to have the NWA/WAC exit sub command mode.
• Include write commands in your scripts. Otherwise the changes will be lost when the NWA/WAC restarts. You could use multiple write commands in a long script.

Note: "exit" or "!" must follow sub commands if it is to make the NWA/WAC exit sub command mode.

I cannot get the firmware uploaded using the commands.

The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.

Wireless clients are not being load balanced among my APs.

• Make sure that all the APs used by the wireless clients in question share the same SSID, security, and radio settings.
• Make sure that all the APs are in the same broadcast domain.
• Make sure that the wireless clients are in range of the other APs; if they are only in range of a single AP, then load balancing may not be as effective.

In the Monitor > Wireless > AP Information > Radio List screen, there is no load balancing indicator associated with any APs assigned to the load balancing task.

• Check to be sure that the AP profile which contains the load balancing settings is correctly assigned to the APs in question.
• The load balancing task may have been terminated because further load balancing on the APs in question is no longer required.

How do I remove the WAC6500 series indoor AP from its mounting bracket?

- Find the down arrow close to the Ethernet ports, then use a thin flat tool (for example, a flat screw driver) to lift up a clip beneath the down arrow.

- Turn the WAC6500 series indoor AP counter-clockwise.

- Detach the WAC6500 series indoor AP from the mounting bracket.

How do I remove the NWA1123-AC PRO and WAC6103D-I indoor AP from its mounting bracket?

- Find the down arrow close to the Ethernet ports, then use a thin flat tool (for example, a flat screw driver) to lift up a clip beneath 5GHz LED.

- Turn the NWA1123-AC PRO or WAC6103D-I indoor AP counter-clockwise to detach it from the mounting bracket.

20.6 Resetting the NWA/WAC

If you cannot access the NWA/WAC by any method, try restarting it by turning the power off and then on again. If you still cannot access the NWA/WAC by any method or you forget the administrator password(s), you can reset the NWA/WAC to its factory-default settings. Any configuration files or shell scripts that you saved on the NWA/WAC should still be available afterwards.

Use the following procedure to reset the NWA/WAC to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system-default.conf file.

Note: This procedure removes the current configuration.

1 Make sure the Power LED is on and not blinking.
2 Press the RESET button and hold it until the Power LED begins to blink. (This usually takes about ten seconds.)
3 Release the RESET button, and wait for the NWA/WAC to restart.
You should be able to access the NWA/WAC using the default settings.

20.7 Getting More Troubleshooting Help

Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.

APPENDIX A

Importing Certificates

This appendix shows you how to import public key certificates into your web browser.

Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitimate.

Many Zyxel products, such as the NWA/WAC, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the Zyxel-created certificate into your web browser and flag that certificate as a trusted authority.

Note: You can see if you are browsing on a secure website if the URL in your web browser's address bar begins with https:// or there is a sealed padlock icon ( ) somewhere in the main browser window (not all browsers show the padlock in the same location).

Internet Explorer

The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, they can also apply to Internet Explorer on Windows Vista.

1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2 Click Continue to this website (not recommended).
3 In the Address Bar, click Certificate Error > View certificates.

4 In the Certificate dialog box, click Install Certificate.

5 In the Certificate Import Wizard, click Next.

6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.

7 Otherwise, select Place all certificates in the following store and then click Browse.

8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.

9 In the Completing the Certificate Import Wizard screen, click Finish.

10 If you are presented with another Security Warning, click Yes.

11 Finally, click OK when presented with the successful certificate installation message.

12 The next time you start Internet Explorer and go to a Zyxel Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information.

Installing a Stand-Alone Certificate File in Internet Explorer

Rather than browsing to a Zyxel Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Double-click the public key certificate file.

CA.cer

2 In the security warning dialog box, click Open.

3 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 199 to complete the installation process.

Removing a Certificate in Internet Explorer

This section shows you how to remove a public key certificate in Internet Explorer 7 on Windows XP.

1 Open Internet Explorer and click Tools > Internet Options.

2 In the Internet Options dialog box, click Content > Certificates.

3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.

4 In the Certificates confirmation, click Yes.

5 In the Root Certificate Store dialog box, click Yes.

6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Firefox

The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.

1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2 Select Accept this certificate permanently and click OK.

3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page's security information.

Installing a Stand-Alone Certificate File in Firefox

Rather than browsing to a Zyxel Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Firefox and click Tools > Options.

2 In the Options dialog box, click Advanced > Encryption > View Certificates.

3 In the Certificate Manager dialog box, click Web Sites > Import.

4 Use the Select File dialog box to locate the certificate and then click Open.

5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information.

Removing a Certificate in Firefox

This section shows you how to remove a public key certificate in Firefox 2.

1 Open Firefox and click Tools > Options.

2 In the Options dialog box, click Advanced > Encryption > View Certificates.

3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.

4 In the Delete Web Site Certificates dialog box, click OK.

5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Overview

IPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 × 10^38 IP addresses.

IPv6 Addressing

The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

IPv6 addresses can be abbreviated in two ways:

• Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0.
• Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.

Prefix and Prefix Length

Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An IPv6 prefix length specifies how many most significant bits (start from the left) in the address compose the network address. The prefix length is written as "/x" where x is a number. For example,

2001:db8:1a2b:15::1a2f:0/32

means that the first 32 bits (2001:db8) is the subnet prefix.

Link-local Address

A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a “private IP address” in IPv4. You can have the same link-local address on multiple interfaces on a device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast address format is as follows.

Table 86 Link-local Unicast Address Format

Global Address

A global address uniquely identifies a device on the Internet. It is similar to a “public IP address” in IPv4. A global unicast address starts with a 2 or 3.

Unspecified Address

An unspecified address (0:0:0:0:0:0:0 or ::) is used as the source address when a device does not have its own address. It is similar to "0.0.0.0" in IPv4.

Loopback Address

A loopback address (0:0:0:0:0:0:1 or ::1) allows a host to send packets to itself. It is similar to "127.0.0.1" in IPv4.

Multicast Address

In IPv6, multicast addresses provide the same functionality as IPv4 broadcast addresses. Broadcasting is not supported in IPv6. A multicast address allows a host to send packets to all hosts in a multicast group.

Multicast scope allows you to determine the size of the multicast group. A multicast address has a predefined prefix of ff00::/8. The following table describes some of the predefined multicast addresses.

