ZyXEL NWA-3163 User Guide
ZyXEL NWA-3163 Manual
 |
View all ZyXEL NWA-3163 manuals
Add to My Manuals
Save this manual to your list of manuals |
ZyXEL NWA-3163 manual content summary:
- ZyXEL NWA-3163 | User Guide - Page 1
NWA-3160 Series Models: NWA-3160, NWA-3163 & NWA-3166 Default Login Details IP Address http://192.168.1.2 Password 1234 Firmware Version 3.70 Edition 3, 01/2010 www.zyxel.com www.zyxel.com Copyright © 2010 ZyXEL Communications Corporation - ZyXEL NWA-3163 | User Guide - Page 2
- ZyXEL NWA-3163 | User Guide - Page 3
Audience This manual is intended for people who want to configure the NWA using the web configurator. Tips for Reading User's Guides On-Screen When reading a ZyXEL User's Guide On-Screen, keep the following in mind: • If you don't already have the latest version of Adobe Reader, you can download it - ZyXEL NWA-3163 | User Guide - Page 4
specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products. • Forum This contains discussions on ZyXEL products. Learn from others who use ZyXEL products and share your experiences as well. 4 NWA-3160 Series User - ZyXEL NWA-3163 | User Guide - Page 5
following information ready when you contact an office. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it. NWA-3160 Series User's Guide 5 - ZyXEL NWA-3163 | User Guide - Page 6
• The ZyWALL 1050 may be referred to as the "NWA", the "device", the "system" or the "product" in this User's Guide. • Product labels, screen names, field labels and field choices shorthand for "for instance", and "i.e.," means "that is" or "in other words". 6 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 7
, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate. NWA Computer Notebook computer Server Printer Firewall Telephone Switch Router NWA-3160 Series User's Guide 7 - ZyXEL NWA-3163 | User Guide - Page 8
over them. • Always disconnect all cables from this device before servicing or disassembling. • Use ONLY an appropriate power adaptor or electrical lines, gas or water pipes will be damaged. • The PoE (Power over Ethernet) devices that supply or receive power and their NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 9
...187 Rogue AP Detection ...191 Remote Management Screens 199 Internal RADIUS Server ...213 Certificates ...221 Log Screens ...239 VLAN ...249 Load Balancing ...269 Dynamic Channel Selection ...275 Maintenance ...279 Appendices and Index ...287 Troubleshooting ...289 New Template User's Guide 9 - ZyXEL NWA-3163 | User Guide - Page 10
Contents Overview 10 New Template User's Guide - ZyXEL NWA-3163 | User Guide - Page 11
Antennas ...32 1.7 LEDs ...33 Chapter 2 The Web Configurator ...35 2.1 Overview ...35 2.2 Accessing the Web Configurator 35 2.3 Resetting the NWA ...36 2.3.1 Methods of Restoring Factory-Defaults 36 2.4 Navigating the Web Configurator 37 Chapter 3 Tutorials ...39 NWA-3160 Series User's Guide 11 - ZyXEL NWA-3163 | User Guide - Page 12
Your NWA in Controller AP Mode 71 3.6.4.1 Secondary AP Controller 71 3.6.4.2 Primary AP Controller 72 3.6.5 Setting Your NWA in Managed AP Mode 73 3.6.6 Configuring the Managed Access Points List 74 3.6.7 Checking your Settings and Testing the Configuration 77 12 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 13
...87 5.2.1 CAPWAP Discovery and Management 88 5.2.2 CAPWAP and DHCP 88 5.2.3 CAPWAP and IP Subnets 88 5.2.4 Notes on CAPWAP ...89 5.3 The Management 7.2 General Screen ...111 7.3 Password Screen ...113 7.4 Time Setting Screen ...115 7.5 Technical Reference ...117 NWA-3160 Series User's Guide 13 - ZyXEL NWA-3163 | User Guide - Page 14
...155 9.3.3.1 ATC+WMM from LAN to WLAN 156 9.3.3.2 ATC+WMM from WLAN to LAN 156 9.3.4 Type Of Service (ToS 156 9.3.4.1 DiffServ 156 9.3.4.2 DSCP and Per-Hop Behavior 157 9.3.4.3 ToS (Type of Service) and WMM QoS 157 Chapter 10 Wireless Security Screen ...159 14 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 15
13.2 The MAC Filter Screen ...184 13.2.1 Configuring the MAC Filter 185 Chapter 14 IP Screen...187 14.1 Overview ...187 14.1.1 What You Can Do in the IP Screen 187 14.1.2 What You Need To Know About IP 187 14.2 The IP Screen ...188 14.3 Technical Reference ...189 NWA-3160 Series User's Guide 15 - ZyXEL NWA-3163 | User Guide - Page 16
of Contents 14.3.1 WAN IP Address Assignment 189 Chapter 15 ...204 16.5 The SNMP Screen ...207 16.5.1 SNMPv3 User Profile 209 16.6 Technical Reference ...210 16.6.1 MIB ...210 16.6.2 Supported MIBs ...211 16.6.3 SNMP Traps ...211 Chapter 17 Import Screen 224 16 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 17
Microsoft's IAS Server Example 257 20.3.3.1 Configuring VLAN Groups 258 20.3.3.2 Configuring Remote Access Policies 259 20.3.4 Second Rx VLAN ID Example 267 20.3.4.1 Second Rx VLAN Setup Example 267 Chapter 21 Load Balancing ...269 21.1 Overview ...269 NWA-3160 Series User's Guide 17 - ZyXEL NWA-3163 | User Guide - Page 18
Modes 292 24.5 Internet Access ...294 24.6 Wireless Router/AP Troubleshooting 295 Chapter 25 Chapter 25 Product Specifications 297 25.1 Wall-Mounting Instructions 300 Appendix A Wireless LANs 303 Appendix B Pop-up Windows, JavaScripts and Java Permissions 319 18 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 19
Table of Contents Appendix C IP Addresses and Subnetting 327 Appendix D Text File Based Auto Configuration 349 Appendix E How to Access and Use the CLI 357 Appendix F Legal Information 363 Index...367 NWA-3160 Series User's Guide 19 - ZyXEL NWA-3163 | User Guide - Page 20
Table of Contents 20 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 21
PART I Introduction Introduction (23) The Web Configurator (35) Tutorials (39) 21 - ZyXEL NWA-3163 | User Guide - Page 22
22 - ZyXEL NWA-3163 | User Guide - Page 23
book are based on the NWA-3160 (unless otherwise stated). The Web Configuration screens are based on the NWA-3166 (unless otherwise stated). 1.1 Overview Your NWA extends the range of your existing wired network without additional wiring, providing easy network access to mobile users. It is highly - ZyXEL NWA-3163 | User Guide - Page 24
The NWA is an ideal access solution for wireless Internet connection. A typical Internet access application for your NWA is shown as follows. Stations A, B and C can access the wired network through the NWAs. Figure 1 Access Point Application AP1 A B BSS1 AP2 C BSS2 24 NWA-3160 Series User - ZyXEL NWA-3163 | User Guide - Page 25
settings of peer sides match one another, the connection between devices is made. At the time of writing, WDS security is compatible with other ZyXEL access points only. Refer to your other access point's documentation for details. Figure 2 Bridge Application A B NWA-3160 Series User's Guide 25 - ZyXEL NWA-3163 | User Guide - Page 26
you enable bridging in the NWA. Bridge loops cause broadcast traffic to circle the network endlessly, resulting in possible throughput degradation and disruption of communications. The following examples show two network topologies that can lead to this problem: 26 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 27
. Figure 5 Bridge Loop: Two Bridges Connected to Hub • If your NWA (in bridge mode) is connected to a wired LAN while communicating with another Wireless screen or your NWA is not set to bridge mode while connected to both wired and wireless segments of the same LAN. NWA-3160 Series User's Guide 27 - ZyXEL NWA-3163 | User Guide - Page 28
X Y A B 1.2.4 MBSSID A Basic Service Set (BSS) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). The Service Set IDentifier (SSID) is the name of a BSS. In Multiple BSS (MBSSID) mode, the NWA 28 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 29
SSID03 is the wireless network for standard users, and Guest_SSID is the wireless network for guest users. In this example, the guest user is forbidden access to the wired Land Area Network (LAN) behind the AP and can access only the Internet. Figure 8 Multiple BSSs NWA-3160 Series User's Guide 29 - ZyXEL NWA-3163 | User Guide - Page 30
Layer Security (DTLS). The following ZyXEL AP models can be CAPWAP managed APs: • NWA-3160 • NWA-3163 • NWA-3500 • NWA-3550 • NWA-3166 Note: If you are using several NWA models in your network including an NWA-3166, you should use the NWA-3166 as the Controller AP. 30 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 31
of the NWA using a (supported) web browser. • Command Line Interface (CLI). Line commands are mostly used for troubleshooting by service engineers. • File Transfer Protocol (FTP). This protocol can be used for firmware upgrades and configuration backup and restore. • Simple Network Management - ZyXEL NWA-3163 | User Guide - Page 32
it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the NWA to its factory default settings. If you backed up an earlier configuration file, you won't have to totally re-configure the - ZyXEL NWA-3163 | User Guide - Page 33
section are from the NWA-3160. Your device may differ in minor ways. Figure 11 LEDs Table 1 LEDs LABEL COLOR WDS STATUS Off Green On DESCRIPTION Either • The NWA is in Access Point or MBSSID mode and is functioning normally. or • The NWA is in AP + Bridge or Bridge / Repeater mode and has not - ZyXEL NWA-3163 | User Guide - Page 34
NWA is receiving power and functioning properly. The NWA is not receiving power. Either • If the LED blinks during the boot up process, the system is starting up. or • If the LED blinks after the boot up process, the system has failed. The NWA successfully boots up. 34 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 35
Accessing the Web Configurator 1 Make sure your hardware is properly connected and prepare your computer or computer network to connect to the NWA (refer to the Quick Start Guide). 2 Launch your web browser. 3 Type "http://192.168.1.2" as the URL (default). 4 Type "1234" (default) as the password - ZyXEL NWA-3163 | User Guide - Page 36
five minutes). Simply log back into the NWA if this happens. 2.3 Resetting the NWA If you forget your password or cannot access the web configurator, you will need to use the RESET button. This replaces the current configuration file with the factory-default configuration file. This means that you - ZyXEL NWA-3163 | User Guide - Page 37
), Load Balancing, and DCS. • Click MAINTENANCE to view information about your NWA or upgrade configuration and firmware files. Maintenance features include Association List, Channel Usage, F/W (Firmware) Upload, Configuration (Backup, Restore and Default) and Restart. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 38
Chapter 2 The Web Configurator 38 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 39
to allow wireless clients to access your wired network, all using the same security and Quality of Service (QoS) settings. See Section 1.2.1 on page 24 for details. • Use Bridge / Repeater operating mode if you want to use the NWA to communicate with other access points. See Section 1.2.2 on page 25 - ZyXEL NWA-3163 | User Guide - Page 40
NWA's wireless network (see your Quick Start Guide for information on setting up your NWA and accessing the Web Configurator). Figure 13 Configuring Wireless LAN Select Operating Mode. Access Point Mode. Bridge / Repeater (optional). Check your settings and test. 40 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 41
the network printer. To do this, you will take the following steps: 1 Change the operating mode from Access Point to MBSSID and reactivate the standard network. 2 Configure a wireless network for VoIP users. 3 Configure a wireless network for guests to your office. NWA-3160 Series User's Guide 41 - ZyXEL NWA-3163 | User Guide - Page 42
you want to allow users of the guest network to access. The following table shows the addresses used in this example. Table 2 Tutorial: Example Information Network router (A) MAC address 00:AA:00:AA:00:AA Network printer (B) MAC address AA:00:AA:00:AA:00 42 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 43
Mode Log in to the NWA (see Section 2.2 on page 35). Click Wireless > Wireless. The Wireless screen appears. 3.3.1.1 Access Point Set the NWA is in Access Point operating mode, and is currently set to use the SSID03 profile. Figure 15 Tutorial: Wireless LAN: Before NWA-3160 Series User's Guide 43 - ZyXEL NWA-3163 | User Guide - Page 44
number 3 in this example). Select the Index box for the entry and click Apply to activate the profile. Your standard wireless network (SSID03) is now accessible to your wireless clients as before. You do not need to configure anything else for your standard network. 44 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 45
different security profiles. Figure 17 Tutorial: WIRELESS > SSID The Voice over IP (VoIP) network will use the pre-configured SSID profile, so select VoIP_SSID's radio button and click Edit. The following screen displays. Figure 18 Tutorial: VoIP SSID Profile Edit NWA-3160 Series User's Guide 45 - ZyXEL NWA-3163 | User Guide - Page 46
field. 4 Leave all the other fields at their defaults and click Apply. 3.3.2.1 Set Up Security for the VoIP Profile Now you need to configure the security settings to use on the VoIP wireless network. Click the Security tab. Figure 19 Tutorial: VoIP Security 46 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 47
use, once they know the pre-shared key (PSK). Enter the PSK you want to use in your network in the Pre Shared Key field. In this example, the PSK is "ThisismyWPA2-PSKpre-sharedkey". 3 Click Apply Security Mode is WPA2-PSK. Figure 21 Tutorial: VoIP Security: Updated NWA-3160 Series User's Guide 47 - ZyXEL NWA-3163 | User Guide - Page 48
