Home » ZyXEL Manuals » Networking » ZyXEL SBG3300-NB00 » Manual Viewer

ZyXEL SBG3300-NB00 User Guide - Page 410

EAP-TTLS Tunneled Transport Layer Service, PEAP Protected EAP, Dynamic WEP Key Exchange

Get ZyXEL SBG3300-NB00 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 410 highlights

Appendix D Wireless LANs EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the serverside authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled. Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types. Table 141 Comparison of EAP Authentication Types EAP-MD5 EAP-TLS Mutual Authentication No Yes Certificate - Client No Yes Certificate - Server No Yes Dynamic Key Exchange No Yes Credential Integrity None Strong Deployment Difficulty Easy Hard Client Identity Protection No No EAP-TTLS Yes Optional Yes Yes Strong Moderate Yes PEAP Yes Optional Yes Yes Strong Moderate Yes LEAP Yes No No Yes Moderate Moderate No 410 SBG3300-N Series User's Guide

Section	Page
SBG3300-N Series	1
Contents Overview	3
Table of Contents	5
User’s Guide	15
Introducing the Device	17
1.1 Overview	17
1.2 Ways to Manage the Device	17
1.3 Good Habits for Managing the Device	17
1.4 Applications for the Device	18
1.4.1 Internet Access	18
1.4.2 Device’s USB Support	19
1.5 LEDs (Lights)	19
1.6 The RESET Button	21
1.7 Wireless Access	21
1.7.1 Using the WLAN Button	21
The Web Configurator	23
2.1 Overview	23
2.1.1 Accessing the Web Configurator	23
2.2 Web Configurator Layout	25
2.2.1 Title Bar	25
2.2.2 Main Window	26
2.2.3 Navigation Panel	26
Quick Start	31
3.1 Overview	31
3.2 Quick Start Setup	31
Tutorials	35
4.1 Overview	35
4.2 Setting Up an ADSL PPPoE Connection	35
4.3 Setting Up a Secure Wireless Network	38
4.3.1 Configuring the Wireless Network Settings	38
4.3.2 Using WPS	40
4.3.3 Without WPS	43
4.4 Setting Up Multiple Wireless Groups	44
4.5 Configuring Static Route for Routing to Another Network	47
4.6 Configuring QoS Queue and Class Setup	50
4.7 Access the Device Using DDNS	53
4.7.1 Registering a DDNS Account on www.dyndns.org	53
4.7.2 Configuring DDNS on Your Device	54
4.7.3 Testing the DDNS Setting	54
4.8 Configuring the MAC Address Filter	55
4.9 Access Your Shared Files From a Computer	56
4.10 Certificate Configuration for VPN	57
4.11 Examples of Configuring IPSec VPN Rules	60
4.11.1 Example 1: Use 3DES Encryption	60
4.11.2 Example 2: Use AES128 Encryption	63
4.11.3 Example 3: Configuring a Site-to-Site with Dynamic Peer Rule	64
4.11.4 Example 4: Configuring a Remote Access Rule	64
4.12 PPTP VPN Tutorial	65
4.12.1 Configuring PPTP VPN Setup (Server)	65
4.12.2 Configuring PPTP VPN on Windows (Client)	66
4.12.3 Configuring PPTP VPN on Android Devices (Client)	81
4.12.4 Configuring PPTP VPN in iOS Devices (Client)	83
4.13 L2TP VPN Tutorial	85
4.13.1 Configuring the Default_L2TPVPN IPSec VPN Rule (Server)	86
4.13.2 Configuring the L2TP VPN Setup (Server)	87
4.13.3 Configuring L2TP VPN in Windows (Client)	88
4.13.4 Configuring L2TP VPN on Windows 7 and Vista	90
4.13.5 Configuring L2TP VPN on Windows XP	101
4.13.6 Configuring L2TP VPN on Android Devices (Client)	107
4.13.7 Configuring L2TP VPN in iOS Devices (Client)	110
Technical Reference	113
Status Screens	115
5.1 Overview	115
5.2 The Status Screen	115
Broadband	119
6.1 Overview	119
6.1.1 What You Can Do in this Chapter	119
6.1.2 What You Need to Know	120
6.1.3 Before You Begin	123
6.2 The Broadband Screen	123
6.2.1 Add/Edit Internet Connection	125
6.3 The 3G WAN Screen	133
6.4 The Add New 3G Dongle Screen	136
6.4.1 Add 3G Dongle Information	136
6.5 The Advanced Screen	137
6.6 The 802.1x Screen	138
6.6.1 Edit 802.1x Settings	139
6.7 The multi-WAN Screen	139
6.7.1 Add/Edit multi-WAN	140
6.7.2 How to Configure multi-WAN for Load Balancing and Failover	141
6.8 Technical Reference	142
Wireless	147
7.1 Overview	147
7.1.1 What You Can Do in this Chapter	147
7.1.2 What You Need to Know	148
7.2 The General Screen	148
7.2.1 No Security	151
7.2.2 Basic (WEP Encryption)	151
7.2.3 More Secure (WPA(2)-PSK)	153
7.2.4 WPA(2) Authentication	154
7.3 The More AP Screen	155