Table 87 Predefined Multicast Address

The following table describes the multicast addresses which are reserved and can not be assigned to a multicast group.

Table 88 Reserved Multicast Address

Both an IPv6 address and IPv6 subnet mask compose of 128-bit binary digits, which are divided into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each character (1 \~ 10, A \~ F). Each block's 16 bits are then represented by four hexadecimal characters. For example, FFFF:FFFF:FFFF:FFFF:FC00:0000:0000:0000.

Interface ID

In IPv6, an interface ID is a 64-bit identifier. It identifies a physical interface (for example, an Ethernet port) or a virtual interface (for example, the management IP address for a VLAN). One interface should have a unique interface ID.

EUI-64

The EUI-64 (Extended Unique Identifier) defined by the IEEE (Institute of Electrical and Electronics Engineers) is an interface ID format designed to adapt with IPv6. It is derived from the 48-bit (6-byte) Ethernet MAC address as shown next. EUI-64 inserts the hex digits fffe between the third and fourth bytes of the MAC address and complements the seventh bit of the first byte of the MAC address. See the following example.

Table 89

With stateless autoconfiguration in IPv6, addresses can be uniquely and automatically generated. Unlike DHCPv6 (Dynamic Host Configuration Protocol version six) which is used in IPv6 stateful autoconfiguration, the owner and status of addresses don't need to be maintained by a DHCP server. Every IPv6 device is able to generate its own and unique IP address automatically when IPv6 is initiated on its interface. It combines the prefix and the interface ID (generated from its own Ethernet MAC address, see Interface ID and EUI-64) to form a complete IPv6 address.

When IPv6 is enabled on a device, its interface automatically generates a link-local address (beginning with fe80).

When the interface is connected to a network with a router and the NWA/WAC is set to automatically obtain an IPv6 network prefix from the router for the interface, it generates ^1 another address which combines its interface ID and global and subnet information advertised from the router. This is a routable global IP address.

DHCPv6

The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, RFC 3315) is a server-client protocol that allows a DHCP server to assign and pass IPv6 network addresses, prefixes and other configuration information to DHCP clients. DHCPv6 servers and clients exchange DHCP messages using UDP.

Each DHCP client and server has a unique DHCP Unique IDentifier (DUID), which is used for identification when they are exchanging DHCPv6 messages. The DUID is generated from the MAC address, time, vendor assigned ID and/or the vendor's private enterprise number registered with the IANA. It should not change over time even after you reboot the device.

Identity Association

An Identity Association (IA) is a collection of addresses assigned to a DHCP client, through which the server and client can manage a set of related IP addresses. Each IA must be associated with exactly one interface. The DHCP client uses the IA assigned to an interface to obtain configuration from a DHCP server for that interface. Each IA consists of a unique IAID and associated IP information.

The IA type is the type of address in the IA. Each IA holds one type of address. IA_NA means an identity association for non-temporary addresses and IA_TA is an identity association for temporary addresses. An IA_NA option contains the T1 and T2 fields, but an IA_TA option does not. The DHCPv6 server uses T1 and T2 to control the time at which the client contacts with the server to extend the lifetimes on any addresses in the IA_NA before the lifetimes expire. After T1, the client sends the server (S1) (from which the addresses in the IA_NA were obtained) a Renew message. If the time T2 is reached and the server does not respond, the client sends a Rebind message to any available server (S2). For an IA_TA, the client may send a Renew or Rebind message at the client's discretion.

graph LR
    A["T1"] --> B["T2"]
    B --> C["..."]
    C --> D["Rebind to S2"]
    B --> E["Rebind to S2"]
    B --> F["Renew to S1"]
    B --> G["Renew to S1"]
    B --> H["Renew to S1"]
    style A fill:#fff,stroke:#000
    style B fill:#fff,stroke:#000
    style C fill:#fff,stroke:#000
    style D fill:#fff,stroke:#000
    style E fill:#fff,stroke:#000
    style F fill:#fff,stroke:#000
    style G fill:#fff,stroke:#000
    style H fill:#fff,stroke:#000

DHCP Relay Agent

A DHCP relay agent is on the same network as the DHCP clients and helps forward messages between the DHCP server and clients. When a client cannot use its link-local address and a well-known multicast address to locate a DHCP server on its network, it then needs a DHCP relay agent to send a message to a DHCP server that is not attached to the same network.

The DHCP relay agent can add the remote identification (remote-ID) option and the interface-ID option to the Relay-Forward DHCPv6 messages. The remote-ID option carries a user-defined string, such as the system name. The interface-ID option provides slot number, port information and the VLAN ID to the DHCPv6 server. The remote-ID option (if any) is stripped from the Relay-Reply messages before the relay agent sends the packets to the clients. The DHCP server copies the interface-ID option from the Relay-Forward message into the Relay-Reply message and sends it to the relay agent. The interface-ID should not change even after the relay agent restarts.

Prefix Delegation

Prefix delegation enables an IPv6 router to use the IPv6 prefix (network address) received from the ISP (or a connected uplink router) for its LAN. The NWA/WAC uses the received IPv6 prefix (for example, 2001:db2::/48) to generate its LAN IP address. Through sending Router Advertisements (RAs) regularly by multicast, the NWA/WAC passes the IPv6 prefix information to its LAN hosts. The hosts then can use the prefix to generate their IPv6 addresses.

ICMPv6

Internet Control Message Protocol for IPv6 (ICMPv6 or ICMP for IPv6) is defined in RFC 4443. ICMPv6 has a preceding Next Header value of 58, which is different from the value used to identify ICMP for IPv4. ICMPv6 is an integral part of IPv6. IPv6 nodes use ICMPv6 to report errors encountered in packet processing and perform other diagnostic functions, such as "ping".

Neighbor Discovery Protocol (NDP)

The Neighbor Discovery Protocol (NDP) is a protocol used to discover other IPv6 devices and track neighbor's reachability in a network. An IPv6 device uses the following ICMPv6 messages types:

• Neighbor solicitation: A request from a host to determine a neighbor's link-layer address (MAC address) and detect if the neighbor is still reachable. A neighbor being “reachable” means it responds to a neighbor solicitation message (from the host) with a neighbor advertisement message.
• Neighbor advertisement: A response from a node to announce its link-layer address.
• Router solicitation: A request from a host to locate a router that can act as the default router and forward packets.
• Router advertisement: A response to a router solicitation or a periodical multicast advertisement from a router to advertise its presence and other parameters.

