Home » ZyXEL Manuals » Networking » ZyXEL P-662HW-61 » Manual Viewer

ZyXEL P-662HW-61 User Guide - Page 402

EAP-MD5 Message-Digest Algorithm 5, EAP-TLS Transport Layer Security, EAP-TTLS Tunneled Transport

Get ZyXEL P-662HW-61 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 402 highlights

Appendix D Wireless LANs For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner. EAP-MD5 (Message-Digest Algorithm 5) MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client 'proves' that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. 402 P-662H/HW-D Series User's Guide

Section	Page
User’s Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
List of Figures	23
List of Tables	31
Introduction and Wizards	37
Getting To Know Your ZyXEL Device	39
1.1 Introducing the ZyXEL Device	39
1.1.1 Applications of the ZyXEL Device	39
1.1.2 Firewall for Secure Broadband Internet Access	40
1.1.3 Front Panel LEDs	41
Introducing the Web Configurator	43
2.1 Web Configurator Overview	43
2.2 Accessing the Web Configurator	43
2.3 Resetting the ZyXEL Device	46
2.3.1 Using the Reset Button	46
2.4 Navigating the Web Configurator	47
2.4.1 Navigation Panel	47
2.4.2 Status Screen	50
2.4.3 Status: Any IP Table	53
2.4.4 Status: WLAN Status	53
2.4.5 Status: Bandwidth Status	54
2.4.6 Status: VPN Status	54
2.4.7 Status: Packet Statistics	55
2.4.8 Changing Login Password	57
Wizard Setup for Internet Access	59
3.1 Introduction	59
3.2 Internet Access Wizard Setup	59
3.2.1 Automatic Detection	61
3.2.2 Manual Configuration	61
3.3 Wireless Connection Wizard Setup	66
3.3.1 Automatically assign a WPA key	69
3.3.2 Manually assign a WPA-PSK key	69
3.3.3 Manually assign a WEP key	69
Bandwidth Management Wizard	73
4.1 Introduction	73
4.2 Predefined Media Bandwidth Management Services	73
4.3 Bandwidth Management Wizard Setup	74
Network	79
WAN Setup	81
5.1 WAN Overview	81
5.1.1 Encapsulation	81
5.1.2 Multiplexing	82
5.1.3 VPI and VCI	82
5.1.4 IP Address Assignment	82
5.1.5 Nailed-Up Connection (PPP)	83
5.1.6 NAT	83
5.2 Metric	83
5.3 Traffic Shaping	84
5.3.1 ATM Traffic Classes	85
5.4 Zero Configuration Internet Access	85
5.5 Internet Connection	86
5.5.1 Configuring Advanced Internet Connection	87
5.6 Configuring More Connections	89
5.6.1 More Connections Edit	90
5.6.2 Configuring More Connections Advanced Setup	92
5.7 Traffic Redirect	94
5.8 Configuring WAN Backup	94
5.9 WAN Backup Advanced Screen	96
5.10 Dial Backup Modem Setup	99
LAN Setup	101
6.1 LAN Overview	101
6.1.1 LANs, WANs and the ZyXEL Device	101
6.1.2 DHCP Setup	102
6.1.3 DNS Server Address	102
6.1.4 DNS Server Address Assignment	102
6.2 LAN TCP/IP	103
6.2.1 IP Address and Subnet Mask	103
6.2.2 RIP Setup	104
6.2.3 Multicast	104
6.2.4 Any IP	105
6.3 Configuring LAN IP	106
6.3.1 Configuring Advanced LAN Setup	107
6.4 DHCP Setup	108
6.5 LAN Client List	109
6.6 LAN IP Alias	110
Wireless LAN	113
7.1 Wireless Network Overview	113
7.2 Wireless Security Overview	114
7.2.1 SSID	114
7.2.2 MAC Address Filter	114
7.2.3 User Authentication	114
7.2.4 Encryption	115
7.2.5 One-Touch Intelligent Security Technology (OTIST)	116
7.3 Wireless Performance Overview	116
7.3.1 Quality of Service (QoS)	116
7.4 Additional Wireless Terms	116
7.5 General Wireless LAN Screen	117
7.5.1 No Security	118
7.5.2 WEP Encryption Screen	119
7.5.3 WPA(2)-PSK	120
7.5.4 WPA(2) Authentication Screen	122
7.5.5 Wireless LAN Advanced Setup	124
7.6 OTIST	125
7.6.1 Enabling OTIST	125
7.6.2 Starting OTIST	127
7.6.3 Notes on OTIST	128
7.7 MAC Filter	129
7.8 WMM QoS	130
7.8.1 WMM QoS Example	130
7.8.2 WMM QoS Priorities	130
7.8.3 Services	131
7.9 QoS Screen	131
7.9.1 ToS (Type of Service) and WMM QoS	131
7.9.2 Application Priority Configuration	132
7.10 Multiple SSID (P-662HW-D Models only)	133
7.10.1 Multiple SSID Commands	134
7.10.2 Multiple SSID Example	135
DMZ	137
8.1 Introduction	137
8.2 Configuring DMZ	137
8.3 DMZ Public IP Address Example	139
Network Address Translation (NAT) Screens	141
