all | frequencies |
|
|
|
exhibits | applications |
---|---|---|---|---|---|---|
manuals |
app s | submitted / available | |||||||
---|---|---|---|---|---|---|---|---|
1 2 |
|
User Manual | Users Manual | 5.83 MiB | ||||
1 2 |
|
User Manual (Statements) | Users Manual | 11.93 KiB | June 08 2013 | |||
1 2 |
|
User Manual | Users Manual | 5.04 MiB | June 08 2013 | |||
1 2 | Cover Letter(s) | June 08 2013 | ||||||
1 2 | Cover Letter(s) | June 08 2013 | ||||||
1 2 | External Photos | June 08 2013 | ||||||
1 2 | Internal Photos | June 08 2013 | ||||||
1 2 | ID Label/Location Info | June 08 2013 | ||||||
1 2 | ID Label/Location Info | June 08 2013 | ||||||
1 2 | ID Label/Location Info | June 08 2013 | ||||||
1 2 | RF Exposure Info | June 08 2013 | ||||||
1 2 | Test Report | June 08 2013 | ||||||
1 2 | Test Setup Photos | June 08 2013 | ||||||
1 2 | Attestation Statements | |||||||
1 2 | Cover Letter(s) | |||||||
1 2 | Cover Letter(s) | |||||||
1 2 | External Photos | |||||||
1 2 | Internal Photos | |||||||
1 2 | ID Label/Location Info | |||||||
1 2 | ID Label/Location Info | |||||||
1 2 | Operational Description | |||||||
1 2 | RF Exposure Info | |||||||
1 2 | Test Report | |||||||
1 2 | Test Setup Photos |
1 2 | User Manual | Users Manual | 5.83 MiB |
Contents Overview Contents Overview Users Guide .........................................................................................................................................9 Introducing the NWA1121-NI ................................................................................................................... 11 Introducing the Web Configurator ...........................................................................................................19 Dashboard ...............................................................................................................................................25 Tutorial ....................................................................................................................................................29 Technical Reference ..........................................................................................................................47 Monitor ....................................................................................................................................................49 Wireless LAN ..........................................................................................................................................55 LAN .........................................................................................................................................................94 VLAN .......................................................................................................................................................98 System ..................................................................................................................................................101 Log Settings .......................................................................................................................................... 115 Maintenance .......................................................................................................................................... 119 Troubleshooting ....................................................................................................................................129 NWA1121-NI Users Guide 3 Contents Overview 4 NWA1121-NI Users Guide Table of Contents Table of Contents Contents Overview ..............................................................................................................................3 Table of Contents .................................................................................................................................5 Part I: Users Guide ........................................................................................... 9 Chapter 1 Introducing the NWA1121-NI.............................................................................................................. 11 1.1 Introducing the NWA1121-NI ............................................................................................................. 11 1.2 Wireless Modes ................................................................................................................................. 11 1.2.1 MBSSID ...................................................................................................................................12 1.2.2 Wireless Client .........................................................................................................................13 1.2.3 Root AP ...................................................................................................................................14 1.2.4 Repeater ..................................................................................................................................14 1.3 Ways to Manage the NWA1121-NI ...................................................................................................15 1.4 Configuring Your NWA1121-NIs Security Features ..........................................................................16 1.4.1 Control Access to Your Device ................................................................................................16 1.4.2 Wireless Security .....................................................................................................................16 1.5 Good Habits for Managing the NWA1121-NI ....................................................................................16 1.6 Hardware Connections ......................................................................................................................17 1.7 LED ...................................................................................................................................................17 Chapter 2 Introducing the Web Configurator ....................................................................................................19 2.1 Accessing the Web Configurator .......................................................................................................19 2.2 Resetting the NWA1121-NI ...............................................................................................................20 2.2.1 Methods of Restoring Factory-Defaults ...................................................................................21 2.3 Navigating the Web Configurator ......................................................................................................22 2.3.1 Title Bar ...................................................................................................................................22 2.3.2 Navigation Panel .....................................................................................................................23 2.3.3 Main Window ...........................................................................................................................24 Chapter 3 Dashboard ...........................................................................................................................................25 3.1 The Dashboard Screen .....................................................................................................................25 Chapter 4 Tutorial.................................................................................................................................................29 NWA1121-NI Users Guide 5 Table of Contents 4.1 How to Configure the Wireless LAN ..................................................................................................29 4.1.1 Choosing the Wireless Mode ...................................................................................................29 4.1.2 Further Reading .......................................................................................................................29 4.2 How to Configure Multiple Wireless Networks ..................................................................................29 4.2.1 Configure the SSID Profiles .....................................................................................................31 4.2.2 Configure the Standard Network .............................................................................................33 4.2.3 Configure the VoIP Network ....................................................................................................34 4.2.4 Configure the Guest Network ..................................................................................................36 4.2.5 Testing the Wireless Networks ................................................................................................38 4.3 NWA1121-NI Setup in AP and Wireless Client Modes ......................................................................38 4.3.1 Scenario ..................................................................................................................................38 4.3.2 Configuring the NWA1121-NI in MBSSID or Root AP Mode ...................................................39 4.3.3 Configuring the NWA1121-NI in Wireless Client Mode ............................................................42 4.3.4 MAC Filter Setup .....................................................................................................................44 4.3.5 Testing the Connection and Troubleshooting ..........................................................................45 Part II: Technical Reference............................................................................ 47 Chapter 5 Monitor.................................................................................................................................................49 5.1 Overview ...........................................................................................................................................49 5.2 What You Can Do .............................................................................................................................49 5.3 View Logs .........................................................................................................................................49 5.4 Statistics ............................................................................................................................................50 5.5 Association List .................................................................................................................................51 5.6 Channel Usage .................................................................................................................................52 Chapter 6 Wireless LAN.......................................................................................................................................55 6.1 Overview ...........................................................................................................................................55 6.2 What You Can Do in this Chapter .....................................................................................................55 6.3 What You Need To Know ..................................................................................................................56 6.4 Wireless Settings Screen ..................................................................................................................60 6.4.1 Root AP Mode .........................................................................................................................61 6.4.2 Repeater Mode ........................................................................................................................64 6.4.3 Wireless Client Mode ...............................................................................................................67 6.4.4 MBSSID Mode .........................................................................................................................69 6.5 SSID Screen .....................................................................................................................................72 6.5.1 Configuring SSID .....................................................................................................................73 6.6 Wireless Security Screen ..................................................................................................................74 6.6.1 Security: WEP .........................................................................................................................76 6 NWA1121-NI Users Guide Table of Contents 6.6.2 Security: 802.1x Only ..............................................................................................................77 6.6.3 Security: 802.1x Static WEP ....................................................................................................79 6.6.4 Security: WPA, WPA2, WPA2-MIX ..........................................................................................83 6.6.5 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX .................................................................86 6.7 RADIUS Screen ................................................................................................................................87 6.8 MAC Filter Screen .............................................................................................................................89 6.9 Technical Reference ..........................................................................................................................91 6.9.1 Additional Wireless Terms .......................................................................................................91 6.9.2 WMM QoS ...............................................................................................................................92 6.9.3 Security Mode Guideline .........................................................................................................93 Chapter 7 LAN ......................................................................................................................................................94 7.1 Overview ...........................................................................................................................................94 7.2 What You Can Do in this Chapter .....................................................................................................94 7.3 What You Need to Know ...................................................................................................................94 7.4 LAN IP Screen ..................................................................................................................................96 Chapter 8 VLAN ....................................................................................................................................................98 8.1 Overview ...........................................................................................................................................98 8.1.1 What You Can Do in This Chapter ...........................................................................................98 8.2 What You Need to Know ...................................................................................................................98 8.3 VLAN Screen ....................................................................................................................................99 Chapter 9 System ...............................................................................................................................................101 9.1 Overview .........................................................................................................................................101 9.2 What You Can Do in this Chapter ...................................................................................................101 9.3 What You Need To Know ................................................................................................................102 9.4 WWW Screen ..................................................................................................................................104 9.5 Certificates Screen ..........................................................................................................................105 9.6 Telnet Screen ..................................................................................................................................106 9.7 SNMP Screen .................................................................................................................................107 9.8 FTP Screen ..................................................................................................................................... 110 9.9 Technical Reference ........................................................................................................................ 111 9.9.1 MIB ........................................................................................................................................ 111 9.9.2 Supported MIBs ..................................................................................................................... 111 9.9.3 SNMP Traps .......................................................................................................................... 112 9.9.4 Private-Public Certificates ..................................................................................................... 113 9.9.5 Certification Authorities .......................................................................................................... 113 9.9.6 Checking the Fingerprint of a Certificate on Your Computer ................................................. 113 NWA1121-NI Users Guide 7 Table of Contents Chapter 10 Log Settings ...................................................................................................................................... 115 10.1 Overview ....................................................................................................................................... 115 10.2 What You Can Do in this Chapter ................................................................................................. 115 10.3 What You Need To Know .............................................................................................................. 116 10.4 Log Settings Screen ...................................................................................................................... 116 Chapter 11 Maintenance ...................................................................................................................................... 119 11.1 Overview ....................................................................................................................................... 119 11.2 What You Can Do in this Chapter .................................................................................................. 119 11.3 What You Need To Know ...............................................................................................................120 11.4 General Screen .............................................................................................................................120 11.5 Password Screen ..........................................................................................................................121 11.6 Time Screen ..................................................................................................................................122 11.7 Firmware Upgrade Screen ............................................................................................................123 11.8 Configuration File Screen ..............................................................................................................124 11.8.1 Backup Configuration ...........................................................................................................124 11.8.2 Restore Configuration ..........................................................................................................125 11.8.3 Back to Factory Defaults ......................................................................................................126 11.9 Restart Screen ..............................................................................................................................126 Chapter 12 Troubleshooting................................................................................................................................129 12.1 Power, Hardware Connections, and LEDs ....................................................................................129 12.2 NWA1121-NI Access and Login ....................................................................................................130 12.3 Internet Access .............................................................................................................................131 Appendix A Setting Up Your Computers IP Address ......................................................................133 Appendix B Pop-up Windows, JavaScript and Java Permissions ...................................................161 Appendix C IP Addresses and Subnetting.......................................................................................173 Appendix D Wireless LANs..............................................................................................................181 Appendix E Legal Information..........................................................................................................195 Index ..................................................................................................................................................203 8 NWA1121-NI Users Guide PART I Users Guide 9 10 CHAPTER 1 Introducing the NWA1121-NI This chapter introduces the main applications and features of the NWA1121-NI. It also discusses the ways you can manage your NWA1121-NI. 1.1 Introducing the NWA1121-NI Your NWA1121-NI is an IPv6 wireless AP (Access Point) that can function in several wireless modes. It extends the range of your existing wired network without additional wiring, providing easy network access to mobile users. The NWA1121-NI controls network access with MAC address filtering and RADIUS server authentication. It also provides a high level of network traffic security, supporting IEEE 802.1x, Wi-
Fi Protected Access (WPA), WPA2 and WEP data encryption. Its Quality of Service (QoS) features allow you to prioritize time-sensitive or highly important applications such as VoIP. Your NWA1121-NI is easy to install, configure and use. The embedded Web-based configurator enables simple, straightforward management and maintenance. See the Quick Start Guide for instructions on how to make hardware connections. 1.2 Wireless Modes The NWA1121-NI can be configured to use the following WLAN operating modes:
UNIVERSAL REPEATER FUNCTION AP FUNCTION No No Yes Yes Yes No Yes Yes OPERATING MODE NUMBER OF SUPPORTED SSID 8 1 5 1 MBSSID Client Root AP Repeater 1 MBSSID 2 3 4 Client Root AP Repeater Applications for each operating mode are shown below. NWA1121-NI Users Guide 11 Chapter 1 Introducing the NWA1121-NI 1.2.1 MBSSID A Basic Service Set (BSS) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). The Service Set IDentifier (SSID) is the name of a BSS. In Multiple BSS (MBSSID) mode, the NWA1121-NI provides multiple virtual APs, each forming its own BSS and using its own individual SSID profile. You can configure up to eight multiple SSID profiles, and have all of them active at any one time. You can assign different wireless and security settings to each SSID profile. This allows you to compartmentalize groups of users, set varying access privileges, and prioritize network traffic to and from certain BSSs. To the wireless clients in the network, each SSID appears to be a different access point. As in any wireless network, clients can associate only with the SSIDs for which they have the correct security settings. For example, you might want to set up a wireless network in your office where Internet telephony
(VoIP) users have priority. You also want a regular wireless network for standard users, as well as a guest wireless network for visitors. In the following figure, VoIP_SSID users have QoS priority, SSID01 is the wireless network for standard users, and Guest_SSID is the wireless network for guest users. In this example, the guest user is forbidden access to the wired Land Area Network
