NWA5123AC - Wireless Access Point ZYXEL - Free user manual and instructions

USER MANUAL NWA5123AC ZYXEL

KEEP THIS GUIDE FOR FUTURE REFERENCE.

This is a User's Guide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.

Related Documentation

• Quick Start Guide
  The Quick Start Guide shows how to connect the NWA and access the Web Configurator.
  • CLI Reference Guide

The CLI Reference Guide explains how to use the Command-Line Interface (CLI) and CLI commands to configure the NWA.

Note: It is recommended you use the Web Configurator to configure the NWA.

• Web Configurator Online Help

Click the help icon in any screen for help in configuring that screen and supplementary information.

Contents Overview

User's Guide 10

Introduction ...... 11

The Web Configurator ....19

Technical Reference 30

Dashboard 31

Monitor 36

Management Mode 49

Network 53

Wireless 57

User 69

AP Profile 76

MON Profile 94

WDS Profile 98

Certificates 100

System 117

Log and Report 142

File Manager 154

Diagnostics 165

Reboot 167

Shutdown 168

Troubleshooting 169

Table of Contents

Contents Overview ....3

Table of Contents 4

Part I: User's Guide .... 10

Chapter 1

Introduction....11

1.1 Overview ...... 11

1.1.1 Management Mode 12
1.1.2 MBSSID 12
1.1.3 Dual-Radio 13
1.1.4 Root AP 14
1.1.5 Repeater 15

1.2 Ways to Manage the NWA 16
1.3 Good Habits for Managing the NWA 16
1.4 Hardware Connections ...... 16
1.5 LEDs 17
1.6 Starting and Stopping the NWA .... 17

Chapter 2

The Web Configurator 19

2.1 Overview ...... 19
2.2 Access 19
2.3 Navigating the Web Configurator ....20

2.3.1 Title Bar 21
2.3.2 Navigation Panel 24
2.3.3 Warning Messages 27
2.3.4 Tables and Lists ....27

Part II: Technical Reference....30

Chapter 3

Dashboard 31

3.1 Overview ...... 31
3.1.1 What You Can Do in this Chapter ...... 31

4.1 Overview ...... 36
4.1.1 What You Can Do in this Chapter ....36
4.2 What You Need to Know ....36
4.3 Network Status .... 37
4.3.1 Network Status Graph ....38
4.4 Radio List 39
4.4.1 AP Mode Radio Information ....40
4.5 Station List 42
4.6 WDS Link Info 43
4.7 Detected Device 44
4.8 View Log 45

Chapter 5

Management Mode 49

5.1 Overview ......49
5.2 About CAPWAP 49

5.2.1 CAPWAP Discovery and Management 49
5.2.2 Managed AP Finds the Controller 50
5.2.3 CAPWAP and IP Subnets ....50
5.2.4 Notes on CAPWAP 51

5.3 Management Mode Screen ....51

Chapter 6

Network....53

6.1 Overview ....53
6.1.1 What You Can Do in this Chapter ....53
6.2 IP Setting 53
6.3 VLAN 55

Chapter 7

Wireless 57

7.1 Overview ....57

7.1.1 What You Can Do in this Chapter ....57
7.1.2 What You Need to Know ....58

7.2 AP Management ....58
7.3 MON Mode 60
7.3.1 Add/Edit Rogue/Friendly List 61

7.4 Load Balancing 62

7.4.1 Disassociating and Delaying Connections 63

7.5 DCS 64

7.6 Technical Reference 66

Chapter 8

User....69

8.1 Overview ......69

8.1.1 What You Can Do in this Chapter 69
8.1.2 What You Need To Know 69

8.2 User Summary 70

8.2.1 Add/Edit User 70

8.3 Setting 72

8.3.1 Edit User Authentication Timeout Settings 74

Chapter 9

AP Profile....76

9.1 Overview 76

9.1.1 What You Can Do in this Chapter 76
9.1.2 What You Need To Know 76

9.2 Radio 77

9.2.1 Add/Edit Radio Profile 78

9.3 SSID 82

9.3.1 SSID List 82
9.3.2 Add/Edit SSID Profile 83

9.4 Security List 85

9.4.1 Add/Edit Security Profile 86

9.5 MAC Filter List 89

9.5.1 Add/Edit MAC Filter Profile 90

9.6 Layer-2 Isolation List 91

9.6.1 Add/Edit Layer-2 Isolation Profile 92

Chapter 10

MON Profile 94

10.1 Overview 94
10.1.1 What You Can Do in this Chapter 94
10.2 MON Profile 94
10.2.1 Add/Edit MON Profile 95
10.3 Technical Reference 96

Chapter 11

WDS Profile 98

11.1 Overview 98

11.1.1 What You Can Do in this Chapter 98

11.2 WDS Profile 98

11.2.1 Add/Edit WDS Profile 99

Chapter 12

Certificates 100

12.1 Overview ...... 100

12.1.1 What You Can Do in this Chapter ....100

12.1.2 What You Need to Know .... 100

12.1.3 Verifying a Certificate 102

12.2 My Certificates 103

12.2.1 Add My Certificates .... 104

12.2.2 Edit My Certificates .... 108

12.2.3 Import Certificates 110

12.3 Trusted Certificates ...... 111

12.3.1 Edit Trusted Certificates ...... 113

12.3.2 Import Trusted Certificates ...... 115

12.4 Technical Reference 116

Chapter 13

System 117

13.1 Overview 117

13.1.1 What You Can Do in this Chapter .... 117

13.2 Host Name 117

13.3 Date and Time 118

13.3.1 Pre-defined NTP Time Servers List .... 120

13.3.2 Time Server Synchronization 120

13.4 WWW Overview 121

13.4.1 Service Access Limitations .... 122

13.4.2 System Timeout 122

13.4.3 HTTPS 122

13.4.4 Configuring WWW Service Control 123

13.4.5 HTTPS Example 124

13.5 SSH 132

13.5.1 How SSH Works .... 132

13.5.2 SSH Implementation on the NWA 133

13.5.3 Requirements for Using SSH 134

13.5.4 Configuring SSH 134

13.5.5 Examples of Secure Telnet Using SSH 134

13.6 Telnet 136

13.7 FTP 136

13.8 SNMP 137

13.8.1 Supported MIBs 138

13.8.2 SNMP Traps 139
13.8.3 Configuring SNMP 139
13.8.4 Adding or Editing an SNMPv3 User Profile 140

Chapter 14

Log and Report 142

14.1 Overview 142
14.1.1 What You Can Do In this Chapter 142
14.2 Email Daily Report 142
14.3 Log Setting 144
14.3.1 Log Setting 144
14.3.2 Edit System Log Settings 146
14.3.3 Edit Remote Server 148
14.3.4 Active Log Summary 150

Chapter 15

File Manager 154

15.1 Overview 154

15.1.1 What You Can Do in this Chapter ....154
15.1.2 What you Need to Know 154

15.2 Configuration File 155

15.2.1 Example of Configuration File Download Using FTP 159

15.3 Firmware Package 160
15.3.1 Example of Firmware Upload Using FTP 162
15.4 Shell Script 162

Chapter 16

Diagnostics 165

16.1 Overview 165
16.1.1 What You Can Do in this Chapter .... 165
16.2 Diagnostics .... 165

Chapter 17

Reboot 167

17.1 Overview ...... 167
17.1.1 What You Need To Know 167
17.2 Reboot 167

Chapter 18

Shutdown....168

18.1 Overview ...... 168
18.1.1 What You Need To Know .... 168
18.2 Shutdown 168

Chapter 19

Troubleshooting....169

19.1 Overview ...... 169
19.2 Power, Hardware Connections, and LED 169
19.3 NWA Access and Login 170
19.4 Internet Access 171
19.5 Wireless Connections 172
19.6 Resetting the NWA 175
19.7 Getting More Troubleshooting Help 175

Appendix A Importing Certificates 176
Appendix B IPv6 189
Appendix C Customer Support 198
Appendix D Legal Information 204

Index 210

PART I

User's Guide

1.1 Overview

This User's Guide covers the following models: NWA5121-N, NWA5121-NI, and NWA5123-NI. Your NWA is a wireless AP (Access Point). It extends the range of your existing wired network without additional wiring, providing easy network access to mobile users.

Table 1 NWA Series Comparison Table

You can set the NWA to operate in either standalone AP or managed AP mode. When the NWA is in standalone AP mode, it can serve as a normal AP, as an RF monitor to search for rouge APs to help eliminate network threats, or even as a root AP or a wireless repeater to establish wireless links with other APs in a WDS (Wireless Distribution System). A WDS is a wireless connection between two or more APs.

Your NWA's business-class reliability, SMB features, and centralized wireless management make it ideally suited for advanced service delivery in mission-critical networks. It uses Multiple BSSID and VLAN to provide simultaneous independent virtual APs. Additionally, innovations in roaming technology and QoS features eliminate voice call disruptions.

The NWA controls network access with Media Access Control (MAC) address filtering, and rogue Access Point (AP) detection. It also provides a high level of network traffic security, supporting IEEE 802.1x, Wi-Fi Protected Access (WPA), WPA2 and Wired Equivalent Privacy (WEP) data encryption.

Your NWA is easy to install, configure and use. The embedded Web-based configurator enables simple, straightforward management and maintenance. See the Quick Start Guide for how to make hardware connections.

1.1.1 Management Mode

An AP controller can use Control And Provisioning of Wireless Access Points (CAPWAP, see RFC 5415) to discover and configure multiple managed APs.

The NWA is a standalone AP by default. You can switch the NWA from being a standalone AP to acting as a managed AP to allow it to be managed by an AP controller, such as the NXC2500. To change between management modes, see Chapter 5 on page 49.

Table 2 NWA Management Mode Comparison

When the NWA is in standalone AP mode, the NWA is set to have a static management IP address (192.168.1.2) by default. You can use either the web configurator or FTP to upload firmware. See Section 15.3 on page 160 for more information about firmware uploading.

When the NWA is in managed AP mode, it acts as a DHCP client and obtains an IP address from the AP controller. It can be configured ONLY by the AP controller. To change the NWA back to standalone AP mode, you need to check the AP controller for the NWA's IP address and use FTP to upload firmware for standalone AP mode.

1.1.2 MBSSID

A Basic Service Set (BSS) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). The Service Set IDentifier (SSID) is the name of a BSS. In Multiple BSS (MBSSID) mode, the NWA provides multiple virtual APs, each forming its own BSS and using its own individual SSID profile.

You can configure multiple SSID profiles, and have all of them active at any one time.

You can assign different wireless and security settings to each SSID profile. This allows you to compartmentalize groups of users, set varying access privileges, and prioritize network traffic to and from certain BSSs.

To the wireless clients in the network, each SSID appears to be a different access point. As in any wireless network, clients can associate only with the SSIDs for which they have the correct security settings.

For example, you might want to set up a wireless network in your office where Internet telephony (VoIP) users have priority. You also want a regular wireless network for standard users, as well as a 'guest' wireless network for visitors. In the following figure, VoIP_SSID users have QoS priority, SSID01 is the wireless network for standard users, and Guest_SSID is the wireless network for guest users. In this example, the guest user is forbidden access to the wired Land Area Network (LAN) behind the AP and can access only the Internet.

Figure 1 Multiple BSSs

graph TD
    A["LAN"] --> B["Router"]
    B --> C["Internet"]
    D["VoIP_SSID"] --> B
    E["SSID01"] --> B
    F["Guest_SSID"] --> B
    B --> G["Server"]
    style A fill:#f9f,stroke:#333
    style D fill:#ccf,stroke:#333
    style E fill:#ccf,stroke:#333
    style F fill:#ccf,stroke:#333
    style B fill:#fff,stroke:#333
    style C fill:#fff,stroke:#333
    style D fill:#fff,stroke:#333
    style E fill:#fff,stroke:#333
    style F fill:#fff,stroke:#333

1.1.3 Dual-Radio

The NWA5123-NI is equipped with dual wireless radios. This means you can configure two different wireless networks to operate simultaneously.

Note: A different channel should be configured for each WLAN interface to reduce the effects of radio interference.

You could use the 2.4 GHz band for regular Internet surfing and downloading while using the 5 GHz band for time sensitive traffic like high-definition video, music, and gaming.

Figure 2 Dual-Radio Application

graph TD
    A["Laptop"] --> B["Ethernet"]
    C["Server"] --> B
    B --> D["INTERNET"]
    E["Computer"] --> F["5G"]
    G["Desktop"] --> H["2.4G"]
    style E stroke-dasharray: 5 5

1.1.4 Root AP

In Root AP mode, the NWA (Z) can act as the root AP in a wireless network and also allow repeaters (X and Y) to extend the range of its wireless network at the same time. In the figure below, both clients A, B and C can access the wired network through the root AP.

Figure 3 Root AP Application

graph TD
    A["Printer"] -->|Ethernet| B["Z"]
    C["Server"] -->|Ethernet| B
    D["X"] -->|Internet| E["Cloud"]
    F["Y"] -->|Wireless Signal| B
    G["A"] -->|Wireless Signal| B
    H["B"] -->|Wireless Signal| B
    I["C"] -->|Wireless Signal| B
    style B fill:#f9f,stroke:#333
    style X fill:#ccf,stroke:#333
    style Y fill:#cfc,stroke:#333
    style Z fill:#fcc,stroke:#333

On the NWA in Root AP mode, you can have multiple SSIDs active for regular wireless connections and one SSID for the connection with a repeater (repeater SSID). Wireless clients can use either

SSID to associate with the NWA in Root AP mode. A repeater must use the repeater SSID to connect to the NWA in Root AP mode.

When the NWA is in Root AP mode, repeater security between the NWA and other repeater is independent of the security between the wireless clients and the AP or repeater. When repeater security is enabled, both APs and repeaters must use the same pre-shared key. See Section 7.2 on page 58 and Section 11.2 on page 98 for more details.

Unless specified, the term "security settings" refers to the traffic between the wireless clients and the AP. At the time of writing, repeater security is compatible with the NWA only.

1.1.5 Repeater

The NWA can act as a wireless network repeater to extend a root AP's wireless network range, and also establish wireless connections with wireless clients.

Using Repeater mode, your NWA can extend the range of the WLAN. In the figure below, the NWA in Repeater mode (Z) has a wireless connection to the NWA in Root AP mode (X) which is connected to a wired network and also has a wireless connection to another NWA in Repeater mode (Y) at the same time. Z and Y act as repeaters that forward traffic between associated wireless clients and the wired LAN. Clients A and B access the AP and the wired network behind the AP through repeaters Z and Y.

Figure 4 Repeater Application

graph TD
    A["Printer"] --> B["Ethernet"]
    C["Computer"] --> B
    D["Server"] --> B
    B --> E["X"]
    E --> F["Z"]
    F --> G["A"]
    H["Internet"] --> I["Y"]
    I --> J["B"]
    style B fill:#f9f,stroke:#333
    style E fill:#ccf,stroke:#333
    style F fill:#cfc,stroke:#333
    style G fill:#fcc,stroke:#333
    style H fill:#cff,stroke:#333
    style I fill:#ffc,stroke:#333

When the NWA is in Repeater mode, repeater security between the NWA and other repeater is independent of the security between the wireless clients and the AP or repeater. When repeater security is enabled, both APs and repeaters must use the same pre-shared key. See Section 7.2 on page 58 and Section 11.2 on page 98 for more details.

Once the security settings of peer sides match one another, the connection between devices is made.

At the time of writing, repeater security is compatible with the NWA only.

1.2 Ways to Manage the NWA

You can use the following ways to manage the NWA.

Web Configurator

The Web Configurator allows easy NWA setup and management using an Internet browser. This User's Guide provides information about the Web Configurator.

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the NWA. You can access it using remote management (for example, SSH or Telnet). See the Command Reference Guide for more information.

File Transfer Protocol (FTP)

This protocol can be used for firmware upgrades and configuration backup and restore.

Simple Network Management Protocol (SNMP)

The NWA can be monitored by an SNMP manager. See the SNMP chapter in this User's Guide.

1.3 Good Habits for Managing the NWA

Do the following things regularly to make the NWA more secure and to manage it more effectively.

• Change the password often. Use a password that's not easy to guess and that consists of different types of characters, such as numbers and letters.
• Write down the password and put it in a safe place.
• Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the NWA to its factory default settings. If you backed up an earlier configuration file, you won't have to totally re-configure the NWA; you can simply restore your last configuration.