IPv6 Cache

An IPv6 host is required to have a neighbor cache, destination cache, prefix list and default router list. The NWA/WAC maintains and updates its IPv6 caches constantly using the information from response messages. In IPv6, the NWA/WAC configures a link-local address automatically, and then sends a neighbor solicitation message to check if the address is unique. If there is an address to be resolved or verified, the NWA/WAC also sends out a neighbor solicitation message. When the NWA/WAC receives a neighbor advertisement in response, it stores the neighbor's link-layer address in the neighbor cache. When the NWA/WAC uses a router solicitation message to query for a router and receives a router advertisement message, it adds the router's information to the neighbor cache, prefix list and destination cache. The NWA/WAC creates an entry in the default router list cache if the router can be used as a default router.

When the NWA/WAC needs to send a packet, it first consults the destination cache to determine the next hop. If there is no matching entry in the destination cache, the NWA/WAC uses the prefix list to determine whether the destination address is on-link and can be reached directly without passing through a router. If the address is onlink, the address is considered as the next hop. Otherwise, the NWA/WAC determines the next-hop from the default router list or routing table. Once the next hop IP address is known, the NWA/WAC looks into the neighbor cache to get the link-layer address and sends the packet when the neighbor is reachable. If the NWA/WAC cannot find an entry in the neighbor cache or the state for the neighbor is not reachable, it starts the address resolution process. This helps reduce the number of IPv6 solicitation and advertisement messages.

Multicast Listener Discovery

The Multicast Listener Discovery (MLD) protocol (defined in RFC 2710) is derived from IPv4's Internet Group Management Protocol version 2 (IGMPv2). MLD uses ICMPv6 message types, rather than IGMP message types. MLDv1 is equivalent to IGMPv2 and MLDv2 is equivalent to IGMPv3.

MLD allows an IPv6 switch or router to discover the presence of MLD listeners who wish to receive multicast packets and the IP addresses of multicast groups the hosts want to join on its network.

MLD snooping and MLD proxy are analogous to IGMP snooping and IGMP proxy in IPv4.

MLD filtering controls which multicast groups a port can join.

MLD Messages

A multicast router or switch periodically sends general queries to MLD hosts to update the multicast forwarding table. When an MLD host wants to join a multicast group, it sends an MLD Report message for that address.

An MLD Done message is equivalent to an IGMP Leave message. When an MLD host wants to leave a multicast group, it can send a Done message to the router or switch. The router or switch then sends a group-specific query to the port on which the Done message is received to determine if other devices connected to this port should remain in the group.

Example - Enabling IPv6 on Windows XP/2003/Vista

By default, Windows XP and Windows 2003 support IPv6. This example shows you how to use the ipv6 install command on Windows XP/2003 to enable IPv6. This also displays how to use the ipconfig command to see auto-generated IP addresses.

C:\>ipv6 install
Installing...
Succeeded.

C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.1.46
Subnet Mask . . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . . : fe80::2d0:59ff:feb8:103c%4
Default Gateway . . . . . . . . . : 10.1.1.254 

IPv6 is installed and enabled by default in Windows Vista. Use the ipconfig command to check your automatic configured IPv6 address as well. You should see at least one IPv6 address available for the interface on your computer.

Example - Enabling DHCPv6 on Windows XP

Windows XP does not support DHCPv6. If your network uses DHCPv6 for IP address assignment, you have to additionally install a DHCPv6 client software on your Windows XP. (Note: If you use static IP addresses or Router Advertisement for IPv6 address assignment in your network, ignore this section.)

This example uses Dibbler as the DHCPv6 client. To enable DHCPv6 client on your computer:

1 Install Dibbler and select the DHCPv6 client option on your computer.
2 After the installation is complete, select Start > All Programs > Dibbler-DHCPv6 > Client Install as service.
3 Select Start > Control Panel > Administrative Tools > Services.
4 Double click Dibbler - a DHCPv6 client.

5 Click Start and then OK.

6 Now your computer can obtain an IPv6 address from a DHCPv6 server.

Example - Enabling IPv6 on Windows 7

Windows 7 supports IPv6 by default. DHCPv6 is also enabled when you enable IPv6 on a Windows 7 computer.

To enable IPv6 in Windows 7:

1 Select Control Panel > Network and Sharing Center > Local Area Connection.
2 Select the Internet Protocol Version 6 (TCP/IPv6) checkbox to enable it.
3 Click OK to save the change.

4 Click Close to exit the Local Area Connection Status screen.
5 Select Start > All Programs > Accessories > Command Prompt.
6 Use the ipconfig command to check your dynamic IPv6 address. This example shows a global address (2001:b021:2d::1000) obtained from a DHCP server.

C:\>ipconfig 

Windows IP Configuration 

Ethernet adapter Local Area Connection: 

Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:b021:2d::1000
Link-local IPv6 Address . . . . . : fe80::25d8:dcab:c80a:5189%11
IPv4 Address. . . . . . . . . . . : 172.16.100.61
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::213:49ff:feaa:7125%11
172.16.100.254 

APPENDIX C

Customer Support

In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a Zyxel office for the region in which you bought the device.

See http://www.zyxel.com/homepage.shtml and also

http://www.zyxel.com/about_zyxel/zyxel_worldwide.shtml for the latest information.

Please have the following information ready when you contact an office.

Required Information

• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

Corporate Headquarters (Worldwide)

Taiwan

• Zyxel Communications Corporation
- http://www.zyxel.com

Asia

China

• Zyxel Communications (Shanghai) Corp.

Zyxel Communications (Beijing) Corp.

Zyxel Communications (Tianjin) Corp.