network via the Guest_SSID profile can access only certain pre-defined devices on the network (see Section on page 178), and "intra-BSS traffic blocking" means that the client cannot access other clients on the same wireless network (see Section 8.1.2 on page 120). 48 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 49
standard network (SSID04) is already using the security01 profile, and the VoIP network is using the security02 profile (renamed VoIP_Security) so select the security03 profile from the Security field. 4 Leave all the other fields at their defaults and click Apply. NWA-3160 Series User's Guide 49 - ZyXEL NWA-3163 | User Guide - Page 50
do not have access to sensitive information on the network, you should not leave the network without security. An attacker could still cause damage to the network or intercept unsecured that the Security Mode is WPA-PSK. Figure 25 Tutorial: Guest Security: Updated 50 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 51
Tutorial: Layer 2 Isolation Profile Enter the MAC addresses and descriptions of the two network devices you want users on the guest network to be able to access: the main network router (00:AA:00:AA:00:AA) and the network printer (AA:00:AA:00:AA:00). Click Apply. NWA-3160 Series User's Guide 51 - ZyXEL NWA-3163 | User Guide - Page 52
a real device on your network that is not on the layer 2 isolation list). If you receive a reply, check the settings in the Wireless > Layer-2 Isolation > Edit screen, and ensure that the correct layer 2 isolation profile is enabled in the Guest_SSID profile screen. 52 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 53
and accessed from your floor of the building. There are no other static wireless networks in your coverage area. The following diagram shows the wireless networks in your area. Your access points are marked A, B, C and D. You also have a network mail/file server, marked NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 54
192.168.1.1 Access Point B 192.168.1.2 Access Point C 192.168.1.3 Access Point D 192.168.1.4 File / Mail Server E 192.168.1.25 Access Point 1 UNKNOWN MAC ADDRESS 00:AA:00:AA:00:AA AA:00:AA:00:AA:00 A0:0A:A0:0A:A0:0A 0A:A0:0A:A0:0A:A0 N/A AF:AF:AF:FA:FA:FA 54 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 55
to set up and save a list of access points you want to allow in your network's coverage area. 1 On a computer connected to the wired network (F in the previous figure), open your Internet :0A DESCRIPTION My Access Point _A_ My Access Point _B_ My Access Point _C_ NWA-3160 Series User's Guide 55 - ZyXEL NWA-3163 | User Guide - Page 56
:FA:FA:FA DESCRIPTION My Access Point _D_ Coffee Shop Access Point _1_ Note: You can add APs that are not part of your network to the friendly AP list other access points. Click the Configuration tab.The following screen appears. Figure 32 Tutorial: Configuration 56 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 57
5 Save the friendly AP list somewhere it can be accessed by all the other access points on the network. In this example, save it on the network file server (E in Figure 29 on page 54). The default filename is "Flist". Figure 34 Tutorial: Save Friendly AP list NWA-3160 Series User's Guide 57 - ZyXEL NWA-3163 | User Guide - Page 58
every hour. In this example, enter "10". 3 In the Expiration Time field, enter how long an AP's entry can remain in the list before the NWA discards it from the list when the AP is no longer active. In this example, enter "30". 4 Click Apply. 58 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 59
inbox whenever a rogue AP is discovered in your wireless network's coverage area. 1 Click LOGS > Log Settings. The access point - in this example, "ALERT_Access_Point_A". 4 Enter the email address to which you want alerts to be sent ([email protected], in this example). NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 60
the other wireless access points on your network to do the same things. For each access point, take the following steps. 1 From a computer on the wired network, enter the access point's IP address and login alert, email alerts are correctly configured on that NWA. 60 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 61
valuable proprietary data. You have two secure servers (1 and 2 in the following figure). Wireless user "Alice" (A) needs to access server 1 (but should not access server 2) and wireless user "Bob" (B) needs to access server 2 (but should not access server 1). Your NWA-3160 Series User's Guide 61 - ZyXEL NWA-3163 | User Guide - Page 62
Network 3.5.2 Your Requirements 1 You want to set up a wireless network to allow only Alice to access Server 1 and the Internet. 2 You want to set up a second wireless network to allow only Bob to access PSK Hide SSID Intra-BSS traffic blocking Enabled Enabled 62 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 63
Alice to access secure server 1 via the network switch. You will configure the MAC filter to restrict access to Alice alone, and then configure layer-2 isolation to allow her to access only the network router, the file server and the Internet security gateway. NWA-3160 Series User's Guide 63 - ZyXEL NWA-3163 | User Guide - Page 64
Chapter 3 Tutorials Take the following steps to configure the SERVER_1 network. 1 Log into the NWA's Web Configurator and click Wireless > SSID. The following screen displays, showing the SSID profiles you already configured. Figure 38 Tutorial: SSID Profile 64 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 65
Name to "L-2-ISO_SERVER_1" and click Apply. You have restricted users on the SERVER_1 network to access only the devices with the MAC addresses you entered. 7 Click the MAC Filter tab. When the MAC Filter screen appears, select macfilter03's entry and click Edit. NWA-3160 Series User's Guide 65 - ZyXEL NWA-3163 | User Guide - Page 66
SERVER_1 network is now configured. 3.5.5 Configure the SERVER_2 Network Next, you will configure the SERVER_2 network that allows Bob to access secure server 2 and the Internet. To do this, repeat the SERVER_2 MAC Address: 66:55:44:33:22:11 Description: GATEWAY 66 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 67
the following sections to ensure that your wireless networks are set up correctly. 3.5.6.1 Checking Settings Take the following steps to check that the NWA is using the correct SSIDs, MAC filters in the following figure. Figure 43 Tutorial: SSID Tab Correct Settings NWA-3160 Series User's Guide 67 - ZyXEL NWA-3163 | User Guide - Page 68
following. Attempt to access Server 1. You should be able to do so. Attempt to access the Internet. You should be able to do so. Attempt to access Server 2. You should the relevant network. If this does not help, see the Troubleshooting chapter in this User's Guide. 68 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 69
NWA's controller AP and managed AP modes. Note: If you are using several NWA models in your network including an NWA-3166, you should use the NWA-3166 DHCP Server You D C B E A Secondary and Primary Controller APs 1st floor Managed APs 2nd, 3rd and 4th floors NWA-3160 Series User's Guide 69 - ZyXEL NWA-3163 | User Guide - Page 70
in default standalone mode) to Managed AP mode. You can also manually enter the IP addresses of your primary and secondary NWA controller APs. 3 Add the newly converted managed APs (B, C and D, from step 4) to the Managed Access Points List of the NWA primary controller AP. 70 NWA-3160 Series User - ZyXEL NWA-3163 | User Guide - Page 71
network, the secondary controller AP's WLAN radio is turned off as long as the primary controller AP is turned on. Note: If you are using several NWA models in your network including an NWA-3166, you should use the NWA-3166 as the Controller AP. 1 Access 's presence. NWA-3160 Series User's Guide 71 - ZyXEL NWA-3163 | User Guide - Page 72
NWA in primary controller AP mode, open the Controller > Redundacy screen (this screen only appears when the NWA is in Controller AP mode) in the Web Configurator of the NWA that you want to serve as the main controller. Figure 47 Tutorial: Primary Controller AP 72 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 73
a request to be managed to controller APs that are within range, even if the controller AP belongs to another network. 3 You are logged out of the Web Configurator and the screen shows a message that the device is rebooting. You lose access to the Web Configurator. NWA-3160 Series User's Guide 73 - ZyXEL NWA-3163 | User Guide - Page 74
Points List in the Controller > AP Lists screen. • If the Registration Type is set to Always Accept, the controller AP immediately adds the AP to the Managed Access Points List in the Controller > AP Lists screen. For this example, we set the Registration Type to Manual. 74 NWA-3160 Series User - ZyXEL NWA-3163 | User Guide - Page 75
by filling in the Description field. Click Add. 3 The 2nd, 3rd and 4th floor NWA managed APs (B, C and D) should now be in the Manged Access Points List. By default, newly added managed APs in the list have their WLAN Radio Profile set to disabled. This means that their wireless functions are turned - ZyXEL NWA-3163 | User Guide - Page 76
Figure 51 Tutorial:AP List (Managed) 4 In the screen that opens, choose the radio profile for each WLAN radio and click Apply. Figure 52 Tutorial: Managed AP WLAN Radio Profile In this example, the 1st floor NWA managed AP uses radio06 for its WLAN1 Radio Profile. 76 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 77
networks within range. In the image above, we can see Mktg Grp 6 which is the SSID in the WLAN1 radio profile enabled for the 1st floor NWA managed AP. Do the same for the other WLAN radio profiles of the remaining NWA the configurations of the primary controller AP. NWA-3160 Series User's Guide 77 - ZyXEL NWA-3163 | User Guide - Page 78
Chapter 3 Tutorials 78 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 79
Screens (109) Wireless Screen (119) SSID Screen (149) Wireless Security Screen (159) RADIUS Screen (173) Layer-2 Isolation Screen (177) MAC Filter Screen (183) IP Screen (187) Rogue AP Detection (191) Remote Management Screens (199) Internal RADIUS Server (213) Certificates (221) Log Screens (239 - ZyXEL NWA-3163 | User Guide - Page 80
80 - ZyXEL NWA-3163 | User Guide - Page 81
4.1 Overview The Status screen displays when you log into the NWA or click Status in the navigation menu. Use this screen view of system, Ethernet, WLAN and other information regarding your NWA. Click Status. The following screen displays. Figure 54 The Status Screen NWA-3160 Series User's Guide 81 - ZyXEL NWA-3163 | User Guide - Page 82
the NWA is to slow down. WLAN Associations This field displays the number of wireless clients currently associated with the wireless module. It supports up to 128 concurrent associations. Interface Status Interface This column displays each interface of the NWA. 82 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 83
not use VLAN. System Status Show Statistics Click this link to view port status and packet specific statistics. NWA. See Chapter 19 on page 239. Rogue AP List Click this to see a list of unauthorized access points in the local area. See Section 15.2.2 on page 196. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 84
This is the Ethernet port (LAN) or wireless LAN adaptor (WLAN). Status This shows the port speed and duplex setting if you or Bridge / Repeater mode. This is the index number of the bridge connection. This shows whether the bridge connection is activated or not. 84 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 85
for refreshing statistics. Set Interval Click this button to apply the new poll interval you entered above. Stop Click this button to stop refreshing statistics. NWA-3160 Series User's Guide 85 - ZyXEL NWA-3163 | User Guide - Page 86
Chapter 4 Status Screen 86 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 87
management mode. This screen determines whether the NWA is used in its default standalone mode, or as part of a Control And Provisioning of Wireless Access Points (CAPWAP) network. 5.2 About CAPWAP The NWA supports CAPWAP. This is ZyXEL's implementation of the IETF's CAPWAP protocol (RFC 4118). The - ZyXEL NWA-3163 | User Guide - Page 88
, you can configure CAPWAP to operate between devices with IP addresses in different subnets by doing the following. • Activate DHCP option 43 on your network's DHCP server. • Configure DHCP option 43 with the IP address of the CAPWAP AP controller on your network. 88 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 89
Use this screen to configure the NWA as a CAPWAP controller AP, a CAPWAP managed AP, or to use it in its default standalone mode. Note: If you are using several NWA models in your network including an NWA-3166, you should use the NWA-3166 as the Controller AP. NWA-3160 Series User's Guide 89 - ZyXEL NWA-3163 | User Guide - Page 90
, it becomes a DHCP client. To discover its new IP address, check the DHCP server on your network. If your network has no DHCP server, the NWA's IP address remains the same. You can also check the Controller > AP Lists screen of the AP controller on your network. 90 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 91
