NWA3000-N Series. Wireless N Business WLAN 3000 Series Access Point. Default Login Details.

Size: px

Start display at page:

Download "NWA3000-N Series. Wireless N Business WLAN 3000 Series Access Point. Default Login Details."

Elisabeth Williams
6 years ago
Views:

1 NWA3000-N Series Wireless N Business WLAN 3000 Series Access Point NWA3560-N: a/b/g/n Dual-Radio Business Access Point (Indoor) NWA3160-N: a/b/g/n Business Access Point (Indoor) NWA3550-N: a/b/g/n Dual-Radio Outdoor Business Access Point (Outdoor) Default Login Details I P Address https: / / User Nam e adm in Password 1234 Version 2.23 Edition 1, 7/ Copyright 2011 ZyXEL Communications Corporation

3 About This User's Guide About This User's Guide Intended Audience This m anual is intended for people who want to configure a device using the web configurator. You should have at least a basic knowledge of TCP/ I P networking concepts and topology. Related Documentation Quick Start Guide The Quick Start Guide is designed to help you get up and running right away. I t contains inform ation on setting up your network and configuring for I nternet access. Support Disc Refer to the included CD for support docum ents. ZyXEL Web Site Please refer to for additional support docum entation and product certifications. User Guide Feedback Help us help you. Send all User Guide-related com m ents, questions or suggestions for im provem ent to the following address, or use e-m ail instead. Thank you! The Technical Writing Team, ZyXEL Com m unications Corp. E- m ail: t echwrit ers@zyxel.com.t w NWA3000-N Series User s Guide 3

4 Document Conventions Document Conventions Warnings and Notes These are how warnings and notes are shown in this User s Guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other im portant inform ation (for exam ple, other things you m ay need to configure or helpful tips) or recom m endations. Syntax Conventions The product in this book m ay be referred to as the device, the device, the AP, or the system in this User s Guide. Product labels, screen nam es, field labels and field choices are all in bold font. A key stroke is denoted by square brackets and uppercase text, for exam ple, [ ENTER] m eans the enter or return key on your keyboard. Enter m eans for you to type one or m ore characters and then press the [ ENTER] key. Select or choose m eans for you to use one of the predefined choices. A right angle bracket ( > ) within a screen nam e denotes a m ouse click. For exam ple, Maintenance > Status > Show Stat istics m eans you first click Maint enance in the navigation panel, then the Status sub m enu and finally the Show St atist ics button to get to t hat screen. Units of m easurem ent m ay denote the m etric value or the scientific value. For exam ple, k for kilo m ay denote 1000 or 1024, M for m ega m ay denote or and so on. e.g., is a shorthand for for instance, and i.e., m eans that is or in other words. Screens reproduced here for dem onstration purposes m ay not exactly m atch the screens on your device. 4 NWA3000-N Series User s Guide

5 Document Conventions Icons Used in Figures Figures in this User s Guide m ay use the following generic icons. The device icon is not an exact represent at ion of your device. device Com puter Notebook com puter Server Printer Firewall Teleph on e Switch Rout er NWA3000-N Series User s Guide 5

6 Safety Warnings Safety Warnings Do NOT use this product near water, for exam ple,in a wet basem ent or near a swim m ing pool. Do NOT expose your device to dam pness, dust or corrosive liquids. Do NOT store things on the device. Do NOT install, use, or service thisdevice during a thunderstorm. There is a rem ote risk of electric shock from lightning. Connect ONLY suitable accessories to the device. ONLY qualified service personnel shouldservice or disassem ble this device. Make sure to connect the cables to the correct ports. Place connecting cables carefully so that no one will step on them or stum ble over them. Always disconnect all cables from this device before servicing or disassem bling. Use ONLY an appropriate power adaptor or cord for your device. Connect the power adaptor or cord to the right supply voltage (for exam ple, 110V AC in North Am erica or 230V AC in Europe). Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord. Do NOT use the device if the power adaptor or cord is dam aged as it m ight cause electrocution. I f the power adaptor or cord is dam aged, rem ove it from the power outlet. Do NOT attem pt to repair the power adaptor or cord. Contact your local vendor to order a new one. Do not use the device outside, and m ake sure all the connections are indoors. There is a rem ote risk of electric shock from lightning. Not to rem ove the plug and plug into a wall outlet by itself; always attach the plug to the power supply first before insert into the wall. ( I n ot her words, do NOT rem ove t he plug and connect it t o a power out let by it self; always at t ach t he plug t o the power adaptor first before connecting it to a power outlet.) Antenna Warning! This device meets ETSI and FCC certification requirem ents when using the included antenna(s). Only use the included antenna(s). I f you wall m ount your device, m ake sure that no electrical lines, gas or water pipes will be dam aged. The PoE (Power over Ethernet) devices that supply or receive power and their connected Ethernet cables m ust all be com pletely indoors. The indoors versions of this product are for indoor use only (utilisation intérieure exclusivem ent). This product is recyclable. Dispose of it properly. 6 NWA3000-N Series User s Guide

7 Contents Overview Contents Overview User s Guide Introduction...19 The Web Configurator...27 Configuration Basics...43 Tutorials...49 Technical Reference Dashboard...69 Monitor...75 Management Mode...93 LAN Setting...97 Wireless Device HA User AP Profile MON Profile Certificates System Log and Report File Manager Diagnostics Reboot Shutdown Troubleshooting Product Specifications NWA3000-N Series User s Guide 7

8 Contents Overview 8 NWA3000-N Series User s Guide

9 Table of Contents Table of Contents About This User's Guide... 3 Document Conventions...4 Safety Warnings... 6 Contents Overview... 7 Table of Contents... 9 Part I: User s Guide...17 Chapter 1 Introduction Overview Applications for the device AP + Bridge MBSSID Management Mode Ways to Manage the device Good Habits for Managing the device Hardware Connections LEDs Starting and Stopping the device...26 Chapter 2 The Web Configurator Overview Access The Main Screen Title Bar Navigation Panel Warning Messages Site Map Object Reference Tables and Lists...39 Chapter 3 Configuration Basics NWA3000-N Series User s Guide 9

10 Table of Contents 3.1 Overview Object-based Configuration Feature Configuration Overview Feature MGNT Mode LAN Setting Wireless Device HA Objects User AP Profile MON Profile System WWW, SSH, TELNET, FTP, SNMP, and Auth. Server Logs and Reports File Manager Diagnostics Shutdown...47 Chapter 4 Tutorials Sample Network Setup Set the Management Modes Set the LAN IP Address and Management VLAN (vlan99) Set Up Wireless User Authentication Create the AP Profiles (staff, guest) Rogue AP Detection Rogue AP Containment Load Balancing Dynamic Channel Selection...64 Part II: Technical Reference...67 Chapter 5 Dashboard Overview What You Can Do in this Chapter Dashboard CPU Usage Memory Usage NWA3000-N Series User s Guide

11 Table of Contents Chapter 6 Monitor Overview What You Can Do in this Chapter What You Need to Know LAN Status LAN Status Graph AP List Station Count of AP Radio List AP Mode Radio Information Station List Rogue AP Legacy Device Info Legacy Device Info Add or Edit View Log View AP Log...90 Chapter 7 Management Mode Overview About CAPWAP CAPWAP Discovery and Management Managed AP Finds the Controller CAPWAP and IP Subnets Notes on CAPWAP The Management Mode Screen...95 Chapter 8 LAN Setting LAN Setting Overview What You Can Do in this Chapter What You Need to Know LAN Setting Add or Edit a DNS Setting Chapter 9 Wireless Overview What You Can Do in this Chapter What You Need to Know Controller AP Management NWA3000-N Series User s Guide 11

12 Table of Contents Edit AP List MON Mode Add/Edit Rogue/Friendly List Load Balancing Disassociating and Delaying Connections DCS Technical Reference Chapter 10 Device HA Overview What You Can Do in this Chapter What You Need to Know Before You Begin Device HA General Active-Passive Mode Edit Monitored Interface Technical Reference Chapter 11 User Overview What You Can Do in this Chapter What You Need To Know User Summary Add/Edit User Setting Edit User Authentication Timeout Settings Chapter 12 AP Profile Overview What You Can Do in this Chapter What You Need To Know Radio Add/Edit Radio Profile SSID SSID List Security List MAC Filter List Chapter 13 MON Profile NWA3000-N Series User s Guide

13 Table of Contents 13.1 Overview What You Can Do in this Chapter What You Need To Know MON Profile Add/Edit MON Profile Technical Reference Chapter 14 Certificates Overview What You Can Do in this Chapter What You Need to Know Verifying a Certificate My Certificates Add My Certificates Edit My Certificates Import Certificates Trusted Certificates Edit Trusted Certificates Import Trusted Certificates Technical Reference Chapter 15 System Overview What You Can Do in this Chapter Host Name Date and Time Pre-defined NTP Time Servers List Time Server Synchronization Console Speed WWW Overview Service Access Limitations System Timeout HTTPS Configuring WWW Service Control HTTPS Example SSH How SSH Works SSH Implementation on the device Requirements for Using SSH Configuring SSH Examples of Secure Telnet Using SSH NWA3000-N Series User s Guide 13

14 Table of Contents 15.7 Telnet FTP SNMP Supported MIBs SNMP Traps Configuring SNMP Adding or Editing an SNMPv3 User Profile Internal RADIUS Server Configuring the Internal RADIUS Server Adding or Editing a Trusted AP Profile Technical Reference Chapter 16 Log and Report Overview What You Can Do In this Chapter Daily Report Log Setting Log Setting Summary Edit Log Settings Edit Remote Server Active Log Summary Chapter 17 File Manager Overview What You Can Do in this Chapter What you Need to Know Configuration File Firmware Package Shell Script Chapter 18 Diagnostics Overview What You Can Do in this Chapter Diagnostics Packet Capture Packet Capture Files Example of Viewing a Packet Capture File Wireless Frame Capture Wireless Frame Capture Files NWA3000-N Series User s Guide

15 Table of Contents Chapter 19 Reboot Overview What You Need To Know Reboot Chapter 20 Shutdown Overview What You Need To Know Shutdown Chapter 21 Troubleshooting Overview Power, Hardware Connections, and LEDs device Access and Login Internet Access Wireless AP Troubleshooting Resetting the device Getting More Troubleshooting Help Chapter 22 Product Specifications Wall-Mounting Instructions Appendix A Log Descriptions Appendix B Importing Certificates Appendix C Wireless LANs Appendix D Open Software Announcements Appendix E Legal Information Index NWA3000-N Series User s Guide 15

16 Table of Contents 16 NWA3000-N Series User s Guide

17 PART I User s Guide 17

18 18

19 CHAPTER 1 Introduction 1.1 Overview Your device s business-class reliability, SMB features, and centralized wireless m anagem ent m ake it ideally suited for advanced service delivery in m ission-critical networks. The device provides secure m obility across the 2.4GHz and 5GHz spectrum s and the I EEE n standard s high bandwidth to support high-perform ance applications. I t uses Multiple BSSI D and VLAN to provide up to eight sim ultaneous independent virtual APs. Additionally, innovations in roam ing technology and QoS features elim inate voice call disruptions. I t can serve as an AP, Bridge or even as an RF m onitor to search for rouge APs to help elim inate network threats. The device controls network access with Media Access Control (MAC) address filtering, rogue Access Point (AP) detection and containm ent, and an internal authentication server. I t also provides a high level of network traffic security, supporting I EEE 802.1x, Wi-Fi Protected Access (WPA), WPA2 and Wired Equivalent Privacy ( WEP) dat a encrypt ion. A device can m anage up to 24 other devices on your network. Configuration profiles let you easily use different WLAN and security settings for various virtual and m anaged APs. Your device is easy to install, configure and use. The em bedded Web-based configurator enables sim ple, straightforward m anagem ent and m aintenance. See the Quick Start Guide for how to m ake hardware connect ions. NWA3000-N Series User s Guide 19

20 Chapter 1 Introduction 1.2 Applications for the device The device can be configured to use the following operating m odes AP + Bridge MBSSID Applications for each operating m ode are shown below. Note: A different channel should be configured for each WLAN interface to reduce the effects of radio interference AP + Bridge I n AP + Bridge m ode, the device supports both AP and bridge connection at the sam e tim e. I n the figure below, A and B use X as an AP to access the wired network, while X and Y com m unicate in bridge m ode. When the device is in AP + Bridge m ode, security between APs (WDS) is independent of the security between the wireless stations and the AP. I f you do not enable WDS security, traffic between APs is not encrypted. When WDS security is enabled, both APs m ust use the sam e preshared key. 20 NWA3000-N Series User s Guide

Chapter 1 Introduction Unless specified, the term security settings refers to the traffic between the wireless stations and the device. Figure 1 AP + Bridge Application X Y A B 1.2.

21 Chapter 1 Introduction Unless specified, the term security settings refers to the traffic between the wireless stations and the device. Figure 1 AP + Bridge Application X Y A B MBSSID A Basic Service Set (BSS) is the set of devices form ing a single wireless network (usually an access point and one or m ore wireless clients). The Service Set I Dentifier (SSI D) is the nam e of a BSS. I n Multiple BSS (MBSSI D) m ode, the device provides m ultiple virtual APs, each form ing its own BSS and using its own individual SSI D profile. You can assign different wireless and security settings to each SSI D profile. This allows you to com partm entalize groups of users, set varying access privileges, and prioritize network traffic to and from certain BSSs. To the wireless clients in the network, each SSI D appears to be a different access point. As in any wireless network, clients can associate only with the SSI Ds for which they have the correct security settings. See Section 4.1 on page 49 for an exam ple of using MBSS. NWA3000-N Series User s Guide 21

22 Chapter 1 Introduction 1.3 Management Mode One device uses Control And Provisioning of Wireless Access Points (CAPWAP, see RFC 5415) to allow one AP to configure and m anage up to 24 others. This centralized m anagem ent can greatly reduce the effort of setting up and m aintaining m ultiple devices. An device in this group (ZLD-based m odels) can m anage other APs in this group 1. NWA3160- N NWA3550- N NWA3560- N I t can also use legacy device inform ation hyper-links to connect to the Web Configurators of the following ZyNOS- based NWA series APs: NWA NWA NWA NWA NWA The following figure illustrates a CAPWAP wireless network. The user (U) configures the controller AP (C), which then autom atically updates the configurations of the m anaged APs (M1 ~ M4 ). Figure 2 CAPWAP Network Exam ple U C M1 M2 M3 M4 1.4 Ways to Manage the device You can use the following ways to m anage the device. 1. Not all of these models were available at the time of writing. 22 NWA3000-N Series User s Guide

23 Chapter 1 Introduction Web Configurator The Web Configurator allows easy device setup and m anagem ent using an I nternet browser. This User s Guide provides inform ation about t he Web Configurat or. Command-Line Interface (CLI) The CLI allows you to use text-based com m ands to configure the device. You can access it using rem ote m anagem ent (for exam ple, SSH or Telnet) or via the console port. See the Com m and Reference Guide for m ore inform ation. Console Port You can use the console port to m anage the device using CLI com m ands. See the Com m and Reference Guide for m ore inform ation about the CLI. The default settings for the console port are as follows. Table 1 Console Port Default Set t ings SETTING Speed Data Bits 8 Parity Stop Bit 1 Flow Control VALUE bps None Off File Transfer Protocol (FTP) This protocol can be used for firm ware upgrades and configuration backup and restore. Simple Network Management Protocol (SNMP) The device can be m onitored by an SNMP m anager. See the SNMP chapter in this User s Guide. Controller Set one device to be a controller and set other devices to be m anaged by it. 1.5 Good Habits for Managing the device Do the following things regularly to m ake the device m ore secure and to m anage it m ore effect ively. Change the password often. Use a password that snot easy to guess and that consists of different types of characters, such as num bers and letters. Write down the password and put it in a safe place. NWA3000-N Series User s Guide 23

24 Chapter 1 Introduction Back up the configuration (and m ake sure you know how to restore it). Restoring an earlier working configuration m ay be useful if the device becom es unstable or even crashes. I f you forget your password, you will have to reset the device to its factory default settings. I f you backed up an earlier configuration file, you won t have to totally re-configure the device; you can sim ply restore your last configuration. 1.6 Hardware Connections See your Quick Start Guide for inform ation on m aking hardware connections. 24 NWA3000-N Series User s Guide

25 Chapter 1 Introduction 1.7 LEDs The following are the LED descriptions for your device. Figure 3 LEDs Table 2 LEDs LABEL COLOR STATUS DESCRIPTION WLAN Green On The wireless LAN is active. Off Blinking The wireless LAN is active, and transm itting or receiving data. The wireless LAN is not active. ETHERNET Green On The device has a 10/ 100 Mbps Ethernet connection. Blinking The device has a 10/ 100 Mbps Ethernet connection and is sending or receiving data. Yellow On The device has a 1000 Mbps Ethernet connection. Blinking Off The device has a 1000 Mbps Ethernet connection and is sending/ receiving data. The device does not have an Ethernet connection. NWA3000-N Series User s Guide 25

26 Chapter 1 Introduction Table 2 LEDs ( cont inued) LABEL COLOR STATUS DESCRIPTION POWER/ SYS Green On The device is receiving power and functioning properly. Off Red Blinking Either The device is not receiving power. I f the LED blinks during the boot up process, the system is starting up. or I f the LED blinks after the boot up process, the system has failed. Off The device successfully boots up. 1.8 Starting and Stopping the device Here are som e of the ways to start and stop the device. Always use Maintenance > Shutdown or the shutdown command before you turn off the device or remove the power. Not doing so can cause the firmware to become corrupt. Table 3 Starting and Stopping the device METHOD Turning on the power Rebooting the device Using the RESET button Clicking Maintenance > Shutdow n > Shutdow n or using the shutdown com m and Disconnecting the power DESCRIPTION A cold start occurs when you turn on the power to the device. The device powers up, checks the hardware, and starts the system processes. A warm start (without powering down and powering up again) occurs when you use the Reboot button in the Reboot screen or when you use the reboot com m and. The device writes all cached data to the local storage, stops the system processes, and then does a warm start. I f you press the RESET button, the device sets the configuration to its default values and then reboots. Clicking Maintenance > Shut dow n > Shutdow n or using the shutdown com m and writes all cached data to the local storage and stops the system processes. Wait for the device to shut down and then m anually turn off or rem ove the power. I t does not turn off the power. Power off occurs when you turn off the power to the device. The device sim ply turns off. I t does not stop the system processes or write cached data to local storage. The device does not stop or start the system processes when you apply configuration files or run shell scripts although you m ay tem porarily lose access to network resources. 26 NWA3000-N Series User s Guide

CHAPTER 2 The Web Configurator 2.1 Overview The device Web Configurator allows easy m anagem ent using an I nternet browser. I n order to use the Web Configurator, you m ust: Use I nternet Explorer 7.

27 CHAPTER 2 The Web Configurator 2.1 Overview The device Web Configurator allows easy m anagem ent using an I nternet browser. I n order to use the Web Configurator, you m ust: Use I nternet Explorer 7.0 and later or Firefox 1.5and later Allow pop- up windows Enable JavaScript ( enabled by default) Enable Java perm issions (enabled by default) Enable cookies The recom m ended screen resolution is 1024 x 768 pixels and higher. 2.2 Access 1 Make sure your device hardware is properly connected. See the Quick Start Guide. 2 Browse to https: / / The Login screen appears. 3 Enter the user nam e (default: adm in ) and password (default: 1234 ). NWA3000-N Series User s Guide 27

Chapter 2 The Web Configurator 4 Click Login. I f you logged in using the default user nam e and password, the Update Adm in I nfo screen appears. Otherwise, the dashboard appears.

28 Chapter 2 The Web Configurator 4 Click Login. I f you logged in using the default user nam e and password, the Update Adm in I nfo screen appears. Otherwise, the dashboard appears. This screen appears every tim e you log in using the default user nam e and default password. I f you change the password for the default user account, this screen does not appear anym ore. 28 NWA3000-N Series User s Guide

29 Chapter 2 The Web Configurator 2.3 The Main Screen The Web Configurator s m ain screen is divided into these parts: Figure 4 The Web Configurator s Main Screen A B C A - Title Bar Title Bar B - Navigation Panel C - Main Window The title bar provides som e useful links that always appear over the screens below, regardless of how deep into the Web Configurator you navigate. Figure 5 Title Bar NWA3000-N Series User s Guide 29

30 Chapter 2 The Web Configurator The icons provide t he following funct ions. Table 4 Title Bar: Web Configurator I cons LABEL Logout Help About Site Map Object Reference Console CLI DESCRIPTION Click this to log out of the Web Configurator. Click this to open the help page for the current screen. Click this to display basic inform ation about the device. Click this to see an overview of links to the Web Configurator screens. Click this to open a screen where you can check which configuration item s reference an object. Click this to open the console in which you can use the com m and line interface (CLI ). See the device CLI Reference Guide for details. Click this to open a popup window that displays the CLI com m ands sent by the Web Configurator Navigation Panel Use the m enu item s on the navigation panel to open screens to configure device features. Click the arrow in the m iddle of the right edge of the navigation panel to hide the navigation panel m enus or drag it to resize them. The following sections introduce the device s navigation panel m enus and t heir screens. Figure 6 Navigation Panel Dashboard The dashboard displays general device inform ation, system status, system resource usage, and interface status in widgets that you can re-arrange to suit your needs. For details on the Dashboard s features, see Chapter 5 on page NWA3000-N Series User s Guide

31 Chapter 2 The Web Configurator Monitor Menu The m onitor m enu screens display status and statistics inform ation. Table 5 Monitor Menu Screens Sum m ary FOLDER OR LINK TAB FUNCTION LAN Status Wireless Configuration Menu Displays general LAN interface inform ation and packet statistics. AP I nfo Radio List Displays inform ation about the radios of the connected APs. Station I nfo Rogue AP Legacy Device I nfo AP List Displays which APs are currently connected to the device. This is available when the device is in controller m ode. Displays inform ation about the connected stations. Displays inform ation about suspected rogue APs. Use these screens to connect to legacy device 3000 APs. This is available when the device is in controller m ode. Log View Log Displays log entries for the device. View AP Log Use the configuration m enu screens to configure the device s features. Table 6 Configuration Menu Screens Sum m ary FOLDER OR LINK TAB FUNCTION MGNT Mode LAN Setting Wireless Controller AP Managem ent MON Mode Load Balancing DCS Displays logs for connected APs. Set whether the device is controlling other devices, working as a standalone AP, or being m anaged by another device. Manage the LAN Ethernet interface including VLAN settings. Configure how the device handles APs that newly connect to the network. This is available when the device is in controller m ode. Edit wireless AP inform ation, rem ove APs, and reboot them. Configure how the device m onitors for rogue APs. Configure load balancing for traffic m oving to and from wireless clients. Configure dynam ic wireless channel selection. Device HA General Configure device HA global settings, and see the status of each interface m onitored by device HA. Device HA is available when the device is in controller m ode. Object Active-Passive Mode Configure active- passive m ode device HA. Users User Create and m anage users. Setting Manage default settings for all users, general settings for user sessions, and rules to force user authentication. NWA3000-N Series User s Guide 31

32 Chapter 2 The Web Configurator Table 6 Configurat ion Menu Screens Sum m ary ( cont inued) FOLDER OR LINK TAB FUNCTION AP Profile Radio Create and m anage wireless radio settings files that can be associated with different APs. MON Profile Maintenance Menu SSI D Create and m anage wireless SSI D, security, and MAC filtering settings files that can be associated with different APs. Create and m anage rogue AP m onitoring files that can be associated with different APs. Certificate My Certificates Create and m anage the device s certificates. System Host Nam e Date/ Tim e Console Speed WWW SSH TELNET FTP SNMP Auth. Server Log & Report Em ail Daily Report Log Setting Trusted Certificates I m port and m anage certificates from trusted sources. Configure the system and dom ain nam e for the device. Configure the current date, tim e, and tim e zone in the device. Set the console speed. Configure HTTP, HTTPS, and general authentication. Configure SSH server and SSH service settings. Configure telnet server settings for the device. Configure FTP server settings. Configure SNMP com m unities and services. Configure settings for the device s built-in authentication server. Configure where and how to send daily reports and what reports to send. Configure the system log, e-m ail logs, and rem ote syslog servers. Use the m aintenance m enu screens to m anage configuration and firm ware files, run diagnostics, and reboot or shut down the device. Table 7 Maintenance Menu Screens Sum m ary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the device. Firm ware Package Shell Script View the current firm ware version and to upload firm ware. Manage and run shell script files for the device. Diagnostics Diagnostic Collect diagnostic inform ation. Reboot Shutdown Packet Capture Wireless Fram e Capture Capture packets for analysis. Capture wireless fram es from APs for analysis. Restart the device. Turn off the device. 32 NWA3000-N Series User s Guide

33 Chapter 2 The Web Configurator Warning Messages Warning m essages, such as those resulting from m isconfiguration, display in a popup window. Figure 7 Warning Message Site Map Click Sit e MAP to see an overview of links to the Web Configurator screens. Click a screen s link to go to that screen. Figure 8 Site Map Object Reference Click Object Reference to open the Obj ect Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object. The NWA3000-N Series User s Guide 33

Chapter 2 The Web Configurator following exam ple shows which configuration settings reference the ldap-users user object (in this case the first firewall rule).

34 Chapter 2 The Web Configurator following exam ple shows which configuration settings reference the ldap-users user object (in this case the first firewall rule). Figure 9 Obj ect Reference The fields vary with the type of object. The following table describes labels that can appear in this screen. Table 8 Obj ect References LABEL Object Nam e DESCRIPTION This identifies the object for which the configuration settings that use it are displayed. Click the object s nam e to display the object s configuration screen in the m ain window. # This field is a sequential value, and it is not associated with any entry. Service Priority Nam e Description Refresh Cancel This is the type of setting that references the selected object. Click a service s nam e to display the service s configuration screen in the m ain window. I f it is applicable, this field lists the referencing configuration item s position in its list, otherwise N / A displays. This field identifies the configuration item that references the object. I f the referencing configuration item has a description configured, it displays here. Click this to update the inform ation in this screen. Click Cancel to close the screen. 34 NWA3000-N Series User s Guide

35 Chapter 2 The Web Configurator CLI Messages Click CLI to look at the CLI com m ands sent by the Web Configurator. These com m ands appear in a popup window, such as t he following. Figure 10 CLI Messages Console Click Clear to rem ove the currently displayed inform ation. Note: See the Com m and Reference Guide for inform ation about the com m ands. The Console allows you to use CLI com m ands from directly within the Web Configurator rather than having to use a separate term inal program. I n addition to logging in directly to the device s CLI, you can also log into other devices on the network through this Console. I t uses SSH to establish a connect ion. NWA3000-N Series User s Guide 35

36 Chapter 2 The Web Configurator Note: To view the functions in the Web Configurator user interface that correspond directly to specific device CLI com m ands, use the CLI Messages window (see Section on page 35) in tandem with this one. Figure 11 Console The following table describes the elem ents in this screen. Table 9 Console LABEL Com m and Line DESCRIPTION Enter com m ands for the device that you are currently logged into here. I f you are logged into the device, see the CLI Reference Guide for details on using the com m and line to configure it. Device I P Address This is the I P address of the device that you are currently logged into. Logged-I n User This displays the usernam e of the account currently logged into the device through the Console Window. Note: You can log into the Web Configurator with a different account than used to log into the device through the Console. 36 NWA3000-N Series User s Guide

Chapter 2 The Web Configurator Table 9 Console ( cont inued) LABEL Connection Status DESCRIPTION Tx/ RX Activity Monitor This displays the connection status of the account currently logged in.

37 Chapter 2 The Web Configurator Table 9 Console ( cont inued) LABEL Connection Status DESCRIPTION Tx/ RX Activity Monitor This displays the connection status of the account currently logged in. I f you are logged in and connected, then this displays Connected. I f you lose the connection, get disconnected, or logout, then this displays Not Connected. Before you use the Console, ensure that: Your web browser of choice allows pop-up windows from the I P address assigned to your device. Your web browser allows Java program s. You are using the latest version of the Java program (http: / / ). To login in through the Console: This displays the current upload / download activity. The faster and m ore frequently an LED flashes, the faster the data connection. 1 Click the Console button on the Web Configurator title bar. 2 Enter the I P address of the device and click OK. NWA3000-N Series User s Guide 37

38 Chapter 2 The Web Configurator 3 Next, enter the User Nam e of the account being used to log into your target device and then click OK. 4 You m ay be prom pted to authenticate your account password, depending on the type of device that you are logging into. Enter the password and click OK. 5 I f your login is successful, the com m and line appears and the status bar at the bottom of the Console updates to reflect your connection state. 38 NWA3000-N Series User s Guide

Chapter 2 The Web Configurator 2.3.6 Tables and Lists The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries. 2.3.6.1 Manipulating Table Display Here are som e of the ways you can m anipulate the Web Configurator tables.

The options available vary depending on the type of fields in the colum n.

39 Chapter 2 The Web Configurator Tables and Lists The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries Manipulating Table Display Here are som e of the ways you can m anipulate the Web Configurator tables. 1 Click a colum n heading to sort the table s entries according to that colum n s criteria. 2 Click the down arrow next to a colum n heading for m ore options about how to display the entries. The options available vary depending on the type of fields in the colum n. Here are som e exam ples of what you can do: Sort in ascending alphabet ical order Sort in descending ( reverse) alphabet ical order Select which colum ns to display Group entries by field Show entries in groups Filter by m athem atical operators (<, >, or = ) or searching for text. NWA3000-N Series User s Guide 39

Chapter 2 The Web Configurator 3 Select a colum n heading cell s right border and drag to re-size the colum n.

A green check m ark displays next to the colum n s title when you drag the colum n to a valid new location.

40 Chapter 2 The Web Configurator 3 Select a colum n heading cell s right border and drag to re-size the colum n. 4 Select a colum n heading and drag and drop it to change the colum n order. A green check m ark displays next to the colum n s title when you drag the colum n to a valid new location. 5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how m any entries display at a tim e Working with Table Entries The tables have icons for working with table entries. A sam ple is shown next. You can often use the [ Shift] or [ Ctrl] key to select m ultiple entries to rem ove, activate, or deactivate. 40 NWA3000-N Series User s Guide

41 Chapter 2 The Web Configurator Table 10 Com m on Table I cons Here are descriptions for the m ost com m on table icons. Table 11 Com m on Table I cons LABEL Add Edit Rem ove Activate I nactivate Object Reference Move Working with Lists DESCRIPTION When a list of available entries displays next to a list of selected entries, you can often just doubleclick an entry to m ove it from one list to the other. I n som e lists you can also use the [ Shift] or [ Ctrl] key to select m ultiple entries, and then use the arrow button to m ove them to the other list. Figure 12 Working with Lists Click this to create a new entry. For features where the entry s position in the num bered list is im portant (features where the device applies the table s entries in order like the firewall for exam ple), you can select an entry and click Add to create a new entry after the selected entry. Double-click an entry or select it and click Edit to open a screen where you can m odify the entry s settings. I n som e tables you can just click a table entry and edit it directly in the table. For those types of tables sm all red triangles display for table entries with changes that you have not yet applied. To rem ove an entry, select it and click Rem ove. The device confirm s you want to rem ove it before doing so. To turn on an entry, select it and click Activate. To turn off an entry, select it and click I nactivate. Select an entry and click Object Reference to open a screen that shows which settings use the entry. To change an entry s position in a num bered list, select it and click Move to display a field to type a num ber for where you want to put that entry and press [ ENTER] to m ove the entry to the num ber that you typed. For exam ple, if you type 6, the entry you are m oving becom es num ber 6 and the previous entry 6 ( if there is one) gets pushed up (or down) one. NWA3000-N Series User s Guide 41

42 Chapter 2 The Web Configurator 42 NWA3000-N Series User s Guide

43 CHAPTER 3 Configuration Basics 3.1 Overview This section provides inform ation to help you configure the device effectively. Som e of it is helpful when you are just getting started. Som e of it is provided for your reference when you configure various features in the device. 3.2 Object-based Configuration The device stores inform ation or settings as objects. You use these objects to configure m any of the device s features and settings. Once you configure an object, you can reuse it in configuring other features. When you change an object s settings, the device autom atically updates all the settings or rules that use the object. For exam ple, if you create a local certificate object, you can have HTTPS, FTP, SSH, and other settings use it. I f you m odify the local certificate object, all the HTTPS, FTP, SSH, and other settings that are linked to that object autom atically apply the updated settings. You can use the Configuration > Objects screens to create objects before you configure features that use them. I f you are in a screen that uses objects, you can also usually select Create new Object to be able to configure a new object. Use the Obj ect Reference screen to see what objects are configured and which configuration settings reference specific objects. 3.3 Feature Configuration Overview This section provides inform ation about configuring the m ain features in the device. The features are listed in the sam e sequence as the m enu item (s) in the Web Configurator. Each feature descript ion is organized as shown below Feature This provides a brief description. See the appropriate chapter(s) in this User s Guide for m ore inform ation about any feature. MENU ITEM(S) This shows you the sequence of m enu item s and tabs you should click to find the m ain screen(s) for this feature. See the web help or the related User s Guide chapter for inform ation about each screen. NWA3000-N Series User s Guide 43

44 Chapter 3 Configuration Basics These are other features you should configure before you configure the m ain screen(s) for this feature. PREREQUISITES I f you did not configure one of the prerequisites first, you can often select an option to create a new object. After you create the object you return to the m ain screen to finish configuring the feature. You m ay not have to configure everything in the list of prerequisites. For exam ple, you do not have to create a schedule for a policy route unless tim e is one of the criterion. There are two uses for this. WHERE USED These are other features you should usually configure or check right after you configure the m ain screen(s) for this feature. You have to delete the references to this feature before you can delete any settings. Note: PREQUI SI TES or W HERE USED does not appear if there are no prerequisites or references in other features to this one. For exam ple, no other features reference AP m anagem ent entries, so there is no W HERE USED entry MGNT Mode Use this screen to set the device to control other devices, work as a standalone AP, or be m anaged by another device. MENU ITEM(S) Configuration > MGNT Mode LAN Setting Use this screen to configure the LAN Ethernet interface including VLAN settings. MENU ITEM(S) Configuration > LAN Setting Wireless Use these screens to m anage your wireless Access Points. MENU ITEM(S) PREREQUISITES Configuration > W ireless. Radio profiles, SSI D profiles, and security profiles Device HA To increase network reliability, device HA lets a backup device autom atically take over if a m aster device fails. Device HA is available when the device is in controller m ode. MENU ITEM(S) PREREQUISITES Configuration > Device HA I nterfaces (with a static I P address), to-device firewall 44 NWA3000-N Series User s Guide

45 Chapter 3 Configuration Basics 3.4 Objects Objects store inform ation and are referenced by other features. I f you update this inform ation in response to changes, the device autom atically propagates the change through the features that use the object. Select an object (such as a user) and then click Object Reference at the top of the list box where the object appears in order to display basic inform ation about it. The following table introduces the objects. You can also use this table when you want to delete an object because you have to delete references to the object first. Table 12 Obj ect s Overview OBJECT user ap profile m on profile certificates WHERE USED See the User section on page 45 for details. See the AP Profile section on page 45 for details. See the MON Profile section on page 46 for details. WWW, SSH, FTP, controller User Use these screens to configure the device s adm inistrator and user accounts. The device provides t he following user types. Table 13 User Types TYPE ABILITIES adm in Change device configuration ( web, CLI ) lim ited-adm in Look at device configuration (web, CLI ). Perform basic diagnostics (CLI ) user Access network services. Browse user-m ode com m ands (CLI ) AP Profile Use these screens to configure preset profiles for the Access Points (APs) connected to your device s wireless net work. Table 14 AP Profile Types TYPE Radio SSI D Security MAC Filtering ABILITIES Create radio profiles for the APs on your network. Create SSI D profiles for the APs on your network. Create security profiles for the APs on your network. Create MAC filtering profiles for the APs on your network. NWA3000-N Series User s Guide 45

46 Chapter 3 Configuration Basics MON Profile Use these screens to set up m onitor m ode configurations that allow your connected APs to scan for other wireless devices in the vicinity. Table 15 MON Profile Types TYPE Monitor ABILITIES Create m onitor m ode configurations that can be used by the APs to periodically listen to a specified channel or num ber of channels for other wireless devices broadcasting on the frequencies. 3.5 System This section introduces som e of the m anagem ent features in the device. Use Host Nam e to configure the system and dom ain nam e for the device. Use Dat e/ Tim e to configure the current date, tim e, and tim e zone in the device. Use Console Speed to set the console speed. Use Language to select a language for the Web Configurator screens WWW, SSH, TELNET, FTP, SNMP, and Auth. Server Use these screens to set which services or protocols can be used to access the device. MENU ITEM(S) PREREQUISITES Configuration > System > W W W, SSH, TELN ET, FTP, SN MP, Auth. Server certificates (WWW, SSH, FTP) Logs and Reports The device provides a system log, offers two e-m ail profiles to which to send log m essages, and sends inform ation to four syslog servers. I t can also e-m ail you statistical reports on a daily basis. MENU ITEM(S) Configuration > Log & Report File Manager Use these screens to upload, download, delete, or run scripts of CLI com m ands. You can m anage: Configuration files. Use configuration files to back up and restore the com plete configuration of the device. You can store m ultiple configuration files in the device and switch between them without restarting. Shell scripts. Use shell scripts to run a series of CLI com m ands. These are useful for large, repet it ive configurat ion changes and for t roubleshoot ing. You can edit configuration files and shell scripts in any text editor. MENU ITEM(S) Maintenance > File Manager 46 NWA3000-N Series User s Guide

47 Chapter 3 Configuration Basics Diagnostics The device can generate a file containing the device s configuration and diagnostic inform ation. I t can also capture packets going through the device s interfaces so you can analyze them to identify network problem s MENU ITEM(S) Maintenance > Diagnostics Shutdown Use this to shutdown the device in preparation for disconnecting the power. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the device or remove the power. Not doing so can cause the firmware to become corrupt. MENU ITEM(S) Maintenance > Shutdow n NWA3000-N Series User s Guide 47

48 Chapter 3 Configuration Basics 48 NWA3000-N Series User s Guide

49 CHAPTER 4 Tutorials 4.1 Sample Network Setup This tutorial shows you how to use CAPWAP to have one device control other devices to create a wireless network that allows two types of connections: staff and guest. Staff connections have full access to the network, while guests are lim ited to I nternet access (DNS, HTTP and HTTPS services). Figure 13 Tut orial Net work Topology C A A A Controller B Managed APs Requirem ents: A DHCP server (A) with Option 138, an AD server, a switch (B) that supports 802.1q, a Layer-3 routing device and a firewall (C). Note: I n this topology the firewall, such as a ZyWALL, controls what services traffic from different VLANs can use. NWA3000-N Series User s Guide 49

Chapter 4 Tutorials The following VLAN settings are used in this tutorial: Table 16 Tutorial Topology Sum m ary VLAN VLAN ID IP ADDRESS Managem ent

50 Chapter 4 Tutorials The following VLAN settings are used in this tutorial: Table 16 Tutorial Topology Sum m ary VLAN VLAN ID IP ADDRESS Managem ent / 24 Staff / 24 Guest / 24 Figure 14 Tut orial Guest VLAN Exam ple vlan 102 Controller vlan 102 Managed APs I n this exam ple, the guest VLAN (102) can only access the I nternet while the staff VLAN (101) has access to all aspects of the network Set the Management Modes Use this section to set the m anagem ent m odes for the controller and m anaged APs. 50 NWA3000-N Series User s Guide

Chapter 4 Tutorials 4.1.1.1 Controller 1 Use the Configuration > MGNT MODE screen to set the device to controller m ode.

51 Chapter 4 Tutorials Controller 1 Use the Configuration > MGNT MODE screen to set the device to controller m ode. 2 The device resets to its default settings for the controller m ode including the I P address of and restarts. Wait a short while before you attem pt to log in again Managed APs 1 Log into the other devices and use the Configuration > MGNT MODE screen to set them to be the m anaged APs using the Auto I P address option so they obtain the controller s I P address from the DHCP server. 2 Now you can no longer log into the web configurator of the m anaged devices; you m ust m anage the device through the controller AP on your network Set the LAN IP Address and Management VLAN (vlan99) This section shows you how to set up the LAN I P address and the VLAN for m anaging the controller. This is only for network adm inistrators to m anage the controller. NWA3000-N Series User s Guide 51

Chapter 4 Tutorials 1 Open the controller s Configurat ion > LAN Set ting screen. I P Address: Enter 10.10.99.10. Subnet M ask: Ent er 255.255.255.0. Gat ew ay: Ent er 10.10.99.10. Managem ent VLAN I D: Enter 99 as the VLAN I D tag.

