Home » ZyXEL Manuals » Networking » ZyXEL VMG4927-B50A » Manual Viewer

ZyXEL VMG4927-B50A User Guide - Page 299

EAP-MD5 Message-Digest Algorithm 5, EAP-TLS Transport Layer Security, EAP-TTLS Tunneled Transport

Add to My Manuals
Save this manual to your list of manuals

Page 299 highlights

Appendix B Wireless LANs EAP-MD5 (Message-Digest Algorithm 5) MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client 'proves' that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAPTLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. You should use Encryption AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the VMG4927-B50A / VMG9827-B50A User's Guide 299

Section	Page
VMG4927-B50A / VMG9827-B50A	1
Document Conventions	3
Contents Overview	4
Table of Contents	6
User’s Guide	15
VMG Introduction	16
1.1 Overview	16
1.1.1 Internet Access	16
1.1.2 Wireless Access	20
1.1.3 VoIP Features	20
1.2 Ways to Manage the VMG	21
1.3 Good Habits for Managing the VMG	21
1.4 Hardware	21
1.4.1 Front Panels	21
1.4.2 WPS Button	23
1.4.3 LEDs (Lights)	24
1.4.4 Rear Panel	26
1.4.5 RESET Button	27
1.4.6 Wall Mounting	27
The Web Configurator	29
2.1 Overview	29
2.1.1 Access the Web Configurator	29
2.2 Web Configurator Layout	31
2.2.1 Title Bar	31
2.2.2 Navigation Panel	32
Quick Start	36
3.1 Overview	36
3.2 Quick Start Setup	36
Tutorials	39
4.1 Overview	39
4.2 Set Up an ADSL PPPoE Connection	39
4.3 Set Up a Secure WiFi Network	42
4.3.1 Configure the WiFi Network Settings	42
4.3.2 Use WPS	44
4.3.3 Connect to the VMG’s WiFi Network Manually (No WPS)	46
4.3.4 Configure Wireless Security on the VMG	46
4.3.5 Configure Your Laptop	48
4.4 Set Up Multiple Wireless Groups	50
4.5 Configure Static Route for Routing to Another Network	53
4.6 Configure QoS Queue and Class Setup	55
4.7 Access the VMG Using DDNS	59
4.7.1 Register a DDNS Account on www.dyndns.org	59
4.7.2 Configure DDNS on Your VMG	60
4.7.3 Test the DDNS Setting	60
4.8 Configure the MAC Address Filter	60
Technical Reference	62
Network Map and Status Screens	63
5.1 Overview	63
5.2 Network Map	63
5.3 Status	65
Broadband	68
6.1 Overview	68
6.1.1 What You Can Do in this Chapter	68
6.1.2 What You Need to Know	69
6.1.3 Before You Begin	71
6.2 Broadband	72
6.2.1 Add/Edit Internet Connection	73
6.3 Advanced Settings	81
6.4 Ethernet WAN	84
6.5 Technical Reference	84
Wireless	90
7.1 Overview	90
7.1.1 What You Can Do in this Chapter	90
7.1.2 What You Need to Know	90
7.2 WiFi	91
7.2.1 WiFi Edit	91
7.3 Guest WiFi	93
7.3.1 Edit Guest WiFi	93
7.4 WPS	94
7.5 Advanced Settings	95
7.6 Channel Status	98
7.7 MESH	100
7.8 Technical Reference	102
7.8.1 Wireless Network Overview	102
7.8.2 Additional Wireless Terms	104
7.8.3 Wireless Security Overview	104
7.8.4 Signal Problems	106
7.8.5 BSS	106
7.8.6 MBSSID	107
7.8.7 Preamble Type	107
7.8.8 WiFi Protected Setup (WPS)	107
Home Networking	113
8.1 Overview	113
8.1.1 What You Can Do in this Chapter	113
8.1.2 What You Need To Know	114
8.1.3 Before You Begin	115
8.2 LAN Setup	115
8.3 Static DHCP	119
8.4 UPnP	120
8.4.1 Turn On UPnP in Windows 7 Example	121
8.5 Additional Subnet	123
8.6 STB Vendor ID	124
8.7 Wake on LAN	125
8.8 TFTP Server Name	125
8.9 Technical Reference	126
8.9.1 LANs, WANs and the VMG	126
8.9.2 DHCP Setup	127
8.9.3 DNS Server Addresses	127
8.9.4 LAN TCP/IP	127
Routing	129
9.1 Overview	129
9.2 Routing	129
9.2.1 Add/Edit Static Route	130
9.3 DNS Route	131
9.3.1 DNS Route Add	132
9.4 Policy Route	133
9.4.1 Add/Edit Policy Route	134
9.5 RIP Overview	135
9.5.1 RIP	135