1.4 Hardware Connections

See your Quick Start Guide for information on making hardware connections.

1.5 LEDs

The following are the LED descriptions for your NWA.

Figure 5 LED

Table 3 LED

1.6 Starting and Stopping the NWA

Here are some of the ways to start and stop the NWA.

Always use Maintenance > Shutdown or the shutdown command before you turn off the NWA or remove the power. Not doing so can cause the firmware to become corrupt.

Table 4 Starting and Stopping the NWA

The NWA does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources.

The Web Configurator

2.1 Overview

The NWA Web Configurator allows easy management using an Internet browser.

In order to use the Web Configurator, you must:

• Use Internet Explorer 7.0 and later versions, Mozilla Firefox 9.0 and later versions, Safari 4.0 and later versions, or Google Chrome 10.0 and later versions.
• Allow pop-up windows.
• Enable JavaScript (enabled by default).
• Enable Java permissions (enabled by default).
• Enable cookies.

The recommended screen resolution is 1024 x 768 pixels and higher.

2.2 Access

1 Make sure your NWA is working in standalone AP mode (see Section 1.1.1 on page 12) and hardware is properly connected. See the Quick Start Guide.
2 Browse to https://192.168.1.2. The Login screen appears.

3 Enter the user name (default: "admin") and password (default: "1234").

4 Click Login. If you logged in using the default user name and password, the Update Admin Info screen appears. Otherwise, the dashboard appears.

The Update Admin Info screen appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore.

2.3 Navigating the Web Configurator

The following summarizes how to navigate the web configurator from the Dashboard screen. This guide uses the NWA5123-NI screens as an example. The screens may vary slightly for different models.

Figure 6 The Web Configurator's Main Screen

The Web Configurator's main screen is divided into these parts:

• A - Title Bar
• B - Navigation Panel
- C - Main Window

2.3.1 Title Bar

The title bar provides some useful links that always appear over the screens below, regardless of how deep into the Web Configurator you navigate.

Figure 7 Title Bar

The icons provide the following functions.

Table 5 Title Bar: Web Configurator Icons

About

Click About to display basic information about the NWA.

Figure 8 About

The following table describes labels that can appear in this screen.

Table 6 About

Site Map

Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen's link to go to that screen.

Figure 9 Site Map

Object Reference

Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.

Figure 10 Object Reference

The fields vary with the type of object. The following table describes labels that can appear in this screen.

Table 7 Object References

CLI Messages

Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following.

Figure 11 CLI Messages

Click Clear to remove the currently displayed information.

Note: See the Command Reference Guide for information about the commands.

2.3.2 Navigation Panel

Use the menu items on the navigation panel to open screens to configure NWA features. Click the arrow in the middle of the right edge of the navigation panel to hide the navigation panel menus or drag it to resize them. The following sections introduce the NWA's navigation panel menus and their screens.

Figure 12 Navigation Panel

Dashboard

The dashboard displays general device information, system status, system resource usage, and interface status in widgets that you can re-arrange to suit your needs.

For details on the Dashboard's features, see Chapter 3 on page 31.

Monitor Menu

The monitor menu screens display status and statistics information.

Table 8 Monitor Menu Screens Summary

Configuration Menu

Use the configuration menu screens to configure the NWA's features.

Table 9 Configuration Menu Screens Summary

Maintenance Menu

Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the NWA.

Table 10 Maintenance Menu Screens Summary

2.3.3 Warning Messages

Warning messages, such as those resulting from misconfiguration, display in a popup window.

Figure 13 Warning Message

2.3.4 Tables and Lists

The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries.

2.3.4.1 Manipulating Table Display

Here are some of the ways you can manipulate the Web Configurator tables.

1 Click a column heading to sort the table's entries according to that column's criteria.

2 Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do:

• Sort in ascending alphabetical order
• Sort in descending (reverse) alphabetical order
• Select which columns to display
• Group entries by field
  • Show entries in groups

- Filter by mathematical operators (<, >, or =) or searching for text.

3 Select a column heading cell's right border and drag to re-size the column.

4 Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column's title when you drag the column to a valid new location.

5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.

2.3.4.2 Working with Table Entries

The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.

Table 11 Common Table Icons

Here are descriptions for the most common table icons.

Table 12 Common Table Icons

2.3.4.3 Working with Lists

When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.

Figure 14 Working with Lists

PART II

Technical Reference

3.1 Overview

Use the Dashboard screens to check status information about the NWA.

3.1.1 What You Can Do in this Chapter

- The main Dashboard screen (Section 3.2 on page 31) displays the NWA's general device information, system status, system resource usage, and interface status. You can also display other status screens for more information.

3.2 Dashboard

This screen is the first thing you see when you log into the NWA. It also appears every time you click the Dashboard icon in the navigation panel. The Dashboard displays general device information, system status, system resource usage, and interface status in widgets that you can rearrange to suit your needs. You can also collapse, refresh, and close individual widgets.

Figure 15 Dashboard

The following table describes the labels in this screen.

Table 13 Dashboard

3.2.1 CPU Usage

Use this screen to look at a chart of the NWA's recent CPU usage. To access this screen, click CPU Usage in the dashboard.

Figure 16 Dashboard > CPU Usage

The following table describes the labels in this screen.

Table 14 Dashboard > CPU Usage

3.2.2 Memory Usage

Use this screen to look at a chart of the NWA's recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard.

Figure 17 Dashboard > Memory Usage

The following table describes the labels in this screen.

Table 15 Dashboard > Memory Usage

4.1 Overview

Use the Monitor screens to check status and statistics information.

4.1.1 What You Can Do in this Chapter

• The Network Status screen (Section 4.3 on page 37) displays general LAN interface information and packet statistics.
• The Network Status Graph screen (Section 4.3.1 on page 38) displays a line graph of packet statistics for the NWA's physical LAN port.
• The Radio List screen (Section 4.4 on page 39) displays statistics about the wireless radio transmitters in the NWA.
• The Station Info screen (Section 4.5 on page 42) displays information about suspected rogue APs.
• The WDS Link Info screen (Section 4.6 on page 43) displays statistics about the NWA's WDS connections.
• The Detected Device screen (Section 4.7 on page 44) displays information about suspected rogue APs.
• The View Log screen (Section 4.8 on page 45) displays the NWA's current log messages. You can change the way the log is displayed, you can e-mail the log, and you can also clear the log in this screen.

4.2 What You Need to Know

The following terms and concepts may help as you read through the chapter.

Rogue AP

Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can open up holes in a network's security. See Chapter 10 on page 94 for details.

Friendly AP

Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from neighboring networks, for example). See Chapter 10 on page 94 for details.

4.3 Network Status

Use this screen to look at general Ethernet interface information and packet statistics. To access this screen, click Monitor > Network Status.

Figure 18 Monitor > Network Status

The following table describes the labels in this screen.

Table 16 Monitor > Network Status

4.3.1 Network Status Graph

Use the port statistics graph to look at a line graph of packet statistics for the NWA's physical Ethernet port. To view, in the Network Status screen click the Switch to Graphic View button.

Figure 19 Monitor > Network Status > Switch to Graphic View

The following table describes the labels in this screen.

Table 17 Monitor > Network Status > Switch to Graphic View

4.4 Radio List

Use this screen to view statistics for the NWA's wireless radio transmitters. To access this screen, click Monitor > Wireless > AP Information > Radio List.

Figure 20 Monitor > Wireless > AP Information > Radio List

The following table describes the labels in this screen.

Table 18 Monitor > Wireless > AP Information > Radio List

4.4.1 AP Mode Radio Information

This screen allows you to view a selected radio's SSID details, wireless traffic statistics and station count for the preceding 24 hours. To access this window, select a radio and click the More Information button in the Radio List screen.

Figure 21 Monitor > Wireless > AP Information > Radio List > More Information

The following table describes the labels in this screen.

Table 19 Monitor > Wireless > AP Information > Radio List > More Information

4.5 Station List

Use this screen to view statistics pertaining to the associated stations (or "wireless clients"). Click Monitor > Wireless > Station Info to access this screen.

Figure 22 Monitor > Wireless > Station Info

The following table describes the labels in this screen.

Table 20 Monitor > Wireless > Station Info

4.6 WDS Link Info

Use this screen to view the WDS traffic statistics between the NWA and a root AP or repeaters. Click Monitor > Wireless > WDS Link Info to access this screen.

Figure 23 Monitor > Wireless > WDS Link Info

The following table describes the labels in this screen.

Table 21 Monitor > Wireless > WDS Link Info

4.7 Detected Device

Use this screen to view information about suspected rogue APs. Click Monitor > Wireless > Detected Device to access this screen.

Note: The radio or at least one of the NWA's radio must be set to monitor mode (in the Wireless > AP Management screen) in order to detect other wireless devices in its vicinity.

Figure 24 Monitor > Wireless > Detected Device

The following table describes the labels in this screen.

Table 22 Monitor > Wireless > Detected Device

4.8 View Log

Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, user). You can also look at the debugging log by selecting Debug Log. All debugging messages have the same priority.

To access this screen, click Monitor > Log. The log is displayed in the following screen.

Note: When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.

Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Figure 25 Monitor > Log > View Log

The following table describes the labels in this screen.

Table 23 Monitor > Log > View Log

The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.

Management Mode

5.1 Overview

This chapter discusses using the NWA in management mode, which determines whether the NWA is used in its default standalone mode, or as part of a Control And Provisioning of Wireless Access Points (CAPWAP) network.

5.2 About CAPWAP

The NWA supports CAPWAP. This is ZyXEL's implementation of the CAPWAP protocol (RFC 5415).

The CAPWAP dataflow is protected by Datagram Transport Layer Security (DTLS).

The following figure illustrates a CAPWAP wireless network. You (U) configure the AP controller (C), which then automatically updates the configurations of the managed APs (M1 \~ M4).

Figure 26 CAPWAP Network Example

graph TD
    U["User"] -->|U| R["Router"]
    DHCP["DHCP"] -->|DHCP| R
    R -->|R| M1["M1"]
    R -->|R| M2["M2"]
    R -->|R| M3["M3"]
    R -->|R| M4["M4"]
    M1 -.-> R
    M2 -.-> R
    M3 -.-> R
    M4 -.-> R
    R -.->|INTERNET| Internet["Internet"]

Note: The NWA can be a standalone AP (default), or a CAPWAP managed AP.

5.2.1 CAPWAP Discovery and Management

The link between CAPWAP-enabled access points proceeds as follows:

1 An AP in managed AP mode joins a wired network (receives a dynamic IP address).
2 The AP sends out a discovery request, looking for a CAPWAP AP controller.
3 If there is an AP controller on the network, it receives the discovery request. If the AP controller is in Manual mode it adds the details of the AP to its Unmanaged Access Points list, and you decide which available APs to manage. If the AP is in Always Accept mode, it automatically adds the AP to its Managed Access Points list and provides the managed AP with default configuration information, as well as securely transmitting the DTLS pre-shared key. The managed AP is ready for association with wireless clients.

5.2.2 Managed AP Finds the Controller

A managed NWA can find the controller in one of the following ways:

• Manually specify the controller's IP address in the Web Configurator's MGNT Mode screen.
• Get the controller's IP address from a DHCP server with the controller's IP address configured as option 138.
• Broadcasting to discover the controller within the broadcast domain.

Note: The AP controller needs to have a static IP address. If it is a DHCP client, set the DHCP server to reserve an IP address for the AP controller.

5.2.3 CAPWAP and IP Subnets

By default, CAPWAP works only between devices with IP addresses in the same subnet.

However, you can configure CAPWAP to operate between devices with IP addresses in different subnets by doing the following.

• Activate DHCP. Your network's DHCP server must support option 138 defined in RFC 5415.
• Configure DHCP option 138 with the IP address of the CAPWAP AP controller on your network.

DHCP Option 138 allows the CAPWAP management request (from the AP in managed AP mode) to reach the AP controller in a different subnet, as shown in the following figure.

Figure 27 CAPWAP and DHCP Option 138

graph TD
    A["AP Controller (Static IP)"] -->|CAPWAP Traffic| B["Switch"]
    C["DHCP Server + Option 138"] --> B
    B --> D["Managed AP"]
    style A fill:#cce5ff,stroke:#333
    style C fill:#cce5ff,stroke:#333
    style B fill:#ffcccc,stroke:#333
    style D fill:#ffcccc,stroke:#333

5.2.4 Notes on CAPWAP

This section lists some additional features of ZyXEL's implementation of the CAPWAP protocol.

• When the AP controller uses its internal Remote Authentication Dial In User Service (RADIUS) server, managed APs also use the AP controller's authentication server to authenticate wireless clients.
• If a managed AP's link to the AP controller is broken, the managed AP continues to use the wireless settings with which it was last provided.

5.3 Management Mode Screen

Use this screen to configure the NWA as a CAPWAP managed AP, or to use it in its default standalone mode. To access this screen, click Configuration > MGNT Mode.

Note: After you change the operation mode, the NWA resets to its default settings for the mode you set it to, including the IP address of 192.168.1.2 (in standalone AP mode).

Figure 28 Configuration > MGNT Mode

Each field is described in the following table.

Table 24 Configuration > MGNT Mode

6.1 Overview

This chapter describes how you can configure the management IP address and VLAN settings of your NWA.

The Internet Protocol (IP) address identifies a device on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Figure 29 IP Setup

graph LR
    A["Router 192.168.1.2"] --> B["Router 192.168.1.1"]
    C["Internet"] --> B
    D["Subnet Mask 255.255.255.0"]

The figure above illustrates one possible setup of your NWA. The gateway IP address is 192.168.1.1 and the IP address of the NWA is 192.168.1.2 (default). The gateway and the NWA must belong in the same subnet mask to be able to communicate with each other.

6.1.1 What You Can Do in this Chapter

• The IP Setting screen (Section 6.2 on page 53) configures the NWA's LAN IP address.
• The VLAN screen (Section 6.3 on page 55) configures the NWA's VLAN settings.

6.2 IP Setting

Use this screen to configure the IP address for your NWA. To access this screen, click Configuration > Network > IP Setting.

Figure 30 Configuration > Network > IP Setting

Each field is described in the following table.

Table 25 Configuration > Network > IP Setting

6.3 VLAN

This section discusses how to configure the NWA's VLAN settings.

Figure 31 Management VLAN Setup

graph TD
    A["Router A"] --> B["Router B"]
    B --> C["Router C"]
    C --> D["INTERNET"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#cfc,stroke:#333
    style D fill:#fcc,stroke:#333

In the figure above, to access and manage the NWA from computer A, the NWA and switch B's ports to which computer A and the NWA are connected should be in the same VLAN.

A Virtual Local Area Network (VLAN) allows a physical network to be partitioned into multiple logical networks. Devices on a logical network belong to one group. A device can belong to more than one group. With VLAN, a device cannot directly talk to or hear from devices that are not in the same group(s); the traffic must first go through a router.

In Multi-Tenant Unit (MTU) applications, VLAN is vital in providing isolation and security among the subscribers. When properly configured, VLAN prevents one subscriber from accessing the network resources of another on the same LAN, thus a user will not see the printers and hard disks of another user in the same building.

VLAN also increases network performance by limiting broadcasts to a smaller and more manageable logical broadcast domain. In traditional switched environments, all broadcast packets go to each and every individual port. With VLAN, all broadcasts are confined to a specific broadcast domain.

IEEE 802.1Q Tag

The IEEE 802.1Q standard defines an explicit VLAN tag in the MAC header to identify the VLAN membership of a frame across bridges. A VLAN tag includes the 12-bit VLAN ID and 3-bit user priority. The VLAN ID associates a frame with a specific VLAN and provides the information that devices need to process the frame across the network.

Use this screen to configure the VLAN settings for your NWA. To access this screen, click Configuration > Network > VLAN.

Figure 32 Configuration > Network > VLAN

Each field is described in the following table.

Table 26 Configuration > Network > VLAN

7.1 Overview

This chapter discusses how to configure the wireless network settings in your NWA.

The following figure provides an example of a wireless network.

Figure 33 Example of a Wireless Network

graph TD
    A["Server 1"] --> R["Router"]
    B["Server 2"] --> R
    C["Server 3"] --> R
    D["Printer"] --> R
    R --> E["AP"]
    subgraph Router
        F["A"]
        G["Laptop"]
        H["Laptop"]
        I["B"]
    end
    style Router fill:#f9f,stroke:#333
    style A fill:#ccf,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#ccf,stroke:#333
    style D fill:#ccf,stroke:#333

The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (such as the printer) or with the Internet. Your NWA is the AP.