52 Chapter 4 Tutorials 1 Open the controller s Configurat ion > LAN Set ting screen. I P Address: Enter Subnet M ask: Ent er Gat ew ay: Ent er Managem ent VLAN I D: Enter 99 as the VLAN I D tag. Click Apply to save these changes. 2 Configure your DHCP server with the controller s I P address configured as option 138 so the m anaged devices can get the controller s I P address from it. See Chapter 7 on page 93 for details Set Up Wireless User Authentication This section shows you how to set up the controller s internal RADI US server and user accounts. Note: I f you did not replace the factory default certificate with one that uses your device's MAC address when you first logged into the device, do it now in the Object > Certificate > My Certificates screen. 52 NWA3000-N Series User s Guide

53 Chapter 4 Tutorials 1 Open the Configuration > Syst em > Auth. Server screen. Turn on the authentication server and select the certificate to use. Click Apply. 2 Open the Configuration > Object > User > User screen and click Add. 3 The Add A User window opens. NWA3000-N Series User s Guide 53

54 Chapter 4 Tutorials 3a 3b User N am e: Enter guest1. User Type: User 3c Passw ord: Enter guest1, and re-enter it in the Retype field to confirm. 3d Click OK to save these settings. 4 Repeat steps 2 and 3 to create accounts for the staff m em bers Create the AP Profiles (staff, guest) This section shows you how to configure the Access Point (AP) profiles that will be used by your APs once they are connected to the network. You will first create a security profile and an SSI D profile for staff access, then you will create a second pair for guest access. Finally, you will associate them with a radio profile which is applied to your AP s radio transm itter. 1 Open the Configuration > Object > AP Profile > SSI D > Securit y List screen and then click the Add button. 54 NWA3000-N Series User s Guide

55 Chapter 4 Tutorials 2 The Add Securit y Profile window opens. 2a Profile Nam e: Enter w ap2. 2b 2c 2d Security Mode: Select w pa2 from the list of available wireless security encryption m ethods. Under Security Mode, select X then set the Radius Server Type to I nternal. Click OK. 3 Next, open the Configurat ion > Object > AP Profile > SSI D > SSI D List screen and click the Add button. NWA3000-N Series User s Guide 55

56 Chapter 4 Tutorials 4 The Add SSI D Profile window opens. 4a 4b Profile Nam e: Enter staff. SSI D: Enter staff. This is the wireless network nam e that appears when wireless clients are looking for networks to join. 4c Security Profile: Select w pa2 from the list. This is the security profile created in step 2. 4d QoS: Select W MM. 4e VLAN I D: Enter f 4g Turn on intra-bss traffic blocking. Click OK to save these settings. 5 Repeat steps 3 and 4 to create the guest SSI D profile with the sam e settings except guest as the profile nam e and SSI D and 102 for the VLAN I D. 6 Open the Configuration > Object> AP Profile > Radio screen and then double-click the default entry. 56 NWA3000-N Series User s Guide

57 Chapter 4 Tutorials 7 The Edit Ra dio Profile window opens. 7a 7b 7c Activate: Select this to m ake the radio profile active. MBSSI D Set tings: Select an entry to change it to a drop-down list. Set # 1, to the staff SSI D profile and # 2 to the guest SSI D profile. These are the two profiles you created in steps 3 to 5 of t his procedure. Click OK to save these settings. 4.2 Rogue AP Detection Rogue APs are wireless access points interacting with the network m anaged by the device but which are not under the control of the network adm inistrator. I n short, they are a security risk because they circum vent network security policy. AP detection only works when at least 1 AP is configured for Monitor m ode. The following are som e suggestions on m onitor AP placem ent: Neighboring com panies that both support wireless network. I f you can detect your neighbor s APs and you know they are friendly, you can add them to the friendly exception list. Reception areas. I f a reception area has a high volum e of visitor traffic, it m ight be useful to see if anyone is setting up their wireless device as an AP. High security areas. An AP set to Monitor m ode will let you see if anyone sets up an unauthorized AP that could potentially com prom ise your security. NWA3000-N Series User s Guide 57

58 Chapter 4 Tutorials I n this exam ple, an em ployee illicitly connects his own AP (RG) to the network that the device m anages. While not necessarily a m alicious act, it can nonetheless have severe security consequences on the network. Figure 15 Rogue AP Exam ple A 58 NWA3000-N Series User s Guide

Chapter 4 Tutorials Here, an attacker sets up a rogue AP (RG) outside the network, which he uses in an attem pt to m im ic an device-controlled SSI D in order to capture passwords and other inform

59 Chapter 4 Tutorials Here, an attacker sets up a rogue AP (RG) outside the network, which he uses in an attem pt to m im ic an device-controlled SSI D in order to capture passwords and other inform ation when authorized wireless clients m istakenly connect to it. Figure 16 Rogue AP Exam ple B This tutorial shows you how to detect rogue APs on your network: 1 Click Configuration > Object > MON Profile to open the MON Profile screen and click the Add button. NWA3000-N Series User s Guide 59

60 Chapter 4 Tutorials 2 Click the Add button. When the Add Mon Profile window opens, configure the following: Activate: Select this to allow your m onitor APs to use this profile. Profile Nam e: For the purposes of this tutorial set this to Monitor01. Channel Dw ell Tim e: Leave this as the default 100 m illiseconds. This field is the num ber of m illiseconds that the m onitor AP scans each channel before m oving on to the next. Scan Channel Mode: Set this to auto to autom atically scan channels in the area. 3 Click OK to save your changes. 4 Next, click Configuration > W ireless > AP Managem ent. 60 NWA3000-N Series User s Guide

61 Chapter 4 Tutorials 5 Select an AP and click Edit. When the Edit AP List window opens, configure the following: Radio 1 OP Mode: Set this to MON Mode to turn the AP into a rogue AP m onitoring device. Radio 1 Profile: Select your newly created Monitor01 profile from the list. 6 Click OK to save your changes. See also: Chapter 6 on page 75 and Chapter 13 on page Rogue AP Containment When the device discovers a rogue AP within its broadcast radius, it can react in one of two ways: I f the rogue AP is connected directly to the network (such as plugged into a switch downstream of the device), then the network adm inistrator m ust m anually disconnect it. The device does not allow the isolation of a rogue AP connected directly to the network. NWA3000-N Series User s Guide 61

Chapter 4 Tutorials However, if a rogue AP independent of the device m im ics a legitim ate one, then the device can interfere with it by broadcasting dum m y packets so that it cannot m akes

62 Chapter 4 Tutorials However, if a rogue AP independent of the device m im ics a legitim ate one, then the device can interfere with it by broadcasting dum m y packets so that it cannot m akes connections with em ployee clients and capture data from them. Figure 17 Containing a Rogue AP This tutorial shows you how to quarantine a rogue AP on your network: 1 Click Configurat ion > W ireless > MON Mode. 62 NWA3000-N Series User s Guide

3 The new rogue AP appears in the Rogue/ Friendly AP List. Select it, then click the Containm ent button to quarantine it away from the rest of the network. 4.

63 Chapter 4 Tutorials 2 Click the Add button. When the Edit Rogue/ Friendly AP List opens, paste the MAC address copied from the other screen in the corresponding field, set its Role as Rogue AP and then click OK to save your changes. 3 The new rogue AP appears in the Rogue/ Friendly AP List. Select it, then click the Containm ent button to quarantine it away from the rest of the network. 4.3 Load Balancing When your AP becom es overloaded, there are two basic responses it can take. The first one is to delay a client connection by withholding the connection until the data transfer throughput is lowered or the client connection is picked up by another AP. (I f the client isn t picked up after a set period of tim e, the AP allows it to connect regardless.) The second response is to kick the connections until the AP is no longer considered overloaded. Both of these tactics are known as load balancing. This tutorial shows you how to configure the device s load balancing feature. NWA3000-N Series User s Guide 63

64 Chapter 4 Tutorials 1 Click Configurat ion > W irele ss > Load Balancing. 2 Select Enable Load Balancing to turn on this feature. 3 Set the Mode. I f you choose By Stat ion Num ber, then enter the Max Station Num ber in the available field. This balances network traffic based on the num ber of specified stations downstream of the device. I f you choose By Traffic Level, then enter the traffic threshold at which the device starts balancing connected stations. 4 Select Disassociate station w hen overloaded to disconnect stations when the load balancing threshold is crossed. The stations are first disconnected based on how long they have been idle, then secondly based on the weakness of their connection signal strength. 5 Click Apply to save your changes. See also: Chapter 9 on page Dynamic Channel Selection Dynam ic Channel Selection (DCS) is a feature that allows an AP to autom atically select the radio channel upon which it broadcasts by scanning the area around it and determ ining what channels are currently being used by other devices. When num erous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if som e or all of them are broadcasting on the sam e radio channel. This can m ake accessing the network potentially rather difficult for the stations connected to them. I f the interference becom es too great, then the network adm inistrator m ust open his AP configuration options and m anually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a m inim um degree of channel int erference. 64 NWA3000-N Series User s Guide

65 Chapter 4 Tutorials 1 Click Configurat ion > W ireless > DCS. 2 Select Enable Dynam ic Channel Selection to turn on this feature. 3 Set the DCS Tim e I nterval. This is how often the device surveys the other APs within its broadcast radius. I f you place your APs in an area with a large num ber of com peting APs, set this num ber lower to ensure that your device can adjust quickly changing conditions. 4 Select DCS Sensitivity Level. This is how sensitive the APs on your network are to other channels. Generally, as long as the area in which your AP is located has m inim al interference from other devices you can set the DCS Sensitivity Level to Low. This m eans that the AP has a very broad tolerance. 5 Select Enable DCS Client Aw are. Select this so that the APs on your network do not change channels as long as any wireless clients are connected to them. When they m ust change channels, they will wait until all stations disconnect first. 6 Set the GHz Channel Selection Met hod to auto. 7 Select a 2.4 GHz Channel Deploym ent schem e. Choose Three- Channel Deploym ent to have the device rotate through 3 channels. Choose Four- Channel Deploym ent to have the device rotate through 4 channels, if allowed. 8 Click Apply to save your changes. See also: Chapter 9 on page 101. NWA3000-N Series User s Guide 65

66 Chapter 4 Tutorials 66 NWA3000-N Series User s Guide

67 PART II Technical Reference 67

68 68

69 CHAPTER 5 Dashboard 5.1 Overview Use the Dashboard screens to check status inform ation about the device What You Can Do in this Chapter The main Dashboard screen (Section 5.2 on page 69) displays the device s general device inform ation, system status, system resource usage, and interface status. You can also display other status screens for m ore inform ation. 5.2 Dashboard This screen is the first thing you see when you log into the device. I t also appears every tim e you click the Dashboard icon in the navigation panel. The Dashboard displays general device NWA3000-N Series User s Guide 69

Chapter 5 Dashboard inform ation, system status, system resource usage, and interface status in widgets that you can rearrange t o suit your needs.

70 Chapter 5 Dashboard inform ation, system status, system resource usage, and interface status in widgets that you can rearrange t o suit your needs. You can also collapse, refresh, and close individual widget s. Figure 18 Dashboard A B C D E The following table describes the labels in this screen. Table 17 Dashboard LABEL Widget Settings (A) Up Arrow (B) Refresh Tim e Setting (C) Refresh Now (D) Close Widget (E) Device I nform ation System Nam e Model Nam e Serial Num ber MAC Address Range Firm ware Version DESCRIPTION Use this link to re-open closed widgets. Widgets that are already open appear grayed out. Click this to collapse a widget. Set the interval for refreshing the inform ation displayed in the widget. Click this to update the widget s inform ation im m ediately. Click this to close the widget. Use W idget Setting to re-open it. This field displays the nam e used to identify the device on any network. Click the icon to open the screen where you can change it. This field displays the m odel nam e of this device. This field displays the serial num ber of this device. This field displays the MAC addresses used by the device. Each physical port or wireless radio has one MAC address. The first MAC address is assigned to the Ethernet LAN port, the second MAC address is assigned to the first radio, and so on. This field displays the version num ber and date of the firm ware the device is currently running. Click the icon to open the screen where you can upload firm ware. 70 NWA3000-N Series User s Guide

71 Chapter 5 Dashboard Table 17 Dashboard ( cont inued) LABEL System Resources CPU Usage Mem ory Usage Flash Usage This field displays what percentage of the device s processing capability is currently being used. Hover your cursor over this field to display the Show CPU Usage icon that takes you to a chart of the device s recent CPU usage. This field displays what percentage of the device s RAM is currently being used. Hover your cursor over this field to display the Show Mem ory Usage icon that takes you to a chart of the device s recent m em ory usage. This field displays what percentage of the device s onboard flash m em ory is currently being used. AP I nform ation This shows a sum m ary of connected wireless Access Points (APs). All AP Online Managem ent AP Offline Managem ent AP Un-Managem ent AP All Station Station All Sensed Device Un- Classified AP Rogue AP Friendly AP WDS Link Status Radio Link I D Peer MAC Address Security Status System Status System Uptim e Current Date/ Tim e Current Login User DESCRIPTION This section displays a sum m ary for all connected wireless APs when the device is in controller m ode. This displays the num ber of currently connected m anaged APs. This displays the num ber of currently offline m anaged APs. This displays the num ber of non-m anaged APs. This section displays a sum m ary of connected stations when the device is in controller m ode. This displays the num ber of stations currently connected to the network. This sections displays a sum mary of all wireless devices detected by the network. This displays the num ber of detected unclassified APs. This displays the num ber of detected rogue APs. This displays the num ber of detected friendly APs. This section displays inform ation about the WDS settings when the device is in controller m ode and configured to use WDS. This field displays which radio the device is configured to use for WDS. This field displays the nam e of the bridge connection. This field displays the hardware address of the peer device. This field displays which type of security the device is using for WDS with this radio. This field displays the status of the connection to the peer device. This field displays how long the device has been running since it last restarted or was turned on. This field displays the current date and tim e in the device. The form at is yyyym m -dd hh: m m : ss. This field displays the user nam e used to log in to the current session, the am ount of reauthentication tim e rem aining, and the am ount of lease tim e rem aining. NWA3000-N Series User s Guide 71

72 Chapter 5 Dashboard Table 17 Dashboard ( cont inued) LABEL Boot Status DESCRIPTION This field displays details about the device s startup state. OK - The device started up successfully. Firm w are update OK - A firm ware update was successful. Problem atic configuration after firm w are update - The application of the configuration failed after a firm ware upgrade. System default configuration - The device successfully applied the system default configuration. This occurs when the device starts for the first tim e or you intentionally reset the device to the system default settings. Fallback to lastgood configuration - The device was unable to apply the startup- config.conf configuration file and fell back to the lastgood.conf configuration file. Fallback to system default configuration - The device was unable to apply the lastgood.conf configuration file and fell back to the system default configuration file ( system - default.conf ). Booting in progress - The device is still applying the system configuration. Managem ent Mode I nterface Status Sum m ary Nam e Status This shows whether the device is set to control other devices, work as a stand alone AP, or be controlled by another device. I f an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text. Click the Detail icon to go to a (m ore detailed) sum m ary screen of interface statistics. This field displays the nam e of each interface. This field displays the current status of each interface. The possible values depend on what type of interface it is. I nactive - The Ethernet interface is disabled. Dow n - The Ethernet interface is enabled but not connected. Speed / Duplex - The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half ). VI D HA Status This field displays the VLAN I D to which the interface belongs. This displays when the device is in controller m ode. This field displays the status of the interface in the virtual router. Active - This interface is the m aster interface in the virtual router. Stand- By - This interface is a backup interface in the virtual router. Fault - This VRRP group is not functioning in the virtual router right now. For exam ple, this m ight happen if the interface is down. n/ a - Device HA is not active on the interface. I P Addr/ Netm ask This field displays the current I P address and subnet m ask assigned to the interface. I f the I P address is , the interface is disabled or did not receive an I P address and subnet m ask via DHCP. I f this interface is a m em ber of an active virtual router, this field displays the I P address it is currently using. This is either the static I P address of the interface (if it is the m aster) or the m anagem ent I P address (if it is a backup). I P Assignm ent This field displays how the interface gets its I P address. Static - This interface has a static I P address. DHCP Client - This interface gets its I P address from a DHCP server. 72 NWA3000-N Series User s Guide

73 Chapter 5 Dashboard Table 17 Dashboard ( cont inued) LABEL Action Top 5 Station Use this field to get or to update the I P address for the interface. Click Renew to send a new DHCP request to a DHCP server. When the device is in controller m ode this displays the top 5 Access Points (AP) with the highest num ber of station (aka wireless client) connections during the past 24 hours. # This field displays the rank of the station. AP MAC Max. Station Count AP Description WLAN I nterface Status Sum m ary Status MAC Address Radio Band OP Mode Channel Station DESCRIPTION This field displays the MAC address of the AP to which the station belongs. This field displays the m axim um num ber of wireless clients that have connected to this AP. This displays the description of the AP to which the radio belongs. When the device is in standalone m ode this displays status inform ation for the WLAN interface. This displays whether or not the WLAN interface is activated. This displays the MAC address of the radio. This indicates the radio num ber on the device. This indicates the wireless frequency band currently being used by the radio. This indicates the radio s operating m ode. Operating m odes are AP ( access point) or MON (m onitor). This indicates the channel num ber the radio is using. This displays the num ber of wireless clients connected to the device CPU Usage Use this screen to look at a chart of the device s recent CPU usage. To access this screen, click CPU Usage in the dashboard. Figure 19 Dashboard > CPU Usage NWA3000-N Series User s Guide 73

74 Chapter 5 Dashboard The following table describes the labels in this screen. Table 18 Dashboard > CPU Usage LABEL DESCRIPTION % The y-axis represents the percentage of CPU usage. tim e The x-axis shows the tim e period over which the CPU usage occurred Refresh I nterval Enter how often you want this window to be autom atically updated. Refresh Now Click this to update the inform ation in the window right away Memory Usage Use this screen to look at a chart of the device s recent m em ory (RAM) usage. To access this screen, click Mem ory Usage in the dashboard. Figure 20 Dashboard > Mem ory Usage The following table describes the labels in this screen. Table 19 Dashboard > Mem ory Usage LABEL DESCRIPTION The y- axis represents the percentage of RAM usage. The x-axis shows the tim e period over which the RAM usage occurred Refresh I nterval Enter how often you want this window to be autom atically updated. Refresh Now Click this to update the inform ation in the window right away. 74 NWA3000-N Series User s Guide

75 CHAPTER 6 Monitor 6.1 Overview Use the Monitor screens to check status and statistics inform ation What You Can Do in this Chapter The LAN Status screen (Section 6.3 on page 76) displays general LAN interface inform ation and packet statistics. The LAN Stat us Graph screen (Section on page 78) displays a line graph of packet statistics for the device s physical LAN port. The AP List screen (Section 6.4 on page 79) displays which APs are currently connected to the device. This is available when the device is in controller m ode. The Radio List screen (Section 6.5 on page 81) displays statistics about the wireless radio transm itters in each of the APs connected to the device. The St ation I nfo screen (Section 6.6 on page 84) displays inform ation about suspected rogue APs. The Rogue AP screen (Section 6.7 on page 84) displays inform ation about suspected rogue APs. Use the Legacy Device screens (Section 6.8 on page 85) to connect to legacy APs. This is available when the device is in controller m ode. The View Log screen (Section 6.9 on page 87) displays the device s current log m essages. You can change the way the log is displayed, you can e-m ail the log, and you can also clear the log in t his screen. The View AP Log screen (Section 6.10 on page 90) displays the device s current wireless AP log m essages. This is available when the device is in controller m ode. 6.2 What You Need to Know The following term s and concepts m ay help as you read through the chapter. Rogue AP Rogue APs are wireless access points operating in a network s coverage area that are not under the control of the network s adm inistrators, and can open up holes in a network s security. See Chapter 13 on page 151 for details. Friendly AP Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from neighboring networks, for exam ple). See Chapter 13 on page 151 for details. NWA3000-N Series User s Guide 75

Chapter 6 Monitor 6.3 LAN Status Use this screen to look at general LAN interface inform ation and packet statistics. To access this screen, click Monitor > LAN Stat us.

76 Chapter 6 Monitor 6.3 LAN Status Use this screen to look at general LAN interface inform ation and packet statistics. To access this screen, click Monitor > LAN Stat us. Figure 21 Monitor > LAN Status The following table describes the labels in this screen. Table 20 Monitor > LAN Status LABEL Poll I nterval Set I nterval Stop I nterface Sum m ary Nam e Status DESCRIPTION Enter how often you want this window to be updated autom atically, and click Set I nt erval. Click this to set the Poll I nterval the screen uses. Click this to stop the window from updating autom atically. You can start it again by setting the Poll I nterval and clicking Set I nterval. This field displays the nam e of the interface. This field displays the current status of the interface: I nactive - The Ethernet interface is disabled. Dow n - The Ethernet interface is enabled but not connected. Speed / Duplex - The Ethernet interface is enabled and connected. This field displays the port speed and duplex setting (Full or Half ). HA Status This is available when the device is in controller m ode. This field displays the status of the interface in the virtual router. Active - This interface is the m aster interface in the virtual router. St and- By - This interface is a backup interface in the virtual router. Fault - This VRRP group is not functioning in the virtual router right now. For exam ple, this m ight happen if the interface is down. n/ a - Device HA is not active on the interface. VI D This field displays the VLAN I D to which the interface belongs. 76 NWA3000-N Series User s Guide

77 Chapter 6 Monitor Table 20 Monitor > LAN Status (continued) LABEL I P Addr/ Netm ask DESCRIPTION This field displays the current I P address and subnet m ask assigned to the interface. I f the I P address and subnet m ask are , the interface is disabled or did not receive an I P address and subnet m ask via DHCP. I f this interface is a m em ber of an active virtual router, this field displays the I P address it is currently using. This is either t he st at ic I P address of t he int erface ( if it is the m aster) or the m anagem ent I P address (if it is a backup). I P Assignm ent This field displays how the interface gets its I P address. St at ic - This interface has a static I P address. DHCP Client - This interface gets its I P address from a DHCP server. Action Port St atist ics Table Switch to Graphic View Status Use this field to get or to update the I P address for the interface. Click Renew to send a new DHCP request to a DHCP server. Click Connect to try to connect the interface. I f the interface cannot use one of these ways to get or to update its I P address, this field displays n/ a. Click this to display the port statistics as a line graph. This field displays the current status of the physical port. Dow n - The physical port is not connected. Speed / Duplex - The physical port is connected. This field displays the port speed and duplex setting (Full or Half ). TxPkts RxPkts Collisions Tx Rx Up Tim e System Up Tim e This field displays the num ber of packets transm itted from the device on the physical port since it was last connected. This field displays the num ber of packets received by the device on the physical port since it was last connected. This field displays the num ber of collisions on the physical port since it was last connected. This field displays the transm ission speed, in bytes per second, on the physical port in the one-second interval before the screen updated. This field displays the reception speed, in bytes per second, on the physical port in the one-second interval before the screen updated. This field displays how long the physical port has been connected. This field displays how long the device has been running since it last restarted or was turned on. NWA3000-N Series User s Guide 77

78 Chapter 6 Monitor LAN Status Graph Use the port statistics graph to look at a line graph of packet statistics for the device s physical LAN port. To view, in the LAN St atus screen click the Sw it ch t o Graphic View button. Figure 22 Monitor > LAN Status > Switch to Graphic View The following table describes the labels in this screen. Table 21 Monitor > LAN Status > Switch to Graphic View LABEL Refresh I nterval Refresh Now Switch to Grid View Kbps tim e TX RX Last Update DESCRIPTION Enter how often you want this window to be autom atically updated. Click this to update the inform ation in the window right away. Click this to display the port statistics as a table. The y-axis represents the speed of transm ission or reception. The x-axis shows the tim e period over which the transm ission or reception occurred This line represents traffic transm itted from the device on the physical port since it was last connected. This line represents the traffic received by the device on the physical port since it was last connected. This field displays the date and tim e the inform ation in the window was last updated. 78 NWA3000-N Series User s Guide

Chapter 6 Monitor 6.4 AP List Use this screen to view which APs are currently connected to the device. This is available when the device is in controller m ode.

79 Chapter 6 Monitor 6.4 AP List Use this screen to view which APs are currently connected to the device. This is available when the device is in controller m ode. To access this screen, click Monitor > W ireless > AP I nform ation > AP List. Figure 23 Monitor > Wireless > AP I nform ation > AP List The following table describes the labels in this screen. Table 22 Monitor > Wireless > AP I nform ation > AP List LABEL Add to Mgnt AP List More I nform ation DESCRIPTION When the device is in controller m ode, it lists the com patible devices it detects in this screen. Select an entry where the Status displays an AP icon wit h a quest ion m ark (?) and click this button to have the device m anage it. Click this to view a daily station count about the selected AP. The count records station activity on the AP over a consecutive 24 hour period. # This is the AP s index num ber in this list. Status Registration I P Address MAC Address Model Mgm t. VLAN I D This visually displays the AP s connection status with icons. For details on the different Status states, see the next table. This indicates whether the AP is registered with the m anaged AP list. This displays the AP s I P address. This displays the AP s MAC address. This displays the AP s m odel num ber. This displays the num ber of the AP s m anagem ent VLAN. Description This displays the AP s associated description. The default description is AP- + the AP s MAC Address. Station Refresh This displays the num ber of stations ( aka wireless clients) associated with the AP. Click this to refresh the item s displayed on this page. The following table describes the icons in this screen. Table 23 Monitor > Wireless > AP List I cons LABEL DESCRIPTION This is an AP that is not on the m anagem ent list. This is an AP that is on the m anagem ent list and which is online. This is an AP that is in the process of having its firm ware updated. This is an AP that is both on the m anagem ent list and which is offline. NWA3000-N Series User s Guide 79

Chapter 6 Monitor 6.4.1 Station Count of AP Use this screen to look at station statistics for the connected AP. To access this screen, click the More I nform at ion button in the AP List screen.

80 Chapter 6 Monitor Station Count of AP Use this screen to look at station statistics for the connected AP. To access this screen, click the More I nform at ion button in the AP List screen. Figure 24 Monitor > System Status > AP List > More I nform ation The following table describes the labels in this screen. Table 24 Monitor > System Status > AP List > More I nform ation LABEL Station Count Tim e Last Update DESCRIPTION The y-axis represents the num ber of connected stations. The x-axis shows the tim e over which a station was connected. This field displays the date and tim e the inform ation in the window was last updated. 80 NWA3000-N Series User s Guide

81 Chapter 6 Monitor 6.5 Radio List Use this screen to view statistics for the device s wireless radio transm itters when it is in standalone m ode or the radios in each of the APs connected to the device when it is in controller m ode. To access this screen, click Monitor > W ireless > AP I nform at ion > Radio List. Figure 25 Monitor > Wireless > AP I nform ation > Radio List (Controller Mode) The following table describes the labels in this screen. Table 25 Monitor > Wireless > AP I nform ation > Radio List LABEL More I nform ation DESCRIPTION Click this to view additional inform ation about the selected radio s wireless traffic and station count. I nform ation spans a 24 hour period. # When the device is in controller m ode, this is the radio s index num ber in this list. Status Loading AP Description Model MAC Address Radio OP Mode Profile Frequency Band When the device is in standalone m ode, this displays whether or not the WLAN interface is activated. This indicates the AP s load balance status. This displays the description of the AP to which the radio belongs. This displays the m odel of the AP to which the radio belongs. This displays the MAC address of the radio. This indicates the radio num ber on the AP to which it belongs. This indicates the radio s operating m ode. Operating m odes are AP (access point) or MON (m onitor). This indicates the profile nam e to which the radio belongs. This indicates the wireless frequency band currently being used by the radio. Channel I D This indicates the radio s channel I D. Station Rx PKT Tx PKT Rx FCS Error Count Tx Retry Count When the device is in standalone m ode, this displays the num ber of wireless clients connected to the device. This displays the total num ber of packets received by the radio. This displays the total num ber of packets transm itted by the radio. This indicates the num ber of received packet errors accrued by the radio. This indicates the num ber of tim es the radio has attem pted to re-transm it packets. NWA3000-N Series User s Guide 81

82 Chapter 6 Monitor AP Mode Radio Information This screen allows you to view a selected radio s MBSSI D details, wireless traffic statistics and station count for the preceding 24 hours. To access this window, click the More I nform at ion button in the Radio List Statistics screen. Figure 26 Monitor > Wireless > AP I nform ation > Radio List > More I nform ation 82 NWA3000-N Series User s Guide

83 Chapter 6 Monitor The following table describes the labels in this screen. Table 26 Monitor > Wireless > AP I nform ation > Radio List > More I nform ation LABEL MBSSI D Detail DESCRIPTION This list shows inform ation about all the wireless clients that have connected to the specified radio over the preceding 24 hours. # This is the item s sequential num ber in the list. I t has no bearing on the actual data in this list. SSI D Nam e This displays an SSI D associated with this radio. There can be up to eight m axim um. BSSI D This displays a BSSI D associated with this radio. The BSSI D is tied to the SSI D. Security Mode This displays the security m ode in which the SSI D is operating. VLAN This displays the VLAN I D associated with the SSI D. WDS Link Detail Link I D Peer MAC Address Status Security Mode Link Up Tim e When the device is in standalone m ode and you set the wireless operating m ode to AP+ Bridge this displays inform ation about the Wireless Distribution System ( WDS) connections. This field displays the nam e of the bridge connection. This field displays the hardware address of the peer device. This field displays the status of the connection to the peer device. This field displays which type of security the device is using for WDS with this radio. This field shows how long the connection to the peer device has been up. Traffic Statistics This graph displays the overall traffic inform ation the radio over the preceding 24 hours. bps tim e Station Count OK Tim e Cancel Last Update This axis represents the am ount of data m oved across this radio in m egabytes per second. This axis represents the am ount of tim e over which the data m oved across this radio. The y-axis represents the num ber of connected stations. The x-axis shows the tim e over which a station was connected. This field displays the date and tim e the inform ation in the window was last updated. Click this to close this window. Click this to close this window. NWA3000-N Series User s Guide 83

Chapter 6 Monitor 6.6 Station List Use this screen to view statistics pertaining to the associated stations (or wireless clients ). Click Monitor > W ireless > Station I nfo to access this screen.

84 Chapter 6 Monitor 6.6 Station List Use this screen to view statistics pertaining to the associated stations (or wireless clients ). Click Monitor > W ireless > Station I nfo to access this screen. Figure 27 Monitor > Wireless > Station I nfo The following table describes the labels in this screen. Table 27 Monitor > Wireless > Station I nfo LABEL DESCRIPTION # This is the station s index num ber in this list. MAC Address Associated AP SSI D Nam e Security Mode Association Tim e Refresh This is the station s MAC address. This is available when the device is in controller m ode. This indicates the AP through which the station is connected to the network. This indicates the nam e of the wireless network to which the station is connected. A single AP can have m ultiple SSI Ds or networks. This indicates which secure encryption m ethods is being used by the station to connect to the network. This indicates how long the station has been associated with the AP. Click this to refresh the item s displayed on this page. 6.7 Rogue AP Use this screen to view inform ation about suspected rogue APs. Click Monitor > W ireless > Rogue AP > Detect ed Device to access this screen. 84 NWA3000-N Series User s Guide

Chapter 6 Monitor Note: The device or at least one of the APs the device is m anaging m ust be set to Monitor m ode in order to detect other wireless devices in its vicinity.

85 Chapter 6 Monitor Note: The device or at least one of the APs the device is m anaging m ust be set to Monitor m ode in order to detect other wireless devices in its vicinity. Figure 28 Monitor > Wireless > Rogue AP The following table describes the labels in this screen. Table 28 Monit or > Wireless > Rogue AP LABEL Mark as Rogue AP Mark as Friendly AP DESCRIPTION Click this button to m ark the selected AP as a rogue AP. A rogue AP can be contained in the Configuration > W ireless > MON Mode screen (Chapter 9 on page 101). Click this button to m ark the selected AP as a friendly AP. For m ore on m anaging friendly APs, see the Configuration > W ireless > MON Mode screen (Chapter 9 on page 101). # This is the station s index num ber in this list. Status Device Role MAC Address This indicates the detected device s status. This indicates the type of device detected. This indicates the detected device s role (such as friendly or rogue). This indicates the detected device s MAC address. SSI D Nam e This indicates the detected device s SSI D. Channel I D This indicates the detected device s channel I D Mode This indicates the m ode (a/ b/ g/ n) transm itted by the detected device. Security Description Last Seen Refresh This indicates the encryption m ethod (if any) used by the detected device. This displays the detected device s description. For m ore on m anaging friendly and rogue APs, see the Configuration > W ireless > MON Mode screen (Chapter 9 on page 101). This indicates the last tim e the device was detected by the device. Click this to refresh the item s displayed on this page. 6.8 Legacy Device Info When the device is in controller m ode you can use this screen to configure and m aintain a list of com patible legacy (NWA-3000 series) APs. Use the list to link to their Web Configurators. Click Monitor > W ireless > Rogue AP > Legacy Device I nfo to access this screen. Com patible legacy APs: NWA3000-N Series User s Guide 85

Chapter 6 Monitor NWA- 3160 NWA- 3163 NWA- 3500 NWA- 3550 NWA- 3166 Figure 29 Monitor > Wireless > Legacy Device I nfo The following table describes the labels in this screen.

Double-click an entry or select it and click Edit to open a screen where you can m odify the entry s settings. Select an entry and click this button to delete it from the list.

86 Chapter 6 Monitor NWA NWA NWA NWA NWA Figure 29 Monitor > Wireless > Legacy Device I nfo The following table describes the labels in this screen. Table 29 Monit or > Wireless > Legacy Device I nfo LABEL Add Edit Rem ove Connect I P Description DESCRIPTION Click this to add a device to the list of legacy APs the device m onitors. Double-click an entry or select it and click Edit to open a screen where you can m odify the entry s settings. Select an entry and click this button to delete it from the list. Select an entry and click this button to go to the legacy AP s Web Configurator screens. This is the I P address of the legacy AP. This is m anually entered inform ation about the legacy AP represented by this entry Legacy Device Info Add or Edit Use this screen to configure an entry for linking to a com patible legacy AP s Web Configurator. The legacy AP m ust also be in controller m ode. Click Monitor > W ireless > Rogue AP > Legacy Device I nfo and then click the Add button or select a radio profile from the list and click the Edit button to access this screen. Figure 30 Monitor > Wireless > Legacy Device I nfo > Add 86 NWA3000-N Series User s Guide

87 Chapter 6 Monitor The following table describes the labels in this screen. Table 30 Monit or > Wireless > Legacy Device I nfo LABEL Device I P Address Description OK Cancel DESCRIPTION Enter the legacy AP s I P address. Enter a description to help you identify the legacy AP. Click OK to save your changes back to the device. Click Cancel to exit this screen without saving your changes. 6.9 View Log Log m essages are stored in two separate logs, one for regular log m essages and one for debugging m essages. I n the regular log, you can look at all the log m essages by selecting All Logs, or you can select a specific category of log m essages (for exam ple, user). You can also look at the debugging log by selecting Debug Log. All debugging m essages have the sam e priority. To access this screen, click Monitor > Log. The log is displayed in the following screen. Note: When a log reaches the m axim um num ber of log m essages, new log m essages autom atically overwrite existing log m essages, starting with the oldest existing log m essage first. For individual log descriptions, see Appendix A on page 255. For the m axim um num ber of log m essages in the device, see Chapter 22 on page 251. NWA3000-N Series User s Guide 87

88 Chapter 6 Monitor Events that generate an alert (as well as a log m essage) display in red. Regular logs display in black. Click a colum n s heading cell to sort the table entries by that colum n s criteria. Click the heading cell again to reverse the sort order. Figure 31 Monit or > Log > View Log The following table describes the labels in this screen. Table 31 Monit or > Log > View Log LABEL Show Filter / Hide Filter DESCRIPTION Click this button to show or hide the filter settings. I f the filter settings are hidden, the Display, Em ail Log N ow, Refresh, and Clear Log fields are available. I f the filter settings are shown, the Display, Priority, Source Address, Destination Address, Service, Keyw ord, and Search fields are available. Display Priority Source Address Destination Address Select the category of log m essage(s) you want to view. You can also view All Logs at one tim e, or you can view the Debug Log. This displays when you show the filter. Select the priority of log m essages to display. The log displays the log m essages with this priority or higher. Choices are: any, em erg, alert, crit, error, w arn, notice, and info, from highest priority to lowest priority. This field is read-only if the Category is Debug Log. This displays when you show the filter. Type the source I P address of the incom ing packet that generated the log m essage. Do not include the port in this filter. This displays when you show the filter. Type the I P address of the destination of the incom ing packet when the log m essage was generated. Do not include the port in this filter. 88 NWA3000-N Series User s Guide

89 Chapter 6 Monitor Table 31 Monitor > Log > View Log (continued) LABEL Source I nterface Destination I nterface Keyword Protocol Search Em ail Log Now Refresh Clear Log This displays when you show the filter. Select the source interface of the packet that generated the log m essage. This displays when you show the filter. Select the destination interface of the packet that generated the log m essage. This displays when you show the filter. Type a keyword to look for in the Message, Source, Destination and Not e fields. I f a m atch is found in any field, the log m essage is displayed. You can use up to 63 alphanum eric characters and the underscore, as well as punctuation m arks (),: ;?! + -* / = # ; the period, double quotes, and brackets are not allowed. This displays when you show the filter. Select a service protocol whose log m essages you would like to see. This displays when you show the filter. Click this button to update the log using the current filter settings. Click this button to send log m essages to the Active e- m ail addresses specified in the Send Log To field on the Log Settings page. Click this to update the list of logs. Click this button to clear the whole log, regardless of what is currently displayed on the screen. # This field is a sequential value, and it is not associated with a specific log m essage. Tim e Priority Category Message Source Destination Note DESCRIPTION This field displays the tim e the log m essage was recorded. This field displays the priority of the log m essage. I t has the sam e range of values as the Priority field above. This field displays the log that generated the log m essage. I t is the sam e value used in the Display and (other) Category fields. This field displays the reason the log m essage was generated. The text [ count= x], where x is a num ber, appears at the end of the Message field if log consolidation is turned on and m ultiple entries were aggregated to generate into this one. This field displays the source I P address and the port num ber in the event that generated the log m essage. This field displays the destination I P address and the port num ber of the event that generated the log m essage. This field displays any additional inform ation about the log m essage. The Web Configurator saves the filter settings if you leave the View Log screen and return to it lat er. NWA3000-N Series User s Guide 89

90 Chapter 6 Monitor 6.10 View AP Log Use this screen to view a m anaged AP s log. Click Monitor > Log > View AP Log to access this screen. Figure 32 Monitor > Log > View AP Log The following table describes the labels in this screen. Table 32 Monitor > Log > View AP Log LABEL Show/ Hide Filter Select an AP Log Query Status DESCRIPTION Click this to show or hide the AP log filter. Select an AP from the list to view its log m essages. This indicates the current log query status. init - I ndicates the query has not been initialized. querying - I ndicates the query is in process. fail - I ndicates the query failed. success - I ndicates the query succeeded. AP I nform ation Log File Status Last Log Query Tim e This displays the MAC address for the selected AP. This indicates the status of the AP s log m essages. This indicates the last tim e the AP was queried for its log m essages. 90 NWA3000-N Series User s Guide

91 Chapter 6 Monitor Table 32 Monitor > Log > View AP Log (continued) LABEL DESCRIPTION Display Select the log file from the specified AP that you want displayed. Note: This criterion only appears when you Show Filter. Priority Select a priority level to use for filtering displayed log m essages. Note: This criterion only appears when you Show Filter. Source Address Enter a source I P address to display only the log m essages that include it. Note: This criterion only appears when you Show Filter. Destination Address Source I nterface Enter a destination I P address to display only the log m essages that include it. Note: This criterion only appears when you Show Filter. Enter a source interface to display only the log m essages that include it. Note: This criterion only appears when you Show Filter. Destination I nterface Keyword Enter a destination interface to display only the log m essages that include it. Note: This criterion only appears when you Show Filter. Enter a keyword to display only the log m essages that include it. Note: This criterion only appears when you Show Filter. Protocol Select a protocol to display only the log m essages that include it. Search Em ail Log Now Refresh Clear Log Note: This criterion only appears when you Show Filter. Click this to start the log query based on the selected criteria. I f no criteria have been selected, then this displays all log m essages for the specified AP regardless. Click this open a new e-m ail in your default e-m ail program with the selected log attached. Click this to refresh the log table. Click this to clear the log on the specified AP. # This field is a sequential value, and it is not associated with a specific log m essage. Tim e Priority Category Message Source Destination Note This indicates the tim e that the log m essages was created or recorded on the AP. This indicates the selected log m essage s priority. This indicates the selected log m essage s category. This displays content of the selected log m essage. This displays the source I P address of the selected log m essage. This displays the source I P address of the selected log m essage. This displays any notes associated with the selected log m essage. NWA3000-N Series User s Guide 91

92 Chapter 6 Monitor 92 NWA3000-N Series User s Guide

93 CHAPTER 7 Management Mode 7.1 Overview This chapter discusses using the device in m anagem ent m ode, which determ ines whether the device is used in its default standalone m ode, or as part of a Control And Provisioning of Wireless Access Points (CAPWAP) network. 7.2 About CAPWAP The device supports CAPWAP. This is ZyXEL s im plem entation of the CAPWAP protocol (RFC 5415). The CAPWAP dataflow is protected by Datagram Transport Layer Security (DTLS). The following figure illustrates a CAPWAP wireless network. You (U) configure the AP controller (C), which then autom atically updates the configurations of the m anaged APs (M1 ~ M4 ). Figure 33 CAPWAP Net work Exam ple U DHCP SERVER C M1 M2 M3 M4 Note: The device can be a standalone AP (default), a CAPWAP m anaged AP, or a CAPWAP AP controller CAPWAP Discovery and Management The link between CAPWAP-enabled access points proceeds as follows: NWA3000-N Series User s Guide 93

94 Chapter 7 Management Mode 1 An AP in m anaged AP m ode joins a wired network (receives a dynam ic I P address). 2 The AP sends out a discovery request, looking for an AP in CAPWAP AP controller m ode. 3 I f there is an AP controller on the network, it receives the discovery request. I f the AP controller is in Manual m ode it adds the details of the AP to its Unm anaged Access Points list, and you decide which available APs to m anage. I f the AP is in Alw ays Accept m ode, it autom atically adds the AP to its Managed Access Point s list and provides the m anaged AP with default configuration inform ation, as well as securely transm itting the DTLS pre-shared key. The m anaged AP is ready for associat ion wit h wireless client s Managed AP Finds the Controller A m anaged device can find the controller in one of the following ways: Manually specify the controller s I P address using the com m ands. See the device CLI Reference Guide for det ails. Get the controller s I P address from a DHCP serverwith the controller s I P address configured as option 138. Broadcasting to discover the controller within thebroadcast dom ain. The AP controller m ust have a static I P address; it cannot be a DHCP client CAPWAP and IP Subnets By default, CAPWAP works only between devices with I P addresses in the sam e subnet (see the appendices for inform ation on I P addresses and subnetting). However, you can configure CAPWAP to operate between devices with I P addresses in different subnets by doing the following. Activate DHCP. Your network s DHCP server m ust support option 138 defined in RFC Configure DHCP option 138 with the I P address of the CAPWAP AP controller on your network. 94 NWA3000-N Series User s Guide

95 Chapter 7 Management Mode DHCP Option 138 allows the CAPWAP m anagem ent request (from the AP in m anaged AP m ode) to reach the AP controller in a different subnet, as shown in the following figure. Figure 34 CAPWAP and DHCP Option 138 SUBNET 1 SUBNET 2 CAPWAP TRAFFIC DHCP SERVER + OPTION 138 AP CONTROLLER (STATIC IP) MANAGED AP Notes on CAPWAP This section lists som e additional features of ZyXEL s im plem entation of the CAPWAP protocol. When the AP controller uses its internal Rem ote Authentication Dial I n User Service (RADI US) server, m anaged APs also use the AP controller s authentication server to authenticate wireless client s. I f a m anaged AP s link to the AP controller is broken, the m anaged AP continues to use the wireless settings with which it was last provided. 7.3 The Management Mode Screen Use this screen to configure the device as an a controller of m anaged devices, a standalone AP, or a m anaged AP. Note: After you change the operation m ode, the device resets to its default settings for the m ode you set it to, including the I P address of I t also backs up its configuration to a xxx-backup.conf file where xxx denotes the m ode the device was previously using. NWA3000-N Series User s Guide 95

96 Chapter 7 Management Mode Click Configurat ion > MGNT MODE in the device s navigation m enu. The following screen displays. Figure 35 Configurat ion > MGNT MODE The following table describes the labels in this screen. Table 33 Configurat ion > MGNT MODE LABEL AP Controller Standalone AP Managed AP DESCRIPTION Select this option to have the device act as a m anaging device for other devices on your network. The device only acts as a controller when you select this. Wireless clients cannot connect directly to the controller; you have to connect to it through the wired network. Select this to m anage the device using its own web configurator, neither m anaging nor m anaged by other devices. Select this to have the device m anaged by another device on your network. When you do this, the device can be configured ONLY by the m anagem ent AP. I f you do not have an AP controller on your network and want to return the device to standalone m ode, you m ust use the its physical RESET button or the com m ands. All settings are returned to their default values. Apply Click this to save your changes. I f you change the m ode in this screen, the device restarts. Wait a short while before you attem pt to log in again. I f you changed the m ode to Managed AP, you cannot log in as the web configurator is disabled; you m ust m anage the device through the controller AP on your network. Reset Click this to return this screen to its previously-saved settings. 96 NWA3000-N Series User s Guide

97 CHAPTER 8 LAN Setting 8.1 LAN Setting Overview Use these screens to configure the device s LAN Ethernet interface including VLAN settings What You Can Do in this Chapter The LAN Setting screens (Section 8.2 on page 98) m anage the LAN Ethernet interface including VLAN settings What You Need to Know DNS Overview DNS (Dom ain Nam e System ) is for m apping a dom ain nam e to its corresponding I P address and vice versa. The DNS server is extrem ely im portant because without it, you m ust know the I P address of a m achine before you can access it. DNS Server Address Assignment The device can get the DNS server addresses in the following ways. The I SP tells you the DNS server addresses, usually in the form of an inform ation sheet, when you sign up. I f your I SP gives you DNS server addresses, m anually enter them in the DNS server fields. I f your I SP dynam ically assigns the DNS server I P addresses (along with the device s WAN I P address), set the DNS server fields to get the DNS server address from the I SP. You can m anually enter the I P addresses of other DNS servers. NWA3000-N Series User s Guide 97

98 Chapter 8 LAN Setting 8.2 LAN Setting This screen lists every Ethernet interface. To access this screen, click Configuration > LAN Setting. Figure 36 Configuration > LAN Setting 98 NWA3000-N Series User s Guide

99 Chapter 8 LAN Setting Each field is described in the following table. Table 34 Configurat ion > LAN Set t ing LABEL I P Address Assignm ent Get Autom atically Use Fixed I P Address I P Address Subnet Mask Gateway DNS Server Settings Add Edit Rem ove Move DESCRIPTION This option appears when the MGNT Mode is set to St and Alone AP. Select this to m ake the interface a DHCP client and autom atically get the I P address, subnet m ask, and gateway address from a DHCP server. Select this if you want to specify the I P address, subnet m ask, and gateway m anually. You can only configure a fixed I P address when the MGN T Mode is set to Stand Alone AP. Enter the I P address for this interface. Enter the subnet m ask of this interface in dot decim al notation. The subnet m ask indicates what part of the I P address is the sam e for all com puters in the network. Enter the I P address of the gateway. The device sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the sam e network as the interface. Use this section to specify the I P addresses for the device to use. Use one of the following ways to specify these I P addresses. User- Defined - enter a static I P address. From I SP - select the DNS server that another interface received from its DHCP server. Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Double-click an entry or select it and click Edit to be able to m odify the entry s settings. To rem ove an entry, select it and click Rem ove. The device confirm s you want to rem ove it before doing so. Note that subsequent entries m ove up by one when you take this action. To change an entry s position in the num bered list, select the entry and click Move to display a field to type a num ber for where you want to put it and press [ ENTER] to m ove the rule to the num ber that you typed. # This is the index num ber of the DNS server address entry. The ordering of your entries is im portant as the device uses them in sequence. A hyphen (-) displays for the default DNS server address entry. The device uses this default entry if it cannot get a reply for any of the other servers. Ty pe DNS Server VLAN Settings Managem ent VLAN I D As Native VLAN Apply Reset This displays whether the DNS server I P address is assigned by a DHCP server dynam ically (From DHCP), is configured m anually (User- Defined), or is the default entry the device uses if it cannot get a reply for any of the other servers. This is the I P address of a DNS server. This field displays N/ A if you have the device get a DNS server I P address from the I SP dynam ically but the LAN interface is using a static I P address. Enter a VLAN I D for the device. Select this option to treat this VLAN I D as a VLAN created on the device and not one assigned to it from outside the network. Click Apply to save your changes back to the device. Click Reset to return the screen to its last- saved settings. NWA3000-N Series User s Guide 99

Chapter 8 LAN Setting 8.2.1 Add or Edit a DNS Setting Use this screen to configure a DNS server entry for the LAN.