7.3.1 Edit More AP	156
7.4 MAC Authentication	158
7.5 The WPS Screen	159
7.6 The WMM Screen	160
7.7 The Others Screen	161
7.8 The Channel Status Screen	163
7.9 Technical Reference	163
7.9.1 Wireless Network Overview	163
7.9.2 Additional Wireless Terms	165
7.9.3 Wireless Security Overview	165
7.9.4 Signal Problems	167
7.9.5 BSS	168
7.9.6 MBSSID	168
7.9.7 Preamble Type	169
7.9.8 WiFi Protected Setup (WPS)	169
LAN	177
8.1 Overview	177
8.1.1 What You Can Do in this Chapter	177
8.1.2 What You Need To Know	178
8.1.3 Before You Begin	179
8.2 The LAN Setup Screen	179
8.3 The Static DHCP Screen	182
8.4 The UPnP Screen	184
8.5 Installing UPnP in Windows Example	185
8.6 Using UPnP in Windows XP Example	188
8.7 The Additional Subnet Screen	194
8.8 The 5th Ethernet Port Screen	195
8.9 Technical Reference	195
8.9.1 LANs, WANs and the Device	196
8.9.2 DHCP Setup	196
8.9.3 DNS Server Addresses	196
8.9.4 LAN TCP/IP	197
Routing	199
9.1 Overview	199
9.1.1 What You Can Do in this Chapter	199
9.2 The Routing Screen	200
9.2.1 Add/Edit Static Route	201
9.3 The Policy Forwarding Screen	201
9.3.1 Add/Edit Policy Forwarding	203
9.4 The RIP Screen	203
Quality of Service (QoS)	205
10.1 Overview	205
10.1.1 What You Can Do in this Chapter	205
10.2 What You Need to Know	206
10.3 The Quality of Service General Screen	207
10.4 The Queue Setup Screen	208
10.4.1 Adding a QoS Queue	210
10.5 The Class Setup Screen	210
10.5.1 Add/Edit QoS Class	212
10.6 The QoS Policer Setup Screen	215
10.6.1 Add/Edit a QoS Policer	216
10.7 The QoS Monitor Screen	217
10.8 Technical Reference	218
Network Address Translation (NAT)	223
11.1 Overview	223
11.1.1 What You Can Do in this Chapter	223
11.1.2 What You Need To Know	223
11.2 The Port Forwarding Screen	224
11.2.1 Add/Edit Port Forwarding	226
11.3 The Applications Screen	227
11.3.1 Add New Application	228
11.4 The Port Triggering Screen	228
11.4.1 Add/Edit Port Triggering Rule	230
11.5 The DMZ Screen	231
11.6 The ALG Screen	232
11.7 The Address Mapping Screen	232
11.7.1 Add/Edit Address Mapping Rule	233
11.8 Technical Reference	234
11.8.1 NAT Definitions	234
11.8.2 What NAT Does	235
11.8.3 How NAT Works	236
11.8.4 NAT Application	237
Dynamic DNS Setup	239
12.1 Overview	239
12.1.1 What You Can Do in this Chapter	239
12.1.2 What You Need To Know	240
12.2 The DNS Entry Screen	240
12.2.1 Add/Edit DNS Entry	241
12.3 The Dynamic DNS Screen	241
Interface Group	243
13.1 Overview	243
13.2 The Interface Group Screen	243
13.2.1 Interface Group Configuration	244
13.2.2 Interface Grouping Criteria	245
USB Service	247
14.1 Overview	247
14.1.1 What You Can Do in this Chapter	247
14.1.2 What You Need To Know	247
14.2 The File Sharing Screen	248
14.2.1 Before You Begin	248
Firewall	251
15.1 Overview	251
15.1.1 What You Can Do in this Chapter	251
15.1.2 What You Need to Know	252
15.2 The Firewall Screen	253
15.3 The Service Screen	253
15.3.1 Add/Edit a Service	255
15.4 The Access Control Screen	256
15.4.1 Add/Edit an ACL Rule	257
15.5 The DoS Screen	258
MAC Filter	261
16.1 Overview	261
16.2 The MAC Filter Screen	261
User Access Control	263
17.1 Overview	263
17.2 The User Access Control Screen	263
17.2.1 Add/Edit a User Access Control Rule	264
Scheduler Rules	267
18.1 Overview	267
18.2 The Scheduler Rules Screen	267
18.2.1 Add/Edit a Schedule	268
Certificates	269
19.1 Overview	269
19.1.1 What You Can Do in this Chapter	269
19.2 What You Need to Know	269
19.3 The Local Certificates Screen	270
19.3.1 Create Certificate Request	271
19.3.2 Load Signed Certificate	272
19.4 The Trusted CA Screen	273
19.4.1 View Trusted CA Certificate	274
19.4.2 Import Trusted CA Certificate	275
IPSec VPN	277
20.1 Overview	277
20.2 What You Can Do in this Chapter	277
20.3 What You Need To Know	278
20.4 The Setup Screen	278
20.4.1 Add/Edit VPN Rule	279
20.4.2 The VPN Connection Add/Edit Screen	280
20.4.3 The Default_L2TPVPN IPSec VPN Rule	286
20.5 The IPSec VPN Monitor Screen	287
20.6 The Radius Screen	287
20.7 Technical Reference	288
20.7.1 IPSec Architecture	289
20.7.2 Encapsulation	290
20.7.3 IKE Phases	291
20.7.4 Negotiation Mode	291