- http://www.zyxel.cn

India

• Zyxel Technology India Pvt Ltd
- http://www.zyxel.in

Kazakhstan

• Zyxel Kazakhstan
• http://www.zyxel.kz

Korea

• Zyxel Korea Corp.
• http://www.zyxel.kr

Malaysia

• Zyxel Malaysia Sdn Bhd.
- http://www.zyxel.com.my

Pakistan

• Zyxel Pakistan (Pvt.) Ltd.
- http://www.zyxel.com.pk

Philippines

• Zyxel Philippines
• http://www.zyxel.com.ph

Singapore

• Zyxel Singapore Pte Ltd.
- http://www.zyxel.com.sg

Taiwan

• Zyxel Communications Corporation
- http://www.zyxel.com/tw/zh/

Thailand

• Zyxel Thailand Co., Ltd
- http://www.zyxel.co.th

Vietnam

• Zyxel Communications Corporation-Vietnam Office
- http://www.zyxel.com/vn/vi

Europe

Austria

• Zyxel Lithuania
• http://www.zyxel.com/lt/lt/homepage.shtml

Netherlands

• Zyxel Benelux
• http://www.zyxel.nl

Norway

• Zyxel Communications
- http://www.zyxel.no

Poland

• Zyxel Communications Poland
- http://www.zyxel.pl

Romania

• Zyxel Romania
• http://www.zyxel.com/ro/ro

Russia

• Zyxel Russia
• http://www.zyxel.ru

Slovakia

• Zyxel Communications Czech s.r.o. organizacna zlozka
- http://www.zyxel.sk

Spain

• Zyxel Communications ES Ltd
- http://www.zyxel.es

Sweden

• Zyxel Communications
- http://www.zyxel.se

Switzerland

- Studerus AG

- http://www.zyxel.ch/

Turkey

• Zyxel Turkey A.S.
• http://www.zyxel.com.tr

UK

• Zyxel Communications UK Ltd.
- http://www.zyxel.co.uk

Ukraine

• Zyxel Ukraine
• http://www.ua.zyxel.com

Latin America

Argentina

• Zyxel Communication Corporation
- http://www.zyxel.com/ec/es/

Brazil

• Zyxel Communications Brasil Ltda.
- https://www.zyxel.com/br/pt/

Ecuador

• Zyxel Communication Corporation
- http://www.zyxel.com/ec/es/

Middle East

Israel

• Zyxel Communication Corporation
- http://il.zyxel.com/homepage.shtml

Middle East

• Zyxel Communication Corporation
- http://www.zyxel.com/me/en/

North America

USA

• Zyxel Communications, Inc. - North America Headquarters
- http://www.zyxel.com/us/en/

Oceania

Australia

• Zyxel Communications Corporation
- http://www.zyxel.com/au/en/

Africa

South Africa

• Nology (Pty) Ltd.
• http://www.zyxel.co.za

APPENDIX D

Legal Information

Copyright

Copyright © 2017 by Zyxel Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of Zyxel Communications Corporation.

Published by Zyxel Communications Corporation. All rights reserved.

Disclaimers

Zyxel does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. Zyxel further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Your use of the NWA/WAC is subject to the terms and conditions of any related service providers.

Trademarks

Trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Regulatory Notice and Statement

UNITED STATES of AMERICA

The following information applies if you use the product within USA area.

FCC EMC Statement

• This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and
  (2) this device must accept any interference received, including interference that may cause undesired operation.
• Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the device.
• This product has been tested and complies with the specifications for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy and, if not installed and used according to the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.
• If this device does cause harmful interference to radio or television reception, which is found by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
  • Reorient or relocate the receiving antenna
• Increase the separation between the devices
• Connect the equipment to an outlet other than the receiver's
• Consult a dealer or an experienced radio/TV technician for assistance

FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.

FCC Radiation Exposure Statement

• This device complies with FCC RF radiation exposure limits set forth for an uncontrolled environment.
- This transmitter must be at least 20 cm from the user and must not be co-located or operating in conjunction with any other antenna or transmitter. This transmitter must be at least 22 cm(NWA5123-NI) from the user and must not be co-located or operating in conjunction with any other antenna or transmitter. This transmitter must be at least 30 cm(WAC6553D-E) from the user and must not be co-located or operating in conjunction with any other antenna or transmitter.
• Country Code selection feature to be disabled for products marketed to the US/CANADA
• Operation of this device is restricted to indoor use only. (WAC6553D-E is a device for outdoor use.)

CANADA

The following information applies if you use the product within Canada area.

Industry Canada ICES statement

CAN ICES-3 (B)/NMB-3(B)

Industry Canada RSS-GEN & RSS-247 statement

• This device complies with Industry Canada license-exempt RSS standard(s). Operation is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that may cause undesired operation of the device.
• This radio transmitter (2468C-NWA5123AC (NWA5123-AC, NWA1123-AC v2), 2468C-WAC6502D-E (WAC6502D-S, WAC6502D-E), 2468C-WAC6503D-S (WAC6503D-S), 2468C-WAC6553D-E (WAC6553D-E), 2468C-WAC6103DI (WAC6103DI), 2468C-WAC5302DS (WAC5302D-S)) has been approved by Industry Canada to operate with the antenna types listed below with the maximum permissible gain and required antenna impedance for each antenna type indicated. Antenna types not included in this list, having a gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device.

Antenna Information

If the product with 5G wireless function operating in 5150-5250 MHz and 5725-5850 MHz, the following attention must be paid,
- The device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems.
- For devices with detachable antenna(s), the maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-point and non-point-to-point operation as appropriate; and
- The worst-case tilt angle(s) necessary to remain compliant with the e.i.r.p. elevation mask requirement set forth in Section 6.2.2(3) of RSS 247 shall be clearly indicated.
If the product with 5G wireless function operating in 5250-5350 MHz and 5470-5725 MHz, the following attention must be paid.

Industry Canada radiation exposure statement

This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20cm between the radiator and your body.

This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 22cm (NWA5123-NI) between the radiator and your body.

This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 30 cm (WAC6553D-E) between the radiator and your body.

(i) the device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems;
(ii) the maximum antenna gain permitted for devices in the bands 5250-5350 MHz and 5470-5725 MHz shall comply with the e.i.r.p. limit; and
(iii) the maximum antenna gain permitted for devices in the band 5725-5825 MHz shall comply with the e.i.r.p. limits specified for point-to-point and non point-to-point operation as appropriate.
(iv) Users should also be advised that high-power radars are allocated as primary users (i.e. priority users) of the bands 5250-5350 MHz and 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices.
(v) WAC6553D-E is an outdoor device and only uses 5G Band 4 (5725-5850 MHz).

Avertissement:

The following information applies if you use the product within the European Union.

Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive)

Compliance information for 2.4GHz and/or 5GHz wireless products relevant to the EU and other Countries following the EU Directive 1999/5/EC (R&TTE). This device is restricted to indoor use only when operating in the 5150 to 5350 MHz frequency range

- This device is restricted to indoor use only when operating in the 5150 to 5350 MHz frequency range.

