Home » ZyXEL Manuals » Networking » ZyXEL VMG3927-B50B » Manual Viewer

ZyXEL VMG3927-B50B User Guide - Page 305

EAP-TLS Transport Layer Security, EAP-TTLS Tunneled Transport Layer Service, PEAP Protected EAP,

Add to My Manuals
Save this manual to your list of manuals

Page 305 highlights

Appendix B Wireless LANs may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAPTLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. You should use Encryption AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with AES it is more difficult to decrypt data on a WiFi network and difficult for an intruder to break into the network. WPA2-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA2-PSK susceptible to brute-force password-guessing attacks but it employs a VMG4927-B50A / VMG9827-B50A / VMG3927-B50B User's Guide 305

Section	Page
VMG4927-B50A / VMG9827-B50A/ VMG3927-B50B	1
Document Conventions	3
Contents Overview	4
Table of Contents	6
User’s Guide	15
VMG Introduction	16
1.1 Overview	16
1.1.1 Internet Access	16
1.1.2 Wireless Access	20
1.1.3 VoIP Features	20
1.2 Ways to Manage the VMG	21
1.3 Good Habits for Managing the VMG	21
1.4 Hardware	21
1.4.1 Front Panels	21
1.4.2 WPS Button	24
1.4.3 LEDs (Lights)	25
1.4.4 Rear Panel	28
1.4.5 RESET Button	29
1.4.6 Wall Mounting	29
The Web Configurator	32
2.1 Overview	32
2.1.1 Access the Web Configurator	32
2.2 Web Configurator Layout	34
2.2.1 Title Bar	34
2.2.2 Navigation Panel	35
Quick Start	39
3.1 Overview	39
3.2 Quick Start Setup	39
Tutorials	42
4.1 Overview	42
4.2 Set Up an ADSL PPPoE Connection	42
4.3 Set Up a Secure WiFi Network	45
4.3.1 Configure the WiFi Network Settings	45
4.3.2 Use WPS	47
4.3.3 Connect to the VMG’s WiFi Network Manually (No WPS)	49
4.3.4 Configure Wireless Security on the VMG	49
4.3.5 Configure Your Laptop	51
4.4 Set Up Multiple Wireless Groups	53
4.5 Configure Static Route for Routing to Another Network	56
4.6 Configure QoS Queue and Class Setup	58
4.7 Access the VMG Using DDNS	62
4.7.1 Register a DDNS Account on www.dyndns.org	62
4.7.2 Configure DDNS on Your VMG	63
4.7.3 Test the DDNS Setting	63
4.8 Configure the MAC Address Filter	63
Technical Reference	65
Network Map and Status Screens	66
5.1 Overview	66
5.2 Network Map	66
5.3 Status	68
Broadband	71
6.1 Overview	71
6.1.1 What You Can Do in this Chapter	71
6.1.2 What You Need to Know	72
6.1.3 Before You Begin	74
6.2 Broadband	75
6.2.1 Add/Edit Internet Connection	76
6.3 Advanced Settings	84
6.4 Ethernet WAN	87
6.5 Technical Reference	87
Wireless	93
7.1 Overview	93
7.1.1 What You Can Do in this Chapter	93
7.1.2 What You Need to Know	93
7.2 WiFi	94
7.2.1 WiFi Edit	94
7.3 Guest WiFi	96
7.3.1 Edit Guest WiFi	97
7.4 WPS	98
7.5 Advanced Settings	98
7.6 Channel Status	101
7.7 MESH	103
7.8 Technical Reference	105
7.8.1 Wireless Network Overview	105
7.8.2 Additional Wireless Terms	107
7.8.3 Wireless Security Overview	107
7.8.4 Signal Problems	109
7.8.5 BSS	109
7.8.6 MBSSID	110
7.8.7 Preamble Type	110
7.8.8 WiFi Protected Setup (WPS)	110
Home Networking	116
8.1 Overview	116
8.1.1 What You Can Do in this Chapter	116
8.1.2 What You Need To Know	117
8.1.3 Before You Begin	118
8.2 LAN Setup	118
8.3 Static DHCP	122
8.4 UPnP	123
8.4.1 Turn On UPnP in Windows 7 Example	125
8.5 Additional Subnet	126
8.6 STB Vendor ID	128
8.7 Wake on LAN	128
8.8 TFTP Server Name	129
8.9 Technical Reference	130
8.9.1 LANs, WANs and the VMG	130
8.9.2 DHCP Setup	130
8.9.3 DNS Server Addresses	130
8.9.4 LAN TCP/IP	131
Routing	133
9.1 Overview	133
9.2 Routing	133
9.2.1 Add/Edit Static Route	134
9.3 DNS Route	135
9.3.1 DNS Route Add	136
9.4 Policy Route	137
9.4.1 Add/Edit Policy Route	138
9.5 RIP Overview	139
9.5.1 RIP	139
Quality of Service (QoS)	140
10.1 Overview	140
10.1.1 What You Can Do in this Chapter	140
10.2 What You Need to Know	141
10.3 Quality of Service General Settings	142
10.4 Queue Setup	143
10.4.1 Adding a QoS Queue	145
10.5 Classification Setup	145
10.5.1 Add/Edit QoS Class	146
10.6 QoS Shaper Setup	150
10.6.1 Add/Edit a QoS Shaper	151
10.7 QoS Policer Setup	151
10.7.1 Add/Edit a QoS Policer	152
10.8 QoS Monitor	153
10.9 Technical Reference	154