(LAN) behind the AP and can access only the Internet. Figure 1 Multiple BSSs 12 NWA1121-NI Users Guide Chapter 1 Introducing the NWA1121-NI 1.2.2 Wireless Client The NWA1121-NI can be used as a wireless client to communicate with an existing network. In the figure below, the printer can receive requests from the wired computer clients A and B via the NWA1121-NI in Client mode (Z). Figure 2 Wireless Client Application NWA1121-NI Users Guide 13 Chapter 1 Introducing the NWA1121-NI 1.2.3 Root AP In Root AP mode, the NWA1121-NI (Z) can act as the root AP in a wireless network and also allow repeaters (X and Y) to extend the range of its wireless network at the same time. In the figure below, both clients A, B and C can access the wired network through the root AP. Figure 3 Root AP Application On the NWA1121-NI in Root AP mode, you can have up to four multiple SSIDs active for reqular wireless connections and one SSID for the connection with a repeater (universal repeater SSID). Wireless clients can use either SSID to associate with the NWA1121-NI in Root AP mode. A repeater must use the universal repeater SSID to connect to the NWA1121-NI in Root AP mode. When the NWA1121-NI is in Root AP mode, universal repeater security between the NWA1121-NI and other repeater is independent of the security between the wireless clients and the AP or repeater. If you do not enable universal repeater security, traffic between APs is not encrypted. When universal repeater security is enabled, both APs and repeaters must use the same pre-shared key. See Section 6.6 on page 74 for more details. Unless specified, the term security settings refers to the traffic between the wireless clients and the AP. At the time of writing, universal repeater security is compatible with the NWA1121-NI only. 1.2.4 Repeater The NWA can act as a wireless network repeater to extend a root APs wireless network range, and also establish wireless connections with wireless clients. Using Repeater mode, your NWA1121-NI can extend the range of the WLAN. In the figure below, the NWA1121-NI in Repeater mode (Z) has a wireless connection to the NWA1121-NI in Root AP mode (X) which is connected to a wired network and also has a wireless connection to another NWA1121-NI in Repeater mode (Y) at the same time. Z and Y act as repeaters that forward traffic 14 NWA1121-NI Users Guide Chapter 1 Introducing the NWA1121-NI between associated wireless clients and the wired LAN. Clients A, B and C access the AP and the wired network behind the AP throught repeaters Z and Y. Figure 4 Repeater Application When the NWA1121-NI is in Repeater mode, universal repeater security between the NWA1121-NI and other repeater is independent of the security between the wireless clients and the AP or repeater. If you do not enable universal repeater security, traffic between APs is not encrypted. When universal repeater security is enabled, both APs and repeaters must use the same pre-shared key. See Section 6.6 on page 74 for more details. Once the security settings of peer sides match one another, the connection between devices is made. At the time of writing, universal repeater security is compatible with the NWA1121-NI only. 1.3 Ways to Manage the NWA1121-NI Use any of the following methods to manage the NWA1121-NI. Web Configurator. This is recommended for everyday management of the NWA1121-NI using a
(supported) web browser. Command Line Interface. Line commands are mostly used for troubleshooting by service engineers. FTP (File Transfer Protocol) for firmware upgrades. SNMP (Simple Network Management Protocol). The device can be monitored by an SNMP manager. NWA1121-NI Users Guide 15 Chapter 1 Introducing the NWA1121-NI 1.4 Configuring Your NWA1121-NIs Security Features Your NWA1121-NI comes with a variety of security features. This section summarizes these features and provides links to sections in the Users Guide to configure security settings on your NWA1121-NI. Follow the suggestions below to improve security on your NWA1121-NI and network. 1.4.1 Control Access to Your Device Ensure only people with permission can access your NWA1121-NI. Control physical access by locating devices in secure areas, such as locked rooms. Most NWA1121-NIs have a reset button. If an unauthorized person has access to the reset button, they can then reset the devices password to its default password, log in and reconfigure its settings. Change any default passwords on the NWA1121-NI, such as the password used for accessing the NWA1121-NIs web configurator (if it has a web configurator). Use a password with a combination of letters and numbers and change your password regularly. Write down the password and put it in a safe place. Avoid setting a long timeout period before the NWA1121-NIs web configurator automatically times out. A short timeout reduces the risk of unauthorized person accessing the web configurator while it is left idle. See Section 11.5 on page 121 for instructions on changing your password and setting the timeout period. Configure remote management to control who can manage your NWA1121-NI. See Chapter 9 on page 101 for more information. If you enable remote management, ensure you have enabled remote management only on the IP addresses, services or interfaces you intended and that other remote management settings are disabled. 1.4.2 Wireless Security Wireless devices are especially vulnerable to attack. If your NWA1121-NI has a wireless function, take the following measures to improve wireless security. Enable wireless security on your NWA1121-NI. Choose the most secure encryption method that all devices on your network support. See Section 6.6 on page 74 for directions on configuring encryption. If you have a RADIUS server, enable IEEE 802.1x or WPA(2) user identification on your network so users must log in. This method is more common in business environments. Hide your wireless network name (SSID). The SSID can be regularly broadcast and unauthorized users may use this information to access your network. See Section 6.5 on page 72 for directions on using the web configurator to hide the SSID. Enable the MAC filter to allow only trusted users to access your wireless network or deny unwanted users access based on their MAC address. See Section 6.8 on page 89 for directions on configuring the MAC filter. 1.5 Good Habits for Managing the NWA1121-NI Do the following things regularly to make the NWA1121-NI more secure and to manage it more effectively. 16 NWA1121-NI Users Guide 1.6 Hardware Connections See your Quick Start Guide for information on making hardware connections. Chapter 1 Introducing the NWA1121-NI 1.7 LED Figure 5 LED Table 1 LED COLOR Amber Green STATUS On Flashing Off Blinking Off DESCRIPTION There is system error and the NWA1121-NI cannot boot up, or the NWA1121-NI doesnt have an Ethernet connection with the LAN. The NWA1121-NI is starting up. The NWA1121-NI is receiving power and ready for use. The WLAN is active, and transmitting or receiving data. The WLAN is not active. NWA1121-NI Users Guide 17 Chapter 1 Introducing the NWA1121-NI 18 NWA1121-NI Users Guide CHAPTER 2 Introducing the Web Configurator This chapter describes how to access the NWA1121-NIs web configurator and provides an overview of its screens. 2.1 Accessing the Web Configurator 1 Make sure your hardware is properly connected and prepare your computer or computer network to connect to the NWA1121-NI (refer to the Quick Start Guide). 2 3 4 5 Launch your web browser. Type "192.168.1.2" as the URL (default). The login screen appears. Figure 6 The Login Screen Type admin as the (default) username and 1234 as the (default) password. Click Login. You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) then click Apply. Alternatively, click Ignore. NWA1121-NI Users Guide 19 Chapter 2 Introducing the Web Configurator Note: If you do not change the password, the following screen appears every time you login. Figure 7 Change Password Screen You should now see the Dashboard screen. See Chapter 2 on page 19 for details about the Dashboard screen. Note: For security reasons, the NWA1121-NI automatically logs you out if you do not use the web configurator for five minutes (default). Simply log back into the NWA1121-
NI if this happens. 2.2 Resetting the NWA1121-NI If you forget your password or cannot access the web configurator, you will need to use the RESET button at the rear panel of the NWA1121-NI. This replaces the current configuration file with the 20 NWA1121-NI Users Guide Chapter 2 Introducing the Web Configurator factory-default configuration file. This means that you will lose all the settings you previously configured. The password will be reset to 1234. Figure 8 The RESET Button 2.2.1 Methods of Restoring Factory-Defaults You can erase the current configuration and restore factory defaults in two ways:
Use the RESET button to upload the default configuration file. Hold this button in for about 3 seconds (the light will begin to blink). Use this method for cases when the password or IP address of the NWA1121-NI is not known. Use the web configurator to restore defaults (refer to Section 11.8 on page 124). NWA1121-NI Users Guide 21 Chapter 2 Introducing the Web Configurator 2.3 Navigating the Web Configurator The following summarizes how to navigate the web configurator from the Dashboard screen. Figure 9 Status Screen of the Web Configurator B A C As illustrated above, the Web Configurator screen is divided into these parts:
A - title bar B - navigation panel C - main window 2.3.1 Title Bar Click Logout at any time to exit the Web Configurator. Click ZAbout to open the about window, which provides information of the boot module and driver versions. 22 NWA1121-NI Users Guide Chapter 2 Introducing the Web Configurator 2.3.2 Navigation Panel Use the menu items on the navigation panel to open screens to configure NWA1121-NI features. The following tables describe each menu item. Table 2 Navigation Panel Summary LINK Dashboard TAB FUNCTION This screen shows the NWA1121-NIs general device and network status information. Use this screen to access the statistics and client list. View Log Use this screen to view the logs for the categories that you selected. Use this screen to view port status, packet specific statistics, the
"system up time" and so on. Use this screen to view the wireless stations that are currently associated to the NWA1121-NI. Use this screen to know whether a channel is used by another wireless network or not. Monitor Logs Statistics Association List Channel Usage Configuration Network Wireless LAN Wireless Settings SSID Security RADIUS MAC Filter Use this screen to configure the wireless LAN settings and NWA1121-
NIs operation mode. Use this screen to configure up to eight SSID profiles for your NWA1121-NI. Use this screen to configure wireless security profiles on the NWA1121-NI. Use this screen to configure up to four RADIUS profiles. Use this screen to configure MAC filtering profiles. Use this screen to configure the NWA1121-NIs LAN IP address. Use this screen to configure the NWA1121-NIs VLAN settings. Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTP to manage the NWA1121-
NI. LAN VLAN System WWW Certificates Use this screen to import or remove a certificate from the NWA1121-
NI. Telent SNMP FTP Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the NWA1121-
NI. Use this screen to configure the NWA1121-NI for SNMP management. Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the NWA1121-NI. Use this screen to change your log settings. Use this screen to configure your devices name. Use this screen to configure your devices password. Use this screen to change your NWA1121-NIs time and date. Log Settings Maintenance General Password Time Firmware Upgrade Use this screen to upload firmware to your device. NWA1121-NI Users Guide 23 Chapter 2 Introducing the Web Configurator Table 2 Navigation Panel Summary LINK Configuration File TAB Restart FUNCTION Use this screen to backup and restore your devices configuration
(settings) or reset the factory default settings. Use this screen to reboot the NWA1121-NI without turning the power off. 2.3.3 Main Window The main window displays information and configuration fields. It is discussed in the rest of this document. 24 NWA1121-NI Users Guide CHAPTER 3 Dashboard The Dashboard screens display when you log into the NWA1121-NI, or click Dashboard in the navigation menu. Use the Dashboard screen to look at the current status of the device, system resources, and interfaces. The Dashboard screens also provide detailed information about system statistics, associated wireless clients, and logs. 3.1 The Dashboard Screen Use this screen to get a quick view of system, Ethernet, WLAN and other information regarding your NWA1121-NI. Click Dashboard. The following screen displays. Figure 10 The Dashboard Screen NWA1121-NI Users Guide 25 Chapter 3 Dashboard The following table describes the labels in this screen. Table 3 The Dashboard Screen LABEL Refresh Interval DESCRIPTION Select how often you want the NWA1121-NI to update this screen. Refresh Now Click this to update this screen immediately. System Information System Name WLAN Operating Mode Firmware Version This field displays the NWA1121-NI system name. It is used for identification. You can change this in the Maintenance > General screens System Name field. This field displays the current operating mode of the first wireless module
(RootAP, Repeater, Client, or MBSSID). You can change the operating mode in the Configuration > Wireless LAN > Wireless Settings screen. This field displays the current version of the firmware inside the device. It also shows the date the firmware version was created. You can change the firmware version by uploading new firmware in Maintenance > Firmware Upgrade. Serial Number This field displays the serial number of the NWA1121-NI. Ethernet Information LAN MAC Address IPv4 Address Subnet Mask Gateway IP Address IPv6 Address Link Local Global WLAN Information SSID Channel Status This displays the MAC (Media Access Control) address of the NWA1121-NI on the LAN. Every network device has a unique MAC address which identifies it across the network. This field displays the current IPv4 address of the NWA1121-NI on the network. Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks. This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN port. The gateway helps forward packets to their destinations. This field displays the current IPv6 address(es) of the NWA1121-NI on the network. This is the IPv6 link-local address that the NWA1121-NI generates automatically. This is the NWA1121-NIs IPv6 global address that you specify manually in the Configuration > LAN screen. This field displays the SSID (Service Set Identifier). This is available only when the WLAN operation mode is Client. The channel or frequency used by the NWA1121-NI to send and receive information. This shows the current status of the wireless LAN. This is available only when the WLAN operation mode is Client. Security Mode This displays the security mode the NWA1121-NI is using. This is available only when the WLAN operation mode is Client. Summary Statistics Click this link to view port status and packet specific statistics. See Section 5.4 on page 50. Association List Click this to see a list of wireless clients currently associated to each of the NWA1121-NIs wireless modules. See Section 5.5 on page 51. View Log System Status Click this to see a list of logs produced by the NWA1121-NI. See Section 5.3 on page 49. System Up Time This field displays the elapsed time since the NWA1121-NI was turned on. 26 NWA1121-NI Users Guide Table 3 The Dashboard Screen (continued) LABEL DESCRIPTION This field displays the date and time configured on the NWA1121-NI. You can change this in the Maintenance > Time screen. Chapter 3 Dashboard Current Date/Time System Resource CPU Usage Memory Usage Interface Status Interface Status Channel Rate This field displays what percentage of the NWA1121-NIs processing ability is currently being used. The higher the CPU usage, the more likely the NWA1121-NI is to slow down. This field displays what percentage of the NWA1121-NIs volatile memory is currently in use. The higher the memory usage, the more likely the NWA1121-NI is to slow down. Some memory is required just to start the NWA1121-NI and to run the web configurator. This column displays each interface of the NWA1121-NI. This field indicates whether or not the NWA1121-NI is using the interface. For each interface, this field displays Up when the NWA1121-NI is using the interface and Down when the NWA1121-NI is not using the interface. This shows the channel number which the NWA1121-NI is currently using over the wireless LAN. For the LAN port this displays the port speed and duplex setting. For the WLAN interface, it displays the downstream and upstream transmission rate or N/A if the interface is not in use. SSID Status This section is not available when the WLAN operation mode is Client. Interface SSID BSSID Security VLAN This column displays each of the NWA1121-NIs wireless interfaces. This field displays the SSID(s) currently used by each wireless module. This field displays the MAC address of the wireless module. This field displays the type of wireless security used by each SSID. This field displays the VLAN ID of each SSID in use, or Disabled if the SSID does not use VLAN. NWA1121-NI Users Guide 27 Chapter 3 Dashboard 28 NWA1121-NI Users Guide CHAPTER 4 Tutorial This chapter first provides an overview of how to configure the wireless LAN on your NWA1121-NI, and then gives step-by-step guidelines showing how to configure your NWA1121-NI for some example scenarios. 4.1 How to Configure the Wireless LAN This section illustrates how to choose which wireless operating mode to use on the NWA1121-NI and how to set up the wireless LAN in each wireless mode. See Section 4.1.2 on page 29 for links to more information on each step. 4.1.1 Choosing the Wireless Mode Use MBSSID (Multiple Basic Service Set Identifier) operating mode if you want to use the NWA1121-NI as an access point with some groups of users having different security or QoS settings from other groups of users. See Section 1.2.1 on page 12 for details. Use Client operating mode if you want to use the NWA1121-NI to access a wireless network. See Section 1.2.2 on page 13 for details. Use Root AP operating mode if you want to allow wireless clients to access your wired network through the NWA1121-NI and also have repeaters communicate with the NWA1121-NI to expand wireleass coverage. See Section 1.2.3 on page 14 for details. Use Repeater operating mode if you want to use the NWA1121-NI to communicate with the root AP or other repeaters. See Section 1.2.4 on page 14 for details. 4.1.2 Further Reading Use these links to find more information on the steps:
Choosing 802.11 Mode: see Section 6.4 on page 60. Choosing a wireless Channel ID: see Section 6.4 on page 60. Choosing a Security mode: see Section 6.6 on page 74. Configuring an external RADIUS server: see Section 6.7 on page 87. Configuring MAC Filtering: see Section 6.8 on page 89. 4.2 How to Configure Multiple Wireless Networks In this example, you have been using your NWA1121-NI as an access point for your office network. Now your network is expanding and you want to make use of the MBSSID feature (see Section NWA1121-NI Users Guide 29 Chapter 4 Tutorial 6.4.4 on page 69) to provide multiple wireless networks. Each wireless network will cater to a different type of user. You want to make three wireless networks: one standard office wireless network with all the same settings you already have, another wireless network with high priority QoS settings for Voice over IP (VoIP) users, and a guest network that allows visitors to access only the Internet and the network printer. To do this, you will take the following steps:
Edit the SSID profiles. Change the operating mode from Root AP to MBSSID and reactivate the standard network. Configure different security modes for the networks. Configure a wireless network for standard office use. Configure a wireless network for VoIP users. Configure a wireless network for guests to your office. 1 2 3 4 5 6 The following figure shows the multiple networks you want to set up. Your NWA1121-NI is marked Z, the main network router is marked A, and your network printer is marked B. B A Z The standard network (SSID01) has access to all resources. The VoIP network (VoIP_SSID) has access to all resources and a high QoS priority. The guest network (Guest_SSID) has access to the Internet and the network printer only, and a low QoS priority. 30 NWA1121-NI Users Guide To configure these settings, you need to know the Media Access Control (MAC) addresses of the devices you want to allow users of the guest network to access. The following table shows the addresses used in this example. Chapter 4 Tutorial Table 4 Tutorial: Example Information Network router (A) MAC address 00:AA:00:AA:00:AA Network printer (B) MAC address AA:00:AA:00:AA:00 4.2.1 Configure the SSID Profiles 1 2 Log in to the NWA1121-NI (see Section 2.1 on page 19). Click Wireless LAN > SSID. The SSID screen appears. Click the Edit icon next to the Profile1. 3 Rename the Profile Name and SSID as SSID01. Click Apply. 4 Repeat Step 2 and 3 to change Profile2 and Profile3 to VoIP_SSID and Guest_SSID. NWA1121-NI Users Guide 31 Chapter 4 Tutorial 4.2.1.1 MBSSID 1 Go to Wireless LAN > Wireless Settings. Select MBSSID from the Operation Mode drop-down list box. 2 3 4 SSID01 is the standard network, so select SSID01 as the first profile. It is always active. Select VoIP_SSID as the second profile, and Guest_SSID as the third profile. Select the corresponding Active check-boxes. Click Apply to save your settings. Now the three SSIDs are activated. 32 NWA1121-NI Users Guide 4.2.2 Configure the Standard Network 1 Click Wireless LAN > SSID. Click the Edit icon next to SSID01. Chapter 4 Tutorial 2 Select SecProfile1 as SSID01s security profile. Select the Hidden SSID checkbox as you want only authorized company employees to use this network, so there is no need to broadcast the SSID to wireless clients scanning the area. Also, the clients on SSID01 might need to access other clients on the same wireless network. Do not select the Intra-BSS Traffic blocking check-box. Click Apply. NWA1121-NI Users Guide 33 Chapter 4 Tutorial 3 Next, click Wireless LAN > Security. Click the Edit icon next to SecProfile1. 4 Since SSID01 is the standard network that has access to all resources, assign a more secure security mode. Select WPA2-PSK-MIX as the Security Mode, and enter the Pre-Shared Key. In this example, use ThisisSSID01PreSharedKey. Click Apply. 5 You have finished configuring the standard network, SSID01. 4.2.3 Configure the VoIP Network 1 Go to Wireless LAN > SSID. Click the Edit icon next to VoIP_SSID. 2 Select SecProfile2 as the Security Profile for the VoIP network. Select the Hidden SSID check-
box. 34 NWA1121-NI Users Guide 3 Select WMM_VOICE in the QoS field to give VoIP the highest priority in the wireless network. Click Apply. Chapter 4 Tutorial 4 Next, click Wireless LAN > Security. Click the Edit icon next to SecProfile2. NWA1121-NI Users Guide 35 Chapter 4 Tutorial 5 6 Select WPA2-PSK as the Security Mode, and enter the Pre-Shared Key. In this example, use ThisisVoIPPreSharedKey. Click Apply. Your VoIP wireless network is now ready to use. Any traffic using the VoIP_SSID profile will be given the highest priority across the wireless network. 4.2.4 Configure the Guest Network When you are setting up the wireless network for guests to your office, your primary concern is to keep your network secure while allowing access to certain resources (such as a network printer, or the Internet). For this reason, the pre-configured Guest_SSID profile has intra-BSS traffic blocking enabled by default. Intra-BSS traffic blocking means that the client cannot access other clients on the same wireless network. 1 Click Wireless LAN > SSID. Click the Edit icon next to Guest_SSID. 2 3 36 Select SecProfile3 in the Security field. Do not select the Hidden SSID check-box so the guests can easily find the wireless network. Select WMM_BESTEFFORT in the QoS field to give the guest a lower QoS priority. NWA1121-NI Users Guide 4 Select the check-box of Intra-BSS Traffic blocking Enabled. Click Apply. Chapter 4 Tutorial 5 Next, click Wireless LAN > Security. Click the Edit icon next to SecProfile3. 6 Select WPA-PSK in the Security Mode field. WPA-PSK provides strong security that is supported by most wireless clients. Even though your Guest_SSID clients do not have access to sensitive information on the network, you should not leave the network without security. An attacker could still cause damage to the network or intercept unsecured communications or use your Internet access for illegal activities. NWA1121-NI Users Guide 37 Chapter 4 Tutorial 7 Enter the PSK you want to use in your network in the Pre Shared Key field. In this example, the PSK is ThisismyGuestWPApre-sharedkey. Click Apply. 8 Your guest wireless network is now ready to use. 4.2.5 Testing the Wireless Networks To make sure that the three networks are correctly configured, do the following. On a computer with a wireless client, scan for access points. You should see the Guest_SSID network, but not the SSID01 and VoIP_SSID networks. If you can see the SSID01 and VoIP_SSID networks, go to its SSID Edit screen and make sure to select the Hidden SSID check-box and click Apply. Try to access each network using the correct security settings, and then using incorrect security settings, such as the WPA-PSK for another active network. If the behavior is different from expected (for example, if you can access the SSID01 or VoIP_SSID wireless network using the security settings for the Guest_SSID wireless network) check that the SSID profile is set to use the correct security profile, and that the settings of the security profile are correct. 4.3 NWA1121-NI Setup in AP and Wireless Client Modes This example shows you how to restrict wireless access to your NWA1121-NI. 4.3.1 Scenario In the figure below, there are two NWA1121-NIs (A and B) in the network. A is in MBSSID or root AP mode while station B is in wireless client mode. Station B is connected to a File Transfer Protocol
(FTP) server. You want only specified wireless clients to be able to access station B. You also want 38 NWA1121-NI Users Guide to allow wireless traffic between B and wireless clients connected to A (W, Y and Z). Other wireless devices (X) must not be able to connect to the FTP server. Figure 11 FTP Server Connected to a Wireless Client Chapter 4 Tutorial 4.3.2 Configuring the NWA1121-NI in MBSSID or Root AP Mode Before setting up the NWA1121-NI as a wireless client (B), you need to make sure there is an access point to connect to. Use the Ethernet port on NWA1121-NI (A) to configure it via a wired connection. NWA1121-NI Users Guide 39 Chapter 4 Tutorial Log into the Web Configurator on NWA1121-NI (A) and go to the Wireless LAN > Wireless Settings screen. Set the Operation Mode to Root AP. Select the Wireless Mode. In this example, select 802.11b/g/n. Select Profile1 as the SSID Profile. Choose the Channel you want NWA1121-NI (A) to use. Click Apply. 1 2 3 4 5 40 NWA1121-NI Users Guide 6 Go to Wireless LAN > SSID. Click the Edit icon next to Profile1. Chapter 4 Tutorial 7 8 9 Change the SSID to AP-A. Select SecProfile1 in the Security field. Select the check-box for Intra-BSS Traffic blocking Enabled so the client cannot access other clients on the same wireless network. 10 Click Apply. NWA1121-NI Users Guide 41 Chapter 4 Tutorial 11 Go to Wireless LAN > Security. Click the Edit icon next to SecProfile1. 12 Configure WPA-PSK as the Security Mode and enter ThisisMyPreSharedKey in the Pre-
