Home » ZyXEL Manuals » Bridges & Routers » ZyXEL NBG6615 » Manual Viewer

ZyXEL NBG6615 User Guide - Page 191

EAP-TLS Transport Layer Security, EAP-TTLS Tunneled Transport Layer Service, PEAP Protected EAP

Add to My Manuals
Save this manual to your list of manuals

Page 191 highlights

Appendix D Wireless LANs However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAPTLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or re-authentication times out. A new WEP key is generated each time re-authentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled. Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a NBG6615's User's Guide 191

Section	Page
NBG6615	1
Contents Overview	3
Table of Contents	4
User’s Guide	10
Introduction	11
1.1 Overview	11
1.2 Securing the NBG6615	12
1.3 LEDs	13
1.4 The WPS Button	13
1.4.1 Using the WPS Button	14
1.5 Reboot/Reset Button	14
1.6 Wall Mounting	14
The Web Configurator	16
2.1 Overview	16
2.2 Accessing the Web Configurator	16
2.3 Resetting the NBG6615	18
Connection Wizard	20
3.1 Wizard Setup	20
3.1.1 Static IP Connection	22
3.1.2 DHCP Client	22
3.1.3 PPPoE Connection	23
3.1.4 PPTP Connection	24
Modes	28
4.1 Overview	28
4.2 Setting your NBG6615 to Router Mode	29
4.2.1 Status Screen (Router Mode)	29
4.2.2 Router Mode Navigation Panel	33
4.3 Setting your NBG6615 to AP Mode	34
4.3.1 Status Screen (AP Mode)	35
4.3.2 AP Navigation Panel	37
Tutorials	39
5.1 Overview	39
5.2 How to Connect to the Internet from an AP	39
5.3 Configure Wireless Security Using WPS on both your NBG6615 and Wireless Client	39
5.3.1 Push Button Configuration	40
5.3.2 PIN Configuration	41
5.4 Enable and Configure Wireless Security without WPS on your NBG6615	43
5.4.1 Configure Your Wireless Client	44
5.5 Using Multiple SSIDs on the NBG6615	46
5.5.1 Configuring Security Settings of Multiple SSIDs	47
5.6 Installing UPnP in Windows 7 Example	50
5.7 Using Bandwidth Management on the NBG6615	50
Technical Reference	53
Wireless LAN	54
6.1 Overview	54
6.2 What You Can Do	54
6.3 What You Should Know	55
6.3.1 Wireless Security Overview	55
6.3.2 MBSSID	55
6.3.3 MAC Address Filter	56
6.3.4 Encryption	56
6.3.5 WPS	56
6.4 General Wireless LAN Screen	57
6.4.1 No Security	58
6.4.2 WPA2-PSK or WPA-PSK/WPA2-PSK	58
6.5 MAC Filter	59
6.6 Wireless LAN Advanced Screen	60
6.7 WPS Screen	61
6.8 WPS Station Screen	63
6.9 Scheduling Screen	63
6.10 MBSSID Screen	64
WAN	67
7.1 Overview	67
7.2 What You Need To Know	67
7.2.1 Configuring Your Internet Connection	67
7.3 Internet Connection Screen	68
7.3.1 Static IP	68
7.3.2 DHCP Client	70
7.3.3 PPPoE Connection	71
7.3.4 PPTP Connection	73
7.4 Advanced Screen	75
LAN	77
8.1 Overview	77
8.2 What You Need To Know	77
8.2.1 IP Address and Subnet Mask	78
8.2.2 DNS Server Address Assignment	78
8.2.3 IP Pool Setup	79
8.2.4 LAN TCP/IP	79
8.3 LAN IP Screen	79
DHCP Server	81
9.1 Overview	81
9.2 What You Can Do	81
9.3 What You Need To Know	81
9.4 General Screen	81
9.5 Static DHCP Screen	82
9.6 Client List Screen	83
Network Address Translation	85
10.1 Overview	85
10.2 What You Can Do	85
10.2.1 What You Need To Know	86
10.3 General NAT Screen	87
10.4 NAT Application Screen	88
10.5 Port Triggering Screen	90
10.6 Technical Reference	91
10.6.1 NAT Port Forwarding: Services and Port Numbers	92
10.6.2 NAT Port Forwarding Example	92
10.6.3 Trigger Port Forwarding	92
10.6.4 Trigger Port Forwarding Example	93
10.6.5 Two Points To Remember About Trigger Ports	93
Dynamic DNS	94
11.1 Overview	94
11.2 Dynamic DNS Screen	94
Static Route	96
12.1 Overview	96
12.2 IP Static Route Screen	96
Firewall	99
13.1 Overview	99
13.2 What You Can Do	99
13.3 What You Need To Know	100
13.3.1 About the NBG6615 Firewall	100
13.3.2 VPN Pass Through Features	100
13.4 General Firewall Screen	100
13.5 Services Screen	101