7.1.1 What You Can Do in this Chapter

• The AP Management screen (Section 7.2 on page 58) manages the NWA's general wireless settings.
• The MON Mode screen (Section 7.3 on page 60) allows you to assign APs either to the rogue AP list or the friendly AP list.
• The Load Balancing screen (Section 7.4 on page 62) configures network traffic load balancing between the APs and the NWA.
• The DCS screen (Section 7.5 on page 64) configures dynamic radio channel selection.

7.1.2 What You Need to Know

The following terms and concepts may help as you read this chapter.

Station / Wireless Client

A station or wireless client is any wireless-capable device that can connect to an AP using a wireless signal.

Dynamic Channel Selection (DCS)

Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices.

Load Balancing (Wireless)

Wireless load balancing is the process where you limit the number of connections allowed on an wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it so the AP does not become overloaded.

7.2 AP Management

Use this screen to manage the NWA's general wireless settings. Click Configuration > Wireless > AP Management to access this screen.

Figure 34 Configuration > Wireless > AP Management

Each field is described in the following table.

Table 27 Configuration > Wireless > AP Management

7.3 MON Mode

Use this screen to assign APs either to the rogue AP list or the friendly AP list. A rogue AP is a wireless access point operating in a network's coverage area that is not under the control of the network administrator, and which can potentially open up holes in a network's security.

Click Configuration > Wireless > MON Mode to access this screen.

Figure 35 Configuration > Wireless > MON Mode

Each field is described in the following table.

Table 28 Configuration > Wireless > MON Mode

7.3.1 Add/Edit Rogue/Friendly List

Click Add or select an AP and click the Edit button in the Configuration > Wireless > MON Mode table to display this screen.

Figure 36 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly AP List

Each field is described in the following table.

Table 29 Configuration > Wireless > MON Mode > Add/Edit Rogue/Friendly AP List

7.4 Load Balancing

Use this screen to configure wireless network traffic load balancing between the APs on your network. Click Configuration > Wireless > Load Balancing to access this screen.

Figure 37 Configuration > Wireless > Load Balancing

Each field is described in the following table.

Table 30 Configuration > Wireless > Load Balancing

7.4.1 Disassociating and Delaying Connections

When your AP becomes overloaded, there are two basic responses it can take. The first one is to "delay" a client connection. This means that the AP withholds the connection until the data transfer throughput is lowered or the client connection is picked up by another AP. If the client is picked up by another AP then the original AP cannot resume the connection.

For example, here the AP has a balanced bandwidth allotment of 6 Mbps. If laptop R connects and it pushes the AP over its allotment, say to 7 Mbps, then the AP delays the red laptop's connection until it can afford the bandwidth or the laptop is picked up by a different AP with bandwidth to spare.

Figure 38 Delaying a Connection

graph TD
    A["1 Mbps"] -->|6_Mbps["7 Mbps"]| Center
    B["2 Mbps"] -->|6_Mbps["7 Mbps"]| Center
    C["2 Mbps"] -->|6_Mbps["7 Mbps"]| Center
    Center --> D["Server"]
    D -->|2 Mbps| R["2 Mbps"]
    style Center fill:#f9f,stroke:#333
    style Server fill:#ccf,stroke:#333
    note right of Center: 6_Mbps["7 Mbps"]
    note right of R: 2 Mbps

The second response your AP can take is to kick the connections that are pushing it over its balanced bandwidth allotment.

Figure 39 Kicking a Connection

Connections are kicked based on either idle timeout or signal strength. The NWA first looks to see which devices have been idle the longest, then starts kicking them in order of highest idle time. If no connections are idle, the next criteria the NWA analyzes is signal strength. Devices with the weakest signal strength are kicked first.

7.5 DCS

Use this screen to configure dynamic radio channel selection. Click Configuration > Wireless > DCS to access this screen.

Figure 40 Configuration > Wireless > DCS

Each field is described in the following table.

Table 31 Configuration > Wireless > DCS

7.6 Technical Reference

The following section contains additional technical information about the features described in this chapter.

Dynamic Channel Selection

When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of interference. Dynamic channel selection frees the network administrator from this task by letting the AP do it automatically. The AP can scan the area around it looking for the channel with the least amount of interference.

In the 2.4 GHz spectrum, each channel from 1 to 13 is broken up into discrete 22 MHz segments that are spaced 5 MHz apart. Channel 1 is centered on 2.412 GHz while channel 13 is centered on 2.472 GHz.

Figure 41 An Example Three-Channel Deployment

Three channels are situated in such a way as to create almost no interference with one another if used exclusively: 1, 6 and 11. When an AP broadcasts on any of these three channels, it should not interfere with neighboring APs as long as they are also limited to same trio.

Figure 42 An Example Four-Channel Deployment

However, some regions require the use of other channels and often use a safety scheme with the following four channels: 1, 4, 7 and 11. While they are situated sufficiently close to both each other and the three so-called "safe" channels (1,6 and 11) that interference becomes inevitable, the severity of it is dependent upon other factors: proximity to the affected AP, signal strength, activity, and so on.

Finally, there is an alternative four channel scheme for ETSI, consisting of channels 1, 5, 9, 13. This offers significantly less overlap that the other one.

Figure 43 An Alternative Four-Channel Deployment

Load Balancing

Because there is a hard upper limit on an AP's wireless bandwidth, load balancing can be crucial in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.

There are two kinds of wireless load balancing available on the NWA:

Load balancing by station number limits the number of devices allowed to connect to your AP. If you know exactly how many stations you want to let connect, choose this option.

For example, if your company's graphic design team has their own AP and they have 10 computers, you can load balance for 10. Later, if someone from the sales department visits the graphic design team's offices for a meeting and he tries to access the network, his computer's connection is delayed, giving it the opportunity to connect to a different, neighboring AP. If he still connects to the AP regardless of the delay, then the AP may boot other people who are already connected in order to associate with the new connection.

Load balancing by traffic level limits the number of connections to the AP based on maximum bandwidth available. If you are uncertain as to the exact number of wireless connections you will have then choose this option. By setting a maximum bandwidth cap, you allow any number of devices to connect as long as their total bandwidth usage does not exceed the configured bandwidth cap associated with this setting. Once the cap is hit, any new connections are rejected or delayed provided that there are other APs in range.

Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers. The coffee shop owner can't possibly know how many connections his AP will have at any given moment. As such, he decides to put a limit on the bandwidth that is available to his customers but not on the actual number of connections he allows. This means anyone can connect to his wireless network as long as the AP has the bandwidth to spare. If too many people connect and the AP hits its bandwidth cap then all new connections must basically wait for their turn or get shunted to the nearest identical AP.

8.1 Overview

This chapter describes how to set up user accounts and user settings for the NWA.

8.1.1 What You Can Do in this Chapter

• The User screen (see Section 8.2 on page 70) provides a summary of all user accounts.
• The Setting screen (see Section 8.3 on page 72) controls default settings, login settings, lockout settings, and other user settings for the NWA.

8.1.2 What You Need To Know

The following terms and concepts may help as you read this chapter.

User Account

A user account defines the privileges of a user logged into the NWA. User accounts are used in controlling access to configuration and services in the NWA.

User Types

These are the types of user accounts the NWA uses.

Table 32 Types of User Accounts

Note: The default admin account is always authenticated locally, regardless of the authentication method setting.

8.2 User Summary

The User screen provides a summary of all user accounts. To access this screen click Configuration > Object > User.

Figure 44 Configuration > Object > User

The following table describes the labels in this screen.

Table 33 Configuration > Object > User

8.2.1 Add/Edit User

The User Add/Edit screen allows you to create a new user account or edit an existing one.

8.2.1.1 Rules for User Names

Enter a user name from 1 to 31 characters.

The user name can only contain the following characters:

• Alphanumeric A-z 0-9 (there is no unicode support)
• _ [underscores]
• [dashes]

The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:

• User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings used for 'BOB' not 'bob'.
• User names have to be different than user group names.
  • Here are the reserved user names:

- adm

- admin

- any

- bin

- daemon

- debug

- devicehaecived

- ftp

- games

- halt

- Idap-users

• lp

- mail

- news

- nobody

- operator

- radius-users

- root

- shutdown

- sshd

- sync

- uucp

- zyxel

To access this screen, go to the User screen, and click Add or Edit.

Figure 45 Configuration > Object > User > Add/Edit A User

The following table describes the labels in this screen.

Table 34 Configuration > User > User > Add/Edit A User

8.3 Setting

This screen controls default settings, login settings, lockout settings, and other user settings for the NWA.

To access this screen, login to the Web Configurator, and click Configuration > Object > User > Setting.

Figure 46 Configuration > Object > User > Setting

The following table describes the labels in this screen.

Table 35 Configuration > Object > User > Setting

8.3.1 Edit User Authentication Timeout Settings

This screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings.

To access this screen, go to the Configuration > Object > User > Setting screen, select one of the Default Authentication Timeout Settings entry and click the Edit icon.

Figure 47 User > Setting > Edit User Authentication Timeout Settings

The following table describes the labels in this screen.

Table 36 User > Setting > Edit User Authentication Timeout Settings

9.1 Overview

This chapter shows you how to configure preset profiles for the NWA.

9.1.1 What You Can Do in this Chapter

• The Radio screen (Section 9.2 on page 77) creates radio configurations that can be used by the APs.
• The SSID screen (Section 9.3 on page 82) configures three different types of profiles for your networked APs.

9.1.2 What You Need To Know

The following terms and concepts may help as you read this chapter.

Wireless Profiles

At the heart of all wireless AP configurations on the NWA are profiles. A profile represents a group of saved settings that you can use across any number of connected APs. You can set up the following wireless profile types:

• Radio - This profile type defines the properties of an AP's radio transmitter. You can have a maximum of 32 radio profiles on the NWA.
• SSID - This profile type defines the properties of a single wireless network signal broadcast by an AP. Each radio on a single AP can broadcast up to 8 SSIDs. You can have a maximum of 32 SSID profiles on the NWA.
• Security - This profile type defines the security settings used by a single SSID. It controls the encryption method required for a wireless client to associate itself with the SSID. You can have a maximum of 32 security profiles on the NWA.
• MAC Filtering - This profile provides an additional layer of security for an SSID, allowing you to block access or allow access to that SSID based on wireless client MAC addresses. If a client's MAC address is on the list, then it is either allowed or denied, depending on how you set up the MAC Filter profile. You can have a maximum of 32 MAC filtering profiles on the NWA.
• Layer-2 Isolation - This profile defines the MAC addresses of the devices that you want to allow the associated wireless clients to have access to when layer-2 isolation is enabled.

SSID

The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In other words, it is the name of the wireless network that clients use to connect to it.

WEP

WEP (Wired Equivalent Privacy) encryption scrambles all data packets transmitted between the AP and the wireless stations associated with it in order to keep network communications private. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption.

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA(2) and WEP are improved data encryption and user authentication.

IEEE 802.1x

The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication is done using an external RADIUS server.

9.2 Radio

This screen allows you to create radio profiles for the NWA. A radio profile is a list of settings that an NWA can use to configure its radio transmitter(s). To access this screen click Configuration > Object > AP Profile.

Note: You can have a maximum of 32 radio profiles on the NWA.

Figure 48 Configuration > Object > AP Profile > Radio

The following table describes the labels in this screen.

Table 37 Configuration > Object > AP Profile > Radio

9.2.1 Add/Edit Radio Profile

This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button.

Figure 49 Configuration > Object > AP Profile > Add/Edit Profile

The following table describes the labels in this screen.

Table 38 Configuration > Object > AP Profile > Add/Edit Profile

9.3 SSID

The SSID screens allow you to configure three different types of profiles for your networked APs: an SSID list, which can assign specific SSID configurations to your APs; a security list, which can assign specific encryption methods to the APs when allowing wireless clients to connect to them; and a MAC filter list, which can limit connections to an AP based on wireless clients MAC addresses.

9.3.1 SSID List

This screen allows you to create and manage SSID configurations that can be used by the APs. An SSID, or Service Set IDentifier, is basically the name of the wireless network to which a wireless client can connect. The SSID appears as readable text to any device capable of scanning for wireless frequencies (such as the WiFi adapter in a laptop), and is displayed as the wireless network name when a person makes a connection to it.

To access this screen click Configuration > Object > AP Profile > SSID.

Note: You can have a maximum of 32 SSID profiles on the NWA.

Figure 50 Configuration > Object > AP Profile > SSID List

The following table describes the labels in this screen.

Table 39 Configuration > Object > AP Profile > SSID List

9.3.2 Add/Edit SSID Profile

This screen allows you to create a new SSID profile or edit an existing one. To access this screen, click the Add button or select an SSID profile from the list and click the Edit button.

Figure 51 Configuration > Object > AP Profile > Add/Edit SSID Profile

The following table describes the labels in this screen.

Table 40 Configuration > Object > AP Profile > Add/Edit SSID Profile

9.4 Security List

This screen allows you to manage wireless security configurations that can be used by your SSIDs. Wireless security is implemented strictly between the AP broadcasting the SSID and the stations that are connected to it.

To access this screen click Configuration > Object > AP Profile > SSID > Security List.

Note: You can have a maximum of 32 security profiles on the NWA.

Figure 52 Configuration > Object > AP Profile > SSID > Security List

The following table describes the labels in this screen.

Table 41 Configuration > Object > AP Profile > SSID > Security List

9.4.1 Add/Edit Security Profile

This screen allows you to create a new security profile or edit an existing one. To access this screen, click the Add button or select a security profile from the list and click the Edit button.

Note: This screen's options change based on the Security Mode selected. Only the default screen is displayed here.

Figure 53 SSID > Security Profile > Add/Edit Security Profile

The following table describes the labels in this screen.

Table 42 SSID > Security Profile > Add/Edit Security Profile

9.5 MAC Filter List

This screen allows you to create and manage security configurations that can be used by your SSIDs. To access this screen click Configuration > Object > AP Profile > SSID > MAC Filter List.

Note: You can have a maximum of 32 MAC filtering profiles on the NWA.

Figure 54 Configuration > Object > AP Profile > SSID > MAC Filter List

The following table describes the labels in this screen.

Table 43 Configuration > Object > AP Profile > SSID > MAC Filter List

9.5.1 Add/Edit MAC Filter Profile

This screen allows you to create a new MAC filtering profile or edit an existing one. To access this screen, click the Add button or select a MAC filter profile from the list and click the Edit button.

Note: Each MAC filtering profile can include a maximum of 512 MAC addresses.

Figure 55 SSID > MAC Filter List > Add/Edit MAC Filter Profile

The following table describes the labels in this screen.

Table 44 SSID > MAC Filter List > Add/Edit MAC Filter Profile

9.6 Layer-2 Isolation List

Layer-2 isolation is used to prevent wireless clients associated with your NWA from communicating with other wireless clients, APs, computers or routers in a network.

In the following example, layer-2 isolation is enabled on the NWA to allow a guest wireless client (A) to access the main network router (B). The router provides access to the Internet and the network printer (C) while preventing the client from accessing other computers and servers on the network. The client can communicate with other wireless clients only if Intra-BSS Traffic blocking is disabled.

Note: Intra-BSS Traffic Blocking is activated when you enable layer-2 isolation.

Figure 56 Layer-2 Isolation Application

graph LR
    A["Laptop"] -->|Data| NWA["NWA"]
    NWA -->|Data| B["Router B"]
    B -->|IP| C["Server C"]
    B -->|IP| D["Server D"]
    B -->|IP| E["Server E"]
    style A fill:#f9f,stroke:#333
    style NWA fill:#ccf,stroke:#333
    style B fill:#cfc,stroke:#333
    style C fill:#fcc,stroke:#333
    style D fill:#fcc,stroke:#333
    style E fill:#fcc,stroke:#333

MAC addresses that are not listed in the layer-2 isolation table are blocked from communicating with the NWA's wireless clients except for broadcast packets. Layer-2 isolation does not check the traffic between wireless clients that are associated with the same AP. Intra-BSS traffic allows wireless clients associated with the same AP to communicate with each other.

This screen allows you to specify devices you want the users on your wireless networks to access. To access this screen click Configuration > Object > AP Profile > SSID > Layer-2 Isolation List.

