Home » ZyXEL Manuals » Networking » ZyXEL VMG1312-B10A » Manual Viewer

ZyXEL VMG1312-B10A User Guide - Page 299

Types of EAP Authentication, EAP-MD5 Message-Digest Algorithm 5, EAP-TLS Transport Layer Security,

Get ZyXEL VMG1312-B10A PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 299 highlights

Appendix B Wireless LANs shared key, password information exchanged is also encrypted to protect the network from unauthorized access. Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner. EAP-MD5 (Message-Digest Algorithm 5) MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client 'proves' that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the serverside authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. VMG1312-B Series User's Guide 299

Section	Page
VMG1312-B Series	1
Contents Overview	3
Table of Contents	5
User’s Guide	15
Introducing the Device	17
1.1 Overview	17
1.2 Ways to Manage the Device	17
1.3 Good Habits for Managing the Device	17
1.4 Applications for the Device	18
1.4.1 Internet Access	18
1.4.2 Device’s USB Support	18
1.5 LEDs (Lights)	20
1.6 The RESET Button	21
1.7 Wireless Access	21
1.7.1 Using the WLAN/WPS Button	22
The Web Configurator	23
2.1 Overview	23
2.1.1 Accessing the Web Configurator	23
2.2 Web Configurator Layout	25
2.2.1 Title Bar	25
2.2.2 Main Window	26
2.2.3 Navigation Panel	26
Quick Start	31
3.1 Overview	31
3.2 Quick Start Setup	31
Tutorials	33
4.1 Overview	33
4.2 Setting Up an ADSL PPPoE Connection	33
4.3 Setting Up a Secure Wireless Network	36
4.3.1 Configuring the Wireless Network Settings	36
4.3.2 Using WPS	37
4.3.3 Without WPS	41
4.4 Setting Up Multiple Wireless Groups	42
4.5 Configuring Static Route for Routing to Another Network	45
4.6 Configuring QoS Queue and Class Setup	47
4.7 Access the Device Using DDNS	51
4.7.1 Registering a DDNS Account on www.dyndns.org	51
4.7.2 Configuring DDNS on Your Device	52
4.7.3 Testing the DDNS Setting	52
4.8 Configuring the MAC Address Filter	52
4.9 Access Your Shared Files From a Computer	53
4.10 Using the Print Server Feature	54
Technical Reference	60
Network Map and Status Screens	62
5.1 Overview	62
5.2 The Network Map Screen	62
5.3 The Status Screen	63
Broadband	66
6.1 Overview	66
6.1.1 What You Can Do in this Chapter	66
6.1.2 What You Need to Know	67
6.1.3 Before You Begin	70
6.2 The Broadband Screen	70
6.2.1 Add/Edit Internet Connection	72
6.3 The 3G Backup Screen	79
6.4 The Advanced Screen	83
6.5 The 802.1x Screen	86
6.5.1 Modify 802.1X Settings	87
6.6 The Ethernet WAN Screen	87
6.7 Technical Reference	88
Wireless	94
7.1 Overview	94
7.1.1 What You Can Do in this Chapter	94
7.1.2 What You Need to Know	94
7.2 The General Screen	95
7.2.1 No Security	97
7.2.2 Basic (WEP Encryption)	97
7.2.3 More Secure (WPA(2)-PSK)	98
7.3 The Guest / More AP Screen	99
7.3.1 Edit Guest / More AP	100
7.4 MAC Authentication	102
7.5 The WPS Screen	103
7.6 The WMM Screen	105
7.7 The WDS Screen	106
7.7.1 WDS Scan	108
7.8 The Others Screen	108
7.9 The Channel Status Screen	110
7.10 Technical Reference	111
7.10.1 Wireless Network Overview	111
7.10.2 Additional Wireless Terms	113
7.10.3 Wireless Security Overview	113
7.10.4 Signal Problems	115
7.10.5 BSS	116
7.10.6 MBSSID	116
7.10.7 Preamble Type	117
7.10.8 Wireless Distribution System (WDS)	117
7.10.9 WiFi Protected Setup (WPS)	117
Home Networking	125
8.1 Overview	125
8.1.1 What You Can Do in this Chapter	125
8.1.2 What You Need To Know	126
8.1.3 Before You Begin	127
8.2 The LAN Setup Screen	127
8.3 The Static DHCP Screen	131
8.4 The UPnP Screen	132
8.4.1 Turning On UPnP in Windows 7 Example	133
8.5 The Additional Subnet Screen	135
8.6 The STB Vendor ID Screen	136
8.6.1 The Add/Edit STB Vendor ID Screen	136
8.7 The TFTP Server Name Screen	137
8.8 Technical Reference	138
8.8.1 LANs, WANs and the Device	138
8.8.2 DHCP Setup	138
8.8.3 DNS Server Addresses	138
8.8.4 LAN TCP/IP	139
Routing	141
9.1 Overview	141
9.2 The Routing Screen	141
9.2.1 Add/Edit Static Route	142
9.3 The DNS Route Screen	143
9.3.1 The DNS Route Add Screen	144
9.4 The Policy Forwarding Screen	144
9.4.1 Add/Edit Policy Forwarding	146
9.5 RIP	146
9.5.1 The RIP Screen	147
Quality of Service (QoS)	148
10.1 Overview	148
10.1.1 What You Can Do in this Chapter	148
10.2 What You Need to Know	148
10.3 The Quality of Service General Screen	150
10.4 The Queue Setup Screen	151
10.4.1 Adding a QoS Queue	152
10.5 The Class Setup Screen	153
10.5.1 Add/Edit QoS Class	154
10.6 The QoS Policer Setup Screen	158
10.6.1 Add/Edit a QoS Policer	159
10.7 Technical Reference	160
Network Address Translation (NAT)	165
11.1 Overview	165
11.1.1 What You Can Do in this Chapter	165
11.1.2 What You Need To Know	165