DESCRIPTION Apply Click this to save your changes. Reset If you change the mode in this screen, the NWA restarts. Wait a short while before you NWA through the management AP on your network. Click this to return this screen to its previously-saved settings. NWA-3160 Series User's Guide 91 - ZyXEL NWA-3163 | User Guide - Page 92
Chapter 5 Management Mode 92 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 93
NWA is used as a CAPWAP (Control And Provisioning of Wireless Access Points about your managed wireless network. • Use the NWA can be a CAPWAP controller AP. In this setup, the NWA can manage the wireless configurations and device settings of several APs at the same time. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 94
He changes the security mode to WPAPSK just by accessing the Web Configurator of the controller AP (C). several NWA models in your network including an NWA-3166, you should use the NWA-3166 as NWA reboots and shows the following message. Figure 60 System Restart 94 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 95
NWA is in AP controller mode, the Status screen displays some unique fields in the System Information, AP Status, WLAN Association and System Status sections. The System Status links take you to screens that provide information on the access points managed by the NWA. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 96
Un-managed WLAN Association 5GHz Always Accept displays if the NWA automatically manages any CAPWAP-enabled AP that transmits a management request over the network. When the NWA is in AP controller mode, this displays Controller. This field displays the number of access points, managed by the NWA - ZyXEL NWA-3163 | User Guide - Page 97
page 102) and the NWA acts as the primary AP controller. Redundancy Device This field displays the IP address of the secondary AP managed APs. By default, the controller NWA is always included in this table. Although you cannot remove it, you can edit its settings. NWA-3160 Series User's Guide 97 - ZyXEL NWA-3163 | User Guide - Page 98
list. This displays the IP address of the managed AP. This displays the MAC address of the managed AP. This displays the model name and 802.11 mode of the managed AP. This displays the description of the managed AP. You can assign this in Section 6.4.1 on page 100. 98 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 99
Yellow: the AP is upgrading its firmware. Edit Delete Un-Managed Access Points List Index Select IP MAC Address Model Description Add Automatic NWA's managed AP list. Enter how often you want the NWA to update this screen. Click this to update this screen immediately. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 100
this access point ( Reset Select Disable if you do not want to use a radio profile. The AP's radio is not active when you select Disable. Click this to save the changes in this screen. Click this to return the fields in this screen to their previouslysaved values. 100 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 101
> AP Lists screen). • Select Always Accept to have the NWA manage any AP on your network that transmits a CAPWAP request for management. Click this to save the changes in this screen. Click this to return the fields in this screen to their previously-saved values. NWA-3160 Series User's Guide 101 - ZyXEL NWA-3163 | User Guide - Page 102
backup in the field below. Enter the IP address of the secondary controller AP. Select this if the NWA is the secondary controller AP. Click this to save the changes in this screen. Click this to return the fields in this screen to their previously-saved values. 102 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 103
Use this screen to configure radio profiles. Radio profiles contain information about an AP's wireless settings and can be applied to APs managed by the NWA. In AP Controller mode, click Profile Edit > Radio. The following screen displays. Figure 67 Radio Screen NWA-3160 Series User's Guide 103 - ZyXEL NWA-3163 | User Guide - Page 104
go to the radio profile configuration screen. 6.7.2 The Radio Profile Edit Screen Use this screen to configure a specific radio profile. In the Profile Edit > Radio screen, select a profile and click Edit. The following screen displays. Figure 68 Radio Edit Screen 104 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 105
options in this field depend on the 802.11 modes that your device supports: Channel Width • NWA-3166 supports 802.11b/g, 802.11a, 802.11n/g and 802.11n/a. • NWA-3160 supports 802.11b only, 802.11g only, 802.11b/g and 802.11a. • NWA-3163 supports 802.11b only, 802.11g only and 802.11b/g. This field - ZyXEL NWA-3163 | User Guide - Page 106
radar systems or other wireless networks. (For NWA-3160 and NWA-3163) Choose Channel ID Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting. Set the operating frequency/channel depending on your particular region. To manually set the NWA to use a channel - ZyXEL NWA-3163 | User Guide - Page 107
data collisions on the wireless network if you have wireless clients access point at this speed. • Optional: Clients can connect to the access point at this speed, when permitted to do so by the AP. • Disabled: Clients cannot connect to the access point at this speed. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 108
SSID profile or profiles you want access points using this radio profile to use. Each AP can use multiple SSID profiles simultaneously. Enable Antenna Diversity Apply Reset Configure SSID profiles in the Profile Edit > SSID screens. (For NWA-3160 and NWA-3163) Select this to use antenna diversity - ZyXEL NWA-3163 | User Guide - Page 109
password for your NWA and have a RADIUS server authenticate management logins to the NWA. • Use the Time Setting screen (see Section 7.4 on page 115) to change your NWA's time and date. This screen allows you to configure the NWA's time based on your local time zone. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 110
as the network number; which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network. 110 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 111
"-" and underscores "_" are accepted. Domain Name If you want to log into the NWA using the System Name, enter a name not longer than 15 alphanumeric characters. This is not a required field. Leave this field blank or enter the domain name here if you know it. NWA-3160 Series User's Guide 111 - ZyXEL NWA-3163 | User Guide - Page 112
DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. Apply Reset The default setting is None. Click Apply to save your changes. Click Reset to reload the previous configuration for this screen. 112 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 113
other fields in this section) to have a RADIUS server authenticate management logins to the NWA. Use old setting Select this to have a RADIUS server authenticate management logins to the NWA using the RADIUS username and password already configured on the device. NWA-3160 Series User's Guide 113 - ZyXEL NWA-3163 | User Guide - Page 114
logins to the NWA. The NWA tests the user name and password against the RADIUS server when you apply your settings. • The user name and password must already be configured Apply to save your changes. Click Reset to reload the previous configuration for this screen. 114 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 115
and date you entered. New Time (hh:mm:ss) This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. NWA-3160 Series User's Guide 115 - ZyXEL NWA-3163 | User Guide - Page 116
server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this NWA use the predefined list of time servers. User Defined Time Server Address Enter the IP address or URL of your time server. Check with your ISP/network NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 117
Apply Click Apply to save your changes. Reset Click Reset to reload the previous configuration for this screen Default Time Servers ntp1.cs.wisc.edu ntp1.gbg.netnod.se ntp2.cs.wisc.edu tock.usno.navy.mil ntp3.cs.wisc.edu ntp.cs.strath.ac.uk ntp1.sp.se time1.stupi.se NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 118
, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the NWA goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. 118 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 119
those specified in your NWA. 8.1.1 What You Can Do in the Wireless Screen Use the Wireless > Wireless screen (see Section 8.2 on page 123) to configure the NWA to use a WLAN interface and operate in AP (Access Point), AP + Bridge, Bridge / Repeater or MBSSID mode. NWA-3160 Series User's Guide 119 - ZyXEL NWA-3163 | User Guide - Page 120
Basic Service set 120 A B ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 121
75 Extended Service Set Operating Mode The NWA can run in four operating modes as follows: • AP (Access Point). The NWA is a wireless access point that allows wireless communication to other devices in the network. • Bridge / Repeater. The NWA acts as a wireless network bridge and establishes - ZyXEL NWA-3163 | User Guide - Page 122
was also the possibility of channel interference. The NWA's MBSSID (Multiple Basic Service Set IDentifier) function allows you to use one access point to provide several BSSs simultaneously. You can then A maximum of eight BSSs are allowed on one AP simultaneously. 122 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 123
mode you select. Note: Some fields in this screen may not apply to your NWA model. 8.2.1 Access Point Mode Use this screen to use your NWA as an access point. Select Access Point as the Operating Mode. The following screen displays. Figure 76 Wireless: Access Point NWA-3160 Series User's Guide 123 - ZyXEL NWA-3163 | User Guide - Page 124
in this field depend on the 802.11 modes that your device supports: Channel Width • NWA-3166 supports 802.11b/g, 802.11a, 802.11n/g and 802.11n/a. • NWA-3160 supports 802.11b only, 802.11g only, 802.11b/g and 802.11a. • NWA-3163 supports 802.11b only, 802.11g only and 802.11b/ g. This field - ZyXEL NWA-3163 | User Guide - Page 125
23 Wireless: Access Point LABEL DESCRIPTION networks. (For NWA-3160 and NWA-3163 only) Channel ID Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting. Set the operating frequency/channel depending on your particular region. To manually set the NWA - ZyXEL NWA-3163 | User Guide - Page 126
are: • Basic (1~11 Mbps only): Clients can always connect to the access point at this speed. • Optional: Clients can connect to the access point at this speed, when permitted to do so by the AP. • Disabled: Clients cannot connect to the access point at this speed. 126 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 127
network. Select the check box to activate STP on the NWA. Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another. Select this checkbox to enable roaming on the NWA if you have two or more NWAs on the same subnet. Apply Reset Note - ZyXEL NWA-3163 | User Guide - Page 128
Chapter 8 Wireless Screen Note: You can view an example of this setup in Section 8.3.3 on page 146. Figure 77 Wireless: Bridge / Repeater 128 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 129
options in this field depend on the 802.11 modes that your device supports: Channel Width • NWA-3166 supports 802.11b/g, 802.11a, 802.11n/g and 802.11n/a. • NWA-3160 supports 802.11b only, 802.11g only, 802.11b/g and 802.11a. • NWA-3163 supports 802.11b only, 802.11g only and 802.11b/g. This field - ZyXEL NWA-3163 | User Guide - Page 130
/ Repeater LABEL networks. (For NWA-3160 and NWA-3163 only) Channel ID Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting. Set the operating frequency/channel depending on your particular region. To manually set the NWA NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 131
the PSK field for each access point in your WDS. Each access point can use a different pre-shared key. • Configure WDS security and the relevant PSK in each of your other access point(s). Note: Other APs must use the same encryption method to enable WDS security. NWA-3160 Series User's Guide 131 - ZyXEL NWA-3163 | User Guide - Page 132
-compliant bridges in your network to ensure that only one path exists between any two stations on the network. Select the check box to activate STP on the NWA. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. 132 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 133
Chapter 8 Wireless Screen 8.2.3 AP + Bridge Mode Use this screen to have the NWA function as a bridge and access point simultaneously. Select AP + Bridge as the Operating Mode. The following screen diplays. Figure 78 AP + Bridge NWA-3160 Series User's Guide 133 - ZyXEL NWA-3163 | User Guide - Page 134
options in this field depend on the 802.11 modes that your device supports: Channel Width • NWA-3166 supports 802.11b/g, 802.11a, 802.11n/g and 802.11n/a. • NWA-3160 supports 802.11b only, 802.11g only, 802.11b/g and 802.11a. • NWA-3163 supports 802.11b only, 802.11g only and 802.11b/g. This field - ZyXEL NWA-3163 | User Guide - Page 135
networks. (For NWA-3160 and NWA-3163 only) Channel ID Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting. Set the operating frequency/channel depending on your particular region. To manually set the NWA 256 and 2346. NWA-3160 Series User's Guide 135 - ZyXEL NWA-3163 | User Guide - Page 136