Quality of Service (QoS)	137
10.1 Overview	137
10.1.1 What You Can Do in this Chapter	137
10.2 What You Need to Know	138
10.3 Quality of Service General Settings	139
10.4 Queue Setup	140
10.4.1 Adding a QoS Queue	142
10.5 Classification Setup	143
10.5.1 Add/Edit QoS Class	143
10.6 QoS Shaper Setup	147
10.6.1 Add/Edit a QoS Shaper	148
10.7 QoS Policer Setup	148
10.7.1 Add/Edit a QoS Policer	149
10.8 QoS Monitor	150
10.9 Technical Reference	151
Network Address Translation (NAT)	156
11.1 Overview	156
11.1.1 What You Can Do in this Chapter	156
11.1.2 What You Need To Know	156
11.2 Port Forwarding	157
11.2.1 Add/Edit Port Forwarding	159
11.3 Applications Settings	160
11.3.1 Add New Application	161
11.4 Port Triggering	162
11.4.1 Add/Edit Port Triggering Rule	163
11.5 DMZ	164
11.6 ALG	165
11.7 Address Mapping	166
11.7.1 Add/Edit Address Mapping Rule	167
11.8 Sessions	168
11.9 Technical Reference	169
11.9.1 NAT Definitions	169
11.9.2 What NAT Does	169
11.9.3 How NAT Works	170
11.9.4 NAT Application	170
Dynamic DNS Setup	173
12.1 Overview	173
12.1.1 What You Can Do in this Chapter	173
12.1.2 What You Need To Know	173
12.2 DNS Entry	174
12.2.1 Add/Edit DNS Entry	174
12.3 Dynamic DNS	175
IGMP/MLD	177
13.1 Overview	177
13.1.1 What You Need To Know	177
13.2 IGMP/MLD	177
VLAN Group	180
14.1 Overview	180
14.1.1 What You Can Do in this Chapter	180
14.2 VLAN Group	180
14.2.1 Add/Edit a VLAN Group	181
Interface Grouping	182
15.1 Overview	182
15.1.1 What You Can Do in this Chapter	182
15.2 Interface Grouping Overview	182
15.2.1 Interface Grouping Configuration	183
15.2.2 Interface Grouping Criteria	185
Firewall	187
16.1 Overview	187
16.1.1 What You Can Do in this Chapter	187
16.1.2 What You Need to Know	188
16.2 Firewall	188
16.3 Protocol	189
16.3.1 Add/Edit a Service	190
16.4 Access Control	191
16.4.1 Add/Edit an ACL Rule	192
16.5 DoS	193
MAC Filter	195
17.1 Overview	195
17.2 MAC Filter	195
Parental Control	197
18.1 Overview	197
18.2 Parental Control	197
18.2.1 Add/Edit a Parental Control Profile	198
Scheduler Rule	201
19.1 Overview	201
19.2 Scheduler Rule	201
19.2.1 Add/Edit a Schedule	201
Certificates	203
20.1 Overview	203
20.1.1 What You Can Do in this Chapter	203
20.2 What You Need to Know	203
20.3 Local Certificates	203
20.3.1 Create Certificate Request	204
20.3.2 View Certificate Request	205
20.4 Trusted CA	206
20.4.1 View Trusted CA Certificate	207
20.4.2 Import Trusted CA Certificate	208
Voice	210
21.1 Overview	210
21.1.1 What You Can Do in this Chapter	210
21.1.2 What You Need to Know About VoIP	210
21.2 Before You Begin	211
21.3 SIP Account	211
21.3.1 SIP Account Add/Edit	212
21.4 SIP Service Provider	216
21.4.1 SIP Service Provider Add/Edit	217
21.5 Phone Device	221
21.5.1 Phone Device Edit	222
21.6 Region	223
21.7 Call Rule	223
21.8 Technical Reference	224
21.8.1 Quality of Service (QoS)	232
21.8.2 Phone Services Overview	232
Log	237
22.1 Overview	237
22.1.1 What You Can Do in this Chapter	237
22.1.2 What You Need To Know	237
22.2 System Log	238
22.3 Security Log	239
Traffic Status	240
23.1 Overview	240
23.1.1 What You Can Do in this Chapter	240
23.2 WAN Status	240
23.3 LAN Status	241
23.4 NAT Status	242
ARP Table	244
24.1 Overview	244
24.1.1 How ARP Works	244
24.2 ARP Table	244
Routing Table	246
25.1 Overview	246
25.2 Routing Table	246
Multicast Status	248
26.1 Overview	248
26.2 IGMP Status	248
26.3 MLD Status	248
xDSL Statistics	250
27.1 xDSL Statistics	250
System	253
28.1 Overview	253
28.2 System	253
User Account	254
29.1 Overview	254