9.1 NAT Overview	141
9.1.1 NAT Definitions	141
9.1.2 What NAT Does	142
9.1.3 How NAT Works	142
9.1.4 NAT Application	142
9.1.5 NAT Mapping Types	143
9.2 SUA (Single User Account) Versus NAT	144
9.3 NAT General Setup	144
9.4 Port Forwarding	145
9.4.1 Default Server IP Address	146
9.4.2 Port Forwarding: Services and Port Numbers	146
9.4.3 Configuring Servers Behind Port Forwarding (Example)	146
9.5 Configuring Port Forwarding	147
9.5.1 Port Forwarding Rule Edit	148
9.6 Address Mapping	149
9.6.1 Address Mapping Rule Edit	150
9.7 Trigger Port	151
9.8 Edit Trigger Port	153
Security	155
Firewalls	157
10.1 Firewall Overview	157
10.2 Types of Firewalls	157
10.2.1 Packet Filtering Firewalls	157
10.2.2 Application-level Firewalls	158
10.2.3 Stateful Inspection Firewalls	158
10.3 Introduction to ZyXEL’s Firewall	158
10.3.1 Denial of Service Attacks	159
10.4 Denial of Service	159
10.4.1 Basics	159
10.4.2 Types of DoS Attacks	160
10.5 Stateful Inspection	162
10.5.1 Stateful Inspection Process	163
10.5.2 Stateful Inspection and the ZyXEL Device	164
10.5.3 TCP Security	164
10.5.4 UDP/ICMP Security	165
10.5.5 Upper Layer Protocols	165
10.6 Guidelines for Enhancing Security with Your Firewall	166
10.6.1 Security In General	166
10.7 Packet Filtering Vs Firewall	167
10.7.1 Packet Filtering:	167
10.7.2 Firewall	167
Firewall Configuration	169
11.1 Access Methods	169
11.2 Firewall Policies Overview	169
11.3 Rule Logic Overview	170
11.3.1 Security Ramifications	170
11.3.2 Key Fields For Configuring Rules	171
11.4 Connection Direction	171
11.4.1 LAN to WAN Rules	172
11.4.2 Alerts	172
11.5 General Firewall Policy	172
11.6 Firewall Rules Summary	173
11.6.1 Configuring Firewall Rules	175
11.6.2 Customized Services	178
11.6.3 Configuring A Customized Service	178
11.7 Example Firewall Rule	179
11.8 Predefined Services	183
11.9 Anti-Probing	185
11.10 DoS Thresholds	186
11.10.1 Threshold Values	186
11.10.2 Half-Open Sessions	187
11.10.3 Configuring Firewall Thresholds	187
Content Filtering	191
12.1 Content Filtering Overview	191
12.2 Configuring Keyword Blocking	191
12.3 Configuring the Schedule	192
12.4 Configuring Trusted Computers	193
Content Access Control	195
13.1 Content Access Control Overview	195
13.1.1 Content Access Control WLAN Application	195
13.1.2 Configuration Steps	195
13.2 Activating CAC and Creating User Groups	196
13.2.1 Configuring Time Schedule	197
13.2.2 Configuring Services	198
13.2.3 Configuring Web Site Filters	200
13.2.4 Testing Web Site Access Privileges	205
13.3 User Account Setup	206
13.4 User Online Status	207
13.5 Trusted Devices	208
13.6 Trusted-external Websites	208
13.7 Content Access Control Logins	209
13.7.1 User Login	209
13.7.2 Administrator Login	210
Register	211
14.1 myZyXEL.com overview	211
14.1.1 Subscription Services Available on the ZyXEL Device	211
14.2 Registration	212
14.3 Service	213
Introduction to IPSec	215
15.1 VPN Overview	215
15.1.1 IPSec	215
15.1.2 Security Association	215
15.1.3 Other Terminology	215
15.1.4 VPN Applications	216
15.2 IPSec Architecture	216
15.2.1 IPSec Algorithms	217
15.2.2 Key Management	217
15.3 Encapsulation	217
15.3.1 Transport Mode	218
15.3.2 Tunnel Mode	218
15.4 IPSec and NAT	218
VPN Screens	221
16.1 VPN/IPSec Overview	221
16.2 IPSec Algorithms	221
16.2.1 AH (Authentication Header) Protocol	221
16.2.2 ESP (Encapsulating Security Payload) Protocol	221
16.3 My IP Address	222
16.4 Secure Gateway Address	222
16.4.1 Dynamic Secure Gateway Address	223
16.5 VPN Setup Screen	223
16.6 Keep Alive	225
16.7 VPN, NAT, and NAT Traversal	225
16.8 Remote DNS Server	226
16.9 ID Type and Content	227
16.9.1 ID Type and Content Examples	228
16.10 Pre-Shared Key	229
16.11 Editing VPN Policies	229
16.12 IKE Phases	233
16.12.1 Negotiation Mode	234
16.12.2 Diffie-Hellman (DH) Key Groups	235
16.12.3 Perfect Forward Secrecy (PFS)	235
16.13 Configuring Advanced IKE Settings	235
16.14 Manual Key Setup	238
16.14.1 Security Parameter Index (SPI)	238
16.15 Configuring Manual Key	238