100 Chapter 8 LAN Setting Add or Edit a DNS Setting Use this screen to configure a DNS server entry for the LAN. Click Configuration > LAN Setting and then click the Add button or select a DNS server entry from the list and click the Edit button to access t his screen. Figure 37 Configuration > LAN Setting > Add The following table describes the labels in this screen. Table 35 Configuration > LAN Setting > Add LABEL Ty pe DESCRIPTION Select User- Defined to m anually enter a DNS server s I P address. Select From DHCP to dynam ically get a DNS server address from a DHCP server. DNS Server OK Cancel This appears when you set the Type to User- Defined. Enter the I P address of a DNS server. Click OK to save your custom ized settings and exit this screen. Click Cancel to exit this screen without saving 100 NWA3000-N Series User s Guide

101 CHAPTER 9 Wireless 9.1 Overview Use the W ireless screens to configure how the device m anages the Access Point that are connected to it What You Can Do in this Chapter The Controller screen (Section 9.2 on page 102) sets how the device allows new APs to connect to the network. This is available when the device is in controller m ode. The AP Managem ent screen (Section 9.3 on page 102) m anages the device s general wireless settings if it is in standalone m ode or the general wireless settings of all of the device s m anaged APs if the device is in controller m ode. The MON Mode screen (Section 9.4 on page 105) allows you to assign APs either to the rogue AP list or the friendly AP list. The Load Balancing screen (Section 9.5 on page 108) configures network traffic load balancing between the APs and the device. The DCS screen (Section 9.6 on page 111) configures dynam ic radio channel selection What You Need to Know The following term s and concepts m ay help as you read this chapter. Station / Wireless Client A station or wireless client is any wireless-capable device that can connect to an AP using a wireless signal. Dynamic Channel Selection (DCS) Dynam ic Channel Selection (DCS) is a feature that allows an AP to autom atically select the radio channel upon which it broadcasts by scanning the area around it and determ ining what channels are currently being used by other devices. Load Balancing (Wireless) Wireless load balancing is the process where you lim it the num ber of connections allowed on an wireless access point (AP) or you lim it the am ount of wireless traffic transm itted and received on it so the AP does not becom e overloaded. NWA3000-N Series User s Guide 101

Chapter 9 Wireless 9.2 Controller Use this screen to set how the device allows new APs to connect to the network. This is available when the device is in controller m ode.

102 Chapter 9 Wireless 9.2 Controller Use this screen to set how the device allows new APs to connect to the network. This is available when the device is in controller m ode. Click Configurat ion > W ireless > Controller to access t his screen. Figure 38 Configuration > Wireless > Controller Each field is described in the following table. Table 36 Configurat ion > Wireless > Cont roller LABEL Registration Type DESCRIPTION Select Manual to add each AP to the device for m anagem ent, or Alw ays Accept to autom atically add APs to the device for m anagem ent. Note: Select the Manual option for managing a specific set of APs. This is recommended as the registration mechanism cannot automatically differentiate between friendly and rogue APs. For details on how to handle rogue APs, see Section 6.7 on page 84. APs m ust be connected to the device by a wired connection or network. Apply Reset Click Apply to save your changes back to the device. Click Reset to return the screen to its last- saved settings. 9.3 AP Management Use this screen to m anage all of the APs connected to the device. Click Configurat ion > W ireless > AP Managem ent to access this screen. This screen m anages the device s general wireless 102 NWA3000-N Series User s Guide

Chapter 9 Wireless settings if it is in standalone m ode or the general wireless settings of all of the device s m anaged APs if the device is in controller m ode.

Table 37 Configurat ion > Wireless > AP Managem ent ( Cont roller Mode) LABEL Edit Rem ove Reboot DESCRIPTION Select an AP and click this button to edit its properties.

103 Chapter 9 Wireless settings if it is in standalone m ode or the general wireless settings of all of the device s m anaged APs if the device is in controller m ode. Figure 39 Configuration > Wireless > AP Managem ent (Controller Mode) The following fields display if the Ndevice is in controller m ode. Table 37 Configurat ion > Wireless > AP Managem ent ( Cont roller Mode) LABEL Edit Rem ove Reboot DESCRIPTION Select an AP and click this button to edit its properties. Select an AP and click this button to rem ove it from the list. Note: If in the Configuration > Wireless > Controller screen you set the Registration Type to Always Accept, then as soon as you remove an AP from this list it reconnects. Select an AP and click this button to force it to restart. # This field is a sequential value, and it is not associated with any interface. I P Address MAC Model This field displays the I P address of the AP. This field displays the MAC address of the AP. This field displays the AP s hardware m odel inform ation. I t displays N/ A (not applicable) only when the AP disconnects from the device and the inform ation is unavailable as a result. R1 Mode / Profile This field displays the AP or MON profile for Radio 1. R2 Mode / Profile Mgnt. VLAN I D Description I f the device has a second radio this field displays the AP or MON profile for Radio 2. This field displays the I D of the AP s m anagem ent VLAN. This field displays the AP s description, which you can configure by selecting the AP and clicking the Edit button. Figure 40 Configuration > Wireless > AP Managem ent (Standalone Mode) NWA3000-N Series User s Guide 103

104 Chapter 9 Wireless The following fields display if the Ndevice is in standalone m ode. Table 38 Configurat ion > Wireless > AP Managem ent ( St andalone Mode) LABEL Model DESCRIPTION This field displays the AP s hardware m odel inform ation. I t displays N/ A (not applicable) only when the AP disconnects from the device and the inform ation is unavailable as a result. R1 Mode / Profile This field displays the AP or MON profile for Radio 1. R2 Mode / Profile I f the device has a second radio this field displays the AP or MON profile for Radio Edit AP List Select an AP and click the Edit button in the Configuration > W ireless > AP Managem ent table to display this screen. Use this screen to set the m anaged AP s general wireless settings. Figure 41 Configuration > Wireless > Edit AP List Each field is described in the following table. Table 39 Configurat ion > Wireless > Edit AP List LABEL Create new Object MAC Address Model Description DESCRIPTION Use this m enu to create a new Radio or SSI D object to associate with this AP. This displays the MAC address of the selected AP. This field displays the AP s hardware m odel inform ation. I t displays N/ A (not applicable) only when the AP disconnects from the device and the inform ation is unavailable as a result. Enter a description for this AP. You can use up to 31 characters, spaces and underscores allowed. 104 NWA3000-N Series User s Guide

105 Chapter 9 Wireless Table 39 Configurat ion > Wireless > Edit AP List ( cont inued) LABEL DESCRIPTION Radio 1 OP Mode Select the operating m ode for radio 1. AP Mode m eans the AP can receive connections from wireless clients and pass their data traffic through to the device to be m anaged (or subsequently passed on to an upstream gateway for m anaging). MON Mode m eans the AP m onitors the broadcast area for other APs, then passes their inform ation on to the device where it can be determ ined if those APs are friendly or rogue. I f an AP is set to this m ode it cannot receive connections from wireless clients. Radio 1 Profile Radio 2 OP Mode Select the profile the radio uses. I f no profile exists, you can create a new one through the Create new Object m enu. This displays if the device has a second radio. Select the operating m ode for radio 2. AP Mode m eans the AP can receive connections from wireless clients and pass their data traffic through to the device to be m anaged (or subsequently passed on to an upstream gateway for m anaging). MON Mode m eans the AP m onitors the broadcast area for other APs, then passes their inform ation on to the device where it can be determ ined if those APs are friendly or rogue. I f an AP is set to this m ode it cannot receive connections from wireless clients. Radio 2 Profile Managem ent VLAN I D As Native VLAN OK Cancel This displays if the device has a second radio. Select the profile the radio uses. I f no profile exists, you can create a new one through the Create new Object m enu. Enter a VLAN I D for this AP. Select this option to treat this VLAN I D as a VLAN created on the device and not one assigned to it from outside the network. Click OK to save your changes back to the device. Click Cancel to close the window with changes unsaved. 9.4 MON Mode Use this screen to assign APs either to the rogue AP list or the friendly AP list. A rogue AP is a wireless access point operating in a network s coverage area that is not under the control of the network adm inistrator, and which can potentially open up holes in a network s security. NWA3000-N Series User s Guide 105

106 Chapter 9 Wireless Click Configurat ion > W ireless > MON Mode to access this screen. Figure 42 Configuration > Wireless > MON Mode Each field is described in the following table. Table 40 Configurat ion > Wireless > MON Mode LABEL General Settings Enable Rogue AP Containm ent Rogue/ Friendly AP List Add Edit Rem ove Containm ent Dis- Containm ent DESCRIPTION Select this to enable rogue AP containm ent. Click this button to add an AP to the list and assign it either friendly or rogue status. Select an AP in the list to edit and reassign its status. Select an AP in the list to rem ove. Click this button to quarantine the selected AP. A quarantined AP cannot grant access to any network services. Any stations that attem pt to connect to a quarantined AP are disconnected autom atically. Click this button to stop the quarantine of the selected AP so it has norm al access to the network. # This field is a sequential value, and it is not associated with any interface. Containm ent Role MAC Address Description This field indicates the selected AP s containm ent status. This field indicates whether the selected AP is a rogue- ap or a friendlyap. To change the AP s role, click the Edit button. This field indicates the AP s radio MAC address. This field displays the AP s description. You can m odify this by clicking the Edit button. 106 NWA3000-N Series User s Guide

107 Chapter 9 Wireless Table 40 Configurat ion > Wireless > MON Mode ( cont inued) LABEL I m porting/ Exporting File Path / Browse / I m porting DESCRIPTION These controls allow you to export the current list of rogue and friendly APs or im port existing lists. Enter the file nam e and path of the list you want to im port or click the Brow se button to locate it. Once the File Path field has been populated, click I m porting to bring the list into the device. You need to wait a while for the im porting process to finish. Apply Reset Exporting Click this button to export the current list of either rogue APs or friendly APS. Click Apply to save your changes back to the device. Click Reset to return the screen to its last-saved settings Add/Edit Rogue/Friendly List Select an AP and click the Edit button in the Configuration > W ireless > MON Mode table to display t his screen. Figure 43 Configuration > Wireless > MON Mode > Add/ Edit Rogue/ Friendly Each field is described in the following table. Table 41 Configurat ion > Wireless > MON Mode > Add/ Edit Rogue/ Friendly LABEL MAC Address Description Role OK Cancel DESCRIPTION Enter the MAC address of the AP you want to add to the list. A MAC address is a unique hardware identifier in the following hexadecim al form at: xx: xx: xx: xx: xx: xx where xx is a hexadecim al num ber separated by colons. Enter up to 60 characters for the AP s description. Spaces and underscores are allowed. Select either Rogue AP or Friendly AP for the AP s role. Click OK to save your changes back to the device. Click Cancel to close the window with changes unsaved. NWA3000-N Series User s Guide 107

108 Chapter 9 Wireless 9.5 Load Balancing Use this screen to configure wireless network traffic load balancing between the APs on your network. Click Configuration > W ireless > Load Balancing to access this screen. Figure 44 Configuration > Wireless > Load Balancing Each field is described in the following table. Table 42 Configurat ion > Wireless > Load Balancing LABEL Enable Load Balancing Mode DESCRIPTION Select this to enable load balancing on the device. Select a m ode by which load balancing is carried out. Select By St at ion N um ber to balance network traffic based on the num ber of specified stations connect to an AP. Select By Traffic Level to balance network traffic based on the volum e generated by the stations connected to an AP. Once the threshold is crossed ( either the m axim um station num bers or with network traffic), then the AP delays association request and authentication request packets from any new station that attem pts to m ake a connection. This allows the station to autom atically attem pt to connect to another, less burdened AP if one is available. Max Station Num ber Traffic Level Disassociate station when overloaded Enter the threshold num ber of stations at which an AP begins load balancing its connections. Select the threshold traffic level at which the AP begins load balancing its connections ( low, m edium, high). Select this option to kick wireless clients connected to the AP when it becom es overloaded. I f you do not enable this option, then the AP sim ply delays the connection until it can afford the bandwidth it requires, or it shunts the connection to another AP within its broadcast radius. The kick priority is determ ined autom atically by the device and is as follows: I dle Tim eout - Devices that have been idle the longest will be kicked first. I f none of the connected devices are idle, then the priority shifts to Signal St rength. Signal St rength - Devices with the weakest signal strength will be kicked first. Note: If you enable this function, you should ensure that there are multiple APs within the broadcast radius that can accept any rejected or kicked wireless clients; otherwise, a wireless client attempting to connect to an overloaded AP will be kicked continuously and never be allowed to connect. 108 NWA3000-N Series User s Guide

109 Chapter 9 Wireless Table 42 Configurat ion > Wireless > Load Balancing ( cont inued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the device. Reset Click Reset to return the screen to its last- saved settings Disassociating and Delaying Connections When your AP becom es overloaded, there are two basic responses it can take. The first one is to delay a client connection. This m eans that the AP withholds the connection until the data transfer throughput is lowered or the client connection is picked up by another AP. I f the client is picked up by another AP then the original AP cannot resum e the connection. For exam ple, here the AP has a balanced bandwidth allotm ent of 6 Mbps. I f laptop R connects and it pushes the AP over its allotm ent, say to 7 Mbps, then the AP delays the red laptop s connection until it can afford the bandwidth or the laptop is picked up by a different AP with bandwidth to spare. Figure 45 Delaying a Connect ion NWA3000-N Series User s Guide 109

110 Chapter 9 Wireless The second response your AP can take is to kick the connections that are pushing it over its balanced bandwidth allotm ent. Figure 46 Kicking a Connection Connections are kicked based on either idle tim eout or signal strength. The device first looks to see which devices have been idle the longest, then starts kicking them in order of highest idle tim e. I f no connections are idle, the next criteria the device analyzes is signal strength. Devices with the weakest signal strength are kicked first. 110 NWA3000-N Series User s Guide

111 Chapter 9 Wireless 9.6 DCS Use this screen to configure dynam ic radio channel selection. Click Configurat ion > W ireless > DCS to access this screen. Figure 47 Configuration > Wireless > DCS Each field is described in the following table. Table 43 Configurat ion > Wireless > DCS LABEL Enable Dynam ic Channel Selection DCS Tim e I nterval DESCRIPTION Select this to have the device autom atically select the radio channel upon which it broadcasts by scanning the area around it and determ ining what channels are currently being used by other devices. Enter a num ber of m inutes. This regulates how often the device surveys the other APs within its broadcast radius. I f the channel on which it is currently broadcasting suddenly com es into use by another AP, the device will then dynam ically select the next available clean channel or a channel with lower interference. NWA3000-N Series User s Guide 111

112 Chapter 9 Wireless Table 43 Configurat ion > Wireless > DCS ( cont inued) LABEL DCS Sensitivity Level DESCRIPTION Select the AP s sensitivity level toward other channels. Options are High, Medium, and Low. Generally, as long as the area in which your AP is located has m inim al interference from other devices you can set the DCS Sensit ivit y Level to Low. This m eans that the AP has a very broad tolerance. I f you are not sure about the num ber and location of any other devices in the region, set the level to Medium. The AP s tolerance for interference is relatively narrow. On the other hand, if you know there are num erous other devices in the region, you should set the level to High to keep the interference to a m inim um. I n this case, the device s tolerance for interference is quite strict. Note: Generally speaking, the higher the sensitivity level, the more frequently the AP switches channels. As a consequence, anyone connected to the AP will experience more frequent disconnects and reconnects unless you select Enable DCS Client Aware. Enable DCS Client Aware Select this to have the AP wait until all connected clients have disconnected before switching channels. I f you disable this then the AP switches channels im m ediately regardless of any client connections. I n this instance, clients that are connected to the AP when it switches channels are dropped. 2.4-GHz Channel Selection Method Select how you want to specify the channels the device switches between for 2.4 GHz operation. Select auto to have the device display a 2.4 GHz Channel Deploym ent field you can use to lim it channel switching to 3 or 4 channels. Select m anual to select the individual channels the device switches between. Select channels from the Available channels list and use the right arrow button to m ove them to the Channels selected list. 2.4-GHz Channel Deploym ent This is available when the GHz Channel Selection Method is set to auto. Select Three- Channel Deploym ent to lim it channel switching to channels 1,6, and 11, the three channels that are sufficiently attenuated to have alm ost no im pact on one another. I n other words, this allows you to m inim ize channel interference by lim iting channel-hopping to these three safe channels. Select Four- Channel Deploym ent to lim it channel switching to four channels. Depending on the country dom ain, if the only allowable channels are 1-11 then the device uses channels 1, 4, 7, 11 in this configuration; otherwise, the device uses channels 1, 5, 9, 13 in this configuration. Four channel deploym ent expands your pool of possible channels while keeping the channel interference to a m inim um. Enable 5-GHz DFS Aware Select this if your APs are operating in an area known to have RADAR devices. This allows the device to downgrade its frequency to below 5 GHz in the event a RADAR signal is detected, thus preventing it from interfering with that signal. Enabling this forces the AP to select a non- DFS channel. 112 NWA3000-N Series User s Guide

Chapter 9 Wireless Table 43 Configurat ion > Wireless > DCS ( cont inued) LABEL 5-GHz Channel Selection Method DESCRIPTION Select how you want to specify the channels the device switches between for

113 Chapter 9 Wireless Table 43 Configurat ion > Wireless > DCS ( cont inued) LABEL 5-GHz Channel Selection Method DESCRIPTION Select how you want to specify the channels the device switches between for 5 GHz operation. Select auto to have the device autom atically select the best channel. Select m anual to select the individual channels the device switches between. Select channels from the Available channels list and use the right arrow button to m ove them to the Channels selected list. Apply Reset Click Apply to save your changes back to the device. Click Reset to return the screen to its last- saved settings. 9.7 Technical Reference The following section contains additional technical inform ation about the features described in this chapt er. Dynamic Channel Selection When num erous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if som e or all of them are broadcasting on the sam e radio channel. I f the interference becom es too great, then the network adm inistrator m ust open his AP configuration options and m anually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a m inim um degree of interference. Dynam ic channel selection frees the network adm inistrator from this task by letting the AP do it autom atically. The AP can scan the area around it looking for the channel with the least am ount of int erference. I n the 2.4 GHz spectrum, each channel from 1 to 13 is broken up into discrete 22 MHz segm ents that are spaced 5 MHz apart. Channel 1 is centered on GHz while channel 13 is centered on GHz. Figure 48 An Exam ple Three-Channel Deploym ent NWA3000-N Series User s Guide 113

Chapter 9 Wireless Three channels are situated in such a way as to create alm ost no interference with one another if used exclusively: 1, 6 and 11.

Figure 49 An Exam ple Four- Channel Deploym ent However, som e regions require the use of other channels and often use a safety schem e with the following four channels: 1, 4, 7 and 11.

114 Chapter 9 Wireless Three channels are situated in such a way as to create alm ost no interference with one another if used exclusively: 1, 6 and 11. When an AP broadcasts on any of these three channels, it should not interfere with neighboring APs as long as they are also lim ited to sam e trio. Figure 49 An Exam ple Four- Channel Deploym ent However, som e regions require the use of other channels and often use a safety schem e with the following four channels: 1, 4, 7 and 11. While they are situated sufficiently close to both each other and the three so-called safe channels (1,6 and 11) that interference becom es inevitable, the severity of it is dependent upon other factors: proxim ity to the affected AP, signal strength, activity, and so on. Finally, there is an alternative four channel schem e for ETSI, consisting of channels 1, 5, 9, 13. This offers significantly less overlap that the other one. Figure 50 An Alt ernat ive Four- Channel Deploym ent Load Balancing Because there is a hard upper lim it on an AP s wireless bandwidth, load balancing can be crucial in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a m eager trickle, the load balanced AP instead lim its the incom ing connections as a m eans to m aintain bandwidth integrity. There are two kinds of wireless load balancing available on the device: Load balancing by st ation num ber lim its the num ber of devices allowed to connect to your AP. I f you know exactly how m any stations you want to let connect, choose this option. For exam ple, if your com pany s graphic design team has their own AP and they have 10 com puters, you can load balance for 10. Later, if som eone from the sales departm ent visits the graphic design team s offices for a m eeting and he tries to access the network, his com puter s connection is delayed, giving it the opportunit y to connect to a different, neighboring AP. I f he still connects to the AP regardless of the delay, then the AP m ay boot other people who are already connected in order to associate with the new connection. 114 NWA3000-N Series User s Guide

115 Chapter 9 Wireless Load balancing by t raffic level lim its the num ber of connections to the AP based on m axim um bandwidth available. I f you are uncertain as to the exact num ber of wireless connections you will have then choose this option. By setting a m axim um bandwidth cap, you allow any num ber of devices to connect as long as their total bandwidth usage does not exceed the configured bandwidth cap associated with this setting. Once the cap is hit, any new connections are rejected or delayed provided that there are other APs in range. I m agine a coffee shop in a crowded business district that offers free wireless connectivity to its custom ers. The coffee shop owner can t possibly know how m any connections his AP will have at any given m om ent. As such, he decides to put a lim it on the bandwidth that is available to his custom ers but not on the actual num ber of connections he allows. This m eans anyone can connect to his wireless network as long as the AP has the bandwidth to spare. I f too m any people connect and the AP hits its bandwidth cap then all new connections m ust basically wait for their turn or get shunted to the nearest identical AP. NWA3000-N Series User s Guide 115

116 Chapter 9 Wireless 116 NWA3000-N Series User s Guide

117 C HAPTER 10 Device HA 10.1 Overview Device HA is available when the device is in controller m ode. Device HA lets a backup device (also in controller m ode) autom atically take over if the m aster device fails. Figure 51 Device HA Backup Taking Over for the Master A B I n this exam ple, device B is the backup for device A in the event som ething happens to it and prevents it from m anaging the wireless network What You Can Do in this Chapter The General screen (Section 10.2 on page 118) configures device HA global settings, and displays the status of each interface m onitored by device HA. The Active- Passive Mode screens (Section 10.3 on page 120) use active-passive m ode device HA. You can configure general active-passive m ode device HA settings, view and m anage the list of m onitored interfaces, and synchronize backup devices What You Need to Know The following term s and concepts m ay help as you read this chapter. Management Access You can configure a separate m anagem ent I P address for each interface. You can use it to access the device for m anagem ent whether the device is the m aster or a backup. The m anagem ent I P address should be in the sam e subnet as the interface I P address. NWA3000-N Series User s Guide 117

118 Chapter 10 Device HA Synchronization Use synchronization to have a backup device copy the m aster device s configuration, and cert ificat es. Note: Only devices of the sam e m odel and firm ware version can synchronize. Otherwise you m ust m anually configure the m aster device s settings on the backup (by editing copies of the configuration files in a text editor for exam ple) Before You Begin Configure a static I P address for each interface that you will have device HA m onitor. Note: Subscribe to services on the backup device before synchronizing it with the m aster device Device HA General This screen lets you enable or disable device HA, and displays which device HA m ode the device is set to use along with a sum m ary of the m onitored interfaces. Click Configuration > Device HA > General t o display. Figure 52 Configuration > Device HA > General The following table describes the labels in this screen. Table 44 Configurat ion > Device HA > General LABEL Enable Device HA Device HA Mode DESCRIPTION Turn the device s device HA feature on or off. Note: It is not recommended to use STP (Spanning Tree Protocol) with device HA. This displays active-passive m ode by default. Legacy m ode device HA is not supported by the device. The m aster and its backups m ust all use the sam e device HA m ode. Monitored I nterface Sum m ary This table shows the status of the interfaces that you selected for m onitoring in the other device HA screens. # This is the entry s index num ber in the list. I nterface These are the nam es of the interfaces that are m onitored by device HA. 118 NWA3000-N Series User s Guide

119 Chapter 10 Device HA Table 44 Configurat ion > Device HA > General ( cont inued) LABEL Virtual Router I P / Netm ask Managem ent I P / Netm ask Link Status HA Status DESCRIPTION This is the interface s I P address and subnet m ask. Whichever device is the m aster uses this virtual router I P address and subnet m ask. This field displays the interface s m anagem ent I P address and subnet m ask. You can use this I P address and subnet m ask to access the device whether it is in m aster or backup m ode. This tells whether the m onitored interface s connection is down or up. The text before the slash shows whether the device is configured as the m aster or the backup role. This text after the slash displays the m onitored interface s status in the virtual router. Active - This interface is up and using the virtual I P address and subnet m ask. St and- By - This interface is a backup interface in the virtual router. I t is not using the virtual I P address and subnet m ask. Fault - This interface is not functioning in the virtual router right now. I n activepassive m ode (or in legacy m ode with link m onitoring enabled), if one of the m aster device s interfaces loses its connection, the m aster device forces all of its interfaces to the fault state so the backup device can take over all of the m aster device s functions. Apply Reset Click Apply to save your changes back to the device. Click Reset to return the screen to its last- saved settings. NWA3000-N Series User s Guide 119

120 Chapter 10 Device HA 10.3 Active-Passive Mode The Device HA Act ive- Passive Mode screen lets you configure general active-passive m ode device HA settings, view and m anage the list of m onitored interfaces, and synchronize backup devices. To access this screen, click Configuration > Device HA > Active- Passive Mode. Figure 53 Configuration > Device HA > Active-Passive Mode 120 NWA3000-N Series User s Guide

121 Chapter 10 Device HA The following table describes the labels in this screen. Table 45 Configurat ion > Device HA > Act ive- Passive Mode LABEL Show / Hide Advanced Settings Device Role DESCRIPTION Click this button to display a greater or lesser num ber of configuration fields. Select the device HA role that the device plays in the virtual router. Choices are: Master - This device is the m aster device in the virtual router. This device uses the virtual I P address for each m onitored interface. Note: Do not set this field to Master for two or more devices in the same virtual router (same cluster ID). Backup - This device is a backup device in the virtual router. This device does not use any of the virtual I P addresses. Priority Enable Preem ption Cluster Settings Cluster I D Authentication This field is available for a backup device. Type the priority of the backup device. The backup device with the highest value takes over the role of the m aster device if the m aster device becom es unavailable. The priority m ust be between 1 and 254. (The m aster interface has priority 255.) This field is available for a backup device. Select this if this device should becom e the m aster device if a lower-priority device is the m aster when this one is enabled. (I f the role is m aster, the device preem pts by default.) Type the cluster I D num ber. A virtual router consists of a m aster device and all of its backup devices. I f you have m ultiple device virtual routers on your network, use a different cluster I D for each virtual router. Select the authentication m ethod the virtual router uses. Every interface in a virtual router m ust use the sam e authentication m ethod and password. Choices are: None - this virtual router does not use any authentication m ethod. Text - this virtual router uses a plain text password for authentication. Type the password in the field next to the radio button. The password can consist of alphanum eric characters, the underscore, and som e punctuation m arks (+ - / * = : # ~ \ () ), and it can be up to eight characters long. I P AH ( MD5 ) - this virtual router uses an encrypted MD5 password for authentication. Type the password in the field next to the radio button. The password can consist of alphanum eric characters, the underscore, and som e punctuation m arks (+ -/ * = : # ~ \ () ), and it can be up to eight characters long. Monitored I nterface Sum m ary This table shows the status of the device HA settings and status of the device s interfaces. Edit Activate I nactivate Select an entry and click this to be able to m odify it. To turn on an entry, select it and click Activate. To turn off an entry, select it and click I nactivate. # This is the entry s index num ber in the list. Status I nterface The activate (light bulb) icon is lit when the entry is active and dim m ed when the entry is inactive. This field identifies the interface. At the tim e of writing, Ethernet and bridge interfaces can be included in the active-passive m ode virtual router. The m em ber interfaces of any bridge interfaces do not display separately. NWA3000-N Series User s Guide 121

122 Chapter 10 Device HA Table 45 Configurat ion > Device HA > Act ive- Passive Mode ( cont inued) LABEL Virtual Router I P / Netm ask Managem ent I P / Netm ask Link Status Synchronization DESCRIPTION This is the m aster device s ( static) I P address and subnet m ask for this interface. I f a backup takes over for the m aster, it uses this I P address. These fields are blank if the interface is a DHCP client or has no I P settings. This field displays the interface s m anagem ent I P address and subnet m ask. You can use this I P address and subnet m ask to access the device whether it is in m aster or backup m ode. This tells whether the m onitored interface s connection is down or up. Use synchronization to have a backup device copy the m aster device s configuration and certificates. Every interface s m anagem ent I P address m ust be in the sam e subnet as the interface s I P address (the virtual router I P address). Server Address I f this device is set to backup role, enter the I P address or Fully-Qualified Dom ain Nam e (FQDN) of the device from which to get updated configuration. Usually, you should enter the I P address or FQDN of a virtual router on a secure network. I f this device is set to m aster role, this field displays the device s I P addresses and/ or Fully-Qualified Dom ain Nam es (FQDN) through which devices in backup role can get updated configuration from this device. Sync. Now Server Port Click this to copy the specified device s configuration. I f this device is set to backup role, enter the port num ber to use for Secure FTP when synchronizing with the specified m aster device. I f this device is set to m aster role, this field displays the device s Secure FTP port num ber. Click the link if you need to change the FTP port num ber. Every device in the virtual router m ust use the sam e port num ber. I f the m aster device changes, you have to m anually change this port num ber in the backups. Password Enter the password used for verification during synchronization. Every device in the virtual router m ust use the sam e password. I f you leave this field blank in the m aster device, no backup devices can synchronize from it. I f you leave this field blank in a backup device, it cannot synchronize from the m aster device. Auto Synchronize I nterval Apply Reset Select this to get the updated configuration autom atically from the specified device according to the specified I nt erval. The first synchronization begins after the specified I nt erval; the device does not synchronize im m ediately. When you select Auto Synchronize, set how often the device synchronizes with the m aster. This appears when the device is currently using active-passive m ode device HA. Click Apply to save your changes back to the device. Click Reset to return the screen to its last-saved settings. 122 NWA3000-N Series User s Guide

Chapter 10 Device HA 10.3.1 Edit Monitored Interface This screen lets you enable or disable m onitoring of an interface and set the interface s m anagem ent I P address and subnet m ask.

123 Chapter 10 Device HA Edit Monitored Interface This screen lets you enable or disable m onitoring of an interface and set the interface s m anagem ent I P address and subnet m ask. To access this screen, click Configuration > Device HA > Active- Passive Mode > Edit. Figure 54 Device HA > Active-Passive Mode > Edit Monitored I nterface The following table describes the labels in this screen. Table 46 Device HA > Active-Passive Mode > Edit Monitored I nterface LABEL Enable Monitored I nterface I nterface Nam e Virtual Router I P (VRI P) / Subnet Mask Manage I P Manage I P Subnet Mask OK Cancel DESCRIPTION Select this to have device HA m onitor the status of this interface s connection. This identifies the interface. This is the interface s (static) I P address and subnet m ask in the virtual router. Whichever device is currently serving as the m aster uses this virtual router I P address and subnet m ask. These fields are blank if the interface is a DHCP client or has no I P settings. Enter the interface s I P address for m anagem ent access. You can use this I P address to access the device whether it is the m aster or a backup. This m anagem ent I P address should be in the sam e subnet as the interface I P address. Enter the subnet m ask of the interface s m anagem ent I P address. Click OK to save your changes back to the device. Click Cancel to exit this screen without saving your changes Technical Reference The following section contains additional technical inform ation about the features described in this chapt er. NWA3000-N Series User s Guide 123

124 Chapter 10 Device HA Virtual Router The m aster and backup device form a single virtual router. I n the following exam ple, m aster device A and backup device B form a virtual router. Figure 55 Virtual Router A B Cluster ID You can have m ultiple device virtual routers on your network. Use a different cluster I D to identify each virtual router. I n the following exam ple, devices A and B form a virtual router that uses cluster I D 1. devices C and D form a virtual router that uses cluster I D 2. Figure 56 Cluster I Ds for Multiple Virtual Routers A 1 B C D 2 Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces device HA m onitors. I f a m onitored interface on the device loses its connection, device HA has the backup device take over. Enable m onitoring for the sam e interfaces on the m aster and backup devices. Each m onitored interface m ust have a static I P address and be connected to the sam e subnet as the corresponding interface on the backup or m aster device. 124 NWA3000-N Series User s Guide

125 Chapter 10 Device HA Virtual Router and Management IP Addresses I f a backup takes over for the m aster, it uses them aster s I P addresses. These I P addresses are know as the virtual router I P addresses. Each interface can also have a m anagem ent I P address. You can connect to this I P address to m anage the device regardless of whether it is the m aster or the backup. For exam ple, device B takes over A s LAN interface I P address. This is a virtual router I P address. device A keeps it s LAN m anagem ent I P address of and device B has its own LAN m anagem ent I P address of These do not change when device B becom es the m aster. NWA3000-N Series User s Guide 125

126 Chapter 10 Device HA 126 NWA3000-N Series User s Guide

127 C HAPTER 11 User 11.1 Overview This chapter describes how to set up user accounts and user settings for the device. You can also set up rules that control when users have to log in to the device before the device routes traffic for them What You Can Do in this Chapter The User screen (see Section 11.2 on page 128) provides a sum m ary of all user accounts. TheSet ting screen (see Section 11.3 on page 130) controls default settings, login settings, lockout settings, and other user settings for the device. You can also use this screen to specify when users m ust log in to the device before it routes traffic for them What You Need To Know The following term s and concepts m ay help as you read this chapter. User Account A user account defines the privileges of a user logged into the device. User accounts are used in controlling access to configuration and services in the device. User Types These are the types of user accounts the device uses. Table 47 Types of User Account s TYPE ABILITIES LOGIN METHOD(S) Adm in Users adm in Change device configuration (web, CLI ) WWW, TELNET, SSH, FTP, Console, lim ited-adm in Look at device configuration (web, CLI ) Access Users Perform basic diagnostics (CLI ) WWW, TELNET, SSH, Console user Used for the em bedded RADI US server and SNMPv3 user access Browse user-m ode com m ands (CLI ) Note: The default adm in account is always authenticated locally, regardless of the authentication m ethod setting. NWA3000-N Series User s Guide 127

128 Chapter 11 User 11.2 User Summary The User screen provides a sum m ary of all user accounts. To access this screen click Configurat ion > Obj ect > User. Figure 57 Configurat ion > Obj ect > User The following table describes the labels in this screen. Table 48 Configurat ion > Obj ect > User LABEL Add Edit Rem ove Object References DESCRIPTION Click this to create a new entry. Double-click an entry or select it and click Edit to open a screen where you can m odify the entry s settings. To rem ove an ent ry, select it and click Rem ove. The device confirm s you want to rem ove it before doing so. Select an entry and click Object References to open a screen that shows which settings use the entry. # This field is a sequential value, and it is not associated with a specific user. User Nam e User Type This field displays the user nam e of each user. This field displays type of user this account was configured as. adm in - this user can look at and change the configuration of the device lim ited- adm in - this user can look at the configuration of the device but not to change it user - this user has access to the device s services but cannot look at the configuration Description This field displays the description for each user Add/Edit User The User Add/ Edit screen allows you to create a new user account or edit an existing one Rules for User Names Enter a user nam e from 1 to 31 characters. The user nam e can only contain the following characters: Alphanum eric A-z 0-9 (there is no unicode support) 128 NWA3000-N Series User s Guide

129 Chapter 11 User _ [ underscores] - [dashes] The first character m ust be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other lim itations on user nam es are: User nam es are case-sensitive. I f you enter a user'bob' but use 'BOB' when connecting via CI FS or FTP, it will use the account settings used for 'BOB' not bob. User nam es have to be different than user group nam es. Here are the reserved user nam es: adm admin any bin daemon debug devicehaecived ftp games halt ldap-users lp mail news nobody operator radius-users root shutdown sshd sync uucp zyxel To access this screen, go to the User screen, and click Add or Edit. Figure 58 Configurat ion > User > User > Add/ Edit A User NWA3000-N Series User s Guide 129

130 Chapter 11 User The following table describes the labels in this screen. Table 49 Configurat ion > User > User > Add/ Edit A User LABEL User Nam e User Type DESCRIPTION Type the user nam e for this user account. You m ay use 1-31 alphanum eric characters, underscores(_), or dashes (-), but the first character cannot be a num ber. This value is case-sensitive. User nam es have to be different than user group nam es, and som e words are reserved. Select what type of user this is. Choices are: adm in - this user can look at and change the configuration of the device lim ited- adm in - this user can look at the configuration of the device but not to change it user - this is used for em bedded RADI US server and SNMPv3 user access Password This field is not available if you select the ext - user or ext- group- user type. Enter the password of this user account. I t can consist of 4-31 alphanum eric characters. Retype Description Authentication Tim eout Settings Lease Tim e Reauthentication Tim e OK Cancel Re-enter the password to m ake sure you have entered it correctly. Enter the description of each user, if any. You can use up to 60 printable ASCI I characters. Default descriptions are provided. I f you want to set authentication tim eout to a value other than the default settings, select Use Manual Settings then fill your preferred values in the fields that follow. Enter the num ber of m inutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 m inutes. You can enter 0 to m ake the num ber of m inutes unlim ited. Adm in users renew the session every tim e the m ain screen refreshes in the Web Configurator. Type the num ber of m inutes this user can be logged into the device in one session before the user has to log in again. You can specify 1 to 1440 m inutes. You can enter 0 to m ake the num ber of m inutes unlim ited. Unlike Lease Tim e, the user has no opportunity to renew the session without logging out. Click OK to save your changes back to the device. Click Cancel to exit this screen without saving your changes Setting This screen controls default settings, login settings, lockout settings, and other user settings for the device. You can also use this screen to specify when users m ust log in to the device before it routes traffic for them. 130 NWA3000-N Series User s Guide

131 Chapter 11 User To access this screen, login to the Web Configurator, and click Configuration > Object > User > Setting. Figure 59 Configurat ion > Obj ect > User > Set t ing The following table describes the labels in this screen. Table 50 Configuration > Obj ect > User > Setting LABEL User Authentication Tim eout Settings Default Authentication Tim eout Settings Edit DESCRIPTION These authentication tim eout settings are used by default when you create a new user account. They also control the settings for any existing user accounts that are set to use the default settings. You can still m anually configure any user account s authentication tim eout settings. Double-click an entry or select it and click Edit to open a screen where you can m odify the entry s settings. # This field is a sequential value, and it is not associated with a specific entry. NWA3000-N Series User s Guide 131

132 Chapter 11 User Table 50 Configuration > Obj ect > User > Setting (continued) LABEL User Type DESCRIPTION These are the kinds of user account the device supports. adm in - this user can look at and change the configuration of the device lim ited- adm in - this user can look at the configuration of the device but not to change it user - this is used for em bedded RADI US server and SNMPv3 user access Lease Tim e This is the default lease tim e in m inutes for each type of user account. I t defines the num ber of m inutes the user has to renew the current session before the user is logged out. Adm in users renew the session every tim e the m ain screen refreshes in the Web Configurator. Reauthentication Tim e User Logon Settings Lim it the num ber of sim ultaneous logons for adm inistration account Maxim um num ber per adm inistration account User Lockout Settings Apply Reset Enable logon retry lim it Maxim um retry count Lockout period This is the default reauthentication tim e in m inutes for each type of user account. I t defines the num ber of m inutes the user can be logged into the device in one session before having to log in again. Unlike Lease Tim e, the user has no opportunity to renew the session without logging out. Select this check box if you want to set a lim it on the num ber of sim ultaneous logins by adm in users. I f you do not select this, adm in users can login as m any tim es as they want at the sam e tim e using the sam e or different I P addresses. This field is effective when Lim it... for adm inistration account is checked. Type the m axim um num ber of sim ultaneous logins by each adm in user. Select this check box to set a lim it on the num ber of tim es each user can login unsuccessfully ( for exam ple, wrong password) before the I P address is locked out for a specified am ount of tim e. This field is effective when Enable logon ret ry lim it is checked. Type the m axim um num ber of tim es each user can login unsuccessfully before the I P address is locked out for the specified lockout period. The num ber m ust be between 1 and 99. This field is effective when Enable logon ret ry lim it is checked. Type the num ber of m inutes the user m ust wait to try to login again, if logon retry lim it is enabled and the m axim um retry count is reached. This num ber m ust be between 1 and 65,535 (about 45.5 days). Click Apply to save the changes. Click Reset to return the screen to its last- saved settings Edit User Authentication Timeout Settings This screen allows you to set the default authentication tim eout settings for the selected type of user account. These default authentication tim eout settings also control the settings for any existing user accounts that are set to use the default settings. You can still m anually configure any user account s authentication tim eout settings. 132 NWA3000-N Series User s Guide

Chapter 11 User To access this screen, go to the Configuration > Object > User > Setting screen, and click one of the Default Aut henticat ion Tim eout Settings section s Edit icons.