are: • Basic (1~11 Mbps only): Clients can always connect to the access point at this speed. • Optional: Clients can connect to the access point at this speed, when permitted to do so by the AP. • Disabled: Clients cannot connect to the access point at this speed. 136 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 137
on your WDS. This option is compatible with other ZyXEL access points that support WDS security. Use this if the other access points on your network support WDS security but do not have an AES option. key. Each peer device can use a different pre-shared key. NWA-3160 Series User's Guide 137 - ZyXEL NWA-3163 | User Guide - Page 138
on the NWA if you have two or more NWAs on the same subnet. Apply Reset Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming. Click Apply to save your changes. Click Reset to begin configuring this screen afresh. 138 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 139
Chapter 8 Wireless Screen 8.2.4 MBSSID Mode Use this screen to have the NWA function in MBSSID mode. Select MBSSID as the Operating Mode. The following screen diplays. Figure 79 Wireless: MBSSID NWA-3160 Series User's Guide 139 - ZyXEL NWA-3163 | User Guide - Page 140
options in this field depend on the 802.11 modes that your device supports: Channel Width • NWA-3166 supports 802.11b/g, 802.11a, 802.11n/g and 802.11n/a. • NWA-3160 supports 802.11b only, 802.11g only, 802.11b/g and 802.11a. • NWA-3163 supports 802.11b only, 802.11g only and 802.11b/g. This field - ZyXEL NWA-3163 | User Guide - Page 141
networks. (For NWA-3160 and NWA-3163 only) Channel ID Select this to improve data throughput on the WLAN by enabling fast frame and packet bursting. Set the operating frequency/channel depending on your particular region. To manually set the NWA 256 and 2346. NWA-3160 Series User's Guide 141 - ZyXEL NWA-3163 | User Guide - Page 142
Scheme. This is an 802.11n feature that increases the wireless network performance in terms of throughput. For each MCS Rate (0-15), select either Enable (default) to have the NWA use the data rate. Select Disable if you do not want the NWA to use the data rate. 142 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 143
network. Select the check box to activate STP on the NWA. Roaming allows wireless stations to switch from one access point to another as they move from one coverage area to another. Select this checkbox to enable roaming on the NWA if you have two or more NWAs on the same subnet. Apply Reset Note - ZyXEL NWA-3163 | User Guide - Page 144
root path cost). If there is no root port, then this bridge has been accepted as the root bridge of the spanning tree network. For each LAN segment, a designated bridge is selected. This bridge has the lowest cost to the root among the bridges connected to the LAN. 144 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 145
. As long as your NWA detects no radar activity on the channel you select, you can use the channel to communicate. However, a wireless LAN operating on the same frequency as an active radar system could disrupt the radar system. Therefore, if the NWA detects radar NWA-3160 Series User's Guide 145 - ZyXEL NWA-3163 | User Guide - Page 146
automatically instructs the wireless clients to move to another channel, then resumes communications on the new channel. 8.3.3 Roaming A wireless station is a device with an IEEE 802.11a/b/g compliant wireless interface. An access point (AP) acts as a bridge between the wireless and wired networks - ZyXEL NWA-3163 | User Guide - Page 147
to roam between the coverage areas. • All the access points must be on the same subnet and configured with the same ESSID. • If IEEE 802.1x user authentication is enabled and to be done locally on the access point, the new access point must have the user profile for the wireless station. NWA-3160 - ZyXEL NWA-3163 | User Guide - Page 148
if using dynamic IP address assignment. To enable roaming on your NWA, click WIRELESS > Wireless. The screen appears as shown. Figure 81 Enabling Roaming Select the Enable Roaming check box and click Apply. Note: Roaming cannot be enabled in Bridge / Repeater mode. 148 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 149
), and a guest profile that allows visitors access only the Internet and the network printer (Guest_SSID). 9.1.1 What You Can Do in the SSID Screen Use the Wireless > SSID screen (see Section 9.2 on page 151) to configure up to 16 SSID profiles for your NWA. NWA-3160 Series User's Guide 149 - ZyXEL NWA-3163 | User Guide - Page 150
in the SSID profile) • Wireless > Layer 2 Isolation (the layer 2 isolation list, if activated in the SSID profile) • Also, use the VLAN screen to set up wireless VLANs based on SSID Configure the fields in the above screens to use the settings in an SSID profile. 150 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 151
the identification name of each SSID profile on the NWA. This field displays the name of the wireless profile on the network. When a wireless client scans for an AP the Quality of Service setting for this profile or NONE if QoS is not configured on a profile. NWA-3160 Series User's Guide 151 - ZyXEL NWA-3163 | User Guide - Page 152
(a wireless client scanning for an AP will find this SSID). Alternatively, select Enable to have the NWA hide this SSID (a wireless client scanning for an AP will not find this SSID). Security Select this field. See Section 11.2 on page 175 for more information. 152 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 153
on packets to be transmitted over the wireless network. WMM QoS prioritizes wireless traffic according to the delivery requirements of the individual and applications. WMM QoS is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks. NWA-3160 Series User's Guide 153 - ZyXEL NWA-3163 | User Guide - Page 154
applications such as Internet telephony (Voice over IP or VoIP) tend to have smaller packet sizes than non-time sensitive applications such as FTP (File Transfer Protocol). The following table shows some common applications, their time sensitivity, and their 154 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 155
your wireless network and automatically assign a WMM priority to packets that do not already have one (see Section 9.3.3.1 on page 156). • automatically prioritize all packets going from your wireless network to the wired network (see Section 9.3.3.2 on page 156). NWA-3160 Series User's Guide 155 - ZyXEL NWA-3163 | User Guide - Page 156
decide the best method of delivery, that is the least cost, fastest route and so on. 9.3.4.1 DiffServ DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route 156 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 157
that each packet gets across the DiffServ network. Based on the marking rule, different of Service) and WMM QoS The DSCP value of outgoing packets is between 0 and 255. 0 is the default priority. IP (VoIP) device for example may allow you to define the DSCP value. NWA-3160 Series User's Guide 157 - ZyXEL NWA-3163 | User Guide - Page 158
following table lists which WMM QoS priority level the NWA uses for specific DSCP values. Table 36 ToS and IEEE 802.1d background A. The NWA also uses best effort for any DSCP value for which another WMM QoS priority is not specified (255, 158 or 37 for example). 158 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 159
you to configure the security mode for your NWA. Wireless security is vital to your network. It protects communications between wireless stations, access points and the wired network. Figure 86 Securing the Wireless Network In the figure above, the NWA (ZyXEL Device) checks the identity of devices - ZyXEL NWA-3163 | User Guide - Page 160
the access points to keep network communications private. • 802.1x-Only. This is a standard that extends the features of IEEE 802.11 to support extended authentication. It provides additional accounting and control features. This option does not support data encryption. 160 NWA-3160 Series User - ZyXEL NWA-3163 | User Guide - Page 161
mode, it is further converted by the NWA into a complicated string that is referred to as the "key". This key is requested from all devices wishing to connect to a wireless network. PSK The Pre-Shared Key (PSK) is a password shared by a wireless access point and a client during a previous secure - ZyXEL NWA-3163 | User Guide - Page 162
the security mode this security profile uses. Edit Select an entry from the list and click Edit to configure security settings for that profile. 162 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 163
to identify this security profile. Security Mode Choose WEP in this field. WEP Encryption Select Disable to allow wireless stations to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to enable data encryption. NWA-3160 Series User's Guide 163 - ZyXEL NWA-3163 | User Guide - Page 164
to encrypt data. Both the NWA and the wireless stations must Reset You must configure all four keys, but only one key can be activated at any one time. The default key is key 1. Click Apply to save your changes. Click Reset to begin configuring this screen afresh. 164 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 165
. The wireless station needs to enter the user name and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour). Click Apply to save your changes. Click Reset to begin configuring this screen afresh. NWA-3160 Series User's Guide 165 - ZyXEL NWA-3163 | User Guide - Page 166
for the keys must be set up exactly the same on the access points as they are on the wireless stations. The preceding "0x" is entered automatically. You must configure all four keys, but only one key can be activated at any one time. The default key is key 1. 166 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 167
enter the user name and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour). Click Apply to save your changes. Click Reset to begin this security profile. Security Mode Choose WPA in this field. NWA-3160 Series User's Guide 167 - ZyXEL NWA-3163 | User Guide - Page 168
the RADIUS server has priority. The NWA automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or - ZyXEL NWA-3163 | User Guide - Page 169
to which it is currently connected, before moving into the new AP's coverage area. This speeds up roaming. Select Enable to allow pre-authentication, or Disable to switch it off. Click Apply to save your changes. Click Reset to begin configuring this screen afresh. NWA-3160 Series User's Guide 169 - ZyXEL NWA-3163 | User Guide - Page 170
common password, instead of user-specific credentials. network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour). 170 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 171
. • If you don't have WPA/WPA2-aware wireless clients, then use WEP key encrypting. A higher bit key offers better security. You can manually enter 64bit, 128-bit or 152-bit WEP keys. More information on Wireless Security can be found in Appendix A on page 303. NWA-3160 Series User's Guide 171 - ZyXEL NWA-3163 | User Guide - Page 172
Chapter 10 Wireless Security Screen 172 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 173
Internet using the NWA (ZyXEL Device). The NWA in turn queries the RADIUS server if the identity of clients A and U are allowed access to the Internet. In this scenario, only client U's identity is verified by the RADIUS server and allowed access to the Internet. NWA-3160 Series User's Guide 173 - ZyXEL NWA-3163 | User Guide - Page 174
server for your NWA. You can configure up to four RADIUS server profiles. Each profile also has one backup authentication server and a backup accounting server. These profiles can be assigned to an SSID profile in the Wireless > SSID configuration screen. 174 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 175
of time for each authentication is decided by the wireless client or based on the configuration of the ReAuthentication Timer field in the Security screen. NWA-3160 Series User's Guide 175 - ZyXEL NWA-3163 | User Guide - Page 176
between the external accounting server and the NWA. The key must be the same on the external accounting server and your NWA. The key is not sent over the network. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. 176 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 177
NWA (Z) to allow a guest wireless client (A) to access the main network router (B). The router provides access to the Internet and the network printer (D) while preventing the client from accessing other computers and servers on the network screen are blocked from NWA-3160 Series User's Guide 177 - ZyXEL NWA-3163 | User Guide - Page 178
Access Control) address. The MAC address is assigned at the factory and NWA. If layer-2 isolation is enabled, you need to know the MAC address of each wireless client, AP, computer or router that you want to allow to communicate with the NWA's wireless clients. 178 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 179
a layer-2 isolation profile in the Layer-2 Isolation Configuration screen. Edit Select an entry from the list and click Edit to configure settings for that profile. NWA-3160 Series User's Guide 179 - ZyXEL NWA-3163 | User Guide - Page 180
addresses These are the MAC address of a wireless client, AP, computer or router. A wireless client associated with the NWA can communicate with another wireless client, AP, computer or router only if the MAC addresses of those devices are listed in this table. 180 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 181