16.16 Viewing SA Monitor	241
16.17 Configuring Global Setting	242
16.18 Telecommuter VPN/IPSec Examples	243
16.18.1 Telecommuters Sharing One VPN Rule Example	243
16.18.2 Telecommuters Using Unique VPN Rules Example	244
16.19 VPN and Remote Management	245
Certificates	247
17.1 Certificates Overview	247
17.1.1 Advantages of Certificates	248
17.2 Self-signed Certificates	248
17.3 Configuration Summary	248
17.4 My Certificates	248
17.5 My Certificate Import	250
17.5.1 Certificate File Formats	251
17.6 My Certificate Create	252
17.7 My Certificate Details	254
17.8 Trusted CAs	257
17.9 Trusted CA Import	259
17.10 Trusted CA Details	260
17.11 Trusted Remote Hosts	262
17.12 Verifying a Trusted Remote Host’s Certificate	264
17.12.1 Trusted Remote Host Certificate Fingerprints	264
17.13 Trusted Remote Hosts Import	265
17.14 Trusted Remote Host Certificate Details	265
17.15 Directory Servers	268
17.16 Directory Server Add or Edit	269
Advanced	271
Static Route	273
18.1 Static Route Overview	273
18.2 Configuring Static Routes	274
18.2.1 Static Route Edit	275
Bandwidth Management	277
19.1 Bandwidth Management Overview	277
19.2 Application-based Bandwidth Management	277
19.3 Subnet-based Bandwidth Management	277
19.4 Application and Subnet-based Bandwidth Management	278
19.5 Scheduler	278
19.5.1 Priority-based Scheduler	278
19.5.2 Fairness-based Scheduler	279
19.6 Maximize Bandwidth Usage	279
19.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	279
19.6.2 Maximize Bandwidth Usage Example	279
19.6.3 Bandwidth Management Priorities	281
19.7 Configuring Summary	281
19.8 Bandwidth Management Rule Setup	282
19.8.1 Rule Configuration	283
19.9 Bandwidth Monitor	286
Dynamic DNS Setup	287
20.1 Dynamic DNS Overview	287
20.1.1 DYNDNS Wildcard	287
20.2 Configuring Dynamic DNS	287
Remote Management Configuration	291
21.1 Remote Management Overview	291
21.1.1 Remote Management Limitations	292
21.1.2 Remote Management and NAT	292
21.1.3 System Timeout	292
21.2 WWW	292
21.3 Telnet	294
21.4 Configuring Telnet	294
21.5 Configuring FTP	295
21.6 SNMP	296
21.6.1 Supported MIBs	297
21.6.2 SNMP Traps	297
21.6.3 Configuring SNMP	297
21.7 Configuring DNS	299
21.8 Configuring ICMP	299
21.9 TR-069	300
Universal Plug-and-Play (UPnP)	303
22.1 Introducing Universal Plug and Play	303
22.1.1 How do I know if I'm using UPnP?	303
22.1.2 NAT Traversal	303
22.1.3 Cautions with UPnP	303
22.2 UPnP and ZyXEL	304
22.2.1 Configuring UPnP	304
22.3 Installing UPnP in Windows Example	305
22.4 Using UPnP in Windows XP Example	308
Maintenance, Troubleshooting and Specifications	315
System	317
23.1 General Setup and System Name	317
23.1.1 System Configuration	317
23.2 Time Setting	319
Logs	323
24.1 Logs Overview	323
24.1.1 Alerts and Logs	323
24.2 Viewing the Logs	323
24.3 Configuring Log Settings	324
24.4 SMTP Error Messages	326
24.4.1 Example E-mail Log	327
Tools	329
25.1 Firmware Upgrade	329
25.2 Configuration Screen	331
25.2.1 Backup Configuration	331
25.2.2 Restore Configuration	332
25.2.3 Back to Factory Defaults	333
25.3 Restart	333
Diagnostic	335
26.1 General Diagnostic	335
26.2 DSL Line Diagnostic	336
Troubleshooting	337
27.1 Problems Starting Up the ZyXEL Device	337
27.2 Problems with the LAN	337
27.3 Problems with the WAN	338
27.4 Problems Accessing the ZyXEL Device	338
27.4.1 Pop-up Windows, JavaScripts and Java Permissions	339
27.4.2 ActiveX Controls in Internet Explorer	344
Product Specifications	347
28.1 General ZyXEL Device Specifications	347
28.2 Wall-mounting Instructions	351
Appendices and Index	353
Setting up Your Computer’s IP Address	355
Pop-up Windows, JavaScripts and Java Permissions	377
IP Addresses and Subnetting	385
Wireless LANs	395
Management with Wireless Zero Configuration	409
Common Services	423
Virtual Circuit Topology	427
Importing Certificates	429
NetBIOS Filter Commands	435
Command Interpreter	437
Internal SPTGEN	443
Log Descriptions	459
Legal Information	475
Customer Support	479