133 Chapter 11 User To access this screen, go to the Configuration > Object > User > Setting screen, and click one of the Default Aut henticat ion Tim eout Settings section s Edit icons. Figure 60 User > Setting > Edit User Authentication Tim eout Settings The following table describes the labels in this screen. Table 51 User > Setting > Edit User Authentication Tim eout Settings LABEL User Type DESCRIPTION This read-only field identifies the type of user account for which you are configuring the default settings. adm in - this user can look at and change the configuration of the device lim ited- adm in - this user can look at the configuration of the device but not to change it user - this user has access to the device s services but cannot look at the configuration Lease Tim e Enter the num ber of m inutes this type of user account has to renew the current session before the user is logged out. You can specify 1 to 1440 m inutes. You can enter 0 to m ake the num ber of m inutes unlim ited. Adm in users renew the session every tim e the m ain screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. I f you allow access users to renew tim e autom atically, the users can select this check box on their screen as well. I n this case, the session is autom atically renewed before the lease tim e expires. Reauthentication Tim e OK Cancel Type the num ber of m inutes this type of user account can be logged into the device in one session before the user has to log in again. You can specify 1 to 1440 m inutes. You can enter 0 to m ake the num ber of m inutes unlim ited. Unlike Lease Tim e, the user has no opportunity to renew the session without logging out. Click OK to save your changes back to the device. Click Cancel to exit this screen without saving your changes. NWA3000-N Series User s Guide 133

134 Chapter 11 User 134 NWA3000-N Series User s Guide

135 C HAPTER 12 AP Profile 12.1 Overview This chapter shows you how to configure preset profiles for the Access Points (APs) connected to your device s wireless network What You Can Do in this Chapter The Radio screen (Section 12.2 on page 136) creates radio configurations that can be used by the APs. The SSI D screen ( Section 12.3 on page 142) configures three different types of profiles for your net worked APs What You Need To Know The following term s and concepts m ay help as you read this chapter. Wireless Profiles At the heart of all wireless AP configurations on the device are profiles. A profile represents a group of saved settings that you can use across any num ber of connected APs. You can set up the following wireless profile types: Radio - This profile type defines the properties of an AP s radio transm itter. You can have a m axim um of 32 radio profiles on the device. SSI D - This profile type defines the properties of a single wireless network signal broadcast by an AP. Each radio on a single AP can broadcast up to 8 SSI Ds. You can have a m axim um of 32 SSI D profiles on the device. Security - This profile type defines the security settings used by a single SSI D. I t controls the encryption m ethod required for a wireless client to associate itself with the SSI D. You can have a m axim um of 32 security profiles on the device. MAC Filtering - This profile provides an additional layer of security for an SSI D, allowing you to block access or allow access to that SSI D based on wireless client MAC addresses. I f a client s MAC address is on the list, then it is either allowed or denied, depending on how you set up the MAC Filter profile. You can have a m axim um of 32 MAC filtering profiles on the device. SSID The SSI D (Service Set I Dentifier) is the nam e that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) m ust have the sam e SSI D. I n other words, it is the nam e of the wireless network that clients use to connect to it. NWA3000-N Series User s Guide 135

136 Chapter 12 AP Profile WEP WEP (Wired Equivalent Privacy) encryption scram bles all data packets transm itted between the AP and the wireless stations associated with it in order to keep network com m unications private. Both the wireless stations and the access points m ust use the sam e WEP key for data encryption and decrypt ion. WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the I EEE i standard. WPA2 (I EEE i) is a wireless security standard that defines stronger encryption, authentication and key m anagem ent than WPA. Key differences between WPA(2) and WEP are im proved data encryption and user authentication. IEEE 802.1x The I EEE 802.1x standard outlines enhanced security m ethods for both the authentication of wireless stations and encryption key m anagem ent. Authentication is done using an external RADI US server Radio This screen allows you to create radio profiles for the APs on your network. A radio profile is a list of settings that an device AP can use to configure either one of its two radio transm itters. To access this screen click Configuration > Object > AP Profile. Note: You can have a m axim um of 32 radio profiles on the device. Figure 61 Configurat ion > Obj ect > AP Profile > Radio 136 NWA3000-N Series User s Guide

137 Chapter 12 AP Profile The following table describes the labels in this screen. Table 52 Configurat ion > Obj ect > AP Profile > Radio LABEL Add Edit Rem ove Activate I nactivate Object Reference DESCRIPTION Click this to add a new radio profile. Click this to edit the selected radio profile. Click this to rem ove the selected radio profile. To turn on an entry, select it and click Activate. To turn off an entry, select it and click I nactivate. Click this to view which other objects are linked to the selected radio profile. # This field is a sequential value, and it is not associated with a specific user. Status Profile Nam e Frequency Band Channel I D This field shows whether or not the entry is activated. This field indicates the nam e assigned to the radio profile. This field indicates the frequency band which this radio profile is configured to use. This field indicates the broadcast channel which this radio profile is configured to use. NWA3000-N Series User s Guide 137

138 Chapter 12 AP Profile Add/Edit Radio Profile This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button. Figure 62 Configurat ion > Obj ect > AP Profile > Add/ Edit Profile ( St andalone Mode) The following table describes the labels in this screen. Table 53 Configurat ion > Obj ect > AP Profile > Add/ Edit Profile LABEL Hide / Show Advanced Settings Create New Object General Settings DESCRIPTION Click this to hide or show the Advanced Settings in this window. Select an item from this m enu to create a new object of that type. Any objects created in this way are autom atically linked to this radio profile. 138 NWA3000-N Series User s Guide

139 Chapter 12 AP Profile Table 53 Configurat ion > Obj ect > AP Profile > Add/ Edit Profile ( cont inued) LABEL Activate Select this option to m ake this profile active. Profile Nam e Enter up to 31 alphanum eric characters to be used as this profile s nam e. Spaces and underscores are allowed. Operating Mode DESCRIPTION This displays if the device is set to standalone m ode. Select AP+ Bridge to have the radio function as an access point and bridge sim ultaneously. Select MBSSI D to have the radio function as an access point with one or m ore BSSI Ds Band Select the wireless band which this radio profile should use. 2.4 GHz is the frequency used by I EEE b/ g/ n wireless clients. 5 GHz is the frequency used by I EEE a/ n wireless clients. Channel Select the wireless channel which this radio profile should use. I t is recom m ended that you choose the channel least in use by other APs in the region where this profile will be im plem ented. This will reduce the am ount of interference between wireless clients and the AP to which this profile is assigned. SSI D Profile This displays if the operating m ode is set to AP+ Bridge. Select the SSI D profile this radio profile uses. Advanced Settings Channel Width Select the channel bandwidth you want to use for your wireless network. Select Auto to allow the device to adjust the channel bandwidth depending on network conditions. Select 2 0 MHz if you want to lessen radio interference with other wireless devices in your neighborhood. Guard I nterval Set the guard interval for this radio profile to either short or long. Enable A-MPDU Aggregation The guard interval is the gap introduced between data transm ission from users in order to reduce interference. Reducing the interval increases data transfer rates but also increases interference. I ncreasing the interval reduces data transfer rates but also reduces interference. Select this to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet fram es along with their n headers and wraps them in a n MAC header. This m ethod is useful for increasing bandwidth throughput in environm ents that are prone to high error rates. A- MPDU Lim it Enter the m axim um fram e size to be aggregated. A- MPDU Subfram e Enable A- MSDU Aggregation Enter the m axim um num ber of fram es to be aggregated each tim e. Select this to enable A- MSDU aggregation. Mac Service Data Unit (MSDU) aggregation collects Ethernet fram es without any of their n headers and wraps the header-less payload in a single n MAC header. This m ethod is useful for increasing bandwidth t hroughput. I t is also m ore efficient t han A- MPDU except in environm ent s t hat are prone to high error rates. A- MSDU Lim it Enter the m axim um fram e size to be aggregated. NWA3000-N Series User s Guide 139

140 Chapter 12 AP Profile Table 53 Configurat ion > Obj ect > AP Profile > Add/ Edit Profile ( cont inued) LABEL RTS/ CTS Threshold DESCRIPTION Use RTS/ CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the sam e AP but out of range of one another. When enabled, a wireless client sends an RTS (Request To Send) and then waits for a CTS (Clear To Send) before it transm its. This stops wireless clients from transm itting packets at the sam e tim e ( and causing data collisions). A wireless client sends an RTS for all packets larger than the num ber (of bytes) that you enter here. Set the RTS/ CTS equal to or higher than the fragm entation threshold to turn RTS/ CTS off. Fragm entation Threshold Beacon I nterval DTI M Output Power The threshold (num ber of bytes) for the fragm entation boundary for directed m essages. I t is the m axim um data fragm ent size that can be sent. Enter an even num ber between and When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the tim e period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power m ode before waking up to handle the beacon. A high value helps save current consum ption of the access point. Delivery Traffic I ndication Message (DTI M) is the tim e period after which broadcast and m ulticast packets are transm itted to m obile clients in the Active Power Managem ent m ode. A high DTI M value can cause clients to lose connectivity with the network. This value can be set from 1 to 255. Set the output power of the AP in this field. I f there is a high density of APs in an area, decrease the output power of the NWA5160N to reduce interference with other APs. Select one of the following % ( Full Pow er), 5 0 %, 2 5 %, or %. See the product specifications for m ore inform ation on your device s output power. Note: Reducing the output power also reduces the device s effective broadcast radius. Rate Configuration This section controls the data rates perm itted for clients. For each Rate, select a rate option from its list. The rates are: Fast Select - Select an broadcast frequency to determ ine the baseline rate configuration. Basic Rate ( Mbps) - Set the basic rate configuration in Mbps. Support Rate ( Mbps) - Set the support rate configuration in Mbps. MCS Rate - Set the MCS rate configuration. 140 NWA3000-N Series User s Guide

141 Chapter 12 AP Profile Table 53 Configurat ion > Obj ect > AP Profile > Add/ Edit Profile ( cont inued) LABEL WDS Settings Edit Activate I nactivate This section displays if you set the Operating Mode to AP+ Bridge. Configure the security settings for the device s Wireless Distribution System (WDS), the wireless connection between two or m ore APs. Select No Security to not encrypt the traffic between APs. Note: WDS security is independent of the security settings between the device and any wireless clients. Select TKI P ( ZyAI R Series Com pat ible) to enable Tem poral Key I ntegrity Protocol (TKI P) security on your WDS. This option is com patible with other ZyXEL access points that support WDS security. Use this if the other access points on your network support WDS security but do not have an AES option. Note: Check your other AP s documentation to make sure it supports WDS security. Select AES to enable Advanced Encryption System (AES) security on your WDS. AES provides superior security to TKI P. Use AES if the other access points on your network support it for the WDS. Note: At the time of writing, this option is compatible with other ZyXEL NWA access points only. When you enable WDS security, for each access point in your WDS enter the AP s MAC address and a pre-shared key. Each access point can use a different pre-shared key. Configure WDS security and the relevant PSK in each of your other access point(s). Note: Other APs must use the same encryption method to enable WDS security. Click this to edit the selected entry. To turn on an entry, select it and click Activate. To turn off an entry, select it and click I nactivate. # This field is a sequential value, and it is not associated with a specific user. Status Rem ote Bridge MAC PSK Support Non-11n Legacy Link MBSSI D Settings OK Edit Cancel SSI D Profile DESCRIPTION This field shows whether or not the entry is activated. Type the MAC address of the peer device in a valid MAC address form at, that is, six hexadecim al character pairs, for exam ple, 12: 34: 56: 78: 9a: bc. Type a pre-shared key (PSK) from 8 to 63 case-sensitive ASCI I characters (including spaces and sym bols). You m ust also set the peer device to use the sam e pre-shared key. Each peer device can use a different pre-shared key. Select this to be able to include com patible legacy NWA series APs (NWA- 3160/ NWA-3163/ NWA-3500/ NWA-3550) as WDS links. This section displays if you set the Operating Mode to MBSSI D. I t allows you to associate an SSI D profile with the radio profile. Select an SSI D and click this button to reassign it. The selected SSI D becom es editable im m ediately upon clicking. I ndicates which SSI D profile is associated with this radio profile. Click OK to save your changes back to the device. Click Cancel to exit this screen without saving your changes. NWA3000-N Series User s Guide 141

142 Chapter 12 AP Profile 12.3 SSID The SSI D screens allow you to configure three different types of profiles for your networked APs: an SSI D list, which can assign specific SSI D configurations to your APs; a security list, which can assign specific encryption m ethods to the APs when allowing wireless clients to connect to them ; and a MAC filter list, which can lim it connections to an AP based on wireless clients MAC addresses SSID List This screen allows you to create and m anage SSI D configurations that can be used by the APs. An SSI D, or Service Set I Dentifier, is basically the nam e of the wireless network to which a wireless client can connect. The SSI D appears as readable text to any device capable of scanning for wireless frequencies (such as the WiFi adapter in a laptop), and is displayed as the wireless network nam e when a person m akes a connection to it. To access this screen click Configuration > Obj ect > AP Profile > SSI D. Note: You can have a m axim um of 32 SSI D profiles on the device. Figure 63 Configurat ion > Obj ect > AP Profile > SSI D List The following table describes the labels in this screen. Table 54 Configurat ion > Obj ect > AP Profile > SSI D List LABEL Add Edit Rem ove Object Reference DESCRIPTION Click this to add a new SSI D profile. Click this to edit the selected SSI D profile. Click this to rem ove the selected SSI D profile. Click this to view which other objects are linked to the selected SSI D profile (for exam ple, radio profile). # This field is a sequential value, and it is not associated with a specific user. Profile Nam e SSI D Security Profile QOS MAC Filtering Profile VLAN I D This field indicates the nam e assigned to the SSI D profile. This field indicates the SSI D nam e as it appears to wireless clients. This field indicates which (if any) security profile is associated with the SSI D profile. This field indicates the QoS type associated with the SSI D profile. This field indicates which (if any) MAC Filter Profile is associated with the SSI D profile. This field indicates the VLAN I D associated with the SSI D profile. 142 NWA3000-N Series User s Guide

143 Chapter 12 AP Profile Add/Edit SSID Profile This screen allows you to create a new SSI D profile or edit an existing one. To access this screen, click the Add button or select an SSI D profile from the list and click the Edit button. Figure 64 Configurat ion > Obj ect > AP Profile > Add/ Edit SSI D Profile The following table describes the labels in this screen. Table 55 Configurat ion > Obj ect > AP Profile > Add/ Edit SSI D Profile LABEL Create new Object Profile Nam e SSI D Security Profile DESCRIPTION Select an object type from the list to create a new one associated with this SSI D profile. Enter up to 31 alphanum eric characters for the profile nam e. This nam e is only visible in the Web Configurator and is only for m anagem ent purposes. Spaces and underscores are allowed. Enter the SSI D nam e for this profile. This is the nam e visible on the network to wireless clients. Enter up to 32 characters, spaces and underscores are allowed. Select a security profile from this list to associate with this SSI D. I f none exist, you can use the Create new Object m enu to create one. Note: It is highly recommended that you create security profiles for all of your SSIDs to enhance your network security. MAC Filtering Profile Select a MAC filtering profile from the list to associate with this SSI D. I f none exist, you can sue the Create new Object m enu to create one. MAC filtering allows you to lim it the wireless clients connecting to your network through a particular SSI D by wireless client MAC addresses. Any clients that have MAC addresses not in the MAC filtering profile of allowed addresses are denied connections. The disable setting m eans no MAC filtering is used. NWA3000-N Series User s Guide 143

144 Chapter 12 AP Profile Table 55 Configuration > Object > AP Profile > Add/ Edit SSI D Profile (continued) LABEL DESCRIPTION QoS Select a Quality of Service ( QoS) access category to associate with this SSI D. Access categories m inim ize the delay of data packets across a wireless network. Certain categories, such as video or voice, are given a higher priority due to the tim e sensitive nature of their data packets. QoS access categories are as follows: disable: Turns off QoS for this SSI D. All data packets are treated equally and not tagged with access categories. W MM: Enables autom atic tagging of data packets. The device assigns access categories to the SSI D by exam ining data as it passes through it and m aking a best guess effort. I f som ething looks like video traffic, for instance, it is tagged as such. W MM_ VOI CE: All wireless traffic to the SSI D is tagged as voice data. This is recom m ended if an SSI D is used for activities like placing and receiving VoI P phone calls. W MM_ VI DEO: All wireless traffic to the SSI D is tagged as video data. This is recom m ended for activities like video conferencing. W MM_ BEST_ EFFORT: All wireless traffic to the SSI D is tagged as best effort, m eaning the data travels the best route it can without displacing higher priority traffic. This is good for activities that do not require the best bandwidth throughput, such as surfing the I nternet. W MM_ BACKGROUND: All wireless traffic to the SSI D is tagged as low priority or background traffic, m eaning all other access categories take precedence over this one. I f traffic from an SSI D does not have strict throughput requirem ents, then this access category is recom m ended. For exam ple, an SSI D that only has network printers connected to it. VLAN I D Enter a VLAN I D for the device to use to tag traffic originating from this SSI D. Hidden SSI D Select this if you want to hide your SSI D from wireless clients. This tells any wireless clients in the vicinity of the AP using this SSI D profile not to display its SSI D nam e as a potential connection. Not all wireless clients respect this flag and display it anyway. When an SSI D is hidden and a wireless client cannot see it, the only way you can connect to the SSI D is by m anually entering the SSI D nam e in your wireless connection setup screen( s) ( these vary by client, client connectivity software, and operating system ). Enable I ntra-bss Traffic Blocking OK Cancel Select this option to prevent crossover traffic from within the sam e SSI D. Click OK to save your changes back to the device. Click Cancel to exit this screen without saving your changes Security List This screen allows you to m anage wireless security configurations that can be used by your SSI Ds. Wireless security is im plem ented strictly between the AP broadcasting the SSI D and the stations that are connected to it. To access this screen click Configuration > Obj ect > AP Profile > SSI D > Security List. 144 NWA3000-N Series User s Guide

145 Chapter 12 AP Profile Note: You can have a m axim um of 32 security profiles on the device. Figure 65 Configurat ion > Obj ect > AP Profile > SSI D > Securit y List The following table describes the labels in this screen. Table 56 Configuration > Object > AP Profile > SSI D > Security List LABEL Add Edit Rem ove Object Reference DESCRIPTION Add/Edit Security Profile Click this to add a new security profile. Click this to edit the selected security profile. Click this to rem ove the selected security profile. Click this to view which other objects are linked to the selected security profile (for exam ple, SSI D profile). # This field is a sequential value, and it is not associated with a specific user. Profile Nam e This field indicates the nam e assigned to the security profile. Security Mode This field indicates this profile s security m ode ( if any). This screen allows you to create a new security profile or edit an existing one. To access this screen, click the Add button or select a security profile from the list and click the Edit button. Note: This screen s options change based on the Security Mode selected. Only the default screen is displayed here. Figure 66 SSI D > Security Profile > Add/ Edit Security Profile NWA3000-N Series User s Guide 145

146 Chapter 12 AP Profile The following table describes the labels in this screen. Table 57 SSI D > Securit y Profile > Add/ Edit Securit y Profile LABEL Profile Nam e Security Mode DESCRIPTION Enter up to 31 alphanum eric characters for the profile nam e. This nam e is only visible in the Web Configurator and is only for m anagem ent purposes. Spaces and underscores are allowed. Select a security m ode from the list: w ep, w pa, w pa2, or w pa2 - m ix X Select this to enable 802.1x secure authentication. Radius Server Type Prim ary / Secondary Radius Server Activate Radius Server I P Address Radius Server Port Radius Server Secret Prim ary / Secondary Accounting Server Activate Accounting Server I P Address Accounting Server Port Accounting Share Secret Reauthentication Tim er I dle Tim eout Authentication Type Select internal to use the device s internal authentication database, or external to use an external RADI US server for authentication. Select this to have the device use the specified RADI US server. Enter the I P address of the RADI US server to be used for authentication. Enter the port num ber of the RADI US server to be used for authentication. Enter the shared secret password of the RADI US server to be used for authentication. Select the check box to enable user accounting through an external authentication server. Enter the I P address of the external accounting server in dotted decim al notation. Enter the port num ber of the external accounting server. The default port num ber is You need not change this value unless your network adm inistrator instructs you to do so with additional inform ation. Enter a password (up to 128 alphanum eric characters) as the key to be shared between the external accounting server and the device. The key m ust be the sam e on the external accounting server and your device. The key is not sent over the network. Enter the interval (in seconds) between authentication requests. Enter a 0 for unlim ited requests. Enter the idle interval ( in seconds) that a client can be idle before authentication is discontinued. Select a WEP authentication m ethod. Choices are Open or Share key. Share key is only available if you are not using 802.1x. 146 NWA3000-N Series User s Guide

147 Chapter 12 AP Profile Table 57 SSI D > Security Profile > Add/ Edit Security Profile (continued) LABEL Key Length DESCRIPTION Select the bit- length of the encryption key to be used in WEP connections. I f you select W EP- 6 4 : Enter 10 hexadecim al digits in the range of A-F, a-f and 0-9 (for exam ple, 0x11AA22BB33) for each Key used. or Enter 5 ASCI I characters (case sensitive) ranging from a-z, A-Z and 0-9 (for exam ple, MyKey) for each Key used. I f you select W EP : Enter 26 hexadecim al digits in the range of A-F, a-f and 0-9 (for exam ple, 0x AABBCC) for each Key used. or Enter 13 ASCI I characters (case sensitive) ranging from a-z, A-Z and 0-9 (for exam ple, MyKey ) for each Key used. Key 1~ 4 PSK Pre-Shared Key Cipher Type Based on your Key Length selection, enter the appropriate length hexadecim al or ASCI I key. Select this option to use a Pre-Shared Key with WPA encryption. Enter a pre-shared key of between 8 and 63 case-sensitive ASCI I characters (including spaces and sym bols) or 64 hexadecim al characters. Select an encryption cipher type from the list. auto - This autom atically chooses the best available cipher based on the cipher in use by t he wireless client t hat is at t em pt ing t o m ake a connect ion. tkip - This is the Tem poral Key I ntegrity Protocol encryption m ethod added later to the WEP encryption protocol to further secure. Not all wireless clients m ay support this. aes - This is the Advanced Encryption Standard encryption m ethod. I t is a m ore recent developm ent over TKI P and considerably m ore robust. Not all wireless clients m ay support this. Group Key Update Tim er Pre-Authentication OK Cancel Enter the interval (in seconds) at which the AP updates the group WPA encryption key. This is available when the profile is set to use w pa2 or w pa2 - m ix and 802.1x. Enable or Disable pre-authentication to allow the AP to send authentication inform ation to other APs on the network, allowing connected wireless clients to switch APs without having to re- authenticate their network connection. Click OK to save your changes back to the device. Click Cancel to exit this screen without saving your changes MAC Filter List This screen allows you to create and m anage security configurations that can be used by your SSI Ds. To access this screen click Configuration > Object > AP Profile > SSI D > MAC Filter List. NWA3000-N Series User s Guide 147

148 Chapter 12 AP Profile Note: You can have a m axim um of 32 MAC filtering profiles on the device. Figure 67 Configuration > Object > AP Profile > SSI D > MAC Filter List The following table describes the labels in this screen. Table 58 Configuration > Object > AP Profile > SSI D > MAC Filter List LABEL Add Edit Rem ove Object Reference DESCRIPTION Add/Edit MAC Filter Profile Click this to add a new MAC filtering profile. Click this to edit the selected MAC filtering profile. Click this to rem ove the selected MAC filtering profile. Click this to view which other objects are linked to the selected MAC filtering profile (for exam ple, SSI D profile). # This field is a sequential value, and it is not associated with a specific user. Profile Nam e Filter Action This field indicates the nam e assigned to the MAC filtering profile. This field indicates this profile s filter action (if any). This screen allows you to create a new MAC filtering profile or edit an existing one. To access this screen, click the Add button or select a MAC filter profile from the list and click the Edit button. 148 NWA3000-N Series User s Guide

149 Chapter 12 AP Profile Note: Each MAC filtering profile can include a m axim um of 512 MAC addresses. Figure 68 SSI D > MAC Filter List > Add/ Edit MAC Filter Profile The following table describes the labels in this screen. Table 59 SSI D > MAC Filter List > Add/ Edit MAC Filter Profile LABEL Profile Nam e Filter Action Add Edit Rem ove DESCRIPTION Enter up to 31 alphanum eric characters for the profile nam e. This nam e is only visible in the Web Configurator and is only for m anagem ent purposes. Spaces and underscores are allowed. Select allow t o permit t he wireless client with the MAC addresses in this profile to connect to the network through the associated SSI D; select deny to block the wireless clients with the specified MAC addresses. Click this to add a MAC address to the profile s list. Click this to edit the selected MAC address in the profile s list. Click this to rem ove the selected MAC address from the profile s list. # This field is a sequential value, and it is not associated with a specific user. MAC Description This field specifies a MAC address associated with this profile. This field displays a description for the MAC address associated with this profile. You can click the description to m ake it editable. Enter up to 60 characters, spaces and underscores allowed. NWA3000-N Series User s Guide 149

150 Chapter 12 AP Profile 150 NWA3000-N Series User s Guide

151 C HAPTER 13 MON Profile 13.1 Overview This screen allows you to set up m onitor m ode configurations that allow your connected APs to scan for other wireless devices in the vicinity. Once detected, you can use the MON Mode screen (Chapter 9 on page 101) to classify them as either rogue or friendly and then m anage them accordingly What You Can Do in this Chapter The MON Profile screen (Section 13.2 on page 152) creates preset m onitor m ode configurations that can be used by the APs What You Need To Know The following term s and concepts m ay help as you read this chapter. Active Scan An active scan is perform ed when an com patible wireless m onitoring device is explicitly triggered to scan a specified channel or num ber of channels for other wireless devices broadcasting on the frequencies by sending probe request fram es. Passive Scan A passive scan is perform ed when an com patible m onitoring device is set to periodically listen to a specified channel or num ber of channels for other wireless devices broadcasting on the frequencies. NWA3000-N Series User s Guide 151

152 Chapter 13 MON Profile 13.2 MON Profile This screen allows you to create m onitor m ode configurations that can be used by the APs. To access this screen, login to the Web Configurator, and click Configuration > Object > MON Profile. Figure 69 Configurat ion > Obj ect > MON Profile The following table describes the labels in this screen. Table 60 Configurat ion > Obj ect > MON Profile LABEL Add Edit Rem ove Activate I nactivate Object Reference DESCRIPTION Click this to add a new m onitor m ode profile. Click this to edit the selected m onitor m ode profile. Click this to rem ove the selected m onitor m ode profile. To turn on an entry, select it and click Activate. To turn off an entry, select it and click I nactivate. Click this to view which other objects are linked to the selected m onitor m ode profile (for exam ple, an AP m anagem ent profile). # This field is a sequential value, and it is not associated with a specific profile. Status Profile Nam e This field shows whether or not the entry is activated. This field indicates the nam e assigned to the m onitor profile. 152 NWA3000-N Series User s Guide

153 Chapter 13 MON Profile Add/Edit MON Profile This screen allows you to create a new m onitor m ode profile or edit an existing one. To access this screen, click the Add button or select and existing m onitor m ode profile and click the Edit button. Figure 70 Configurat ion > Obj ect > MON Profile > Add/ Edit MON Profile The following table describes the labels in this screen. Table 61 Configurat ion > Obj ect > MON Profile > Add/ Edit MON Profile LABEL Activate Profile Nam e Channel dwell tim e Scan Channel Mode DESCRIPTION Select this to activate this m onitor m ode profile. This field indicates the nam e assigned to the m onitor m ode profile. Enter the interval ( in m illiseconds) before the AP switches to another channel for m onitoring. Select auto to have the AP switch to the next sequential channel once the Channel dw ell tim e expires. Select m anual to set specific channels through which to cycle sequentially when the Channel dw ell tim e expires. Selecting this options m akes the Scan Channel List options available. NWA3000-N Series User s Guide 153

154 Chapter 13 MON Profile Table 61 Configurat ion > Obj ect > MON Profile > Add/ Edit MON Profile ( cont inued) LABEL Set Scan Channel List (2.4 G) DESCRIPTION Move a channel from the Available channels colum n to the Channels selected colum n to have the APs using this profile scan that channel when Scan Channel Mode is set to m anual. These channels are lim ited to the 2.4 GHz range ( b/ g/ n). Set Scan Channel List (5 G) Move a channel from the Available channels colum n to the Channels selected colum n to have the APs using this profile scan that channel when Scan Channel Mode is set to m anual. These channels are lim ited to the 5 GHz range ( a/ n). OK Cancel Click OK to save your changes back to the device. Click Cancel to exit this screen without saving your changes Technical Reference The following section contains additional technical inform ation about the features described in this chapt er. Rogue APs Rogue APs are wireless access points operating in a network s coverage area that are not under the control of the network s adm inistrators, and can open up holes in a network s security. Attackers can take advantage of a rogue AP s weaker (or non-existent) security to gain access to the network, or set up their own rogue APs in order to capture inform ation from wireless clients. I f a scan reveals a rogue AP, you can use com m ercially-available software to physically locate it. Figure 71 Rogue AP Exam ple X A RG C B I n the exam ple above, a corporate network s security is com prom ised by a rogue AP (RG) set up by an em ployee at his workstation in order to allow him to connect his notebook com puter wirelessly (A). The com pany s legitim ate wireless network (the dashed ellipse B) is well-secured, but the rogue AP uses inferior security that is easily broken by an attacker (X) running readily available 154 NWA3000-N Series User s Guide

155 Chapter 13 MON Profile encryption-cracking software. I n this exam ple, the attacker now has access to the com pany network, including sensitive data stored on the file server (C). Friendly APs I f you have m ore than one AP in your wireless network, you should also configure a list of friendly APs. Friendly APs are other wireless access points that are detected in your network, as well as any others that you know are not a threat (those from recognized networks, for exam ple). I t is recom m ended that you export (save) your list of friendly APs often, especially if you have a network with a large num ber of access points. NWA3000-N Series User s Guide 155

156 Chapter 13 MON Profile 156 NWA3000-N Series User s Guide

157 C HAPTER 14 Certificates 14.1 Overview The device can use certificates (also called digital I Ds) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner s identity and public key. Certificates provide a way to exchange public keys for use in authentication What You Can Do in this Chapter The My Certificate screens (Section 14.2 on page 160) generate and export self-signed certificates or certification requests and im port the device s CA-signed certificates. The Trusted Certificat es screens (Section 14.3 on page 168) save CA certificates and trusted rem ote host certificates to the device. The device trusts any valid certificate that you have im ported as a trusted certificate. I t also trusts any valid certificate signed by any of the certificates that you have im ported as a trusted certificate What You Need to Know The following term s and concepts m ay help as you read this chapter. When using public-key cryptology for authentication, each host has two keys. One key is public and can be m ade openly available. The other key is private and m ust be kept secure. These keys work like a handwritten signature ( in fact, certificates are often referred to as digital signatures ). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether som ething was signed by you, or by som eone else. I n the sam e way, your private key writes your digital signature and your public key allows people to verify whether data was signed by you, or by som eone else. This process works as follows: 1 Tim wants to send a m essage to Jenny. He needs her to be sure that it com es from him, and that the m essage content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). 2 Tim keeps the private key and m akes the public key openly available. This m eans that anyone who receives a m essage seem ing to com e from Tim can read it and verify whether it is really from him or not. 3 Tim uses his private key to sign the m essage and sends it to Jenny. 4 Jenny receives the m essage and uses Tim s public key to verify it. Jenny knows that the m essage is from Tim, and that although other people m ay have been able to read the m essage, no-one can have altered it (because they cannot re-sign the m essage with Tim s private key). NWA3000-N Series User s Guide 157

158 Chapter 14 Certificates 5 Additionally, Jenny uses her own private key to sign a m essage and Tim uses Jenny s public key to verify the m essage. The device uses certificates based on public-key cryptology to authenticate users attem pting to establish a connection, not to encrypt the data that you send after establishing a connection. The m ethod used to secure the data that you send through an established connection depends on the type of connect ion. The certification authority uses its private key to sign certificates. Anyone can then use the certification authority s public key to verify the certificates. A certification path is the hierarchy of certification authority certificates that validate a certificate. The device does not trust a certificate if any certificate on its path has expired or been revoked. Certification authorities m aintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The device can check a peer s certificate against a directory server s list of revoked certificates. The fram ework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure). Advantages of Certificates Certificates offer the following benefits. The device only has to store the certificates ofthe certification authorities that you decide to trust, no m atter how m any devices you need to authenticate. Key distribution is sim ple and very secure since you can freely distribute public keys and you never need to transm it private keys. Self-signed Certificates You can have the device act as a certification authority and sign its own certificates. Factory Default Certificate The device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. Certificate File Formats Any certificate that you want to im port has to be in one of these file form ats: Binary X.509: This is an I TU-T recom m endation that defines the form ats for X.509 certificates. PEM (Base-64) encoded X.509: This Privacy EnhancedMail form at uses lowercase letters, uppercase letters and num erals to convert a binary X.509 certificate into a printable form. Binary PKCS# 7: This is a standard that defines the general syntax for data (including digital signatures) that m ay be encrypted. A PKCS # 7 file is used to transfer a public key certificate. The private key is not included. The device currently allows the im portation of a PKS# 7 file that contains a single certificate. PEM (Base-64) encoded PKCS# 7: This Privacy Enhanced Mail (PEM) form at uses lowercase letters, uppercase letters and num erals to convert a binary PKCS# 7 certificate into a printable form. 158 NWA3000-N Series User s Guide

Chapter 14 Certificates Binary PKCS# 12: This is a form at for transferring public key and private key certificates.the private key in a PKCS # 12 file is within a password-encrypted envelope.