Figure 57 Configuration > Object > AP Profile > SSID > Layer-2 Isolation List

The following table describes the labels in this screen.

Table 45 Configuration > Object > AP Profile > SSID > Layer-2 Isolation List

9.6.1 Add/Edit Layer-2 Isolation Profile

This screen allows you to create a new layer-2 isolation profile or edit an existing one. To access this screen, click the Add button or select a layer-2 isolation profile from the list and click the Edit button.

Note: You need to know the MAC address of each wireless client, AP, computer or router that you want to allow to communicate with the NWA's wireless clients.

Figure 58 SSID > MAC Filter List > Add/Edit Layer-2 Isolation Profile

The following table describes the labels in this screen.

Table 46 SSID > MAC Filter List > Add/Edit Layer-2 Isolation Profile

10.1 Overview

This screen allows you to set up monitor mode configurations that allow your NWA to scan for other wireless devices in the vicinity. Once detected, you can use the Wireless > MON Mode screen (Section 7.3 on page 60) to classify them as either rogue or friendly.

10.1.1 What You Can Do in this Chapter

The MON Profile screen (Section 10.2 on page 94) creates preset monitor mode configurations that can be used by the NWA.

10.2 MON Profile

This screen allows you to create monitor mode configurations that can be used by the APs. To access this screen, login to the Web Configurator, and click Configuration > Object > MON Profile.

Figure 59 Configuration > Object > MON Profile

The following table describes the labels in this screen.

Table 47 Configuration > Object > MON Profile

10.2.1 Add/Edit MON Profile

This screen allows you to create a new monitor mode profile or edit an existing one. To access this screen, click the Add button or select and existing monitor mode profile and click the Edit button.

Figure 60 Configuration > Object > MON Profile > Add/Edit MON Profile

The following table describes the labels in this screen.

Table 48 Configuration > Object > MON Profile > Add/Edit MON Profile

10.3 Technical Reference

The following section contains additional technical information about the features described in this chapter.

Rogue APs

Rogue APs are wireless access points operating in a network's coverage area that are not under the control of the network's administrators, and can open up holes in a network's security. Attackers can take advantage of a rogue AP's weaker (or non-existent) security to gain access to the network, or set up their own rogue APs in order to capture information from wireless clients. If a scan reveals a rogue AP, you can use commercially-available software to physically locate it.

Figure 61 Rogue AP Example

graph TD
    X["User"] -->|X| Router
    Router -->|RG| A["Computer"]
    A -->|A| Router
    Router -->|B| Computer1["Computer"]
    Router -->|B| Computer2["Computer"]
    Router -->|B| Internet
    Internet -->|C| Router
    Router -->|C| Server
    Server -->|X| Router
    Router -->|X| Router
    Router -->|X| Router
    Router -->|X| Router
    Router -->|X| Router

In the example above, a corporate network's security is compromised by a rogue AP (RG) set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly (A). The company's legitimate wireless network (the dashed ellipse B) is well-secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available encryption-cracking software. In this example, the attacker now has access to the company network, including sensitive data stored on the file server (C).

Friendly APs

If you have more than one AP in your wireless network, you should also configure a list of "friendly" APs. Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from recognized networks, for example). It is recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points.

11.1 Overview

This chapter shows you how to configure WDS profiles for the NWA to form a WDS with other APs.

11.1.1 What You Can Do in this Chapter

The WDS Profile screen (Section 11.2 on page 98) creates preset WDS configurations that can be used by the NWA.

11.2 WDS Profile

This screen allows you to manage and create WDS profiles that can be used by the APs. To access this screen, click Configuration > Object > WDS Profile.

Figure 62 Configuration > Object > WDS Profile

The following table describes the labels in this screen.

Table 49 Configuration > Object > WDS Profile

11.2.1 Add/Edit WDS Profile

This screen allows you to create a new WDS profile or edit an existing one. To access this screen, click the Add button or select and existing profile and click the Edit button.

Figure 63 Configuration > Object > WDS Profile > Add/Edit WDS Profile

The following table describes the labels in this screen.

Table 50 Configuration > Object > WDS Profile > Add/Edit WDS Profile

12.1 Overview

The NWA can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

12.1.1 What You Can Do in this Chapter

• The My Certificate screens (Section 12.2 on page 103) generate and export self-signed certificates or certification requests and import the NWA's CA-signed certificates.
• The Trusted Certificates screens (Section 12.3 on page 111) save CA certificates and trusted remote host certificates to the NWA. The NWA trusts any valid certificate that you have imported as a trusted certificate. It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate.

12.1.2 What You Need to Know

The following terms and concepts may help as you read this chapter.

When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.

These keys work like a handwritten signature (in fact, certificates are often referred to as "digital signatures"). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key "writes" your digital signature and your public key allows people to verify whether data was signed by you, or by someone else.

This process works as follows:

1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim's public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim's private key).

5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny's public key to verify the message.

The NWA uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The NWA does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The NWA can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).

Advantages of Certificates

Certificates offer the following benefits.

• The NWA only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

Self-signed Certificates

You can have the NWA act as a certification authority and sign its own certificates.

Factory Default Certificate

The NWA generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.

Certificate File Formats

Any certificate that you want to import has to be in one of these file formats:

• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The NWA currently allows the importation of a PKS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.

- Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the NWA.

Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.

12.1.3 Verifying a Certificate

Before you import a trusted certificate into the NWA, you should verify that you have the correct certificate. You can do this using the certificate's fingerprint. A certificate's fingerprint is a message digest calculated using the MD5 or SHA1 algorithm. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.

1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a ".cer" or ".crt" file name extension.

3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may very based on your situation. Possible examples would be over the telephone or through an HTTPS connection.

12.2 My Certificates

Click Configuration > Object > Certificate > My Certificates to open this screen. This is the NWA's summary list of certificates and certification requests.

Figure 64 Configuration > Object > Certificate > My Certificates

The following table describes the labels in this screen.

Table 51 Configuration > Object > Certificate > My Certificates

12.2.1 Add My Certificates

Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the Add My Certificates screen. Use this screen to have the NWA create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.

Figure 65 Configuration > Object > Certificate > My Certificates > Add

The following table describes the labels in this screen.

Table 52 Configuration > Object > Certificate > My Certificates > Add

If you configured the Add My Certificates screen to have the NWA enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the Add My Certificates screen. Click Return and check your information in the Add My Certificates screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the NWA to enroll a certificate online.

12.2.2 Edit My Certificates

Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate's name.

Figure 66 Configuration > Object > Certificate > My Certificates > Edit

The following table describes the labels in this screen.

Table 53 Configuration > Object > Certificate > My Certificates > Edit

Table 53 Configuration > Object > Certificate > My Certificates > Edit

12.2.3 Import Certificates

Click Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the NWA.

Note: You can import a certificate that matches a corresponding certification request that was generated by the NWA. You can also import a certificate in PKCS#12 format, including the certificate's public and private keys.

The certificate you import replaces the corresponding request in the My Certificates screen.

You must remove any spaces in the certificate's filename before you can import it.

Figure 67 Configuration > Object > Certificate > My Certificates > Import

The following table describes the labels in this screen.

Table 54 Configuration > Object > Certificate > My Certificates > Import

12.3 Trusted Certificates

Click Configuration > Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have set the NWA to accept as trusted. The NWA also accepts any valid certificate signed by a certificate on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates.

Figure 68 Configuration > Object > Certificate > Trusted Certificates

The following table describes the labels in this screen.

Table 55 Configuration > Object > Certificate > Trusted Certificates

12.3.1 Edit Trusted Certificates

Click Configuration > Object > Certificate > Trusted Certificates and then a certificate's Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate's name and set whether or not you want the NWA to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.

Figure 69 Configuration > Object > Certificate > Trusted Certificates > Edit

The following table describes the labels in this screen.

Table 56 Configuration > Object > Certificate > Trusted Certificates > Edit

12.3.2 Import Trusted Certificates

Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Import Trusted Certificates screen. Follow the instructions in this screen to save a trusted certificate to the NWA.

Note: You must remove any spaces from the certificate's filename before you can import the certificate.

Figure 70 Configuration > Object > Certificate > Trusted Certificates > Import

The following table describes the labels in this screen.

Table 57 Configuration > Object > Certificate > Trusted Certificates > Import

12.4 Technical Reference

The following section contains additional technical information about the features described in this chapter.

OCSP

OCSP (Online Certificate Status Protocol) allows an application or device to check whether a certificate is valid. With OCSP the NWA checks the status of individual certificates instead of downloading a Certificate Revocation List (CRL). OCSP has two main advantages over a CRL. The first is real-time status information. The second is a reduction in network traffic since the NWA only gets information on the certificates that it needs to verify, not a huge list. When the NWA requests certificate status information, the OCSP server returns a “expired”, “current” or “unknown” response.

13.1 Overview

Use the system screens to configure general NWA settings.

13.1.1 What You Can Do in this Chapter

• The Host Name screen (Section 13.2 on page 117) configures a unique name for the NWA in your network.
• The Date/Time screen (Section 13.3 on page 118) configures the date and time for the NWA.
• The WWW screens (Section 13.4 on page 121) configure settings for HTTP or HTTPS access to the NWA.
• The SSH screen (Section 13.5 on page 132) configures SSH (Secure SHell) for securely accessing the NWA's command line interface.
• The Telnet screen (Section 13.6 on page 136) configures Telnet for accessing the NWA's command line interface.
• The FTP screen (Section 13.7 on page 136) specifies FTP server settings. You can upload and download the NWA's firmware and configuration files using FTP. Please also see Chapter 15 on page 154 for more information about firmware and configuration files.
• The SNMP screens (Section 13.8 on page 137) configure the device's SNMP settings, including profiles that define allowed SNMPv3 access.

13.2 Host Name

A host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open this screen.

Figure 71 Configuration > System > Host Name

The following table describes the labels in this screen.

Table 58 Configuration > System > Host Name

13.3 Date and Time

For effective scheduling and logging, the NWA system time must be accurate. The NWA has a software mechanism to set the time manually or get the current time and date from an external server.

To change your NWA's time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the NWA's time and date or have the NWA get the date and time from a time server.

Figure 72 Configuration > System > Date/Time

The following table describes the labels in this screen.

Table 59 Configuration > System > Date/Time

13.3.1 Pre-defined NTP Time Servers List

When you turn on the NWA for the first time, the date and time start at 2003-01-01 00:00:00. The NWA then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers.

The NWA continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.

Table 60 Default Time Servers

When the NWA uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the NWA goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.

13.3.2 Time Server Synchronization

Click the Sync. Now button to get the time and date from the time server you specified in the Time Server Address field.

When the Loading message appears, you may have to wait up to one minute.

Figure 73 Loading

The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful.

If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/Time screen.

To manually set the NWA date and time:

1 Click System > Date/Time.
2 Select Manual under Time and Date Setup.
3 Enter the NWA's time in the New Time field.
4 Enter the NWA's date in the New Date field.
5 Under Time Zone Setup, select your Time Zone from the list.
6 As an option you can select the Enable Daylight Saving check box to adjust the NWA clock for daylight savings.
7 Click Apply.

To get the NWA date and time from a time server:

1 Click System > Date/Time.
2 Select Get from Time Server under Time and Date Setup.
3 Under Time Zone Setup, select your Time Zone from the list.
4 Under Time and Date Setup, enter a Time Server Address.
5 Click Apply.

13.4 WWW Overview

The following figure shows secure and insecure management of the NWA coming in from the WAN. HTTPS and SSH access are secure. HTTP, Telnet, and FTP management access are not secure.

Figure 74 Secure and Insecure Service Access From the WAN

graph LR
    LAN["LAN"] -->|Wireless| Router["Router"]
    Router -->|HTTP| INTERNET["INTERNET"]
    INTERNET -->|HTTP| LAN
    INTERNET -->|Telnet| LAN
    INTERNET -->|FTP| LAN
    LAN -->|Wireless| Laptop["Laptop"]
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN
    LAN -->|Wireless| LAN

13.4.1 Service Access Limitations

A service cannot be used to access the NWA when you have disabled that service in the corresponding screen.

13.4.2 System Timeout

There is a lease timeout for administrators. The NWA automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.

Each user is also forced to log in the NWA for authentication again when the reauthentication time expires.

You can change the timeout settings in the User screens.

13.4.3 HTTPS

You can set the NWA to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions.

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed).

It relies upon certificates, public keys, and private keys (see Chapter 12 on page 100 for more information).

HTTPS on the NWA is used so that you can securely access the NWA using the Web Configurator. The SSL protocol specifies that the HTTPS server (the NWA) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the NWA), whereas the HTTPS client only should authenticate itself when the HTTPS server requires it to do so (select Authenticate Client Certificates in the WWW screen). Authenticate Client Certificates is optional and if selected means the HTTPS client must send the NWA a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the NWA.

Please refer to the following figure.

1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the NWA's web server.
2 HTTP connection requests from a web browser go to port 80 (by default) on the NWA's web server.

Figure 75 HTTP/HTTPS Implementation

Note: If you disable HTTP in the WWW screen, then the NWA blocks all HTTP connection attempts.

13.4.4 Configuring WWW Service Control

Click Configuration > System > WWW to open the WWW screen. Use this screen to specify HTTP or HTTPS settings.

Figure 76 Configuration > System > WWW > Service Control

The following table describes the labels in this screen.

Table 61 Configuration > System > WWW > Service Control

13.4.5 HTTPS Example

If you haven't changed the default HTTPS port on the NWA, then in your browser enter "https://NWA IP Address/" as the web site address where "NWA IP Address" is the IP address or domain name of the NWA you wish to access.

13.4.5.1 Internet Explorer Warning Messages

When you attempt to access the NWA HTTPS server, you will see the error message shown in the following screen.

Figure 77 Security Alert Dialog Box (Internet Explorer)

Select Continue to this website. to proceed to the Web Configurator login screen. Otherwise, select Click here to close this webpage. to block the access.

13.4.5.2 Mozilla Firefox Warning Messages

When you attempt to access the NWA HTTPS server, a The Connection is Untrusted screen appears as shown in the following screen. Click Technical Details if you want to verify more information about the certificate from the NWA.

Select I Understand the Risks and then click Add Exception to add the NWA to the security exception list. Click Confirm Security Exception.

Figure 78 Security Certificate 1 (Firefox)

Figure 79 Security Certificate 2 (Firefox)

13.4.5.3 Avoiding Browser Warning Messages

Here are the main reasons your browser displays warnings about the NWA's HTTPS server certificate and what you can do to avoid seeing the warnings:

- The issuing certificate authority of the NWA's HTTPS server certificate is not one of the browser's trusted certificate authorities. The issuing certificate authority of the NWA's factory default certificate is the NWA itself since the certificate is a self-signed certificate.

• For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.
• To have the browser trust the certificates issued by a certificate authority, import the certificate authority's certificate into your operating system as a trusted certificate. Refer to Appendix A on page 176 for details.

13.4.5.4 Enrolling and Importing SSL Client Certificates

The SSL client needs a certificate if Authenticate Client Certificates is selected on the NWA.

You must have imported at least one trusted CA to the NWA in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).

Apply for a certificate from a Certification Authority (CA) that is trusted by the NWA (see the NWA's Trusted Certificates Web Configurator screen).

Figure 80 Trusted Certificates

The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).

13.4.5.5 Installing the CA's Certificate

1 Double click the CA's trusted certificate to produce a screen similar to the one shown next.

2 Click Install Certificate and follow the wizard as shown earlier in this appendix.

13.4.5.6 Installing a Personal Certificate

You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next

1 Click Next to begin the wizard.

2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.

3 Enter the password given to you by the CA.

4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.

5 Click Finish to complete the wizard and begin the import process.

6 You should see the following screen when the certificate is correctly installed on your computer.

13.4.5.7 Using a Certificate When Accessing the NWA

To access the NWA via HTTPS:

1 Enter 'https://NWA IP Address/ in your browser's web address field.

2 When Authenticate Client Certificates is selected on the NWA, the following screen asks you to select a personal certificate to send to the NWA. This screen displays even if you only have a single certificate as in the example.

3 You next see the Web Configurator login screen.

13.5 SSH

You can use SSH (Secure SHell) to securely access the NWA's command line interface.

SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer B on the Internet uses SSH to securely connect to the NWA (A) for a management session.

