Home » ZyXEL Manuals » Bridges & Routers » ZyXEL NBG6503 » Manual Viewer

ZyXEL NBG6503 User Guide - Page 215

Types of EAP Authentication, EAP-MD5 Message-Digest Algorithm 5, EAP-TLS Transport Layer Security

Add to My Manuals
Save this manual to your list of manuals

Page 215 highlights

Appendix C Wireless LANs • Accounting-Request Sent by the access point requesting accounting. • Accounting-Response Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access. Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. . For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner. EAP-MD5 (Message-Digest Algorithm 5) MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client 'proves' that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. NBG6503 User's Guide 215

Section	Page
NBG6503	1
Contents Overview	3
Table of Contents	5
User’s Guide	13
Getting to Know Your Router	15
1.1 Overview	15
1.2 Applications	15
1.3 Ways to Manage the Router	15
1.4 Good Habits for Managing the Router	16
1.5 LEDs	17
1.6 The WPS Button	18
1.7 Wall Mounting	18
Connection Wizard	21
2.1 Overview	21
2.2 Accessing the Wizard	21
2.3 Connect to Internet	22
2.3.1 Connection Type: DHCP	23
2.3.2 Connection Type: Static IP	23
2.3.3 Connection Type: PPPoE	24
2.3.4 Connection Type: PPTP	25
2.4 Router Password	27
2.5 Wireless Security	27
2.5.1 Wireless Security: No Security	27
2.5.2 Wireless Security: WPA-PSK/WPA2-PSK	28
Introducing the Web Configurator	31
3.1 Overview	31
3.2 Accessing the Web Configurator	31
3.2.1 Login Screen	31
3.2.2 Password Screen	32
3.2.3 Home Screen	33
3.3 Resetting the Router	35
3.3.1 Procedure to Use the Reset Button	35
Monitor	37
4.1 Overview	37
4.2 What You Can Do	37
4.3 The Log Screen	37
4.3.1 View Log	37
4.4 BW MGMT Monitor	39
4.5 DHCP Table	39
4.6 Packet Statistics	40
4.7 WLAN 2.4G Station Status	41
4.8 WLAN 5G Station Status	41
Router Modes	43
5.1 Overview	43
5.1.1 Web Configurator Modes	43
5.1.2 Device Modes	43
Easy Mode	45
6.1 Overview	45
6.2 What You Can Do	46
6.3 What You Need to Know	46
6.4 Navigation Panel	47
6.5 Network Map	47
6.6 Control Panel	48
6.6.1 Game Engine	49
6.6.2 Power Saving	49
6.6.3 Content Filter	51
6.6.4 Bandwidth MGMT	51
6.6.5 Firewall	52
6.6.6 Wireless Security	52
6.6.7 WPS	54
6.7 Status Screen in Easy Mode	55
Router Mode	57
7.1 Overview	57
7.2 What You Can Do	57
7.3 Status Screen	58
7.3.1 Navigation Panel	61
Access Point Mode	65
8.1 Overview	65
8.2 What You Can Do	65
8.3 What You Need to Know	65
8.3.1 Setting your Router to AP Mode	66
8.3.2 Accessing the Web Configurator in Access Point Mode	66
8.3.3 Configuring your WLAN, Bandwidth Management and Maintenance Settings	67
8.4 AP Mode Status Screen	68
8.5 LAN Screen	70
Tutorials	73
9.1 Overview	73
9.2 Connecting to the Internet from an Access Point	73
9.3 Configuring Wireless Security Using WPS	73
9.3.1 Push Button Configuration (PBC)	74
9.3.2 PIN Configuration	75
9.4 Enabling and Configuring Wireless Security (No WPS)	77
9.4.1 Configure Your Notebook	78
Technical Reference	81
Wireless LAN	83
10.1 Overview	83
10.2 What You Can Do	83
10.3 What You Should Know	84
10.3.1 Wireless Security Overview	84
10.4 General Wireless LAN 2.4G/5G Screen	86
10.4.1 No Security	87
10.4.2 WEP Encryption	88
10.4.3 WPA-PSK/WPA2-PSK	90
10.5 MAC Filter	90
10.6 Wireless LAN Advanced Screen	91
10.7 Quality of Service (QoS) Screen	93
10.8 WPS Screen	94
10.9 WPS Station Screen	95
10.10 Scheduling Screen	96
10.11 WDS Screen	97
WAN	99
11.1 Overview	99
11.2 What You Can Do	99
11.3 What You Need To Know	99
11.3.1 Configuring Your Internet Connection	100
11.3.2 Multicast	101
11.4 Internet Connection	102
11.4.1 Ethernet Encapsulation	102
11.4.2 PPPoE Encapsulation	103
11.4.3 PPTP Encapsulation	105
11.5 Advanced WAN Screen	108
LAN	109
12.1 Overview	109
12.2 What You Can Do	109
12.3 What You Need To Know	110
12.3.1 IP Pool Setup	110
12.3.2 LAN TCP/IP	110
12.3.3 IP Alias	110
12.4 LAN IP Screen	111
12.5 IP Alias Screen	111
DHCP Server	113
13.1 Overview	113
13.2 What You Can Do	113
13.3 General Screen	113
13.4 Advanced Screen	114
Network Address Translation (NAT)	117
14.1 Overview	117
14.2 What You Can Do	117
14.3 General NAT Screen	118
14.4 NAT Application Screen	118
14.5 NAT Advanced Screen	120
14.5.1 Trigger Port Forwarding Example	122
14.5.2 Two Points To Remember About Trigger Ports	122
Dynamic DNS	123
15.1 Overview	123
15.2 What You Can Do	123
15.3 What You Need To Know	123
15.4 Dynamic DNS Screen	123
Static Route	125
16.1 Overview	125
16.2 What You Can Do	125
16.3 IP Static Route Screen	126
Firewall	129
17.1 Overview	129
17.2 What You Can Do	129
17.3 What You Need To Know	130
17.4 General Firewall Screen	130
17.5 Services Screen	131
Content Filter	133
18.1 Overview	133
18.2 What You Can Do	133
18.3 What You Need To Know	133
18.3.1 Content Filtering Profiles	133
18.4 Content Filter Screen	134
Bandwidth Management	137
19.1 Overview	137
19.2 What You Can Do	137
19.3 What You Need To Know	138
19.4 General Screen	138
19.5 Advanced Screen	138
19.5.1 Rule Configuration: Application Rule Configuration	141
19.5.2 Rule Configuration: User Defined Service Rule Configuration	142
19.6 Monitor Screen	143
19.6.1 Predefined Bandwidth Management Services	143
Remote Management	145
20.1 Overview	145
20.2 What You Can Do	145
20.3 What You Need to Know	145
20.3.1 Remote Management and NAT	145
20.3.2 System Timeout	146
20.4 WWW Screen	146
Universal Plug-and-Play (UPnP)	147
21.1 Overview	147
21.2 What You Can Do	147
21.3 What You Need to Know	147
21.3.1 NAT Traversal	147
21.3.2 Cautions with UPnP	148
21.4 UPnP Screen	148
21.5 Technical Refereance	148
21.5.1 Using UPnP in Windows XP Example	148
21.5.2 Web Configurator Easy Access	151
Maintenance	155
22.1 Overview	155
22.2 What You Can Do	155
22.3 General Screen	155
22.4 Password Screen	156
22.5 Time Setting Screen	157
22.6 Firmware Upgrade Screen	158
22.7 Configuration Backup/Restore Screen	160
22.8 Restart Screen	161
22.9 System Operation Mode Overview	161
22.10 Sys OP Mode Screen	163
Troubleshooting	165
23.1 Power, Hardware Connections, and LEDs	165
23.2 Router Access and Login	166
23.3 Internet Access	167
23.4 Resetting the Router to Its Factory Defaults	169
23.5 Wireless Router/AP Troubleshooting	169
IP Addresses and Subnetting	171
Setting Up Your Computer’s IP Address	181
Wireless LANs	209
Common Services	223
Legal Information	227