159 Chapter 14 Certificates Binary PKCS# 12: This is a form at for transferring public key and private key certificates.the private key in a PKCS # 12 file is within a password-encrypted envelope. The file s password is not connected to your certificate s public or private passwords. Exporting a PKCS # 12 file creates this and you m ust provide it to decrypt the contents when you im port the file into the device. Note: Be careful not to convert a binary file to text during the transfer process. I t is easy for this to occur since m any program s use text files by default Verifying a Certificate Before you im port a trusted certificate into the device, you should verify that you have the correct certificate. You can do this using the certificate s fingerprint. A certificate s fingerprint is a m essage digest calculated using the MD5 or SHA1 algorithm. The following procedure describes how to check a certificate s fingerprint to verify that you have the actual certificate. 1 Browse to where you have the certificate saved on your com puter. 2 Make sure that the certificate has a.cer or.crt file nam e extension. 3 Double-click the certificate s icon to open the Certificat e window. Click the Details tab and scroll down to the Thum bprint Algorithm and Thum bprint fields. 4 Use a secure m ethod to verify that the certificate owner has the sam e inform ation in the Thum bprint Algorithm and Thum bprint fields. The secure m ethod m ay very based on your situation. Possible exam ples would be over the telephone or through an HTTPS connection. NWA3000-N Series User s Guide 159

160 Chapter 14 Certificates 14.2 My Certificates Click Configurat ion > Object > Certificate > My Certificates to open this screen. This is the device s sum m ary list of certificates and certification requests. Figure 72 Configuration > Object > Certificate > My Certificates The following table describes the labels in this screen. Table 62 Configuration > Object > Certificate > My Certificates LABEL PKI Storage Space in Use Add Edit DESCRIPTION This bar displays the percentage of the device s PKI storage space that is currently in use. When the storage space is alm ost full, you should consider deleting expired or unnecessary certificates before adding m ore certificates. Click this to go to the screen where you can have the device generate a certificate or a certification request. Double-click an entry or select it and click Edit to open a screen with an in-depth list of inform ation about the certificate. Rem ove The device keeps all of your certificates unless you specifically delete them. Uploading a new firm ware or default configuration file does not delete your certificates. To rem ove an entry, select it and click Rem ove. The device confirm s you want to rem ove it before doing so. Subsequent certificates m ove up by one when you take this action. Object References You cannot delete certificates that any of the device s features are configured to use. Select an entry and click Obj ect References to open a screen that shows which settings use the entry. # This field displays the certificate index num ber. The certificates are listed in alphabetical order. Nam e This field displays the nam e used to identify this certificate. I t is recom m ended that you give each certificate a unique nam e. 160 NWA3000-N Series User s Guide

161 Chapter 14 Certificates Table 62 Configuration > Object > Certificate > My Certificates (continued) LABEL Type DESCRIPTION This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Cert ificate I m port screen to im port the certificate and replace the request. SELF represents a self-signed certificate. CERT represents a certificate issued by a certification authority. Subject I ssuer Valid From Valid To I m port Refresh This field displays identifying inform ation about the certificate s owner, such as CN (Com m on Nam e), OU (Organizational Unit or departm ent), O (Organization or com pany) and C (Country). I t is recom m ended that each certificate have unique subject inform ation. This field displays identifying inform ation about the certificate s issuing certification authority, such as a com m on nam e, organizational unit or departm ent, organization or com pany and country. With self-signed certificates, this is the sam e inform ation as in the Subject field. This field displays the date that the certificate becom es applicable. This field displays the date that the certificate expires. The text displays in red and includes an Expired! m essage if the certificate has expired. Click I m port to open a screen where you can save a certificate to the device. Click Refresh to display the current validity status of the certificates. NWA3000-N Series User s Guide 161

162 Chapter 14 Certificates Add My Certificates Click Configurat ion > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 73 Configuration > Object > Certificate > My Certificates > Add 162 NWA3000-N Series User s Guide

163 Chapter 14 Certificates The following table describes the labels in this screen. Table 63 Configuration > Object > Certificate > My Certificates > Add LABEL Nam e Subject I nform ation Organizational Unit Organization Town (City) State, (Province) Country DESCRIPTION Type a nam e to identify this certificate. You can use up to 31 alphanum eric and ; ~!@# $% ^ &()_+ [ ] { },.= - characters. Use these fields to record inform ation that identifies the owner of the certificate. You do not have to fill in every field, although you m ust specify a Host I P Address, Host Dom ain N am e, or E- Mail. The certification authority m ay add fields (such as a serial num ber) to the subject inform ation when it issues a certificate. I t is recom m ended that each certificate have unique subject inform ation. Select a radio button to identify the certificate s owner by I P address, dom ain nam e or e-m ail address. Type the I P address (in dotted decim al notation), dom ain nam e or e-m ail address in the field provided. The dom ain nam e or e- m ail address is for identification purposes only and can be any string. A dom ain nam e can be up to 255 characters. You can use alphanum eric characters, the hyphen and periods. An e- m ail address can be up to 63 characters. You can use alphanum eric characters, the hyphen, sym bol, periods and the underscore. I dentify the organizational unit or departm ent to which the certificate owner belongs. You can use up to 31 characters. You can use alphanum eric characters, the hyphen and the underscore. I dentify the com pany or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanum eric characters, the hyphen and the underscore. I dentify the town or city where the certificate owner is located. You can use up to 31 characters. You can use alphanum eric characters, the hyphen and the underscore. I dentify the state or province where the certificate owner is located. You can use up to 31 characters. You can use alphanum eric characters, the hyphen and the underscore. I dentify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanum eric characters, the hyphen and the underscore. Key Type Select RSA to use the Rivest, Sham ir and Adlem an public-key algorithm. Select DSA to use the Digital Signature Algorithm public-key algorithm. Key Length Enrollm ent Options Create a self-signed certificate Create a certification request and save it locally for later m anual enrollm ent Select a num ber from the drop-down list box to determ ine how m any bits the key should use (512 to 2048). The longer the key, the m ore secure it is. A longer key also uses m ore PKI storage space. These radio buttons deal with how and when the certificate is to be generated. Select this to have the device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates. Select this to have the device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Copy the certification request from the My Cert ificate Details screen and then send it to the certification authority. NWA3000-N Series User s Guide 163

164 Chapter 14 Certificates Table 63 Configuration > Object > Certificate > My Certificates > Add (continued) LABEL Create a certification request and enroll for a certificate im m ediately online DESCRIPTION Select this to have the device generate a request for a certificate and apply to a certification authority for a certificate. You m ust have the certification authority s certificate already im ported in the Trusted Certificates screen. When you select this option, you m ust select the certification authority s enrollm ent protocol and the certification authority s certificate from the dropdown list boxes and enter the certification authority s server address. You also need to fill in the Reference Num ber and Key if the certification authority requires them. Enrollm ent Protocol This field applies when you select Create a cert ification request and enroll for a certificate im m ediately online. Select the certification authority s enrollm ent protocol from the drop-down list box. Sim ple Certificate Enrollm ent Protocol ( SCEP) is a TCP-based enrollm ent protocol that was developed by VeriSign and Cisco. Certificate Managem ent Protocol ( CMP) is a TCP-based enrollm ent protocol that was developed by the Public Key I nfrastructure X.509 working group of the I nternet Engineering Task Force (I ETF) and is specified in RFC CA Server Address This field applies when you select Create a cert ification request and enroll for a certificate im m ediately online. Enter the I P address ( or URL) of the certification authority server. For a URL, you can use up to 511 of the following characters. a-za-z0-9'()+,/ :.=?;!* - CA Certificate This field applies when you select Create a cert ification request and enroll for a certificate im m ediately online. Select the certification authority s certificate from the CA Cert ificate drop-down list box. You m ust have the certification authority s certificate already im ported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view (and m anage) the device's list of certificates of trusted certification authorities. Request Authentication When you select Create a certification request and enroll for a cert ificat e im m ediately online, the certification authority m ay want you to include a reference num ber and key to identify you when you send a certification request. Fill in both the Reference Num ber and the Key fields if your certification authority uses the CMP enrollm ent protocol. Just the Key field displays if your certification authority uses the SCEP enrollm ent protocol. For the reference num ber, use 0 to For the key, use up to 31 of the following characters. a-za-z0-9; ` ~!@# $% ^ &* ()_+ \ { } ':,./ < > = - OK Cancel Click OK to begin certificate or certification request generation. Click Cancel to quit and return to the My Cert ificates screen. I f you configured the My Certificat e Create screen to have the device enroll a certificate and the certificate enrollm ent is not successful, you see a screen with a Return button that takes you back to the My Cert ificate Create screen. Click Return and check your inform ation in the My Certificat e Creat e screen. Make sure that the certification authority inform ation is correct and that your I nternet connection is working properly if you want the device to enroll a certificate online. 164 NWA3000-N Series User s Guide

165 Chapter 14 Certificates Edit My Certificates Click Configurat ion > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate inform ation and change the certificate s nam e. Figure 74 Configuration > Object > Certificate > My Certificates > Edit NWA3000-N Series User s Guide 165

166 Chapter 14 Certificates The following table describes the labels in this screen. Table 64 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Nam e This field displays the identifying nam e of this certificate. You can use up to 31 alphanum eric and ; ~!@# $% ^ &()_+ [ ] { },.= - characters. Certification Path Refresh Certificate I nform ation Type This field displays for a certificate, not a certification request. Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). I f the issuing certification authority is one that you have im ported as a trusted certification authority, it m ay be the only certification authority in the list ( along with the certificate itself ). I f the certificate is a self- signed certificate, the certificate itself is the only one in the list. The device does not trust the certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked. Click Refresh to display the certification path. These read- only fields display detailed inform ation about the certificate. This field displays general inform ation about the certificate. CA-signed m eans that a Certification Authority signed the certificate. Self-signed m eans that the certificate s owner signed the certificate (not a certification authority). X.509 m eans that this certificate was created and signed according to the I TU-T X.509 recom m endation that defines the form ats for public-key certificates. Version This field displays the X.509 version num ber. Serial Num ber Subject I ssuer This field displays the certificate s identification num ber given by the certification authority or generated by the device. This field displays inform ation that identifies the owner of the certificate, such as Com m on Nam e (CN), Organizational Unit (OU), Organization (O), State (ST), and Country (C). This field displays identifying inform ation about the certificate s issuing certification authority, such as Com m on Nam e, Organizational Unit, Organization and Country. With self-signed certificates, this is the sam e as the Subject N am e field. none displays for a certification request. Signature Algorithm Valid From Valid To Key Algorithm Subject Alternative Nam e This field displays the type of algorithm that was used to sign the certificate. The device uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm ). Som e certification authorities m ay use rsapkcs1-m d5 (RSA public-private key encryption algorithm and the MD5 hash algorithm ). This field displays the date that the certificate becom es applicable. none displays for a certification request. This field displays the date that the certificate expires. The text displays in red and includes an Expired! m essage if the certificate has expired. none displays for a certification request. This field displays the type of algorithm that was used to generate the certificate s key pair (the device uses RSA encryption) and the length of the key set in bits (1024 bits for exam ple). This field displays the certificate owner s I P address (I P), dom ain nam e (DNS) or e- m ail address (EMAI L). 166 NWA3000-N Series User s Guide

167 Chapter 14 Certificates Table 64 Configuration > Object > Certificate > My Certificates > Edit LABEL Key Usage Basic Constraint MD5 Fingerprint SHA1 Fingerprint Certificate in PEM (Base-64) Encoded Form at DESCRIPTION This field displays for what functions the certificate s key can be used. For exam ple, DigitalSignature m eans that the key can be used to sign certificates and KeyEncipherm ent m eans that the key can be used to encrypt text. This field displays general inform ation about the certificate. For exam ple, Subject Type= CA m eans that this is a certification authority s certificate and Path Length Constraint= 1 m eans that there can only be one certification authority in the certificate s path. This field does not display for a certification request. This is the certificate s m essage digest that the device calculated using the MD5 algorithm. This is the certificate s m essage digest that the device calculated using the SHA1 algorithm. This read-only text box displays the certificate or certification request in Privacy Enhanced Mail ( PEM) form at. PEM uses lowercase letters, uppercase letters and num erals to convert a binary certificate into a printable form. You can copy and paste a certification request into a certification authority s web page, an e-m ail that you send to the certification authority or a text editor and save the file on a m anagem ent com puter for later m anual enrollm ent. You can copy and paste a certificate into an e-m ail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a m anagem ent com puter for later distribution (via floppy disk for exam ple). Export Export Certificate Only Password Export Certificate with Private Key OK Cancel This button displays for a certification request. Use this button to save a copy of the request without its private key. Click this button and then Save in the File Dow nload screen. The Save As screen opens, browse to the location that you want to use and click Save. Use this button to save a copy of the certificate without its private key. Click this button and then Save in the File Dow nload screen. The Save As screen opens, browse to the location that you want to use and click Save. I f you want to export the certificate with its private key, create a password and type it here. Make sure you keep this password in a safe place. You will need to use it if you im port the certificate to another device. Use this button to save a copy of the certificate with its private key. Type the certificate s password and click this button. Click Save in the File Dow nload screen. The Save As screen opens, browse to the location that you want to use and click Save. Click OK to save your changes back to the device. You can only change the nam e. Click Cancel to quit and return to the My Cert ificates screen Import Certificates Click Configurat ion > Object > Certificate > My Certificates > I m port to open the My Certificat e I m port screen. Follow the instructions in this screen to save an existing certificate to the device. Note: You can im port a certificate that m atches a corresponding certification request that was generated by the device. You can also im port a certificate in PKCS# 12 form at, including the certificate s public and private keys. NWA3000-N Series User s Guide 167

168 Chapter 14 Certificates The certificate you im port replaces the corresponding request in the My Certificates screen. You m ust rem ove any spaces in the certificate s filenam e before you can im port it. Figure 75 Configuration > Object > Certificate > My Certificates > I m port The following table describes the labels in this screen. Table 65 Configuration > Object > Certificate > My Certificates > I m port LABEL File Path DESCRIPTION Type in the location of the file you want to upload in this field or click Brow se to find it. You cannot im port a certificate with the sam e nam e as a certificate that is already in the device. Browse Password OK Cancel Click Brow se to find the certificate file you want to upload. This field only applies when you im port a binary PKCS# 12 form at file. Type the file s password that was created when the PKCS # 12 file was exported. Click OK to save the certificate on the device. Click Cancel to quit and return to the My Certificates screen Trusted Certificates Click Configurat ion > Object > Certificate > Trusted Certificates to open the Trust ed Certificat es screen. This screen displays a sum m ary list of certificates that you have set the device to accept as trusted. The device also accepts any valid certificate signed by a certificate on this list 168 NWA3000-N Series User s Guide

169 Chapter 14 Certificates as being trustworthy; thus you do not need to im port any certificate that is signed by one of these certificates. Figure 76 Configuration > Object > Certificate > Trusted Certificates The following table describes the labels in this screen. Table 66 Configuration > Object > Certificate > Trusted Certificates LABEL PKI Storage Space in Use Edit DESCRIPTION This bar displays the percentage of the device s PKI storage space that is currently in use. When the storage space is alm ost full, you should consider deleting expired or unnecessary certificates before adding m ore certificates. Double-click an entry or select it and click Edit to open a screen with an in- depth list of inform ation about the certificate. Rem ove The device keeps all of your certificates unless you specifically delete them. Uploading a new firm ware or default configuration file does not delete your certificates. To rem ove an entry, select it and click Rem ove. The device confirm s you want to rem ove it before doing so. Subsequent certificates m ove up by one when you take this action. Object Reference You cannot delete certificates that any of the device s features are configured to use. Select an entry and click Obj ect References to open a screen that shows which settings use the entry. # This field displays the certificate index num ber. The certificates are listed in alphabetical order. Nam e Subject I ssuer Valid From Valid To I m port Refresh This field displays the nam e used to identify this certificate. This field displays identifying inform ation about the certificate s owner, such as CN (Com m on Nam e), OU (Organizational Unit or departm ent), O (Organization or com pany) and C (Country). I t is recom m ended that each certificate have unique subject inform ation. This field displays identifying inform ation about the certificate s issuing certification authority, such as a com m on nam e, organizational unit or departm ent, organization or com pany and country. With self- signed certificates, this is the sam e inform ation as in the Subj ect field. This field displays the date that the certificate becom es applicable. This field displays the date that the certificate expires. The text displays in red and includes an Expired! m essage if the certificate has expired. Click I m port to open a screen where you can save the certificate of a certification authority that you trust, from your com puter to the device. Click this button to display the current validity status of the certificates. NWA3000-N Series User s Guide 169

170 Chapter 14 Certificates Edit Trusted Certificates Click Configuration > Object > Certificate > Trusted Certificates and then a certificate s Edit icon to open the Trusted Certificat es Edit screen. Use this screen to view in-depth inform ation about the certificate, change the certificate s nam e and set whether or not you want the device to check a certification authority s list of revoked certificates before trusting a certificate issued by the cert ificat ion aut hority. Figure 77 Configuration > Object > Certificate > Trusted Certificates > Edit 170 NWA3000-N Series User s Guide

171 Chapter 14 Certificates The following table describes the labels in this screen. Table 67 Configuration > Object > Certificate > Trusted Certificates > Edit LABEL Nam e Certification Path Refresh Enable X.509v3 CRL Distribution Points and OCSP checking OCSP Server URL I D Password LDAP Server Address Port I D Password Certificate I nform ation Type Version Serial Num ber Subject DESCRIPTION This field displays the identifying nam e of this certificate. You can change the nam e. You can use up to 31 alphanum eric and ; ~!@# $% ^ &( )_+ [ ] { },.= - characters. Click the Refresh button to have this read-only text box display the end entity s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity s certificate. I f the issuing certification authority is one that you have im ported as a trusted certificate, it m ay be the only certification authority in the list (along with the end entity s own certificate). The device does not trust the end entity s certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked. Click Refresh to display the certification path. Select this check box to have the device check incom ing certificates that are signed by this certificate against a Certificate Revocation List (CRL) or an OCSP server. You also need to configure the OSCP or LDAP server details. Select this check box if the directory server uses OCSP (Online Certificate Status Protocol). Type the protocol, I P address and pathnam e of the OCSP server. The device m ay need to authenticate itself in order to assess the OCSP server. Type the login nam e (up to 31 ASCI I characters) from the entity m aintaining the server (usually a certification authority). Type the password (up to 31 ASCI I characters) from the entity m aintaining the OCSP server (usually a certification authority). Select this check box if the directory server uses LDAP ( Lightweight Directory Access Protocol). LDAP is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates. Type the I P address (in dotted decim al notation) of the directory server. Use this field to specify the LDAP server port num ber. You m ust use the sam e server port num ber that the directory server uses. 389 is the default server port num ber for LDAP. The device m ay need to authenticate itself in order to assess the CRL directory server. Type the login nam e (up to 31 ASCI I characters) from the entity m aintaining the server ( usually a certification authority). Type the password (up to 31 ASCI I characters) from the entity m aintaining the CRL directory server (usually a certification authority). These read-only fields display detailed inform ation about the certificate. This field displays general inform ation about the certificate. CA-signed m eans that a Certification Authority signed the certificate. Self- signed m eans that the certificate s owner signed the certificate (not a certification authority). X.509 m eans that this certificate was created and signed according to the I TU-T X.509 recom m endation that defines the form ats for public-key certificates. This field displays the X.509 version num ber. This field displays the certificate s identification num ber given by the certification authority. This field displays inform ation that identifies the owner of the certificate, such as Com m on Nam e ( CN), Organizational Unit (OU), Organization (O) and Country ( C). NWA3000-N Series User s Guide 171

172 Chapter 14 Certificates Table 67 Configuration > Object > Certificate > Trusted Certificates > Edit (continued) LABEL I ssuer DESCRIPTION This field displays identifying inform ation about the certificate s issuing certification authority, such as Com m on Nam e, Organizational Unit, Organization and Country. With self-signed certificates, this is the sam e inform ation as in the Subj ect Nam e field. Signature Algorithm Valid From Valid To Key Algorithm Subject Alternative Nam e Key Usage Basic Constraint MD5 Fingerprint SHA1 Fingerprint Certificate This field displays the type of algorithm that was used to sign the certificate. Som e certification authorities use rsa-pkcs1-sha1 (RSA public- private key encryption algorithm and the SHA1 hash algorithm ). Other certification authorities m ay use rsa- pkcs1- m d5 (RSA public-private key encryption algorithm and the MD5 hash algorithm ). This field displays the date that the certificate becom es applicable. The text displays in red and includes a Not Yet Valid! m essage if the certificate has not yet becom e applicable. This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! m essage if the certificate is about to expire or has already expired. This field displays the type of algorithm that was used to generate the certificate s key pair ( the device uses RSA encryption) and the length of the key set in bits (1024 bits for exam ple). This field displays the certificate s owner s I P address (I P), dom ain nam e (DNS) or e- m ail address (EMAI L). This field displays for what functions the certificate s key can be used. For exam ple, DigitalSignature m eans that the key can be used to sign certificates and KeyEncipherm ent m eans that the key can be used to encrypt text. This field displays general inform ation about the certificate. For exam ple, Subject Type= CA m eans that this is a certification authority s certificate and Path Length Constraint= 1 m eans that there can only be one certification authority in the certificate s path. This is the certificate s m essage digest that the device calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for exam ple) that this is actually their certificate. This is the certificate s m essage digest that the device calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for exam ple) that this is actually their certificate. This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) form at. PEM uses lowercase letters, uppercase letters and num erals to convert a binary certificate into a printable form. You can copy and paste the certificate into an e-m ail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a m anagem ent com puter for later distribution (via floppy disk for exam ple). Export Certificate OK Cancel Click this button and then Save in the File Dow nload screen. The Save As screen opens, browse to the location that you want to use and click Save. Click OK to save your changes back to the device. You can only change the nam e. Click Cancel to quit and return to the Trusted Certificates screen. 172 NWA3000-N Series User s Guide

Chapter 14 Certificates 14.3.2 Import Trusted Certificates Click Configurat ion > Object > Certificate > Trusted Certificates > I m port to open the Trusted Certificates I m port screen.

173 Chapter 14 Certificates Import Trusted Certificates Click Configurat ion > Object > Certificate > Trusted Certificates > I m port to open the Trusted Certificates I m port screen. Follow the instructions in this screen to save a trusted certificate to the device. Note: You m ust rem ove any spaces from the certificate s filenam e before you can im port the certificate. Figure 78 Configuration > Object > Certificate > Trusted Certificates > I m port The following table describes the labels in this screen. Table 68 Configuration > Object > Certificate > Trusted Certificates > I m port LABEL File Path DESCRIPTION Type in the location of the file you want to upload in this field or click Brow se to find it. You cannot im port a certificate with the sam e nam e as a certificate that is already in the device. Browse OK Cancel Click Brow se to find the certificate file you want to upload. Click OK to save the certificate on the device. Click Cancel to quit and return to the previous screen Technical Reference The following section contains additional technical inform ation about the features described in this chapt er. OCSP OCSP (Online Certificate Status Protocol) allows an application or device to check whether a certificate is valid. With OCSP the device checks the status of individual certificates instead of downloading a Certificate Revocation List (CRL). OCSP has two m ain advantages over a CRL. The first is real-tim e status inform ation. The second is a reduction in network traffic since the device only gets inform ation on the certificates that it needs to verify, not a huge list. When the device requests certificate status inform ation, the OCSP server returns a expired, current or unknown response. NWA3000-N Series User s Guide 173

174 Chapter 14 Certificates 174 NWA3000-N Series User s Guide

175 C HAPTER 15 System 15.1 Overview Use the system screens to configure general device settings What You Can Do in this Chapter TheHost Nam e screen (Section 15.2 on page 176) configures a unique nam e for the device in your net work. The Dat e/ Tim e screen (Section 15.3 on page 176) configures the date and tim e for the device. The Console Speed screen (Section 15.4 on page 180) configures the console port speed when you connect to the device via the console port using a term inal em ulation program. The W W W screens (Section 15.5 on page 181) configure settings for HTTP or HTTPS access to the device. The SSH screen (Section 15.6 on page 190) configures SSH (Secure SHell) for securely accessing the device s com m and line interface. The Telnet screen (Section 15.7 on page 195) configures Telnet for accessing the device s com m and line interface. TheFTP screen (Section 15.8 on page 195) specifies FTP server settings. You can upload and download the device s firm ware and configuration files using FTP. Please also see Chapter 17 on page 219 for m ore inform ation about firm ware and configuration files. The SNMP screens (Section 15.9 on page 196) configure the device s SNMP settings, including profiles t hat define allowed SNMPv3 access. The Auth. Server screens (Section on page 200) configure settings for the device s builtin authentication server. NWA3000-N Series User s Guide 175

176 Chapter 15 System 15.2 Host Name A host nam e is the unique nam e by which a device is known on a network. Click Configuration > System > Host Nam e to open this screen. Figure 79 Configurat ion > Syst em > Host Nam e The following table describes the labels in this screen. Table 69 Configurat ion > Syst em > Host Nam e LABEL System Nam e Dom ain Nam e Apply Reset DESCRIPTION Choose a descriptive nam e to identify your device device. This nam e can be up to 64 alphanum eric characters long. Spaces are not allowed, but dashes (-) underscores (_) and periods (.) are accepted. Enter the dom ain nam e (if you know it) here. This nam e is propagated to DHCP clients connected to interfaces with the DHCP server enabled. This nam e can be up to 254 alphanum eric characters long. Spaces are not allowed, but dashes - are accepted. Click Apply to save your changes back to the device. Click Reset to return the screen to its last-saved settings Date and Time For effective scheduling and logging, the device system tim e m ust be accurate. The device has a software m echanism to set the tim e m anually or get the current tim e and date from an external server. 176 NWA3000-N Series User s Guide

177 Chapter 15 System To change your device s tim e based on your local tim e zone and date, click Configuration > System > Date/ Tim e. The screen displays as shown. You can m anually set the device s tim e and date or have the device get the date and tim e from a tim e server. Figure 80 Configuration > System > Date/ Tim e The following table describes the labels in this screen. Table 70 Configuration > System > Date/ Tim e LABEL Current Tim e and Date Current Tim e Current Date Tim e and Date Setup Manual New Tim e (hh- m m - ss) New Date (yyyy-m m -dd) DESCRIPTION This field displays the present tim e of your device. This field displays the present date of your device. Select this radio button to enter the tim e and date m anually. I f you configure a new tim e and date, tim e zone and daylight saving at the sam e tim e, the tim e zone and daylight saving will affect the new tim e and date you entered. When you enter the tim e settings m anually, the device uses the new setting once you click Apply. This field displays the last updated tim e from the tim e server or the last tim e configured m anually. When you set Tim e and Date Setup to Manual, enter the new tim e in this field and then click Apply. This field displays the last updated date from the tim e server or the last date configured m anually. When you set Tim e and Date Setup to Manual, enter the new date in this field and then click Apply. NWA3000-N Series User s Guide 177

178 Chapter 15 System Table 70 Configuration > System > Date/ Tim e (continued) LABEL Get from Tim e Server DESCRIPTION Select this radio button to have the device get the tim e and date from the tim e server you specify below. The device requests tim e and date settings from the tim e server under the following circum stances. When the device starts up. When you click Apply or Synchronize Now in this screen. 24-hour intervals after starting up. Tim e Server Address Sync. Now Tim e Zone Setup Tim e Zone Enable Daylight Saving Enter the I P address or URL of your tim e server. Check with your I SP/ network adm inistrator if you are unsure of this inform ation. Click this button to have the device get the tim e and date from a tim e server ( see the Tim e Server Address field). This also saves your changes (except the daylight saving settings). Choose the tim e zone of your location. This will set the tim e difference between your tim e zone and Greenwich Mean Tim e (GMT). Daylight saving is a period from late spring to fall when m any countries set their clocks ahead of norm al local tim e by one hour to give m ore daytim e light in the evening. Select this option if you use Daylight Saving Tim e. Start Date Configure the day and tim e when Daylight Saving Tim e starts if you selected Enable Daylight Saving. The at field uses the 24 hour form at. Here are a couple of exam ples: Daylight Saving Tim e starts in m ost parts of the United States on the second Sunday of March. Each tim e zone in the United States starts using Daylight Saving Tim e at 2 A.M. local tim e. So in the United States you would select Second, Sunday, March and type 2 in the at field. Daylight Saving Tim e st art s in t he European Union on the last Sunday of March. All of the tim e zones in the European Union start using Daylight Saving Tim e at the sam e m om ent (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The tim e you type in the at field depends on your tim e zone. I n Germ any for instance, you would type 2 because Germ any's tim e zone is one hour ahead of GMT or UTC (GMT+ 1). End Date Configure the day and tim e when Daylight Saving Tim e ends if you selected Enable Daylight Saving. The at field uses the 24 hour form at. Here are a couple of exam ples: Daylight Saving Tim e ends in the United States on the first Sunday of Novem ber. Each tim e zone in the United States stops using Daylight Saving Tim e at 2 A.M. local tim e. So in the United States you would select First, Sunday, Novem ber and type 2 in the at field. Daylight Saving Tim e ends in the European Union on the last Sunday of October. All of the tim e zones in the European Union stop using Daylight Saving Tim e at the sam e m om ent ( 1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The tim e you type in the at field depends on your tim e zone. I n Germ any for instance, you would type 2 because Germ any's tim e zone is one hour ahead of GMT or UTC (GMT+ 1). Offset Specify how m uch the clock changes when daylight saving begins and ends. Enter a num ber from 1 to 5.5 (by 0.5 increm ents). For exam ple, if you set this field to 3.5, a log occurred at 6 P.M. in local official tim e will appear as if it had occurred at 10: 30 P.M. Apply Reset Click Apply to save your changes back to the device. Click Reset to return the screen to its last-saved settings. 178 NWA3000-N Series User s Guide

179 Chapter 15 System Pre-defined NTP Time Servers List When you turn on the device for the first tim e, the date and tim e start at : 00: 00. The device then attem pts to synchronize with one of the following pre-defined list of Network Tim e Protocol (NTP) tim e servers. The device continues to use the following pre-defined list of NTP tim e servers if you do not specify a tim e server or it cannot synchronize with the tim e server you specified. Table 71 Default Tim e Servers 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org When the device uses the pre-defined list of NTP tim e servers, it random ly selects one server and tries to synchronize with it. I f the synchronization fails, then the device goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP tim e servers have been t ried Time Server Synchronization Click the Synchronize Now button to get the tim e and date from the tim e server you specified in the Tim e Server Address field. When the Loading m essage appears, you m ay have to wait up to one m inute. Figure 81 Loading The Current Tim e and Current Date fields will display the appropriate settings if the synchronizat ion is successful. I f the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/ Tim e screen. To m anually set the device date and tim e: 1 Click System > Date/ Tim e. 2 Select Manual under Tim e and Date Setup. 3 Enter the device s tim e in the New Tim e field. 4 Enter the device s date in the New Dat e field. 5 Under Tim e Zone Setup, select your Tim e Zone from the list. 6 As an option you can select the Enable Daylight Saving check box to adjust the device clock for daylight savings. 7 Click Apply. NWA3000-N Series User s Guide 179

Chapter 15 System To get the device date and tim e from a tim e server: 1 Click System > Date/ Tim e. 2 Select Get from Tim e Server under Tim e and Dat e Setup.

180 Chapter 15 System To get the device date and tim e from a tim e server: 1 Click System > Date/ Tim e. 2 Select Get from Tim e Server under Tim e and Dat e Setup. 3 Under Tim e Zone Setup, select your Tim e Zone from the list. 4 Under Tim e and Dat e Setup, enter a Tim e Server Address. 5 Click Apply Console Speed This section shows you how to set the console port speed when you connect to the device via the console port using a term inal em ulation program. See Table 1 on page 23 for default console port settings. Click Configuration > Syst em > Console Speed to open this screen. Figure 82 Configuration > System > Console Speed The following table describes the labels in this screen. Table 72 Configuration > System > Console Speed LABEL Console Port Speed DESCRIPTION Use the drop-down list box to change the speed of the console port. Your device supports 9600, 19200, 38400, 57600, and bps (default) for the console port. The Console Port Speed applies to a console port connection using term inal em ulation software and NOT the Console in the device Web Configurator Status screen. Apply Reset Click Apply to save your changes back to the device. Click Reset to return the screen to its last-saved settings. 180 NWA3000-N Series User s Guide

Chapter 15 System 15.5 WWW Overview The following figure shows secure and insecure m anagem ent of the device com ing in from the WAN. HTTPS and SSH access are secure.

181 Chapter 15 System 15.5 WWW Overview The following figure shows secure and insecure m anagem ent of the device com ing in from the WAN. HTTPS and SSH access are secure. HTTP, and Telnet m anagem ent access are not secure. Figure 83 Secure and I nsecure Service Access From the WAN Service Access Limitations A service cannot be used to access the device when you have disabled that service in the corresponding screen System Timeout There is a lease tim eout for adm inistrators. The device autom atically logs you out if the m anagem ent session rem ains idle for longer than this tim eout period. The m anagem ent session does not tim e out when a statistics screen is polling. Each user is also forced to log in the device for authentication again when the reauthentication tim e expires. You can change the tim eout settings in the User screens HTTPS You can set the device to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions. HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). I t relies upon certificates, public keys, and private keys (see Chapter 14 on page 157 for m ore inform ation). HTTPS on the device is used so that you can securely access the device using the Web Configurator. The SSL protocol specifies that the HTTPS server (the device) m ust always authenticate itself to the HTTPS client (the com puter which requests the HTTPS connection with the device), whereas the NWA3000-N Series User s Guide 181

Chapter 15 System HTTPS client only should authenticate itself when the HTTPS server requires it to do so (select Authenticat e Client Cert ificates in the W W W screen).

182 Chapter 15 System HTTPS client only should authenticate itself when the HTTPS server requires it to do so (select Authenticat e Client Cert ificates in the W W W screen). Authenticat e Client Cert ificat es is optional and if selected m eans the HTTPS client m ust send the device a certificate. You m ust apply for a certificate for the browser from a CA that is a trusted CA on the device. Please refer to the following figure. 1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the device s web server. 2 HTTP connection requests from a web browser go to port 80 (by default) on the device s web server. Figure 84 HTTP/ HTTPS I m plem entation Note: I f you disable HTTP in the W W W screen, then the device blocks all HTTP connection attem pts Configuring WWW Service Control Click Configurat ion > Syst em > W W W to open the W W W screen. Use this screen to specify HTTP or HTTPS settings. Figure 85 Configurat ion > Syst em > WWW > Service Cont rol 182 NWA3000-N Series User s Guide

183 Chapter 15 System The following table describes the labels in this screen. Table 73 Configurat ion > Syst em > WWW > Service Cont rol LABEL HTTPS Enable Server Port Authenticate Client Certificates Server Certificate Redirect HTTP to HTTPS HTTP Enable Server Port Apply Reset DESCRIPTION Select the check box to allow or disallow the com puter with the I P address that m atches the I P address( es) in the Service Control table to access the device Web Configurator using secure HTTPs connections. The HTTPS server listens on port 443 by default. I f you change the HTTPS server port to a different num ber on the device, for exam ple 8443, then you m ust notify people who need to access the device Web Configurator to use https: / / device I P Address: as the URL. Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the device by sending the device a certificate. To do that the SSL client m ust have a CA-signed certificate from a CA that has been im ported as a trusted CA on the device. Select a certificate the HTTPS server (the device) uses to authenticate itself to the HTTPS client. You m ust have certificates already configured in the My Cert ificates screen. To allow only secure Web Configurator access, select this to redirect all HTTP connection requests to the HTTPS server. Select the check box to allow or disallow the com puter with the I P address that m atches the I P address( es) in the Service Control table to access the device Web Configurator using HTTP connections. You m ay change the server port num ber for a service if needed, however you m ust use the sam e port num ber in order to use that service to access the device. Click Apply to save your changes back to the device. Click Reset to return the screen to its last-saved settings HTTPS Example I f you haven t changed the default HTTPS port on the device, then in your browser enter https: / / device I P Address/ as the web site address where device I P Address is the I P address or dom ain nam e of the device you wish to access Internet Explorer Warning Messages When you attem pt to access the device HTTPS server, a Windows dialog box pops up asking if you trust the server certificate. Click View Certificat e if you want to verify that the certificate is from the device. NWA3000-N Series User s Guide 183

184 Chapter 15 System You see the following Security Alert screen in I nternet Explorer. Select Yes to proceed to the Web Configurator login screen; if you select No, then Web Configurator access is blocked. Figure 86 Security Alert Dialog Box (I nternet Explorer) Avoiding Browser Warning Messages Here are the m ain reasons your browser displays warnings about the device s HTTPS server certificate and what you can do to avoid seeing the warnings: The issuing certificate authority of the device s HTTPS server certificate is not one of the browser s trusted certificate authorities. The issuing certificate authority of the device's factory default certificate is the device itself since the certificate is a self-signed certificate. For the browser to trust a self-signed certificate, im port the self-signed certificate into your operating system as a trusted certificate. To have the browser trust the certificates issued by a certificate authority, im port the certificate authority s certificate into your operating system as a trusted certificate. Refer to Appendix B on page 273 for details. 184 NWA3000-N Series User s Guide

Chapter 15 System 15.5.5.3 Login Screen After you accept the certificate, the device login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection.

You m ust have im ported at least one trusted CA to the device in order for the Authenticate Client Certificat es to be active (see the Certificates chapter for details).

185 Chapter 15 System Login Screen After you accept the certificate, the device login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection. Figure 87 Login Screen ( I nt ernet Explorer) Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Aut hent icate Client Certificates is selected on the device. You m ust have im ported at least one trusted CA to the device in order for the Authenticate Client Certificat es to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the device (see the device s Trusted CA Web Configurator screen). Figure 88 Trust ed Cert ificat es The CA sends you a package containing the CA s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). NWA3000-N Series User s Guide 185

Chapter 15 System 15.5.5.5 Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen sim ilar to the one shown next.

186 Chapter 15 System Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen sim ilar to the one shown next. 2 Click I nst all Certificate and follow the wizard as shown earlier in this appendix Installing a Personal Certificate You need a password in advance. The CA m ay issue the password or you m ay have to specify it during the enrollm ent. Double-click the personal certificate given to you by the CA to produce a screen sim ilar to the one shown next 186 NWA3000-N Series User s Guide

should autom atically appear in the File nam e text box.

187 Chapter 15 System 1 Click Next to begin the wizard. 2 The file nam e and path of the certificate you double-clicked should autom atically appear in the File nam e text box. Click Brow se if you wish to im port a different certificate. NWA3000-N Series User s Guide 187

on your com puter or select Place all certificates in the follow

188 Chapter 15 System 3 Enter the password given to you by the CA. 4 Have the wizard determ ine where the certificate should be saved on your com puter or select Place all certificates in the follow ing store and choose a different location. 188 NWA3000-N Series User s Guide

Chapter 15 System 5 Click Finish to com plete the wizard and begin the im port process. 6 You should see the following screen when the certificate is correctly installed on your com puter. 15.5.5.7 Using a Certificate When Accessing the device To access the device via HTTPS: 1 Enter https: / / device I P Address/ in your browser s web address field.

189 Chapter 15 System 5 Click Finish to com plete the wizard and begin the im port process. 6 You should see the following screen when the certificate is correctly installed on your com puter Using a Certificate When Accessing the device To access the device via HTTPS: 1 Enter https: / / device I P Address/ in your browser s web address field. NWA3000-N Series User s Guide 189

Chapter 15 System 2 When Authenticat e Client Certificates is selected on the device, the following screen asks you to select a personal certificate to send

6 SSH You can use SSH (Secure SHell) to securely access the device s com m and line interface.

190 Chapter 15 System 2 When Authenticat e Client Certificates is selected on the device, the following screen asks you to select a personal certificate to send to the device. This screen displays even if you only have a single certificate as in the exam ple. 3 You next see the Web Configurator login screen SSH You can use SSH (Secure SHell) to securely access the device s com m and line interface. SSH is a secure com m unication protocol that com bines authentication and data encryption to provide secure encrypted com m unication between two hosts over an unsecured network. I n the 190 NWA3000-N Series User s Guide

Chapter 15 System following figure, com puter B on the I nternet uses SSH to securely connect to the WAN port of the device (A) for a m anagem ent session.