Shared Key field. 13 Click Apply to finish configuration for NWA1121-NI (A). 4.3.3 Configuring the NWA1121-NI in Wireless Client Mode The NWA1121-NI (B) should have a wired connection before it can be set to wireless client operating mode. Connect your NWA1121-NI to the FTP server. Login to NWA1121-NI (B)s Web Configurator and go to the Wireless LAN > Wireless Settings screen. Follow these steps to configure station B. 42 NWA1121-NI Users Guide 1 Select Client as Operation Mode. Click Apply. Chapter 4 Tutorial 2 3 Click on the Site Survey button. A window should pop up which contains a list of all available wireless devices within your NWA1121-NIs range. Find and select NWA1121-NI (A)s SSID: AP-A. NWA1121-NI Users Guide 43 Chapter 4 Tutorial 4 Go to Wireless LAN > Security to configure the NWA1121-NI to use the same security mode and Pre-Shared Key as NWA1121-NI (A): WPA-PSK/ThisisMyPreSharedKey. Click Apply. Figure 12 4.3.4 MAC Filter Setup One way to ensure that only specified wireless clients can access the FTP server is by enabling MAC filtering on NWA1121-NI (B) (See Section 6.8 on page 89 for more information on MAC Filter). 1 Go to Wireless LAN > MAC Filter. Click the Edit icon next to MacProfile1. 2 Select Allow in the Access Control Mode field. Enter the MAC addresses of the wireless clients
(W, Y and Z) you want to associate with the NWA1121-NI. Click Apply. Now, only the authorized wireless clients (W, Y and Z) can access the FTP server. 44 NWA1121-NI Users Guide Chapter 4 Tutorial 4.3.5 Testing the Connection and Troubleshooting This section discusses how you can check if you have correctly configured your network setup as described in this tutorial. Try accessing the FTP server from wireless clients W, Y or Z. Test if you can send or retrieve a file. If you cannot establish a connection with the FTP server, do the following steps. 1 Make sure W, Y and Z use the same wireless security settings as A and can access A. 2 Make sure B uses the same wireless and wireless security settings as A and can access A. 3 Make sure intra-BSS traffic is enabled on A. Try accessing the FTP server from X. If you are able to access the FTP server, do the following. 1 Make sure MAC filtering is enabled. 2 Make sure Xs MAC address is not entered in the list of allowed devices. NWA1121-NI Users Guide 45 Chapter 4 Tutorial 46 NWA1121-NI Users Guide PART II Technical Reference The appendices provide general information. Some details may not apply to your NWA1121-NI. 47 48 CHAPTER 5 Monitor 5.1 Overview This chapter discusses read-only information related to the device state of the NWA1121-NI. Note: To access the Monitor screens, you can also click the links in the Summary table of the Dashboard screen to view the wireless packets sent/received as well as the status of clients connected to the NWA1121-NI. 5.2 What You Can Do Use the Logs screen to see the logs for the categories that you selected in the Configuration >
Log Settings screen (see Section 5.3 on page 49). You can view logs in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted. use the Statistics screen to view 802.11 mode, channel number, wireless packet specific statistics and so on (see Section 5.4 on page 50). Use the Association List screen to view the wireless devices that are currently associated to the NWA1121-NI (see Section 5.5 on page 51). Use the Channel Usage screen to view whether a channel is used by another wireless network or not. If a channel is being used, you should select a channel removed from it by five channels to completely avoid overlap (see Section 5.6 on page 52). 5.3 View Logs Use the Logs screen to see the logged messages for the NWA1121-NI. Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. NWA1121-NI Users Guide 49 Chapter 5 Monitor Click Monitor > Logs. Figure 13 Logs The following table describes the labels in this screen. Table 5 Logs LABEL Display E-Mail Log Now Refresh Clear Log
Time Message Source DESCRIPTION Select a category of logs to view. Select All Log to view logs from all of the log categories that you selected in the Configuration > Log Settings screen. Click E-Mail Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the E-mail Log Settings fields in Configuration > Log Settings). Click Refresh to renew the log screen. Click Clear Log to delete all the logs. This field is a sequential value and is not associated with a specific entry. This field displays the time the log was recorded. This field states the reason for the log. This field lists the source IP address and the port number of the incoming packet. 5.4 Statistics Use this screen to view read-only information, including 802.11 Mode, Channel ID, Retry Count and FCS Error Count. Also provided is the "poll interval". The Poll Interval field is configurable and is used for refreshing the screen. 50 NWA1121-NI Users Guide Click Monitor > Statistics. The following screen pops up. Figure 14 Statistics Chapter 5 Monitor The following table describes the labels in this screen. Table 6 Statistics LABEL Description 802.11 Mode Channel ID DESCRIPTION This is the wireless interface on the NWA1121-NI. This field shows which 802.11 mode the NWA1121-NI is using. This shows the channel number which the NWA1121-NI is currently using over the wireless LAN. RX Pkts TX Pkts This is the number of received packets on this port. This is the number of transmitted packets on this port. Retry Count This is the total number of retries for transmitted packets (TX). FCS Error Count This is the ratio percentage showing the total number of checksum error of received packets (RX) over total RX. Poll Interval Set Interval Stop Enter the time interval for refreshing statistics. Click this button to apply the new poll interval you entered above. Click this button to stop refreshing statistics. 5.5 Association List View the wireless devices that are currently associated with the NWA1121-NI in the Association List screen. Association means that a wireless client (for example, your network or computer with a wireless network card) has connected successfully to the AP (or wireless router) using the same SSID, channel and security settings. NWA1121-NI Users Guide 51 Chapter 5 Monitor Click Monitor > Association List to display the screen as shown next. Figure 15 Association List The following table describes the labels in this screen. Table 7 Association List LABEL
DESCRIPTION This is the index number of an associated wireless device. MAC Address This field displays the MAC address of an associated wireless device. SSID This field displays the SSID to which the wireless device is associated. Association Time Signal Strength This field displays the time a wireless device first associated with the NWA1121-NIs wireless network. This field displays the RSSI (Received Signal Strength Indicator) of the wireless connection. Refresh Click Refresh to reload the list. 5.6 Channel Usage Use this screen to know whether a channel is used by another wireless network or not. If a channel is being used, you should select a channel removed from it by five channels to completely avoid overlap. Click Monitor > Channel Usage to display the screen shown next. 52 NWA1121-NI Users Guide Wait a moment while the NWA1121-NI compiles the information. Figure 16 Channel Usage Chapter 5 Monitor The following table describes the labels in this screen. Table 8 Channel Usage LABEL SSID DESCRIPTION This is the Service Set IDentification (SSID) name of the AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network. For our purposes, we define an Infrastructure network as a wireless network that uses an AP and an Ad-
Hoc network (also known as Independent Basic Service Set (IBSS)) as one that doesnt. See the chapter on wireless configuration for more information on basic service sets (BSS) and extended service sets (ESS). Channel MAC Address This is the index number of the channel currently used by the associated AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network. This field displays the MAC address of the AP in an Infrastructure wireless network. It is randomly generated (so ignore it) in an Ad-Hoc wireless network. Wireless Mode This is the IEEE 802.1x standard used by the wireless network. Signal Strength This field displays the strength of the APs signal. If you must choose a channel that is currently in use, choose one with low signal strength for minimum interference. Security Refresh This is the wireless security method used by the wireless network to protect wireless communication between wireless stations, access points and the wired network. Click Refresh to reload the screen. NWA1121-NI Users Guide 53 Chapter 5 Monitor 54 NWA1121-NI Users Guide CHAPTER 6 Wireless LAN 6.1 Overview This chapter discusses the steps to configure the Wireless Settings screen on the NWA1121-NI. It also introduces the wireless LAN (WLAN) and some basic scenarios. Figure 17 Wireless Mode In the figure above, the NWA1121-NI allows access to another bridge device (A) and a notebook computer (B) upon verifying their settings and credentials. It denies access to other devices (C and D) with configurations that do not match those specified in your NWA1121-NI. 6.2 What You Can Do in this Chapter Use the Wireless Settings screen to configure the NWA1121-NIs operation mode (see Section 6.4 on page 60). Uee the SSID screen to configure up to eight SSID profiles for your NWA1121-NI (see Section 6.5 on page 72). Use the Security screen to choose the wireless security mode for your NWA1121-NI (see Section 6.6 on page 74). Use the RADIUS screen if you want to authenticate wireless users using a RADIUS Server and/or accounting server (see Section 6.7 on page 87). Use the MAC Filter screen to specify which wireless station is allowed or denied access to the NWA1121-NI (see Section 6.8 on page 89). NWA1121-NI Users Guide 55 Chapter 6 Wireless LAN 6.3 What You Need To Know BSS A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). Operating Mode The NWA1121-NI can run in four operating modes as follows:
Root AP. The NWA1121-NI is a wireless access point that allows wireless communication to other devices in the network. Repeater. The NWA1121-NI acts as a wireless repeater and increase a root APs wireless coverage area. Client. The NWA1121-NI acts as a wireless client to access a wireless network. MBSSID. The Multiple Basic Service Set Identifier (MBSSID) mode allows you to use one access point to provide several BSSs simultaneously. Refer to Chapter 1 on page 11 for illustrations of these wireless applications. SSID The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In other words, it is the name of the wireless network that clients use to connect to it. Normally, the NWA1121-NI acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the NWA1121-NI does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess. This type of security is fairly weak, however, because there are ways for unauthorized wireless devices to get the SSID. In addition, unauthorized wireless devices can still see the information that is sent in the wireless network. Channel A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. 56 NWA1121-NI Users Guide Chapter 6 Wireless LAN Wireless Mode The IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. Your NWA1121-NI can support 802.11b/g, 802.11n and 802.11b/g/n. MBSSID Traditionally, you needed to use different APs to configure different Basic Service Sets (BSSs). As well as the cost of buying extra APs, there was also the possibility of channel interference. The NWA1121-NIs MBSSID (Multiple Basic Service Set IDentifier) function allows you to use one access point to provide several BSSs simultaneously. You can then assign varying levels of privilege to different SSIDs. Wireless stations can use different BSSIDs to associate with the same AP. The following are some notes on multiple BSS. A maximum of four BSSs are allowed on one AP simultaneously. You must use different WEP keys for different BSSs. If two stations have different BSSIDs (they are in different BSSs), but have the same WEP keys, they may hear each others communications
(but not communicate with each other). MBSSID should not replace but rather be used in conjunction with 802.1x security. Wireless Security Wireless security is vital to your network. It protects communications between wireless stations, access points and the wired network. Figure 18 Securing the Wireless Network In the figure above, the NWA1121-NI checks the identity of devices before giving them access to the network. In this scenario, Computer A is denied access to the network, while Computer B is granted connectivity. The NWA1121-NI secure communications via data encryption, wireless client authentication and MAC address filtering. It can also hide its identity in the network. NWA1121-NI Users Guide 57 Chapter 6 Wireless LAN User Authentication Authentication is the process of verifying whether a wireless device is allowed to use the wireless network. You can make every user log in to the wireless network before they can use it. However, every device in the wireless network has to support IEEE 802.1x to do this. For wireless networks, you can store the user names and passwords for each user in a RADIUS server. This is a server used in businesses more than in homes. If you do not have a RADIUS server, you cannot set up user names and passwords for your users. Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network. The following table shows the relative effectiveness of wireless security methods:. Table 9 Wireless Security Levels SECURITY LEVEL Least Secure SECURITY TYPE Unique SSID (Default) Unique SSID with Hide SSID Enabled MAC Address Filtering WEP Encryption IEEE802.1x EAP with RADIUS Server Authentication Wi-Fi Protected Access (WPA) Most Secure WPA2 The available security modes in your NWA1121-NI are as follows:
None. No data encryption. WEP. Wired Equivalent Privacy (WEP) encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. 802.1x-Only. This is a standard that extends the features of IEEE 802.11 to support extended authentication. It provides additional accounting and control features. This option does not support data encryption. 802.1x-Static WEP. This provides 802.1x-Only authentication with a static 64bit or 128bit WEP key and an authentication server. WPA. Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. WPA2-MIX. This commands the NWA1121-NI to use either WPA2 or WPA depending on which security mode the wireless client uses. WPA2-PSK. This adds a pre-shared key on top of WPA2 standard. WPA2-PSK-MIX. This commands the NWA1121-NI to use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses. Note: To guarantee 802.11n wireless speed, please only use WPA2 or WPA2-PSK security mode. Other security modes may degrate the wireless speed performance to 802.11g. 58 NWA1121-NI Users Guide Chapter 6 Wireless LAN Passphrase A passphrase functions like a password. In WEP security mode, it is further converted by the NWA1121-NI into a complicated string that is referred to as the key. This key is requested from all devices wishing to connect to a wireless network. PSK The Pre-Shared Key (PSK) is a password shared by a wireless access point and a client during a previous secure connection. The key can then be used to establish a connection between the two parties. Encryption Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message. Encryption is the process of converting data into unreadable text. This secures information in network communications. The intended recipient of the data can unlock it with a pre-assigned key, making the information readable only to him. The NWA1121-NI when used as a wireless client employs Temporal Key Integrity Protocol (TKIP) data encryption. EAP Extensible Authentication Protocol (EAP) is a protocol used by a wireless client, an access point and an authentication server to negotiate a connection. The EAP methods employed by the NWA1121-NI when in Wireless Client operating mode are Transport Layer Security (TLS), Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP) and Tunneled Transport Layer Security (TTLS). The authentication protocol may either be Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2) or Generic Token Card (GTC). Further information on these terms can be found in Appendix D on page 181. RADIUS Remote Authentication Dial In User Service (RADIUS) is a protocol that can be used to manage user access to large networks. It is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. Figure 19 RADIUS Server Setup NWA1121-NI Users Guide 59 Chapter 6 Wireless LAN In the figure above, wireless clients A and B are trying to access the Internet via the NWA1121-NI. The NWA1121-NI in turn queries the RADIUS server if the identity of clients A and U are allowed access to the Internet. In this scenario, only client Us identity is verified by the RADIUS server and allowed access to the Internet. The RADIUS server handles the following tasks:
Authentication which determines the identity of the users. Authorization which determines the network services available to authenticated users once they are connected to the network. Accounting which keeps track of the clients network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server. You should know the IP addresses, ports and share secrets of the external RADIUS server and/or the external RADIUS accounting server you want to use with your NWA1121-NI. You can configure a primary and backup RADIUS and RADIUS accounting server for your NWA1121-NI. 6.4 Wireless Settings Screen Use this screen to choose the operating mode for your NWA1121-NI. Click Network > Wireless LAN > Wireless Settings. The screen varies depending upon the operating mode you select. 60 NWA1121-NI Users Guide 6.4.1 Root AP Mode Use this screen to use your NWA1121-NI as an access point. Select Root AP as the Operation Mode. The following screen displays. Figure 20 Wireless LAN > Wireless Settings: Root AP Chapter 6 Wireless LAN NWA1121-NI Users Guide 61 Chapter 6 Wireless LAN The following table describes the general wireless LAN labels in this screen. Table 10 Wireless LAN > Wireless Settings: Root AP LABEL Basic Settings DESCRIPTION Wireless LAN Interface Select the check box to turn on the wireless LAN on the NWA1121-NI. Operation Mode Select Root AP from the drop-down list. Wireless Mode Select 802.11b/g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of your NWA1121-NI might be reduced. Select 802.11b/g/n to allow IEEE802.11b, IEEE802.11g and IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of the NWA1121-
NI might be reduced. Select 802.11n to allow only IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. Channel Select the operating frequency/channel depending on your particular region from the drop-down list box. Channel Width This field displays only when you select 802.11n or 802.11b/g/n in the Wireless Mode field. A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300Mbps. However, not all devices support 40MHz channels. Select the channel bandwidth you want to use for your wireless network. It is recommended that you select 20/40MHz. This allows the NWA1121-NI to adjust the channel bandwidth depending on network conditions. Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the wireless clients do not support channel bonding. Select SSID Profile The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. You can have up to four SSIDs active at the same time. Note: If you are configuring the NWA1121-NI from a computer connected to the wireless LAN and you change the NWA1121-NIs SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the NWA1121-NIs new settings.
Activve Profile This is the index number of each SSID profile. Select the check box to enable an SSID profile. Otherwise, clear the check box. Select an SSID Profile from the drop-down list box. Universal Repeater Settings The Universal repeater function allows the NWA1121-NI in root AP or repeater mode to set up a wireless connection between it and another NWA1121-NI in root AP or repeater mode. Note: Universal repeater security is independent of the security settings between the NWA1121-NI and any wireless clients. Local MAC Address Universal Repeater SSID Profile Local MAC Address is the MAC address of your NWA1121-NI. Select the SSID profile you want to use for universal repeater connections. Note: You can only configure None, WPA-PSK or WPA2-PSK security mode for the SSID used by a universal repeater connection. 62 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 10 Wireless LAN > Wireless Settings: Root AP (continued) LABEL Advanced Settings DESCRIPTION Beacon Interval DTIM Interval Output Power When a wirelessly network device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in lowpower mode before waking up to handle the beacon. A high value helps save current consumption of the access point. Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. Set the output power of the NWA1121-NI in this field. If there is a high density of APs in an area, decrease the output power of the NWA1121-NI to reduce interference with other APs. Select one of the following Full (Full Power), 50%, 25%, or 12.5%. See the product specifications for more information on your NWA1121-NIs output power. Preamble Type Select Dynamic to have the AP automatically use short preamble when wireless adapters support it, otherwise the AP uses long preamble. RTS/CTS Threshold Select Long if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks.
(Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (1) turns on the RTS/CTS handshake. Fragmentation The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Extension Channel Protection Mode You can use CTS to self or RTS-CTS protection mechanism to reduce conflicts with other wireless networks or hidden wireless clients. The throughput of RTS-CTS is much lower than CTS to self. Using this mode may decrease your wireless performance. A-MPDU Aggregation Short GI This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select Enabled to use Short GI (Guard Interval). The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the GI increases data transfer rates but also increases interference. Increasing the GI reduces data transfer rates but also reduces interference. MCS Rate The MCS Rate table is available only when 802.11 b/g/n is selected in the Wireless Mode field. IEEE 802.11n supports many different data rates which are called MCS rates. MCS stands for Modulation and Coding Scheme. This is an 802.11n feature that increases the wireless network performance in terms of throughput. For each MCS Rate (0-15), select either Enabled to have the NWA1121-NI use the data rate. Clear the Enabled check box if you do not want the NWA1121-NI to use the data rate. Turn on the Auto option to have the NWA1121-NI set the data rates automatically to optimize the throughput. Apply Cancel Note: You can set the NWA1121-NI to use up to four MCS rates at a time. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. NWA1121-NI Users Guide 63 Chapter 6 Wireless LAN 6.4.2 Repeater Mode Use this screen to have the NWA1121-NI act as a wireless repeater. You need to know the MAC address of the peer device, which also must be in Repeater or Root AP mode. Figure 21 Wireless LAN > Wireless Settings: Repeater The following table describes the bridge labels in this screen. Table 11 Wireless LAN > Wireless Settings: Repeater LABEL Basic Settings DESCRIPTION Wireless LAN Interface Select the check box to turn on the wireless LAN on the NWA1121-NI. Operation Mode Select Repeater from the drop-down list. 64 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 11 Wireless LAN > Wireless Settings: Repeater (continued) LABEL Wireless Mode DESCRIPTION Select 802.11b/g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of your NWA1121-NI might be reduced. Select 802.11b/g/n to allow IEEE802.11b, IEEE802.11g and IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of the NWA1121-
NI might be reduced. Select 802.11n to allow only IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. Channel Select the operating frequency/channel depending on your particular region from the drop-down list box. Channel Width This field displays only when you select 802.11n or 802.11b/g/n in the Wireless Mode field. A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300Mbps. However, not all devices support 40MHz channels. Select the channel bandwidth you want to use for your wireless network. It is recommended that you select 20/40MHz. This allows the NWA1121-NI to adjust the channel bandwidth depending on network conditions. Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the wireless clients do not support channel bonding. Universal Repeater Settings The Universal repeater function allows the NWA1121-NI in root AP or repeater mode to set up a wireless connection between it and another NWA1121-NI in root AP or repeater mode. Note: Universal repeater security is independent of the security settings between the NWA1121-NI and any wireless clients. Local MAC Address Universal Repeater SSID Profile Local MAC Address is the MAC address of your NWA1121-NI. Select the SSID profile you want to use for universal repeater connections with an AP or repeater or regular wireless connections with wireless clients. Note: You can only configure None, WPA-PSK or WPA2-PSK security mode for the SSID used by a universal repeater connection. Root MAC Address Specify the peer devices MAC address. The peer device can be a NWA1121-NI in either root AP mode or repeater mode. Advanced Settings Beacon Interval DTIM Interval Output Power When a wirelessly network device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in lowpower mode before waking up to handle the beacon. A high value helps save current consumption of the access point. Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. Set the output power of the NWA1121-NI in this field. If there is a high density of APs in an area, decrease the output power of the NWA1121-NI to reduce interference with other APs. Select one of the following Full (Full Power), 50%, 25% or 12.5%. See the product specifications for more information on your NWA1121-NIs output power. NWA1121-NI Users Guide 65 Chapter 6 Wireless LAN Table 11 Wireless LAN > Wireless Settings: Repeater (continued) LABEL Preamble Type DESCRIPTION Select Dynamic to have the AP automatically use short preamble when wireless adapters support it, otherwise the AP uses long preamble. RTS/CTS Threshold Select Long if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks.
(Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (1) turns on the RTS/CTS handshake. Fragmentation The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Extension Channel Protection Mode You can use CTS to self or RTS-CTS protection mechanism to reduce conflicts with other wireless networks or hidden wireless clients. The throughput of RTS-CTS is much lower than CTS to self. Using this mode may decrease your wireless performance. A-MPDU Aggregation Short GI This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select Enabled to use Short GI (Guard Interval). The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the GI increases data transfer rates but also increases interference. Increasing the GI reduces data transfer rates but also reduces interference. MCS Rate The MCS Rate table is available only when 802.11 b/g/n is selected in the Wireless Mode field. IEEE 802.11n supports many different data rates which are called MCS rates. MCS stands for Modulation and Coding Scheme. This is an 802.11n feature that increases the wireless network performance in terms of throughput. For each MCS Rate (0-15), select either Enabled to have the NWA1121-NI use the data rate. Clear the Enabled check box if you do not want the NWA1121-NI to use the data rate. Turn on the Auto option to have the NWA1121-NI set the data rates automatically to optimize the throughput. Apply Cancel Note: You can set the NWA1121-NI to use up to four MCS rates at a time. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 66 NWA1121-NI Users Guide 6.4.3 Wireless Client Mode Use this screen to turn your NWA1121-NI into a wireless client. Select Client as the Operation Mode. The following screen displays. Figure 22 Wireless LAN > Wireless Settings: Wireless Client Chapter 6 Wireless LAN The following table describes the general wireless LAN labels in this screen. Table 12 Wireless LAN > Wireless Settings: Wireless Client LABEL Basic Settings DESCRIPTION Wireless LAN Interface Select the check box to turn on the wireless LAN on the NWA1121-NI. Operation Mode Select Client in this field. Site Survey Click this to view a list of available wireless access points within the range. Select the AP you want to use. Note: After selecting Client as the Operation Mode in the Basic Settings section, you must click Apply to be able to select from the AP list. NWA1121-NI Users Guide 67 Chapter 6 Wireless LAN Table 12 Wireless LAN > Wireless Settings: Wireless Client (continued) LABEL SSID Profile DESCRIPTION The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In this field, select the SSID profile of the AP you want to use. Click Apply. The SSID used in the selected SSID profile automatically changes to be the one you select in the Site Survey screen. Set the security configuration for this operating mode in the Wireless LAN > Security screen. Check the Dashboard screen to check if the settings you set show in the WLAN information. Note: If you are configuring the NWA1121-NI from a computer connected to the wireless LAN and you change the NWA1121-NIs SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the NWA1121-NIs new settings. Channel This shows the operating frequency/channel in use. This field is read-only when you select Client as your operation mode. Channel Width A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300Mbps. However, not all devices support 40MHz channels. Select the channel bandwidth you want to use for your wireless network. It is recommended that you select 20/40MHz. This allows the NWA1121-NI to adjust the channel bandwidth depending on network conditions. Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the AP do not support channel bonding. Advanced Settings Output Power Set the output power of the NWA1121-NI in this field. If there is a high density of APs in an area, decrease the output power of the NWA1121-NI to reduce interference with other APs. Select one of the following Full (Full Power), 50%, 25% or 12.5%. See the product specifications for more information on your NWA1121-NIs output power. Preamble Type Select Dynamic to have the NWA1121-NI automatically use short preamble when the wireless network your NWA1121-NI is connected to supports it, otherwise the NWA1121-NI uses long preamble. RTS/CTS Threshold Select Long preamble if you are unsure what preamble mode the wireless device your NWA1121-NI is connected to supports, and to provide more reliable communications in busy wireless networks.
(Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (1) turns on the RTS/CTS handshake. Fragmentation The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Extension channel protection mode You can use CTS to self or RTS-CTS protection mechanism to reduce conflicts with other wireless networks or hidden wireless clients. The throughput of RTS-CTS is much lower than CTS to self. Using this mode may decrease your wireless performance. A-MPDU Aggregation Select to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. 68 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 12 Wireless LAN > Wireless Settings: Wireless Client (continued) LABEL Short GI DESCRIPTION Select Enabled to use Short GI (Guard Interval). The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the GI increases data transfer rates but also increases interference. Increasing the GI reduces data transfer rates but also reduces interference. Apply Cancel Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.4.4 MBSSID Mode Use this screen to have the NWA1121-NI function in MBSSID mode. Select MBSSID as the Operation Mode. The following screen diplays. Figure 23 Wireless LAN > Wireless Settings: MBSSID NWA1121-NI Users Guide 69 Chapter 6 Wireless LAN The following table describes the labels in this screen. Table 13 Wireless LAN > Wireless Settings: MBSSID LABEL Basic Settings DESCRIPTION Wireless LAN Interface Select the check box to turn on the wireless LAN on the NWA1121-NI. Operation Mode Select MBSSID from the drop-down list. Wireless Mode Select 802.11b/g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of your NWA1121-NI might be reduced. Select 802.11b/g/n to allow IEEE802.11b, IEEE802.11g and IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of the NWA1121-
NI might be reduced. Select 802.11n to allow only IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. Channel Select the operating frequency/channel depending on your particular region from the drop-down list box. Channel Width This field displays only when you select 802.11n or 802.11b/g/n in the Wireless Mode field. A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300Mbps. However, not all devices support 40MHz channels. Select the channel bandwidth you want to use for your wireless network. Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the wireless clients do not support channel bonding. Select SSID Profile The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. You can have up to eight SSIDs active at the same time.
Activve Profile Advanced Settings Beacon Interval DTIM Interval Output Power Note: If you are configuring the NWA1121-NI from a computer connected to the wireless LAN and you change the NWA1121-NIs SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the NWA1121-NIs new settings. This is the index number of each SSID profile. Select the check box to enable an SSID profile. Otherwise, clear the check box. Select an SSID Profile from the drop-down list box. When a wirelessly network device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in lowpower mode before waking up to handle the beacon. A high value helps save current consumption of the access point. Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. Set the output power of the NWA1121-NI in this field. If there is a high density of APs in an area, decrease the output power of the NWA1121-NI to reduce interference with other APs. Select one of the following Full (Full Power), 50%, 25% or 12.5%. See the product specifications for more information on your NWA1121-NIs output power. 70 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 13 Wireless LAN > Wireless Settings: MBSSID (continued) LABEL Preamble Type DESCRIPTION Select Dynamic to have the AP automatically use short preamble when wireless adapters support it, otherwise the AP uses long preamble. RTS/CTS Threshold Select Long if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks.
(Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (1) turns on the RTS/CTS handshake. Extension Channel Protection Mode You can use CTS to self or RTS-CTS protection mechanism to reduce conflicts with other wireless networks or hidden wireless clients. The throughput of RTS-CTS is much lower than CTS to self. Using this mode may decrease your wireless performance. A-MPDU Aggregation Short GI This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select Enabled to use Short GI (Guard Interval). The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the GI increases data transfer rates but also increases interference. Increasing the GI reduces data transfer rates but also reduces interference. MCS Rate The MCS Rate table is available only when 802.11 b/g/n is selected in the Wireless Mode field. IEEE 802.11n supports many different data rates which are called MCS rates. MCS stands for Modulation and Coding Scheme. This is an 802.11n feature that increases the wireless network performance in terms of throughput. For each MCS Rate (0-15), select either Enabled to have the NWA1121-NI use the data rate. Clear the Enabled check box if you do not want the NWA1121-NI to use the data rate. Turn on the Auto option to have the NWA1121-NI set the data rates automatically to optimize the throughput. Apply Cancel Note: You can set the NWA1121-NI to use up to four MCS rates at a time. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. NWA1121-NI Users Guide 71 Chapter 6 Wireless LAN 6.5 SSID Screen Use this screen to view and modify the settings of the SSID profiles on the NWA1121-NI. Click Wireless LAN > SSID to display the screen as shown. Figure 24 Wireless LAN > SSID The following table describes the labels in this screen. Figure 25 Wireless LAN > SSID LABEL DESCRIPTION Profile Settings
This field displays the index number of each SSID profile. Profile Name This field displays the identification name of each SSID profile on the NWA1121-NI. SSID Security RADIUS QoS MAC Filter Modify This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility. This field indicates which security profile is currently associated with each SSID profile. See Section 6.6 on page 74 for more information. This field displays which RADIUS profile is currently associated with each SSID profile, if you have a RADIUS server configured. This field displays the Quality of Service setting for this profile or NONE if QoS is not configured on a profile. This field displays which MAC filter profile is currently associated with each SSID profile, or Disable if MAC filtering is not configured on an SSID profile. Click Edit to go to the SSID configuration screen where you can modify settings in an SSID profile. 72 NWA1121-NI Users Guide 6.5.1 Configuring SSID Use this screen to configure an SSID profile. In the Wireless LAN > SSID screen, click Edit next to the SSID profile you want to configure to display the following screen. Figure 26 SSID: Edit Chapter 6 Wireless LAN The following table describes the labels in this screen. Table 14 SSID: Edit LABEL DESCRIPTION Profile Name This is the name that identifying this profile. SSID Security RADIUS When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility. Select a security profile to use with this SSID profile. See Section 6.6 on page 74 for more information. If you do not want this profile to use wireless security, select Disabled. Select a RADIUS profile from the drop-down list box, if you have a RADIUS server configured. If you do not need to use RADIUS authentication, ignore this field. See Section 6.7 on page 87 for more information. MAC Filtering Select a MAC filter profile from the drop-down list box. If you do not want to use MAC filtering on this profile, select Disabled. QoS Select the Quality of Service priority for this BSSs traffic. If you select WMM from the QoS list, the priority of a data packet depends on the packets IEEE 802.1q or DSCP header. If a packet has no WMM value assigned to it, it is assigned the default priority. If you select WMM_VOICE, WMM_VIDEO, WMM_BESTEFFORT or WMM_BACKGROUND, the NWA1121-NI applies that QoS setting to all of that SSIDs traffic. If you select None, the NWA1121-NI applies no priority to traffic on this SSID. Note: When you configure an SSID profiles QoS settings, the NWA1121-NI applies the same QoS setting to all of the profiles traffic. NWA1121-NI Users Guide 73 Chapter 6 Wireless LAN Table 14 SSID: Edit (continued) LABEL DESCRIPTION BSSID VLAN ID Enter a VLAN ID for the SSID profile. Number of Wireless Stations Allowed to Associate Hidden SSID Packets coming from the WLAN using this SSID profile are tagged with the VLAN ID number by the NWA1121-NI. Use this field to set a maximum number of wireless stations that may connect to the device. If you do not select the checkbox, the NWA1121-NI broadcasts this SSID (a wireless client scanning for an AP will find this SSID). Alternatively, if you select the checkbox, the NWA1121-NI hides this SSID (a wireless client scanning for an AP will not find this SSID). Intra-BSS Traffic Blocking Select the check box to prevent wireless clients in this profiles BSS from communicating with one another. Back Apply Cancel Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.6 Wireless Security Screen Use this screen to choose the security mode for your NWA1121-NI. Click Wireless LAN > Security. Select the profile that you want to configure and click Edit. Figure 27 Wireless > Security 74 NWA1121-NI Users Guide The Security Settings screen varies depending upon the security mode you select. Figure 28 Security: None Chapter 6 Wireless LAN Note that some screens display differently depending on the operating mode selected in the Wireless LAN > Wireless Settings screen. Note: You must enable the same wireless security settings on the NWA1121-NI and on all wireless clients that you want to associate with it. NWA1121-NI Users Guide 75 Chapter 6 Wireless LAN 6.6.1 Security: WEP Use this screen to use WEP as the security mode for your NWA1121-NI. Select WEP in the Security Mode field to display the following screen. Figure 29 Security: WEP The following table describes the labels in this screen. Table 15 Security: WEP LABEL Profile Name DESCRIPTION This is the name that identifying this profile. Security Mode Choose WEP in this field. Authentication Type Select Open or Shared from the drop-down list box. Data Encryption Select 64-bit WEP or 128-bit WEP to enable data encryption. Passphrase Enter the passphrase or string of text used for automatic WEP key generation on wireless client adapters. Generate Click this to get the keys from the Passphrase you entered. 76 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 15 Security: WEP (continued) LABEL Key 1 to DESCRIPTION The WEP keys are used to encrypt data. Both the NWA1121-NI and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters
("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time. Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. Key 4 Back Apply Cancel 6.6.2 Security: 802.1x Only This screen varies depending on the operating mode you select in the Wireless LAN > Wireless Settings screen. 6.6.2.1 Access Point Use this screen to use 802.1x-Only security mode for your NWA1121-NI that is in root AP, MBSSID or repeater operating mode. Select 802.1x-Only in the Security Mode field to display the following screen. Figure 30 Security: 802.1x Only for Access Point The following table describes the labels in this screen. Table 16 Security: 802.1x Only for Access Point LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. Security Mode Choose 802.1x-Only in this field. Rekey Options NWA1121-NI Users Guide 77 Chapter 6 Wireless LAN Table 16 Security: 802.1x Only for Access Point (continued) LABEL Reauthentication Time DESCRIPTION Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 100 and 3600 seconds. Alternatively, enter 0 to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Enable Group-Key Update Select this option to have the NWA1121-NI automatically disconnect a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. Back Apply Cancel Enter a time interval between 100 and 3600 seconds. Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.6.2.2 Wireless Client Use this screen to use 802.1x-Only security mode for your NWA1121-NI that is in wireless client operating mode. Select 802.1x-Only in the Security Mode field to display the following screen. Figure 31 Security: 802.1x Only for Wireless Client The following table describes the labels in this screen. Table 17 Security: 802.1x Only for Wireless Client LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. 78 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 17 Security: 802.1x Only for Wireless Client (continued) LABEL Security Mode DESCRIPTION Choose the same security mode used by the AP. IEEE802.1x Authentication Eap Type The options on the left refer to EAP methods. You can choose either TLS, LEAP, PEAP or TTLS. If you select TTLS or PEAP, the options on the right refer to authentication protocols. You can choose between PAP, CHAP, MSCHAP, MSCHAPv2 and/or GTC. User Information Username Login Name Password Certificate Supply the user name of the account created in the RADIUS server. Supply the password of the account created in the RADIUS server. User Certificate If you select TLS, enter the name of the certificate used to to verify the identity of clients. Back Apply Cancel Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.6.3 Security: 802.1x Static WEP This screen varies depending on the operating mode you select in the Wireless LAN > Wireless Settings screen. NWA1121-NI Users Guide 79 Chapter 6 Wireless LAN 6.6.3.1 Access Point Use this screen to use 802.1x static WEP security mode for your NWA1121-NI that is in root AP, MBSSID or repeater operating mode. Select 802.1X-Static WEP in the Security Mode field to display the following screen. Figure 32 Security: 802.1X-Static WEP for Access Point The following table describes the labels in this screen. Table 18 Security: 802.1X-Static WEP for Access Point LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. Security Mode Choose 802.1X-Static WEP in this field. Data Encryption Select 64-bit WEP or 128-bit WEP to enable data encryption. Passphrase Enter the passphrase or string of text used for automatic WEP key generation on wireless client adapters. Generate Click this to get the keys from the Passphrase you entered. 80 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 18 Security: 802.1X-Static WEP for Access Point (continued) LABEL Key 1 to DESCRIPTION The WEP keys are used to encrypt data. Both the NWA1121-NI and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters
("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time. Key 4 Rekey Options Reauthentication Time Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 100 and 3600 seconds. Alternatively, enter 0 to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Enable Group-Key Update Select this option to have the NWA1121-NI automatically disconnect a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. Back Apply Cancel Enter a time interval between 100 and 3600 seconds. Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. NWA1121-NI Users Guide 81 Chapter 6 Wireless LAN 6.6.3.2 Wireless Client Use this screen to use 802.1x-Only security mode for your NWA1121-NI that is in wireless client operating mode. Select 802.1X-Static WEP in the Security Mode field to display the following screen. Figure 33 Security: 802.1X-Static WEP for Wireless Client The following table describes the labels in this screen. Table 19 Security: 802.1X-Static WEP for Wireless Client LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. Security Mode Choose the same security mode used by the AP. 82 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 19 Security: 802.1X-Static WEP for Wireless Client (continued) LABEL Data Encryption DESCRIPTION Select 64-bit WEP or 128-bit WEP to enable data encryption. Passphrase Enter the passphrase or string of text used for automatic WEP key generation. Generate Key 1 to Key 4 Click this to get the keys from the Passphrase you entered. The WEP keys are used to encrypt data. Both the NWA1121-NI and the AP must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time. IEEE802.1x Authentication Eap Type The options on the left refer to EAP methods. You can choose either TLS, LEAP, PEAP or TTLS. If you select TTLS or PEAP, the options on the right refer to authentication protocols. You can choose between PAP, CHAP, MSCHAP, MSCHAPv2 and/or GTC. User Information Username Login Name Password Certificate Supply the user name of the account created in the RADIUS server. Supply the password of the account created in the RADIUS server. User Certificate If you select TLS, enter the name of the certificate used to to verify the identity of clients. Back Apply Cancel Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.6.4 Security: WPA, WPA2, WPA2-MIX This screen varies depending on the operating mode you select in the Wireless LAN > Wireless Settings screen. NWA1121-NI Users Guide 83 Chapter 6 Wireless LAN 6.6.4.1 Access Point Use this screen to employ WPA or WPA2 as the security mode for your NWA1121-NI that is in root AP, MBSSID or repeater operating mode. Select WPA, WPA2 or WPA2-MIX in the Security Mode field to display the following screen. Figure 34 Security: WPA/WPA2 for Access Point The following table describes the labels in this screen. Table 20 Security: WPA/WPA2 for Access Point LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. Security Mode Choose WPA, WPA2 or WPA-MIX in this field. Rekey Options Reauthentication Time Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 100 and 3600 seconds. Alternatively, enter 0 to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Enable Group-Key Update Select this option to have the NWA1121-NI automatically disconnect a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. Back Apply Cancel Enter a time interval between 100 and 3600 seconds. Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 84 NWA1121-NI Users Guide Chapter 6 Wireless LAN 6.6.4.2 Wireless Client Use this screen to employ WPA or WPA2 as the security mode for your NWA1121-NI that is in wireless client operating mode. Select WPA or WPA2 in the Security Mode field to display the following screen. Figure 35 Security: WPA for Wireless Client The following table describes the labels in this screen. Table 21 Security: WPA/WPA2 for Wireless Client LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. Security Mode Choose the same security mode used by the AP. Data Encryption This shows the encryption method used by the NWA1121-NI. IEEE802.1x Authentication Eap Type The options on the left refer to EAP methods. You can choose either TLS, LEAP, PEAP or TTLS. If you select TTLS or PEAP, the options on the right refer to authentication protocols. You can choose between PAP, CHAP, MSCHAP, MSCHAPv2 and/or GTC. User Information Username Supply the user name of the account created in the RADIUS server. Login Name Password Certificate Supply the password of the account created in the RADIUS server. User Certificate If you select TLS, enter the name of the certificate used to to verify the identity of clients. NWA1121-NI Users Guide 85 Chapter 6 Wireless LAN Table 21 Security: WPA/WPA2 for Wireless Client (continued) LABEL Back DESCRIPTION Click Back to return to the previous screen. Apply Cancel Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.6.5 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX Use this screen to employ WPA-PSK, WPA2-PSK or WPA2-PSK-MIX as the security mode of your NWA1121-NI. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in the Security Mode field to display the following screen. Figure 36 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX The following table describes the labels not previously discussed Table 22 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX LABEL Profile Name DESCRIPTION This is the name that identifying this profile. Security Mode Choose WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in this field. Pre-Shared Key The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). Back Apply Cancel Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 86 NWA1121-NI Users Guide 6.7 RADIUS Screen Use this screen to set up your NWA1121-NIs RADIUS server settings. Click Wireless LAN >
RADIUS. The screen appears as shown. Figure 37 Wireless LAN > RADIUS Chapter 6 Wireless LAN Select a profile you want to configure and click Edit. Figure 38 Wireless LAN > RADIUS NWA1121-NI Users Guide 87 Chapter 6 Wireless LAN The following table describes the labels in this screen. Table 23 Wireless LAN > RADIUS LABEL Profile Name DESCRIPTION This is the name that identifying this RADIUS profile. Primary RADIUS Server Select the check box to enable user authentication through an external authentication server. Primary Server IP Address Primary Server Port Primary Share Secret Enter the IP address of the RADIUS server to be used for authentication. Enter the port number of the RADIUS server to be used for authentication. Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external authentication server and the NWA1121-NI. The key must be the same on the external authentication server and your NWA1121-NI. The key is not sent over the network. Backup RADIUS Server If the NWA1121-NI cannot communicate with the primary RADIUS server, you can have the NWA1121-NI use a backup RADIUS server. Make sure the check boxe is selected if you want to use the backup server. The NWA1121-NI will attempt to communicate three times before using the backup server. Requests can be issued from the client interface to use the backup server. The length of time for each authentication is decided by the wireless client or based on the configuration of the Reauthentication Time field in the Wireless LAN >
Security screen. Enter the IP address of the RADIUS server to be used for authentication. Enter the port number of the RADIUS server to be used for authentication. Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external authentication server and the NWA1121-NI. The key must be the same on the external authentication server and your NWA1121-NI. The key is not sent over the network. Backup Server IP Address Backup Server Port Backup Share Secret Primary Accounting Server Select the check box to enable user accounting through an external authentication server. Primary Server IP Address Primary Server Port Primary Share Secret Enter the IP address of the external accounting server in dotted decimal notation. Enter the port number of the external accounting server. Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the NWA1121-NI. The key must be the same on the external accounting server and your NWA1121-NI. The key is not sent over the network. Backup Accounting Server If the NWA1121-NI cannot communicate with the primary accounting server, you can have the NWA1121-NI use a backup accounting server. Make sure the check boxe is selected if you want to use the backup server. Backup Server IP Address Backup Server Port Backup Share Secret The NWA1121-NI will attempt to communicate three times before using the backup server. Enter the IP address of the external accounting server in dotted decimal notation. Enter the port number of the external accounting server. Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the NWA1121-NI. The key must be the same on the external accounting and your NWA1121-NI. The key is not sent over the network. Back Click Back to return to the previous screen. 88 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 23 Wireless LAN > RADIUS (continued) LABEL Apply DESCRIPTION Click Apply to save your changes. Cancel Click Cancel to begin configuring this screen afresh. 6.8 MAC Filter Screen Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of each device to configure MAC filtering on the NWA1121-NI. The MAC filter function allows you to configure the NWA1121-NI to grant access to the NWA1121-
NI from other wireless devices (Allow Association) or exclude devices from accessing the NWA1121-
NI (Deny Association). Figure 39 MAC Filtering In the figure above, wireless client U is able to connect to the Internet because its MAC address is in the allowed association list specified in the NWA1121-NI. The MAC address of client A is either denied association or is not in the list of allowed wireless clients specified in the NWA1121-NI. NWA1121-NI Users Guide 89 Chapter 6 Wireless LAN Use this screen to enable MAC address filtering in your NWA1121-NI. You can specify MAC addresses to either allow or deny association with your NWA1121-NI. Click Wireless LAN > MAC Filter. The screen displays as shown. Figure 40 Wireless LAN > MAC Filter Select a profile you want to configure and click Edit. Figure 41 MAC Filter: Edit 90 NWA1121-NI Users Guide Chapter 6 Wireless LAN The following table describes the labels in this screen. Table 24 Wireless LAN > MAC Filter LABEL DESCRIPTION This is the name that identifying this profile. Profile Name Access Control Mode Select Disabled if you do not want to use this feature. Select Allow to permit access to the NWA1121-NI. MAC addresses not listed will be denied access to the NWA1121-NI. Select Deny to block access to theNWA1121-NI. MAC addresses not listed will be allowed to access the NWA1121-NI. This is the index number of the MAC address listed. Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless station to be allowed or denied access to the NWA1121-NI. Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh.