Network Address Translation (NAT)	159
11.1 Overview	159
11.1.1 What You Can Do in this Chapter	159
11.1.2 What You Need To Know	159
11.2 Port Forwarding	160
11.2.1 Add/Edit Port Forwarding	162
11.3 Applications Settings	163
11.3.1 Add New Application	164
11.4 Port Triggering	165
11.4.1 Add/Edit Port Triggering Rule	166
11.5 DMZ	167
11.6 ALG	168
11.7 Address Mapping	169
11.7.1 Add/Edit Address Mapping Rule	170
11.8 Sessions	171
11.9 Technical Reference	171
11.9.1 NAT Definitions	172
11.9.2 What NAT Does	172
11.9.3 How NAT Works	173
11.9.4 NAT Application	173
Dynamic DNS Setup	176
12.1 Overview	176
12.1.1 What You Can Do in this Chapter	176
12.1.2 What You Need To Know	176
12.2 DNS Entry	177
12.2.1 Add/Edit DNS Entry	177
12.3 Dynamic DNS	178
IGMP/MLD	180
13.1 Overview	180
13.1.1 What You Need To Know	180
13.2 IGMP/MLD	180
VLAN Group	183
14.1 Overview	183
14.1.1 What You Can Do in this Chapter	183
14.2 VLAN Group	183
14.2.1 Add/Edit a VLAN Group	184
Interface Grouping	185
15.1 Overview	185
15.1.1 What You Can Do in this Chapter	185
15.2 Interface Grouping Overview	185
15.2.1 Interface Grouping Configuration	186
15.2.2 Interface Grouping Criteria	188
Firewall	190
16.1 Overview	190
16.1.1 What You Can Do in this Chapter	190
16.1.2 What You Need to Know	191
16.2 Firewall	191
16.3 Protocol	192
16.3.1 Add/Edit a Service	193
16.4 Access Control	194
16.4.1 Add/Edit an ACL Rule	195
16.5 DoS	196
MAC Filter	198
17.1 Overview	198
17.2 MAC Filter	198
Parental Control	200
18.1 Overview	200
18.2 Parental Control	200
18.2.1 Add/Edit a Parental Control Profile	201
Scheduler Rule	204
19.1 Overview	204
19.2 Scheduler Rule	204
19.2.1 Add/Edit a Schedule	204
Certificates	206
20.1 Overview	206
20.1.1 What You Can Do in this Chapter	206
20.2 What You Need to Know	206
20.3 Local Certificates	206
20.3.1 Create Certificate Request	207
20.3.2 View Certificate Request	208
20.4 Trusted CA	209
20.4.1 View Trusted CA Certificate	210
20.4.2 Import Trusted CA Certificate	211
Voice	213
21.1 Overview	213
21.1.1 What You Can Do in this Chapter	213
21.1.2 What You Need to Know About VoIP	213
21.2 Before You Begin	214
21.3 SIP Account	214
21.3.1 SIP Account Add/Edit	215
21.4 SIP Service Provider	219
21.4.1 SIP Service Provider Add/Edit	220
21.5 Phone Device	224
21.5.1 Phone Device Edit	225
21.6 Region	226
21.7 Call Rule	226
21.8 Technical Reference	227
21.8.1 Quality of Service (QoS)	235
21.8.2 Phone Services Overview	235
Log	240
22.1 Overview	240
22.1.1 What You Can Do in this Chapter	240
22.1.2 What You Need To Know	240
22.2 System Log	241
22.3 Security Log	242
Traffic Status	243
23.1 Overview	243
23.1.1 What You Can Do in this Chapter	243
23.2 WAN Status	243
23.3 LAN Status	244
23.4 NAT Status	245
ARP Table	247
24.1 Overview	247
24.1.1 How ARP Works	247
24.2 ARP Table	248
Routing Table	249
25.1 Overview	249
25.2 Routing Table	249
Multicast Status	251
26.1 Overview	251
26.2 IGMP Status	251
26.3 MLD Status	251
xDSL Statistics	253
27.1 xDSL Statistics	253
System	256
28.1 Overview	256
28.2 System	256
User Account	257
29.1 Overview	257
29.2 User Account	257
29.2.1 User Account Add/Edit	258
Remote Management	260
30.1 Overview	260
30.2 MGMT Services	260
30.3 Trust Domain	261
30.3.1 Add Trust Domain	262
SNMP	263
31.1 Overview	263
31.2 SNMP	263
Time Settings	265
32.1 Overview	265
32.2 Time	265
Email Notification	268
33.1 Overview	268
33.2 Email Notification	268
33.2.1 Email Notification Edit	269
Log Setting	270
34.1 Overview	270
34.2 Log Settings	270
34.2.1 Example Email Log	271
Firmware Upgrade	273
35.1 Overview	273
35.2 Firmware	273
Backup/Restore	275
36.1 Overview	275
36.2 Backup/Restore	275
36.3 Reboot	277
Diagnostic	278
37.1 Overview	278
37.1.1 What You Can Do in this Chapter	278
37.2 What You Need to Know	278
37.3 Ping & TraceRoute & NsLookup	279
37.4 802.1ag	279
37.5 802.3ah	281
37.6 OAM Ping	282
Troubleshooting	285
38.1 Power, Hardware Connections, and LEDs	285
38.2 VMG Access and Login	286
38.3 Internet Access	287
38.4 Wireless Internet Access	289
38.5 UPnP	290
38.6 VoIP Call Quality	290
Appendices	292
Customer Support	293
Wireless LANs	299
IPv6	309
Services	317
Legal Information	321