National Restrictions

This product may be used in all EU countries (and other countries following the EU Directive 1999/5/EC) without any limitation except for the countries mentioned below:

In the majority of the EU and other European countries, the 2.4GHz and 5GHz bands have been made available for the use of wireless local area networks (LANs). Later in this document you will find an overview of countries in which additional restrictions or requirements or both are applicable.

The requirements for any country may evolve. Zyxel recommends that you check with the local authorities for the latest status of their national regulations for both the 2.4GHz and 5GHz wireless LANs.

The following countries have restrictions and/or requirements in addition to those given in the table labeled “Overview of Regulatory Requirements for Wireless LANs”:

Belgium

The Belgian Institute for Postal Services and Telecommunications (BIPT) must be notified of any outdoor wireless link having a range exceeding 300 meters. Please check http://www.bipt.be for more details.

In Denmark, the band 5150 - 5350 MHz is also allowed for outdoor usage.

This product meets the National Radio Interface and the requirements specified in the National Frequency Allocation Table for Italy. Unless this wireless LAN product is operating within the boundaries of the owner's property, its use requires a “general authorization.” Please check http://www.sviluppoeconomico.gov.it/ for more details.

The outdoor usage of the 2.4 GHz band requires an authorization from the Electronic Communications Office. Please check http://www.esd.lv for more details.

2.4 GHz frekvenèu joslas izmantoðanai árpus telpâm nepiecieðama atiauja no Elektronisko sakaru direkcijas. Vairâk informâcijas: http://www.esd.lv.

Notes:

1. Although Norway, Switzerland and Liechtenstein are not EU member states, the EU Directive 1999/5/EC has also been implemented in those countries.

2. The regulatory limits for maximum output power are specified in EIRP. The EIRP level (in dBm) of a device can be calculated by adding the gain of the antenna used(specified in dBi) to the output power available at the connector (specified in dBm).

List of national codes

Professional installation instruction (WAC6553D-E)

Please be advised that due to the unique function supplied by this product, the device is intended for use with our interactive entertainment software and licensed third-party only. The product will be distributed through controlled distribution channel and installed by trained professional and will not be sold directly to the general public through retail store.

1 Installation personal

This product is designed for specific application and needs to be installed by a qualified personal who has RF and related rule knowledge. The general user shall not attempt to install or change the setting.

2 Installation location

The product shall be installed at a location where the radiating antenna can be kept 30 cm from nearby person in normal operation condition to meet regulatory RF exposure requirement.

3 External antenna

Use only the antennas which have been approved by Zyxel Communications Corporation. The non-approved antenna(s) may produce unwanted spurious or excessive RF transmitting power which may lead to the violation of FCC/IC limit and is prohibited.

4 Installation procedure

Please refer to user's manual for the detail.

5 Warning

Please carefully select the installation position and make sure that the final output power does not exceed the limit set force in relevant rules. The violation of the rule could lead to serious federal penalty.

• Do not use this product near water, for example, in a wet basement or near a swimming pool.
• Do not expose your device to dampness, dust or corrosive liquids.
• Do not store things on the device.
• Do not obstruct the device ventilation slots as insufficient airflow may harm your device. For example, do not place the device in an enclosed space such as a box or on a very soft surface such as a bed or sofa.

- Do not install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.

- Connect ONLY suitable accessories to the device.

- Do not open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.

• Make sure to connect the cables to the correct ports.

- Place connecting cables carefully so that no one will step on them or stumble over them.

• Always disconnect all cables from this device before servicing or disassembling.

- Do not remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.

- Do not allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.

- Please use the provided or designated connection cables/power cables/adaptors. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe). If the power adaptor or cord is damaged, it might cause electrocution. Remove it from the device and the power source, repairing the power adapter or cord is prohibited. Contact your local vendor to order a new one.

- Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.

- CAUTION: Risk of explosion if battery is replaced by an incorrect type, dispose of used batteries according to the instruction. Dispose them at the applicable collection point for the recycling of electrical and electronic devices. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.

- The following warning statements apply, where the disconnect device is not incorporated in the device or where the plug on the power supply cord is intended to serve as the disconnect device,

- For permanently connected devices, a readily accessible disconnect device shall be incorporated external to the device;

- For pluggable devices, the socket-outlet shall be installed near the device and shall be easily accessible.

Environment statement

ErP (Energy-related Products)

Zyxel products put on the EU market in compliance with the requirement of the European Parliament and the Council published

Directive 2009/125/EC establishing a framework for the setting of ecodesign requirements for energy-related products (recast), so called as "ErP Directive (Energy-related Products directive) as well as ecodesign requirement laid down in applicable implementing measures, power consumption has satisfied regulation requirements which are:

Network standby power consumption < 8W, and/or

Off mode power consumption < 0.5W, and/or

Standby mode power consumption < 0.5W.

For wireless setting, please refer to Chapter 6 on page 69 chapter for more detail.

European Union - Disposal and Recycling Information

The symbol below means that according to local regulations your product and/or its battery shall be disposed of separately from domestic waste. If this product is end of life, take it to a recycling station designated by local authorities. At the time of disposal, the separate collection of your product and/or its battery will help save natural resources and ensure that the environment is sustainable development.