Match case Limit results 1 per page

Appendix D Wireless LANs

P-662H/HW-D Series User’s Guide

402

For EAP-TLS authentication type, you must first have a wired connection to the network and

obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs)

can be used to authenticate users and a CA issues certificates and guarantees the identity of

each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server

sends a challenge to the wireless client. The wireless client ‘proves’ that it knows the password

by encrypting the password with the challenge and sends back the information. Password is

not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to

get the plaintext passwords, the passwords must be stored. Thus someone other than the

authentication server may access the password file. In addition, it is possible to impersonate an

authentication server as MD5 authentication method does not perform mutual authentication.

Finally, MD5 authentication method does not support data encryption with dynamic session

key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for

mutual authentication. The server presents a certificate to the client. After validating the

identity of the server, the client sends a different certificate to the server. The exchange of

certificates is done in the open before a secured tunnel is created. This makes user identity

vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the

sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to

handle certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the

server-side authentications to establish a secure connection. Client authentication is then done

by sending username and password through the secure connection, thus client identity is

protected. For client authentication, EAP-TTLS supports EAP methods and legacy

authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection,

then use simple username and password methods through the secured connection to

authenticate the clients, thus hiding client identity. However, PEAP only supports EAP

methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card),

for client authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE

802.1x.