Match case Limit results 1 per page

Appendix B Wireless LANs

VMG4927-B50A / VMG9827-B50A / VMG3927-B50B User’s Guide

305

may access the password file. In addition, it is possible to impersonate an authentication server as MD5

authentication method does not perform mutual authentication. Finally, MD5 authentication method

does not support data encryption with dynamic session key.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual

authentication. The server presents a certificate to the client. After validating the identity of the server,

the client sends a different certificate to the server. The exchange of certificates is done in the open

before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital

certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-

TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management

overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side

authentications to establish a secure connection. Client authentication is then done by sending

username and password through the secure connection, thus client identity is protected. For client

authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP,

MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use

simple username and password methods through the secured connection to authenticate the clients,

thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2

and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by

Cisco.

You should use Encryption

AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm

called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC)

named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying

mechanism.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy

and management system, using the PMK to dynamically generate unique data encryption keys to

encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This

all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets,

altering them and resending them. The MIC provides a strong mathematical function in which the

receiver and the transmitter each compute and then compare the MIC. If they do not match, it is

assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity

checking mechanism (MIC), with AES it is more difficult to decrypt data on a WiFi network and difficult

for an intruder to break into the network.

WPA2-PSK uses a simple common password, instead of user-specific credentials. The common-password

approach makes WPA2-PSK susceptible to brute-force password-guessing attacks but it employs a