29.2 User Account	254
29.2.1 User Account Add/Edit	255
Remote Management	256
30.1 Overview	256
30.2 MGMT Services	256
30.3 Trust Domain	257
30.3.1 Add Trust Domain	258
SNMP	259
31.1 Overview	259
31.2 SNMP	259
Time Settings	261
32.1 Overview	261
32.2 Time	261
Email Notification	263
33.1 Overview	263
33.2 Email Notification	263
33.2.1 Email Notification Edit	264
Log Setting	265
34.1 Overview	265
34.2 Log Settings	265
34.2.1 Example Email Log	266
Firmware Upgrade	268
35.1 Overview	268
35.2 Firmware	268
Backup/Restore	270
36.1 Overview	270
36.2 Backup/Restore	270
36.3 Reboot	272
Diagnostic	273
37.1 Overview	273
37.1.1 What You Can Do in this Chapter	273
37.2 What You Need to Know	273
37.3 Ping & TraceRoute & NsLookup	274
37.4 802.1ag	274
37.5 802.3ah	276
37.6 OAM Ping	277
Troubleshooting	279
38.1 Power, Hardware Connections, and LEDs	279
38.2 VMG Access and Login	280
38.3 Internet Access	281
38.4 Wireless Internet Access	283
38.5 UPnP	284
38.6 VoIP Call Quality	284
Appendices	286
Customer Support	287
Wireless LANs	293
IPv6	303
Services	311
Legal Information	315

Match case Limit results 1 per page

Appendix B Wireless LANs

VMG4927-B50A / VMG9827-B50A User’s Guide

299

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a

challenge to the wireless client. The wireless client ‘proves’ that it knows the password by encrypting the

password with the challenge and sends back the information. Password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the

plaintext passwords, the passwords must be stored. Thus someone other than the authentication server

may access the password file. In addition, it is possible to impersonate an authentication server as MD5

authentication method does not perform mutual authentication. Finally, MD5 authentication method

does not support data encryption with dynamic session key.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual

authentication. The server presents a certificate to the client. After validating the identity of the server,

the client sends a different certificate to the server. The exchange of certificates is done in the open

before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital

certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-

TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management

overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side

authentications to establish a secure connection. Client authentication is then done by sending

username and password through the secure connection, thus client identity is protected. For client

authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP,

MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use

simple username and password methods through the secured connection to authenticate the clients,

thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2

and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by

Cisco.

You should use Encryption

AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm

called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC)

named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying

mechanism.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy

and management system, using the PMK to dynamically generate unique data encryption keys to

encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This

all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets,

altering them and resending them. The MIC provides a strong mathematical function in which the