191 Chapter 15 System following figure, com puter B on the I nternet uses SSH to securely connect to the WAN port of the device (A) for a m anagem ent session. Figure 89 SSH Com m unication Over the WAN Exam ple How SSH Works The following figure is an exam ple of how a secure connection is established between two rem ote hosts using SSH v1. Figure 90 How SSH v1 Works Exam ple 1 Host I dentification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a random ly generated session key with the host key and server key and sends the result back to the server. The client autom atically saves any new server public keys. I n subsequent connections, the server public key is checked against the saved version on the client com puter. 2 Encrypt ion Met hod Once the identification is verified, both the client and server m ust agree on the type of encryption m ethod to use. NWA3000-N Series User s Guide 191

192 Chapter 15 System 3 Authentication and Data Transm ission After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication inform ation (user nam e and password) to the server to log in to the server SSH Implementation on the device Your device supports SSH versions 1 and 2 using RSA authentication and four encryption m ethods (AES, 3DES, Archfour, and Blowfish). The SSH server is im plem ented on the device for m anagem ent using port 22 (by default) Requirements for Using SSH You m ust install an SSH client program on a client com puter (Windows or Linux operating system ) that is used to connect to the device over SSH Configuring SSH Click Configurat ion > Syst em > SSH to open the following screen. Use this screen to configure your NWA3000-N series AP s Secure Shell settings. Note: I t is recom m ended that you disable Telnet and FTP when you configure SSH for secure connections. Figure 91 Configurat ion > Syst em > SSH 192 NWA3000-N Series User s Guide

193 Chapter 15 System The following table describes the labels in this screen. Table 74 Configurat ion > Syst em > SSH LABEL Enable DESCRIPTION Select the check box to allow or disallow the com puter with the I P address that m atches the I P address(es) in the Service Control table to access the device CLI using this service. Version 1 Select the check box to have the device use both SSH version 1 and version 2 protocols. I f you clear the check box, the device uses only SSH version 2 protocol. Server Port Server Certificate Apply Reset You m ay change the server port num ber for a service if needed, however you m ust use the sam e port num ber in order to use that service for rem ote m anagem ent. Select the certificate whose corresponding private key is to be used to identify the device for SSH connections. You m ust have certificates already configured in the My Certificates screen. Click Apply to save your changes back to the device. Click Reset to return the screen to its last-saved settings Examples of Secure Telnet Using SSH This section shows two exam ples using a com m and interface and a graphical interface SSH client program to rem otely access the device. The configuration and connection steps are sim ilar for m ost SSH client program s. Refer to your SSH client program user s guide Example 1: Microsoft Windows This section describes how to access the device using the Secure Shell Client program. 1 Launch the SSH client and specify the connection inform ation (I P address, port num ber) for the device. 2 Configure the SSH client to accept connection using SSH version 1. 3 A window displays prom pting you to store the host key in you com puter. Click Yes to continue. Figure 92 SSH Exam ple 1: Store Host Key Enter the password to log in to the device. The CLI screen displays next. NWA3000-N Series User s Guide 193

194 Chapter 15 System Example 2: Linux This section describes how to access the device using the OpenSSH client program that com es with m ost Linux distributions. 1 Test whether the SSH service is available on the device. Enter telnet at a term inal prom pt and press [ENTER]. The com puter attem pts to connect to port 22 on the device (using the default I P address of ). A m essage displays indicating the SSH protocol version supported by the device. Figure 93 SSH Exam ple 2: Test $ telnet Trying Connected to Escape character is '^]'. SSH Enter ssh This com m and forces your com puter to connect to the device using SSH version 1. I f this is the first tim e you are connecting to the device using SSH, a m essage displays prom pting you to save the host inform ation of the device. Type yes and press [ENTER]. Then enter the password to log in to the device. Figure 94 SSH Exam ple 2: Log in $ ssh The authenticity of host ' ( )' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added ' ' (RSA1) to the list of known hosts. Administrator@ 's password: 3 The CLI screen displays next. 194 NWA3000-N Series User s Guide

195 Chapter 15 System 15.7 Telnet You can use Telnet to access the device s com m and line interface. Click Configuration > System > TELNET to configure your device for rem ote Telnet access. Use this screen to enable or disable Telnet and set the server port num ber. Figure 95 Configurat ion > Syst em > TELNET The following table describes the labels in this screen. Table 75 Configurat ion > Syst em > TELNET LABEL Enable Server Port Apply Reset DESCRIPTION Select the check box to allow or disallow the com puter with the I P address that m atches the I P address( es) in the Service Control table to access the device CLI using this service. You m ay change the server port num ber for a service if needed, however you m ust use the sam e port num ber in order to use that service for rem ote m anagem ent. Click Apply to save your changes back to the device. Click Reset to return the screen to its last-saved settings FTP You can upload and download the device s firm ware and configuration files using FTP. To use this feature, your com puter m ust have an FTP client. See Chapter 17 on page 219 for m ore inform ation about firm ware and configurat ion files. NWA3000-N Series User s Guide 195

196 Chapter 15 System To change your device s FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify FTP settings. Figure 96 Configurat ion > Syst em > FTP The following table describes the labels in this screen. Table 76 Configurat ion > Syst em > FTP LABEL Enable TLS required DESCRIPTION Select the check box to allow or disallow the com puter with the I P address that m atches the I P address( es) in the Service Control table to access the device using this service. Select the check box to use FTP over TLS (Transport Layer Security) to encrypt com m unication. This im plem ents TLS as a security m echanism to secure FTP clients and/ or servers. Server Port Server Certificate Apply Reset You m ay change the server port num ber for a service if needed, however you m ust use the sam e port num ber in order to use that service for rem ote m anagem ent. Select the certificate whose corresponding private key is to be used to identify the device for FTP connections. You m ust have certificates already configured in the My Certificates screen. Click Apply to save your changes back to the device. Click Reset to return the screen to its last- saved settings SNMP Sim ple Network Managem ent Protocol is a protocol used for exchanging m anagem ent inform ation between network devices. Your device supports SNMP agent functionality, which allows a m anager station to m anage and m onitor the device through the network. The device supports SNMP version 196 NWA3000-N Series User s Guide

197 Chapter 15 System one (SNMPv1), version two (SNMPv2c), and version three (SNMPv3). The next figure illustrates an SNMP m anagem ent operation. Figure 97 SNMP Managem ent Model An SNMP m anaged network consists of two m ain types of com ponent: agents and a m anager. An agent is a m anagem ent software m odule that resides in a m anaged device (the device). An agent translates the local m anagem ent inform ation from the m anaged device into a form com patible with SNMP. The m anager is the console through which network adm inistrators perform network m anagem ent functions. I t executes applications that control and m onitor m anaged devices. The m anaged devices contain object variables/ m anaged objects that define each piece of inform ation to be collected about a device. Exam ples of variables include such as num ber of packets received, node port status etc. A Managem ent I nform ation Base (MI B) is a collection of m anaged objects. SNMP allows a m anager and agents to com m unicate for the purpose of accessing these objects. SNMP itself is a sim ple request/ response protocol based on the m anager/ agent m odel. The m anager issues a request and the agent returns responses using the following protocol operations: Get - Allows the m anager to retrieve an object variable from the agent. GetNext - Allows the m anager to retrieve the next object variable from a table or list within an agent. I n SNMPv1, when a m anager wants to retrieve all elem ents of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. Set - Allows the m anager to set values for object variables within an agent. Trap - Used by the agent to inform the m anager of som e events. NWA3000-N Series User s Guide 197

198 Chapter 15 System Supported MIBs The device supports MI B I I that is defined in RFC-1213 and RFC The device also supports private MI Bs (ZYXEL-ES-CAPWAP.MI B, ZYXEL-ES-COMMON.MI B, ZYXEL-ES-HYBRI DAP.MI B, ZYXEL- ES-PROWLAN.MI B, ZYXEL-ES-RFMGMT.MI B, ZYXEL-ES-SMI.MI B, and ZYXEL-ES-WI RELESS.MI B) to collect inform ation about CPU and m em ory usage and VPN total throughput. The focus of the MI Bs is to let adm inistrators collect statistical data and m onitor status and perform ance. You can download the device s MI Bs from SNMP Traps The device will send traps to the SNMP m anager when any one of the following events occurs. Table 77 SNMP Traps OBJECT LABEL OBJECT ID DESCRIPTION Cold Start This trap is sent when the device is turned on or an agent restarts. linkdown This trap is sent when the Ethernet link is down. linkup This trap is sent when the Ethernet link is up. authenticationfailure This trap is sent when an SNMP request com es from non- authenticated hosts Configuring SNMP To change your device s SNMP settings, click Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings. You can also configure profiles t hat define allowed SNMPv3 access. Figure 98 Configurat ion > Syst em > SNMP 198 NWA3000-N Series User s Guide

199 Chapter 15 System The following table describes the labels in this screen. Table 78 Configurat ion > Syst em > SNMP LABEL Enable Server Port Trap Com m unity Destination SNMPv2c Get Com m unity Set Com m unity SNMPv3 Add Edit Rem ove DESCRIPTION Select the check box to allow or disallow users to access the device using SNMP. You m ay change the server port num ber for a service if needed, however you m ust use the sam e port num ber in order to use that service for rem ote m anagem ent. Type t he trap com m unity, which is the password sent wit h each t rap t o the SNMP m anager. The default is public and allows all requests. Type the I P address of the station to send your SNMP traps to. Select this to allow SNMP m anagers using SNMPv2c to access the device. Enter the Get Com m unity, which is the password for the incom ing Get and GetNext requests from the m anagem ent station. The default is public and allows all requests. Enter the Set com m unity, which is the password for incom ing Set requests from the m anagem ent station. The default is private and allows all requests. Select this to allow SNMP m anagers using SNMPv3 to access the device. Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Double-click an entry or select it and click Edit to be able to m odify the entry s settings. To rem ove an ent ry, select it and click Rem ove. The device confirm s you want to rem ove it before doing so. Note that subsequent entries m ove up by one when you take this action. # This the index num ber of an SNMPv3 user profile. User Nam e Authentication Privacy Privilege Apply Reset This is the nam e of the user for which this SNMPv3 user profile is configured. This field displays the type of authentication the SNMPv3 user m ust use to connect to the device using this SNMPv3 user profile. This field displays t he t ype of encryption t he SNMPv3 user m ust use t o connect t o the device using this SNMPv3 user profile. This field displays whether the SNMPv3 user can have read-only or read and write access to the device using this SNMPv3 user profile. Click Apply to save your changes back to the device. Click Reset to return the screen to its last-saved settings. NWA3000-N Series User s Guide 199

200 Chapter 15 System Adding or Editing an SNMPv3 User Profile This screen allows you to add or edit an SNMPv3 user profile. To access this screen, click the Configuration > System > SNMP screen s Add button or select a SNMPv3 user profile from the list and click the Edit button. Figure 99 Configurat ion > Syst em > SNMP > Add The following table describes the labels in this screen. Table 79 Configurat ion > Syst em > SNMP LABEL User Nam e Authentication DESCRIPTION Select the user nam e of the user account for which this SNMPv3 user profile is configured. Select the type of authentication the SNMPv3 user m ust use to connect to the device using this SNMPv3 user profile. Select N ON E to not authenticate the SNMPv3 user. Select MD5 to require the SNMPv3 user s password be encrypted by MD5 for authentication. Select SHA to require the SNMPv3 user s password be encrypted by SHA for authentication. Privacy Select the type of encryption the SNMPv3 user m ust use to connect to the device using this SNMPv3 user profile. Select N ON E to not encrypt the SNMPv3 com m unications. Select DES to use DES to encrypt the SNMPv3 com m unications. Select AES to use AES to encrypt the SNMPv3 com m unications. Privilege OK Cancel Select whether the SNMPv3 user can have read-only or read and write access to the device using this SNMPv3 user profile. Click OK to save your changes back to the device. Click Cancel to exit this screen without saving your changes Internal RADIUS Server The device can use its internal Rem ote Authentication Dial I n User Service (RADI US) server to authenticate the wireless clients of trusted APs. RADI US is a protocol that enables you to control access to a network by authenticating user credentials. 200 NWA3000-N Series User s Guide

201 Chapter 15 System The following figure shows how this is done. Wireless clients m ake access requests to trusted APs, which relay the requests to the device. Figure 100 Trust ed APs Overview RADIUS Server Trusted APs Wireless clients Certificates are used by wireless clients to authenticate the RADI US server. These are digital signatures that identify network devices. Certificates ensure that the clients supply their login details to the correct device. I nform ation m atching the certificate is held on the wireless client s utility. A password and user nam e on the utility m ust m atch an entry in the Object > Users screen s list so that the RADI US server can be authenticated. Note: The device can function as an AP and as a RADI US server at the sam e tim e Configuring the Internal RADIUS Server Use this screen to turn the device s internal RADI US server off or on, select the certificate it uses, and m aintain a list of trusted client APs. A trusted AP is an AP that uses the device s internal RADI US server to authenticate its wireless clients. Each wireless client m ust have a user nam e and password configured in the Object > Users screen. NWA3000-N Series User s Guide 201

202 Chapter 15 System Click Configura t ion > Syst em > Aut h. Server. The following screen displays. Figure 101 Configurat ion > Syst em > Aut h. Server The following table describes the labels in this screen. Table 80 Configurat ion > Syst em > Aut h. Server LABEL Enable Authentication Server Authentication Server Certificate Trusted Client Add Edit Rem ove Activate I nactivate DESCRIPTION Select this to have the device use its internal RADI US server to authenticate wireless clients connecting to trusted APs. Select the certificate the device s internal RADI US server uses for authenticating wireless clients connecting to trusted APs. Note: It is recommended that you replace the factory default certificate with one that uses your device's MAC address. Do this when you first log in to the device or in the Object > Certificate > My Certificates screen. Use this table to m anage the list of profiles of trusted APs for which the device authenticates wireless clients. Click this to add a new trusted AP profile. Click this to edit the selected trusted AP profile. Click this to rem ove the selected trusted AP profile. To turn on a profile, select it and click Activate. To turn off a profile, select it and click I nactivate. # This field is a sequential value, and it is not associated with a specific profile. Status Profile Nam e I P Address Mask Description This field shows whether or not the entry is activated. This field indicates the nam e assigned to the trusted AP profile. This field indicates the I P address of the trusted AP in dotted decim al notation. This field indicates the subnet m ask of the trusted AP in dotted decim al notation. The subnet m ask indicates what part of the I P address is the sam e for all com puters in the network. This field shows the inform ation listed to help identify the trusted AP profile. 202 NWA3000-N Series User s Guide

Chapter 15 System Table 80 Configuration > System > Auth. Server (continued) LABEL DESCRIPTION Apply Click OK to save your changes back to the device.

203 Chapter 15 System Table 80 Configuration > System > Auth. Server (continued) LABEL DESCRIPTION Apply Click OK to save your changes back to the device. Reset Click Reset to start configuring this screen afresh Adding or Editing a Trusted AP Profile This screen allows you to add or edit an internal RADI US server trusted AP profile. To access this screen, click the Configuration > System > Auth. Server screen s Add button or select a trusted AP profile from the list and click the Edit button. Figure 102 Configuration > System > Auth. Server > Add The following table describes the labels in this screen. Table 81 Configurat ion > Syst em > Aut h. Server LABEL Activate Profile Nam e I P Address Netm ask Secret DESCRIPTION Select this to turn on this trusted AP profile. Type a nam e for the trusted AP profile. Type the I P address of the trusted AP in dotted decim al notation. Type the subnet m ask of the trusted AP in dotted decim al notation. The subnet m ask indicates what part of the I P address is the sam e for all com puters in the network. Enter a password (up to 31 alphanum eric characters, no spaces) as the key for encrypting com m unications between the device and this entry s AP. The key is not sent over the network. This key m ust be the sam e on t he device and t he AP. Both the device s I P address and this shared secret m ust also be configured in the external RADI US server fields of the trusted AP. Description OK Cancel Type som e inform ation to help identify the trusted AP. Click OK to save your changes back to the device. Click Cancel to exit this screen without saving your changes. NWA3000-N Series User s Guide 203

204 Chapter 15 System Technical Reference This section provides som e technical background inform ation about the topics covered in this chapt er. Internal RADIUS Server PEAP (Protected EAP) and MD5 authentication is im plem ented on the internal RADI US server using sim ple usernam e and password m ethods over a secure TLS connection. See Appendix C on page 287 for m ore inform ation on the types of EAP authentication and the internal RADI US authentication m ethod used in your device. Note: The internal RADI US server does not support dom ain accounts (DOMAI N/ user). When you configure your Windows XP SP2 Wireless Zero Configuration PEAP/ MS- CHAPv2 settings, clear the Use W indow s logon nam e and passw ord check box. When authentication begins, a pop-up dialog box requests you to type a N am e, Passw ord and Dom ain of the RADI US server. Specify a nam e and password only, do not specify a dom ain. 204 NWA3000-N Series User s Guide

205 C HAPTER 16 Log and Report 16.1 Overview Use the system screens to configure daily reporting and log settings What You Can Do In this Chapter The Em ail Daily Report screen (Section 16.2 on page 205) configures how and where to send daily reports and what reports to send. The Log Setting screens (Section 16.3 on page 207) specify which logs are e-m ailed, where they are e-m ailed, and how often they are e-m ailed Daily Report Use this screen to start or stop data collection and view various statistics about traffic passing through your device. Note: Data collection m ay decrease the device s traffic throughput rate. NWA3000-N Series User s Guide 205

206 Chapter 16 Log and Report Click Configurat ion > Log & Report > Em ail Daily Report to display the following screen. Configure this screen to have the device e-m ail you system statistics every day. Figure 103 Configurat ion > Log & Report > Em ail Daily Report ( St andalone Mode) 206 NWA3000-N Series User s Guide

207 Chapter 16 Log and Report The following table describes the labels in this screen. Table 82 Configurat ion > Log & Report > Em ail Daily Report LABEL Enable Em ail Daily Report Mail Server Mail Subject Mail From Mail To SMTP Authentication User Nam e Password Send Report Now Tim e for sending report Report I tem s Reset All Counters Apply Reset DESCRIPTION Select this to send reports by e-m ail every day. Type the nam e or I P address of the outgoing SMTP server. Type the subject line for the outgoing e-m ail. Select Append system nam e to add the device s system nam e to the subject. Select Append date tim e to add the device s system date and tim e to the subject. Type the e-m ail address from which the outgoing e-m ail is delivered. This address is used in replies. Type the e-m ail address (or addresses) to which the outgoing e-m ail is delivered. Select this check box if it is necessary to provide a user nam e and password to the SMTP server. This box is effective when you select the SMTP Authentication check box. Type the user nam e to provide to the SMTP server when the log is e-m ailed. This box is effective when you select the SMTP Authentication check box. Type the password to provide to the SMTP server when the log is e-m ailed. Click this button to have the device send the daily e-m ail report im m ediately. Select the tim e of day (hours and m inutes) when the log is e-m ailed. Use 24-hour notation. Select the inform ation to include in the report. Select Reset counters after sending report successfully if you only want to see statistics for a 24 hour period. Click this to discard all report data and start all of the counters over at zero. Click Apply to save your changes back to the device. Click Reset to return the screen to its last-saved settings Log Setting These screens control log m essages and alerts. A log m essage stores the inform ation for viewing (for exam ple, in the View Log tab) or regular e-m ailing later, and an alert is e-m ailed im m ediately. Usually, alerts are used for events that require m ore serious attention, such as system errors and attacks. The device provides a system log and supports e-m ail profiles and rem ote syslog servers. The system log is available on the View Log tab, the e-m ail profiles are used to m ail log m essages to the specified destinations, and the other four logs are stored on specified syslog servers. The Log Setting tab also controls what inform ation is saved in each log. For the system log, you can also specify which log m essages are e-m ailed, where they are e-m ailed, and how often they are e-m ailed. For alerts, the Log Settings tab controls which events generate alerts and where alerts are e- m ailed. NWA3000-N Series User s Guide 207

208 Chapter 16 Log and Report The Log Settings Sum m ary screen provides a sum m ary of all the settings. You can use the Log Settings Edit screen to m aintain the detailed settings (such as log categories, e-m ail addresses, server nam es, etc.) for any log. Alternatively, if you want to edit what events is included in each log, you can also use the Active Log Sum m ary screen to edit this inform ation for all logs at the sam e tim e Log Setting Summary To access this screen, click Configuration > Log & Report > Log Setting. Figure 104 Configuration > Log & Report > Log Setting The following table describes the labels in this screen. Table 83 Configuration > Log & Report > Log Setting LABEL Edit Activate I nactivate DESCRIPTION Double-click an entry or select it and click Edit to open a screen where you can m odify the entry s settings. To turn on an entry, select it and click Activate. To turn off an entry, select it and click I nactivate. # This field is a sequential value, and it is not associated with a specific log. Nam e This field displays the nam e of the log (system log or one of the rem ote servers). 208 NWA3000-N Series User s Guide

209 Chapter 16 Log and Report Table 83 Configuration > Log & Report > Log Setting (continued) LABEL DESCRIPTION Log Form at This field displays the form at of the log. I nt ernal - system log; you can view the log on the View Log tab. VRPT/ Syslog - ZyXEL s Vantage Report, syslog- com patible form at. CEF/ Syslog - Com m on Event Form at, syslog-com patible form at. Sum m ary Active Log Sum m ary Apply This field is a sum m ary of the settings for each log. Click this button to open the Active Log Sum m ary Edit screen. Click this button to save your changes (activate and deactivate logs) and m ake them take effect. NWA3000-N Series User s Guide 209

Chapter 16 Log and Report 16.3.2 Edit Log Settings This screen controls the detailed settings for each log in the system log (which includes the e-m ail profiles).

210 Chapter 16 Log and Report Edit Log Settings This screen controls the detailed settings for each log in the system log (which includes the e-m ail profiles). Go to the Log Settings Sum m ary screen and click the system log Edit icon. Figure 105 Configuration > Log & Report > Log Setting > Edit The following table describes the labels in this screen. Table 84 Configuration > Log & Report > Log Setting > Edit LABEL Server 1/ 2 Active DESCRIPTION Select this to send log m essages and alerts according to the inform ation in this section. You specify what kinds of log m essages are included in log inform ation and what kinds of log m essages are included in alerts in the Active Log and Alert section. 210 NWA3000-N Series User s Guide

211 Chapter 16 Log and Report Table 84 Configuration > Log & Report > Log Setting > Edit (continued) LABEL Mail Server Mail Subject Send From Send Log To Send Alerts To Sending Log Day for Sending Log Tim e for Sending Log SMTP Authentication User Nam e Password Active Log and Alert System log DESCRIPTION Type the nam e or I P address of the outgoing SMTP server. Type the subject line for the outgoing e- m ail. Type the e- m ail address from which the outgoing e-m ail is delivered. This address is used in replies. Type the e- m ail address to which the outgoing e-m ail is delivered. Type the e- m ail address to which alerts are delivered. Select how often log inform ation is e-m ailed. Choices are: W hen Full, Hourly and W hen Full, Daily and W hen Full, and W eekly and W hen Full. This field is available if the log is e-m ailed weekly. Select the day of the week the log is e- m ailed. This field is available if the log is e-m ailed weekly or daily. Select the tim e of day ( hours and m inutes) when the log is e-m ailed. Use 24-hour notation. Select t his check box if it is necessary t o provide a user nam e and password to the SMTP server. This box is effective when you select the SMTP Authentication check box. Type the user nam e to provide to the SMTP server when the log is e- m ailed. This box is effective when you select the SMTP Authentication check box. Type the password to provide to the SMTP server when the log is e-m ailed. Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not log any inform ation for any category for the system log or e-m ail any logs to e-m ail server 1 or 2. enable norm al logs (green check m ark) - create log m essages and alerts for all categories for the system log. I f e-m ail server 1 or 2 also has norm al logs enabled, the device will e- m ail logs to them. enable norm al logs and debug logs (yellow check m ark) - create log m essages, alerts, and debugging inform ation for all categories. The device does not e-m ail debugging inform ation, even if this setting is selected. E-m ail Server 1 Use the E- Mail Server 1 drop-down list to change the settings for e- m ailing logs to e-m ail server 1 for all log categories. Using the Syst em Log drop-down list to disable all logs overrides your e- m ail server 1 settings. enable norm al logs (green check m ark) - e-m ail log m essages for all categories to e-m ail server 1. enable alert logs (red exclam ation point) - e-m ail alerts for all categories to e- m ail server 1. E-m ail Server 2 Use the E- Mail Server 2 drop-down list to change the settings for e- m ailing logs to e-m ail server 2 for all log categories. Using the Syst em Log drop-down list to disable all logs overrides your e- m ail server 2 settings. enable norm al logs (green check m ark) - e-m ail log m essages for all categories to e-m ail server 2. enable alert logs (red exclam ation point) - e-m ail alerts for all categories to e- m ail server 2. NWA3000-N Series User s Guide 211

212 Chapter 16 Log and Report Table 84 Configuration > Log & Report > Log Setting > Edit (continued) LABEL # This field is a sequential value, and it is not associated with a specific address. Log Category System log DESCRIPTION This field displays each category of m essages. I t is the sam e value used in the Display and Category fields in the View Log tab. The Default category includes debugging m essages generated by open source software. Select which events you want to log by Log Category. There are three choices: disable all logs (red X) - do not log any inform ation from this category enable norm al logs (green checkm ark) - create log m essages and alerts from this category enable norm al logs and debug logs (yellow check m ark) - create log m essages, alerts, and debugging inform ation from this category; the device does not e-m ail debugging inform ation, however, even if this setting is selected. E-m ail Server 1 E-m ail Server 2 Log Consolidation OK Active Log Consolidation I nterval Cancel Select whether each category of events should be included in the log m essages when it is e-m ailed ( green check m ark) and/ or in alerts (red exclam ation point) for the e- m ail settings specified in E- Mail Server 1. The device does not e-m ail debugging inform ation, even if it is recorded in the Syst em log. Select whether each category of events should be included in log m essages when it is e-m ailed (green check m ark) and/ or in alerts (red exclam ation point) for the e-m ail settings specified in E- Mail Server 2. The device does not e-m ail debugging inform ation, even if it is recorded in the System log. Select this to activate log consolidation. Log consolidation aggregates m ultiple log m essages that arrive within the specified Log Consolidation I nt erval. I n the View Log tab, the text [ count= x], where x is the num ber of original log m essages, is appended at the end of the Message field, when m ultiple log m essages were aggregated. Type how often, in seconds, to consolidate log inform ation. I f the sam e log m essage appears m ultiple tim es, it is aggregated into one log m essage with the text [ count= x], where x is the num ber of original log m essages, appended at the end of the Message field. Click this to save your changes and return to the previous screen. Click this to return to the previous screen without saving your changes. 212 NWA3000-N Series User s Guide

Chapter 16 Log and Report 16.3.3 Edit Remote Server This screen controls the settings for each log in the rem ote server (syslog).

213 Chapter 16 Log and Report Edit Remote Server This screen controls the settings for each log in the rem ote server (syslog). Go to the Log Settings Sum m ary screen and click a rem ote server Edit icon. Figure 106 Configuration > Log & Report > Log Setting > Edit Rem ote Server NWA3000-N Series User s Guide 213

214 Chapter 16 Log and Report The following table describes the labels in this screen. Table 85 Configuration > Log & Report > Log Setting > Edit Rem ote Server LABEL Log Settings for Rem ote Server Active Log Form at DESCRIPTION Select this check box to send log inform ation according to the inform ation in this section. You specify what kinds of m essages are included in log inform ation in the Active Log section. This field displays the form at of the log inform ation. I t is read-only. VRPT/ Syslog - ZyXEL s Vantage Report, syslog- com patible form at. CEF/ Syslog - Com m on Event Form at, syslog-com patible form at. Server Address Log Facility Active Log Selection Type the server nam e or the I P address of the syslog server to which to send log inform ation. Select a log facility. The log facility allows you to log the m essages to different files in the syslog server. Please see the docum entation for your syslog program for m ore inform ation. Use the Selection drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not send the rem ote server logs for any log category. enable norm al logs (green check m ark) - send the rem ote server log m essages and alerts for all log categories. enable norm al logs and debug logs (yellow check m ark) - send the rem ote server log m essages, alerts, and debugging inform ation for all log categories. # This field is a sequential value, and it is not associated with a specific address. Log Category Selection This field displays each category of m essages. I t is the sam e value used in the Display and Category fields in t he View Log tab. The Default category includes debugging m essages generated by open source software. Select what inform ation you want to log from each Log Category (except All Logs; see below). Choices are: disable all logs (red X) - do not log any inform ation from this category enable norm al logs (green checkm ark) - log regular inform ation and alerts from this category enable norm al logs and debug logs (yellow check m ark) - log regular inform ation, alerts, and debugging inform ation from this category OK Cancel Click this to save your changes and return to the previous screen. Click this to return to the previous screen without saving your changes Active Log Summary This screen allows you to view and to edit what inform ation is included in the system log, e-m ail profiles, and rem ote servers at the sam e tim e. I t does not let you change other log settings (for 214 NWA3000-N Series User s Guide

215 Chapter 16 Log and Report exam ple, where and how often log inform ation is e-m ailed or rem ote server nam es). To access this screen, go to the Log Settings Sum m ary screen, and click the Act ive Log Sum m ary button. Figure 107 Active Log Sum m ary This screen provides a different view and a different way of indicating which m essages are included in each log and each alert. (The Default category includes debugging m essages generated by open source soft ware.) NWA3000-N Series User s Guide 215

216 Chapter 16 Log and Report The following table describes the fields in this screen. Table 86 Configuration > Log & Report > Log Setting > Active Log Sum m ary LABEL Active Log Sum m ary System log DESCRIPTION I f the device is set to controller m ode, the AC section controls logs generated by the controller and the AP section controls logs generated by the m anaged APs. Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not log any inform ation for any category for the system log or e-m ail any logs to e-m ail server 1 or 2. enable norm al logs (green check m ark) - create log m essages and alerts for all categories for the system log. I f e-m ail server 1 or 2 also has norm al logs enabled, the device will e-m ail logs to them. enable norm al logs and debug logs (yellow check m ark) - create log m essages, alerts, and debugging inform ation for all categories. The device does not e-m ail debugging inform ation, even if this setting is selected. E-m ail Server 1 Use the E- Mail Server 1 drop-down list to change the settings for e-m ailing logs to e-m ail server 1 for all log categories. Using the Syst em Log drop-down list to disable all logs overrides your e-m ail server 1 settings. enable norm al logs (green check m ark) - e- m ail log m essages for all categories to e- m ail server 1. enable alert logs (red exclam ation point) - e-m ail alerts for all categories to e- m ail server 1. E-m ail Server 2 Use the E- Mail Server 2 drop-down list to change the settings for e-m ailing logs to e-m ail server 2 for all log categories. Using the Syst em Log drop-down list to disable all logs overrides your e-m ail server 2 settings. enable norm al logs (green check m ark) - e- m ail log m essages for all categories to e- m ail server 2. enable alert logs (red exclam ation point) - e-m ail alerts for all categories to e- m ail server 2. Rem ote Server 1~ 4 For each rem ote server, use the Selection drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not send the rem ote server logs for any log category. enable norm al logs (green check m ark) - send the rem ote server log m essages and alerts for all log categories. enable norm al logs and debug logs (yellow check m ark) - send the rem ote server log m essages, alerts, and debugging inform ation for all log categories. # This field is a sequential value, and it is not associated with a specific address. Log Category This field displays each category of m essages. I t is the sam e value used in the Display and Category fields in t he View Log tab. The Default category includes debugging m essages generated by open source software. 216 NWA3000-N Series User s Guide

217 Chapter 16 Log and Report Table 86 Configuration > Log & Report > Log Setting > Active Log Sum m ary (continued) LABEL System log DESCRIPTION Select which events you want to log by Log Category. There are three choices: disable all logs (red X) - do not log any inform ation from this category enable norm al logs (green checkm ark) - create log m essages and alerts from this category enable norm al logs and debug logs (yellow check m ark) - create log m essages, alerts, and debugging inform ation from this category; the device does not e-m ail debugging inform ation, however, even if this setting is selected. E-m ail Server 1 E-m ail E-m ail Server 2 E-m ail Rem ote Server 1~ 4 Select whether each category of events should be included in the log m essages when it is e-m ailed (green check m ark) and/ or in alerts (red exclam ation point) for the e-m ail settings specified in E- Mail Server 1. The device does not e-m ail debugging inform ation, even if it is recorded in the System log. Select whether each category of events should be included in log m essages when it is e-m ailed (green check m ark) and/ or in alerts (red exclam ation point) for the e-m ail settings specified in E- Mail Server 2. The device does not e- m ail debugging inform ation, even if it is recorded in the System log. For each rem ote server, select what inform ation you want to log from each Log Category ( except All Logs; see below). Choices are: disable all logs (red X) - do not log any inform ation from this category enable norm al logs (green checkm ark) - log regular inform ation and alerts from this category enable norm al logs and debug logs (yellow check m ark) - log regular inform ation, alerts, and debugging inform ation from this category OK Cancel Click this to save your changes and return to the previous screen. Click this to return to the previous screen without saving your changes. NWA3000-N Series User s Guide 217

218 Chapter 16 Log and Report 218 NWA3000-N Series User s Guide

219 C HAPTER 17 File Manager 17.1 Overview Configuration files define the device s settings. Shell scripts are files of com m ands that you can store on the device and run when you need them. You can apply a configuration file or run a shell script without the device restarting. You can store m ultiple configuration files and shell script files on the device. You can edit configuration files or shell scripts in a text editor and upload them to the device. Configuration files use a.conf extension and shell scripts use a.zysh extension What You Can Do in this Chapter The Configuration File screen (Section 17.2 on page 220) stores and nam es configuration files. You can also download and upload configurat ion files. The Firm w are Package screen (Section 17.3 on page 224) checks your current firm ware version and uploads firm ware to the device. The Shell Script screen (Section 17.4 on page 226) stores, nam es, downloads, uploads and runs shell script files What you Need to Know The following term s and concepts m ay help as you read this chapter. Configuration Files and Shell Scripts When you apply a configuration file, the device uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the device only applies the com m ands that it contains. Other settings do not change. These files have the sam e syntax, which is also identical to the way you run CLI com m ands m anually. An exam ple is shown below # enter configuration mode configure terminal # change administrator password username admin password 4321 user-type admin #configure default radio profile, change 2GHz channel to 11 & Tx output power # to 50% wlan-radio-profile default 2g-channel 11 output-power 50% exit write NWA3000-N Series User s Guide 219

220 Chapter 17 File Manager While configuration files and shell scripts have the sam e syntax, the device applies configuration files differently than it runs shell scripts. This is explained below. Table 87 Configuration Files and Shell Scripts in the device Configuration Files (.conf) Resets to default configuration. Goes into CLI Configuration m ode. Runs the com m ands in the configuration file. Shell Scripts (.zysh) Goes into CLI Privilege m ode. Runs the com m ands in the shell script. You have to run the aforem entioned exam ple as a shell script because the first com m and is run in Privilege m ode. I f you rem ove the first com m and, you have to run the exam ple as a configuration file because the rest of the com m ands are executed in Configuration m ode. Comments in Configuration Files or Shell Scripts I n a configuration file or shell script, use # or! as the first character of a com m and line to have the device treat the line as a com m ent. Your configuration files or shell scripts can use exit or a com m and line consisting of a single! to have the device exit sub com m and m ode. Note: exit or!' m ust follow sub com m ands if it is to m ake the device exit sub com m and m ode. I n the following exam ple lines 1 and 2 are com m ents. Line 5 exits sub com m and m ode.! this is from Joe # on 2010/12/05 wlan-ssid-profile default ssid Joe-AP qos wmm security default! Errors in Configuration Files or Shell Scripts When you apply a configuration file or run a shell script, the device processes the file line-by-line. The device checks the first line and applies the line if no errors are detected. Then it continues with the next line. I f the device finds an error, it stops applying the configuration file or shell script and generates a log. You can change the way a configuration file or shell script is applied. I nclude setenv stop-onerror off in the configuration file or shell script. The device ignores any errors in the configuration file or shell script and applies all of the valid com m ands. The device still generates a log for any errors Configuration File Click Maintenance > File Manager > Configuration File to open this screen. Use the Configuration File screen to store, run, and nam e configuration files. You can also download 220 NWA3000-N Series User s Guide

Chapter 17 File Manager configuration files from the device to your com puter and upload configuration files from your com puter to the device.

221 Chapter 17 File Manager configuration files from the device to your com puter and upload configuration files from your com puter to the device. Once your device is configured and functioning properly, it is highly recom m ended that you back up your configuration file before m aking further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Configuration File Flow at Restart I f there is not a st artup- config.conf when you restart the device (whether through a m anagem ent interface or by physically turning the power off and back on), the device uses the system - default.conf configuration file with the device s default settings. If there is a startup- config.conf, the device checks it for errors and applies it. I f there are no errors, t he device uses it and copies it t o t he lastgood.conf configuration file as a back up file. I f there is an error, the device generates a log and copies the st art up- config.conf configuration file to the startup- config- bad.conf configuration file and tries the existing lastgood.conf configuration file. I f there isn t a lastgood.conf configuration file or it also has an error, the device applies the system - default.conf configuration file. You can change the way the st art up- config.conf file is applied. I nclude the setenv-startup stop-on-error off com m and. The device ignores any errors in the startup- config.conf file and applies all of the valid com m ands. The device still generates a log for any errors. Figure 108 Maintenance > File Manager > Configuration File Do not turn off the device while configuration file upload is in progress. NWA3000-N Series User s Guide 221

222 Chapter 17 File Manager The following table describes the labels in this screen. Table 88 Maintenance > File Manager > Configuration File LABEL Renam e DESCRIPTION Use this button to change the label of a configuration file on the device. You can only renam e m anually saved configuration files. You cannot renam e the lastgood.conf, system - default.conf and startup- config.conf files. You cannot renam e a configuration file to the nam e of another configuration file in the device. Click a configuration file s row to select it and click Renam e to open the Renam e File screen. Specify the new nam e for the configuration file. Use up to 25 characters (including a-za-z0-9; ~!@# $% ^ &()_+ [ ] { },.= -). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. Rem ove Click a configuration file s row to select it and click Rem ove to delete it from the device. You can only delete m anually saved configuration files. You cannot delete the system - default.conf, startup- config.conf and lastgood.conf files. A pop-up window asks you to confirm that you want to delete the configuration file. Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file. Download Copy Click a configuration file s row to select it and click Dow nload to save the configuration to your com puter. Use this button to save a duplicate of a configuration file on the device. Click a configuration file s row to select it and click Copy to open the Copy File screen. Specify a nam e for the duplicate configuration file. Use up to 25 characters (including a-za-z0-9; ~!@# $% ^ &()_+ [ ] { },.= -). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. 222 NWA3000-N Series User s Guide

Chapter 17 File Manager Table 88 Maintenance > File Manager > Configuration File (continued) LABEL Apply DESCRIPTION Use this button to have the device use a specific configuration file.

223 Chapter 17 File Manager Table 88 Maintenance > File Manager > Configuration File (continued) LABEL Apply DESCRIPTION Use this button to have the device use a specific configuration file. Click a configuration file s row to select it and click Apply to have the device use that configuration file. The device does not have to restart in order to use a different configuration file, although you will need to wait for a few m inutes while the system reconfigures. The following screen gives you options for what t he device is t o do if it encounters an error in the configuration file. I m m ediately stop applying the configuration file - this is not recom m ended because it would leave the rest of the configuration blank. I f the interfaces were not configured before the first error, the console port m ay be the only way to access the device. I m m ediately stop applying the configuration file and roll back to the previous configuration - this gets the device started with a fully valid configuration file as quickly as possible. I gnore errors and finish applying the configuration file - this applies the valid parts of the configuration file and generates error logs for all of the configuration file s errors. This lets the device apply m ost of your configuration and you can refer to the logs for what to fix. I gnore errors and finish applying the configuration file and then roll back to the previous configuration - this applies the valid parts of the configuration file, generates error logs for all of the configuration file s errors, and starts the device with a fully valid configuration file. Click OK to have the device start applying the configuration file or click Cancel to close the screen # This colum n displays the num ber for each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total num ber of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. NWA3000-N Series User s Guide 223

224 Chapter 17 File Manager Table 88 Maintenance > File Manager > Configuration File (continued) LABEL File Nam e DESCRIPTION This colum n displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file nam es. The system - default.conf file contains the device s default settings. Select this file and click Apply to reset all of the device settings to the factory defaults. This configuration file is included when you upload a firm ware package. The startup- config.conf file is the configuration file that the device is currently using. I f you m ake and save changes during your m anagem ent session, the changes are applied to this configuration file. The device applies configuration changes m ade in the Web Configurator to the configuration file when you click Apply or OK. I t applies configuration changes m ade via com m ands when you use the write com m and. The last good.conf is the m ost recently used (valid) configuration file that was saved when the device last restarted. I f you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration. When you change the device s operation m ode, it backs up the configuration to a xxx-backup.conf file where xxx denotes the m ode the NWA3000-N series AP was previously using. Size Last Modified Upload Configuration File This colum n displays the size (in KB) of a configuration file. This colum n displays the date and tim e that the individual configuration files were last changed or saved. The bottom part of the screen allows you to upload a new or previously saved configuration file from your com puter to your device You cannot upload a configuration file nam ed system - default.conf or lastgood.conf. I f you upload startup- config.conf, it will replace the current configuration and im m ediately apply the new settings. File Path Type in the location of the file you want to upload in this field or click Brow se... to find it. Browse... Upload Click Brow se... to find the.conf file you want to upload. The configuration file m ust use a.conf filenam e extension. You will receive an error m essage if you try to upload a fie of a different form at. Rem em ber that you m ust decom press com pressed (.zip) files before you can upload them. Click Upload to begin the upload process. This process m ay take up to two m inutes Firmware Package Click Maintenance > File Manager > Firm w are Package to open this screen. Use the Firm w are Package screen to check your current firm ware version and upload firm ware to the device. Note: The Web Configurator is the recom m ended m ethod for uploading firm ware. You only need to use the com m and line interface if you need to recover the firm ware. See the CLI Reference Guide for how to determ ine if you need to recover the firm ware and how to recover it. Find the firm ware package at in a file that (usually) uses a.bin extension. 224 NWA3000-N Series User s Guide

Chapter 17 File Manager The firmware update can take up to five minutes. Do not turn off or reset the device while the firmware update is in progress!

225 Chapter 17 File Manager The firmware update can take up to five minutes. Do not turn off or reset the device while the firmware update is in progress! Figure 109 Maintenance > File Manager > Firm ware Package The following table describes the labels in this screen. Table 89 Maintenance > File Manager > Firm ware Package LABEL Boot Module Current Version Released Date File Path Browse... Upload DESCRIPTION This is the version of the boot m odule that is currently on the device. This is the firm ware version and the date created. This is the date that the version of the firm ware was created. Type in the location of the file you want to upload in this field or click Brow se... to find it. Click Brow se... to find the.bin file you want to upload. Rem em ber that you m ust decom press com pressed (.zip) files before you can upload them. Click Upload to begin the upload process. This process m ay take up to two m inutes. After you see the Firm w are Upload in Process screen, wait two m inutes before logging into the device again. Note: The device autom atically reboots after a successful upload. The device autom atically restarts causing a tem porary network disconnect. I n som e operating system s, you m ay see the following icon on your desktop. Figure 110 Net work Tem porarily Disconnect ed After five m inutes, log in again and check your new firm ware version in the Dashboard screen. NWA3000-N Series User s Guide 225

Chapter 17 File Manager 17.4 Shell Script Use shell script files to have the device use com m ands that you specify. Use a text editor to create the shell script files. They m ust use a.

226 Chapter 17 File Manager 17.4 Shell Script Use shell script files to have the device use com m ands that you specify. Use a text editor to create the shell script files. They m ust use a.zysh filenam e extension. Click Maintenance > File Manager > Shell Script to open this screen. Use the Shell Script screen to store, nam e, download, upload and run shell script files. You can store m ultiple shell script files on the device at the sam e tim e. Note: You should include write com m ands in your scripts. I f you do not use the write com m and, the changes will be lost when the device restarts. You could use m ultiple write com m ands in a long script. Figure 111 Maintenance > File Manager > Shell Script Each field is described in the following table. Table 90 Maint enance > File Manager > Shell Script LABEL Renam e DESCRIPTION Use this button to change the label of a shell script file on the device. You cannot renam e a shell script to the nam e of another shell script in the device. Click a shell script s row to select it and click Renam e to open the Renam e File screen. Specify the new nam e for the shell script file. Use up to 25 characters (including a-za- Z0-9; ~!@# $% ^ &()_+ [ ] { },.= - ). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. Rem ove Click a shell script file s row to select it and click Delete to delete the shell script file from the device. A pop- up window asks you to confirm that you want to delete the shell script file. Click OK t o delet e t he shell script file or click Cancel to close the screen without deleting the shell script file. Download Copy Click a shell script file s row to select it and click Dow nload to save the configuration to your com puter. Use this button to save a duplicate of a shell script file on the device. Click a shell script file s row to select it and click Copy to open the Copy File screen. Specify a nam e for the duplicate file. Use up to 25 characters (including a-za-z0-9; ~!@# $% ^ &( )_+ [ ] { },.= -). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. 226 NWA3000-N Series User s Guide

227 Chapter 17 File Manager Table 90 Maint enance > File Manager > Shell Script ( cont inued) LABEL Run DESCRIPTION Use this button to have the device use a specific shell script file. Click a shell script file s row to select it and click Run to have the device use that shell script file. You m ay need to wait awhile for the device to finish applying the com m ands. # This colum n displays the num ber for each shell script file entry. File Nam e Size Last Modified Upload Shell Script File Path Browse... Upload This colum n displays the label that identifies a shell script file. This colum n displays the size ( in KB) of a shell script file. This colum n displays the date and tim e that the individual shell script files were last changed or saved. The bottom part of the screen allows you to upload a new or previously saved shell script file from your com puter to your device. Type in the location of the file you want to upload in this field or click Brow se... to find it. Click Brow se... to find the.zysh file you want to upload. Click Upload to begin the upload process. This process m ay take up to several m inutes. NWA3000-N Series User s Guide 227

228 Chapter 17 File Manager 228 NWA3000-N Series User s Guide

229 C HAPTER 18 Diagnostics 18.1 Overview Use the diagnostics screens for troubleshooting What You Can Do in this Chapter The Diagnostics screen (Section 18.2 on page 229) generates a file containing the device s configuration and diagnostic inform ation if you need to provide it to custom er support during t roubleshoot ing. The Packet Capture screen (Section 18.3 on page 230) captures data packets going through the device. The W ireless Fram e Capture screens (Section 18.4 on page 233) capture network traffic going through the AP interfaces connected to your device Diagnostics This screen provides an easy way for you to generate a file containing the device s configuration and diagnostic inform ation. You m ay need to generate this file and send it to custom er support during t roubleshoot ing. Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 112 Maintenance > Diagnostics NWA3000-N Series User s Guide 229

230 Chapter 18 Diagnostics The following table describes the labels in this screen. Table 91 Maint enance > Diagnost ics LABEL Filenam e Last m odified Size Collect Now Download DESCRIPTION This is the nam e of the m ost recently created diagnostic file. This is the date and tim e that the last diagnostic file was created. The form at is yyyy-m m -dd hh: m m : ss. This is the size of the m ost recently created diagnostic file. Click this to have the device create a new diagnostic file. Click this to save the m ost recent diagnostic file to a com puter Packet Capture Use this screen to capture network traffic going through the device s interfaces. Studying these packet captures m ay help you identify network problem s. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. Note: New capture files overwrite existing files of the sam e nam e. Change the File Suffix field s setting to avoid this. Figure 113 Maintenance > Diagnostics > Packet Capture > Capture 230 NWA3000-N Series User s Guide

231 Chapter 18 Diagnostics The following table describes the labels in this screen. Table 92 Maint enance > Diagnost ics > Packet Capt ure LABEL I nterfaces I P Type Host I P Host Port File Size DESCRIPTION Enabled interfaces (except for virtual interfaces) appear under Available I nterfaces. Select interfaces for which to capture packets and click the right arrow button to m ove them to the Capt ure I nt erfaces list. Use the [ Shift] and/ or [ Ctrl] key to select m ultiple objects. Select the protocol of traffic for which to capture packets. Select any to capture packets for all types of traffic. Select a host I P address object for which to capture packets. Select any to capture packets for all hosts. Select User Defined t o be able t o ent er an I P address. This field is configurable when you set the I P Type to any, tcp, or udp. Specify the port num ber of traffic to capture. Specify a m axim um size lim it in kilobytes for the total com bined size of all the capture files on the device, including any existing capture files and any new capture files you generate. Note: If you have existing capture files you may need to set this size larger or delete existing capture files. The valid range is 1 to The device stops the capture and generates the capture file when either the file reaches this size or the tim e period specified in the Duration field expires. Duration File Suffix Set a tim e lim it in seconds for the capture. The device stops the capture and generates the capture file when either this period of tim e has passed or the file reaches the size specified in the File Size field. 0 m eans there is no tim e lim it. Specify text to add to the end of the file nam e (before the dot and filenam e extension) to help you identify the packet capture files. Modifying the file suffix also avoids m aking new capture files that overwrite existing files of the sam e nam e. The file nam e form at is interface nam e-file suffix.cap, for exam ple lanpacket-capture.cap. Num ber Of Bytes To Capture (Per Packet) Capture Specify the m axim um num ber of bytes to capture per packet. The device autom atically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets m ay be larger than the size of captured packets. Click this button to have the device capture packets according to the settings configured in this screen. You can configure the device while a packet capture is in progress although you cannot m odify the packet capture settings. The device s throughput or perform ance m ay be affected while a packet capture is in progress. After the device finishes the capture it saves a separate capture file for each selected interface. The total num ber of packet capture files that you can save depends on the file sizes and the available flash storage space. Once the flash storage space is full, adding m ore packet captures will fail. Stop Reset Click this button to stop a currently running packet capture and generate a separate capture file for each selected interface. Click this button to return the screen to its last- saved settings. NWA3000-N Series User s Guide 231

232 Chapter 18 Diagnostics Packet Capture Files Click Maintenance > Diagnostics > Packet Capture > Files to open the packet capture files screen. This screen lists the files of packet captures the device has perform ed. You can download the files to your com puter where you can study them using a packet analyzer (also known as a net work or prot ocol analyzer) such as Wireshark. Figure 114 Maintenance > Diagnostics > Packet Capture > Files The following table describes the labels in this screen. Table 93 Maint enance > Diagnost ics > Packet Capt ure > Files LABEL Rem ove Download DESCRIPTION Select files and click Rem ove to delete them from the device. Use the [ Shift] and/ or [ Ctrl] key to select m ultiple files. A pop-up window asks you to confirm that you want to delete. Click a file to select it and click Dow nload to save it to your com puter. # This colum n displays the num ber for each packet capture file entry. The total num ber of packet capture files that you can save depends on the file sizes and the available flash storage space. File Nam e Size Last Modified This colum n displays the label that identifies the file. The file nam e form at is interface nam e-file suffix.cap. This colum n displays the size (in bytes) of a configuration file. This colum n displays the date and tim e that the individual files were saved Example of Viewing a Packet Capture File Here is an exam ple of a packet capture file viewed in the Wireshark packet analyzer. Notice that the size of fram e 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The device 232 NWA3000-N Series User s Guide

Chapter 18 Diagnostics truncated the fram e because the capture screen s Num ber Of Bytes To Capture ( Per Packet ) field was set to 1500 bytes. Figure 115 Packet Capture File Exam ple 18.