to allow the associated wireless clients to have access to in these address fields. Type the MAC to save your changes. Reset Click Reset to begin configuring this screen NWA (A). Figure 100 Layer-2 Isolation Example Configuration 00:00:c5:00:00:66 00:00:c5:00:00:cc NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 182
B and file server C but not wireless client 3. • Enter the server's and your NWA's MAC addresses in the MAC Address fields. Enter "File Server C" in C's Description field, and enter "Access Point B" in B's Description field. Figure 102 Layer-2 Isolation Example 2 182 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 183
which wireless station is allowed or denied access to the NWA. 13.1.2 What You Should Know About MAC Filter Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal NWA-3160 Series User's Guide 183 - ZyXEL NWA-3163 | User Guide - Page 184
know the MAC address of each device to configure MAC filtering on the NWA. 13.2 The MAC Filter Screen The MAC filter profile is a user-configured list of MAC addresses. Each SSID profile can reference one MAC click Edit to configure settings for that profile. 184 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 185
Chapter 13 MAC Filter Screen 13.2.1 Configuring the MAC Filter To change your NWA's MAC filter settings, click WIRELESS > MAC Filter > Edit. The screen appears as shown. LABEL DESCRIPTION MAC Address Filter Profile Name Type a name to identify this profile. NWA-3160 Series User's Guide 185 - ZyXEL NWA-3163 | User Guide - Page 186
. Click Reset to begin configuring this screen afresh. Note: If you configure both the MAC Address Filter table and Group Settings table and a client matches a MAC address specified in both tables, the settings in the Group Settings is applied by the NWA first. 186 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 187
the IP Screen (see Section 14.2 on page 188) to configure the IP address of your NWA. 14.1.2 What You Need To Know About IP The Ethernet parameters of the NWA are preset with the following values: • IP address of 192.168.1.2 • Subnet mask of 255.255.255.0 (24 bits) NWA-3160 Series User's Guide 187 - ZyXEL NWA-3163 | User Guide - Page 188
. On the LAN, the gateway must be a router on the same segment as your NWA; over the WAN, the gateway must be the IP address of one of the remote nodes. Apply Click Apply to save your changes. Reset Click Reset to begin configuring this screen afresh. 188 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 189
situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. NWA-3160 Series User's Guide 189 - ZyXEL NWA-3163 | User Guide - Page 190
Chapter 14 IP Screen 190 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 191
software to physically locate it. Note that it is not necessary for a network to have a legitimate wireless LAN component for rogue APs to open the network to an attacker. In this case, any AP detected can be classified as rogue. Figure 108 Rogue AP Example NWA-3160 Series User's Guide 191 - ZyXEL NWA-3163 | User Guide - Page 192
recommended that you export (save) your list of friendly APs often, especially if you have a network with a large number of access points. If you do not add them to the friendly AP list, these access points will appear in the Rogue AP list each time the NWA scans. 192 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 193
have no way of knowing that they are not associating with a legitimate company AP. The attacker can forward network traffic from associated clients to a legitimate AP, creating the impression of normal service. This is a variety of "man-in-the-middle" attack. NWA-3160 Series User's Guide 193 - ZyXEL NWA-3163 | User Guide - Page 194
Friendly AP screen) to your computer. Enter the location of a previously-saved friendly AP list to upload to the NWA. Alternatively, click the Browse button to locate a list. Click this button to locate a previously-saved list of friendly APs to upload to the NWA. 194 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 195
Access Control (MAC) address of the AP. All wireless devices have a MAC address that uniquely identifies them. This field displays the Service Set IDentifier (also known as the network name) of the AP. This field displays the wireless channel the AP is currently using. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 196
details of access points in the NWA's coverage area NWA scan for rogue APs. Index This is the index number of the AP's entry in the list. Select Use this check box to select the APs you want to move to the friendly AP list (see Section 15.2.1 on page 195) 196 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 197
this button to add the entry to the friendly AP list (see Section 15.2.1 on page 195). When the NWA next scans for rogue APs, the selected AP does not appear in the rogue AP list. Reset Click Reset to return all fields in this screen to their default values. NWA-3160 Series User's Guide 197 - ZyXEL NWA-3163 | User Guide - Page 198
Chapter 15 Rogue AP Detection 198 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 199
Both WLAN and LAN • Neither (Disable) In the figure below, the NWA (A) is being managed by a desktop computer (B) connected via LAN (Land Area Network). It is also being accessed by a notebook (C) connected via WLAN (Wireless LAN). Figure 113 Remote Management Example B NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 200
devices. Your NWA supports SNMP agent functionality, which allows a manager station to manage and monitor the NWA through the network. The NWA supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation. . 200 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 201
at one time. The NWA automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows: • Telnet • HTTP NWA-3160 Series User's Guide 201 - ZyXEL NWA-3163 | User Guide - Page 202
default. Server Access You can change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Select the interface(s) through which a computer may access the NWA using Telnet. 202 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 203
your customized settings and exit this screen. Click Reset to begin configuring this screen afresh. 16.3 The FTP Screen You can upload and download the NWA's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. NWA-3160 Series User's Guide 203 - ZyXEL NWA-3163 | User Guide - Page 204
. Click Reset to begin configuring this screen afresh. 16.4 The WWW Screen You can choose to configure your NWA via the World Wide Web (WWW) using a Web browser. This lets you specify which IP addresses or computers are able to communicate with and access the NWA. 204 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 205
the SSL client to authenticate itself with the NWA by sending the NWA a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the NWA (see the appendix on importing certificates for details). NWA-3160 Series User's Guide 205 - ZyXEL NWA-3163 | User Guide - Page 206
this service. Apply Reset Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service. Click Apply to save your customized settings and exit this screen. Click Reset to begin configuring this screen afresh. 206 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 207
administrate your NWA over the network. To change your NWA's SNMP settings password sent with each trap to the SNMP manager. The default is public and allows all requests. Trap Destination Type the IP address of the station to which you want the NWA to send SNMP traps. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 208
this service. Apply Reset Choose Selected to just allow the computer with the IP address that you specify to access the NWA using this service. Click Apply to save your customized settings and exit this screen. Click Reset to begin configuring this screen afresh. 208 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 209
authentication with managers using SNMP v3. Password Confirm Password Access Type Enter the password for the user name. Retype the password for verification. The default value for this is Set. This is generally considered stronger than MD5, but is slower. NWA-3160 Series User's Guide 209 - ZyXEL NWA-3163 | User Guide - Page 210
password for the user name. Retype the password for verification. The default and exit this screen. Click Reset to begin configuring this screen afresh network contain object variables or managed objects that define each piece of information to be collected about a 210 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 211
events. 16.6.2 Supported MIBs The NWA supports MIB II that is defined in RFC-1213 and RFC-1215 as well as the proprietary ZyXEL private MIB. inform the administrator of events in data networks handled by the device. The NWA can send the following traps to the NWA-3160 Series User's Guide 211 - ZyXEL NWA-3163 | User Guide - Page 212
set requirements with the wrong community (password). Traps defined in the ZyXEL Private MIB. whyReboot 1.3.6.1.4.1.890.1.5.1 3.0.1 (warm start). "System reboot by user!" is added for an intentional reboot (for example, download new files, CI command "sys 212 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 213
to access the network. Figure 120 RADIUS Server Access Request Z Wired Network A Allow / Deny The NWA can also serve as a RADIUS server to authenticate other APs and their wireless clients. For more background information on RADIUS, see Section 11.1.2 on page 174. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 214
.2 Internal RADIUS Server Setting Screen Use this screen to turn the NWA's internal RADIUS server off or on and to view information about the NWA's certificates. Click AUTH. SERVER > Setting. The following screen displays. Figure 121 Internal RADIUS Server Setting 214 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 215
in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired. Click Apply to have the NWA use certificates to authenticate wireless clients. Click Reset to start configuring this screen afresh. NWA-3160 Series User's Guide 215 - ZyXEL NWA-3163 | User Guide - Page 216
and this shared secret must also be configured in the "external RADIUS" server fields of the trusted AP. Apply Reset Note: The first trusted AP fields are for the NWA itself. Click Apply to save your changes. Click Reset to begin configuring this screen afresh. 216 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 217
client's utility must be the same as this password. Apply Reset Note: If you are using PEAP authentication, this password field is limited to 14 ASCII characters in length. Click Apply to save your changes. Click Reset to begin configuring this screen afresh. NWA-3160 Series User's Guide 217 - ZyXEL NWA-3163 | User Guide - Page 218
2 Configure wireless client user names and passwords in the Trusted Users database to use a trusted AP as a relay between the NWA's internal RADIUS server and the wireless clients. The wireless clients can then be authenticated by the NWA's internal RADIUS server. 218 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 219
PEAP/MS-CHAPv2 settings, deselect the Use Windows logon name and password check box. When authentication begins, a pop-up dialog box requests you to type a Name, Password and Domain of the RADIUS server. Specify a name and password only, do not specify a domain. NWA-3160 Series User's Guide 219 - ZyXEL NWA-3163 | User Guide - Page 220
Chapter 17 Internal RADIUS Server 220 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 221
import or create a new certificate. • Use the Trusted CAs screens (see Chapter 18 on page 233) to save CA certificates to the NWA. This screen displays a summary list of certificates of the certification authorities that you have set the NWA to accept as trusted. NWA-3160 Series User's Guide 221 - ZyXEL NWA-3163 | User Guide - Page 222
help as you read through this chapter. The NWA also trusts any valid certificate signed by any of NWA's summary of certificates and certification requests. Click Certificates > My Certificates. The following screen displays. Figure 126 Certificates > My Certificates 222 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 223
This button displays when the NWA has the factory default certificate. The factory default certificate is common to all NWAs that use certificates. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your NWA's MAC address. Index This field - ZyXEL NWA-3163 | User Guide - Page 224
Select the Default self-signed certificate NWA. Note: You can import only a certificate that matches a corresponding certification request that was generated by the NWA. Click Certificates > My Certificates and then Import to open the My Certificate Import screen. 224 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 225
certificate file you want to upload. Apply Click Apply to save the certificate on the NWA. Cancel Note: The certificate you import replaces the corresponding request in the My Certificates screen. Click Cancel to quit and return to the My Certificates screen. NWA-3160 Series User's Guide 225 - ZyXEL NWA-3163 | User Guide - Page 226
18 Certificates 18.2.2 My Certificates Create Screen Use this screen to have the NWA create a self-signed certificate, enroll a certificate with a certification authority or generate certificate. It is recommended that each certificate have unique subject information. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 227