MAC Address Back Apply Cancel 6.9 Technical Reference This section provides technical background information about the topics covered in this chapter. Refer to Appendix D on page 181 for further readings on Wireless LAN. 6.9.1 Additional Wireless Terms Table 25 Additional Wireless Terms TERM Intra-BSS Traffic DESCRIPTION This describes direct communication (not through the NWA1121-NI) between two wireless devices within a wireless network. You might disable this kind of communication to enhance security within your wireless network. RTS/CTS Threshold In a wireless network which covers a large area, wireless devices are sometimes not aware of each others presence. This may cause them to send information to the AP at the same time and result in information colliding and not getting through. By setting this value lower than the default value, the wireless devices must sometimes get permission to send information to the NWA1121-NI. The lower the value, the more often the devices must get permission. If this value is greater than the fragmentation threshold value (see below), then wireless devices never have to get permission to send information to the NWA1121-
NI. A preamble affects the timing in your wireless network. There are two preamble modes: long and short. If a device uses a different preamble mode than the NWA1121-NI does, it cannot communicate with the NWA1121-NI. Preamble Fragmentation Threshold A small fragmentation threshold is recommended for busy networks, while a larger threshold provides faster performance if the network is not very busy. NWA1121-NI Users Guide 91 Chapter 6 Wireless LAN TERM Roaming Antenna 6.9.2 WMM QoS DESCRIPTION If you have two or more NWA1121-NIs (or other wireless access points) on your wireless network, you can enable this option so that wireless devices can change locations without having to log in again. This is useful for devices, such as notebooks, that move around a lot. An antenna couples Radio Frequency (RF) signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN. WMM (Wi-Fi MultiMedia) QoS (Quality of Service) ensures quality of service in wireless networks. It controls WLAN transmission priority on packets to be transmitted over the wireless network. WMM QoS prioritizes wireless traffic according to the delivery requirements of the individual and applications. WMM QoS is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks. On APs without WMM QoS, all traffic streams are given the same access priority to the wireless network. If the introduction of another traffic stream creates a data transmission demand that exceeds the current network capacity, then the new traffic stream reduces the throughput of the other traffic streams. The NWA1121-NI uses WMM QoS to prioritize traffic streams according to the IEEE 802.1q or DSCP information in each packets header. The NWA1121-NI automatically determines the priority to use for an individual traffic stream. This prevents reductions in data transmission for applications that are sensitive to latency and jitter (variations in delay). 6.9.2.1 WMM QoS Priorities The following table describes the WMM QoS priority levels that the NWA1121-NI uses. Table 26 WMM QoS Priorities Priority Level description voice
(WMM_VOICE) video
(WMM_VIDEO) best effort
(WMM_BESTEFFORT) background
(WMM_BACKGROUND) Typically used for traffic that is especially sensitive to jitter. Use this priority to reduce latency for improved voice quality. Typically used for traffic which has some tolerance for jitter but needs to be prioritized over other data traffic. Typically used for traffic from applications or devices that lack QoS capabilities. Use best effort priority for traffic that is less sensitive to latency, but is affected by long delays, such as Internet surfing. This is typically used for non-critical traffic such as bulk transfers and print jobs that are allowed but that should not affect other applications and users. Use background priority for applications that do not have strict latency and throughput requirements. 92 NWA1121-NI Users Guide Chapter 6 Wireless LAN 6.9.3 Security Mode Guideline The following is a general guideline in choosing the security mode for your NWA1121-NI. Use WPA(2)-PSK if you have WPA(2)-aware wireless clients but no RADIUS server. Use WPA(2) security if you have WPA(2)-aware wireless clients and a RADIUS server. WPA has user authentication and improved data encryption over WEP. Use WPA(2)-PSK if you have WPA(2)-aware wireless clients but no RADIUS server. If you dont have WPA(2)-aware wireless clients, then use WEP key encrypting. A higher bit key offers better security. You can manually enter 64-bit or 128-bit WEP keys. More information on Wireless Security can be found in Appendix D on page 181. NWA1121-NI Users Guide 93 CHAPTER 7 LAN 7.1 Overview This chapter describes how you can configure the IP address of your NWA1121-NI. The Internet Protocol (IP) address identifies a device on a network. Every networking device
(including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Figure 42 IPv4 Setup The figure above illustrates one possible setup of your NWA1121-NI. The gateway IPv4 address is 192.168.1.1 and the IPv4 address of the NWA1121-NI is 192.168.1.2 (default). The gateway and the device must belong in the same subnet mask to be able to communicate with each other. 7.2 What You Can Do in this Chapter Use the LAN IP screen to configure the IP address of your NWA1121-NI (see Section 7.4 on page 96). 7.3 What You Need to Know The Ethernet parameters of the NWA1121-NI are preset in the factory with the following values:
1 2 IP address of 192.168.1.2 Subnet mask of 255.255.255.0 (24 bits) NWA1121-NI Users Guide 94 Chapter 7 LAN IPv6 IPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 1038 IP addresses. IPv6 Addressing The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. IPv6 addresses can be abbreviated in two ways:
Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0. Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15. Prefix and Prefix Length Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An IPv6 prefix length specifies how many most significant bits (start from the left) in the address compose the network address. The prefix length is written as /x where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) is the subnet prefix. Link-local Address A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a private IP address in IPv4. You can have the same link-local address on multiple interfaces on a device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast address format is as follows. Table 27 Link-local Unicast Address Format 1111 1110 10 0 Interface ID 10 bits 54 bits 64 bits Global Address A global address uniquely identifies a device on the Internet. It is similar to a public IP address in IPv4. A global unicast address starts with a 2 or 3. NWA1121-NI Users Guide 95 Chapter 7 LAN 7.4 LAN IP Screen Use this screen to configure the IP address for your NWA1121-NI. Click Network > LAN to display the following screen. Figure 43 LAN IP The following table describes the labels in this screen. Table 28 LAN IP LABEL IPv4 Address Assignment DESCRIPTION Obtain IP Address Automatically Select this option if your NWA1121-NI is using a dynamically assigned IPv4 address from a DHCP server each time. Note: You must know the IP address assigned to the NWA1121-NI (by the DHCP server) to access the NWA1121-NI again. Use Fixed IP Address Select this option if your NWA1121-NI is using a static IPv4 address. When you select this option, fill in the fields below. IP Address Enter the IP address of your NWA1121-NI in dotted decimal notation. Subnet Mask Gateway IP Address Note: If you change the NWA1121-NI's IP address, you must use the new IP address if you want to access the web configurator again. Type the subnet mask. Type the IPv4 address of the gateway. The gateway is an immediate neighbor of your NWA1121-NI that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your NWA1121-NI; over the WAN, the gateway must be the IP address of one of the remote nodes. 96 NWA1121-NI Users Guide Chapter 7 LAN Table 28 LAN IP (continued) LABEL IPv6 Address Assignment DESCRIPTION Enable Stateful Address Auto-
configuration IPv6 Address/Prefix Length System DNS Servers Select this to turn on IPv6 stateful autoconfiguration to have the NWA1121-NI obtain an IPv6 global address from a DHCPv6 server in your network. Enter your IPv6 address and prefix manually. Primary DNS Server Enter the IPv4 address of the first DNS (Domain Name Service) server, if provided. Secondary DNS Server Enter the IPv4 address of the second DNS (Domain Name Service) server address, if Apply Cancel provided. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. NWA1121-NI Users Guide 97 CHAPTER 8 VLAN 8.1 Overview This chapter discusses how to configure the NWA1121-NIs VLAN settings. Figure 44 Management VLAN Setup B A In the figure above, to access and manage the NWA1121-NI from computer A, the NWA1121-NI and switch Bs ports to which computer A and the NWA1121-NI are connected should be in the same VLAN. 8.1.1 What You Can Do in This Chapter The VLAN screens let you set up the NWA1121-NIs mangement VLAN (Section 8.3 on page 99). 8.2 What You Need to Know Introduction to VLANs A Virtual Local Area Network (VLAN) allows a physical network to be partitioned into multiple logical networks. Devices on a logical network belong to one group. A device can belong to more than one group. With VLAN, a device cannot directly talk to or hear from devices that are not in the same group(s); the traffic must first go through a router. In Multi-Tenant Unit (MTU) applications, VLAN is vital in providing isolation and security among the subscribers. When properly configured, VLAN prevents one subscriber from accessing the network resources of another on the same LAN, thus a user will not see the printers and hard disks of another user in the same building. NWA1121-NI Users Guide 98 Chapter 8 VLAN VLAN also increases network performance by limiting broadcasts to a smaller and more manageable logical broadcast domain. In traditional switched environments, all broadcast packets go to each and every individual port. With VLAN, all broadcasts are confined to a specific broadcast domain. IEEE 802.1Q Tag The IEEE 802.1Q standard defines an explicit VLAN tag in the MAC header to identify the VLAN membership of a frame across bridges. A VLAN tag includes the 12-bit VLAN ID and 3-bit user priority. The VLAN ID associates a frame with a specific VLAN and provides the information that devices need to process the frame across the network. 8.3 VLAN Screen Use this screen to set up the VLAN for managing the NWA1121-NI. Click Network > VLAN to display the screen as shown. Figure 45 Network > VLAN The following table describes the labels in this screen. Figure 46 Network > VLAN LABEL DESCRIPTION 802.1Q VLAN Select this to enable VLAN tagging on the NWA1121-NI. Management VLAN Select this to enable VLAN management. Only traffic tagged with the management VLAN ID can access the NWA1121-NI. At least one device in your network must belong to the VLAN specified below in order to manage the NWA1121-NI. Management VLAN ID Enter a number from 1 to 4094 to define the NWA1121-NIs management VLAN Apply Cancel group. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. NWA1121-NI Users Guide 99 Chapter 8 VLAN 100 NWA1121-NI Users Guide CHAPTER 9 System 9.1 Overview This chapter shows you how to enable remote management of your NWA1121-NI. It provides information on determining which services or protocols can access which of the NWA1121-NIs interfaces. Remote Management allows a user to administrate the device over the network. You can manage your NWA1121-NI from a remote location via the following interfaces:
WLAN LAN Both WLAN and LAN Neither (Disable) Figure 47 Remote Management Example In the figure above, the NWA1121-NI (A) is being managed by a desktop computer (B) connected via LAN (Land Area Network). It is also being accessed by a notebook (C) connected via WLAN
(Wireless LAN). 9.2 What You Can Do in this Chapter Use the WWW screen to configure through which interface(s) and from which IP address(es) you can use the Web Browser to manage the NWA1121-NI (see Section 9.4 on page 104). Use the Certificates screen to delete and import certificates (seen Section 9.5 on page 105). NWA1121-NI Users Guide 101 Chapter 9 System Use the Telnet screen to configure through which interface(s) and from which IP address(es) you can use Telnet to manage the NWA1121-NI. A Telnet connection is prioritized by the NWA1121-NI over other remote management sessions (see Section 9.6 on page 106). Use the SNMP screen to configure through which interface(s) and from which IP address(es) a network systems manager can access the NWA1121-NI (see Section 9.7 on page 107). Use the FTP screen to configure through which interface(s) and from which IP address(es) you can use File Transfer Protocol (FTP) to manage the NWA1121-NI. You can use FTP to upload the latest firmware for example (see Section 9.8 on page 110). 9.3 What You Need To Know WWW The World Wide Web allows you to access files hosted in a remote server. For example, you can view text files (usually referred to as pages) using your web browser via HyperText Transfer Protocol (HTTP). Telnet Telnet is short for Telecommunications Network, which is a client-side protocol that enables you to access a device over the network. FTP File Transfer Protocol (FTP) allows you to upload or download a file or several files to and from a remote location using a client or the command console. SNMP Simple Network Management Protocol (SNMP) is a member of the TCP/IP protocol suite used for exchanging management information between network devices. Your NWA1121-NI supports SNMP agent functionality, which allows a manager station to manage and monitor the NWA1121-NI through the network. The NWA1121-NI supports SNMP version one
(SNMPv1), version two (SNMPv2c) and version three (SNMPv3). 102 NWA1121-NI Users Guide The next figure illustrates an SNMP management operation. Figure 48 SNMP Management Mode Chapter 9 System An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the NWA1121-NI). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices. SNMP allows a manager and agents to communicate for the purpose of accessing information such as packets received, node port status, etc. SNMP v3 and Security SNMP v3 enhances security for SNMP management. SNMP managers can be required to authenticate with agents before conducting SNMP management sessions. Security can be further enhanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them. Remote Management Limitations Remote management over LAN or WLAN will not work when:
You have disabled that service in one of the remote management screens. The IP address in the Secured Client IP Address field does not match the client IP address. If it does not match, the NWA1121-NI will disconnect the session immediately. NWA1121-NI Users Guide 103 Chapter 9 System You may only have one remote management session running at one time. The NWA1121-NI automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows:
1 Telnet 2 HTTP System Timeout There is a default system management idle timeout of five minutes (three hundred seconds). The NWA1121-NI automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the SYSTEM screen. Certificate A certificate contains the certificate owners identity and public key. Certificates provide a way to exchange public keys for use in authentication. Figure 49 Certificates Example In the figure above, the NWA1121-NI (Z) checks the identity of the notebook (A) using a certificate before granting access to the network. The certification authority certificate that you can import to your NWA1121-NI should be in PFX PKCS#12 file format. This format referred to as the Personal Information Exchange Syntax Standard is comprised of a private key-public certificate pair that is further encrypted with a password. Before you import a certificate into the NWA1121-NI, you should verify that you have the correct certificate. Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys. 9.4 WWW Screen Use this screen to configure your NWA1121-NI via the World Wide Web (WWW) using a Web browser. This lets you specify which IP addresses or computers are able to communicate with and access the NWA1121-NI. 104 NWA1121-NI Users Guide To change your NWA1121-NIs WWW settings, click System > WWW. The following screen shows. Figure 50 System > WWW Chapter 9 System The following table describes the labels in this screen. Table 29 System > WWW LABEL WWW DESCRIPTION HTTP Port HTTPS Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the NWA1121-NI, for example 8443, then you must notify people who need to access the NWA1121-NI web configurator to use https://
NWA1121-NI IP Address:8443 as the URL. Server Access Select the interface(s) through which a computer may access the NWA1121-NI using this service. Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the NWA1121-NI using this service. Secured Client MAC Address Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA1121-NI using this service. Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the MAC address that you specify to access the NWA1121-NI using this service. Apply Cancel Click Apply to save your customized settings. Click Cancel to begin configuring this screen afresh. 9.5 Certificates Screen Use this screen to delete or import certificates. NWA1121-NI Users Guide 105 Chapter 9 System Click System > Certificates. The following screen shows. Figure 51 System > Certificates The following table describes the labels in this screen. Table 30 System > Certificates LABEL Import Certificate DESCRIPTION Import Certificate Browse Import Enter the location of a previously-saved certificate to upload to the NWA1121-NI. Alternatively, click the Browse button to locate a list. Click this button to locate a previously-saved certificate to upload to the NWA1121-NI. Click this button to upload the previously-saved certificate displayed in the Import Certificate field to the NWA1121-NI. Delete Certificate You can delete a certificate Select the certificate from the list that you want to delete. Delete Click this to delete the selected certificate. 9.6 Telnet Screen Use this screen to configure your NWA1121-NI for remote Telnet access. You can use Telnet to access the NWA1121-NIs Command Line Interface (CLI). Click System > Telnet. The following screen displays. Figure 52 System > Telnet 106 NWA1121-NI Users Guide Chapter 9 System The following table describes the labels in this screen. Table 31 System > Telnet LABEL TELNET DESCRIPTION Port You can change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Server Access Select the interface(s) through which a computer may access the NWA1121-NI using Telnet. Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the NWA1121-NI using this service. Secured Client MAC Address Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA1121-NI using this service. Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the MAC address that you specify to access the NWA1121-NI using this service. Apply Cancel Click Apply to save your customized settings. Click Cancel to begin configuring this screen afresh. 9.7 SNMP Screen Use this screen to have a manager station administrate your NWA1121-NI over the network and configure SNMP accounts on the SNMP v3 manager. An SNMP administrator/user is an SNMP NWA1121-NI Users Guide 107 Chapter 9 System manager. To change your NWA1121-NIs SNMP settings, click System > SNMP. The following screen displays. Figure 53 System > SNMP The following table describes the labels in this screen. Table 32 System > SNMP LABEL SNMP DESCRIPTION Port You can change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. 108 NWA1121-NI Users Guide Chapter 9 System Table 32 System > SNMP (continued) LABEL Server Access DESCRIPTION Select the interface(s) through which a computer may access the NWA1121-NI using Telnet. Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the NWA1121-NI using this service. Secured Client MAC Address SNMP Configuration Protocol Version Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA1121-NI using this service. Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the MAC address that you specify to access the NWA1121-NI using this service. Select the SNMP version for the NWA1121-NI, which you allow the SNMP manager to use to access the NWA1121-NI. The SNMP version on the NWA1121-NI must match the version on the SNMP manager. Get Community Set Community Note: SNMP version 2c is backwards compatible with SNMP version 1. Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. Enter the Set community, which is the password for incoming Set requests from the management station. Trap Community Type the trap community, which is the password sent with each trap to the SNMP manager. Trap Destination Type the IP address of the station to send your SNMP traps to. SNMPv3 Admin Settings SNMPv3 Admin Select the check box to enable the SNMP administrator account for authentication with SNMP managers using SNMP v3. User Name Password Specify the user name of the SNMP administrator account. Enter the password for SNMP administrator authentication. Confirm Password Retype the password for confirmation. Access Type Specify the SNMP administrators access rights to MIBs. Read/Write - The SNMP administrator has read and write rights, meaning that the user can create and edit the MIBs on the NWA1121-NI. Read Only - The SNMP administrator has read rights only, meaning the user can collect information from the NWA1121-NI. Authentication Protocol Select an authentication algorithm used for SNMP communication with the SNMP administrator. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower. Privacy Protocol Specify the encryption method used for SNMP communication with the SNMP administrator. DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data. AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. NWA1121-NI Users Guide 109 Chapter 9 System Table 32 System > SNMP (continued) LABEL SNMPv3 User Settings DESCRIPTION SNMPv3 User User Name Password Select the check box to enable the SNMP user account for authentication with SNMP managers using SNMP v3. Specify the user name of the SNMP user account. Enter the password for SNMP user authentication. Confirm Password Retype the password for confirmation. Access Type Specify the SNMP users access rights to MIBs. Authentication Protocol Read Only - The SNMP user has read rights only, meaning the user can collect information from the NWA1121-NI. Read/Write - The SNMP user has read and write rights, meaning that the user can create and edit the MIBs on the NWA1121-NI. Select an authentication algorithm used for SNMP communication with the SNMP user. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower. Privacy Protocol Specify the encryption method used for SNMP communication with the SNMP user. DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data. AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. Apply Cancel Click Apply to save your customized settings. Click Cancel to begin configuring this screen afresh. 9.8 FTP Screen Use this screen to upload and download the NWA1121-NIs firmware using FTP. To use this feature, your computer must have an FTP client. To change your NWA1121-NIs FTP settings, click System > FTP. The following screen displays. Figure 54 System > FTP 110 NWA1121-NI Users Guide Chapter 9 System The following table describes the labels in this screen. Table 33 System > FTP LABEL FTP DESCRIPTION Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Server Access Select the interface(s) through which a computer may access the NWA1121-NI using this service. Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the NWA1121-NI using this service. Secured Client MAC Address Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA1121-NI using this service. Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the MAC address that you specify to access the NWA1121-NIe using this service. Apply Cancel Click Apply to save your customized settings. Click Cancel to begin configuring this screen afresh. 9.9 Technical Reference This section provides some technical background information about the topics covered in this chapter. 9.9.1 MIB Managed devices in an SMNP managed network contain object variables or managed objects that define each piece of information to be collected about a device. Examples of variables include such as number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects.SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
Get - Allows the manager to retrieve an object variable from the agent. GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. Set - Allows the manager to set values for object variables within an agent. Trap - Used by the agent to inform the manager of some events. 9.9.2 Supported MIBs The NWA1121-NI supports MIB II that is defined in RFC-1213 and RFC-1215 as well as the proprietary ZyXEL private MIB. The purpose of the MIBs is to let administrators collect statistical data and monitor status and performance. NWA1121-NI Users Guide 111 Chapter 9 System 9.9.3 SNMP Traps SNMP traps are messages sent by the agents of each managed device to the SNMP manager. These messages inform the administrator of events in data networks handled by the device. The NWA1121-NI can send the following traps to the SNMP manager. Table 34 SNMP Traps TRAP NAME Generic Traps coldStart OBJECT IDENTIFIER #
(OID) DESCRIPTION 1.3.6.1.6.3.1.1.5.1 warmStart 1.3.6.1.6.3.1.1.5.2 This trap is sent after booting (power on). This trap is defined in RFC-1215. This trap is sent after booting (software reboot). This trap is defined in RFC-1215. linkDown linkUp 1.3.6.1.6.3.1.1.5.3 This trap is sent when the Ethernet link is down. 1.3.6.1.6.3.1.1.5.4 This trap is sent when the Ethernet link is up. authenticationFailure
(defined in RFC-1215) 1.3.6.1.6.3.1.1.5.5 The device sends this trap when it receives any SNMP get or set requirements with the wrong community
(password). Note: snmpEnableAuthenTraps, OID 1.3.6.1.2.1.11.30
(defined in RFC 1214 and RFC 1907) must be enabled on in order for the device to send authenticationFailure traps. Use a MIB browser to enable or disable snmpEnableAuthenTraps. Traps defined in the ZyXEL Private MIB. whyReboot 1.3.6.1.4.1.890.1.5.13.0. 1 This trap is sent with the reason for restarting before the system reboots (warm start).