Environmental Product Declaration

Български (Bulgarian)		Čeština (Czech)		Dansk (Danish)		Deutsch (German)
Екологична продуктува декларация		Environmentálni prohlášeni o produktu		Miljavaredeklaration		Produkt-Umweltdeklaration
RoHS Direktiva 2011/65/EWEEE Direktiva 2012/19/EPPW Direktiva 94/62/EOREACH PEPTAMENT (EO) Nr 1907/2006ErP Direktiva 2009/125/EO		RoHS Směrnica 2011/65/EWEEE Směrnica 2012/19/EUPPW Směrnica 94/62/ESREACH Naženzi (ES) č. 1907/2006ErP Směrnica 2009/125/ESJméno/ titl : Richard Hsu / Quality Management Division Senior ManagerPodpis : Datum (dd/mm/yyyy)01/10/2014		RoHS Direktiv 2011/65/EWEEE Direktiv 2012/19/EUPPW Direktiv 94/62/EEREACH Forðing (EF) nr. 1907/2006ErP Direktiv 2009/125/EFNavn/ titl : Richard Hsu / Quality Management Division Senior ManagerUnderskrit : Dato (dd/mm/kákl).10/10/2014		RoHS Direktiv 2011/65/EWEEE Direktiv 2012/19/EUPPW Direktiv 94/62/EEREACH VERORDNUNG (EG) Nr. 1907/2006ErP Direktiv 2009/125/EGName/ titl : Richard Hsu / Quality Management Division Senior ManagerUnterschrift : Datum (g/mm/lt):2014/10/01
Ivea nantЯка [IMAGE]
Eesti keel (Estonian)		English		Español (Spanish)		Français (French)
Toote keskkonnadeklaratsiooni		Environmental product declaration		Declaraciones Ambientales de Producto		Profil environnemental de produit
RoHS Direktiv 2011/65/EWEEE Direktiv 2012/19/ELPW Direktiv 94/62/EOREACH MAARUS (EU) nr 1907/2006ErP Direktiv 2009/125/EU		RoHS Directive 2011/65/EWEEE Directive 2012/19/EUPPW Directive 94/62/ECREACH Regulation (EC) No 1907/2006ErP Directive 2009/125/ECName/ titl : Richard Hsu / Quality Management Division Senior ManagerSignature : Date (dd/mm/yyyy)01/10/2014		RoHS Directive 2011/65/EWEEE Directive 2012/19/EUPPW Directive 94/62/CEREACH REGLAMENTO (CE) no 1907/2006ErP Directive 2009/125/ECNombre/ : Richard Hsu / Quality Management titl: Division Senior ManagerFirma :Fecha (aaaa/mm/dd):2014/10/01		RoHS Directive 2011/65/EWEEEE Directive 2012/19/EUPPW Directive 94/62/CEREACH REGLAMENT (CE) N° 1907/2006ErP Directive 2009/125/CENon/ titre : Richard Hsu / Quality Management Division Senior ManagerSignature : Date (aaaa/mm/yyyy):2014/10/01[DB44]
Nmi/ Richard Hsu / Quality Management pesikuri : Division Senior ManagerAlkin : Kuplav (pp/kk/aaaa):01/10/2014
Hrvatski (Croatian)		Italiano (Italian)		Latviešu valoda (Latvian)		Lietuvič kalba (Lithuanian)
Deklaraciju o zbrinjavanju proizvoda		Dichiarazione ambientale di prodotto		Produkta vides ietekmějuma deklaracija		Aplinkosauginę gamino deklaracija
RoHS Direktiva 2011/65/EWEEE Direktiva 2012/19/EUPPW Direktiv 94/62/EREACH Uredbe (EZ) br. 1907/2006ErP Direktiv 2009/125/EZIme/ naslov : Richard Hsu / Quality Management Division Senior ManagerPotpis : Datum (dd/mm/yyyy)01/10/2014		RoHS Direktiva 2011/65/EWEEE Direktiva 2012/19/EUPPW Direktiv 94/62/CEREACH REGOLAMENTO (CE) n. 1907/2006ErP Direktiv 2009/125/CEName/ titl: Richard Hsu / Quality Management Division Senior ManagerFirma : Data (aaaa/mm/jg):2014/10/01		RoHS Direktiva 2011/65/EWEEE Direktiva 2012/19/EUPPW Direktiv 94/62/EEREACH Regula (EK) Nr. 1907/2006ErP Direktiv 2009/125/ECNosakums/ Richard Hsu / Quality Management titl: Division Senior ManagerParakats : Daturns (dd/mm/jgg):01/10/2014		RoHS Direktiva 2011/65/EWEEEE Direktiva 2012/19/EUPPW Direktiv 94/62/EREACH REGLAMENTAS (EB) Nr. 1907/2006ErP Direktiv 2009/125/EBVandas/ Richard Hsu / Quality Management titulas : Division Senior ManagerParadas : Data (aaaa/mm/yyyy):01/10/2014
Magyar (Hungarian)		Malti (Maltese)		Nederlands (Dutch)		Polski (Polish)
Kömyezetvédelmi terméknyilatkozatot		Dikjarazzjoni Ambientali dwar il-Prodott		Mileuproductverklaring		Deklarację środowiskową produktu
RoHS 2011/65/EU IrniyelveWEEE 2012/19/EU Irniyelve94/62/EREYREACH 1907/2006/EK RendelsateErP 2009/125/EK Irniyelve		RoHS Direktiva 2011/65/EWEEE Direktiva 2012/19/EUPPW Direktiv 94/62/CEREACH REGOLAMENT (KE) NRU 1907/2006ErP Direktiv 2009/125/CE		RoHS Richtijn 2011/65/EWEEEE Richtijn 2012/19/EUPPW Richtijn 94/62/EEREACH Verdörning (EG) nr. 1907/2006ErP Richtijn 2009/125/EGNaem/ titre : Richard Hsu / Quality Management Division Senior ManagerHandtakering : Datum (dd/mm/jaar):01/10/2014		RoHS Dysktywa 2011/65/EWEEEE Dysktywa 2012/19/EUPPW Dysktywa 94/62/WEREACH Ruzpozajdzene (WE) nr 1907/2006ErP Dysktywa 2009/125/WERazwisko/ Richard Hsu / Quality Management tyful Division Senior ManagerPodpis : Data (mm/mm/yyyy):2014/10/01
Nev cilm : Richard Hsu / Quality Management Alakrás : Datum (dd/mm/yyyy):2014/10/01		Iemi/ titl: Richard Hsu / Quality Management Division Senior ManagerFirma : Data (aaaa/mm/jg):2014/10/01		Nam/ titre : Richard Hsu / Quality Management Division Senior ManagerHandtakering : Datum (dd/mm/jaar):01/10/2014		Nazwisko/ Richard Hsu / Quality Management tyful Division Senior ManagerPodpis : Data (mm/mm/yyyy):2014/10/01
Português (Portuguese)		Română (Romanian)		Slovenčina (Slovak)		Slovenščina (Slovene)
Declaração ambiental do produto		Declarație de mediu privind produsele		Vyhlăsienie o environamentálnom výrobku		Okoljsko deklaracijo izdelka
RoHS Directiva 2011/65/EWEEE Directiva 2012/19/EUPPW Directiva 94/62/EREACH Regulamento (CE) n° 1907/2006ErP Directiva 2009/125/CE		RoHS Direktiva 2011/65/EWEEE Direktiva 2012/19/EUPPW Direktiv 94/62/CEREACH REGULAMENTUL (CE) NR. 1907/2006ErP Direktiv 2009/125/CE		RoHS Smernica 2011/65/EWEEEE Smernica 2012/19/EUPPW Smernica 94/62/ESREACH Narladenie (ES) c. 1907/2006ErP Smernica 2009/125/ESMen/ titre : Richard Hsu / Quality Management Division Senior ManagerPodpis : Datum (dd/mm/yyyy):01/10/2014		RoHS Direktiva 2011/65/EWEEEE Direktiva 2012/19/EUPPW Direktiv 94/62/EREACH Uredba (ES) lt. 1907/2006ErP Direktiva 2009/125/ESIme/ naziv : Richard Hsu / Quality Management Division Senior ManagerPodpis : Datum (dd/mm/yyyy):01/10/2014
Nome/ titre : Richard Hsu / Quality Management Division Senior ManagerAsinatura : Data (dd/mm/yyyy):01/10/2014[6D4Z]		Numele/ Richard Hsu / Quality Management titl: Division Senior ManagerSemnătura : Data (zzl/aaaa):01/10/2014		Jovru/ Richard Hsu / Quality Management titl: Division Senior ManagerYmoyoga: Hungary (y/y/y/tzx):01/10/2014[82TT]		Norsk (Norwegian)
Suomi (Finnish)		Svenska (Swedish)		Ελληνικά (Greek)		Miljadeklarasjon
Standardin perustuva ympäristótuoteseloste		Miljôproduktdeklaration		Πρεβαλονπική δήλωση προλόντος		RoHS Direktiv 2011/65/EWEEEE Direktiv 2012/19/EUPPW Direktiv 94/62/EREACH Uredba (ES) lt. 1907/2006ErP Direktiv 2009/125/ESIme/ naziv : Richard Hsu / Quality Management Division Senior ManagerPodpis : Datum (dd/mm/yyyy):01/10/2014
RoHS Direktiva 2011/65/EWEEE Directiva 2012/19/EUPPW Directiva 94/62/EREACH ASETUS (EI) No 1907/2006ErP Direktiva 2009/125/EY		RoHS Direktiv 2011/65/EWEEE Directiv 2012/19/EUPPW Direktiv 94/62/EGREACH Forðing (EG) nr 1907/2006ErP Direktiv 2009/125/EGName/ titre : Richard Hsu / Quality Management Division Senior ManagerNamteckning : Datum (dd/mm/yyyy):01/10/2014[8DXG]		RoHS OÖnyo 2011/65/EWEEEE OÖnyo 2012/19/EEPW OÖnyo 94/62/EREACH I, dvivnújouo (EK) q-pát. 1907/2006ErP OÖnyo 2009/125/ESJovru/ Richard Hsu / Quality Management titl: Division Senior ManagerYmoyoga: Hungary (y/y/y/tzx):01/10/2014[82TT]		RoHS Direktiv 2011/65/EWEEEE Direktiv 2012/19/EUPPW Direktiv 94/62/EREACH Uredba (ES) lt. 1907/2006ErP Direktiv 2009/125/ESIme/ naziv : Richard Hsu / Quality Management Division Senior ManagerPodpis : Datum (dd/m/yyyy):01/10/2014
Nmi/ Richard Hsu / Quality Management istakto : Division Senior ManagerAlakrjutus : Pavlámáša (pp/kk/yyyy):01/10/2014		Namteckning : Republic - Division Senior ManagerNamteckning : Datum (dd/mm/yyyy):01/10/2014[8DXG]		Jovru/ Richard Hsu / Quality Management titl: Division Senior ManagerYmoyoga: Hungary (y/y/y/tzx):01/10/2014[82TT]		Navih' titre : Richard Hsu / Quality Management Division Senior ManagerSignatur : Dato (dd/mm/yyyy):01/10/2014