to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain later manual enrollment Select Create a certification request and save it locally for later manual enrollment to have the NWA NWA-3160 Series User's Guide 227 - ZyXEL NWA-3163 | User Guide - Page 228
the Internet Engineering Task Force (IETF) and is specified in RFC 2510. Enter the IP address (or URL) of the certification authority server. Select the certification authority's certificate is working properly if you want the NWA to enroll a certificate online. 228 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 229
host certificates that you import to the NWA. Click Certificates > My Certificates to open the My Certificates screen (Figure 126 on page 222). Click the details button to open the My Certificate Details screen. Figure 129 Certificates > My Certificate Details NWA-3160 Series User's Guide 229 - ZyXEL NWA-3163 | User Guide - Page 230
was used to sign the certificate. The NWA uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use ras-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). 230 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 231
's IP address (IP), domain computer for later manual enrollment. Export Apply in the File Download screen. The Save default self-signed certificate that signs the imported trusted remote host certificates. Click Cancel to quit and return to the My Certificates screen. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 232
. Table 69 Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the NWA's PKI storage space that is currently in use. When you are using 80% or less of the if the certificate is about to expire or has already expired. 232 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 233
revocation lists (CRL) check box in the certificate's details screen to have the NWA check the CRL before trusting any certificates issued by the certification authority. Otherwise the field import the certificate. Figure 131 Certificates > Trusted CAs Import NWA-3160 Series User's Guide 233 - ZyXEL NWA-3163 | User Guide - Page 234
find the certificate file you want to upload. Apply Click Apply to save the certificate on the NWA. Cancel Click Cancel to quit and return to the Trusted CAs screen. 18.3.2 Trusted CAs Details Details screen. Figure 132 Certificates > Trusted CAs Details 234 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 235
be the only certification authority in the list (along with the end entity's own certificate). The NWA does not trust the end entity's certificate and displays "Not trusted" in this field if any Valid! message if the certificate has not yet become applicable. NWA-3160 Series User's Guide 235 - ZyXEL NWA-3163 | User Guide - Page 236
owner's IP address (IP), domain Save in the File Download screen. The Save NWA to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority. Click Cancel to quit and return to the Trusted CAs screen. 236 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 237
authorities like CyberTrust or VeriSign and government certification authorities. You can use the NWA to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority. NWA-3160 Series User's Guide 237 - ZyXEL NWA-3163 | User Guide - Page 238
and Thumbprint fields. The secure method may vary according to your situation. Possible examples would be over the telephone or through an HTTPS connection. 238 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 239
problems or system failures occur, the cause or origin can be traced. Logs are also essential for auditing and keeping track of changes made by users. Figure 135 Accessing Logs in the Network The figure above illustrates three ways to access logs. The user (U) can access logs directly from the NWA - ZyXEL NWA-3163 | User Guide - Page 240
IP access control. You can view logs and alert messages in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. 240 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 241
the reason for the log. This field lists the source IP address and the port number of the incoming packet. This field lists the destination IP address and the port number of the incoming packet. This renew the log screen. Click Clear Log to clear all the logs. NWA-3160 Series User's Guide 241 - ZyXEL NWA-3163 | User Guide - Page 242
Chapter 19 Log Screens 19.3 The Log Settings Screen Use this screen to configure where and when the NWA will send the logs, and which logs and/or immediate alerts to send. Click Logs > Log Settings. The following screen displays. Figure 137 Logs > Log Settings 242 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 243
Password Enter the password associated with the above username. Syslog Logging Syslog logging sends a log to an external syslog server used to store logs. Active Click Active to enable syslog logging. Syslog IP example 23:00 equals 11:00 pm) to send the logs. NWA-3160 Series User's Guide 243 - ZyXEL NWA-3163 | User Guide - Page 244
Successfully Someone has logged on to the NWA via telnet. TELNET Login Fail Someone has failed to log on to the NWA via telnet. FTP Login Successfully Someone has logged on to the NWA via FTP. FTP Login Fail Someone has failed to log on to the NWA via FTP. 244 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 245
Service and Network 3 Redirect datagrams for the Type of Service and Host 8 Echo 0 Echo message 11 Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded 12 Parameter Problem are defined in this appendix's other charts. NWA-3160 Series User's Guide 245 - ZyXEL NWA-3163 | User Guide - Page 246
and alerts and then view the results. ras> sys logs load ras> sys logs category error 3 ras> sys logs save ras> sys logs display access #. time source message 0 | 11/11/2002 15:10:12 | 172.22.3.80:137 BLOCK destination | 172.22.255.255:137 notes | ACCESS 246 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 247
Chapter 19 Log Screens NWA-3160 Series User's Guide 247 - ZyXEL NWA-3163 | User Guide - Page 248
Chapter 19 Log Screens 248 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 249
from an SSID with the VLAN ID you set in this screen. • Use the Radius VLAN screen (Section 20.2.1 on page 252) to configure your RADIUS Virtual LAN setup. Your RADIUS server assigns VLAN IDs to a user or user group's traffic based on what you set in this screen. NWA-3160 Series User's Guide 249 - ZyXEL NWA-3163 | User Guide - Page 250
in order to access and manage the NWA. If a device is not a member of this VLAN, then that device cannot manage the NWA. Note: If no devices are in the management VLAN, then you will be able to access the NWA only through the console port (not through the network). 250 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 251
this VLAN group. At least one device in your network must belong to this VLAN group in order to manage the NWA. Note: Mail and FTP servers must have the same management VLAN ID to communicate with the NWA. See Section 20.3.2 on page 254 for more information. NWA-3160 Series User's Guide 251 - ZyXEL NWA-3163 | User Guide - Page 252
the NWA. Click this to return this screen to its last-saved settings. 20.2.1 RADIUS VLAN Screen Use this screen to configure your RADIUS Virtual LAN setup. Your RADIUS server assigns VLAN IDs to a user or user group's traffic based on what you set in this screen. 252 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 253
257 for more information. Index This is the index number of the SSID profile. Active Select a check box to enable the SSID profile. ID Type a VLAN ID. Incoming traffic from the WLAN is authorized and assigned a VLAN ID before it is sent to the LAN. NWA-3160 Series User's Guide 253 - ZyXEL NWA-3163 | User Guide - Page 254
VLAN (VLAN ID 1). The following procedure shows you how to configure a tagged VLAN. Note: Use the out-of-band management port or console port to configure the switch if you misconfigure the management VLAN and lock yourself out from performing in-band management. 254 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 255
Packets (Tx) Tagging on the port which you want to connect to the NWA. Disable Tx Tagging on the port you are using to connect to your computer. 7 Under Control, select Fixed to set the port as a member of the VLAN. Figure 142 VLAN-Aware Switch - Static VLAN NWA-3160 Series User's Guide 255 - ZyXEL NWA-3163 | User Guide - Page 256
to your computer and port 2 to connect to the NWA: Figure 141 on page 255. 1 In the NWA web configurator click VLAN to open the VLAN setup screen. 2 Select the Enable VLAN Tagging check box and type a Management VLAN ID (10 in this example) in the field provided. 256 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 257
VLAN assignment allows network administrators to assign a specific VLAN (configured on the NWA) to an individual's Windows User Account. When a wireless station is successfully authenticated to the network, it is automatically placed into it's respective VLAN. NWA-3160 Series User's Guide 257 - ZyXEL NWA-3163 | User Guide - Page 258
VLAN ID. One VLAN Group must be created for each VLAN defined on the NWA. The VLAN Groups must be created as Global/Security groups. 1a Type a name for the VLAN Group that describes the VLAN Group's function. 1b Select the Global Group scope parameter check box. 258 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 259
Members 20.3.3.2 Configuring Remote Access Policies Once the VLAN Groups have been created, the IAS Remote Access Policy needs to be defined. This allows the IAS to compare the user account being authenticated against the group memberships of each VLAN Group. NWA-3160 Series User's Guide 259 - ZyXEL NWA-3163 | User Guide - Page 260
. Each Remote Access Policy will be matched to one VLAN Group. An example may be, Allow - VLAN 10 Policy. 1c Click Next. Figure 148 New Remote Access Policy for VLAN Group 2 The Conditions window displays. Select Add to add a condition for this policy to act on. 260 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 261
with each policy. 5 Click OK and Next in the next few screens to accept the group value. Figure 150 Adding VLAN Group 6 When the Permissions options screen displays, select Grant remote access permission. 6a Click Next to grant access based on group membership. NWA-3160 Series User's Guide 261 - ZyXEL NWA-3163 | User Guide - Page 262
Chapter 20 VLAN 6b Click the Edit Profile button. Figure 151 Granting Permissions and User Profile Screens 7 The Edit Dial-in Profile screen displays. Click the Authentication tab types listed below the dropdown list box. Figure 152 Authentication Tab Settings 262 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 263
tab. The current default parameters returned to the NWA should be Service-Type and Framed-Protocol. • Click the Add button to add an additional three RADIUS VLAN attributes required for 802.1X Dynamic VLAN Assignment. Figure 154 Connection Attributes Screen NWA-3160 Series User's Guide 263 - ZyXEL NWA-3163 | User Guide - Page 264
Chapter 20 VLAN 11 The RADIUS Attribute screen displays. From the list, three RADIUS attributes will be added: • Tunnel-Medium-Type • Tunnel-Pvt-Group from the Attribute value drop-down list box. Click OK. Figure 156 802 Attribute Setting for Tunnel-Medium-Type 264 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 265
shown as Figure 155 on page 264. 15a Select Tunnel-Type. 15b Click Add. 16 The Enumerable Attribute Information screen displays. 16a Select Virtual LANs (VLAN) from the attribute value drop-down list box. NWA-3160 Series User's Guide 265 - ZyXEL NWA-3163 | User Guide - Page 266
Advanced Tab Note: Repeat the Configuring Remote Access Policies procedure for each VLAN Group defined in the Active Directory. Remember to place the most general Remote Access Policies at the bottom of the list and the most specific at the top of the list. 266 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 267
. However, SSID02 has no second Rx VLAN ID configured, and the NWA forwards only packets tagged with VLAN ID 2 to it. 20.3.4.1 Second Rx VLAN Setup Example The following steps show you how to setup a second Rx VLAN ID on the NWA. 1 Log into the Web Configurator. NWA-3160 Series User's Guide 267 - ZyXEL NWA-3163 | User Guide - Page 268
a Second Rx VLAN ID of 4. Figure 161 Configuring SSID: Second Rx VLAN ID Example 6 Click Apply to save these settings. Outgoing packets from clients in SSID03 are tagged with a VLAN ID of 3, and incoming packets with a VLAN ID of 3 or 4 are forwarded to SSID03. 268 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 269
NWA and they have 10 computers, you can load balance for 10. Later, if someone from the sales department visits the graphic design team's offices for a meeting and he tries to access the network as the NWA (such as SSID, security mode, radio mode, and so on). NWA-3160 Series User's Guide 269 - ZyXEL NWA-3163 | User Guide - Page 270
Chapter 21 Load Balancing Imagine a coffee shop in a crowded business district that offers free wireless connectivity to its customers. The coffee shop owner can't possibly know how many connections his NWA will have at any given moment. As such, he decides to put a limit on the bandwidth that is - ZyXEL NWA-3163 | User Guide - Page 271
Load Balancing FIELD DESCRIPTION Enable Load Balancing Select this option to turn on wireless load balancing. Mode Use the option to choose the specific method by which you want to enable load balancing on your NWA - Up to 20 Mbps before it becomes overloaded. NWA-3160 Series User's Guide 271 - ZyXEL NWA-3163 | User Guide - Page 272