"System reboot by user!" is added for an intentional reboot (for example, download new files, CI command
"sys reboot"). If the system reboots because of fatal errors, a code for the error is listed. pwTFTPStatus 1.3.6.1.4.1.890.1.9.2.3.3
.1 This trap is sent to indicate the status and result of a TFTP client session that has ended. Some traps include an SNMP interface index. The following table maps the SNMP interface indexes to the NWA1121-NIs physical and virtual ports. Table 35 SNMP Interface Index to Physical and Virtual Port Mapping TYPE Physical PORT Wireless LAN adaptor WLAN1 INTERFACE enet0 enet1 enet2 Virtual enet3 ~ enet9 enet10 ~ enet16 enet17 ~ enet21 enet22 ~ enet26 Ethernet port (LAN) Wireless LAN adaptor WLAN2 WLAN1 in MBSSID mode WLAN2 in MBSSID mode WLAN1 in WDS mode WLAN2 in WDS mode 112 NWA1121-NI Users Guide Chapter 9 System 9.9.4 Private-Public Certificates When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure. These keys work like a handwritten signature (in fact, certificates are often referred to as digital signatures). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key writes your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows. 1 2 3 4 5 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. Tim uses his private key to sign the message and sends it to Jenny. Jenny receives the message and uses Tims public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tims private key). Additionally, Jenny uses her own private key to sign a message and Tim uses Jennys public key to verify the message. 9.9.5 Certification Authorities A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the NWA1121-NI to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority. 9.9.6 Checking the Fingerprint of a Certificate on Your Computer A certificates fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificates fingerprint to verify that you have the actual certificate. 1 Browse to where you have the certificate saved on your computer. 2 Make sure that the certificate has a .cer or .crt file name extension. Figure 55 Certificates on Your Computer NWA1121-NI Users Guide 113 Chapter 9 System 3 Double-click the certificates icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figure 56 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary according to your situation. Possible examples would be over the telephone or through an HTTPS connection. 114 NWA1121-NI Users Guide CHAPTER 10 Log Settings 10.1 Overview This chapter provides information on viewing and generating logs on your NWA1121-NI. Logs are files that contain recorded network activity over a set period. They are used by administrators to monitor the health of the system(s) they are managing. Logs enable administrators to effectively monitor events, errors, progress, etc. so that when network problems or system failures occur, the cause or origin can be traced. Logs are also essential for auditing and keeping track of changes made by users. Figure 57 Accessing Logs in the Network The figure above illustrates three ways to access logs. The user (U) can access logs directly from the NWA1121-NI (A) via the Web configurator. Logs can also be located in an external log server
(B). An email server (C) can also send harvested logs to the users email account. 10.2 What You Can Do in this Chapter Use the Log Settings screen to configure where and when the NWA1121-NI will send the logs, and which logs and/or immediate alerts it will send (Section 10.4 on page 116). Use the Monitor >
Logs screen to display all logs or logs for a certain category. NWA1121-NI Users Guide 115 Chapter 10 Log Settings 10.3 What You Need To Know Alerts and Logs An alert is a type of log that warrants more serious attention. Some categories such as System Error consist of both logs and alerts. You can differentiate them by their color in the Monitor >
Logs screen. Alerts are displayed in red and logs are displayed in black. Receiving Logs via E-mail If you want to receive logs in your e-mail account, you need to have the necessary details ready, such as the Server Name or Simple Mail Transfer Protocol (SMTP) Address of your e-mail account. Ensure that you have a valid e-mail address. Enabling Syslog Logging To enable Syslog Logging, obtain your Syslog servers IP address (or server name). 10.4 Log Settings Screen Use this screen to configure to where and when the NWA1121-NI is to send the logs and which logs and/or immediate alerts it is to send. 116 NWA1121-NI Users Guide To change your NWA1121-NIs log settings, click Configuration > Log Settings. The screen appears as shown. Figure 58 Log Settings Chapter 10 Log Settings The following table describes the labels in this screen. Table 36 Log Settings LABEL E-mail Log Settings Mail Server Mail Subject Send Log to DESCRIPTION Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail. Type a title that you want to be in the subject line of the log e-mail message that the NWA1121-NI sends. Logs are sent to the e-mail address specified in this field. If this field is left blank, logs will not be sent via e-mail. NWA1121-NI Users Guide 117 Chapter 10 Log Settings Table 36 Log Settings (continued) LABEL SMTP Authentication DESCRIPTION SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. Select the check box to activate SMTP authentication. If mail server authentication is needed but this feature is disabled, you will not receive the e-mail logs. User Name Password If you use SMTP authentication, the mail receiver should be the owner of the SMTP account. If your e-mail account requires SMTP authentication, enter the username here. Enter the password associated with the above username. Syslog Logging Syslog logging sends a log to an external syslog server used to store logs. Syslog Logging Select the check box to enable syslog logging. Syslog Server IP Address Syslog Port Number Send Log Log Schedule Enter the IP address of the syslog server that will log the selected categories of logs. Enter the port number of the syslog server that will log the selected categories of logs. This drop-down menu is used to configure the frequency of log messages being sent as E-mail:
When Log is Full Hourly Daily Weekly None. If the Weekly or the Daily option is selected, specify a time of day when the E-mail should be sent. If the Weekly option is selected, then also specify which day of the week the E-mail should be sent. If the When Log is Full option is selected, an alert is sent when the log fills up. If you select None, no log messages are sent. This field is only available when you select Weekly in the Log Schedule field. Use the drop down list box to select which day of the week to send the logs. Day for Sending Log Time for Sending Log Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. Clear log after sending mail Select the check box to clear all logs after logs and alert messages are sent via e-
mail. Log Category System Maintenance Click this to receive logs related to system maintenance. System Error Click this to receive logs related to system errors. 802.1x Wireless Email Log Now Apply Cancel Click this to receive logs related to the 802.1x mode. Click this to receive logs related to the wireless function. Select the categories of alerts for which you want the NWA1121-NI to immediately send e-mail alerts. Click Apply to save your customized settings. Click Cancel to begin configuring this screen afresh. 118 NWA1121-NI Users Guide CHAPTER 11 Maintenance 11.1 Overview This chapter describes the maintenance screens. It discusses how you can upload new firmware, manage configuration and restart your NWA1121-NI without turning it off and on. This chapter provides information and instructions on how to identify and manage your NWA1121-
NI over the network. Figure 59 NWA1121-NI Setup In the figure above, the NWA1121-NI connects to a Domain Name Server (DNS) server to avail of a domain name. It also connects to an Network Time Protocol (NTP) server to set the time on the device. 11.2 What You Can Do in this Chapter Use the General screen to specify the system name (see Section 11.4 on page 120). Use the Password screen to manage the password for your NWA1121-NI (see Section 11.5 on page 121). Use the Time screen to change your NWA1121-NIs time and date. This screen allows you to configure the NWA1121-NIs time based on your local time zone (see Section 11.6 on page 122). Use the Firmware Upload screen to upload the latest firmware for your NWA1121-NI (see Section 11.7 on page 123). Use the Backup/Restore screen to view information related to factory defaults, backup configuration, and restoring configuration (see Section 11.8 on page 124). NWA1121-NI Users Guide 119 Chapter 11 Maintenance Use Restart screen to reboot the NWA1121-NI without turning the power off (see Section 11.9 on page 126). 11.3 What You Need To Know You can find the firmware for your device at www.zyxel.com. It is a file that (usually) uses the system model name with a "*.bin" extension, for example "[Model #].bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. 11.4 General Screen Use the General screen to identify your NWA1121-NI over the network. Click Maintenance >
General. The following screen displays. Figure 60 Maintenance > General The following table describes the labels in this screen. Table 37 Maintenance > General LABEL System Settings DESCRIPTION System Name Type a descriptive name to identify the NWA1121-NI in the Ethernet network. This name can be up to 15 alphanumeric characters long. Spaces are not allowed, but dashes "-" are accepted. Apply Cancel Click Apply to save your changes. Click Cancel to reload the previous configuration for this screen. 120 NWA1121-NI Users Guide Chapter 11 Maintenance 11.5 Password Screen Use this screen to control access to your NWA1121-NI by assigning a password to it. Click Maintenance > Password. The following screen displays. Figure 61 Maintenance > Password The following table describes the labels in this screen. Table 38 Maintenance > Password LABEL Current Password DESCRIPTIONS Type in your existing system password. New Password Type your new system password. Note that as you type a password, the screen displays a dot (.) for each character you type. Retype to Confirm Retype your new system password for confirmation. Apply Cancel Click Apply to save your changes. Click Cancel to reload the previous configuration for this screen. NWA1121-NI Users Guide 121 Chapter 11 Maintenance 11.6 Time Screen Use this screen to change your NWA1121-NIs time and date, click Maintenance > Time. The following screen displays. Figure 62 Maintenance > Time The following table describes the labels in this screen. Table 39 Maintenance > Time LABEL Current Time and Date DESCRIPTION Current Time This field displays the time of your NWA1121-NI. Each time you reload this page, the NWA1121-NI synchronizes the time with the time server (if configured). When you disable NTP Client Update, you can manually enter the new time in this field and then click Apply. Current Date This field displays the last updated date from the time server. When you disable NTP Client Update, you can manually enter the new date in this field and then click Apply. Time and Date Setup NTP Client Update NTP server Manual IP Time Zone Setup Time Zone Apply Cancel Select this to have the NWA1121-NI get the time and date from the time server you specified below. Select this option to use the predefined list of Network Time Protocol (NTP) servers. Select an NTP server from the drop-list box. Select this option to enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information. Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT). Click Apply to save your changes. Click Cancel to reload the previous configuration for this screen. 122 NWA1121-NI Users Guide Chapter 11 Maintenance 11.7 Firmware Upgrade Screen Use this screen to upload a firmware to your NWA1121-NI. Click Maintenance > Firmware Upgrade. Follow the instructions in this section to upload firmware to your NWA1121-NI. Figure 63 Maintenance > Firmware Upgrade The following table describes the labels in this screen. Table 40 Maintenance > Firmware Upgrade LABEL File Path DESCRIPTION Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes. Do not turn off the NWA1121-NI while firmware upload is in progress!