台灣

以下訊息僅適用於產品銷售至台灣地區

Viewing Certifications

Go to http://www.zyxel.com to view this product's documentation and certifications.

Zyxel Limited Warranty

Zyxel warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific period (the Warranty Period) from the date of purchase. The Warranty Period varies by region. Check with your vendor and/or the authorized Zyxel local distributor for details about the Warranty Period of this product. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, Zyxel will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of Zyxel. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. Zyxel shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.

To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.

Open Source Licenses

This product contains in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are provided with the firmware package. You can download the latest firmware at www.zyxel.com. If you cannot find it there, contact your vendor or Zyxel Technical Support at support@zyxel.com.tw.

To obtain the source code covered under those Licenses, please contact your vendor or Zyxel Technical Support at support@zyxel.com.tw.

Index

Symbols

A

access 29

access privileges 13

access users 81

see also users 81

admin users 81

multiple logins 86

see also users 81

alerts 159, 162, 163, 165, 166, 167

antenna switch 185

AP 12

applications

MBSSID 13

Repeater 16

B

backing up configuration files 171

Basic Service Set

see BSS

boot module 176

BSS 13

C

CA

and certificates 115

CA (Certificate Authority), see certificates

CAPWAP 60, 62

CEF (Common Event Format) 160, 165

Certificate Authority (CA)