Figure 81 SSH Communication Over the WAN Example

graph LR
    A["Device A"] --> B["Device B"]
    B --> C["Internet Secure Connection"]
    C --> D["Device D"]

13.5.1 How SSH Works

The following figure is an example of how a secure connection is established between two remote hosts using SSH v1.

Figure 82 How SSH v1 Works Example

graph TD
    A["Internet"] -->|Connection request| B["SSH Server"]
    B -->|Host Key, Server Key| C["SSH Client"]
    C -->|Session Key| B
    B -->|Host Identification Pass / Fail| D["Authentication Pass / Fail"]
    D -->|Encryption method to use| E["Password / User name"]
    E -->|Data Transmission| F["Data Transmission"]

1 Host Identification

The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.

The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.

2 Encryption Method

Once the identification is verified, both the client and server must agree on the type of encryption method to use.

3 Authentication and Data Transmission

After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.

13.5.2 SSH Implementation on the NWA

Your NWA supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Archfour, and Blowfish). The SSH server is implemented on the NWA for management using port 22 (by default).

13.5.3 Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the NWA over SSH.

13.5.4 Configuring SSH

Click Configuration > System > SSH to open the following screen. Use this screen to configure your NWA's Secure Shell settings.

Note: It is recommended that you disable Telnet and FTP when you configure SSH for secure connections.

Figure 83 Configuration > System > SSH

The following table describes the labels in this screen.

Table 62 Configuration > System > SSH

13.5.5 Examples of Secure Telnet Using SSH

This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the NWA. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user's guide.

13.5.5.1 Example 1: Microsoft Windows

This section describes how to access the NWA using the Secure Shell Client program.

1 Launch the SSH client and specify the connection information (IP address, port number) for the NWA.
2 Configure the SSH client to accept connection using SSH version 1.
3 A window displays prompting you to store the host key in you computer. Click Yes to continue.

Figure 84 SSH Example 1: Store Host Key

Enter the password to log in to the NWA. The CLI screen displays next.

13.5.5.2 Example 2: Linux

This section describes how to access the NWA using the OpenSSH client program that comes with most Linux distributions.

1 Test whether the SSH service is available on the NWA.

Enter "telnet 192.168.1.2 22" at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the NWA (using the default IP address of 192.168.1.2).

A message displays indicating the SSH protocol version supported by the NWA.

Figure 85 SSH Example 2: Test

$ telnet 192.168.1.2 22
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
SSH-1.5-1.0.0 

2 Enter "ssh -1 192.168.1.2". This command forces your computer to connect to the NWA using SSH version 1. If this is the first time you are connecting to the NWA using SSH, a message displays prompting you to save the host information of the NWA. Type "yes" and press [ENTER].

Then enter the password to log in to the NWA.

Figure 86 SSH Example 2: Log in

$ ssh -1 192.168.1.2
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.2' (RSA1) to the list of known hosts.
Administrator@192.168.1.2's password: 

3 The CLI screen displays next.

13.6 Telnet

You can use Telnet to access the NWA's command line interface. Click Configuration > System > TELNET to configure your NWA for remote Telnet access. Use this screen to enable or disable Telnet and set the server port number.

Figure 87 Configuration > System > TELNET

The following table describes the labels in this screen.

Table 63 Configuration > System > TELNET

13.7 FTP

You can upload and download the NWA's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. See Chapter 15 on page 154 for more information about firmware and configuration files.

To change your NWA's FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify FTP settings.

Figure 88 Configuration > System > FTP

The following table describes the labels in this screen.

Table 64 Configuration > System > FTP

13.8 SNMP

Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your NWA supports SNMP agent functionality, which allows a manager station to manage and monitor the NWA through the network. The NWA supports SNMP version one (SNMPv1), version two (SNMPv2c), and version three (SNMPv3). The next figure illustrates an SNMP management operation.

Figure 89 SNMP Management Model

graph TD
    A["MANAGER"] --> B["AGENT"]
    A --> C["AGENT"]
    A --> D["AGENT"]
    B --> E["Managed Device"]
    C --> F["Managed Device"]
    D --> G["Managed Device"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#ccf,stroke:#333
    style D fill:#ccf,stroke:#333
    note right of A: SNMP
    note left of B: MIB
    note right of C: MIB

An SNMP managed network consists of two main types of component: agents and a manager.

An agent is a management software module that resides in a managed device (the NWA). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include such as number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

• Get - Allows the manager to retrieve an object variable from the agent.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set - Allows the manager to set values for object variables within an agent.
• Trap - Used by the agent to inform the manager of some events.

13.8.1 Supported MIBs

The NWA supports MIB II that is defined in RFC-1213 and RFC-1215. The NWA also supports private MIBs (ZYXEL-ES-CAPWAP.MIB, ZYXEL-ES-COMMON.MIB, ZYXEL-ES-HYBRIDAP.MIB, ZYXEL-ES-PROWLAN.MIB, ZYXEL-ES-RFMGMT.MIB, ZYXEL-ES-SMI.MIB, and ZYXEL-ES-WIRELESS.MIB) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs

is to let administrators collect statistical data and monitor status and performance. You can download the NWA's MIBs from www.zyxel.com.

13.8.2 SNMP Traps

The NWA will send traps to the SNMP manager when any one of the following events occurs.

Table 65 SNMP Traps

13.8.3 Configuring SNMP

To change your NWA's SNMP settings, click Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings. You can also configure user profiles that define allowed SNMPv3 access.

Figure 90 Configuration > System > SNMP

The following table describes the labels in this screen.

Table 66 Configuration > System > SNMP

13.8.4 Adding or Editing an SNMPv3 User Profile

This screen allows you to add or edit an SNMPv3 user profile. To access this screen, click the Configuration > System > SNMP screen's Add button or select a SNMPv3 user profile from the list and click the Edit button.

Figure 91 Configuration > System > SNMP > Add

The following table describes the labels in this screen.

Table 67 Configuration > System > SNMP

Log and Report

14.1 Overview

Use the system screens to configure daily reporting and log settings.

14.1.1 What You Can Do In this Chapter

• The Email Daily Report screen (Section 14.2 on page 142) configures how and where to send daily reports and what reports to send.
• The Log Setting screens (Section 14.3 on page 144) specify which logs are e-mailed, where they are e-mailed, and how often they are e-mailed.

14.2 Email Daily Report

Use this screen to start or stop data collection and view various statistics about traffic passing through your NWA.

Note: Data collection may decrease the NWA's traffic throughput rate.

Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the NWA e-mail you system statistics every day.

Figure 92 Configuration > Log & Report > Email Daily Report

The following table describes the labels in this screen.

Table 68 Configuration > Log & Report > Email Daily Report

14.3 Log Setting

These screens control log messages and alerts. A log message stores the information for viewing (for example, in the Monitor > View Log screen) or regular e-mailing later, and an alert is e-mailed immediately. Usually, alerts are used for events that require more serious attention, such as system errors and attacks.

The NWA provides a system log and supports e-mail profiles and remote syslog servers. The system log is available on the View Log screen, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers.

The Log Setting tab also controls what information is saved in each log. For the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed.

For alerts, the Log Setting screen controls which events generate alerts and where alerts are e- mailed.

The Log Setting screen provides a summary of all the settings. You can use the Edit Log Setting screen to maintain the detailed settings (such as log categories, e-mail addresses, server names, etc.) for any log. Alternatively, if you want to edit what events is included in each log, you can also use the Active Log Summary screen to edit this information for all logs at the same time.

14.3.1 Log Setting

To access this screen, click Configuration > Log & Report > Log Setting.

Figure 93 Configuration > Log & Report > Log Setting

The following table describes the labels in this screen.

Table 69 Configuration > Log & Report > Log Setting

14.3.2 Edit System Log Settings

This screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Select a system log entry in the Log Setting screen and click the Edit icon.

Figure 94 Configuration > Log & Report > Log Setting > Edit System Log Setting

The following table describes the labels in this screen.

Table 70 Configuration > Log & Report > Log Setting > Edit System Log Setting

14.3.3 Edit Remote Server

This screen controls the settings for each log in the remote server (syslog). Select a remote server entry in the Log Setting screen and click the Edit icon.

Figure 95 Configuration > Log & Report > Log Setting > Edit Remote Server

The following table describes the labels in this screen.

Table 71 Configuration > Log & Report > Log Setting > Edit Remote Server

14.3.4 Active Log Summary

This screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Setting screen, and click the Active Log Summary button.

Figure 96 Active Log Summary

This screen provides a different view and a different way of indicating which messages are included in each log and each alert. (The Default category includes debugging messages generated by open source software.)

The following table describes the fields in this screen.

Table 72 Configuration > Log & Report > Log Setting > Active Log Summary

15.1 Overview

Configuration files define the NWA's settings. Shell scripts are files of commands that you can store on the NWA and run when you need them. You can apply a configuration file or run a shell script without the NWA restarting. You can store multiple configuration files and shell script files on the NWA. You can edit configuration files or shell scripts in a text editor and upload them to the NWA. Configuration files use a .conf extension and shell scripts use a .zysh extension.

15.1.1 What You Can Do in this Chapter

• The Configuration File screen (Section 15.2 on page 155) stores and names configuration files. You can also download and upload configuration files.
• The Firmware Package screen (Section 15.3 on page 160) checks your current firmware version and uploads firmware to the NWA.
• The Shell Script screen (Section 15.4 on page 162) stores, names, downloads, uploads and runs shell script files.

15.1.2 What you Need to Know

The following terms and concepts may help as you read this chapter.

Configuration Files and Shell Scripts

When you apply a configuration file, the NWA uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the NWA only applies the commands that it contains. Other settings do not change.

These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below

<h1 id="enter-configuration-mode">enter configuration mode</h1>
configure terminal
<h1 id="change-administrator-password">change administrator password</h1>
username admin password 4321 user-type admin
#configure default radio profile, change 2GHz channel to 11 & Tx output power # to 50%
wlan-radio-profile default
2g-channel 11
output-power 50%
exit
write 

While configuration files and shell scripts have the same syntax, the NWA applies configuration files differently than it runs shell scripts. This is explained below.

Table 73 Configuration Files and Shell Scripts in the NWA

You have to run the aforementioned example as a shell script because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode.

Comments in Configuration Files or Shell Scripts

In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the NWA treat the line as a comment.

Your configuration files or shell scripts can use "exit" or a command line consisting of a single "!" to have the NWA exit sub command mode.

Note: "exit" or "!" must follow sub commands if it is to make the NWA exit sub command mode.

In the following example lines 1 and 2 are comments. Line 5 exits sub command mode.

! this is from Joe
<h1 id="on-20101205">on 2010/12/05</h1>
wlan-ssid-profile default
ssid Joe-AP
qos wmm
security default
! 

Errors in Configuration Files or Shell Scripts

When you apply a configuration file or run a shell script, the NWA processes the file line-by-line. The NWA checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the NWA finds an error, it stops applying the configuration file or shell script and generates a log.

You can change the way a configuration file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The NWA ignores any errors in the configuration file or shell script and applies all of the valid commands. The NWA still generates a log for any errors.

15.2 Configuration File

Click Maintenance > File Manager > Configuration File to open this screen. Use the Configuration File screen to store, run, and name configuration files. You can also download

configuration files from the NWA to your computer and upload configuration files from your computer to the NWA.

Once your NWA is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.

Configuration File Flow at Restart

• If there is not a startup-config.conf when you restart the NWA (whether through a management interface or by physically turning the power off and back on), the NWA uses the system-default.conf configuration file with the NWA's default settings.
• If there is a startup-config.conf, the NWA checks it for errors and applies it. If there are no errors, the NWA uses it and copies it to the lastgood.conf configuration file as a back up file. If there is an error, the NWA generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. If there isn't a lastgood.conf configuration file or it also has an error, the NWA applies the system-default.conf configuration file.
• You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The NWA ignores any errors in the startup-config.conf file and applies all of the valid commands. The NWA still generates a log for any errors.

Figure 97 Maintenance > File Manager > Configuration File

Do not turn off the NWA while configuration file upload is in progress.

The following table describes the labels in this screen.

Table 74 Maintenance > File Manager > Configuration File

LABEL	DESCRIPTION
Rename	Use this button to change the label of a configuration file on the NWA. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files.You cannot rename a configuration file to the name of another configuration file in the NWA.Click a configuration file's row to select it and click Rename to open the Rename File screen.Specify the new name for the configuration file. Use up to 25 characters (including a-zA-Z0-9;~!@#%^&(_)+[]'.',=-.Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
Remove	Click a configuration file's row to select it and click Remove to delete it from the NWA. You can only delete manually saved configuration files. You cannot delete the system-default.conf, startup-config.conf and lastgood.conf files.A pop-up window asks you to confirm that you want to delete the configuration file. Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file.
Download	Click a configuration file's row to select it and click Download to save the configuration to your computer.
CopyApply	Use this button to save a duplicate of a configuration file on the NWA.Click a configuration file's row to select it and click Copy to open the Copy File screen.Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;~!@#%^&(_)+[]{'.',=-.Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.Use this button to have the NWA use a specific configuration file.Click a configuration file's row to select it and clickApplyto have the NWA use that configuration file. The NWA does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.The following screen gives you options for what the NWA is to do if it encounters an error in the configuration file.
	Immediately stop applying the configuration file- this is not recommended because it would leave the rest of the configuration blank. If the interfaces were not configured before the first error, the console port may be the only way to access the device.Immediately stop applying the configuration file and roll back to the previous configuration- this gets the NWA started with a fully valid configuration file as quickly as possible.Ignore errors and finish applying the configuration file- this applies the valid parts of the configuration file and generates error logs for all of the configuration file's errors. This lets the NWA apply most of your configuration and you can refer to the logs for what to fix.Ignore errors and finish applying the configuration file and then roll back to the previous configuration- this applies the valid parts of the configuration file, generates error logs for all of the configuration file's errors, and starts the NWA with a fully valid configuration file.ClickOKto have the NWA start applying the configuration file or clickCancelto close the screen
#	This column displays the number for each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space.
File Name	This column displays the label that identifies a configuration file.You cannot delete the following configuration files or change their file names.The system-default.conf file contains the NWA's default settings. Select this file and click Apply to reset all of the NWA settings to the factory defaults. This configuration file is included when you upload a firmware package.The startup-config.conf file is the configuration file that the NWA is currently using. If you make and save changes during your management session, the changes are applied to this configuration file. The NWA applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK. It applies configuration changes made via commands when you use the write command.The lastgood.conf is the most recently used (valid) configuration file that was saved when the device last restarted. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
Size	This column displays the size (in KB) of a configuration file.
Last Modified	This column displays the date and time that the individual configuration files were last changed or saved.
Upload Configuration File	The bottom part of the screen allows you to upload a new or previously saved configuration file from your computer to your NWAYou cannot upload a configuration file named system-default.conf or lastgood.conf.If you upload startup-config.conf, it will replace the current configuration and immediately apply the new settings.
File Path	Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...	Click Browse... to find the .conf file you want to upload. The configuration file must use a ".conf" filename extension. You will receive an error message if you try to upload a fie of a different format. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload	Click Upload to begin the upload process. This process may take up to two minutes.

15.2.1 Example of Configuration File Download Using FTP

The following example gets a configuration file named startup-config.conf from the NWA and saves it on the computer.

1 Connect your computer to the NWA.
2 The FTP server IP address of the NWA in standalone AP mode is 192.168.1.2, so set your computer to use a static IP address from 192.168.1.3 \~192.168.1.254.
3 Use an FTP client on your computer to connect to the NWA. For example, in the Windows command prompt, type ftp 192.168.1.2. Keep the console session connected in order to see when the firmware recovery finishes.
4 Enter your user name when prompted.
5 Enter your password as requested.
6 Use "cd" to change to the directory that contains the files you want to download.
7 Use "dir" or "ls" if you need to display a list of the files in the directory.

8 Use "get" to download files. Transfer the configuration file on the NWA to your computer. Type get followed by the name of the configuration file. This examples uses get startup-config.conf.