Match case Limit results 1 per page

Appendix C Wireless LANs

NBG6503 User’s Guide

215

• Accounting-Request

Sent by the access point requesting accounting.

• Accounting-Response

Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret

key, which is a password, they both know. The key is not sent over the network. In addition to the

shared key, password information exchanged is also encrypted to protect the network from

unauthorized access.

Types of EAP Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and

LEAP. Your wireless LAN device may not support all authentication types.

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE

802.1x transport mechanism in order to support multiple types of user authentication. By using EAP

to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a

RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that

supports IEEE 802.1x. .

For EAP-TLS authentication type, you must first have a wired connection to the network and obtain

the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used

to authenticate users and a CA issues certificates and guarantees the identity of each certificate

owner.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server

sends a challenge to the wireless client. The wireless client ‘proves’ that it knows the password by

encrypting the password with the challenge and sends back the information. Password is not sent in

plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get

the plaintext passwords, the passwords must be stored. Thus someone other than the

authentication server may access the password file. In addition, it is possible to impersonate an

authentication server as MD5 authentication method does not perform mutual authentication.

Finally, MD5 authentication method does not support data encryption with dynamic session key. You

must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for

mutual authentication. The server presents a certificate to the client. After validating the identity of

the server, the client sends a different certificate to the server. The exchange of certificates is done

in the open before a secured tunnel is created. This makes user identity vulnerable to passive

attacks. A digital certificate is an electronic ID card that authenticates the sender’s identity.

However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which

imposes a management overhead.