13.6 MAC Filter Screen	102
Content Filter	104
14.1 Overview	104
14.2 What You Can Do	104
14.3 Filter Screen	104
Remote Management	106
15.1 Overview	106
15.1.1 Remote Management Limitations	107
15.1.2 Remote Management and NAT	107
15.1.3 System Timeout	107
15.2 WWW Screen	107
Universal Plug-and-Play (UPnP)	109
16.1 Overview	109
16.2 What You Need to Know	109
16.3 Configuring UPnP	110
16.4 Installing UPnP in Windows 7 Example	110
16.4.1 Using UPnP in Windows XP Example	112
16.4.2 Web Configurator Easy Access	114
Bandwidth MGMT	117
17.1 Overview	117
17.2 What You Can Do	117
17.3 What You Need To Know	117
17.4 Bandwidth MGMT Screen	117
17.5 Advanced Screen	118
System	120
18.1 Overview	120
18.2 What You Can Do	120
18.3 System General Screen	120
18.4 Time Setting Screen	121
Logs	123
19.1 Overview	123
19.2 What You Need to Know	123
19.3 View Log Screen	123
Tools	125
20.1 Overview	125
20.2 What You Can Do	125
20.3 Firmware Upload Screen	125
20.4 Configuration Screen	127
20.4.1 Backup Configuration	127
20.4.2 Restore Configuration	127
20.4.3 Back to Factory Defaults	128
20.5 Restart Screen	128
Sys OP Mode	130
21.1 Overview	130
21.2 General Screen	130
Language	132
22.1 Language Screen	132
Troubleshooting and Appendices	133
Troubleshooting	134
23.1 Power, Hardware Connections, and LEDs	134
23.2 NBG6615 Access and Login	135
23.3 Internet Access	136
23.4 Resetting the NBG6615 to Its Factory Defaults	137
23.5 Wireless Problems	138
IP Addresses and Subnetting	139
Pop-up Windows, JavaScripts and Java Permissions	148
Setting Up Your Computer’s IP Address	157
Wireless LANs	184
Common Services	197
Legal Information	200
Customer Support	207

Match case Limit results 1 per page

Appendix D Wireless LANs

NBG6615’s User’s Guide

191

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the

plaintext passwords, the passwords must be stored. Thus someone other than the authentication server

may access the password file. In addition, it is possible to impersonate an authentication server as MD5

authentication method does not perform mutual authentication. Finally, MD5 authentication method

does not support data encryption with dynamic session key. You must configure WEP encryption keys for

data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual

authentication. The server presents a certificate to the client. After validating the identity of the server,

the client sends a different certificate to the server. The exchange of certificates is done in the open

before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital

certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-

TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management

overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side

authentications to establish a secure connection. Client authentication is then done by sending

username and password through the secure connection, thus client identity is protected. For client

authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP,

MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use

simple username and password methods through the secured connection to authenticate the clients,

thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2

and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by

Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless

connection times out, disconnects or re-authentication times out. A new WEP key is generated each

time re-authentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security

configuration screen. You may still configure and store keys, but they will not be used while dynamic

WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for

data encryption. They are often deployed in corporate environments, but for public deployment, a