C:\>ftp 192.168.1.2
Connected to 192.168.1.2.
220---- Welcome to Pure-FTPd [privsep] [TLS] ----
220-You are user number 1 of 5 allowed.
220-Local time is now 21:28. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 600 minutes of inactivity.
User (192.168.1.2:(none)): admin
331 User admin OK. Password required
Password:
230 OK. Current restricted directory is /
ftp> cd conf
250 OK. Current directory is /conf
ftp> ls
200 PORT command successful
150 Connecting to port 5001
lastgood.conf
startup-config.conf
system-default.conf
226 3 matches total
ftp: 57 bytes received in 0.33Seconds 0.17Kbytes/sec.
ftp> get startup-config.conf
200 PORT command successful
150 Connecting to port 5002
226-File successfully transferred
226 0.002 seconds (measured here), 1.66 Mbytes per second
ftp: 2928 bytes received in 0.02Seconds 183.00Kbytes/sec.
ftp> 

9 Wait for the file transfer to complete.

10 Enter "quit" to exit the ftp prompt.

15.3 Firmware Package

Click Maintenance > File Manager > Firmware Package to open this screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the NWA.

Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.

Find the firmware package at www.zyxel.com in a file that (usually) uses a .bin extension.

The firmware update can take up to five minutes. Do not turn off or reset the NWA while the firmware update is in progress!

Figure 98 Maintenance > File Manager > Firmware Package

The following table describes the labels in this screen.

Table 75 Maintenance > File Manager > Firmware Package

After you see the Firmware Upload in Process screen, wait two minutes before logging into the NWA again.

Note: The NWA automatically reboots after a successful upload.

The NWA automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 99 Network Temporarily Disconnected

After five minutes, log in again and check your new firmware version in the Dashboard screen.

15.3.1 Example of Firmware Upload Using FTP

This procedure requires the NWA's firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, "410AAHY1C0.bin". Do the following after you have obtained the firmware file.

1 Connect your computer to the NWA.
2 The FTP server IP address of the NWA in standalone AP mode is 192.168.1.2, so set your computer to use a static IP address from 192.168.1.3 \~192.168.1.254.
3 Use an FTP client on your computer to connect to the NWA. For example, in the Windows command prompt, type ftp 192.168.1.2. Keep the console session connected in order to see when the firmware recovery finishes.
4 Enter your user name when prompted.
5 Enter your password as requested.
6 Enter "hash" for FTP to print a `#' character for every 1024 bytes of data you upload so that you can watch the file transfer progress.
7 Enter "bin" to set the transfer mode to binary.
8 Transfer the firmware file from your computer to the NWA. Type put followed by the path and name of the firmware file. This examples uses put C:\ftproot\NWA_FW\410AAHY1C0.bin.

C:\>ftp 192.168.1.2
Connected to 192.168.1.2.
220---- Welcome to Pure-FTPd [privsep] [TLS] ----
220-You are user number 1 of 5 allowed.
220-Local time is now 21:28. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 600 minutes of inactivity.
User (192.168.1.2:(none)): admin
331 User admin OK. Password required
Password:
230 OK. Current restricted directory is /
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp> bin
200 TYPE is now 8-bit binary
ftp> put C:\ftproot\NWA_FW\410AAHY1C0.bin 

9 Wait for the file transfer to complete.

10 Enter "quit" to exit the ftp prompt.

15.4 Shell Script

Use shell script files to have the NWA use commands that you specify. Use a text editor to create the shell script files. They must use a ".zysh" filename extension.

Click Maintenance > File Manager > Shell Script to open this screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the NWA at the same time.

Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the NWA restarts. You could use multiple write commands in a long script.

Figure 100 Maintenance > File Manager > Shell Script

Each field is described in the following table.

Table 76 Maintenance > File Manager > Shell Script

16.1 Overview

Use the diagnostics screen for troubleshooting.

16.1.1 What You Can Do in this Chapter

- The Diagnostics screen (Section 16.2 on page 165) generates a file containing the NWA's configuration and diagnostic information if you need to provide it to customer support during troubleshooting.

16.2 Diagnostics

This screen provides an easy way for you to generate a file containing the NWA's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.

Click Maintenance > Diagnostics to open the Diagnostic screen.

Figure 101 Maintenance > Diagnostics

The following table describes the labels in this screen.

Table 77 Maintenance > Diagnostics

Table 77 Maintenance > Diagnostics

17.1 Overview

Use this screen to restart the device.

17.1.1 What You Need To Know

If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot.

Reboot is different to reset; reset returns the device to its default configuration.

17.2 Reboot

This screen allows remote users can restart the device. To access this screen, click Maintenance > Reboot.

Figure 102 Maintenance > Reboot

Click the Reboot button to restart the NWA. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser.

You can also use the CLI command reboot to restart the NWA.

18.1 Overview

Use this screen to shutdown the device.

Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the NWA or remove the power. Not doing so can cause the firmware to become corrupt.

18.1.1 What You Need To Know

Shutdown writes all cached data to the local storage and stops the system processes. Shutdown is different to reset; reset returns the device to its default configuration.

18.2 Shutdown

To access this screen, click Maintenance > Shutdown.

Figure 103 Maintenance > Shutdown

Click the Shutdown button to shut down the NWA. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power.

You can also use the CLI command shutdown to shutdown the NWA.

Troubleshooting

19.1 Overview

This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.

• Power, Hardware Connections, and LED
• NWA Access and Login
- Internet Access
- Wireless Connections
- Resetting the NWA

19.2 Power, Hardware Connections, and LED

The NWA does not turn on. The LED is not on.

1 Make sure you are using the power adaptor included with the NWA or a PoE power injector.
2 Make sure the power adaptor or PoE power injector is connected to the NWA and plugged in to an appropriate power source. Make sure the power source is turned on.
3 Disconnect and re-connect the power adaptor or PoE power injector.
4 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
5 If none of these steps work, you may have faulty hardware and should contact your NWA vendor.

The LED does not behave as expected.

1 Make sure you understand the normal behavior of the LED. See Section 1.5 on page 17.
2 Check the hardware connections. See the Quick Start Guide.
3 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
4 Disconnect and re-connect the power adaptor or PoE power injector to the NWA.

5 If the problem continues, contact the vendor.

19.3 NWA Access and Login

I forgot the IP address for the NWA.

1 The default IP address (in standalone AP mode) is 192.168.1.2.
2 If you changed the IP address and have forgotten it, you have to reset the device to its factory defaults. See Section 19.6 on page 175.
3 If your NWA is a DHCP client, you can find your IP address from the DHCP server. This information is only available from the DHCP server which allocates IP addresses on your network. Find this information directly from the DHCP server or contact your system administrator for more information.

I cannot see or access the Login screen in the web configurator.

1 Make sure you are using the correct IP address.
- The default IP address (in standalone AP mode) is 192.168.1.2.
- If you changed the IP address, use the new IP address.
- If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the NWA.
2 Check the hardware connections, and make sure the LED is behaving as expected. See the Quick Start Guide and Section 1.5 on page 17.
3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled.
4 Make sure your computer is in the same subnet as the NWA. (If you know that there are routers between your computer and the NWA, skip this step.)
- If there is a DHCP server on your network, make sure your computer is using a dynamic IP address.
- If there is no DHCP server on your network, make sure your computer's IP address is in the same subnet as the NWA.
5 Reset the device to its factory defaults, and try to access the NWA with the default IP address. See Section 19.6 on page 175.
6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions

• Try to access the NWA using another service, such as Telnet. If you can access the NWA, check the remote management settings to find out why the NWA does not respond to HTTP.
• If your computer is connected wirelessly, use a computer that is connected to a LAN/ETHERNET port.

I forgot the password.

1 The default password is 1234.
2 If this does not work, you have to reset the device to its factory defaults. See Section 19.6 on page 175.

I can see the Login screen, but I cannot log in to the NWA.

1 Make sure you have entered the user name and password correctly. The default password is 1234. This fields are case-sensitive, so make sure [Caps Lock] is not on.
2 You cannot log in to the web configurator while someone is using Telnet to access the NWA. Log out of the NWA in the other session, or ask the person who is logged in to log out.
3 Disconnect and re-connect the power adaptor or PoE power injector to the NWA.
4 If this does not work, you have to reset the device to its factory defaults. See Section 19.6 on page 175.

I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware.

See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.

19.4 Internet Access

I cannot access the Internet.

1 Check the hardware connections, and make sure the LED is behaving as expected. See the Quick Start Guide and Section 19.2 on page 169.

2 Make sure the NWA is connected to a broadband modem or router with Internet access and your computer is set to obtain an dynamic IP address.
3 If you are trying to access the Internet wirelessly, make sure the wireless settings on the wireless client are the same as the settings on the NWA.
4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
5 If the problem continues, contact your ISP.

I cannot access the Internet anymore. I had access to the Internet (with the NWA), but my Internet connection is not available anymore.

1 Check the hardware connections, and make sure the LED is behaving as expected. See the Quick Start Guide and Section 1.5 on page 17.
2 Reboot the NWA.
3 If the problem continues, contact your ISP.

The Internet connection is slow or intermittent.

1 There might be a lot of traffic on the network. Look at the LED, and check Section 1.5 on page 17. If the NWA is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications.
2 Check the signal strength. If the signal is weak, try moving the NWA closer to the NWA (if possible), and look around to see if there are any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on).
3 Reboot the NWA.
4 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions

Check the settings for QoS. If it is disabled, you might consider activating it. If it is enabled, you might consider raising or lowering the priority for some applications.

19.5 Wireless Connections

I cannot access the NWA or ping any computer from the WLAN.

1 Make sure the wireless LAN (wireless radio) is enabled on the NWA.
2 Make sure the radio or at least one of the NWA's radios is operating in AP mode.
3 Make sure the wireless adapter (installed on your computer) is working properly.
4 Make sure the wireless adapter (installed on your computer) is IEEE 802.11 compatible and supports the same wireless standard as the NWA's active radio.
5 Make sure your computer (with a wireless adapter installed) is within the transmission range of the NWA.
6 Check that both the NWA and your computer are using the same wireless and wireless security settings.

Hackers have accessed my WEP-encrypted wireless LAN.

WEP is extremely insecure. Its encryption can be broken by an attacker, using widely-available software. It is strongly recommended that you use a more effective security mechanism. Use the strongest security mechanism that all the wireless devices in your network support. WPA2 or WPA2-PSK is recommended.

The wireless security is not following the re-authentication timer setting I specified.

If a RADIUS server authenticates wireless stations, the re-authentication timer on the RADIUS server has priority. Change the RADIUS server's configuration if you need to use a different re-authentication timer setting.

I cannot get a certificate to import into the NWA.

1 For My Certificates, you can import a certificate that matches a corresponding certification request that was generated by the NWA. You can also import a certificate in PKCS#12 format, including the certificate's public and private keys.
2 You must remove any spaces from the certificate's filename before you can import the certificate.
3 Any certificate that you want to import has to be in one of these file formats:
- Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
- PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
- Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The NWA currently allows the importation of a PKS#7 file that contains a single certificate.

• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.
• Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the NWA.

Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.

I can only see newer logs. Older logs are missing.

When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.

The commands in my configuration file or shell script are not working properly.

• In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the NWA treat the line as a comment.
• Your configuration files or shell scripts can use "exit" or a command line consisting of a single "!" to have the NWA exit sub command mode.
• Include write commands in your scripts. Otherwise the changes will be lost when the NWA restarts. You could use multiple write commands in a long script.

Note: "exit" or "!" must follow sub commands if it is to make the NWA exit sub command mode.

I cannot get the firmware uploaded using the commands.

The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.

Wireless clients are not being load balanced among my APs.

• Make sure that all the APs used by the wireless clients in question share the same SSID, security, and radio settings.
• Make sure that all the APs are in the same broadcast domain.
• Make sure that the wireless clients are in range of the other APs; if they are only in range of a single AP, then load balancing may not be as effective.

In the Monitor > Wireless > AP Information > Radio List screen, there is no load balancing indicator associated with any APs assigned to the load balancing task.

• Check to be sure that the AP profile which contains the load balancing settings is correctly assigned to the APs in question.
• The load balancing task may have been terminated because further load balancing on the APs in question is no longer required.

19.6 Resetting the NWA

If you cannot access the NWA by any method, try restarting it by turning the power off and then on again. If you still cannot access the NWA by any method or you forget the administrator password(s), you can reset the NWA to its factory-default settings. Any configuration files or shell scripts that you saved on the NWA should still be available afterwards.

Use the following procedure to reset the NWA to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system-default.conf file.

Note: This procedure removes the current configuration.

1 Make sure the LED is on and not blinking.
2 Press the RESET button and hold it until the LED begins to blink. (This usually takes about five seconds.)
3 Release the RESET button, and wait for the NWA to restart.

You should be able to access the NWA using the default settings.

19.7 Getting More Troubleshooting Help

Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.

Importing Certificates

This appendix shows you how to import public key certificates into your web browser.

Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitimate.

Many ZyXEL products, such as the NWA, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the ZyXEL-created certificate into your web browser and flag that certificate as a trusted authority.

Note: You can see if you are browsing on a secure website if the URL in your web browser's address bar begins with https:// or there is a sealed padlock icon ( ) somewhere in the main browser window (not all browsers show the padlock in the same location).

Internet Explorer

The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, they can also apply to Internet Explorer on Windows Vista.

1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2 Click Continue to this website (not recommended).
3 In the Address Bar, click Certificate Error > View certificates.

4 In the Certificate dialog box, click Install Certificate.

5 In the Certificate Import Wizard, click Next.

6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.

7 Otherwise, select Place all certificates in the following store and then click Browse.

8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.

9 In the Completing the Certificate Import Wizard screen, click Finish.

10 If you are presented with another Security Warning, click Yes.

11 Finally, click OK when presented with the successful certificate installation message.

12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information.

Installing a Stand-Alone Certificate File in Internet Explorer

Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Double-click the public key certificate file.

2 In the security warning dialog box, click Open.

3 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 176 to complete the installation process.

Removing a Certificate in Internet Explorer

This section shows you how to remove a public key certificate in Internet Explorer 7 on Windows XP.

1 Open Internet Explorer and click Tools > Internet Options.

2 In the Internet Options dialog box, click Content > Certificates.

3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.

4 In the Certificates confirmation, click Yes.

5 In the Root Certificate Store dialog box, click Yes.

6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Firefox

The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.

1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
2 Select Accept this certificate permanently and click OK.

3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page's security information.

Installing a Stand-Alone Certificate File in Firefox

Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Firefox and click Tools > Options.

2 In the Options dialog box, click Advanced > Encryption > View Certificates.

3 In the Certificate Manager dialog box, click Web Sites > Import.

4 Use the Select File dialog box to locate the certificate and then click Open.

5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information.

Removing a Certificate in Firefox

This section shows you how to remove a public key certificate in Firefox 2.

1 Open Firefox and click Tools > Options.

2 In the Options dialog box, click Advanced > Encryption > View Certificates.

3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.

4 In the Delete Web Site Certificates dialog box, click OK.

5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Overview

IPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 × 10^38 IP addresses.

IPv6 Addressing

The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

IPv6 addresses can be abbreviated in two ways:

• Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0.
• Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.

Prefix and Prefix Length

Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An IPv6 prefix length specifies how many most significant bits (start from the left) in the address compose the network address. The prefix length is written as "/x" where x is a number. For example,

2001:db8:1a2b:15::1a2f:0/32

means that the first 32 bits (2001:db8) is the subnet prefix.

Link-local Address

A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a "private IP address" in IPv4. You can have the same link-local address on multiple interfaces on a device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast address format is as follows.

Table 78 Link-local Unicast Address Format

Global Address

A global address uniquely identifies a device on the Internet. It is similar to a "public IP address" in IPv4. A global unicast address starts with a 2 or 3.

Unspecified Address

An unspecified address (0:0:0:0:0:0:0:0 or ::) is used as the source address when a device does not have its own address. It is similar to "0.0.0.0" in IPv4.

Loopback Address

A loopback address (0:0:0:0:0:0:0:1 or ::1) allows a host to send packets to itself. It is similar to "127.0.0.1" in IPv4.

Multicast Address

In IPv6, multicast addresses provide the same functionality as IPv4 broadcast addresses. Broadcasting is not supported in IPv6. A multicast address allows a host to send packets to all hosts in a multicast group.

Multicast scope allows you to determine the size of the multicast group. A multicast address has a predefined prefix of ff00::/8. The following table describes some of the predefined multicast addresses.

Table 79 Predefined Multicast Address

The following table describes the multicast addresses which are reserved and can not be assigned to a multicast group.