Load Balancing Table 81 Load Balancing Apply Reset Note balanced bandwidth allotment of 6 Mbps. If the red laptop (R) attempts to connect and it could potentially push the AP over its allotment, say to 7 Mbps, then the AP delays the red laptop's connection until it 272 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 273
NWA first looks to see which devices have been idle the longest, then starts kicking them in order of highest idle time. If no connections are idle, the next criteria the NWA analyzes is signal strength. Devices with the weakest signal strength are kicked first. NWA-3160 Series User's Guide 273 - ZyXEL NWA-3163 | User Guide - Page 274
Chapter 21 Load Balancing 274 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 275
and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interferrence) in order to give the connected stations a minimum degree of cross-channel interference. Figure 166 An example of cross-channel interference NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 276
broadcast radius. If the channel on which it is currently broadcasting suddenly comes into use by another AP, the NWA will then dynamically select the next available empty channel or a channel with markedly lower interference. This is set to 720 minutes by default. 276 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 277
NWA to broadcast on unused radar channels. If you select Disable to turn the feature off. See Section 8.3.2 on page 145 for more information on dynamic frequency. Click this to save your changes to the NWA. Click this to return this screen to its last-saved settings. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 278
Chapter 22 Dynamic Channel Selection 278 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 279
firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, for example "[Model #].bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. NWA-3160 Series User - ZyXEL NWA-3163 | User Guide - Page 280
connection. WDS Link This section displays only when bridge mode is activated on one of the NWA's WLAN adaptors. Link No This field displays the index number of a bridge connection on the WDS. or not (None). Refresh Click Refresh to reload the screen. 280 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 281
a channel that's currently in use, choose one with low signal strength for minimum interference. Network Mode This refers to your wireless LAN infrastructure (refer to the Wireless LAN chapter) and security setup. Refresh Click Refresh to reload the screen. NWA-3160 Series User's Guide 281 - ZyXEL NWA-3163 | User Guide - Page 282
upload process. This process may take up to two minutes. Do not turn off the NWA while firmware upload is in progress! After you see the Firmware Upload in Process screen, wait two minutes before logging into the NWA again. Figure 171 Firmware Upload In Process 282 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 283
Disconnected After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 173 Firmware Upload Error NWA-3160 Series User's Guide 283 - ZyXEL NWA-3163 | User Guide - Page 284
23.5 Configuration Screen Use this screen backup or upload your NWA's configuration file. You can also reset the configuration of your device in this screen. Click to your previous settings. Click Backup to save the NWA's current configuration to your computer. 284 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 285
If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default NWA IP address (192.168.1.2). See your Quick Start Guide for details on how to set up your computer's IP address. NWA-3160 Series User's Guide 285 - ZyXEL NWA-3163 | User Guide - Page 286
to the Configuration screen. Figure 177 Configuration Upload Error 23.5.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the NWA to its factory defaults as shown on the screen. The following warning screen will appear - ZyXEL NWA-3163 | User Guide - Page 287
PART III Appendices and Index Troubleshooting (289) Product Specifications (297) Power Adaptor Specifications (247) Setting up Your Computer's IP Address (249) Wireless LANs (303) Pop-up Windows, JavaScripts and Java Permissions (319) IP Addresses and Subnetting (327) Text File Based Auto - ZyXEL NWA-3163 | User Guide - Page 288
288 - ZyXEL NWA-3163 | User Guide - Page 289
or cord to the NWA. • If the problem continues, contact the vendor. One of the LEDs does not behave as expected. • Make sure you understand the normal behavior of the LED. See Section 1.7 on page 33. • Check the hardware connections. See the Quick Start Guide. NWA-3160 Series User's Guide 289 - ZyXEL NWA-3163 | User Guide - Page 290
address when accessing the NWA over the wired network, and use the WLAN MAC address when accessing the NWA over the wireless interface. • If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 36. I forgot the password. 290 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 291
is no DHCP server on your network, make sure your computer's IP address is in the same subnet as the NWA. • Reset the device to its factory defaults, and try to access the NWA with the default IP address. See your Quick Start Guide. • If the problem continues, contact the network administrator or - ZyXEL NWA-3163 | User Guide - Page 292
Configurator is idle. 24.4 AP Management Modes The primary controller AP cannot connect to the secondary controller AP. 292 The controllers need to have static IP addresses in the same network. Make sure you set the IP addresses in the IP screen. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 293
24 Troubleshooting The secondary controller AP's wireless profiles do not appear in my wireless network. In case you have both primary and secondary controller APs in the network, the secondary controller AP's WLAN once it is detected again by the controller AP. NWA-3160 Series User's Guide 293 - ZyXEL NWA-3163 | User Guide - Page 294
any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on). • Reboot the NWA. • If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions 294 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 295
sure you allow the NWA to be remotely accessed through the WLAN interface. Check your remote management settings. Some clients cannot connect to or keep on getting disconnected from the NWA's wireless network. • Check if you have Load Balancing enabled. Wireless load balancing is the process whereby - ZyXEL NWA-3163 | User Guide - Page 296
Chapter 24 Troubleshooting 296 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 297
Power over Ethernet IEEE 802.3af compliant. (PoE) Console Port One MIL-C-5015 style RS-232 console port Antenna (NWA-3160 / NWA-3163) SMA antenna connectors, equipped by default with 2dBi omni antenna, 60° (NWA-3166) Three embedded U.FL-R-SMT connectors (2T/3R) NWA-3160 Series User's Guide 297 - ZyXEL NWA-3163 | User Guide - Page 298
~ 60 º C Operation Humidity 10 ~ 90 % (non-condensing) Storage Humidity 5 ~ 95 % (non-condensing) Dimensions (NWA-3160 / NWA-3163, including antennas) 212.5mm (L) x 138.5mm (W) x 52mm (H) (NWA-3166) 198.5 mm (L) x 138.5mm (W) x 47.5mm (H) Distance between the centers of wallmounting holes on - ZyXEL NWA-3163 | User Guide - Page 299
Chapter 25 Product Specifications Table 88 Firmware Specifications Default IP Address 192.168.1.2 Default Subnet Mask 255.255.255.0 (24 bits) Default Password 1234 Wireless LAN Standards (NWA-3160, NWA-3163) IEEE 802.11a, IEEE 802.11b, IEEE 802.11g (NWA-3166) IEEE 802.11a, IEEE 802.11b, - ZyXEL NWA-3163 | User Guide - Page 300
DHCP client information. SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your NWA supports weight of the NWA with the connection cables. 300 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 301
the back of the NWA with the screws on the wall. Hang the NWA on the screws. Figure 180 Wall-mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm). Figure 181 Masonry Plug NWA-3160 Series User's Guide 301 - ZyXEL NWA-3163 | User Guide - Page 302
Chapter 25 Product Specifications 302 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 303
clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate NWA-3160 Series User's Guide 303 - ZyXEL NWA-3163 | User Guide - Page 304
between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. 304 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 305
identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. Figure 184 Infrastructure WLAN Channel A channel is the channel 1, then you need to select a channel between 6 or 11. NWA-3160 Series User's Guide 305 - ZyXEL NWA-3163 | User Guide - Page 306
following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they hidden nodes exists on your network and the "cost" of resending large frames is more than the extra 306 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 307
busy wireless networks. Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications. Select Dynamic to have the AP automatically use short preamble when wireless adapters support it, otherwise the AP uses long preamble. NWA-3160 Series User - ZyXEL NWA-3163 | User Guide - Page 308
protect wireless communication between wireless clients, access points and the wired network. Wireless security methods available on the NWA are data encryption, wireless client authentication, restricting access by device MAC address and hiding the NWA identity. 308 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 309
Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the - ZyXEL NWA-3163 | User Guide - Page 310
is also encrypted to protect the network from unauthorized access. Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. 310 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 311
that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP- NWA-3160 Series User's Guide 311 - ZyXEL NWA-3163 | User Guide - Page 312
password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen. You may still configure and NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 313
password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support . This all happens in the background automatically. NWA-3160 Series User's Guide 313 - ZyXEL NWA-3163 | User Guide - Page 314
Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. 314 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 315
download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it. WPA(2) with RADIUS Application Example You need the IP address of the RADIUS server, its port number (default as follows. NWA-3160 Series User's Guide 315 - ZyXEL NWA-3163 | User Guide - Page 316
characters (including spaces and symbols). 2 The AP checks each wireless client's password and (only) allows it to join the network if the password matches. 3 The AP and wireless clients use the pre-shared key to Yes Enable without Dynamic WEP Key Yes Disable 316 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 317
/ KEY MANAGEMENT PROTOCOL ENCRYPTIO N METHOD ENTER MANUAL KEY IEEE 802.1X WPA TKIP/AES No network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 318
WLAN multiple access points. point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. 318 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 319
device's IP address. Disable pop-up Blockers 1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 188 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. NWA-3160 Series User's Guide 319 - ZyXEL NWA-3163 | User Guide - Page 320
to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 320 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 321
Permissions 2 Select Settings...to open the Pop-up Blocker Settings screen. Figure 190 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.167.1. NWA-3160 Series User's Guide 321 - ZyXEL NWA-3163 | User Guide - Page 322
Appendix B Pop-up Windows, JavaScripts and Java Permissions 4 Click Add to move the IP address to the list of Allowed sites. Figure 191 Pop-up Blocker Settings 5 Click configurator do not display properly in Internet Explorer, check that JavaScripts are allowed. 322 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 323
tab. Figure 192 Internet Options: Security 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). NWA-3160 Series User's Guide 323 - ZyXEL NWA-3163 | User Guide - Page 324
then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 324 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 325
(Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for under Java (Sun) is selected. NWA-3160 Series User's Guide 325 - ZyXEL NWA-3163 | User Guide - Page 326
Appendix B Pop-up Windows, JavaScripts and Java Permissions 3 Click OK to close the window. Figure 195 Java (Sun) 326 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 327
of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks. Introduction to IP Addresses One part of the IP address is the network number, and the other part 00000000 to 11111111 in binary, or 0 to 255 in decimal. NWA-3160 Series User's Guide 327 - ZyXEL NWA-3163 | User Guide - Page 328
) and host ID of an IP address (192.168.1.2 in decimal). Table 93 Subnet Masks 1ST OCTET: 2ND OCTET: 3RD OCTET: 4TH OCTET IP Address (Binary) Subnet Mask (Binary) (192) (168) (1) (2) 11000000 10101000 00000001 00000010 11111111 11111111 11111111 00000000 328 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 329