233 Chapter 18 Diagnostics truncated the fram e because the capture screen s Num ber Of Bytes To Capture ( Per Packet ) field was set to 1500 bytes. Figure 115 Packet Capture File Exam ple 18.4 Wireless Frame Capture Use this screen to capture wireless network traffic going through the AP interfaces connected to your device. Studying these fram e captures m ay help you identify network problem s. Click Maintenance > Diagnostics > W ireless Fram e Capt ure to display this screen. NWA3000-N Series User s Guide 233

234 Chapter 18 Diagnostics Note: New capture files overwrite existing files of the sam e nam e. Change the File Suffix field s setting to avoid this. Figure 116 Maintenance > Diagnostics > Wireless Fram e Capture > Capture The following table describes the labels in this screen. Table 94 Maint enance > Diagnost ics > Wireless Fram e Capt ure > Capt ure LABEL AP Operating Mode Wireless Radio 1 operating m ode Please configure at least one radio to MON m ode. MON Mode APs Configure AP to MON Mode Available MON Mode APs DESCRIPTION This section appears when the device is set to the standalone AP m ode. This field shows whether the radio is set to function as an AP or a m onitor. Click this to go the Configuration > W ireless > AP Managem ent screen, where you can set a radio to m onitor m ode. This section appears when the device is set to the controller m ode. Click this to go the Configuration > W ireless > AP Managem ent screen, where you can set one or m ore APs to m onitor m ode. This colum n displays which APs on your wireless network are currently configured for m onitor m ode. Use the arrow buttons to m ove APs off this list and onto the Captured MON Mode APs list. Capture MON Mode APs Misc Setting File Size This colum n displays the m onitor-m ode configured APs selected to for wireless fram e capture. Specify a m axim um size lim it in kilobytes for the total com bined size of all the capture files on the device, including any existing capture files and any new capture files you generate. Note: If you have existing capture files you may need to set this size larger or delete existing capture files. The valid range is 1 to The device stops the capture and generates the capture file when either the file reaches this size or the tim e period specified in the Duration field expires. 234 NWA3000-N Series User s Guide

235 Chapter 18 Diagnostics Table 94 Maintenance > Diagnostics > Wireless Fram e Capture > Capture (continued) LABEL File Prefix DESCRIPTION Specify text to add to the front of the file nam e in order to help you identify fram e capture files. You can m odify the prefix to also create new fram e capture files each tim e you perform a fram e capture operation. Doing this does no overwrite existing fram e capture files. The file form at is: [ file prefix].dum p. For exam ple, m onitor.dum p. Capture Click this button to have the device capture fram es according to the settings configured in this screen. You can configure the device while a fram e capture is in progress although you cannot m odify the fram e capture settings. The device s throughput or perform ance m ay be affected while a fram e capture is in progress. After the device finishes the capture it saves a com bined capture file for all APs. The total num ber of fram e capture files that you can save depends on the file sizes and the available flash storage space. Once the flash storage space is full, adding m ore fram e captures will fail. Stop Reset Click this button to stop a currently running fram e capture and generate a com bined capture file for all APs. Click this button to return the screen to its last- saved settings Wireless Frame Capture Files Click Maintenance > Diagnostics > W ireless Fram e Capt ure > Files to open this screen. This screen lists the files of wireless fram e captures the device has perform ed. You can download the files to your com puter where you can study them using a packet analyzer (also known as a network or prot ocol analyzer) such as Wireshark. Figure 117 Maintenance > Diagnostics > Wireless Fram e Capture > Files The following table describes the labels in this screen. Table 95 Maint enance > Diagnost ics > Wireless Fram e Capt ure > Files LABEL Rem ove Download DESCRIPTION Select files and click Rem ove to delete them from the device. Use the [ Shift] and/ or [ Ctrl] key to select m ultiple files. A pop-up window asks you to confirm that you want to delete. Click a file to select it and click Dow nload to save it to your com puter. # This colum n displays the num ber for each packet capture file entry. The total num ber of packet capture files that you can save depends on the file sizes and the available flash storage space. NWA3000-N Series User s Guide 235

236 Chapter 18 Diagnostics Table 95 Maint enance > Diagnost ics > Wireless Fram e Capt ure > Files ( cont inued) LABEL File Nam e Size Last Modified DESCRIPTION This colum n displays the label that identifies the file. The file nam e form at is interface nam e-file suffix.cap. This colum n displays the size (in bytes) of a configuration file. This colum n displays the date and tim e that the individual files were saved. 236 NWA3000-N Series User s Guide

237 C HAPTER 19 Reboot 19.1 Overview Use this to restart the device What You Need To Know I f you applied changes in the Web configurator, these were saved autom atically and do not change when you reboot. I f you m ade changes in the CLI, however, you have to use the write com m and to save the configuration before you reboot. Otherwise, the changes are lost when you reboot. Reboot is different to reset; reset returns the device to its default configuration Reboot This screen allows rem ote users can restart the device. To access this screen, click Maintenance > Reboot. Figure 118 Maint enance > Reboot Click the Reboot button to restart the device. Wait a few m inutes until the login screen appears. I f the login screen does not appear, type the I P address of the device in your Web browser. You can also use the CLI com m and reboot to restart the device. NWA3000-N Series User s Guide 237

238 Chapter 19 Reboot 238 NWA3000-N Series User s Guide

239 C HAPTER 20 Shutdown 20.1 Overview Use this screen to shutdown the device. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the device or remove the power. Not doing so can cause the firmware to become corrupt What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes. Shutdown is different to reset; reset returns the device to its default configuration Shutdown To access this screen, click Maintenance > Shutdow n. Figure 119 Maint enance > Shut down Click the Shut dow n button to shut down the device. Wait for the device to shut down before you m anually turn off or rem ove the power. I t does not turn off the power. You can also use the CLI com m and shutdown to shutdown the device. NWA3000-N Series User s Guide 239

240 Chapter 20 Shutdown 240 NWA3000-N Series User s Guide

241 C HAPTER 21 Troubleshooting 21.1 Overview This chapter offers som e suggestions to solve problem s you m ight encounter. The potential problem s are divided into the following categories. Power, Hardware Connect ions, and LEDs device Access and Login I nternet Access Wireless AP Troubleshoot ing Resetting the device 21.2 Power, Hardware Connections, and LEDs The device does not turn on. None of the LEDs turn on. 1 Make sure you are using the power adaptor included with the device or a PoE power injector. 2 Make sure the power adaptor or PoE power injector is connected to the device and plugged in to an appropriate power source. Make sure the power source is turned on. 3 Disconnect and re-connect the power adaptor or PoE power injector. 4 I nspect your cables for dam age. Contact the vendor to replace any dam aged cables. 5 I f none of these steps work, you m ay have faulty hardware and should contact your device vendor. One of the LEDs does not behave as expected. 1 Make sure you understand the norm al behavior of the LED. See Section 1.7 on page Check the hardware connections. See the Quick Start Guide. 3 I nspect your cables for dam age. Contact the vendor to replace any dam aged cables. 4 Disconnect and re-connect the power adaptor or PoE power injector to the device. NWA3000-N Series User s Guide 241

242 Chapter 21 Troubleshooting 5 I f the problem continues, contact the vendor device Access and Login I forgot the I P address for the device. 1 The default I P address is Use the com m ands through the console port to check the I P address. Connect your com puter to the CONSOLE port using a console cable. Your com puter should have a term inal em ulation com m unications program (such as HyperTerm inal) set to VT100 term inal em ulation, no parity, 8 data bits, 1 stop bit, no flow control and bps port speed. 3 I f this does not work, you have to reset the device to its factory defaults. See Section 21.6 on page 249. I cannot see or access the Login screen in the web configurator. 1 Make sure you are using the correct I P address. The default I P address is I f you changed the I P address, use the new I P address. I f you changed the I P address and have forgotten it, see the troubleshooting suggestions for I forgot the I P address for the device. 2 Check the hardware connections, and m ake sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.7 on page Make sure your I nternet browser does not block pop-up windows and has JavaScripts and Java enabled. 4 Make sure your com puter is in the sam e subnet as the device. (I f you know that there are routers between your com puter and the device, skip this step.) I f there is no DHCP server on your network, m ake sure your com puter s I P address is in the sam e subnet as the device. 5 Reset the device to its factory defaults, and try to access the device with the default I P address. See your Quick Start Guide. 6 I f the problem continues, contact the network adm inistrator or vendor, or try one of the advanced suggest ions. Adva nced Suggest ions 242 NWA3000-N Series User s Guide

243 Chapter 21 Troubleshooting Try to access the device using another service, such as Telnet. I f you can access the device, check the rem ote m anagem ent settings to find out why the device does not respond to HTTP. I f your com puter is connected wirelessly, use a com puter that is connected to a LAN / ETHERNET port. I f you ve forgotten the device s I P address, you can use the com m ands through the console port to check it. Connect your com puter to the CONSOLE port using a console cable. Your com puter should have a term inal em ulation com m unications program (such as HyperTerm inal) set to VT100 term inal em ulation, no parity, 8 data bits, 1 stop bit, no flow control and bps port speed. I forgot the password. 1 The default password is I f this does not work, you have to reset the device to its factory defaults. See Section 21.6 on page 249. I can see the Login screen, but I cannot log in to the device. 1 Make sure you have entered the user nam e and password correctly. The default password is This fields are case-sensitive, so m ake sure [ Caps Lock] is not on. 2 You cannot log in to the web configurator while som eone is using Telnet to access the device. Log out of the device in the other session, or ask the person who is logged in to log out. 3 Disconnect and re-connect the power adaptor or PoE power injector to the device. 4 I f this does not work, you have to reset the device to its factory defaults. See Section 21.6 on page 249. I cannot access the device via the console port. 1 Check to see if the device is connected to your com puter's console port. 2 Check to see if the com m unications program is configured correctly. The com m unications software should be configured as follows: VT100 term inal em ulation bps is the default speed on leaving the factory. Try other speeds in case the speed has been changed. No parity, 8 data bits, 1 stop bit, data flow set to none. NWA3000-N Series User s Guide 243

244 Chapter 21 Troubleshooting I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firm ware. See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. I gnore the suggestions about your browser Internet Access I cannot access the I nternet. 1 Check the hardware connections, and m ake sure the LEDs are behaving as expected. See the Quick Start Guide and Section 21.2 on page Make sure you entered your I SP account inform ation correctly. These fields are case-sensitive, so m ake sure [ Caps Lock] is not on. 3 I f you are trying to access the I nternet wirelessly, m ake sure the wireless settings on the wireless client are the sam e as the settings on the AP. 4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. 5 I f the problem continues, contact your I SP. I cannot access the I nternet anym ore. I had access to the I nternet (with the device), but m y I nternet connection is not available anym ore. 1 Check the hardware connections, and m ake sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.7 on page Reboot the device. 3 I f the problem continues, contact your I SP. The I nternet connection is slow or interm ittent. 1 There m ight be a lot of traffic on the network. Look at the LEDs, and check Section 1.7 on page 25. I f the device is sending or receiving a lot of inform ation, try closing som e program s that use the I nternet, especially peer-to-peer applications. 244 NWA3000-N Series User s Guide

245 Chapter 21 Troubleshooting 2 Check the signal strength. I f the signal is weak, try m oving the device closer to the AP (if possible), and look around to see if there are any devices that m ight be interfering with the wireless network (m icrowaves, other wireless networks, and so on). 3 Reboot the device. 4 I f the problem continues, contact the network adm inistrator or vendor, or try one of the advanced suggest ions. Adva nced Suggest ions Check the settings for QoS. I f it is disabled, you m ight consider activating it. I f it is enabled, you m ight consider raising or lowering the priority for som e applications Wireless AP Troubleshooting I cannot access the device or ping any com puter from the WLAN. 1 Make sure the wireless LAN is enabled on the device 2 Make sure the wireless adapter on the wireless station is working properly. 3 Make sure the wireless adapter (installed on your com puter) is I EEE com patible and supports the sam e wireless standard as the device. 4 Make sure your com puter (with a wireless adapter installed) is within the transm ission range of the device. 5 Check that both the device and your wireless station are using the sam e wireless and wireless security set t ings. 6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the device. 7 Make sure you allow the device to be rem otely accessed through the WLAN interface. Check your rem ote m anagem ent settings. Hackers have accessed m y WEP-encrypted wireless LAN. WEP is extrem ely insecure. I ts encryption can be broken by an attacker, using widely-available software. I t is strongly recom m ended that you use a m ore effective security m echanism. Use the strongest security m echanism that all the wireless devices in your network support. WPA2 or WPA2- PSK is recom m ended. The wireless security is not following the re-authentication tim er setting I specified. NWA3000-N Series User s Guide 245

246 Chapter 21 Troubleshooting I f a RADI US server authenticates wireless stations, the re-authentication tim er on the RADI US server has priority. Change the RADI US server s configuration if you need to use a different reauthentication tim er setting. Device HA is not working. You m ay need to disable STP (Spanning Tree Protocol). The m aster and its backups m ust all use the sam e device HA m ode (active-passive). Configure a static I P address for each interface that you will have device HA m onitor. Configure a separate m anagem ent I P address for each interface. You can use it to access the device for m anagem ent whether the device is the m aster or a backup. The m anagem ent I P address should be in the sam e subnet as the interface I P address. Enable m onitoring for the sam e interfaces on the master and backup devices. Each m onitored interface m ust have a static I P address and be connected to the sam e subnet as the corresponding interface on the backup or m aster device. I f you have m ultiple device virtual routers on your network, use a different cluster I D to identify each virtual router. There can only be one m aster device in each virtual router (sam e cluster I D). A broadcast storm results when I turn on Device HA. Do not connect the bridge interfaces on two devices without device HA activated on both. Either activate device HA before connecting the bridge interfaces or disable the bridge interfaces, connect the bridge interfaces, activate device HA, and finally reactivate the bridge interfaces. I cannot get the Device HA synchronization to work. Only devices of the sam e m odel and firm ware version can synchronize. I cannot get a certificate to im port into the device. 1 For My Certificat es, you can im port a certificate that m atches a corresponding certification request that was generated by the device. You can also im port a certificate in PKCS# 12 form at, including the certificate s public and private keys. 2 You m ust rem ove any spaces from the certificate s filenam e before you can im port the certificate. 3 Any certificate that you want to im port has to be in one of these file form ats: Binary X.509: This is an I TU-T recom m endation that defines the form ats for X.509 certificates. PEM (Base-64) encoded X.509: This Privacy EnhancedMail form at uses lowercase letters, uppercase letters and num erals to convert a binary X.509 certificate into a printable form. 246 NWA3000-N Series User s Guide

247 Chapter 21 Troubleshooting Binary PKCS# 7: This is a standard that defines the general syntax for data (including digital signatures) that m ay be encrypted. A PKCS # 7 file is used to transfer a public key certificate. The private key is not included. The device currently allows the im portation of a PKS# 7 file that contains a single certificate. PEM (Base-64) encoded PKCS# 7: This Privacy Enhanced Mail (PEM) form at uses lowercase letters, uppercase letters and num erals to convert a binary PKCS# 7 certificate into a printable form. Binary PKCS# 12: This is a form at for transferring public key and private key certificates.the private key in a PKCS # 12 file is within a password-encrypted envelope. The file s password is not connected to your certificate s public or private passwords. Exporting a PKCS # 12 file creates this and you m ust provide it to decrypt the contents when you im port the file into the device. Note: Be careful not to convert a binary file to text during the transfer process. I t is easy for this to occur since m any program s use text files by default. I can only see newer logs. Older logs are m issing. When a log reaches the m axim um num ber of log m essages, new log m essages autom atically overwrite existing log m essages, starting with the oldest existing log m essage first. The com m ands in m y configuration file or shell script are not working properly. I n a configuration file or shell script, use # or! as the first character of a com m and line to have the device treat the line as a com m ent. Your configuration files or shell scripts can use exit or a com m and line consisting of a single! to have the device exit sub com m and m ode. Include write com m ands in your scripts. Otherwise the changes will be lost when the device restarts. You could use m ultiple write com m ands in a long script. Note: exit or!' m ust follow sub com m ands if it is to m ake the device exit sub com m and m ode. I cannot get the firm ware uploaded using the com m ands. The Web Configurator is the recom m ended m ethod for uploading firm ware. You only need to use the com m and line interface if you need to recover the firm ware. See the CLI Reference Guide for how to determ ine if you need to recover the firm ware and how to recover it. My packet capture captured less than I wanted or failed. The packet capture screen s File Size sets a m axim um size lim it for the total com bined size of all the capture files on the device, including any existing capture files and any new capture files you NWA3000-N Series User s Guide 247

248 Chapter 21 Troubleshooting generate. I f you have existing capture files you m ay need to set this size larger or delete existing capt ure files. The device stops the capture and generates the capture file when either the capture files reach the File Size or the tim e period specified in the Durat ion field expires. My earlier packet capture files are m issing. New capture files overwrite existing files of the sam e nam e. Change the File Suffix field s setting to avoid this. Wireless clients cannot connect to an AP. There m ay be a configuration m ism atch between the wireless clients and the AP. or an incorrect VLAN topology. See Chapter 4 on page 49 for a sim ple prim er on basic network topology and m anagem ent. The wireless client s MAC address m ay be on the MAC filtering list. See Section on page 147 for details on m anaging the device MAC Filter. The wireless client m ay not be able to get an I P: Check the wireless client s own network configuration settings to ensure that it is set up to receive its I P address autom atically. I f the device or a connected I nternet access device are m anaging the network with static I Ps, m ake sure that the server settings for issuing those I Ps are properly configured. Check the wireless client s own network settings to ensure it is already set up with its static I P address. Authentication of the wireless client with the authentication server m ay have failed. Ensure the AP profile assigned to the AP uses a security profile that is properly configured and which is m atches the security settings in use by the device. For exam ple, if the security m ode on the AP is set to WPA/ WPA2 then m ake sure the authentication server is running and able to com plete the 802.1x authentication sequence. See Chapter 12 on page 135 and Section on page 200 for m ore. I f you cannot solve the problem on your own, before contacting Custom er Support use the builtin wireless fram e capture tools (Chapter 18 on page 229) to capture data that can be used for m ore granular troubleshooting procedures. To use the built-in wireless fram e capture tool, first set up a second device nearby to act as a Monitor AP (Chapter 9 on page 101). The AP status is registered as offline even though it is on. Check the network connections between the device and the AP to ensure they are still intact. The AP m ay be suffering from instability. Disconnect it to turn its power off, wait som e tim e, then reconnect it and see if that resolves the issue. The CAPWAP daem on m ay be down. Use the device s built-in diagnostic tools and CLI console to get CAPWAP debug m essages which can later be sent to custom er service for analysis. 248 NWA3000-N Series User s Guide

249 Chapter 21 Troubleshooting Wireless clients are not being load balanced am ong m y APs. Make sure that all the APs used by the wireless clients in question share the sam e SSI D, security, and radio settings. Make sure that all the APs are in the sam e broadcast dom ain. Make sure that the wireless clients are in range of the other APs; if they are only in range of a single AP, then load balancing m ay not be as effective. I n the Monitor > W ireless > AP I nform ation > Radio List page, there is no load balancing indicator associated with any APs assigned to the load balancing task. Check to be sure that the AP profile which contains the load balancing settings is correctly assigned to the APs in question. The load balancing task m ay have been term inated because further load balancing on the APs in quest ion is no longer required Resetting the device I f you cannot access the device by any m ethod, try restarting it by turning the power off and then on again. I f you still cannot access the device by any m ethod or you forget the adm inistrator password(s), you can reset the device to its factory-default settings. Any configuration files or shell scripts that you saved on the device should still be available afterwards. Use the following procedure to reset the device to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system -default.conf file. Note: This procedure rem oves the current configuration. 1 Make sure the PW R\ SYS LED is on and not blinking. 2 Press the RESET button and hold it until the PW R\ SYS LED begins to blink. (This usually takes about five seconds.) 3 Release the RESET button, and wait for the device to restart. You should be able to access the device using the default settings Getting More Troubleshooting Help Search for support inform ation for your m odel at for m ore troubleshooting suggest ions. NWA3000-N Series User s Guide 249

250 Chapter 21 Troubleshooting 250 NWA3000-N Series User s Guide

251 C HAPTER 22 Product Specifications The following tables sum m arize the device s hardware and firm ware features. Table 96 Hardware Specificat ions Power Specification Reset button Ethernet Port Power over Ethernet (PoE) Console Port Antenna 12 V DC, 1.5 A Returns all settings to their factory defaults. Gigabit Ethernet, full duplex, RJ- 45 connectors, auto-negotiating, auto- MDI / MDI X ( auto- crossover, uses either crossover or straight- through Ethernet cables). I EEE 802.3at com pliant, backwards com patible to 802.3af One PS-2 console port 2 reverse SMA antenna connectors 2 external dipole antennas, Gain: 2 dbi Output Power I EEE a: Using single antenna: 12dBm I EEE a: Using single antenna: 18dbm I EEE b Using single antenna: 17dBm I EEE g Using single antenna: 14dBm I EEE gn: HT20 Using single antenna: 12.5dBm Using three antennas: 17dBm I EEE gn: HT40 Using single antenna: 8.5 dbm Using three antennas: 13 dbm I EEE an: HT20 / HT Using single antenna: 7.5 dbm Using three antennas: 12 dbm I EEE an: HT20 / HT Using single antenna: 13.5 dbm Using three antennas: 18 dbm Theft Prevention Operating Tem perature Storage Tem perature Operating Hum idity Kengsinton slot 0 ~ 40 º C -30 ~ 70 º C 10 ~ 90 % (non-condensing) NWA3000-N Series User s Guide 251

252 Chapter 22 Product Specifications Table 96 Hardware Specificat ions Storage Hum idity Dim ensions Weight Distance between the centers of wallm ounting holes on the device s back. Screw size for wallm ounting Plenum Rating 10 ~ 90 % (non-condensing) m m (L) x 138.5m m (W) x 47.5m m (H) 450 g 140 m m M4 Tap Screw. See Figure 121 on page 254 for details. The device s housing is treated with fire- retardant chem icals. I n the event of fire, plenum -rated m aterials burn m ore slowly and produce less sm oke than non-plenum -rated m aterials, decreasing the quantity of toxic or asphyxiating m aterial produced. Table 97 Firm ware Specifications Default I P Address Default Subnet Mask Default Password (24 bits) Wireless LAN Standards I EEE a, I EEE b, I EEE g, I EEE n Security and Control WPA and WPA2 (Wi-FiProtected Access) support, Mixed WPA and WPA2 support 64 and 128 bit WEP, Mixed 802.1x/ WEP and WPA support 802.1x authentication EAP-TLS, EAP-TTLS, -PEAP, -SI M, -FAST, -AKA support AES, TKI P & WEP encryption support MBSSI D m ode allows the device to operate up to 8 different wireless networks (BSSs) sim ultaneously, each with independentlyconfigurable wireless and security settings. Use up to 8 sim ultaneous BSSI Ds and configure up to 64 SSI D profiles SSI D-based RADI US server selection Secure AP control & m anagem ent over GRE CAPWAP standard based solution Sim ultaneous centralized & distributed WLAN support I nternal RADI US server supporting PEAP/ TTLS/ MD5 with a 32-entry trusted AP list and 512- entry local user list MAC address filtering through WLAN (support 512 MAC address entries in each profile) Blocking I ntra-bss Traffic Support Prim ary and Backup RADI US server SSH HTTPS Quality of Service WMM certified (prioritizes wireless traffic) Pre-authentication (WPA2 only) PMK caching for fast roam ing (WPA2 only) DiffServ m arking AP Load Balancing Wireless I ntrusion Prevention VLAN The device can balance wireless network traffic between the APs on your network by station quantity or by traffic volum e. Rogue AP detection, classification, and suppression 802.1Q VLAN tagging 252 NWA3000-N Series User s Guide

253 Chapter 22 Product Specifications Table 97 Firm ware Specifications STP ( Spanning Tree Protocol) / RSTP (Rapid STP) Certificates SSL Passthrough MAC Address Filter Wireless Association List Logging and Tracing Em bedded FTP Server SNMP DFS CAPWAP (R)STP detects and breaks network loops and provides backup links between switches, bridges or routers. I t allows a bridge to interact with other (R)STP-com pliant bridges in your network to ensure that only one path exists between any two stations on the network. The device can use certificates (also called digital I Ds) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication. SSL (Secure Sockets Layer) uses a public key to encrypt data that's transm itted over an SSL connection. Both Netscape Navigator and I nternet Explorer support SSL, and m any Web sites use the protocol to obtain confidential user inform ation, such as credit card num bers. By convention, URLs that require an SSL connection start with https instead of http. The device allows SSL connections to take place through the device. Your device checks the MAC address of the wireless station against a list of allowed or denied MAC addresses. With the wireless association list, you can see the list of the wireless stations that are currently using the device to access your wired network. Built-in m essage logging and packet tracing. The device stores up to 512 event logs or 1024 debug logs. The em bedded FTP server enables fast firm ware upgrades as well as configuration file backups and restoration. SNMP (Sim ple Network Managem ent Protocol) is a protocol used for exchanging m anagem ent inform ation between network devices. SNMP is a m em ber of the TCP/ I P protocol suite. Your device supports SNMP agent functionality, which allows a m anger station to m anage and m onitor the device through the network. The device supports SNMP version one ( SNMPv1), version two c (SNMPv2c), and version three (SNMPv3). DFS (Dynam ic Frequency Selection) and TPC (Transm it Power Control) from I EEE h allows a wider choice of a wireless channels. The device can be m anaged via CAPWAP (Control And Provisioning of Wireless Access Points), which allows m ultiple APs to be configured and m anaged by a single AP controller Wall-Mounting Instructions Com plete the following steps to hang your device on a wall. Note: See Table 96 on page 251 for the size of screws to use and how far apart to place them. 1 Select a position free of obstructions on a sturdy wall. 2 Drill two holes for the screws. Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws. NWA3000-N Series User s Guide 253

254 Chapter 22 Product Specifications 3 Do not insert the screws all the way into the wall. Leave a sm all gap of about 0.5 cm between the heads of the screws and the wall. 4 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the device with the connection cables. 5 Align the holes on the back of the device with the screws on the wall. Hang the device on the screws. Figure 120 Wall-m ounting Exam ple The following are dim ensions of an M4 tap screw and m asonry plug used for wall m ounting. All m easurem ents are in m illim eters (m m ). Figure 121 Masonry Plug and M4 Tap Screw 254 NWA3000-N Series User s Guide

255 APPENDIX A Log Descriptions This appendix provides descript ions of exam ple log m essages. The ZySH logs deal with internal system errors. Table 98 ZySH Logs LOG MESSAGE Invalid message queue. Maybe someone starts another zysh daemon. ZySH daemon is instructed to reset by %d System integrity error! Group OPS cannot close property group cannot close group %s: cannot get size of group %s: cannot specify properties for entry %s %s: cannot join group %s, loop detected cannot create, too many groups (>%d) %s: cannot find entry %s %s: cannot remove entry %s List OPS DESCRIPTION 1st: pid num 1st: zysh group nam e 1st: zysh group nam e, 2st: zysh entry nam e 1st: zysh group nam e, 2st: zysh group nam e 1st: m ax group num can't alloc entry: %s! 1st: zysh entry nam e can't retrieve entry: %s! can't get entry: %s! 1st: zysh group nam e, 2st: zysh entry nam e 1st: zysh group nam e, 2st: zysh entry nam e 1st: zysh entry nam e 1st: zysh entry nam e can't print entry: %s! 1st: zysh entry nam e %s: cannot retrieve entries from list! can't get name for entry %d! 1st: zysh list nam e 1st: zysh entry index NWA3000-N Series User s Guide 255

256 Appendix A Log Descriptions Table 98 ZySH Logs (continued) LOG MESSAGE can't get reference count: %s! can't print entry name: %s! 1st: zysh list nam e 1st: zysh entry nam e Can't append entry: %s! 1st: zysh entry nam e Can't set entry: %s! 1st: zysh entry nam e Can't define entry: %s! 1st: zysh entry nam e %s: list is full! Can't undefine %s Can't remove %s Table OPS %s: cannot retrieve entries from table! %s: index is out of range! %s: cannot set entry #%d %s: table is full! %s: invalid old/new index! Unable to move entry #%d! %s: invalid index! Unable to delete entry #%d! Unable to change entry #%d! %s: cannot retrieve entries from table! %s: invalid old/new index! Unable to move entry #%d! %s: apply failed at initial stage! %s: apply failed at main stage! %s: apply failed at closing stage! DESCRIPTION 1st: zysh list nam e 1st: zysh list nam e 1st: zysh list nam e 1st: zysh table nam e 1st: zysh table nam e 1st: zysh table nam e,2st: zysh entry num 1st: zysh table nam e 1st: zysh table nam e 1st: zysh entry num 1st: zysh table nam e 1st: zysh entry num 1st: zysh entry num 1st: zysh table nam e 1st: zysh table nam e 1st: zysh entry num 1st: zysh table nam e 1st: zysh table nam e 1st: zysh table nam e 256 NWA3000-N Series User s Guide

257 Appendix A Log Descriptions Table 99 User Logs LOG MESSAGE %s %s from %s has logged in EnterpriseWLAN %s %s from %s has logged out EnterpriseWLAN %s %s from %s has been logged out EnterpriseWLAN (re-auth timeout) %s %s from %s has been logged out EnterpriseWLAN (lease timeout) %s %s from %s has been logged out EnterpriseWLAN (idle timeout) Console has been put into lockout state Address %u.%u.%u.%u has been put into lockout state Failed login attempt to EnterpriseWLAN from %s (login on a lockout address) Failed login attempt to EnterpriseWLAN from %s (reach the max. number of user) DESCRIPTION A user logged into the device. 1st % s: The type of user account. 2nd % s: The user s user nam e. 3rd % s: The nam e of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console). A user logged out of the device. 1st % s: The type of user account. 2nd % s: The user s user nam e. 3rd % s: The nam e of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console). The device is signing the specified user out due to a reauthentication tim eout. 1st % s: The type of user account. 2nd % s: The user s user nam e. 3rd % s: The nam e of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console). The device is signing the specified user out due to a lease tim eout. 1st % s: The type of user account. 2nd % s: The user s user nam e. 3rd % s: The nam e of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console). The device is signing the specified user out due to an idle tim eout. 1st % s: The type of user account. 2nd % s: The user s user nam e. 3rd % s: The nam e of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console). Too m any failed login attem pts were m ade on the console port so the device is blocking login attem pts on the console port. Too m any failed login attem pts were m ade from an I P address so the device is blocking login attem pts from that I P address. % u.% u.% u.% u: the source address of the user s login attem pt A login attem pt cam e from an I P address that the device has locked out. % u.% u.% u.% u: the source address of the user s login attem pt The device blocked a login because the m axim um login capacity for the particular service has already been reached. % s: service nam e NWA3000-N Series User s Guide 257

258 Appendix A Log Descriptions Table 99 User Logs ( cont inued) LOG MESSAGE Failed login attempt to EnterpriseWLAN from %s (reach the max. number of simultaneous logon) User %s has been denied access from %s User %s has been denied access from %s LDAP/AD: Wrong IP or Port. IP:%s, Port: %d Domain-auth fail Failed to join domain: Access denied DESCRIPTION The device blocked a login because the m axim um sim ultaneous login capacity for the adm inistrator or access account has already been reached. % s: service nam e The device blocked a login according to the access control configuration. % s: service nam e The device blocked a login attem pt by the specified user nam e because of an invalid user nam e or password. 2nd % s: service nam e LDAP/ AD: Wrong I P or Port.Please check the AAA server setting. Dom ain- auth fail. Please check the dom ain- auth related setting. Failed to join dom ain: Access denied. Please check the AD server. Table 100 Built- in Services Logs LOG MESSAGE User on %u.%u.%u.%u has been denied access from %s DESCRIPTION HTTP/ HTTPS/ TELNET/ SSH/ FTP/ SNMP access to the device was denied. % u.% u.% u.% u is I P address HTTPS certificate:%s does not exist. HTTPS service will not work. HTTPS port has been changed to port %s. HTTPS port has been changed to default port. HTTP port has changed to port %s. HTTP port has changed to default port. SSH port has been changed to port %s. SSH port has been changed to default port. SSH certificate:%s does not exist. SSH service will not work. % s is HTTP/ HTTPS/ SSH/ SNMP/ FTP/ TELNET An adm inistrator assigned a nonexistent certificate to HTTPS. % s is certificate nam e assigned by user An adm inistrator changed the port num ber for HTTPS. % s is port num ber An adm inistrator changed the port num ber for HTTPS back to the default (443). An adm inistrator changed the port num ber for HTTP. % s is port num ber assigned by user An adm inistrator changed the port num ber for HTTP back to the default (80). An adm inistrator changed the port num ber for SSH. % s is port num ber assigned by user An adm inistrator changed the port num ber for SSH back to the default (22). An adm inistrator assigned a nonexistent certificate to SSH. % s is certificate nam e assigned by user 258 NWA3000-N Series User s Guide

259 Appendix A Log Descriptions Table 100 Built-in Services Logs (continued) LOG MESSAGE SSH certificate:%s format is wrong. SSH service will not work. TELNET port has been changed to port %s. TELNET port has been changed to default port. FTP certificate:%s does not exist. FTP port has been changed to port %s. FTP port has been changed to default port. SNMP port has been changed to port %s. SNMP port has been changed to default port. Console baud has been changed to %s. Console baud has been reset to %d. Set timezone to %s. DESCRIPTION After an adm inistrator assigns a certificate for SSH, the device needs to convert it to a key used for SSH. % s is certificate nam e assigned by user An adm inistrator changed the port num ber for TELNET. % s is port num ber assigned by user An adm inistrator changed the port num ber for TELNET back to the default (23). An adm inistrator assigned a nonexistent certificate to FTP. % s is certificate nam e assigned by user An adm inistrator changed the port num ber for FTP. % s is port num ber assigned by user An adm inistrator changed the port num ber for FTP back to the default (21). An adm inistrator changed the port num ber for SNMP. % s is port num ber assigned by user An adm inistrator changed the port num ber for SNMP back to the default (161). An adm inistrator changed the console port baud rate. % s is baud rate assigned by user An adm inistrator changed the console port baud rate back to the default (115200). % d is default baud rate An adm inistrator changed the tim e zone. Set timezone to default. Enable daylight saving. Disable daylight saving. The default record of Zone Forwarder have reached the maximum number of 128 DNS servers. Interface %s ping check is successful. Zone Forwarder adds DNS servers in records. % s is tim e zone value An adm inistrator changed the tim e zone back to the default ( 0). An adm inistrator turned on daylight saving. An adm inistrator turned off daylight saving. The default record DNS servers is m ore than 128. Ping check ok, add DNS servers in bind. % s is interface nam e NWA3000-N Series User s Guide 259

260 Appendix A Log Descriptions Table 100 Built-in Services Logs (continued) LOG MESSAGE Interface %s ping check is failed. Zone Forwarder removes DNS servers in records. Interface %s ping check is disabled. Zone Forwarder adds DNS servers in records. SNMP trap can not be sent successfully DESCRIPTION Ping check failed, rem ove DNS servers from bind. % s is interface nam e Ping check disabled, add DNS servers in bind. % s is interface nam e Cannot send a SNMP trap to a rem ote host due to network error Table 101 System Logs LOG MESSAGE DESCRIPTION Port %d is up!! When LI NK is up, % d is the port num ber. Port %d is down!! When LI NK is down, % d is the port num ber. %s is dead at %s A daem on ( process) is gone (was killed by the operating system ). %s process count is incorrect at %s %s becomes Zombie at %s 1st % s: Daem on Nam e, 2nd % s: date and tim e The count of the listed process is incorrect. 1st % s: Daem on Nam e, 2nd % s: date and tim e A process is present but not functioning. 1st % s: Daem on Nam e, 2nd % s: date and tim e When m em ory usage exceed threshold-m ax, m em ory usage reaches % d% % : m em -threshold-m ax. When local storage usage exceeds threshold-m ax, % s: Partition nam e file system usage reaches % d% % : disk-threshold-m ax. When m em ory usage drops below threshold-m in, System Mem ory usage drops below the threshold of % d% % : m em -threshold-m in. DHCP Server executed with cautious mode enabled DHCP Server executed with cautious mode disabled Received packet is not an ARP response packet Receive an ARP response Receive ARP response from %s (%s) When local storage usage drops below threshold- m in, % s: partition_nam e file system drops below the threshold of % d% % : disk- threshold- m in. DHCP Server executed with cautious m ode enabled. DHCP Server executed with cautious m ode disabled. A packet was received but it is not an ARP response packet. The device received an ARP response. The device received an ARP response from the listed source. 260 NWA3000-N Series User s Guide

261 Appendix A Log Descriptions Table 101 System Logs (continued) LOG MESSAGE The request IP is: %s, sent from %s Received ARP response NOT for the request IP address Receive an ARP response from the client issuing the DHCP request Receive an ARP response from an unknown client In total, received %d arp response packets for the requested IP address Clear arp cache successfully. Client MAC address is not an Ethernet address DHCP request received via interface %s (%s:%s), src_mac: %s with requested IP: %s IP confliction is detected. Send back DHCP-NAK. Clear ARP cache done NTP update successful, current time is %s NTP update failed Device is rebooted by administrator! Collect Diagnostic Information has failed - Server did not respond. Collect Diagnostic Infomation has succeeded. DESCRIPTION The device accepted a request. The device received an ARP response that is NOT for the requested I P address. The device received an ARP response from the client issuing the DHCP request. The device received an ARP response from an unknown client. The device received the specified total num ber of ARP response packets for the requested I P address. The ARP cache was cleared successfully. A client MAC address is not an Ethernet address. The device received a DHCP request through the specified interface. I P conflict was detected. Send back DHCP- NAK. Clear ARP cache done. The device successfully synchronized with a NTP tim e server. % s is the date and tim e. The device was not able to synchronize with the NTP tim e server successfully. An adm inistrator restarted the device. There was an error and the diagnostics were not com pleted. The diagnostics scripts were executed successfully. NWA3000-N Series User s Guide 261