11.2 The Port Forwarding Screen	166
11.2.1 Add/Edit Port Forwarding	168
11.3 The Applications Screen	169
11.3.1 Add New Application	170
11.4 The Port Triggering Screen	171
11.4.1 Add/Edit Port Triggering Rule	172
11.5 The DMZ Screen	173
11.6 The ALG Screen	174
11.7 The Address Mapping Screen	175
11.7.1 Add/Edit Address Mapping Rule	176
11.8 The Sessions Screen	177
11.9 Technical Reference	177
11.9.1 NAT Definitions	178
11.9.2 What NAT Does	178
11.9.3 How NAT Works	179
11.9.4 NAT Application	179
Dynamic DNS Setup	182
12.1 Overview	182
12.1.1 What You Can Do in this Chapter	182
12.1.2 What You Need To Know	182
12.2 The DNS Entry Screen	183
12.2.1 Add/Edit DNS Entry	183
12.3 The Dynamic DNS Screen	184
IGMP/MLD	186
13.1 Overview	186
13.1.1 What You Need To Know	186
13.2 The IGMP/MLD Screen	186
Vlan Group	189
14.1 Overview	189
14.1.1 What You Can Do in this Chapter	189
14.2 The Vlan Group Screen	189
14.2.1 Add/Edit a VLAN Group	190
Interface Group	191
15.1 Overview	191
15.1.1 What You Can Do in this Chapter	191
15.2 The Interface Group Screen	191
15.2.1 Interface Group Configuration	192
15.2.2 Interface Grouping Criteria	194
USB Service	196
16.1 Overview	196
16.1.1 What You Can Do in this Chapter	196
16.1.2 What You Need To Know	196
16.1.3 Before You Begin	198
16.2 The File Sharing Screen	198
16.2.1 The Add New User Screen	199
16.3 The Media Server Screen	200
16.4 Print Server	201
16.4.1 Before You Begin	201
16.4.2 The Print Server Screen	202
Power Management	203
17.1 Overview	203
17.1.1 What You Can Do in this Chapter	203
17.1.2 What You Need To Know	203
17.2 The Power Management Screen	203
17.3 The Auto Switch Off Screen	204
17.3.1 The Auto Switch Off Add or Modify Screen	205
17.3.2 The Add/Edit Rule Screen	206
Firewall	207
18.1 Overview	207
18.1.1 What You Can Do in this Chapter	207
18.1.2 What You Need to Know	208
18.2 The Firewall Screen	208
18.3 The Protocol Screen	209
18.3.1 Add/Edit a Service	210
18.4 The Access Control Screen	212
18.4.1 Add/Edit an ACL Rule	212
18.5 The DoS Screen	214
MAC Filter	216
19.1 Overview	216
19.2 The MAC Filter Screen	216
Parental Control	218
20.1 Overview	218
20.2 The Parental Control Screen	218
20.2.1 Add/Edit a Parental Control Profile	219
Scheduler Rule	223
21.1 Overview	223
21.2 The Scheduler Rule Screen	223
21.2.1 Add/Edit a Schedule	224
Certificates	225
22.1 Overview	225
22.1.1 What You Can Do in this Chapter	225
22.2 What You Need to Know	225
22.3 The Local Certificates Screen	225
22.3.1 Create Certificate Request	226
22.3.2 Load Signed Certificate	228
22.4 The Trusted CA Screen	228
22.4.1 View Trusted CA Certificate	229
22.4.2 Import Trusted CA Certificate	230
Log	232
23.1 Overview	232
23.1.1 What You Can Do in this Chapter	232
23.1.2 What You Need To Know	232
23.2 The System Log Screen	233
23.3 The Security Log Screen	234
Traffic Status	235
24.1 Overview	235
24.1.1 What You Can Do in this Chapter	235
24.2 The WAN Status Screen	235
24.3 The LAN Status Screen	236
24.4 The NAT Status Screen	237
ARP Table	239
25.1 Overview	239
25.1.1 How ARP Works	239
25.2 ARP Table Screen	240
Routing Table	241
26.1 Overview	241
26.2 The Routing Table Screen	241
IGMP/MLD Status	243
27.1 Overview	243
27.2 The IGMP/MLD Group Status Screen	243
xDSL Statistics	245
28.1 The xDSL Statistics Screen	245
3G Statistics	249
29.1 Overview	249
29.2 The 3G Statistics Screen	249
User Account	251
30.1 Overview	251
30.2 The User Account Screen	251
30.2.1 The User Account Add/Edit Screen	252
Remote Management	253
31.1 Overview	253
31.2 The Remote MGMT Screen	253
TR-069 Client	255
32.1 Overview	255
32.2 The TR-069 Client Screen	255
TR-064	257
33.1 Overview	257
33.2 The TR-064 Screen	257
SNMP	258
34.1 Overview	258
34.2 The SNMP Screen	258
Time Settings	260
35.1 Overview	260
35.2 The Time Screen	260
E-mail Notification	262
36.1 Overview	262
36.2 The Email Notification Screen	262
36.2.1 Email Notification Edit	263
Log Setting	264
37.1 Overview	264
37.2 The Log Settings Screen	264
37.2.1 Example E-mail Log	265
Firmware Upgrade	267
38.1 Overview	267
38.2 The Firmware Screen	267
Configuration	270
39.1 Overview	270
39.2 The Configuration Screen	270
39.3 The Reboot Screen	272
Diagnostic	273
40.1 Overview	273
40.1.1 What You Can Do in this Chapter	273
40.2 What You Need to Know	273
40.3 Ping & TraceRoute & NsLookup	274
40.4 802.1ag	274
40.5 OAM Ping	275
Troubleshooting	278
41.1 Power, Hardware Connections, and LEDs	278
41.2 Device Access and Login	279
41.3 Internet Access	281
41.4 Wireless Internet Access	282
41.5 USB Device Connection	283
41.6 UPnP	283
Appendices	285
Customer Support	287
Wireless LANs	293
IPv6	306
Services	314
Legal Information	318