Table 80 Reserved Multicast Address

Both an IPv6 address and IPv6 subnet mask compose of 128-bit binary digits, which are divided into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each character (1 \~ 10, A \~ F). Each block's 16 bits are then represented by four hexadecimal characters. For example, FFFF:FFFF:FFFF:FFFF:FC00:0000:0000:0000.

Interface ID

In IPv6, an interface ID is a 64-bit identifier. It identifies a physical interface (for example, an Ethernet port) or a virtual interface (for example, the management IP address for a VLAN). One interface should have a unique interface ID.

EUI-64

The EUI-64 (Extended Unique Identifier) defined by the IEEE (Institute of Electrical and Electronics Engineers) is an interface ID format designed to adapt with IPv6. It is derived from the 48-bit (6-byte) Ethernet MAC address as shown next. EUI-64 inserts the hex digits fffe between the third and fourth bytes of the MAC address and complements the seventh bit of the first byte of the MAC address. See the following example.

Table 81

With stateless autoconfiguration in IPv6, addresses can be uniquely and automatically generated. Unlike DHCPv6 (Dynamic Host Configuration Protocol version six) which is used in IPv6 stateful autoconfiguration, the owner and status of addresses don't need to be maintained by a DHCP server. Every IPv6 device is able to generate its own and unique IP address automatically when IPv6 is initiated on its interface. It combines the prefix and the interface ID (generated from its own Ethernet MAC address, see Interface ID and EUI-64) to form a complete IPv6 address.

When IPv6 is enabled on a device, its interface automatically generates a link-local address (beginning with fe80).

When the interface is connected to a network with a router and the NWA is set to automatically obtain an IPv6 network prefix from the router for the interface, it generates ^1 another address which

combines its interface ID and global and subnet information advertised from the router. This is a routable global IP address.

DHCPv6

The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, RFC 3315) is a server-client protocol that allows a DHCP server to assign and pass IPv6 network addresses, prefixes and other configuration information to DHCP clients. DHCPv6 servers and clients exchange DHCP messages using UDP.

Each DHCP client and server has a unique DHCP Unique IDentifier (DUID), which is used for identification when they are exchanging DHCPv6 messages. The DUID is generated from the MAC address, time, vendor assigned ID and/or the vendor's private enterprise number registered with the IANA. It should not change over time even after you reboot the device.

Identity Association

An Identity Association (IA) is a collection of addresses assigned to a DHCP client, through which the server and client can manage a set of related IP addresses. Each IA must be associated with exactly one interface. The DHCP client uses the IA assigned to an interface to obtain configuration from a DHCP server for that interface. Each IA consists of a unique IAID and associated IP information.

The IA type is the type of address in the IA. Each IA holds one type of address. IA_NA means an identity association for non-temporary addresses and IA_TA is an identity association for temporary addresses. An IA_NA option contains the T1 and T2 fields, but an IA_TA option does not. The DHCPv6 server uses T1 and T2 to control the time at which the client contacts with the server to extend the lifetimes on any addresses in the IA_NA before the lifetimes expire. After T1, the client sends the server (S1) (from which the addresses in the IA_NA were obtained) a Renew message. If the time T2 is reached and the server does not respond, the client sends a Rebind message to any available server (S2). For an IA_TA, the client may send a Renew or Rebind message at the client's discretion.

graph LR
    A["T1"] --> B["T2"]
    B --> C["..."]
    C --> D["Rebind to S2"]
    B --> E["Rebind to S2"]
    B --> F["Renew to S1"]
    B --> G["Renew to S1"]
    B --> H["Renew to S1"]
    B --> I["Renew to S1"]
    style A fill:#fff,stroke:#000
    style B fill:#fff,stroke:#000
    style C fill:#fff,stroke:#000
    style D fill:#fff,stroke:#000
    style E fill:#fff,stroke:#000
    style F fill:#fff,stroke:#000
    style G fill:#fff,stroke:#000
    style H fill:#fff,stroke:#000
    style I fill:#fff,stroke:#000

DHCP Relay Agent

A DHCP relay agent is on the same network as the DHCP clients and helps forward messages between the DHCP server and clients. When a client cannot use its link-local address and a well-known multicast address to locate a DHCP server on its network, it then needs a DHCP relay agent to send a message to a DHCP server that is not attached to the same network.

The DHCP relay agent can add the remote identification (remote-ID) option and the interface-ID option to the Relay-Forward DHCPv6 messages. The remote-ID option carries a user-defined string,

such as the system name. The interface-ID option provides slot number, port information and the VLAN ID to the DHCPv6 server. The remote-ID option (if any) is stripped from the Relay-Reply messages before the relay agent sends the packets to the clients. The DHCP server copies the interface-ID option from the Relay-Forward message into the Relay-Reply message and sends it to the relay agent. The interface-ID should not change even after the relay agent restarts.

Prefix Delegation

Prefix delegation enables an IPv6 router to use the IPv6 prefix (network address) received from the ISP (or a connected uplink router) for its LAN. The NWA uses the received IPv6 prefix (for example, 2001:db2::/48) to generate its LAN IP address. Through sending Router Advertisements (RAs) regularly by multicast, the NWA passes the IPv6 prefix information to its LAN hosts. The hosts then can use the prefix to generate their IPv6 addresses.

ICMPv6

Internet Control Message Protocol for IPv6 (ICMPv6 or ICMP for IPv6) is defined in RFC 4443. ICMPv6 has a preceding Next Header value of 58, which is different from the value used to identify ICMP for IPv4. ICMPv6 is an integral part of IPv6. IPv6 nodes use ICMPv6 to report errors encountered in packet processing and perform other diagnostic functions, such as "ping".

Neighbor Discovery Protocol (NDP)

The Neighbor Discovery Protocol (NDP) is a protocol used to discover other IPv6 devices and track neighbor's reachability in a network. An IPv6 device uses the following ICMPv6 messages types:

• Neighbor solicitation: A request from a host to determine a neighbor's link-layer address (MAC address) and detect if the neighbor is still reachable. A neighbor being "reachable" means it responds to a neighbor solicitation message (from the host) with a neighbor advertisement message.
• Neighbor advertisement: A response from a node to announce its link-layer address.
• Router solicitation: A request from a host to locate a router that can act as the default router and forward packets.
• Router advertisement: A response to a router solicitation or a periodical multicast advertisement from a router to advertise its presence and other parameters.

IPv6 Cache

An IPv6 host is required to have a neighbor cache, destination cache, prefix list and default router list. The NWA maintains and updates its IPv6 caches constantly using the information from response messages. In IPv6, the NWA configures a link-local address automatically, and then sends a neighbor solicitation message to check if the address is unique. If there is an address to be resolved or verified, the NWA also sends out a neighbor solicitation message. When the NWA receives a neighbor advertisement in response, it stores the neighbor's link-layer address in the neighbor cache. When the NWA uses a router solicitation message to query for a router and receives a router advertisement message, it adds the router's information to the neighbor cache, prefix list and destination cache. The NWA creates an entry in the default router list cache if the router can be used as a default router.

When the NWA needs to send a packet, it first consults the destination cache to determine the next hop. If there is no matching entry in the destination cache, the NWA uses the prefix list to

determine whether the destination address is on-link and can be reached directly without passing through a router. If the address is onlink, the address is considered as the next hop. Otherwise, the NWA determines the next-hop from the default router list or routing table. Once the next hop IP address is known, the NWA looks into the neighbor cache to get the link-layer address and sends the packet when the neighbor is reachable. If the NWA cannot find an entry in the neighbor cache or the state for the neighbor is not reachable, it starts the address resolution process. This helps reduce the number of IPv6 solicitation and advertisement messages.

Multicast Listener Discovery

The Multicast Listener Discovery (MLD) protocol (defined in RFC 2710) is derived from IPv4's Internet Group Management Protocol version 2 (IGMPv2). MLD uses ICMPv6 message types, rather than IGMP message types. MLDv1 is equivalent to IGMPv2 and MLDv2 is equivalent to IGMPv3.

MLD allows an IPv6 switch or router to discover the presence of MLD listeners who wish to receive multicast packets and the IP addresses of multicast groups the hosts want to join on its network.

MLD snooping and MLD proxy are analogous to IGMP snooping and IGMP proxy in IPv4.

MLD filtering controls which multicast groups a port can join.

MLD Messages

A multicast router or switch periodically sends general queries to MLD hosts to update the multicast forwarding table. When an MLD host wants to join a multicast group, it sends an MLD Report message for that address.

An MLD Done message is equivalent to an IGMP Leave message. When an MLD host wants to leave a multicast group, it can send a Done message to the router or switch. The router or switch then sends a group-specific query to the port on which the Done message is received to determine if other devices connected to this port should remain in the group.

Example - Enabling IPv6 on Windows XP/2003/Vista

By default, Windows XP and Windows 2003 support IPv6. This example shows you how to use the ipv6 install command on Windows XP/2003 to enable IPv6. This also displays how to use the ipconfig command to see auto-generated IP addresses.

C:\>ipv6 install
Installing...
Succeeded.

C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.1.46
Subnet Mask . . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . . : fe80::2d0:59ff:feb8:103c%4
Default Gateway . . . . . . . . . : 10.1.1.254 

IPv6 is installed and enabled by default in Windows Vista. Use the ipconfig command to check your automatic configured IPv6 address as well. You should see at least one IPv6 address available for the interface on your computer.

Example - Enabling DHCPv6 on Windows XP

Windows XP does not support DHCPv6. If your network uses DHCPv6 for IP address assignment, you have to additionally install a DHCPv6 client software on your Windows XP. (Note: If you use static IP addresses or Router Advertisement for IPv6 address assignment in your network, ignore this section.)

This example uses Dibbler as the DHCPv6 client. To enable DHCPv6 client on your computer:

1 Install Dibbler and select the DHCPv6 client option on your computer.
2 After the installation is complete, select Start > All Programs > Dibbler-DHCPv6 > Client Install as service.
3 Select Start > Control Panel > Administrative Tools > Services.
4 Double click Dibbler - a DHCPv6 client.

5 Click Start and then OK.

6 Now your computer can obtain an IPv6 address from a DHCPv6 server.

Example - Enabling IPv6 on Windows 7

Windows 7 supports IPv6 by default. DHCPv6 is also enabled when you enable IPv6 on a Windows 7 computer.

To enable IPv6 in Windows 7:

1 Select Control Panel > Network and Sharing Center > Local Area Connection.
2 Select the Internet Protocol Version 6 (TCP/IPv6) checkbox to enable it.
3 Click OK to save the change.

4 Click Close to exit the Local Area Connection Status screen.
5 Select Start > All Programs > Accessories > Command Prompt.
6 Use the ipconfig command to check your dynamic IPv6 address. This example shows a global address (2001:b021:2d::1000) obtained from a DHCP server.

C:>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:b021:2d::1000
Link-local IPv6 Address . . . . . : fe80::25d8:dcab:c80a:5189%11
IPv4 Address. . . . . . . . . . . . : 172.16.100.61
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::213:49ff:feaa:7125%11
172.16.100.254 

Customer Support

In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional websites are listed below (see also http://www.zyxel.com/about_zyxel/zyxel_worldwide.shtml). Please have the following information ready when you contact an office.

Required Information

• Product model and serial number.
- Warranty Information.
- Date that you received your device.
- Brief description of the problem and the steps you took to solve it.

Corporate Headquarters (Worldwide)

Taiwan

• ZyXEL Communications Corporation
- http://www.zyxel.com

Asia

China

• ZyXEL Communications (Shanghai) Corp.
• ZyXEL Communications (Beijing) Corp.
• ZyXEL Communications (Tianjin) Corp.
• http://www.zyxel.cn

India

• ZyXEL Technology India Pvt Ltd
- http://www.zyxel.in

Kazakhstan

• ZyXEL Kazakhstan
• http://www.zyxel.kz

Korea

• ZyXEL Korea Corp.
• http://www.zyxel.kr

Malaysia

• ZyXEL Malaysia Sdn Bhd.
- http://www.zyxel.com.my

Pakistan

• ZyXEL Pakistan (Pvt.) Ltd.
- http://www.zyxel.com.pk

Philippines

• ZyXEL Philippines
• http://www.zyxel.com.ph

Singapore

• ZyXEL Singapore Pte Ltd.
- http://www.zyxel.com.sg

Taiwan

• ZyXEL Communications Corporation
- http://www.zyxel.com

Thailand

• ZyXEL Thailand Co., Ltd
- http://www.zyxel.co.th

Vietnam

• ZyXEL Communications Corporation-Vietnam Office
- http://www.zyxel.com/vn/vi

Europe

Austria

• ZyXEL Lithuania
• http://www.zyxel.com/lt/lt/homepage.shtml

Netherlands

• ZyXEL Benelux
• http://www.zyxel.nl

Norway

• ZyXEL Communications
- http://www.zyxel.no

Poland

• ZyXEL Communications Poland
- http://www.zyxel.pl

Romania

• ZyXEL Romania
• http://www.zyxel.com/ro/ro

Russia

• ZyXEL Russia
• http://www.zyxel.ru

Slovakia

• ZyXEL Communications Czech s.r.o. organizacna zlozka
- http://www.zyxel.sk

Spain

• ZyXEL Spain
• http://www.zyxel.es

Sweden

• ZyXEL Communications
- http://www.zyxel.se

Switzerland

• Studerus AG
• http://www.zyxel.ch/

Turkey

• ZyXEL Turkey A.S.
• http://www.zyxel.com.tr

UK

• ZyXEL Communications UK Ltd.
- http://www.zyxel.co.uk

Ukraine

• ZyXEL Ukraine
• http://www.ua.zyxel.com

Latin America

Argentina

• ZyXEL Communication Corporation
- http://www.zyxel.com/ec/es/

Ecuador

• ZyXEL Communication Corporation
- http://www.zyxel.com/ec/es/

Middle East

Egypt

• ZyXEL Communication Corporation
- http://www.zyxel.com/homepage.shtml

Middle East

• ZyXEL Communication Corporation
- http://www.zyxel.com/homepage.shtml

North America

USA

• ZyXEL Communications, Inc. - North America Headquarters
• http://www.us.zyxel.com/

Oceania

Australia

• ZyXEL Communications Corporation
- http://www.zyxel.com/au/en/

Africa

South Africa

• Nology (Pty) Ltd.
• http://www.zyxel.co.za

Legal Information

Copyright

Copyright © 2014 by ZyXEL Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimers

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Your use of the NWA is subject to the terms and conditions of any related service providers.

Trademarks

Trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Certifications

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

• This device may not cause harmful interference.
- This device must accept any interference received, including interference that may cause undesired operations.

This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.

If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4 Consult the dealer or an experienced radio/TV technician for help.

FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.

FCC Radiation Exposure Statement

• This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
• For operation within 5.15 \~ 5.25GHz frequency range, it is restricted to indoor environment.
• IEEE 802.11b, 802.11g or 802.11n (20MHz) operation of this product in the U.S.A. is firmware-limited to channels 1 through 11. IEEE 802.11n (40MHz) operation of this product in the U.S.A. is firmware-limited to channels 3 through 9.
• To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons.

Industry Canada Statement

This device complies with RSS-210 of the Industry Canada Rules. Operation is subject to the following two conditions:

1) this device may not cause interference and
2) this device must accept any interference, including interference that may cause undesired operation of the device
This device has been designed to operate with an antenna having a maximum gain of 3dBi.

Antenna having a higher gain is strictly prohibited per regulations of Industry Canada. The required antenna impedance is 50 ohms.

To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the EIRP is not more than required for successful communication.

IC Radiation Exposure Statement

This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment. End users must follow the specific operating instructions for satisfying RF exposure compliance.

注意！

依據 低功率電波輻射性電機管理辦法

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

This Class B digital apparatus complies with Canadian ICES-003.

Network standby power consumption < 12W and Off mode power consumption < 0.5W.

ErP (Energy-related Products) Declaration of Conformity

All ZyXEL products put on the EU market in compliance with the requirement of the European Parliament and the Council published Directive 2009/125/EC establishing a framework for the setting of ecodesign requirements for energy-related products (recast), so called as "ErP Directive (Energy-related Products directive).

This product has been outside the scope of Energy efficiency limitation requirement in the light of the terms of Regulation (EC) No 1275/2008, Annex II:

1. Four years after this Regulation has come into force:

(c) Availability of off mode and/or standby mode

Equipment shall, except where this is inappropriate for the intended use, provide off mode and/or standby mode, and/or another condition which does not exceed the applicable power consumption requirements for off mode and/or standby mode when the equipment is connected to the mains power source.