20.7.5 IPSec and NAT	292
20.7.6 VPN, NAT, and NAT Traversal	292
20.7.7 ID Type and Content	293
20.7.8 Pre-Shared Key	294
20.7.9 Diffie-Hellman (DH) Key Groups	295
PPTP VPN	296
21.1 Overview	296
21.2 What You Can Do in this Chapter	296
21.3 PPTP VPN Setup	297
21.4 The PPTP VPN Monitor Screen	298
21.5 PPTP VPN Troubleshooting Tips	298
L2TP VPN	301
22.1 Overview	301
22.1.1 What You Can Do in this Chapter	301
22.2 L2TP VPN Screen	302
22.3 The L2TP VPN Monitor Screen	303
22.4 L2TP VPN Troubleshooting Tips	303
Log	307
23.1 Overview	307
23.1.1 What You Can Do in this Chapter	307
23.1.2 What You Need To Know	307
23.2 The System Log Screen	308
23.3 The Security Log Screen	309
Network Status	311
24.1 Overview	311
24.1.1 What You Can Do in this Chapter	311
24.2 The WAN Status Screen	311
24.3 The LAN Status Screen	312
ARP Table	315
25.1 Overview	315
25.1.1 How ARP Works	315
25.2 ARP Table Screen	315
Routing Table	317
26.1 Overview	317
26.2 The Routing Table Screen	317
IGMP Status	319
27.1 Overview	319
27.2 The IGMP Group Status Screen	319
xDSL Statistics	321
28.1 The xDSL Statistics Screen	321
User Account	325
29.1 Overview	325
29.2 The User Account Screen	325
29.2.1 Add/Edit a Users Account	326
Remote Management	329
30.1 Overview	329
30.2 The Remote MGMT Screen	329
TR-069 Client	331
31.1 Overview	331
31.2 The TR-069 Client Screen	331
SNMP	333
32.1 The SNMP Agent Screen	333
Time	335
33.1 Overview	335
33.2 The Time Screen	335
E-mail Notification	339
34.1 Overview	339
34.2 The Email Notification Screen	339
34.2.1 Email Notification Edit	340
Logs Setting	341
35.1 Overview	341
35.2 The Log Setting Screen	341
35.2.1 Example E-mail Log	342
Firmware Upgrade	345
36.1 Overview	345
36.2 The Firmware Screen	345
Configuration	347
37.1 Overview	347
37.2 The Configuration Screen	347
37.3 The Reboot Screen	349
Diagnostic	350
38.1 Overview	350
38.1.1 What You Can Do in this Chapter	350
38.2 What You Need to Know	350
38.3 Ping & TraceRoute & NsLookup	351
38.4 802.1ag	352
38.5 OAM Ping Test	353
Troubleshooting	355
39.1 Power, Hardware Connections, and LEDs	355
39.2 Device Access and Login	356
39.3 Internet Access	358
39.4 Wireless Internet Access	359
39.5 USB Device Connection	360
39.6 UPnP	360
Setting up Your Computer’s IP Address	363
IP Addresses and Subnetting	385
Pop-up Windows, JavaScript and Java Permissions	393
Wireless LANs	403
IPv6	417
Services	425
Legal Information	429

Match case Limit results 1 per page

Appendix D Wireless LANs

SBG3300-N Series User’s Guide

410

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-

side authentications to establish a secure connection. Client authentication is then done by sending

username and password through the secure connection, thus client identity is protected. For client

authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP,

CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then

use simple username and password methods through the secured connection to authenticate the

clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5,

EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is

implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the

wireless connection times out, disconnects or reauthentication times out. A new WEP key is

generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the wireless

security configuration screen. You may still configure and store keys, but they will not be used while

dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic

keys for data encryption. They are often deployed in corporate environments, but for public

deployment, a simple user name and password pair is more practical. The following table is a

comparison of the features of authentication types.

Table 141

Comparison of EAP Authentication Types

EAP-MD5

EAP-TLS

EAP-TTLS

PEAP

LEAP

Mutual Authentication

Yes

Certificate – Client

Yes

Optional

Certificate – Server

Yes

Dynamic Key Exchange

Yes

Credential Integrity

None

Strong

Moderate

Deployment Difficulty

Easy

Hard

Moderate

Client Identity Protection

Yes