An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example). NWA-3160 Series User's Guide 329 - ZyXEL NWA-3163 | User Guide - Page 330
and Subnetting As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows: Table 95 Maximum Host Numbers SUBNET MASK HOST ID 2 1111 1100 LAST OCTET (DECIMAL) 0 128 192 224 240 248 252 330 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 331
the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25). The "borrowed" host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. NWA-3160 Series User's Guide 331 - ZyXEL NWA-3163 | User Guide - Page 332
IP Addresses and Subnetting The following figure shows the company network after subnetting. There are now two sub-networks, A and B. Figure 198 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network or 255.255.255.192. 332 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 333
11000000 Highest Host ID: 192.168.1.190 Table 100 Subnet 4 IP/SUBNET MASK IP Address IP Address (Binary) Subnet Mask (Binary) NETWORK NUMBER LAST OCTET BIT VALUE 192.168.1. 192 11000000.10101000.00000001 11000000 . 11111111.11111111.11111111 11000000 . NWA-3160 Series User's Guide 333 - ZyXEL NWA-3163 | User Guide - Page 334
and Subnetting Table 100 Subnet 4 (continued) IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE Subnet Address: 192.168.1.192 Lowest Host ID: 192.168.1.193 Broadcast .255.255.248 (/29) 32 6 6 255.255.255.252 (/30) 64 2 7 255.255.255.254 (/31) 128 1 334 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 335
remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your NWA will compute the subnet mask automatically based on the IP address that NWA-3160 Series User's Guide 335 - ZyXEL NWA-3163 | User Guide - Page 336
, configure the TCP/IP settings in order to "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the NWA's LAN port. 336 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 337
need the adapter: 1 In the Network window, click Add. 2 Select Adapter and then click Add. 3 Select the manufacturer and model of your network adapter and then click OK. If you need TCP/IP: 1 In the Network window, click Add. 2 Select Protocol and then click Add. NWA-3160 Series User's Guide 337 - ZyXEL NWA-3163 | User Guide - Page 338
your IP address is dynamic, select Obtain an IP address automatically. • If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Figure 200 Windows 95/98/Me: TCP/IP Properties: IP Address 338 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 339
OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your NWA and restart your computer when prompted. Verifying Settings 1 Click Start and then Run. 2 In the Run window, type "winipcfg" and then click OK to open the IP Configuration window. NWA-3160 Series User's Guide 339 - ZyXEL NWA-3163 | User Guide - Page 340
, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. Figure 202 Windows XP: Start Menu 2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 203 Windows XP: Control Panel 340 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 341
Figure 204 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in IP Properties window opens (the General tab in Windows XP). • If you have a dynamic IP address click Obtain an IP address automatically. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 342
clear the Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. • Click OK when finished. 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): 342 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 343
207 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click OK to close ]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. NWA-3160 Series User's Guide 343 - ZyXEL NWA-3163 | User Guide - Page 344
Appendix C IP Addresses and Subnetting Macintosh OS 8/9 1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/ IP Control Panel. Figure 208 Macintosh OS 8/9: Apple Menu 344 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 345
Router address box. 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configuration. 7 Turn on your NWA and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the TCP/IP Control Panel window. NWA-3160 Series User's Guide 345 - ZyXEL NWA-3163 | User Guide - Page 346
from the Location list. • Select Built-in Ethernet from the Show list. • Click the TCP/IP tab. 3 For dynamically assigned settings, select Using DHCP from the Configure list. Figure 211 Macintosh OS X: Network 4 For statically assigned settings, do the following: 346 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 347
mask in the Subnet mask box. • Type the IP address of your NWA in the Router address box. 5 Click Apply Now and close the window. 6 Turn on your NWA and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the Network window. NWA-3160 Series User's Guide 347 - ZyXEL NWA-3163 | User Guide - Page 348
Appendix C IP Addresses and Subnetting 348 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 349
renewing DHCP client information. Figure 212 Text File Based Auto Configuration Use one of the following methods to give the AP the IP address of the TFTP server where you store the configuration files and the name of the configuration file that it should download. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 350
MIB VARIABLE VALUE Step 1 pwTftpServer Set the IP address of the TFTP server. Step 2 pwTftpFileName Set the file name, for example, g3000hcfg.txt. Step 3 pwTftpFileType Set to 3 (text configuration file). Step 4 pwTftpOpCommand Set to 2 (download). 350 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 351
Troubleshooting Format !#ZYXEL PROWLAN !# downloaded file is larger (newer), the AP uses the file. Configuration File Rules You can only use the wlan and wcfg commands in the configuration file. The AP ignores other ZyNOS commands but continues to check the next command. NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 352
, the newly loaded configuration file will password that you use to log into the AP. Wcfg Command Configuration File Examples These example configuration files use the wcfg command to configure security and SSID profiles. Figure 214 WEP Configuration File Example !#ZYXEL NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 353
wcfg ssid 2 macfilter disable wcfg ssid save Figure 216 WPA-PSK Configuration File Example !#ZYXEL PROWLAN !#VERSION 13 wcfg security 3 name Test-wpapsk wcfg security 3 mode wpapsk wcfg 4 wcfg ssid 3 l2siolation disable wcfg ssid 3 macfilter disable wcfg ssid save NWA-3160 Series User's Guide 353 - ZyXEL NWA-3163 | User Guide - Page 354
Auto Configuration Figure 217 WPA Configuration File Example !#ZYXEL PROWLAN !#VERSION 14 wcfg security 4 name Test macfilter disable wcfg ssid save Wlan Command Configuration File Example This example configuration file uses the wlan command to configure the AP 354 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 355
WLAN profile wlan opmode 0 wlan ssidprofile ssid-wep !change operating mode -> MBSSID mode, !then select ssid-wpapsk, ssid-wpa2psk as running WLAN profiles wlan opmode 3 wlan ssidprofile ssid-wpapsk ssid-wpa2psk ! set output power level to 50% wlan output power 2 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 356
Appendix D Text File Based Auto Configuration 356 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 357
Port SETTING DEFAULT VALUE Terminal Emulation VT100 Baud Rate 9600 bps Parity None Number of Data Bits 8 Number of Stop Bits 1 Flow Control None 3 Press [ENTER] to open the login screen. Telnet 1 Connect your computer to one of the Ethernet ports. NWA-3160 Series User's Guide 357 - ZyXEL NWA-3163 | User Guide - Page 358
computer IP address is in the same subnet, unless you are accessing the NWA through one or more routers. Logging in Use the administrator username and password. If this is your first login, use the default values. in some NWA models you may not need to enter the user name. Table 111 Default User - ZyXEL NWA-3163 | User Guide - Page 359
How to Access and Use the CLI • Commands are in courier new font. • Required input values are in angle brackets ; for example, ping means that you must specify an IP address for this interface. Remember to also include underscores if required. NWA-3160 Series User's Guide 359 - ZyXEL NWA-3163 | User Guide - Page 360
the NWA. Follow these steps to create a list of supported commands: 1 Log into the CLI. 2 Type help and press [ENTER]. A list comes up which shows all the commands available for this device. ras> help alarm exit sys ras> chsh ip voip config statistics switch 360 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 361
as you run them and others require you to run a save command. See the related section of this guide to see if a save command is required. Note: Unsaved configuration changes are lost once you restart the NWA Logging Out Use the exit command to log out of the CLI. NWA-3160 Series User's Guide 361 - ZyXEL NWA-3163 | User Guide - Page 362
Appendix E How to Access and Use the CLI 362 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 363
manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimers ZyXEL (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications NWA-3160 Series User's Guide 363 - ZyXEL NWA-3163 | User Guide - Page 364
tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there persons. 注意 ! NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 365
functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions. NWA-3160 Series User's Guide 365 - ZyXEL NWA-3163 | User Guide - Page 366
may also refer to the warranty policy for the region in which you bought the device at http:// www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com. 366 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 367
305 Class of Service (CoS) 156 command interface 31 configuration 23 configuration file examples 352 format 351 configuration file rules 351 console port (accessing the CLI) 357 Control and Providioning of Wireless Access Points See CAPWAP copyright 363 CoS 156 CTS (Clear to Send) 306 NWA-3160 - ZyXEL NWA-3163 | User Guide - Page 368
server 23 Internal RADIUS Server Setting Screen 214 Internet Assigned Numbers Authority See IANA Internet security gateway 23 Internet telephony 29 IP address 110, 189, 299 IPSec VPN capability 299 isolation 23 L LAN 85 layer-2 isolation 23, 30 LEDs 33 368 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 369
25 network number 110 network traffic 23 RADIUS 309 message types 310 messages 310 shared secret key 310 rapid STP 144 reauthentication time 165, 167, 168, 169, 170 registration product 366 related documentation 3 remote management limitations 200 repeater 25 NWA-3160 Series User's Guide 369 - ZyXEL NWA-3163 | User Guide - Page 370
wcfg command 352 WDS 25, 26, 28 web configurator 23, 35, 37 WEP 23 WEP encryption 163 Wi-Fi Multimedia QoS 153 Wi-Fi Protected Access 23, 313 wired network 23, 24, 25 wireless 23 wireless channel 295 NWA-3160 Series User's Guide - ZyXEL NWA-3163 | User Guide - Page 371
RADIUS application example 315 WPA2 23, 313 user authentication 314 vs WPA2-PSK 314 wireless client supplicant 314 with RADIUS application example 315 WPA2-Pre-Shared Key 313 WPA2-PSK 313, 314 application example 315 WPA-PSK 313, 314 application example 315 Index NWA-3160 Series User's Guide 371 - ZyXEL NWA-3163 | User Guide - Page 372
Index 372 NWA-3160 Series User's Guide
-
1 -
2 -
3 -
4 -
5 -
6 -
7 -
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
-
24
-
25
-
26
-
27
-
28
-
29
-
30
-
31
-
32
-
33
-
34
-
35
-
36
-
37
-
38
-
39
-
40
-
41
-
42
-
43
-
44
-
45
-
46
-
47
-
48
-
49
-
50
-
51
-
52
-
53
-
54
-
55
-
56
-
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
-
123
-
124
-
125
-
126
-
127
-
128
-
129
-
130
-
131
-
132
-
133
-
134
-
135
-
136
-
137
-
138
-
139
-
140
-
141
-
142
-
143
-
144
-
145
-
146
-
147
-
148
-
149
-
150
-
151
-
152
-
153
-
154
-
155
-
156
-
157
-
158
-
159
-
160
-
161
-
162
-
163
-
164
-
165
-
166
-
167
-
168
-
169
-
170
-
171
-
172
-
173
-
174
-
175
-
176
-
177
-
178
-
179
-
180
-
181
-
182
-
183
-
184
-
185
-
186
-
187
-
188
-
189
-
190
-
191
-
192
-
193
-
194
-
195
-
196
-
197
-
198
-
199
-
200
-
201
-
202
-
203
-
204
-
205
-
206
-
207
-
208
-
209
-
210
-
211
-
212
-
213
-
214
-
215
-
216
-
217
-
218
-
219
-
220
-
221
-
222
-
223
-
224
-
225
-
226
-
227
-
228
-
229
-
230
-
231
-
232
-
233
-
234
-
235
-
236
-
237
-
238
-
239
-
240
-
241
-
242
-
243
-
244
-
245
-
246
-
247
-
248
-
249
-
250
-
251
-
252
-
253
-
254
-
255
-
256
-
257
-
258
-
259
-
260
-
261
-
262
-
263
-
264
-
265
-
266
-
267
-
268
-
269
-
270
-
271
-
272
-
273
-
274
-
275
-
276
-
277
-
278
-
279
-
280
-
281
-
282
-
283
-
284
-
285
-
286
-
287
-
288
-
289
-
290
-
291
-
292
-
293
-
294
-
295
-
296
-
297
-
298
-
299
-
300
-
301
-
302
-
303
-
304
-
305
-
306
-
307
-
308
-
309
-
310
-
311
-
312
-
313
-
314
-
315
-
316
-
317
-
318
-
319
-
320
-
321
-
322
-
323
-
324
-
325
-
326
-
327
-
328
-
329
-
330
-
331
-
332
-
333
-
334
-
335
-
336
-
337
-
338
-
339
-
340
-
341
-
342
-
343
-
344
-
345
-
346
-
347
-
348
-
349
-
350
-
351
-
352
-
353
-
354
-
355
-
356
-
357
-
358
-
359
-
360
-
361
-
362
-
363
-
364
-
365
-
366
-
367
-
368
-
369
-
370
-
371
-
372
 |
 |
www.zyxel.com
www.zyxel.com
NWA-3160 Series
Models: NWA-3160, NWA-3163 & NWA-3166
Copyright © 2010
ZyXEL Communications Corporation
Firmware Version 3.70
Edition 3, 01/2010
Default Login Details
IP Address
Password
1234