-another condition which does not exceed the applicable power consumption requirements for off mode and/or standby mode when the equipment is connected to the mains power source. The power anagement function shall be activated before delivery.

1. Information to be provided by manufacturers:

(c) the characteristics of equipment relevant for assessing conformity with the requirements set out in point 1(c), or the requirements set out in points 2(c) and/or 2(d), as applicable, including the time taken to automatically reach standby, or off mode, or another condition which does not exceed the applicable power consumption requirements for off mode and/or standby mode.

In particular, if applicable, the technical justification shall be provided that the requirements set out in point 1(c), or the requirements set out in points 2(c) and/or 2(d), are inappropriate for the intended use of equipment.

EU Directive & Regulation:

ErP Directive: Directive 2009/125/EC

Standby & off mode: Regulation (EC) No 1275/2008,

Guidance accompanying Commission Regulation (EC) No 1275/2008,

source: http://ec.europa.eu/energy/efficiency/ecodesign/eco_design_en.htm

Viewing Certifications

Go to http://www.zyxel.com to view this product's documentation and certifications.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific period (the Warranty Period) from the date of purchase. The Warranty Period varies by region. Check with your vendor and/or the authorized ZyXEL local distributor for details about the Warranty Period of this product. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.

To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com.

Open Source Licenses

This product contains in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are provided with the firmware package. You can download the latest firmware at www.zyxel.com. If you cannot find it there, contact your vendor or ZyXEL Technical Support at support@zyxel.com.tw.

To obtain the source code covered under those Licenses, please contact your vendor or ZyXEL Technical Support at support@zyxel.com.tw.

Regulatory Information

European Union

The following information applies if you use the product within the European Union.

Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive)

Compliance Information for 2.4GHz and 5GHz Wireless Products Relevant to the EU and Other Countries Following the EU Directive 1999/5/EC (R&TTE Directive)

CE

National Restrictions

This product may be used in all EU countries (and other countries following the EU directive 1999/5/EC) without any limitation except for the countries mentioned below:

In the majority of the EU and other European countries, the 2, 4- and 5-GHz bands have been made available for the use of wireless local area networks (LANs). Later in this document you will find an overview of countries in which additional restrictions or requirements or both are applicable.

The requirements for any country may evolve. ZyXEL recommends that you check with the local authorities for the latest status of their national regulations for both the 2,4- and 5-GHz wireless LANs.

The following countries have restrictions and/or requirements in addition to those given in the table labeled "Overview of Regulatory Requirements for Wireless LANs":.

Belgium

The Belgian Institute for Postal Services and Telecommunications (BIPT) must be notified of any outdoor wireless link having a range exceeding 300 meters. Please check http://www.bipt.be for more details.

In Denmark, the band 5150 - 5350 MHz is also allowed for outdoor usage.

This product meets the National Radio Interface and the requirements specified in the National Frequency Allocation Table for Italy. Unless this wireless LAN product is operating within the boundaries of the owner's property, its use requires a "general authorization." Please check http://www.sviluppoeconomico.gov.it/ for more details.

The outdoor usage of the 2.4 GHz band requires an authorization from the Electronic Communications Office. Please check http://www.esd.lv for more details.

2.4 GHz frekvenèu joslas izmantoðanai ârpus telpâm nepiecieðama atïauja no Elektronisko sakaru direkcijas. Vairâk informâcijas: http://www.esd.lv.

Notes:

1. Although Norway, Switzerland and Liechtenstein are not EU member states, the EU Directive 1999/5/EC has also been implemented in those countries.
2. The regulatory limits for maximum output power are specified in EIRP. The EIRP level (in dBm) of a device can be calculated by adding the gain of the antenna used(specified in dBi) to the output power available at the connector (specified in dBm).

List of national codes

Safety Warnings

• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
  • Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
  • Always disconnect all cables from this device before servicing or disassembling.
• Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the device and the power source.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
• Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
• If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
• The PoE (Power over Ethernet) devices that supply or receive power and their connected Ethernet cables must all be completely indoors.
• This product is for indoor use only (utilisation intérieure exclusivement).
  • FOR COUNTRY CODE SELECTION USAGE (WLAN DEVICES)
  Note: The country code selection is for non-US model only and is not available to all US model. Per FCC regulation, all Wi-Fi product marketed in US must fixed to US operation channels only.

Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.

Environmental Product Declaration

English		Deutsch (German)		Español (Spanish)		Français (French)
Environmental product declarationRoHS Directive 2011/65/EUWEEE Directive 2012/19/EUPPW Directive 94/62/ECREACH Regulation (EC) No 1907/2006ErP Directive 2009/125/ECCName/ title : Raymond Huang / Quality & Customer Service Division Assistant VPSignature : Date (dd/mm/yyyy) : 01/10/2013Raymond Huay		Produkt-UmweltdeklarationRoHS Richtlinie 2011/65/EUWEEE Richtlinie 2012/19/EUPPW Richtlinie 94/62/EGREACH VERORDNUNG (EG) Nr. 1907/2006ErP Richtlinie 2009/125/EGName/ titel : Raymond Huang / Quality & Customer Service Division Assistant VPUnterschrift : Datum (jjj/mm/tt): 2013/10/01Raymond Huay		Declaraciones Ambientales de ProductoRoHS Directiva 2011/65/UEWEEE Directiva 2012/19/UEPPW Directiva 94/62/CEREACH REGLAMENTO (CE) n° 1907/2006ErP Directiva 2009/125/CENombre/ Raymond Huang / Quality & Customer titulo : Service Division Assistant VPFirma : Fecha (aaaa/mm/dd): 2013/10/01Raymond Huay		Profil environnemental de produitRoHS Directive 2011/65/UEWEEE Directive 2012/19/UEPPW Directive 94/62/CEREACH RÉGLEMENT (CE) N° 1907/2006ErP Directive 2009/125/ECNom/ titre : Raymond Huang / Quality & Customer Service Division Assistant VPSignature : Date (aaaa/mm/j): 2013/10/01Raymond Huay
Italiano (Italian)		Nederlands (Dutch)		Svenska (Swedish)		Suomi (Finnish)
Dichiarazione ambientale di prodottoRoHS Direttiva 2011/65/UEWEEE Direttiva 2012/19/UEPPW Direttiva 94/62/CREACH REGOLAMENTO (CE) n. 1907/2006ErP Direttiva 2009/125/CENome/ titolo : Raymond Huang / Quality & Customer Service Division Assistant VPFirma : Data (aaaa/mm/gg): 2013/10/01Raymond Huay[RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERified] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHs VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED]		MilieuproductverklaringRoHS Richtlijn 2011/65/EUWEEE Richtlijn 2012/19/EUPPW Richtlijn 94/62/EGREACH Verordening (EG) nr. 1907/2006ErP Richtlijn 2009/125/EGNaam/ titel : Raymond Huang / Quality & Customer Service Division Assistant VPHandtekening : Datum (dd/mm/jaar): 01/10/2013Raymond Huay[RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED][RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED] [RoHG VERIFIED]		MiljöproduktdeklarationRoHS Direktiv 2011/65/EUWEEE Direktiv 2012/19/EUPPW Direktiv 94/62/EGREACH Fördning (EG) nr 1907/2006ErP Direktiv 2009/125/EGNamn/ titel : Raymond Huang / Quality & Customer Service Division Assistant VPNamnteckning : Datum (dd/mm/äååå): 01/10/2013Raymond Huay[RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED][RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED][RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED][RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] Standardiin perustuva ympäristötuoteselosteRoHS Direktivi 2011/65/EUWEEE Direktivi 2012/19/EUPPW Direktivi 94/62/EYREACH ASETUS (EY) N:o 1907/2006ErP Direktivi 2009/125/EYNimi/ Raymond Huang / Quality & Customer Service Division Assistant VPAlekirjoitus : Päivämäärä (pp/kk/vwwv): 01/10/2013Raymond Huay[RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED] [RoHS VERIFIED]<

Index

Symbols

A

access 19

access privileges 12

access users 69

see also users 69

admin users 69

multiple logins 74

see also users 69

alerts 144, 147, 148, 150, 151, 152

AP 11

applications

MBSSID 12

Repeater 15

B

backing up configuration files 156

Basic Service Set

see BSS

boot module 161

BSS 12

C

CA

and certificates 101

CA (Certificate Authority), see certificates

CAPWAP 49, 51

CEF (Common Event Format) 145, 150

Certificate Authority (CA)

see certificates

Certificate Management Protocol (CMP) 107

Certificate Revocation List (CRL) 101

vs OCSP 116

certificates 100

advantages of 101

and CA 101

and FTP 137

and HTTPS 122

and SSH 134

and WWW 124

certification path 101, 109, 114

expired 101

factory-default 101

file formats 101

fingerprints 110, 115

importing 104

not used for encryption 101

revoked 101

self-signed 101, 106

serial number 109, 114

storage space 103, 112

thumbprint algorithms 102

thumbprints 102

used for authentication 101

verifying fingerprints 102

certification requests 106, 107

certifications 204

notices 205

viewing 205

channel 13

CLI 16, 24

button 24

messages 24

popup window 24

Reference Guide 2

cold start 18

commands 16

sent by Web Configurator 24

Common Event Format (CEF) 145, 150

comparison table 11

configuration 12

information 165

configuration files 154

at restart 156

backing up 156

downloading 157

downloading with FTP 136

editing 154

how applied 155

lastgood.conf 156, 159

managing 155

startup-config.conf 159

startup-config-bad.conf 156

syntax 154

system-default.conf 159

uploading 159

uploading with FTP 136

use without restart 154

contact information 198

Control and Provisioning of Wireless Access Points See CAPWAP

cookies 19

copyright 204

CPU usage 32, 34

current date/time 32, 118

daylight savings 119

setting manually 121

time server 121

customer support 198

D

date 118

daylight savings 119

DCS 58

DHCP 118

and domain name 118

diagnostics 165

Digital Signature Algorithm public-key algorithm, see DSA

disclaimer 204

documentation

related 2

domain name 118

DSA 106

DTLS 49

dual radios 13

dual-radio application 13

dynamic channel selection 58

E

e-mail

daily statistics report 142

encryption 15

RSA 109

ESSID 173

Extended Service Set IDentification 76

F

FCC interference statement 204

file extensions

configuration files 154

shell scripts 154

file manager 154

Firefox 19

firmware

and restart 160

boot module, see boot module

current version 32, 161

getting updated 160

uploading 160, 161

uploading with FTP 136

flash usage 32

FTP 16, 136

and certificates 137

with Transport Layer Security (TLS) 137

G

Guide

CLI Reference 2

Quick Start 2

H

HTTP

over SSL, see HTTPS

redirect to HTTPS 124

vs HTTPS 123

HTTPS 122

and certificates 122

authenticating clients 122

avoiding warning messages 126

example 124

vs HTTP 123

with Internet Explorer 124

with Netscape Navigator 125

HyperText Transfer Protocol over Secure Socket Layer, see HTTPS

|

IEEE 802.1x 77

installation 12

interface

status 33

interfaces

as DHCP servers 118

interference 13

Internet Explorer 19

Internet Protocol version 6, see IPv6

Internet telephony 12

IP Address 53

gateway IP address 53

IPv6 189

addressing 189

EUI-64 191

global address 190

interface ID 191

link-local address 189

Neighbor Discovery Protocol 189

ping 189

prefix 189

prefix length 189

stateless autoconfiguration 191

unspecified address 190

J

Java

permissions 19

JavaScript 19

K

key pairs 100

L

lastgood.conf 156, 159

layer-2 isolation 91

example 91

MAC 91

LEDs 17

Blinking 17

Flashing 17

Off 17

load balancing 58

log messages

categories 148, 150, 151, 152

debugging 45

regular 45

types of 45

logout

Web Configurator 21

logs

e-mail profiles 144

e-mailing log messages 47,147

formats 145

log consolidation 148

settings 144

syslog servers 144

system 144

types of 144

M

MAC address

range 32

maintenance 12

management 12

Management Information Base (MIB) 138

Management Mode

CAPWAP and DHCP 50

CAPWAP and IP Subnets 50

managed AP 49

standalone mode 49

management mode 12

managing the device

good habits 16

using FTP. See FTP.

MBSSID 12

memory usage 32, 34

message bar 27

messages

CLI 24

warning 27

mode 11

managed mode 12

standalone 12

mode change 12

model name 32

My Certificates, see also certificates 103

N

Netscape Navigator 19

network access control 11

Network Time Protocol (NTP) 120

O

objects

certificates 100

users, account

user 69

Online Certificate Status Protocol (OCSP) 116

vs CRL 116

operating mode 11

other documentation 2

overview 11

P

packet

statistics 38

physical ports

packet statistics 38

pop-up windows 19

power off 18

power on 18

product registration 206

Public-Key Infrastructure (PKI) 101

public-private key pairs 100

Q

Quick Start Guide 2

R

radio 13

reboot 18, 167

vs reset 167

Reference Guide, CLI 2

registration

product 206

related documentation 2

remote management

FTP, see FTP

Telnet 136

WWW, see WWW

reports

daily 142

daily e-mail 142

reset 175

vs reboot 167

vs shutdown 168

RESET button 18, 175

restart 167

RF interference 13

RFC

2510 (Certificate Management Protocol or CMP) 107

Rivest, Shamir and Adleman public-key algorithm (RSA) 106

root AP 11

RSA 106, 109, 115

RSSI threshold 81

S

SCEP (Simple Certificate Enrollment Protocol) 107

screen resolution 19

Secure Socket Layer, see SSL

serial number 32

service control

and users 122

limitations 122

timeouts 122

Service Set 76

Service Set Identifier see SSID

shell scripts 154

downloading 163

editing 162

how applied 155

managing 163

syntax 154

uploading 164

shutdown 18, 168

vs reset 168

Simple Certificate Enrollment Protocol (SCEP) 107

Simple Network Management Protocol, see SNMP

SNMP 137, 138

agents 138

Get 138

GetNext 138

Manager 138

managers 138

MIB 138

network components 138

Set 138

Trap 138

traps 139

versions 137

SSH 132

and certificates 134

client requirements 134

encryption methods 133

for secure Telnet 134

how connection is established 132

versions 133

with Linux 135

with Microsoft Windows 134

SSID 12

SSID profile

pre-configured 12

SSID profiles 12

SSL 122

starting the device 17

startup-config.conf 159

if errors 156

missing at restart 156

present at restart 156

startup-config-bad.conf 156

station 58

statistics

daily e-mail report 142

status 31

status bar 27

warning message popup 27

stopping the device 17

subnet mask 53

supported browsers 19

syslog 145, 150

syslog servers, see also logs

system log, see logs

system name 32, 118

system uptime 32

system-default.conf 159

T

Telnet 136

with SSH 134

time 118

time servers (default) 120

trademarks 204

Transport Layer Security (TLS) 137

troubleshooting 165

Trusted Certificates, see also certificates 111

U

upgrading

firmware 160

uploading

configuration files 159

firmware 160

shell scripts 162

usage

CPU 32, 34

flash 32

memory 32, 34

onboard flash 32

use 12

user authentication 69

user name

rules 70

user objects 69

users 69

access, see also access users

admin (type) 69

admin, see also admin users

and service control 122

currently logged in 32

default lease time 73, 75

default reauthentication time 73, 75

lease time 72

limited-admin (type) 69

lockout 74

reauthentication time 72

types of 69

user (type) 69

user names 70

V

Vantage Report (VRPT) 145, 150

Virtual Local Area Network 56

VLAN 56

introduction 56

VoIP 12

VRPT (Vantage Report) 145, 150

W

warm start 18

warning message popup 27

warranty 205

note 205

WDS 11, 15

Web Configurator 16, 19

access 19

requirements 19

supported browsers 19

web configurator 12

WEP (Wired Equivalent Privacy) 77

Wi-Fi Protected Access 77

wireless channel 173

wireless client 58

Wireless Distribution System (WDS) 15

wireless LAN 173

Wireless network

overview 57

wireless network

example 57

wireless profile 76

layer-2 isolation 76

MAC filtering 76

radio 76

security 76

SSID 76

wireless repeater 11

wireless security 12, 173

wireless station 58

WLAN interface 13

WPA 77

WPA2 77

WWW 123

and certificates 124

see also HTTP, HTTPS 123