262 Appendix A Log Descriptions Table 102 Device HA Logs LOG MESSAGE Device HA VRRP Group %s has been added. Device HA VRRP group %s has been modified. Device HA VRRP group %s has been deleted. Device HA VRRP interface %s for VRRP Group %s has changed. Device HA syncing from %s starts. %s has no file to sync, Skip syncing it for %s. Master configuration is the same with Backup. Skip updating it. %s file not existed, Skip syncing it for %s Master firmware version can not be recognized. Stop syncing from Master. Device HA Sync has failed when syncing %s for %s due to bad \"Sync Password\". Device HA Sync has failed when syncing %s for %s due to bad \"Sync From\" or \"Sync Port\". Device HA Sync has failed when syncing %s for %s. Sync Failed: Cannot connect to Master when syncing %s for %s. DESCRIPTION An VRRP group has been created, % s: the nam e of VRRP group. An VRRP group has been m odified, % s: the nam e of VRRP group. An VRRP group has been deleted, % s: the nam e of VRRP group. Configuration of an interface that belonged to a VRRP group has been changed, 1st % s: VRRP interface nam e, 2ed % s: % s: the nam e of VRRP group. Device HA Syncing from Master starts when user click "Sync Now" using Auto Sync, % s: The I P of FQDN of Master. There is no file to be synchronized from the Master when syncing a object (AV/ AS/ I DP/ Certificate/ System Configuration), But in fact, there should be som ething in the Master for the device to synchronize with, 1st % s: The syncing object, 2ed % s: The feature nam e for the syncing object. The System Startup configuration file synchronized from the Master is the sam e with the one in the Backup, so the configuration does not have to be updated. There is no file to be synchronized from the Master when syncing a object (AV/ AS/ I DP/ Certificate/ System Configuration), But in fact, there should be som ething in the Master for the device to synchronize with, 1st % s: The syncing object, 2ed % s: The feature nam e for the syncing object. Synchronizing stopped because the firm ware version file was not found in the Master. A Backup device only synchronizes from the Master if the firm ware versions are the sam e between the Master and the Backup. The synchronization password was incorrect when attem pting to synchronize a certain object (AV/ AS/ I DP/ Certificate/ System Configuration). 1st % s: The object to be synchronized, 2ed % s: The feature nam e for the object to be synchronized. The Sync From I P address or Sync Port m ay be incorrect when synchronizing a certain object (AV/ AS/ I DP/ Certificate/ System Configuration). Synchronization failed when synchronizing a certain object (AV/ AS/ I DP/ Certificate/ System Configuration) due to an unknown reason, 1st % s: The object to be synchronized, 2ed % s: The feature nam e for the object to be synchronized. Synchronization failed because the Backup could not connect to the Master. The object to be synchronized, 2ed % s: The feature nam e for the object to be synchronized. 262 NWA3000-N Series User s Guide

263 Appendix A Log Descriptions Table 102 Device HA Logs ( cont inued) LOG MESSAGE Backup firmware version can not be recognized. Stop syncing from Master. Sync failed: Remote Firmware Version Unknown Master firmware version should be the same with Backup. Update %s for %s has failed. Update %s for %s has failed: %s. Device HA has skipped syncing %s since %s is %s. Device HA authentication type for VRRP group %s maybe wrong. Device HA authenticaton string of text for VRRP group %s maybe wrong. Device HA authentication string of AH for VRRP group %s maybe wrong. Retrying to update %s for %s. Retry: %d. Recovring to Backup original state for %s has failed. Recovering to Backup original state for %s has succeeded. One of VRRP groups has became avtive. Device HA Sync has aborted from Master %s. DESCRIPTION The firm ware version on the Backup cannot be resolved to check if it is the sam e as on the Master. A Backup device only synchronizes from the Master if the Master and the Backup have the sam e firm ware versions. The firm ware version on the Master cannot be resolved to check if it is the sam e as on the Master. A Backup device only synchronizes from the Master if the Master and the Backup have the sam e firm ware versions. The Backup and Master have different firm ware versions. A Backup device only synchronizes from the Master if the Master and the Backup have the sam e firm ware versions. Updating a certain object failed when updating (AS/ AV/ I DP/ Certificate/ System Configuration). 1st % s: The object to be synchronized, 2ed % s: The feature nam e for the object to be synchronized. Updating a certain object failed when updating (AS/ AV/ I DP/ Certificate/ System Configuration) due to som e reason. 1st % s: The object to be synchronized, 2ed % s: The feature nam e for the object to be synchronized. A certain service has no license or the license is expired, so it was not synchronized from the Master. 1st % s: The object to be synchronized, 2ed % s: The feature nam e for the object to be synchronized, 3rd % s: unlicensed or license expired. A VRRP group s Authentication Type (Md5 or I PSec AH) configuration m ay not m atch between the Backup and the Master. % s: The nam e of the VRRP group. A VRRP group s Sim ple String (Md5) configuration m ay not m atch between the Backup and the Master. % s: The nam e of the VRRP group. A VRRP group s AH String (I PSec AH) configuration m ay not m atch between the Backup and the Master. % s: The nam e of the VRRP group. An update failed. Retrying to update the failed object again. 1st % s: The object to be synchronized, 2ed % s: The feature nam e for the object to be synchronized, % d: the retry count. An update failed. The device will try to recover the failed update feature to the original state before Device HA synchronizes the specified object. Recovery succeeded when an update for the specified object failed. % s: I P or FQDN of Master NWA3000-N Series User s Guide 263

264 Appendix A Log Descriptions Table 102 Device HA Logs ( cont inued) LOG MESSAGE Master configuration file does not exist. Skip updating ZySH Startup Configuration. System internal error: %s. Skip updating %s. Master configuration file is empty. Skip updating ZySH Startup Configuration. Device HA Sync has failed when syncing %s for %s due to transmission timeout. VRRP interface %s has been shutdown. VRRP interface %s has been brought up. Version for %s is the same, skip update DESCRIPTION 1st % s: error string, 2ed % s: the syncing object 1st % s: the syncing object, 2ed % s: the feature nam e for the syncing obj ect % s: The nam e of the VRRP interface. % s: The nam e of the VRRP interface. Table 103 Cert ificat e Pat h Verificat ion Failure Reason Codes CODE DESCRIPTION 1 Algorithm m ism atch between the certificate and the search constraints. 2 Key usage m ism atch between the certificate and the search constraints. 3 Certificate was not valid in the tim e interval. 4 (Not used) 5 Certificate is not valid. 6 Certificate signature was not verified correctly. 7 Certificate was revoked by a CRL. 8 Certificate was not added to the cache. 9 Certificate decoding failed. 10 Certificate was not found (anywhere). 11 Certificate chain looped ( did not find trusted root). 12 Certificate contains critical extension that was not handled. 13 Certificate issuer was not valid (CA specific inform ation m issing). 14 (Not used) 15 CRL is too old. 16 CRL is not valid. 17 CRL signature was not verified correctly. 18 CRL was not found (anywhere). 19 CRL was not added to the cache. 264 NWA3000-N Series User s Guide

265 Appendix A Log Descriptions Table 103 Certificate Path Verification Failure Reason Codes (continued) CODE DESCRIPTION 20 CRL decoding failed. 21 CRL is not currently valid, but in the future. 22 CRL contains duplicate serial num bers. 23 Tim e interval is not continuous. 24 Tim e inform ation not available. 25 Database m ethod failed due to tim eout. 26 Database m ethod failed. 27 Path was not verified. 28 Maxim um path length reached. Table 104 WLAN Logs LOG MESSAGE Wlan %s is enabled. Wlan %s is disabled. Wlan %s has been configured. Interface %s has been configured. Interface %s has been deleted. Create interface %s has failed. Wlan device does not exist. System internal error. No 802.1X or WPA enabled! System internal error. Error configuring WPA state! System internal error. Error enabling WPA/ 802.1X! Station has associated. Interface: %s, MAC: %s. WPA or WPA2 enterprise EAP timeout. Interface: %s, MAC: %s. DESCRIPTION The WLAN (I EEE b and or g) feature has been turned on. % s is the slot num ber where the WLAN card is or can be installed. The WLAN ( I EEE b and or g) feature has been turned off. % s is the slot num ber where the WLAN card is or can be installed. The WLAN (I EEE b and or g) feature s configuration has been changed. % s is the slot num ber where the WLAN card is or can be installed. The configuration of the specified WLAN interface ( % s) has been changed. The specified WLAN interface (% s) has been rem oved. The wireless device failed to create the specified WLAN interface (% s). Rem ove the wireless device and reinstall it. I EEE 802.1x or WPA is not enabled. The device was not able to configure the wireless device to use WPA. Rem ove the wireless device and reinstall it. The device was not able to enable WPA/ I EEE 802.1X. A wireless client with the specified MAC address (second % s) associated with the specified WLAN interface (first % s). There was an EAP tim eout for a wireless client connected to the specified WLAN interface (first % s). The MAC address of the wireless client is listed (second % s). NWA3000-N Series User s Guide 265

266 Appendix A Log Descriptions Table 104 WLAN Logs (continued) LOG MESSAGE Station association has failed. Maximum associations have reached the maximum number. Interface: %s, MAC: %s. WPA authentication has failed. Interface: %s, MAC: %s. Incorrect password for WPA or WPA2 enterprise internal authentication. Interface: %s, MAC: %s. Incorrect username or password for WPA or WPA2 enterprise internal authentication. Interface: %s, MAC: %s. System internal error. %s: STA %s could not extract EAP-Message from RADIUS message Station accounting start. Station accounting success. DESCRIPTION A wireless client with the specified MAC address (second % s) failed to connect to the specified WLAN interface ( first % s) because the WLAN interface already has its m axim um num ber of wireless clients. A wireless client used an incorrect WPA key and thus failed to connect to the specified WLAN interface (first % s). The MAC address of the wireless client is listed (second % s). A wireless client used an incorrect WPA or WPA2 user password and failed authentication by the device s local user database while trying to connect to the specified WLAN interface (first % s). The MAC address of the wireless client is listed (second % s). A wireless client used an incorrect WPA or WPA2 user nam e or user password and failed authentication by the device s local user database while trying to connect to the specified WLAN interface (first % s). The MAC address of the wireless client is listed (second % s). There was an error when attem pting to extract the EAP-Message from a RADI US m essage. The first % s is the WLAN interface. The second % s is the MAC address of the wireless client. RADI US accounting started. I f you don't receive the success m essage, it m ay have failed. RADI US accounting succeeded. Table 105 Account Logs LOG MESSAGE Account %s %s has been deleted. Account %s %s has been changed. Account %s %s has been added. DESCRIPTION A user deleted an I SP account profile. 1st % s: profile type, 2nd % se: profile nam e. A user changed an I SP account profile s options. 1st % s: profile type, 2nd % s: profile nam e. A user added a new I SP account profile. 1st % s: profile type, 2nd % s: profile nam e. 266 NWA3000-N Series User s Guide

267 Appendix A Log Descriptions Table 106 File Manager Logs LOG MESSAGE ERROR:#%s, %s DESCRIPTION Apply configuration failed, this log will be what CLI com m and is and what error m essage is. 1st % s is CLI com m and. WARNING:#%s, %s 2nd % s is error m essage when apply CLI com m and. Apply configuration failed, this log will be what CLI com m and is and what warning m essage is. 1st % s is CLI com m and. ERROR:#%s, %s 2nd % s is warning m essage when apply CLI com m and. Run script failed, this log will be what wrong CLI com m and is and what error m essage is. 1st % s is CLI com m and. WARNING:#%s, %s 2nd % s is error m essage when apply CLI com m and. Run script failed, this log will be what wrong CLI com m and is and what warning m essage is. 1st % s is CLI com m and. Resetting system... System resetted. Now apply %s.. Running %s... 2nd % s is warning m essage when apply CLI com m and. Before apply configuration file. After the system reset, it started to apply the configuration file. % s is configuration file nam e. An adm inistrator ran the listed shell script. % s is script file nam e. Table 107 DHCP Logs LOG MESSAGE Can't find any lease for this client - %s, DHCP pool full! DHCP server offered %s to %s(%s) Requested %s from %s(%s) No applicable lease found for DHCP request - %s! DHCP released %s with %s(%s) Sending ACK to %s DHCP server assigned %s to %s(%s) DESCRIPTION All of the I P addresses in the DHCP pool are already assigned to DHCP clients, so there is no I P address to give to the listed DHCP client. The DHCP server feature gave the listed I P address to the com puter with the listed hostnam e and MAC address. The device received a DHCP request for the specified I P address from the com puter with the listed hostnam e and MAC address. There is no m atching DHCP lease for a DHCP client s request for the specified I P address. A DHCP client released the specified I P address. The DHCP client s hostnam e and MAC address are listed. The DHCP server feature received a DHCP client s inform packet and is sending an ACK to the client. The DHCP server feature assigned a client the I P address that it requested. The DHCP client s hostnam e and MAC address are listed. NWA3000-N Series User s Guide 267

268 Appendix A Log Descriptions Table 108 E-m ail Daily Report Logs LOG MESSAGE Daily Report has been activated. Daily Report has been deactivated. daily report has been sent successfully. Cannot resolve mail server address %s. Mail server authentication failed. Failed to send report. Mail From address %s1 is inconsistent with SMTP account %s2. Failed to connect to mail server %s. DESCRIPTION The daily e-m ail report function has been turned on. The device will e- m ail a daily report about the selected item s at the scheduled tim e if the required settings are configured correctly. The daily e-m ail report function has been turned off. The device will not e-m ail daily reports. The device sent a daily e-m ail report m ail successfully. The (listed) SMTP address configured for the daily e-m ail report function is incorrect. The user nam e or password configured for authenticating with the e- m ail server is incorrect. The user nam e and password configured for authenticating with the e- m ail server are correct, but the (listed) sender e-m ail address does not m atch the (listed) SMTP e-m ail account. The device could not connect to the SMTP e- m ail server ( % s). The address configured for the server m ay be incorrect or there m ay be a problem with the device s or the server s network connection. Table 109 CAPWAP Server Logs LOG MESSAGE WLAN Controller Start. Registration Type:%s DESCRIPTION I ndicates that AP m anagem ent services has started. WLAN Controller Reset. The AP m anagem ent service has reset. WLAN Controller End. The AP m anagem ent service has ended. Managed AP Connect. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s, Name:%s The specified Managed AP connected to the CAPWAP server. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. Managed AP Disconnect. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s, Name:%s, Reason:%s, State %s 8th % s: Managed AP Description. The specified Managed AP disconnected from the CAPWAP server. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. 8th % s: Managed AP Description. 9th % s: Managed AP Disconnect Reason. Add a Managed AP. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s 10th % s: Managed AP State. The specified AP from un-m anaged list was added to m anaged list. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. 268 NWA3000-N Series User s Guide

269 Appendix A Log Descriptions Table 109 CAPWAP Server Logs LOG MESSAGE Delete a Managed AP. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s Update a Managed AP. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s DESCRIPTION The specified AP from m anaged list was deleted. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. Configuration settings were issued to the specified AP on the m anaged list. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. Update a Managed AP Fail. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s ReBoot Managed AP. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s, Name:%s Switch Managed AP to Standalone AP. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s, Name:%s Upgrade Managed AP's Firmware. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s, Name:%s Start Send Configuration to Managed AP. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s, Name:%s Sucess Send Configuration to Managed AP. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s, Name:%s Start Send Updating Configuration to Managed AP. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s, Name:%s 7th % s: Managed AP Model Nam e. Configuration settings were issued to the specified AP on the m anaged list, but the AP sent back the apply fail response. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. Rebooted the specified AP on the m anaged list. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. 8th % s: Managed AP Description. Rollback the AP to Standalone Mode. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. 8th % s: Managed AP Description. I ndicates that the AP on the Managed List had its firm ware upgraded. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. 8th % s: Managed AP Description. I ndicates that a Send Configuration request was sent to an AP on the Managed List. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. 8th % s: Managed AP Description. I ndicates that a Send Configuration Response was received from an AP on the Managed List. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. 8th % s: Managed AP Description. I ndicates that a Send Updating Configuration request was sent to an AP on the Managed List. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. 8th % s: Managed AP Description. NWA3000-N Series User s Guide 269

270 Appendix A Log Descriptions Table 109 CAPWAP Server Logs LOG MESSAGE Sucess Send Updating Configuration to Managed AP. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s, Name:%s "Send Retransmit Configuration to Managed AP. MACAddr:%02x%02x%02x%0 2x%02x%02x, Model:%s, Name:%s, retry count:%d" STA Association. MACAddr:%02x%02x%02x%0 2x%02x%02x, AP=%s STA Disassociation. MACAddr:%02x%02x%02x%0 2x%02x%02x, AP=%s STA Roaming. MAC Addr:%02x:%02x:%02x:%0 2x:%02x:%02x, From=%s, To=%s DESCRIPTION I ndicates that a Send Updating Configuration Response was received from an AP on the Managed List. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. 8th % s: Managed AP Description. I ndicates that the CAPWAP server retransm ited configuration to an AP on the Managed List. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP Model Nam e. 8th % s: Managed AP Description. 9th % d: Retry count." A station connected to the specified AP. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP's description. A station disconnected from the specified AP. 1st % 02x ~ 6th % 02x: Managed AP MAC Address. 7th % s: Managed AP's description. The specified station m oved from the first specified AP to other specified AP. 1st % 02x~ 6th% 02x: Station MAC Address. 7th % s: Source AP s description. STA List Full. STA List of Managed AP [%s] is Full 8th % s: Destination AP's description. I ndicates that the num ber of stations connecting to the specified AP has reached its upper lim it. 1st % s: Managed AP's description. Table 110 CAPWAP Client Logs LOG MESSAGE Managed AP Start. Discovery Type:%s Managed AP Reset. Discovery Type:%s Managed AP End Connect to WLAN Controller. WLAN Controller:%s Disconnect to WLAN Controller. WLAN Controller:%s DESCRIPTION The CAPWAP Client service started. 1st % s: Discovery type { By DHCP Broadcast} Reset the CAPWAP Client service. 1st % s: Discovery type { By DHCP Broadcast} The CAPWAP Client service was ended. The CAPWAP Client connected to the WLAN Controller. 1st % s: WLAN Controller I P Address." The CAPWAP Client was disconnected from the WLAN Controller. 1st % s: WLAN Controller I P Address." 270 NWA3000-N Series User s Guide

271 Appendix A Log Descriptions Table 110 CAPWAP Client Logs LOG MESSAGE Updated configuration by a WLAN Controller Success. %s Updated configuration by a WLAN Controller Fail. %s ReBoot by a WLAN Controller. WLAN Controller:%s Switch Managed AP to Standalone AP. WLAN Controller:%s Firmware upgraded by WLAN Controller. WLAN Controller:%s Apply configuration by a WLAN Controller Success. %s Managed AP Configuration Flush. %s AC IP Change. New Discovery Type:%s, WLAN Controller IP: %s Managed AP Receiving Complete ZySH Configuration from AC Managed AP Receiving Updating ZySH Configuration from AC STA Association. DESCRIPTION The configuration was upgraded successfully by the WLAN Controller. 1st % s: Partial Updating." Configuration upgrade by the WLAN Controller failed. 1st % s: Wrong Configuration." The m anaged AP was rebooteed WLAN Controller. 1st % s: WLAN Controller I P Address." The WLAN controller set the m anaged AP to Standalone Mode. 1st % s: WLAN Controller I P Address." The CAPWAP client s firm ware was upgraded by the WLAN controller. 1st % s: WLAN Controller I P Address." The WLAN controller successfully applied configuration. 1st % s: Com plete Updating" The m anaged AP reset ZySH for flushing its running-config & reapplied the startup-config. 1st % s: Reset ZySH Daem on Changed the m anaged AP s AC I P. 1st % s: Discovery type { By DHCP Broadcast} 2nd % s: WLAN Controller I P Address" The m anaged AP is receiving total configuration from the WLAN Controller during CAPWAP protocol handshaking. (Configuration Change State) The AP is receiving configuration settings from the device because the device changed configuration. (RUN State) I ndicates the specified station associated with the specified AP. MAC Addr: % 02x: % 02x: % 02x: % 0 2x: % 02x: % 02x,AP= % s STA Disassociation. MAC Addr: % 02x: % 02x: % 02x: % 0 2x: % 02x: % 02x,AP= % s STA Roam ing. MAC Addr: % 02x: % 02x: % 02x: % 0 2x: % 02x: % 02x, From = % s, To= % s STA List Full. STA List of Managed AP [ % s] is Full 1st % 02x~ 6th% 02x: Station MAC Address. 7th % s: AP's description. I ndicates the specified station de- associated from the specified AP. 1st % 02x~ 6th% 02x: Station MAC Address. 7th % s: AP's description. The specified station roam ed from the first specified AP to the other. 1st % 02x~ 6th% 02x: Station MAC Address. 7th % s: Source AP's description. 8th % s: Destination AP's description. The num ber of stations connecting to the specified AP has reached its upper lim it. 1st % s: WTP's description. NWA3000-N Series User s Guide 271

272 Appendix A Log Descriptions Table 111 AP Load Balancing Logs LOG MESSAGE kick station % 02x: % 02x: % 02x: % 02x: % 02x: % 02x DESCRIPTION I ndicates that the specified station was rem oved from an AP s wireless network because the AP becam e overloaded. Table 112 Rogue AP Logs LOG MESSAGE rogue ap detection is enabled. DESCRIPTION I ndicates that rogue AP detection is enabled. Table 113 Wireless Fram e Capt ure Logs LOG MESSAGE Capture done! check_size: % d, m ax_file_size: % d\ n DESCRIPTION This m essage displays check_size % d and m ax_file_size % d when the wireless fram e capture has been com pleted. 1st % d: total files size of directory. 2nd % d: m ax files size. Can not initial m onitor m ode signal handler.\ n While an AP is in Monitor m ode, the handler functions as a daem on; if it fails to initialize the handler, then this m essage is returned. Table 114 DCS Logs LOG MESSAGE dcs init failed!\n init zylog fail\n channel changed: %s %d -> %d\n DESCRIPTION I ndicates that the device failed to initialize the dcs daem on. I ndicates that the device failed to initialize zylog. DCS has changed the wireless interface % s channel from % d to channel % d. 1st % s: interface nam e 1st % d: current channel dcs is terminated! 2nd % d: new channel DCS was term inated for an unknown reason. 272 NWA3000-N Series User s Guide

273 APPENDIX B Importing Certificates This appendix shows you how to im port public key certificates into your web browser. Public key certificates are used by web browsers to ensure that a secure web site is legitim ate. When a certificate authority such as VeriSign, Com odo, or Network Solutions, to nam e a few, receives a certificate request from a website operator, they confirm that the web dom ain and contact inform ation in the request m atch those on public record with a dom ain nam e registrar. I f they m atch, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitim ate. Many ZyXEL products, such as the NSA-2401, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitim ate device and not one m asquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the m ost com m on web browsers, you will need to im port the ZyXEL-created certificate into your web browser and flag that certificate as a trusted authority. Note: You can see if you are browsing on a secure website if the URL in your web browser s address bar begins with or there is a sealed padlock icon ( ) som ewhere in the m ain browser window (not all browsers show the padlock in the sam e location.) Internet Explorer The following exam ple uses Microsoft I nternet Explorer 7 on Windows XP Professional; however, they can also apply to I nternet Explorer on Windows Vista. NWA3000-N Series User s Guide 273

certification error. 2 Click Continue t o this w ebsite ( not recom m ended).

274 Appendix B Importing Certificates 1 I f your device s Web Configurator is set to use SSL certification, then the first tim e you browse to it you are presented with a certification error. 2 Click Continue t o this w ebsite ( not recom m ended). 3 I n the Address Bar, click Cert ificat e Error > View certificates. 274 NWA3000-N Series User s Guide

275 Appendix B Importing Certificates 4 I n the Certificate dialog box, click I nstall Certificate. 5 I n the Certificate I m port W izard, click Next. NWA3000-N Series User s Guide 275

7 Otherwise, select Place all certificates in the follow ing store and then click Brow se.

276 Appendix B Importing Certificates 6 I f you want I nternet Explorer to Autom atically select certificat e store based on the type of certificate, click Next again and then go to step 9. 7 Otherwise, select Place all certificates in the follow ing store and then click Brow se. 8 I n the Select Certificate St ore dialog box, choose a location in which to save the certificate and then click OK. 276 NWA3000-N Series User s Guide

Appendix B Importing Certificates 9 I n the Com

277 Appendix B Importing Certificates 9 I n the Com pleting the Certificate I m port W izard screen, click Finish. 10 I f you are presented with another Security W arning, click Yes. 11 Finally, click OK when presented with the successful certificate installation m essage. NWA3000-N Series User s Guide 277

Appendix B Importing Certificates 12 The next tim e you start I nternet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar.

Installing a Stand-Alone Certificate File in Internet Explorer Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prom pted, you can install a

278 Appendix B Importing Certificates 12 The next tim e you start I nternet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page s W ebsit e I dentificat ion inform at ion. Installing a Stand-Alone Certificate File in Internet Explorer Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prom pted, you can install a stand-alone certificate file if one has been issued to you. 1 Double-click the public key certificate file. 2 I n the security warning dialog box, click Open. 3 Refer to steps 4-12 in the I nternet Explorer procedure beginning on page 273 to com plete the inst allat ion process. 278 NWA3000-N Series User s Guide

Windows XP. 1 Open I nternet Explorer and click Tools > I nternet Options.

279 Appendix B Importing Certificates Removing a Certificate in Internet Explorer This section shows you how to rem ove a public key certificate in I nternet Explorer 7 on Windows XP. 1 Open I nternet Explorer and click Tools > I nternet Options. 2 I n the I nternet Options dialog box, click Content > Certificates. NWA3000-N Series User s Guide 279

4 I n the Certificates confirm ation, click Yes. 5 I n the Root Certificate Store dialog box, click Yes.

280 Appendix B Importing Certificates 3 I n the Certificates dialog box, click the Trusted Root Cert ificat es Authorities tab, select the certificate that you want to delete, and then click Rem ove. 4 I n the Certificates confirm ation, click Yes. 5 I n the Root Certificate Store dialog box, click Yes. 6 The next tim e you go to the web site that issued the public key certificate you just rem oved, a cert ificat ion error appears. 280 NWA3000-N Series User s Guide

Appendix B Importing Certificates Firefox The following exam ple uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on

1 I f your device s Web Configurator is set to use SSL certification, then the first tim e you browse to it you are presented with a certification error.

281 Appendix B Importing Certificates Firefox The following exam ple uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platform s. 1 I f your device s Web Configurator is set to use SSL certification, then the first tim e you browse to it you are presented with a certification error. 2 Select Accept this certificate perm anently and click OK. 3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page I nfo > Security window to view the web page s security inform ation. NWA3000-N Series User s Guide 281

282 Appendix B Importing Certificates Installing a Stand-Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prom pted, you can install a stand-alone certificate file if one has been issued to you. 1 Open Firefox and click Tools > Options. 2 I n the Options dialog box, click Advanced > Encryption > View Certificat es. 282 NWA3000-N Series User s Guide

5 The next tim e you visit the web site, click the padlock in the address bar to open the Page I nfo > Security window to

283 Appendix B Importing Certificates 3 I n the Certificate Manager dialog box, click W eb Sites > I m port. 4 Use the Select File dialog box to locate the certificate and then click Open. 5 The next tim e you visit the web site, click the padlock in the address bar to open the Page I nfo > Security window to see the web page s security inform ation. Removing a Certificate in Firefox This section shows you how to rem ove a public key certificate in Firefox 2. NWA3000-N Series User s Guide 283

284 Appendix B Importing Certificates 1 Open Firefox and click Tools > Options. 2 I n the Options dialog box, click Advanced > Encryption > View Certificat es. 284 NWA3000-N Series User s Guide

4 I n the Delete W eb Site Certificat es dialog box, click OK.

285 Appendix B Importing Certificates 3 I n the Certificate Manager dialog box, select the W eb Sit es tab, select the certificate that you want to rem ove, and then click Delete. 4 I n the Delete W eb Site Certificat es dialog box, click OK. 5 The next tim e you go to the web site that issued the public key certificate you just rem oved, a cert ificat ion error appears. NWA3000-N Series User s Guide 285

286 Appendix B Importing Certificates 286 NWA3000-N Series User s Guide

287 APPENDIX C Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The sim plest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of com puters with wireless adapters (A, B, C). Any tim e two or m ore wireless adapters are within range of each other, they can set up an independent network, which is com m only referred to as an ad-hoc network or I ndependent Basic Service Set (I BSS). The following diagram shows an exam ple of notebook com puters using wireless adapters to form an ad-hoc wireless LAN. Figure 122 Peer-to-Peer Com m unication in an Ad-hoc Network BSS A Basic Service Set (BSS) exists when all com m unications between wireless clients or between a wireless client and a wired network client go through one access point (AP). I ntra-bss traffic is traffic between wireless clients in the BSS. When I ntra-bss is enabled, wireless client A and B can access the wired network and com m unicate with each other. When I ntra-bss is NWA3000-N Series User s Guide 287

288 Appendix C Wireless LANs disabled, wireless client A and B can still access the wired network but cannot com m unicate with each other. Figure 123 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an I nfrastructure WLAN. The Access Points not only provide com m unication with the wired network but also m ediate wireless network traffic in the im m ediate neighborhood. 288 NWA3000-N Series User s Guide

289 Appendix C Wireless LANs An ESSI D (ESS I Dentification) uniquely identifies each ESS. All access points and their associated wireless clients within the sam e ESS m ust have the sam e ESSI D in order to com m unicate. Figure 124 I nfrast ruct ure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transm it and receive data. Channels available depend on your geographical area. You m ay have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference. I nterference occurs when radio signals from different access points overlap causing int erference and degrading perform ance. Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For exam ple, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11. RTS/CTS A hidden node occurs when two stations are within range of the sam e access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they NWA3000-N Series User s Guide 289

290 Appendix C Wireless LANs cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Figure 125 RTS/ CTS When station A sends data to the AP, it m ight not know that the station B is already using the channel. I f these two stations send data at the sam e tim e, collisions m ay occur when both sets of data arrive at the AP at the sam e tim e, resulting in a loss of m essages for both stations. RTS/ CTS is designed to prevent collisions due to hidden nodes. An RTS/ CTS defines the biggest size data fram e you can send before an RTS (Request To Send)/ CTS (Clear to Send) handshake is invoked. When a data fram e exceeds the RTS/ CTS value you set (between 0 to 2432 bytes), the station that wants to transm it this fram e m ust first send an RTS (Request To Send) m essage to the AP for perm ission to send it. The AP then responds with a CTS (Clear to Send) m essage to all other stations within its range to notify them to defer their transm ission. I t also reserves and confirm s with the requesting station the tim e fram e for the requested transm ission. Stations can send fram es sm aller than the specified RTS/ CTS directly to the AP without the RTS (Request To Send)/ CTS (Clear to Send) handshake. You should only configure RTS/ CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large fram es is m ore than the extra network overhead involved in the RTS (Request To Send)/ CTS (Clear to Send) handshake. I f the RTS/ CTS value is greater than the Fragm ent ation Threshold value (see next), then the RTS (Request To Send)/ CTS (Clear to Send) handshake will never occur as data fram es will be fragm ented before they reach RTS/ CTS size. Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput perform ance instead of providing a rem edy. Fragmentation Threshold A Fragm ent ation Threshold is the m axim um data fragm ent size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragm ent the packet into sm aller data fram es. A large Fragm entation Threshold is recom m ended for networks not prone to interference while you should set a sm aller threshold for busy networks or networks that are prone to interference. 290 NWA3000-N Series User s Guide

291 Appendix C Wireless LANs I f the Fragm ent ation Threshold value is sm aller than the RTS/ CTS value (see previously) you set then the RTS (Request To Send)/ CTS (Clear to Send) handshake will never occur as data fram es will be fragm ented before they reach RTS/ CTS size. Preamble Type Pream ble is used to signal that data is com ing to the receiver. Short and long refer to the length of the synchronization field in a packet. Short pream ble increases perform ance as less tim e sending pream ble m eans m ore tim e for sending data. All I EEE com pliant wireless adapters support long pream ble, but not all support short pream ble. Use long pream ble if you are unsure what pream ble m ode other wireless devices on the network support, and to provide m ore reliable com m unications in busy wireless networks. Use short pream ble if you are sure all wireless devices on the network support it, and to provide m ore efficient com m unications. Use the dynam ic setting to autom atically use short pream ble when all wireless devices on the network support it, otherwise the device uses long pream ble. Note: The wireless devices MUST use the sam e pream ble m ode in order to com m unicate. IEEE g Wireless LAN I EEE g is fully com patible with the I EEE b standard. This m eans an I EEE b adapter can interface directly with an I EEE g access point (and vice versa) at 11 Mbps or lower depending on range. I EEE g has several interm ediate rate steps between the m axim um and m inim um data rates. The I EEE g data rate and m odulation are as follows: Table 115 I EEE g DATA RATE (MBPS) MODULATION 1 DBPSK (Differential Binary Phase Shift Keyed) 2 DQPSK (Differential Quadrature Phase Shift Keying) 5.5 / 11 CCK (Com plem entary Code Keying) 6/ 9/ 12/ 18/ 24/ 36/ 48/ 54 OFDM ( Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless com m unication between wireless clients, access points and the wired network. Wireless security m ethods available on the device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the device identity. NWA3000-N Series User s Guide 291

292 Appendix C Wireless LANs The following figure shows the relative effectiveness of these wireless security m ethods available on your device. Table 116 Wireless Securit y Levels SECURITY LEVEL Least Secure SECURITY TYPE Unique SSI D (Default) Unique SSI D with Hide SSI D Enabled MAC Address Filtering WEP Encryption I EEE802.1x EAP with RADI US Server Authentication Wi-Fi Protected Access (WPA) WPA2 Most Secure Note: You m ust enable the sam e wireless security settings on the device and on all wireless clients that you want to associate with it. IEEE 802.1x I n June 2001, the I EEE 802.1x standard was designed to extend the features of I EEE to support extended authentication as well as providing additional accounting and control features. I t is supported by Windows XP and a num ber of network devices. Som e advantages of I EEE 802.1x are: User based identification that allows for roam ing. Support for RADI US (Rem ote Authentication Dial I n User Service, RFC 2138, 2139) for centralized user profile and accounting m anagem ent on a network RADI US server. Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication m ethods to be deployed with no changes to the access point or the wireless clients. RADIUS RADI US is based on a client-server m odel that supports authentication, authorization and accounting. The access point is the client and the server is the RADI US server. The RADI US server handles the following tasks: Authentication Determ ines the identity of the users. Authorization Determ ines the network services available to authenticated users once they are connected to the net work. Account ing Keeps track of the client s network activity. 292 NWA3000-N Series User s Guide

293 Appendix C Wireless LANs RADI US is a sim ple package exchange in which your AP acts as a m essage relay between the wireless client and the network RADI US server. Types of RADIUS Messages The following types of RADI US m essages are exchanged between the access point and the RADI US server for user authentication: Access- Request Sent by an access point requesting authentication. Access- Rej ect Sent by a RADI US server rejecting access. Access- Accept Sent by a RADI US server allowing access. Access- Challenge Sent by a RADI US server requesting m ore inform ation in order to allow access. The access point sends a proper response from the user and then sends another Access-Request m essage. The following types of RADI US m essages are exchanged between the access point and the RADI US server for user account ing: Account ing- Request Sent by the access point requesting accounting. Account ing- Response Sent by the RADI US server to indicate that it has started or stopped accounting. I n order to ensure network security, the access point and the RADI US server use a shared secret key, which is a password, they both know. The key is not sent over the network. I n addition to the shared key, password inform ation exchanged is also encrypted to protect the network from unauthorized access. Types of EAP Authentication This section discusses som e popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device m ay not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the I EEE 802.1x transport m echanism in order to support m ultiple types of user authentication. By using EAP to interact with an EAP-com patible RADI US server, an access point helps a wireless station and a RADI US server perform authentication. The type of authentication you use depends on the RADI US server and an interm ediary AP(s) that supports I EEE 802.1x.. For EAP-TLS authentication type, you m ust first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital I Ds) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner. NWA3000-N Series User s Guide 293

294 Appendix C Wireless LANs EAP-MD5 (Message-Digest Algorithm 5) MD5 authentication is the sim plest one-way authentication m ethod. The authentication server sends a challenge to the wireless client. The wireless client proves that it knows the password by encrypting the password with the challenge and sends back the inform ation. Password is not sent in plain text. However, MD5 authentication has som e weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords m ust be stored. Thus som eone other than the authentication server m ay access the password file. I n addition, it is possible to im personate an authentication server as MD5 authentication m ethod does not perform m utual authentication. Finally, MD5 authentication m ethod does not support data encryption with dynam ic session key. You m ust configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for m utual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This m akes user identity vulnerable to passive attacks. A digital certificate is an electronic I D card that authenticates the sender s identity. However, to im plem ent EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which im poses a m anagem ent overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the serverside authentications to establish a secure connection. Client authentication is then done by sending usernam e and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP m ethods and legacy authentication m ethods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) LEAP Like EAP-TTLS, server- side certificate authentication is used to establish a secure connection, then use sim ple usernam e and password m ethods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP m ethods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is im plem ented only by Cisco. LEAP (Lightweight Extensible Authentication Protocol) is a Cisco im plem entation of I EEE 802.1x. Dynamic WEP Key Exchange The AP m aps a unique key that is generated with the RADI US server. This key expires when the wireless connection tim es out, disconnects or reauthentication tim es out. A new WEP key is generated each tim e reauthentication is perform ed. 294 NWA3000-N Series User s Guide

295 Appendix C Wireless LANs I f this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You m ay still configure and store keys, but they will not be used while dynam ic WEP is enabled. Note: EAP-MD5 cannot be used with Dynam ic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynam ic keys for data encryption. They are often deployed in corporate environm ents, but for public deploym ent, a sim ple user nam e and password pair is m ore practical. The following table is a com parison of the features of authentication types. Table 117 Com parison of EAP Authentication Types EAP-MD5 EAP-TLS EAP-TTLS PEAP LEAP Mutual Authentication No Yes Yes Yes Yes Certificate Client No Yes Optional Optional No Certificate Server No Yes Yes Yes No Dynam ic Key Exchange No Yes Yes Yes Yes Credential I ntegrity None Strong Strong Strong Moderate Deploym ent Difficulty Easy Hard Moderate Moderate Moderate Client I dentity Protection No No Yes Yes No WPA and WPA2 Encryption Wi-Fi Protected Access (WPA) is a subset of the I EEE i standard. WPA2 (I EEE i) is a wireless security standard that defines stronger encryption, authentication and key m anagem ent than WPA. Key differences between WPA or WPA2 and WEP are im proved data encryption and user authentication. I f both an AP and the wireless clients support WPA2 and you have an external RADI US server, use WPA2 for stronger data encryption. I f you don't have an external RADI US server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords m atch, a wireless client will be granted access to a WLAN. I f the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADI US server or not. Select WEP only when the AP and/ or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. WPA im proves data encryption by using Tem poral Key I ntegrity Protocol (TKI P), Message I ntegrity Check (MI C) and I EEE 802.1x. WPA2 also uses TKI P when required for com patibility reasons, but offers stronger encryption than TKI P with Advanced Encryption Standard (AES) in the Counter m ode with Cipher block chaining Message authentication code Protocol (CCMP). TKI P uses 128-bit keys that are dynam ically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit m athem atical algorithm NWA3000-N Series User s Guide 295

296 Appendix C Wireless LANs called Rijndael. They both include a per-packet key m ixing function, a Message I ntegrity Check (MI C) nam ed Michael, an extended initialization vector (I V) with sequencing rules, and a re-keying m echanism. WPA and WPA2 regularly change and rotate the encryption keys so that the sam e encryption key is never used twice. The RADI US server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and m anagem ent system, using the PMK to dynam ically generate unique data encryption keys to encrypt every data packet that is wirelessly com m unicated between the AP and the wireless clients. This all happens in the background autom atically. The Message I ntegrity Check (MI C) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MI C provides a strong m athem atical function in which the receiver and the transm itter each com pute and then com pare the MI C. I f they do not m atch, it is assum ed that the data has been tam pered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking m echanism (MI C), with TKI P and AES it is m ore difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network. The encryption m echanism s used for WPA(2) and WPA(2)-PSK are the sam e. The only difference between the two is that WPA(2)-PSK uses a sim ple com m on password, instead of user-specific credentials. The com m on-password approach m akes WPA(2)-PSK susceptible to brute-force password-guessing attacks but it s still an im provem ent over WEP as it em ploys a consistent, single, alphanum eric password to derive a PMK which is used to generate unique tem poral encryption keys. This prevent all wireless devices sharing the sam e encryption keys. (a weakness of WEP) User Authentication WPA and WPA2 apply I EEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADI US database. WPA2 reduces the num ber of key exchange m essages from six to four (CCMP 4-way handshake) and shortens the tim e required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and m ay not be supported in all wireless devices. Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the sam e AP and does not need to go with the authentication process again. Pre-authentication enables fast roam ing by allowing the wireless client (already connecting to an AP) to perform I EEE 802.1x authentication with another AP before connecting to it. Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the tim e of writing, the m ost widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you m ust run Windows XP to use it. 296 NWA3000-N Series User s Guide

Appendix C Wireless LANs WPA(2) with RADIUS Application Example To set up WPA(2), you need the I P address of the RADI US server, its port num ber (default is 1812), and the RADI US shared secret.

297 Appendix C Wireless LANs WPA(2) with RADIUS Application Example To set up WPA(2), you need the I P address of the RADI US server, its port num ber (default is 1812), and the RADI US shared secret. A WPA(2) application exam ple with an external RADI US server looks as follows. "A" is the RADI US server. "DS" is the distribution system. 1 The AP passes the wireless client's authentication request to the RADI US server. 2 The RADI US server then checks the user's identification against its database and grants or denies net work access accordingly. 3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADI US server and the client. 4 The RADI US server distributes the PMK to the AP. The AP then sets up a key hierarchy and m anagem ent system, using the PMK to dynam ically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly com m unicated between the AP and the wireless clients. Figure 126 WPA(2) with RADI US Application Exam ple WPA(2)-PSK Application Example A WPA(2)-PSK application looks as follows. 1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) m ust consist of between 8 and 63 ASCI I characters or 64 hexadecim al characters (including spaces and sym bols). 2 The AP checks each wireless client's password and allows it to join the network only if the password m atches. 3 The AP and wireless clients generate a com m on PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSI D. NWA3000-N Series User s Guide 297

NWA3000-N Series. Wireless N Business WLAN 3000 Series Access Point. Default Login Details. Version 2.23 Edition 1, 1/2011

NWA3000-N Series. Wireless N Business WLAN 3000 Series Access Point. Default Login Details. Version 2.23 Edition 1, 1/2011 NWA3000-N Series Wireless N Business WLAN 3000 Series Access Point Default Login Details IP Address https://192.168.1.2 User Name admin Password 1234 Version 2.23 Edition 1, 1/2011 www.zyxel.com www.zyxel.com