ZyXEL Communications P320W 802.11g Wireless Firewall Router User Manual ZyBook


P-320W User’s Guide
Appendix C  Setting up Your Computer’s IP Address

Figure 119   Windows XP: Internet Protocol (TCP/IP) Properties

8   Click OK to close the Internet Protocol (TCP/IP) Properties window.
9   Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10  Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
11  Turn on your Prestige and restart your computer (if prompted).

Verifying Settings

1   Click Start, All Programs, Accessories and then Command Prompt.
2   In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.

Macintosh OS 8/9

1   Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.

Figure 120   Macintosh OS 8/9: Apple Menu

2   Select Ethernet built-in from the Connect via list.

Figure 121   Macintosh OS 8/9: TCP/IP

3   For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4   For statically assigned settings, do the following:
    • From the Configure box, select Manually.
    • Type your IP address in the IP Address box.
    • Type your subnet mask in the Subnet mask box.
    • Type the IP address of your Prestige in the Router address box.
5   Close the TCP/IP Control Panel.
6   Click Save if prompted, to save changes to your configuration.
7   Turn on your Prestige and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the TCP/IP Control Panel window.

Macintosh OS X

1   Click the Apple menu, and click System Preferences to open the System Preferences window.

Figure 122   Macintosh OS X: Apple Menu

2   Click Network in the icon bar.
    • Select Automatic from the Location list.
    • Select Built-in Ethernet from the Show list.
    • Click the TCP/IP tab.
3   For dynamically assigned settings, select Using DHCP from the Configure list.

Figure 123   Macintosh OS X: Network

4   For statically assigned settings, do the following:
    • From the Configure box, select Manually.
    • Type your IP address in the IP Address box.
    • Type your subnet mask in the Subnet mask box.
    • Type the IP address of your Prestige in the Router address box.
5   Click Apply Now and close the window.
6   Turn on your Prestige and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the Network window.

Linux

This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version.

Note: Make sure you are logged in as the root administrator.

Using the K Desktop Environment (KDE)

Follow the steps below to configure your computer IP address using the KDE.

1   Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.

Figure 124   Red Hat 9.0: KDE: Network Configuration: Devices

2   Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.

Figure 125   Red Hat 9.0: KDE: Ethernet Device: General

    • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
    • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
3   Click OK to save the changes and close the Ethernet Device General screen.
4   If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided.

Figure 126   Red Hat 9.0: KDE: Network Configuration: DNS

5   Click the Devices tab.
6   Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens.

Figure 127   Red Hat 9.0: KDE: Network Configuration: Activate

7   After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen.

Using Configuration Files

Follow the steps below to edit the network configuration files and set your computer IP address.

1   Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.
    • If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.

Figure 128   Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0

    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=dhcp
    USERCTL=no
    PEERDNS=yes
    TYPE=Ethernet

    • If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following figure shows an example where the static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0.

Figure 129   Red Hat 9.0: Static IP Address Setting in ifconfig-eth0

    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.1.10
    NETMASK=255.255.255.0
    USERCTL=no
    PEERDNS=yes
    TYPE=Ethernet

2   If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified.

Figure 130   Red Hat 9.0: DNS Settings in resolv.conf

    nameserver 172.23.5.1
    nameserver 172.23.5.2

3   After you edit and save the configuration files, you must restart the network card. Enter ./network restart in the /etc/rc.d/init.d directory. The following figure shows an example.

Figure 131   Red Hat 9.0: Restart Ethernet Card

    [root@localhost init.d]# network restart
    Shutting down interface eth0:                 [OK]
    Shutting down loopback interface:             [OK]
    Setting network parameters:                   [OK]
    Bringing up loopback interface:               [OK]
    Bringing up interface eth0:                   [OK]

Verifying Settings

Enter ifconfig in a terminal screen to check your TCP/IP properties.

Figure 132   Red Hat 9.0: Checking TCP/IP Properties

    [root@localhost]# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
              inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:717 errors:0 dropped:0 overruns:0 frame:0
              TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:730412 (713.2 Kb)  TX bytes:1570 (1.5 Kb)
              Interrupt:10 Base address:0x1000
    [root@localhost]#
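As an added illustration of the two configuration files above (editor-supplied example code, not from the guide or from Red Hat), the following Python reads the KEY=value format of the ifconfig-eth0 file and the nameserver lines of resolv.conf, then checks that the BOOTPROTO mode and the address fields are consistent before the card is restarted. The sample file contents are constructed to match Figures 129 and 130; the function names are the example's own.

```python
import ipaddress

# Constructed sample files, modelled on the ifconfig-eth0 and resolv.conf
# figures above (hypothetical values, not taken from a real machine).
SAMPLE_IFCFG_STATIC = """\
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.10
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
"""

SAMPLE_RESOLV_CONF = """\
nameserver 172.23.5.1
nameserver 172.23.5.2
"""


def parse_ifcfg(text):
    """Parse KEY=value lines of a Red Hat ifcfg-style file into a dict.

    Blank lines and '#' comments are skipped; any other line without '='
    is rejected rather than silently ignored.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def validate_ifcfg(cfg):
    """Return a list of problems found in a parsed ifcfg dict ([] = consistent)."""
    problems = []
    proto = cfg.get("BOOTPROTO")
    if proto == "dhcp":
        # A DHCP interface should not also carry a hard-coded address.
        for key in ("IPADDR", "NETMASK"):
            if key in cfg:
                problems.append(f"{key} set but BOOTPROTO=dhcp")
    elif proto == "static":
        for key in ("IPADDR", "NETMASK"):
            if key not in cfg:
                problems.append(f"BOOTPROTO=static but {key} missing")
        if not problems:
            try:
                # ipaddress accepts a dotted-decimal netmask after the slash.
                iface = ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
            except ValueError as exc:
                problems.append(f"bad IPADDR/NETMASK: {exc}")
            else:
                net = iface.network
                if iface.ip in (net.network_address, net.broadcast_address):
                    problems.append("IPADDR is the network or broadcast address")
    else:
        problems.append(f"unknown BOOTPROTO={proto!r}")
    return problems


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if parts[0] == "nameserver":
            if len(parts) != 2:
                raise ValueError(f"malformed nameserver line: {raw!r}")
            servers.append(str(ipaddress.ip_address(parts[1])))
    return servers


if __name__ == "__main__":
    cfg = parse_ifcfg(SAMPLE_IFCFG_STATIC)
    print("ifcfg problems:", validate_ifcfg(cfg) or "none")
    print("nameservers:", parse_resolv_conf(SAMPLE_RESOLV_CONF))
```

Running the validator before `network restart` catches the cases that otherwise only show up as a silently unreachable interface: a static entry with no NETMASK, a host address that is really the network or broadcast address, or a non-contiguous mask.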
APPENDIX D  PPPoE

PPPoE in Action

An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 133 on page 190). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.

Benefits of PPPoE

PPPoE offers the following benefits:
• It provides you with a familiar dial-up networking (DUN) user interface.
• It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users. For GSTN (PSTN and ISDN), the switching fabric is already in place.
• It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services.

Traditional Dial-up Scenario

The following diagram depicts a typical hardware configuration where the computers use traditional dial-up networking.

Figure 133   Single-Computer per Router Hardware Configuration

How PPPoE Works

The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.

With PPPoE, the VC (Virtual Circuit) is equivalent to the dial-up connection and is between the modem and the AC, as opposed to all the way to the ISP. However, the PPP negotiation is between the computer and the ISP.

ZyWALL as a PPPoE Client

When using the ZyWALL as a PPPoE client, the computers on the LAN see only Ethernet and are not aware of PPPoE. This relieves the administrator of having to manage the PPPoE clients on the individual computers.

Figure 134   ZyWALL as a PPPoE Client
APPENDIX E  PPTP

What is PPTP?

PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a computer to a broadband modem over Ethernet?

A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the computer and the modem over Ethernet. For the rest of the connection, the PPP frames are transported with PPP over AAL5 (RFC 2364). The PPP connection, however, is still between the computer and the ISP. The various connections in this setup are depicted in the following diagram. The drawback of this solution is that it requires one separate ATM VC per destination.

Figure 135   Transport PPP frames over Ethernet

PPTP and the ZyWALL

When the ZyWALL is deployed in such a setup, it appears as a computer to the ANT.

With the Windows VPN or PPTP Pass-Through feature, the PPTP tunnel is created from Windows 95, 98 and NT clients to an NT server in a remote location. The pass-through feature allows users on the network to access a different remote server using the ZyWALL's Internet connection. In SUA/NAT mode, the ZyWALL is able to pass the PPTP packets to the internal PPTP server (i.e. NT server) behind the NAT. You need to configure port forwarding for port 1723 to have the ZyWALL forward PPTP packets to the server. In the case above, the remote PPTP client initializes the PPTP connection, so the user must configure the PPTP clients. When the ZyWALL itself initializes the PPTP connection, there is no need to configure the remote PPTP clients.

PPTP Protocol Overview

PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel. The PAC is the box that dials/answers the phone calls and relays the PPP frames to the PNS. The PPTP user is not necessarily a PPP client (it can be a PPP server too). Both the PNS and the PAC must have IP connectivity; however, the PAC must in addition have dial-up capability. The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS.

Figure 136   PPTP Protocol Overview

Microsoft includes PPTP as a part of the Windows OS. In Microsoft’s implementation, the computer, and hence the ZyWALL, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364 server.

Control & PPP Connections

Each PPTP session has a distinct control connection and PPP data connection.

Call Connection

The control connection runs over TCP. Similar to L2TP, a tunnel control connection is first established before call control messages can be exchanged. Please note that a tunnel control connection supports multiple call sessions. The following diagram depicts the message exchange of a successful call setup between a computer and an ANT.

Figure 137   Example Message Exchange between Computer and an ANT

PPP Data Connection

The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
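To make the two connections concrete, here is an added Python example (editor-supplied, not from the guide or from any PPTP implementation) that parses the RFC 2637 control message header carried on TCP port 1723 and the enhanced GRE header that carries the PPP data connection, extracting the Call ID the text mentions. The sample packets are constructed, not captured. A defender verifying a pass-through setup can use such a parser to confirm that both halves of a session, the TCP 1723 control stream and the GRE (IP protocol 47) data stream, actually reach the internal server.

```python
import struct

PPTP_TCP_PORT = 1723            # control connection; this is the port forwarded above
PPTP_MAGIC_COOKIE = 0x1A2B3C4D  # RFC 2637 control message header
GRE_PROTO_PPP = 0x880B          # enhanced GRE (version 1) carrying PPP

CONTROL_MESSAGE_NAMES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}


def parse_pptp_control_header(data):
    """Parse the 12-byte header shared by all PPTP control messages.

    Layout: Length(2) PPTP Message Type(2) Magic Cookie(4)
            Control Message Type(2) Reserved0(2), all big-endian.
    """
    if len(data) < 12:
        raise ValueError("short PPTP control header")
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:12])
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError(f"bad magic cookie 0x{cookie:08X}")
    if msg_type != 1:
        raise ValueError(f"PPTP message type {msg_type} is not a control message")
    if length < 12 or length > len(data):
        raise ValueError(f"declared length {length} inconsistent with {len(data)} bytes")
    return {"length": length, "control_type": ctrl_type,
            "name": CONTROL_MESSAGE_NAMES.get(ctrl_type, "Unknown")}


def is_pptp_control(data):
    """True when the bytes carry a well-formed PPTP control header."""
    try:
        parse_pptp_control_header(data)
        return True
    except ValueError:
        return False


def parse_pptp_gre_header(data):
    """Parse the enhanced GRE header used for the PPP data connection.

    First 16 bits: C R K S s Recur(3) A Flags(4) Ver(3).  PPTP always sets
    K (Key present) and Ver = 1; the 32-bit Key holds the payload length
    (high 16 bits) and the Call ID (low 16 bits) that distinguishes calls.
    """
    if len(data) < 8:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    if (flags & 0x7) != 1 or proto != GRE_PROTO_PPP or not flags & 0x2000:
        raise ValueError("not an enhanced GRE (PPTP) header")
    has_seq, has_ack = bool(flags & 0x1000), bool(flags & 0x0080)
    need = 8 + (4 if has_seq else 0) + (4 if has_ack else 0)
    if len(data) < need:
        raise ValueError("GRE header truncated")
    payload_len, call_id = struct.unpack("!HH", data[4:8])
    offset, seq, ack = 8, None, None
    if has_seq:                                   # S bit: sequence number present
        (seq,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    if has_ack:                                   # A bit: acknowledgment number present
        (ack,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    payload = data[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("GRE payload truncated")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


# Constructed sample packets (not captures from a real device).
SAMPLE_SCCRQ = struct.pack("!HHIHH", 156, 1, PPTP_MAGIC_COOKIE, 1, 0) + b"\x00" * 144
SAMPLE_GRE = (struct.pack("!HH", 0x3081, GRE_PROTO_PPP)   # K, S and A set, version 1
              + struct.pack("!HH", 4, 0x1234)             # payload length 4, Call ID 0x1234
              + struct.pack("!II", 1, 0)                  # sequence 1, acknowledgment 0
              + b"\xff\x03\xc0\x21")                      # start of a PPP LCP frame

if __name__ == "__main__":
    print(parse_pptp_control_header(SAMPLE_SCCRQ))
    print(parse_pptp_gre_header(SAMPLE_GRE))
```

Forwarding TCP 1723 alone is not enough for a PPTP server behind NAT; the GRE packets parsed by the second function must reach it too, which is why a pass-through feature exists.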
APPENDIX F  Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless stations (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an Ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an Ad-hoc wireless LAN.

Figure 138   Peer-to-Peer Communication in an Ad-hoc Network

BSS

A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS is enabled, wireless stations A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless stations A and B can still access the wired network but cannot communicate with each other.

Figure 139   Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).

This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.

An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless stations within the same ESS must have the same ESSID in order to communicate.

Figure 140   Infrastructure WLAN

Channel

A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.

Adjacent channels partially overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11.

RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out of range of each other, so they cannot "hear" each other, that is, they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.

Figure 141   RTS/CTS

When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS threshold defines the biggest data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 and 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS value directly to the AP without the RTS/CTS handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS/CTS handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS/CTS handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.

Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.

Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.
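The interaction between the two thresholds is easier to see in code. The following Python is an added example (not from the guide; the function names are its own): it models which fragments a station sends for one data frame and whether an RTS/CTS handshake precedes them, and it flags the misconfiguration the text warns about, an RTS/CTS value above the Fragmentation Threshold, under which the handshake can never fire.

```python
RTS_RANGE = (0, 2432)     # RTS/CTS threshold range given in the text
FRAG_RANGE = (256, 2432)  # Fragmentation Threshold range given in the text


def check_thresholds(rts_threshold, frag_threshold):
    """Return configuration problems ([] means the two settings are consistent)."""
    problems = []
    if not RTS_RANGE[0] <= rts_threshold <= RTS_RANGE[1]:
        problems.append(f"RTS/CTS threshold {rts_threshold} outside {RTS_RANGE}")
    if not FRAG_RANGE[0] <= frag_threshold <= FRAG_RANGE[1]:
        problems.append(f"Fragmentation Threshold {frag_threshold} outside {FRAG_RANGE}")
    if rts_threshold > frag_threshold:
        problems.append("RTS/CTS threshold exceeds Fragmentation Threshold: "
                        "frames are fragmented before they reach RTS/CTS size, "
                        "so the handshake never occurs")
    return problems


def plan_frame(frame_len, rts_threshold, frag_threshold):
    """Model what a station does with one data frame of frame_len bytes.

    Returns the fragment sizes actually sent and whether an RTS/CTS
    handshake precedes the first fragment: a fragment that exceeds the
    RTS/CTS threshold triggers it, smaller fragments go straight to the AP.
    """
    if frame_len <= 0:
        raise ValueError("frame_len must be positive")
    fragments = []
    remaining = frame_len
    while remaining > 0:
        piece = min(remaining, frag_threshold)   # AP/station splits at the threshold
        fragments.append(piece)
        remaining -= piece
    return {"fragments": fragments, "rts_cts": fragments[0] > rts_threshold}


if __name__ == "__main__":
    # 2000-byte frame, RTS/CTS at 1800, fragmentation at 1500: the handshake
    # is skipped because no fragment is ever larger than 1800 bytes.
    print(plan_frame(2000, 1800, 1500))
    print(check_thresholds(2432, 1500))
```

Setting the RTS/CTS threshold to 0 forces the handshake for every frame, which is the "redundant network overhead" case from the note above; setting it to 2432 with the same Fragmentation Threshold effectively disables it.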
A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference.

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

A preamble is used to synchronize the transmission timing in your wireless network. There are two preamble modes: Long and Short.

Short preamble takes less time to process and minimizes overhead, so it should be used in a good wireless network environment when all wireless stations support it.

Select Long if you have a ‘noisy’ network or are unsure of what preamble mode your wireless stations support, as all IEEE 802.11b compliant wireless adapters must support long preamble. However, not all wireless adapters support short preamble. Use long preamble if you are unsure what preamble mode the wireless adapters support, to ensure interoperability between the AP and the wireless stations and to provide more reliable communication in ‘noisy’ networks.

Select Dynamic to have the AP automatically use short preamble when all wireless stations support it; otherwise the AP uses long preamble.

Note: The AP and the wireless stations MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rates and modulations are as follows:

Table 85   IEEE 802.11g

DATA RATE (MBPS)          MODULATION
1                         DBPSK (Differential Binary Phase Shift Keying)
2                         DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11                  CCK (Complementary Code Keying)
6/9/12/18/24/36/48/54     OFDM (Orthogonal Frequency Division Multiplexing)
IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:
• User based identification that allows for roaming.
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless stations.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:
• Authentication: determines the identity of the users.
• Authorization: determines the network services available to authenticated users once they are connected to the network.
• Accounting: keeps track of the client’s network activity.

RADIUS is a simple packet exchange in which your AP acts as a message relay between the wireless station and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:
• Access-Request: sent by an access point requesting authentication.
• Access-Reject: sent by a RADIUS server rejecting access.
• Access-Accept: sent by a RADIUS server allowing access.
• Access-Challenge: sent by a RADIUS server requesting more information in order to allow access. The access point obtains a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:
• Accounting-Request: sent by the access point requesting accounting.
• Accounting-Response: sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

EAP Authentication

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server or the AP. The following figure shows an overview of authentication when you specify a RADIUS server on your access point.

Figure 142   EAP Authentication

The details below provide a general description of how IEEE 802.1x EAP authentication works. For an example list of EAP-MD5 authentication steps, see the IEEE 802.1x appendix.
1   The wireless station sends a “start” message to the device.
2   The device sends a “request identity” message to the wireless station for identity information.
3   The wireless station replies with identity information, including username and password.
4   The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.

Types of Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless station. The wireless station ‘proves’ that it knows the password by encrypting the password with the challenge and sending back the result. The password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certificates are needed by both the server and the wireless stations for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Security)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentication to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
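Two of the mechanisms described above, the RADIUS shared secret (which never crosses the network but both hides the password attribute and authenticates the server's reply) and the EAP-MD5 challenge/response, are shown below as an added Python example (editor-supplied; not from the guide or from any RADIUS implementation). It follows RFC 2865 for User-Password hiding and the Response Authenticator, and RFC 1994/RFC 3748 for the MD5 response. The secret, request authenticator and credentials are constructed values, and demo_exchange is the example's own helper. Note that the server side must hold the plaintext password to check either form, which is the storage weakness the EAP-MD5 text points out.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RADIUS attribute types


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 bytes, then XOR
    each block with MD5(secret || previous block); the first 'previous block'
    is the 16-byte Request Authenticator.  The secret itself is never sent."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_user_password(hidden, secret, request_authenticator):
    """Server-side inverse of hide_user_password (trailing padding removed)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attributes(attrs):
    """Type(1) Length(1) Value TLVs; Length counts the two header bytes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def parse_attributes(body):
    attrs, offset = {}, 0
    while offset < len(body):
        atype, alen = struct.unpack("!BB", body[offset:offset + 2])
        if alen < 2 or offset + alen > len(body):
            raise ValueError("malformed attribute")
        attrs[atype] = body[offset + 2:offset + alen]
        offset += alen
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_authenticator, attrs, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 section 3."""
    body = encode_attributes(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_authenticator + body + secret).digest()


def verify_response(packet, request_authenticator, secret):
    """Client-side check that a reply came from a server holding the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def eap_md5_response(identifier, password, challenge):
    """EAP-MD5 (CHAP style): MD5(Identifier || password || challenge).
    Verifying it requires the server to hold the plaintext password."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def demo_exchange(secret, username, password, server_password, ident=7, request_authenticator=None):
    """One Access-Request from the AP and the server's Accept/Reject, checked both ways."""
    ra = request_authenticator or os.urandom(16)
    request = build_packet(ACCESS_REQUEST, ident, ra, [
        (USER_NAME, username),
        (USER_PASSWORD, hide_user_password(password, secret, ra)),
    ])
    # Server side: recover the password with the shared secret and decide.
    attrs = parse_attributes(request[20:])
    recovered = unhide_user_password(attrs[USER_PASSWORD], secret, ra)
    code = ACCESS_ACCEPT if hmac.compare_digest(recovered, server_password) else ACCESS_REJECT
    reply = build_packet(code, ident, response_authenticator(code, ident, ra, [], secret), [])
    # Client side: trust the verdict only if the Response Authenticator checks out.
    return code, verify_response(reply, ra, secret)
```

The verify_response check is what stops a third party from forging an Access-Accept toward the AP without the secret; the unhide step is why a weak or widely shared secret undermines the password hiding.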
PEAP (Protected EAP)

Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

WEP Encryption

WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key.

WEP Authentication Steps

Three different methods can be used to authenticate wireless stations to the network: Open System, Shared Key, and Auto. The following figure illustrates the steps involved.

Figure 143   WEP Authentication Steps

Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network. In effect, open system is not authentication at all, as any station can gain access to the network.

Shared key authentication involves a four-message procedure. A wireless station sends a shared key authentication request to the AP, which will then reply with a challenge text message. The wireless station must then use the AP’s default WEP key to encrypt the challenge text and return it to the AP, which attempts to decrypt the message using the AP’s default WEP key. If the decrypted message matches the challenge text, the wireless station is authenticated.

When your device authentication method is set to open system, it will only accept open system authentication requests. The same is true for shared key authentication. However, when it is set to auto authentication, the device will accept either type of authentication request, and the device will fall back to open authentication if the shared key does not match.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and store keys here, but they will not be used while Dynamic WEP is enabled.
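As an added example of the open system, shared key and auto behaviour just described (editor-supplied Python; not from the guide or from the device's firmware), the following code implements WEP's RC4 framing with the CRC-32 ICV and walks a station through the two- or four-message exchange of Figure 143. The keys and the challenge are constructed values, and run_authentication is the example's own name. The auto-mode branch reproduces the fallback the text describes, which is also why, in that mode, a station holding the wrong key is still admitted.

```python
import os
import zlib


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream); WEP seeds it with IV || key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """WEP frame body: IV(3) || RC4(IV || key, plaintext || CRC-32 ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; key must be 40- or 104-bit")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key, body):
    """Return the plaintext, or None when the ICV does not verify under this key."""
    iv, ciphertext = body[:3], body[3:]
    plain = rc4(iv + key, ciphertext)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


def run_authentication(ap_mode, ap_key, station_mode, station_key,
                       challenge=None, iv=b"\x01\x02\x03"):
    """Simulate Figure 143 for one station.  Returns (authenticated, message log)."""
    assert ap_mode in ("open", "shared", "auto") and station_mode in ("open", "shared")
    log = []
    if station_mode == "open":
        log.append("STA -> AP: authentication request, algorithm = open system")
        if ap_mode == "shared":
            log.append("AP -> STA: rejected (AP accepts shared key requests only)")
            return False, log
        log.append("AP -> STA: success (no credential was checked)")
        return True, log
    # Shared key: the four-message exchange.
    log.append("STA -> AP: authentication request, algorithm = shared key")
    if ap_mode == "open":
        log.append("AP -> STA: rejected (AP accepts open system requests only)")
        return False, log
    challenge = challenge or os.urandom(128)
    log.append("AP -> STA: 128-byte challenge text (sent in the clear)")
    body = wep_encrypt(station_key, iv, challenge)
    log.append("STA -> AP: challenge encrypted under the station's WEP key")
    if wep_decrypt(ap_key, body) == challenge:
        log.append("AP -> STA: success (decrypted challenge matches)")
        return True, log
    if ap_mode == "auto":
        log.append("AP -> STA: key mismatch, falling back to open system: success")
        return True, log
    log.append("AP -> STA: failure (decrypted challenge does not match)")
    return False, log


# Constructed 40-bit keys for the demonstration (not real network keys).
AP_KEY = b"\x01\x23\x45\x67\x89"
WRONG_KEY = b"\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for mode in ("open", "shared", "auto"):
        ok, log = run_authentication(mode, AP_KEY, "shared", WRONG_KEY)
        print(f"AP mode {mode:6s} wrong key ->", "admitted" if ok else "rejected")
        print("   " + "\n   ".join(log))
```

Running the demo makes the policy consequence visible: only an AP set to shared key actually turns a station with the wrong key away, which is the check to make when auditing a WEP-era device's authentication setting.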
P-320W User’s GuideAppendix F Wireless LANs 205Note: EAP-MD5 cannot be used with Dynamic WEP Key ExchangeFor added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.Table 86   Comparison of EAP Authentication TypesEAP-MD5 EAP-TLS EAP-TTLS PEAP LEAPMutual Authentication No Yes Yes Yes YesCertificate – Client No Yes Optional Optional NoCertificate – Server No Yes Yes Yes NoDynamic Key Exchange No Yes Yes Yes YesCredential Integrity None Strong Strong Strong ModerateDeployment Difficulty Easy Hard Moderate Moderate ModerateClient Identity Protection No No Yes Yes NoWPAUser Authentication WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless stations using an external RADIUS database. Encryption WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES), Message Integrity Check (MIC) and IEEE 802.1x. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless stations. This all happens in the background automatically.AES (Advanced Encryption Standard) also uses a secret key. 
This implementation of AES applies a 128-bit key to 128-bit blocks of data.
P-320W User’s Guide206  Appendix F Wireless LANsThe Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP makes it much more difficult to decrypt data on a Wi-Fi network than WEP, making it difficult for an intruder to break into the network. The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA-PSK susceptible to brute-force password-guessing attacks but it’s still an improvement over WEP as it employs an easier-to-use, consistent, single, alphanumeric password.Security Parameters SummaryRefer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type. MAC address filters are not dependent on how you configure these security features.Table 87   Wireless Security Relational Matrix AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOLENCRYPTION METHODENTER MANUAL KEY ENABLE IEEE 802.1X Open  None No  NoOpen WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP KeyYes Disable Shared WEP  No Enable with Dynamic WEP KeyYes Enable without Dynamic WEP KeyYes Disable WPA  WEP No YesWPA  TKIP No YesWPA-PSK  WEP Yes Yes WPA-PSK TKIP Yes YesRoamingA wireless station is a device with an IEEE 802.11 mode compliant wireless adapter. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless coverage area. 
A wireless station can associate with a particular access point only if it is within the access point’s coverage area.
In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.

The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from one coverage area to another, it scans and uses the channel of a new access point, which then informs the access points on the LAN about the change. The new information is then propagated to the other access points on the LAN. An example is shown in Figure 144.

If the roaming feature is not enabled on the access points, information is not communicated between the access points when a wireless station moves between coverage areas. The wireless station may not be able to communicate with other wireless stations on the network and vice versa.

Figure 144   Roaming Example

The steps below describe the roaming process.

1 As wireless station Y moves from the coverage area of access point P1 to that of access point P2, it scans and uses the signal of access point P2.
2 Access point P2 acknowledges the presence of wireless station Y and relays this information to access point P1 through the wired LAN.
3 Access point P1 updates the new position of wireless station Y.
4 Wireless station Y sends a request to access point P2 for re-authentication.
Requirements for Roaming

The following requirements must be met in order for wireless stations to roam between the coverage areas.

1 All the access points must be on the same subnet and configured with the same ESSID.
2 If IEEE 802.1x user authentication is enabled and is to be done locally on the access point, the new access point must have the user profile for the wireless station.
3 Adjacent access points should use different radio channels when their coverage areas overlap.
4 All access points must use the same port number to relay roaming information.
5 The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment.
APPENDIX G
Antenna Selection and Positioning Recommendation

An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.

Choosing the right antennas and positioning them properly increases the range and coverage area of a wireless LAN.

Antenna Characteristics

Frequency

An antenna in the frequency of 2.4GHz (IEEE 802.11b) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN.

Radiation Pattern

A radiation pattern is a diagram that allows you to visualize the shape of the antenna’s coverage area.

Antenna Gain

Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications. For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1 dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment.

Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides.
Types of Antennas For WLAN

There are two types of antennas used for wireless LAN applications.

• Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut), which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
• Directional antennas concentrate the RF signal in a beam, like a flashlight. The angle of the beam width determines the direction of the coverage pattern; it typically ranges from 20 degrees (less directional) to 90 degrees (very directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.

Positioning Antennas

In general, antennas should be mounted as high as practically possible and free of obstructions. In a point-to-point application, position both the transmitting and receiving antennas at the same height and in a direct line of sight to each other to attain the best performance.

For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible.

For directional antennas, point the antenna in the direction of the desired coverage area.