see certificates

Certificate Management Protocol (CMP) 121

Certificate Revocation List (CRL) 115

vs OCSP 130

certificates 114

advantages of 115

and CA 115

and FTP 151

and HTTPS 137

and SSH 148

and WWW 138

certification path 115, 123, 128

expired 115

factory-default 115

file formats 115

fingerprints 124, 129

importing 118

not used for encryption 115

revoked 115

self-signed 115, 120

serial number 123, 128

storage space 117, 126

thumbprint algorithms 116

thumbprints 116

used for authentication 115

verifying fingerprints 116

certification requests 120, 121

certifications

viewing 235

channel 14

CLI 17,34

button 34

messages 34

popup window 34

Reference Guide 2

cold start 28

commands 17

sent by Web Configurator 34

Common Event Format (CEF) 160, 165

comparison table 11, 12

configuration 12

information 180

configuration files 169

at restart 171

backing up 171

downloading 172

downloading with FTP 150

editing 169

how applied 170

lastgood.conf 171, 173

managing 170

startup-config.conf 173

startup-config-bad.conf 171

syntax 169

system-default.conf 173

uploading 174

uploading with FTP 150

use without restart 169

contact information 220

Control and Provisioning of Wireless Access Points

See CAPWAP

copyright 226

CPU usage 44, 46

current date/time 44, 132

daylight savings 134

setting manually 135

time server 136

customer support 220

D

date 132

daylight savings 134

DCS 70

DHCP 132

and domain name 132

diagnostics 180

disclaimer 226

domain name 132

DTLS 60

dual radios 14

dual-radio application 14

dynamic channel selection 70

E

e-mail

daily statistics report 156

encryption 16

ESSID 192

Extended Service Set IDentification 88

F

FCC interference statement 226

file extensions

configuration files 169

shell scripts 169

file manager 169

firmware

and restart 175

boot module, see boot module

current version 43, 176

getting updated 175

uploading 175, 176

uploading with FTP 150

flash usage 44

FTP 17, 150

and certificates 151

with Transport Layer Security (TLS) 151

G

Guide

CLI Reference 2

H

HTTP

over SSL, see HTTPS

redirect to HTTPS 138

vs HTTPS 137

HTTPS 137

and certificates 137

authenticating clients 137

avoiding warning messages 140

example 139

vs HTTP 137

with Internet Explorer 139

with Netscape Navigator 139

HyperText Transfer Protocol over Secure Socket Layer, see HTTPS

|

IEEE 802.1x 89

installation 12

interface

status 45

interfaces

as DHCP servers 132

interference 14

Internet Protocol version 6, see IPv6

IP Address 60

gateway IP address 60

IP subnet 60

IPv6 212

addressing 212

EUI-64 214

global address 212

interface ID 214

link-local address 212

Neighbor Discovery Protocol 212

ping 212

prefix 212

prefix length 212

stateless autoconfiguration 214

unspecified address 213

K

key pairs 114

L

lastgood.conf 171, 173

layer-2 isolation 104

example 105

MAC 105

LED suppression 182

LEDs 20

Blinking 21, 23, 27

Flashing 21, 23, 24, 25, 27

Off 21, 23, 24, 26, 27

load balancing 70

Locator LED 183

log messages

categories 163, 165, 166, 167

debugging 56

regular 56

types of 56

logout

Web Configurator 31

logs

e-mail profiles 158

e-mailing log messages 58, 162

formats 160

log consolidation 163

settings 158

syslog servers 158

system 158

types of 158

M

MAC address

range 43

maintenance 12

management 12

Management Information Base (MIB) 152

Management Mode

CAPWAP and DHCP 61

CAPWAP and IP Subnets 62

managed AP 61

standalone mode 60

management mode 13

managing the device

good habits 17

using FTP. See FTP.

MBSSID 13

memory usage 44, 47

message bar 37

messages

CLI 34

warning 37

mode 12

model name 43

My Certificates, see also certificates 117

N

network access control 12

Network Time Protocol (NTP) 135

O

objects

certificates 114

users, account

user 81

Online Certificate Status Protocol (OCSP) 130

vs CRL 130

operating mode 12

overview 11

P

power off 28

power on 28

product registration 236

Public-Key Infrastructure (PKI) 115

public-private key pairs 114

R

radio 14

reboot 28,187

vs reset 187

Reference Guide, CLI 2

registration

product 236

remote management

FTP, see FTP

Telnet 150

WWW, see WWW

reports

daily 156

daily e-mail 156

reset 197

vs reboot 187

vs shutdown 188

RESET button 28, 197

restart 187

RF interference 14

RFC

2510 (Certificate Management Protocol or CMP) 121

Rivest, Shamir and Adleman public-key algorithm (RSA) 120

root AP 12

RSA 120, 128, 129

RSSI threshold 94

S

SCEP (Simple Certificate Enrollment Protocol) 121

Secure Socket Layer, see SSL

serial number 43

service control

and users 136

limitations 136

timeouts 136

Service Set 88

Service Set Identifier

see SSID

shell scripts 169

downloading 178

editing 177

how applied 170

managing 177

syntax 169

uploading 179

shutdown 28,188

vs reset 188

Simple Certificate Enrollment Protocol (SCEP) 121

Simple Network Management Protocol, see SNMP

SNMP 151, 152

agents 152

Get 152

GetNext 152

Manager 152

managers 152

MIB 152

network components 152

Set 152

Trap 152

traps 153

versions 151

SSH 146

and certificates 148

client requirements 148

encryption methods 147

for secure Telnet 148

how connection is established 146

versions 147

with Linux 149

with Microsoft Windows 148

SSID 13

SSID profile

pre-configured 13

SSID profiles 13

SSL 137

starting the device 27

startup-config.conf 173

if errors 171

missing at restart 171

present at restart 171

startup-config-bad.conf 171

station 70

statistics

daily e-mail report 156

status 42

status bar 37

warning message popup 37

stopping the device 27

supported browsers 29

syslog 160, 165

syslog servers, see also logs

system log, see logs

system name 43, 132

system uptime 44

system-default.conf 173

T

Telnet 150

with SSH 148

time 132

time servers (default) 135

trademarks 226

Transport Layer Security (TLS) 151

troubleshooting 180

Trusted Certificates, see also certificates 125

U

upgrading

firmware 175

uploading

configuration files 174

firmware 175

shell scripts 177

usage

CPU 44, 46

flash 44

memory 44, 47

onboard flash 44

use 12

user authentication 81

user name

rules 82

user objects 81

users 81

access, see also access users

admin (type) 81

admin, see also admin users

and service control 136

currently logged in 44

default lease time 85, 87

default reauthentication time 85, 87

lease time 84

limited-admin (type) 81

lockout 86

reauthentication time 84

types of 81

user (type) 81

user names 82

V

Vantage Report (VRPT) 160, 165

Virtual Local Area Network 65

VLAN 65

introduction 65

VRPT (Vantage Report) 160, 165

W

warm start 28

warning message popup 37

warranty 236

note 236

WDS 12, 16

Web Configurator 17, 29

access 29

requirements 29

supported browsers 29

web configurator 12

WEP (Wired Equivalent Privacy) 89

wireless channel 192

wireless client 70

Wireless Distribution System (WDS) 16

wireless LAN 192

Wireless network

overview 69

wireless network

example 69

wireless profile 88

layer-2 isolation 88

MAC filtering 88

radio 88

security 88

SSID 88

wireless repeater 12

wireless security 13, 192

wireless station 70

WLAN interface 14

WPA2 89

WWW 137

and certificates 138

see also HTTP, HTTPS 137