Match case Limit results 1 per page

Appendix B Wireless LANs

VMG1312-B Series User’s Guide

299

shared key, password information exchanged is also encrypted to protect the network from

unauthorized access.

Types of EAP Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and

LEAP. Your wireless LAN device may not support all authentication types.

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE

802.1x transport mechanism in order to support multiple types of user authentication. By using EAP

to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a

RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that

supports IEEE 802.1x.

For EAP-TLS authentication type, you must first have a wired connection to the network and obtain

the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used

to authenticate users and a CA issues certificates and guarantees the identity of each certificate

owner.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server

sends a challenge to the wireless client. The wireless client ‘proves’ that it knows the password by

encrypting the password with the challenge and sends back the information. Password is not sent in

plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get

the plaintext passwords, the passwords must be stored. Thus someone other than the

authentication server may access the password file. In addition, it is possible to impersonate an

authentication server as MD5 authentication method does not perform mutual authentication.

Finally, MD5 authentication method does not support data encryption with dynamic session key. You

must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for

mutual authentication. The server presents a certificate to the client. After validating the identity of

the server, the client sends a different certificate to the server. The exchange of certificates is done

in the open before a secured tunnel is created. This makes user identity vulnerable to passive

attacks. A digital certificate is an electronic ID card that authenticates the sender’s identity.

However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which

imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-

side authentications to establish a secure connection. Client authentication is then done by sending

username and password through the secure connection, thus client identity is protected. For client

authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP,

CHAP, MS-CHAP and MS-CHAP v2.