After you see the Firmware Upload in Process screen, wait two minutes before logging into the NWA1121-NI again. Figure 64 Firmware Upload In Process The NWA1121-NI automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 65 Network Temporarily Disconnected NWA1121-NI Users Guide 123 Chapter 11 Maintenance After the upload was finished, log in again and check your new firmware version in the Dashboard screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/
W Upload screen. Figure 66 Firmware Upload Error 11.8 Configuration File Screen Use this screen to backup, restore and reset the configuration of your NWA1121-NI. Click Maintenance > Configuration File. The screen appears as shown next. Figure 67 Maintenance > Configuration File 11.8.1 Backup Configuration Backup configuration allows you to back up (save) the NWA1121-NIs current configuration to a file on your computer. Once your NWA1121-NI is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the NWA1121-NIs current configuration to your computer. 124 NWA1121-NI Users Guide 11.8.2 Restore Configuration Chapter 11 Maintenance Restore configuration allows you to upload a new or previously saved configuration file from your computer to your NWA1121-NI. Table 41 Restore Configuration LABEL File Path DESCRIPTION Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them. Upload Click Upload to begin the upload process. Do not turn off the NWA1121-NI while configuration file upload is in progress. After you see a restore configuration successful screen, you must then wait one minute before logging into the NWA1121-NI again. Figure 68 Configuration Upload Successful The NWA1121-NI automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 69 Network Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default NWA1121-NI IP address (192.168.1.2). See Appendix A on page 133 for details on how to set up your computers IP address. NWA1121-NI Users Guide 125 Chapter 11 Maintenance If the upload was not successful, the following screen will appear. Click Return to go back to the Backup/Restore screen. Figure 70 Configuration Upload Error 11.8.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the NWA1121-NI to its factory defaults as shown on the screen. The following warning screen will appear. Figure 71 Reset Message You can also press the RESET button to reset your NWA1121-NI to its factory default settings. Refer to Section 2.2 on page 20 for more information. 11.9 Restart Screen Use this screen to reboot the NWA1121-NI without turning the power off. Click Maintenance > Restart. The following screen displays. Figure 72 Maintenance > Restart Click Restart to have the NWA1121-NI reboot. This does not affect the NWA1121-NI's configuration. 126 NWA1121-NI Users Guide Chapter 11 Maintenance NWA1121-NI Users Guide 127 Chapter 11 Maintenance 128 NWA1121-NI Users Guide CHAPTER 12 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. Power, Hardware Connections, and LEDs NWA1121-NI Access and Login Internet Access 12.1 Power, Hardware Connections, and LEDs The NWA1121-NI does not turn on. None of the LEDs turn on. 1 Make sure you are using the power adaptor or cord included with the NWA1121-NI. 2 Make sure the power adaptor or cord is connected to the NWA1121-NI and plugged in to an appropriate power source. Make sure the power source is turned on. 3 Disconnect and re-connect the power adaptor or cord to the NWA1121-NI. 4 If the problem continues, contact the vendor. One of the LEDs does not behave as expected. 1 Make sure you understand the normal behavior of the LED. See Section 1.7 on page 17. 2 3 Check the hardware connections. See the Quick Start Guide. Inspect your cables for damage. Contact the vendor to replace any damaged cables. 4 Disconnect and re-connect the power adaptor to the NWA1121-NI. 5 If the problem continues, contact the vendor. NWA1121-NI Users Guide 129 Chapter 12 Troubleshooting 12.2 NWA1121-NI Access and Login I forgot the IP address for the NWA1121-NI. 1 2 3 The default IP address is 192.168.1.2. If you changed the IP address and have forgotten it, you might get the IP address of the NWA1121-
NI by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the NWA1121-NI (it depends on the network), so enter this IP address in your Internet browser. If this does not work, you have to reset the device to its factory defaults. See Section 2.2 on page 20. I forgot the password. 1 2 The default password is 1234. If this does not work, you have to reset the device to its factory defaults. See Section 2.2 on page 20. I cannot see or access the Login screen in the web configurator. 1 Make sure you are using the correct IP address. The default IP address is 192.168.1.2. If you changed the IP address (Section 7.4 on page 96), use the new IP address. If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the NWA1121-NI. 2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.7 on page 17. 3 Make sure your Internet browser does not block pop-up windows and has JavaScript and Java enabled. See Section 12.1 on page 129. 4 Make sure your computer is in the same subnet as the NWA1121-NI. (If you know that there are routers between your computer and the NWA1121-NI, skip this step.) If there is no DHCP server on your network, make sure your computers IP address is in the same subnet as the NWA1121-NI. 5 Reset the device to its factory defaults, and try to access the NWA1121-NI with the default IP address. See Chapter 2 on page 20. 130 NWA1121-NI Users Guide Chapter 12 Troubleshooting 6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions Try to access the NWA1121-NI using another service, such as Telnet. If you can access the NWA1121-NI, check the remote management settings to find out why the NWA1121-NI does not respond to HTTP. If your computer is connected wirelessly, use a computer that is connected to a LAN/Ethernet port. I can see the Login screen, but I cannot log in to the NWA1121-NI. 1 Make sure you have entered the user name and password correctly. The default password is 1234. This fields are case-sensitive, so make sure [Caps Lock] is not on. 2 You cannot log in to the web configurator while someone is using the Telnet to access the NWA1121-NI. Log out of the NWA1121-NI in the other session, or ask the person who is logged in to log out. 3 Disconnect and re-connect the power adaptor or cord to the NWA1121-NI. 4 If this does not work, you have to reset the device to its factory defaults. See Section 2.2 on page 20. I cannot use FTP to upload new firmware. See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. 12.3 Internet Access I cannot access the Internet. 1 2 3 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 12.1 on page 129. 2. Make sure your NWA1121-NI is connected to a networking device that provides Internet access. If you are trying to access the Internet wirelessly, make sure the wireless settings on the wireless client are the same as the settings on the AP. 4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. NWA1121-NI Users Guide 131 Chapter 12 Troubleshooting 5 If the problem continues, contact your ISP. I cannot access the Internet anymore. I had access to the Internet (with the NWA1121-NI), but my Internet connection is not available anymore. 1 2 3 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.7 on page 17. Reboot the NWA1121-NI. If the problem continues, contact your ISP or network administrator. The Internet connection is slow or intermittent. 1 2 3 4 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.7 on page 17. If the NWA1121-NI is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications. Check the signal strength. If the signal is weak, try moving the NWA1121-NI (in wireless client mode) closer to the AP (if possible), and look around to see if there are any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on). Reboot the NWA1121-NI. If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions Check the settings for QoS. If it is disabled, you might consider activating it. 132 NWA1121-NI Users Guide APPENDIX A Setting Up Your Computers IP Address Note: Your specific NWA1121-NI may not support all of the operating systems described in this appendix. See the product specifications for more information about which operating systems are supported. This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network. Windows Vista/XP/2000, Mac OS 9/
OS X, and all versions of UNIX/LINUX include the software components you need to use TCP/IP on your computer. If you manually assign IP information instead of using a dynamic IP, make sure that your networks computers have IP addresses that place them in the same subnet. In this appendix, you can set up an IP address for:
Windows XP/NT/2000 on page 133 Windows Vista on page 137 Windows 7 on page 141 Mac OS X: 10.3 and 10.4 on page 145 Mac OS X: 10.5 and 10.6 on page 148 Linux: Ubuntu 8 (GNOME) on page 151 Linux: openSUSE 10.3 (KDE) on page 155 Windows XP/NT/2000 The following example uses the default Windows XP display theme but can also apply to Windows 2000 and Windows NT. NWA1121-NI Users Guide 133 Appendix A Setting Up Your Computers IP Address 1 Click Start > Control Panel. 2 In the Control Panel, click the Network Connections icon. 3 Right-click Local Area Connection and then select Properties. 134 NWA1121-NI Users Guide 4 On the General tab, select Internet Protocol (TCP/IP) and then click Properties. Appendix A Setting Up Your Computers IP Address NWA1121-NI Users Guide 135 Appendix A Setting Up Your Computers IP Address 5 The Internet Protocol TCP/IP Properties window opens. 6 7 8 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. Click OK to close the Internet Protocol (TCP/IP) Properties window. Click OK to close the Local Area Connection Properties window. Verifying Settings 1 2 136 Click Start > All Programs > Accessories > Command Prompt. In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information. NWA1121-NI Users Guide Appendix A Setting Up Your Computers IP Address Windows Vista This section shows screens from Windows Vista Professional. 1 Click Start > Control Panel. 2 In the Control Panel, click the Network and Internet icon. 3 Click the Network and Sharing Center icon. NWA1121-NI Users Guide 137 Appendix A Setting Up Your Computers IP Address 4 Click Manage network connections. 5 Right-click Local Area Connection and then select Properties. Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. 138 NWA1121-NI Users Guide 6 Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties. Appendix A Setting Up Your Computers IP Address NWA1121-NI Users Guide 139 Appendix A Setting Up Your Computers IP Address 7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens. 8 9 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided.Click Advanced. Click OK to close the Internet Protocol (TCP/IP) Properties window. 10 Click OK to close the Local Area Connection Properties window. Verifying Settings 1 2 140 Click Start > All Programs > Accessories > Command Prompt. In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information. NWA1121-NI Users Guide Appendix A Setting Up Your Computers IP Address Windows 7 This section shows screens from Windows 7 Enterprise. 1 Click Start > Control Panel. 2 In the Control Panel, click View network status and tasks under the Network and Internet category. 3 Click Change adapter settings. NWA1121-NI Users Guide 141 Appendix A Setting Up Your Computers IP Address 4 Double click Local Area Connection and then select Properties. Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. 142 NWA1121-NI Users Guide 5 Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties. Appendix A Setting Up Your Computers IP Address NWA1121-NI Users Guide 143 Appendix A Setting Up Your Computers IP Address 6 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens. 7 8 9 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. Click Advanced if you want to configure advanced settings for IP, DNS and WINS. Click OK to close the Internet Protocol (TCP/IP) Properties window. Click OK to close the Local Area Connection Properties window. Verifying Settings 1 2 144 Click Start > All Programs > Accessories > Command Prompt. In the Command Prompt window, type "ipconfig" and then press [ENTER]. NWA1121-NI Users Guide 3 The IP settings are displayed as follows. Appendix A Setting Up Your Computers IP Address Mac OS X: 10.3 and 10.4 The screens in this section are from Mac OS X 10.4 but can also apply to 10.3. 1 Click Apple > System Preferences. NWA1121-NI Users Guide 145 Appendix A Setting Up Your Computers IP Address 2 In the System Preferences window, click the Network icon. 3 When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure. 146 NWA1121-NI Users Guide 4 For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab. Appendix A Setting Up Your Computers IP Address 5 For statically assigned settings, do the following:
From the Configure IPv4 list, select Manually. In the IP Address field, type your IP address. In the Subnet Mask field, type your subnet mask. In the Router field, type the IP address of your device. 6 Click Apply Now and close the window. NWA1121-NI Users Guide 147 Appendix A Setting Up Your Computers IP Address Verifying Settings Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab. Figure 73 Mac OS X 10.4: Network Utility Mac OS X: 10.5 and 10.6 The screens in this section are from Mac OS X 10.5 but can also apply to 10.6. 1 Click Apple > System Preferences. 148 NWA1121-NI Users Guide 2 In System Preferences, click the Network icon. Appendix A Setting Up Your Computers IP Address 3 When the Network preferences pane opens, select Ethernet from the list of available connection types. 4 5 From the Configure list, select Using DHCP for dynamically assigned settings. For statically assigned settings, do the following:
NWA1121-NI Users Guide 149 Appendix A Setting Up Your Computers IP Address From the Configure list, select Manually. In the IP Address field, enter your IP address. In the Subnet Mask field, enter your subnet mask. In the Router field, enter the IP address of your NWA1121-NI. 6 Click Apply and close the window. 150 NWA1121-NI Users Guide Appendix A Setting Up Your Computers IP Address Verifying Settings Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab. Figure 74 Mac OS X 10.5: Network Utility Linux: Ubuntu 8 (GNOME) This section shows you how to configure your computers TCP/IP settings in the GNU Object Model Environment (GNOME) using the Ubuntu 8 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default Ubuntu 8 installation. Note: Make sure you are logged in as the root administrator. Follow the steps below to configure your computer IP address in GNOME:
1 Click System > Administration > Network. NWA1121-NI Users Guide 151 Appendix A Setting Up Your Computers IP Address 2 When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make changes to your configuration unless you first enter your admin password. 3 In the Authenticate window, enter your admin account name and password then click the Authenticate button. 152 NWA1121-NI Users Guide 4 In the Network Settings window, select the connection that you want to configure, then click Properties. Appendix A Setting Up Your Computers IP Address 5 The Properties dialog box opens. In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address. In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields. 6 Click OK to save the changes and close the Properties dialog box and return to the Network Settings screen. NWA1121-NI Users Guide 153 Appendix A Setting Up Your Computers IP Address 7 If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided. 8 Click the Close button to apply the changes. 154 NWA1121-NI Users Guide Appendix A Setting Up Your Computers IP Address Verifying Settings Check your TCP/IP properties by clicking System > Administration > Network Tools, and then selecting the appropriate Network device from the Devices tab. The Interface Statistics column shows data if your connection is working properly. Figure 75 Ubuntu 8: Network Tools Linux: openSUSE 10.3 (KDE) This section shows you how to configure your computers TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default openSUSE 10.3 installation. Note: Make sure you are logged in as the root administrator. Follow the steps below to configure your computer IP address in the KDE:
NWA1121-NI Users Guide 155 Appendix A Setting Up Your Computers IP Address 1 Click K Menu > Computer > Administrator Settings (YaST). 2 When the Run as Root - KDE su dialog opens, enter the admin password and click OK. 156 NWA1121-NI Users Guide 3 When the YaST Control Center window opens, select Network Devices and then click the Network Card icon. Appendix A Setting Up Your Computers IP Address 4 When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button. NWA1121-NI Users Guide 157 Appendix A Setting Up Your Computers IP Address 5 When the Network Card Setup window opens, click the Address tab Figure 76 openSUSE 10.3: Network Card Setup 6 7 Select Dynamic Address (DHCP) if you have a dynamic IP address. Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields. Click Next to save the changes and close the Network Card Setup window. 158 NWA1121-NI Users Guide 8 If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided. Appendix A Setting Up Your Computers IP Address 9 Click Finish to save your settings and close the window. Verifying Settings Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information. Figure 77 openSUSE 10.3: KNetwork Manager NWA1121-NI Users Guide 159 Appendix A Setting Up Your Computers IP Address When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly. Figure 78 openSUSE: Connection Status - KNetwork Manager 160 NWA1121-NI Users Guide APPENDIX B Pop-up Windows, JavaScript and Java Permissions In order to use the web configurator you need to allow:
Web browser pop-up windows from your device. JavaScript (enabled by default). Java permissions (enabled by default). Note: The screens used below belong to Internet Explorer version 6, 7 and 8. Screens for other Internet Explorer versions may vary. Internet Explorer Pop-up Blockers You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your devices IP address. Disable Pop-up Blockers 1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 79 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1 In Internet Explorer, select Tools, Internet Options, Privacy. NWA1121-NI Users Guide 161 Appendix B Pop-up Windows, JavaScript and Java Permissions 2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 80 Internet Options: Privacy 3 Click Apply to save this setting. Enable Pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 162 NWA1121-NI Users Guide Appendix B Pop-up Windows, JavaScript and Java Permissions 2 Select Settingsto open the Pop-up Blocker Settings screen. Figure 81 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.167.1. NWA1121-NI Users Guide 163 Appendix B Pop-up Windows, JavaScript and Java Permissions 4 Click Add to move the IP address to the list of Allowed sites. Figure 82 Pop-up Blocker Settings 5 6 Click Close to return to the Privacy screen. Click Apply to save this setting. JavaScript If pages of the web configurator do not display properly in Internet Explorer, check that JavaScript are allowed. 164 NWA1121-NI Users Guide Appendix B Pop-up Windows, JavaScript and Java Permissions 1 In Internet Explorer, click Tools, Internet Options and then the Security tab. Figure 83 Internet Options: Security 2 3 Click the Custom Level... button. Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). NWA1121-NI Users Guide 165 Appendix B Pop-up Windows, JavaScript and Java Permissions 6 Click OK to close the window. Figure 84 Security Settings - Java Scripting Java Permissions 1 2 3 From Internet Explorer, click Tools, Internet Options and then the Security tab. Click the Custom Level... button. Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 166 NWA1121-NI Users Guide Appendix B Pop-up Windows, JavaScript and Java Permissions 5 Click OK to close the window. Figure 85 Security Settings - Java JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. NWA1121-NI Users Guide 167 Appendix B Pop-up Windows, JavaScript and Java Permissions 3 Click OK to close the window. Figure 86 Java (Sun) Mozilla Firefox Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary slightly. The steps below apply to Mozilla Firefox 3.0 as well. You can enable Java, Javascript and pop-ups in one screen. Click Tools, then click Options in the screen that appears. Figure 87 Mozilla Firefox: TOOLS > Options 168 NWA1121-NI Users Guide Appendix B Pop-up Windows, JavaScript and Java Permissions Click Content to show the screen below. Select the check boxes as shown in the following screen. Figure 88 Mozilla Firefox Content Security Opera Opera 10 screens are used here. Screens for other versions may vary slightly. NWA1121-NI Users Guide 169 Appendix B Pop-up Windows, JavaScript and Java Permissions Allowing Pop-Ups From Opera, click Tools, then Preferences. In the General tab, go to Choose how you prefer to handle pop-ups and select Open all pop-ups. Figure 89 Opera: Allowing Pop-Ups Enabling Java From Opera, click Tools, then Preferences. In the Advanced tab, select Content from the left-
side menu. Select the check boxes as shown in the following screen. Figure 90 Opera: Enabling Java 170 NWA1121-NI Users Guide Appendix B Pop-up Windows, JavaScript and Java Permissions To customize JavaScript behavior in the Opera browser, click JavaScript Options. Figure 91 Opera: JavaScript Options Select the items you want Operas JavaScript to apply. NWA1121-NI Users Guide 171 Appendix B Pop-up Windows, JavaScript and Java Permissions 172 NWA1121-NI Users Guide APPENDIX C IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks. Introduction to IP Addresses One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number - the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered. Structure An IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. NWA1121-NI Users Guide 173 Appendix C IP Addresses and Subnetting The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID. Figure 92 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term subnet is short for sub-network. A subnet mask has 32 bits. If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID. The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal). Table 42 Subnet Masks 1ST OCTET:
(192) IP Address (Binary) 11000000 2ND OCTET:
(168) 10101000 3RD OCTET:
(1) 00000001 4TH OCTET
(2) 00000010 Subnet Mask (Binary) 11111111 11111111 11111111 00000000 Network Number 11000000 10101000 00000001 Host ID 00000010 By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. 174 NWA1121-NI Users Guide Appendix C IP Addresses and Subnetting Subnet masks can be referred to by the size of the network number part (the bits with a 1 value). For example, an 8-bit mask means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes. Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks. Table 43 Subnet Masks BINARY 1ST OCTET 11111111 8-bit mask 2ND OCTET 00000000 3RD OCTET 00000000 4TH OCTET DECIMAL 00000000 255.0.0.0 16-bit mask 11111111 11111111 00000000 00000000 255.255.0.0 24-bit mask 11111111 11111111 11111111 00000000 255.255.255.0 29-bit mask 11111111 11111111 11111111 11111000 255.255.255.248 Network Size The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits. An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example). As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:
Table 44 Maximum Host Numbers SUBNET MASK 8 bits HOST ID SIZE 24 bits 255.0.0.0 16 bits 255.255.0.0 16 bits 24 bits 255.255.255.0 29 bits 255.255.255.24 8 8 bits 3 bits Notation 224 2 216 2 28 2 23 2 MAXIMUM NUMBER OF HOSTS 16777214 65534 254 6 Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a /
followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. NWA1121-NI Users Guide 175 Appendix C IP Addresses and Subnetting The following table shows some possible subnet masks using both notations. Table 45 Alternative Subnet Mask Notation SUBNET MASK 255.255.255.0 255.255.255.128 255.255.255.192 255.255.255.224 255.255.255.240 255.255.255.248 255.255.255.252 ALTERNATIVE NOTATION
/24 LAST OCTET
(BINARY) 0000 0000 LAST OCTET
(DECIMAL) 0
/25
/26
/27
/28
/29
/30 1000 0000 1100 0000 1110 0000 1111 0000 1111 1000 1111 1100 128 192 224 240 248 252 Subnetting You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons. In this example, the company network address is 192.168.1.0. The first three octets of the address
(192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 28 2 or 254 possible hosts. The following figure shows the company network before subnetting. Figure 93 Subnetting Example: Before Subnetting You can borrow one of the host ID bits to divide the network 192.168.1.0 into two separate sub-
networks. The subnet mask is now 25 bits (255.255.255.128 or /25). The borrowed host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. 176 NWA1121-NI Users Guide Appendix C IP Addresses and Subnetting The following figure shows the company network after subnetting. There are now two sub-
networks, A and B. Figure 94 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 27 2 or 126 possible hosts (a host ID of all zeroes is the subnets address itself, all ones is the subnets broadcast address). 192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254. Example: Four Subnets The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to borrow two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits
(11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 26 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnets broadcast address). Table 46 Subnet 1 IP/SUBNET MASK NETWORK NUMBER IP Address (Decimal) 192.168.1. IP Address (Binary) 11000000.10101000.00000001. Subnet Mask (Binary) 11111111.11111111.11111111. LAST OCTET BIT VALUE 0 00000000 11000000 NWA1121-NI Users Guide 177 Appendix C IP Addresses and Subnetting Table 46 Subnet 1 (continued) IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE Subnet Address:
192.168.1.0 Broadcast Address:
192.168.1.63 Table 47 Subnet 2 Lowest Host ID: 192.168.1.1 Highest Host ID: 192.168.1.62 IP/SUBNET MASK NETWORK NUMBER IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001. Subnet Mask (Binary) 11111111.11111111.11111111. LAST OCTET BIT VALUE 64 01000000 11000000 Subnet Address:
192.168.1.64 Broadcast Address:
192.168.1.127 Table 48 Subnet 3 Lowest Host ID: 192.168.1.65 Highest Host ID: 192.168.1.126 IP/SUBNET MASK NETWORK NUMBER IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001. Subnet Mask (Binary) 11111111.11111111.11111111. LAST OCTET BIT VALUE 128 10000000 11000000 Subnet Address:
192.168.1.128 Broadcast Address:
192.168.1.191 Table 49 Subnet 4 Lowest Host ID: 192.168.1.129 Highest Host ID: 192.168.1.190 IP/SUBNET MASK NETWORK NUMBER IP Address 192.168.1. LAST OCTET BIT VALUE 192 IP Address (Binary) 11000000.10101000.00000001. 11000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address:
192.168.1.192 Broadcast Address:
192.168.1.255 Lowest Host ID: 192.168.1.193 Highest Host ID: 192.168.1.254 Example: Eight Subnets Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). 178 NWA1121-NI Users Guide The following table shows IP address last octet values for each subnet. Appendix C IP Addresses and Subnetting Table 50 Eight Subnets SUBNET ADDRESS 0 SUBNET 1 2 3 4 5 6 7 8 32 64 96 128 160 192 224 Subnet Planning FIRST ADDRESS 1 33 65 97 129 161 193 225 LAST ADDRESS 30 BROADCAST ADDRESS 31 62 94 126 158 190 222 254 63 95 127 159 191 223 255 The following table is a summary for subnet planning on a network with a 24-bit network number. Table 51 24-bit Network Number Subnet Planning NO. BORROWED HOST BITS 1 255.255.255.128 (/25) SUBNET MASK NO. SUBNETS 2 4 8 16 32 64 NO. HOSTS PER SUBNET 126 62 30 14 6 2 1 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) 128 2 3 4 5 6 7 The following table is a summary for subnet planning on a network with a 16-bit network number. Table 52 16-bit Network Number Subnet Planning NO. BORROWED HOST BITS 1 SUBNET MASK 255.255.128.0 (/17) 2 3 4 5 6 7 8 9 10 11 12 255.255.192.0 (/18) 255.255.224.0 (/19) 255.255.240.0 (/20) 255.255.248.0 (/21) 255.255.252.0 (/22) 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) NO. SUBNETS 2 4 8 16 32 64 128 256 512 1024 2048 4096 NO. HOSTS PER SUBNET 32766 16382 8190 4094 2046 1022 510 254 126 62 30 14 NWA1121-NI Users Guide 179 Appendix C IP Addresses and Subnetting Table 52 16-bit Network Number Subnet Planning (continued) NO. BORROWED HOST BITS 13 255.255.255.248 (/29) SUBNET MASK NO. SUBNETS 8192 NO. HOSTS PER SUBNET 6 14 15 255.255.255.252 (/30) 255.255.255.254 (/31) 16384 32768 2 1 Configuring IP Addresses Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the NWA1121-NI. Once you have decided on the network number, pick an IP address for your NWA1121-NI that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your NWA1121-NI will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the NWA1121-NI unless you are instructed to do otherwise. Private IP Addresses Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255 You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses. Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. 180 NWA1121-NI Users Guide APPENDIX D Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN. Figure 95 Peer-to-Peer Communication in an Ad-hoc Network BSS A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is NWA1121-NI Users Guide 181 Appendix D Wireless LANs disabled, wireless client A and B can still access the wired network but cannot communicate with each other. Figure 96 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. 182 NWA1121-NI Users Guide An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. Figure 97 Infrastructure WLAN Appendix D Wireless LANs Channel RTS/CTS A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance. Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11. A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they NWA1121-NI Users Guide 183 Appendix D Wireless LANs cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Figure 98 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked. When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission. Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS
(Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS
(Request To Send)/CTS (Clear to Send) handshake. If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. 184 NWA1121-NI Users Guide If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Appendix D Wireless LANs Preamble Type Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet. Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble. Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks. Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications. Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the NWA1121-NI uses long preamble. Note: The wireless devices MUST use the same preamble mode in order to communicate. IEEE 802.11g Wireless LAN IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:
Table 53 IEEE 802.11g DATA RATE (MBPS) MODULATION 1 DBPSK (Differential Binary Phase Shift Keyed) 2 5.5 / 11 6/9/12/18/24/36/48/
54 DQPSK (Differential Quadrature Phase Shift Keying) CCK (Complementary Code Keying) OFDM (Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. Wireless security methods available on the NWA1121-NI are data encryption, wireless client authentication, restricting access by device MAC address and hiding the NWA1121-NI identity. NWA1121-NI Users Guide 185 Appendix D Wireless LANs The following figure shows the relative effectiveness of these wireless security methods available on your NWA1121-NI. Table 54 Wireless Security Levels SECURITY LEVEL Least Secure SECURITY TYPE Unique SSID (Default) Unique SSID with Hide SSID Enabled MAC Address Filtering WEP Encryption IEEE802.1x EAP with RADIUS Server Authentication Wi-Fi Protected Access (WPA) WPA2 Most Secure Note: You must enable the same wireless security settings on the NWA1121-NI and on all wireless clients that you want to associate with it. IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:
User based identification that allows for roaming. Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients. RADIUS RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:
Authentication Determines the identity of the users. Authorization Determines the network services available to authenticated users once they are connected to the network. Accounting Keeps track of the clients network activity. 186 NWA1121-NI Users Guide Appendix D Wireless LANs RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server. Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:
Access-Request Sent by an access point requesting authentication. Access-Reject Sent by a RADIUS server rejecting access. Access-Accept Sent by a RADIUS server allowing access. Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:
Accounting-Request Sent by the access point requesting accounting. Accounting-Response Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access. Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner. NWA1121-NI Users Guide 187 Appendix D Wireless LANs EAP-MD5 (Message-Digest Algorithm 5) MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client proves that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the senders identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-
side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. 188 NWA1121-NI Users Guide Appendix D Wireless LANs If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled. Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types. Table 55 Comparison of EAP Authentication Types EAP-TLS Yes EAP-MD5 No Mutual Authentication EAP-TTLS Yes PEAP Yes Optional Optional Yes Yes Yes Yes LEAP Yes No No Yes Yes Yes Yes Strong Strong Strong Moderate Hard No Moderate Moderate Moderate Yes Yes No Certificate Client Certificate Server Dynamic Key Exchange Credential Integrity Deployment Difficulty No No No None Easy Client Identity Protection No WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication. If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. Encryption WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but offers stronger encryption than TKIP with Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP). TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm NWA1121-NI Users Guide 189 Appendix D Wireless LANs called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check
(MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network. The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but its still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of WEP) User Authentication WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices. Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it. Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it. 190 NWA1121-NI Users Guide Appendix D Wireless LANs WPA(2) with RADIUS Application Example To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system. 1 2 3 4 The AP passes the wireless client's authentication request to the RADIUS server. The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client. The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. Figure 99 WPA(2) with RADIUS Application Example WPA(2)-PSK Application Example A WPA(2)-PSK application looks as follows. 1 2 3 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols). The AP checks each wireless client's password and allows it to join the network only if the password matches. The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. NWA1121-NI Users Guide 191 Appendix D Wireless LANs 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them. Figure 100 WPA(2)-PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features. Table 56 Wireless Security Relational Matrix AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL Open ENCRYPTIO N METHOD None No ENTER MANUAL KEY IEEE 802.1X Disable Enable without Dynamic WEP Key Open WEP No Enable with Dynamic WEP Key Yes Yes Enable without Dynamic WEP Key Disable Shared WEP No Enable with Dynamic WEP Key Yes Yes No Yes No Yes TKIP/AES TKIP/AES TKIP/AES TKIP/AES Enable without Dynamic WEP Key Disable Enable Disable Enable Disable WPA WPA-PSK WPA2 WPA2-PSK Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. 192 NWA1121-NI Users Guide Positioning the antennas properly increases the range and coverage area of a wireless LAN. Appendix D Wireless LANs Antenna Characteristics Frequency An antenna in the frequency of 2.4GHz or 5GHz is needed to communicate efficiently in a wireless LAN Radiation Pattern A radiation pattern is a diagram that allows you to visualize the shape of the antennas coverage area. Antenna Gain Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications. For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides. Types of Antennas for WLAN There are two types of antennas used for wireless LAN applications. Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points. Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications. Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-topoint application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. NWA1121-NI Users Guide 193 Appendix D Wireless LANs For directional antennas, point the antenna in the direction of the desired coverage area. 194 NWA1121-NI Users Guide APPENDIX E Legal Information Copyright Copyright 2012 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimers ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice. Your use of the NWA1121-NI is subject to the terms and conditions of any related service providers. Use with products that have NAT, and/or 3G. Do not use the NWA1121-NI for illegal purposes. Illegal downloading or sharing of files can result in severe civil and criminal penalties. You are subject to the restrictions of copyright laws and any other applicable laws, and will bear the consequences of any infringements thereof. ZyXEL bears NO responsibility or liability for your use of the download service feature. Use for products that have a download service. Make sure all data and programs on the NWA1121-NI are also stored elsewhere. ZyXEL is not responsible for any loss of or damage to any data, programs, or storage media resulting from the use, misuse, or disuse of this or any other ZyXEL product. Use for storage/backup devices. Trademarks Trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners. Certifications Federal Communications Commission (FCC) Interference Statement The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
This device may not cause harmful interference. NWA1121-NI Users Guide 195 Appendix E Legal Information This device must accept any interference received, including interference that may cause undesired operations. This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1 2 3 4 Reorient or relocate the receiving antenna. Increase the separation between the equipment and the receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. FCC Radiation Exposure Statement This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. IEEE 802.11b, 802.11g or 802.11n (20MHz) operation of this product in the U.S.A. is firmware-
limited to channels 1 through 11. IEEE 802.11n (40MHz) operation of this product in the U.S.A. is firmware-limited to channels 3 through 9. To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons. Industry Canada Statement (For all products) This device complies with RSS-210 of the Industry Canada Rules. Operation is subject to the following two conditions:
1) this device may not cause interference and 2) this device must accept any interference, including interference that may cause undesired operation of the device This device has been designed to operate with an antenna having a maximum gain of 2dBi. 196 NWA1121-NI Users Guide Appendix E Legal Information Antenna having a higher gain is strictly prohibited per regulations of Industry Canada. The required antenna impedance is 50 ohms. To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the EIRP is not more than required for successful communication. IMPORTANT NOTE Device for the band 5150-5250 MHz is only for indoor usage to reduce potential for harmful interference to co-channel mobile satellite systems; users should also be cautioned to take note that high-power radars are allocated as primary users (meaning they have priority) of the bands 5250-5350 MHz and 5650-5850 MHz and these radars could cause interference and/or damage to LE-LAN devices. IC Radiation Exposure Statement This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment. End users must follow the specific operating instructions for satisfying RF exposure compliance.
Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This device is designed for the WLAN 2.4 GHz and/or 5 GHz networks throughout the EC region and Switzerland, with restrictions in France. Ce produit est conu pour les bandes de frquences 2,4 GHz et/ou 5 GHz conformment la lgislation Europenne. En France mtropolitaine, suivant les dcisions n03-908 et 03-909 de lARCEP, la puissance dmission ne devra pas dpasser 10 mW (10 dB) dans le cadre dune installation WiFi en extrieur pour les frquences comprises entre 2454 MHz et 2483,5 MHz. This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numrique de la classe B est conforme la norme NMB-003 du Canada. CLASS 1 LASER PRODUCT APPAREIL A LASER DE CLASS 1 NWA1121-NI Users Guide 197 Appendix E Legal Information PRODUCT COMPLIES WITH 21 CFR 1040.10 AND 1040.11. PRODUIT CONFORME SELON 21 CFR 1040.10 ET 1040.11. Viewing Certifications 1 Go to http://www.zyxel.com. 2 3 Select your product on the ZyXEL home page to go to that product's page. Select the certification you wish to view from this page. ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific period (the Warranty Period) from the date of purchase. The Warranty Period varies by region. Check with your vendor and/or the authorized ZyXEL local distributor for details about the Warranty Period of this product. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions. Note Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/
support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com. Open Source Licenses This product contains in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are provided with the firmware package. You can download the latest firmware at www.zyxel.com. To obtain the source code covered under those Licenses, please contact support@zyxel.com.tw to get it. 198 NWA1121-NI Users Guide Regulatory Information European Union Appendix E Legal Information The following information applies if you use the product within the European Union. Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive) Compliance Information for 2.4GHz and 5GHz Wireless Products Relevant to the EU and Other Countries Following the EU Directive 1999/5/EC (R&TTE Directive)
[Czech]
[Danish]
[German]
[Estonian]
English
[Spanish]
[Greek]
[French]
[Italian]
[Latvian]
ZyXEL tmto prohlauje, e tento zazen je ve shod se zkladnmi poadavky a dalmi pslunmi ustanovenmi smrnice 1999/5/EC. Undertegnede ZyXEL erklrer herved, at flgende udstyr udstyr overholder de vsentlige krav og vrige relevante krav i direktiv 1999/5/EF. Hiermit erklrt ZyXEL, dass sich das Gert Ausstattung in bereinstimmung mit den grundlegenden Anforderungen und den brigen einschlgigen Bestimmungen der Richtlinie 1999/5/EU befindet. Kesolevaga kinnitab ZyXEL seadme seadmed vastavust direktiivi 1999/5/E phinuetele ja nimetatud direktiivist tulenevatele teistele asjakohastele stetele. Hereby, ZyXEL declares that this equipment is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Por medio de la presente ZyXEL declara que el equipo cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE. ZyXEL 1999/5/C. Par la prsente ZyXEL dclare que l'appareil quipements est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/EC. Con la presente ZyXEL dichiara che questo attrezzatura conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE. Ar o ZyXEL deklar, ka iekrtas atbilst Direktvas 1999/5/EK btiskajm prasbm un citiem ar to saisttajiem noteikumiem.
[Lithuanian]
iuo ZyXEL deklaruoja, kad is ranga atitinka esminius reikalavimus ir kitas 1999/5/EB Direktyvos nuostatas.
[Dutch]
[Maltese]
[Hungarian]
[Polish]
[Portuguese]
[Slovenian]
[Slovak]
Hierbij verklaart ZyXEL dat het toestel uitrusting in overeenstemming is met de essentile eisen en de andere relevante bepalingen van richtlijn 1999/5/EC. Hawnhekk, ZyXEL, jiddikjara li dan tagmir jikkonforma mal-tiijiet essenzjali u ma provvedimenti orajn relevanti li hemm fid-Dirrettiva 1999/5/EC. Alulrott, ZyXEL nyilatkozom, hogy a berendezs megfelel a vonatkoz alapvet kvetelmnyeknek s az 1999/5/EK irnyelv egyb elrsainak. Niniejszym ZyXEL owiadcza, e sprzt jest zgodny z zasadniczymi wymogami oraz pozostaymi stosownymi postanowieniami Dyrektywy 1999/5/EC. ZyXEL declara que este equipamento est conforme com os requisitos essenciais e outras disposies da Directiva 1999/5/EC. ZyXEL izjavlja, da je ta oprema v skladu z bistvenimi zahtevami in ostalimi relevantnimi doloili direktive 1999/5/EC. ZyXEL tmto vyhlasuje, e zariadenia spa zkladn poiadavky a vetky prslun ustanovenia Smernice 1999/5/EC. NWA1121-NI Users Guide 199 Appendix E Legal Information
[Finnish]
[Swedish]
[Bulgarian]
[Icelandic]
[Norwegian]
[Romanian]
ZyXEL vakuuttaa tten ett laitteet tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sit koskevien direktiivin muiden ehtojen mukainen. Hrmed intygar ZyXEL att denna utrustning str I verensstmmelse med de vsentliga egenskapskrav och vriga relevanta bestmmelser som framgr av direktiv 1999/5/EC. ZyXEL , 1999/5/C. Hr me lsir, ZyXEL v yfir a essi bnaur er samrmi vi grunnkrfur og nnur vieigandi kvi tilskipunar 1999/5/EC. Erklrer herved ZyXEL at dette utstyret er I samsvar med de grunnleggende kravene og andre relevante bestemmelser I direktiv 1999/5/EF. Prin prezenta, ZyXEL declar c acest echipament este n conformitate cu cerinele eseniale i alte prevederi relevante ale Directivei 1999/5/EC. National Restrictions This product may be used in all EU countries (and other countries following the EU directive 1999/
5/EC) without any limitation except for the countries mentioned below:
Ce produit peut tre utilis dans tous les pays de lUE (et dans tous les pays ayant transposs la directive 1999/5/CE) sans aucune limitation, except pour les pays mentionns ci-dessous:
Questo prodotto utilizzabile in tutte i paesi EU (ed in tutti gli altri paesi che seguono le direttive EU 1999/5/EC) senza nessuna limitazione, eccetto per i paesii menzionati di seguito:
Das Produkt kann in allen EU Staaten ohne Einschrnkungen eingesetzt werden (sowie in anderen Staaten die der EU Direktive 1995/5/CE folgen) mit Aunahme der folgenden aufgefhrten Staaten:
In the majority of the EU and other European countries, the 2, 4- and 5-GHz bands have been made available for the use of wireless local area networks (LANs). Later in this document you will find an overview of countries inwhich additional restrictions or requirements or both are applicable. The requirements for any country may evolve. ZyXEL recommends that you check with the local authorities for the latest status of their national regulations for both the 2,4- and 5-GHz wireless LANs. The following countries have restrictions and/or requirements in addition to those given in the table labeled Overview of Regulatory Requirements for Wireless LANs:. Overview of Regulatory Requirements for Wireless LANs Frequency Band (MHz) Max Power Level Indoor ONLY Indoor and Outdoor 2400-2483.5 5150-5350 5470-5725 Belgium 200
(EIRP)1 (mW) 100 200 1000 V V V NWA1121-NI Users Guide Appendix E Legal Information The Belgian Institute for Postal Services and Telecommunications (BIPT) must be notified of any outdoor wireless link having a range exceeding 300 meters. Please check http://www.bipt.be for more details. Draadloze verbindingen voor buitengebruik en met een reikwijdte van meer dan 300 meter dienen aangemeld te worden bij het Belgisch Instituut voor postdiensten en telecommunicatie (BIPT). Zie http://www.bipt.be voor meer gegevens. Les liaisons sans fil pour une utilisation en extrieur dune distance suprieure 300 mtres doivent tre notifies lInstitut Belge des services Postaux et des Tlcommunications (IBPT). Visitez http://www.ibpt.be pour de plus amples dtails. Denmark In Denmark, the band 5150 - 5350 MHz is also allowed for outdoor usage. I Danmark m frekvensbndet 5150 - 5350 ogs anvendes udendrs. France For 2.4 GHz, the output power is restricted to 10 mW EIRP when the product is used outdoors in the band 2454 - 2483.5 MHz. There are no restrictions when used indoors or in other parts of the 2.4 GHz band. Check http://www.arcep.fr/ for more details. Pour la bande 2.4 GHz, la puissance est limite 10 mW en p.i.r.e. pour les quipements utiliss en extrieur dans la bande 2454 - 2483.5 MHz. Il n'y a pas de restrictions pour des utilisations en intrieur ou dans d'autres parties de la bande 2.4 GHz. Consultez http://www.arcep.fr/ pour de plus amples dtails. R&TTE 1999/5/EC WLAN 2.4 2.4835 GHz IEEE 802.11 b/g/n Location Frequency Range(GHz) Indoor (No restrictions) Outdoor 2.4 2.4835 2.4 2.454 2.454 2.4835 Power (EIRP) 100mW (20dBm) 100mW (20dBm) 10mW (10dBm) Italy This product meets the National Radio Interface and the requirements specified in the National Frequency Allocation Table for Italy. Unless this wireless LAN product is operating within the boundaries of the owner's property, its use requires a general authorization. Please check http://
www.sviluppoeconomico.gov.it/ for more details. Questo prodotto conforme alla specifiche di Interfaccia Radio Nazionali e rispetta il Piano Nazionale di ripartizione delle frequenze in Italia. Se non viene installato all 'interno del proprio fondo, l'utilizzo di prodotti Wireless LAN richiede una Autorizzazione Generale. Consultare http://
www.sviluppoeconomico.gov.it/ per maggiori dettagli. Latvia The outdoor usage of the 2.4 GHz band requires an authorization from the Electronic Communications Office. Please check http://www.esd.lv for more details. NWA1121-NI Users Guide 201 Appendix E Legal Information 2.4 GHz frekvenu joslas izmantoanai rpus telpm nepiecieama atauja no Elektronisko sakaru direkcijas. Vairk informcijas: http://www.esd.lv. Notes:
1. Although Norway, Switzerland and Liechtenstein are not EU member states, the EU Directive 1999/5/EC has also been implemented in those countries. 2. The regulatory limits for maximum output power are specified in EIRP. The EIRP level (in dBm) of a device can be calculated by adding the gain of the antenna used(specified in dBi) to the output power available at the connector (specified in dBm). 202 NWA1121-NI Users Guide Index Index Numbers 802.1x-Only 58 802.1x-Static128 58 802.1x-Static64 58 A access privileges 12 Accounting Server 88 Advanced Encryption Standard See AES. AES 189 Alerts 116 Alternative subnet mask notation 176 Antenna 92 antenna directional 193 gain 193 omni-directional 193 AP (access point) 183 Applications Access Point 14 AP + Bridge 14 applications MBSSID 12 Repeater 14 ATC 73 ATC+WMM 73 B Basic Service Set 56 see BSS Basic Service Set, See BSS 181 beacon 56 Beacon Interval 63, 65, 70 BSS 12, 56, 181 C CA 188 Certificate authentication 104 file format 104 Certificate Authority See CA. Certificates Fingerprint 113 MD5 113 public key 104 SHA1 113 Certification Authority 113 certifications 195 notices 197 viewing 198 Channel 56 channel 183 interference 183 command interface 15 Controlling network access, Ways of 11 copyright 195 CTS (Clear to Send) 184 D disclaimer 195 Distribution System 56 DNS 97, 119 Domain Name Server (DNS) 119 DS 56 DTIM Interval 63, 65, 70 dynamic WEP key exchange 188 NWA1121-NI Users Guide 203 Index E EAP 59 EAP Authentication 187 Encryption 59, 76, 80, 83, 85 encryption 14, 189 ESS 56, 182 Ethernet device 89 Extended Service Set 56 Extended Service Set, See ESS 182 Extensible Authentication Protocol 59 F Factory Defaults 126 restoring 21 FCC interference statement 195 Firmware 120 Fragmentation 63, 66, 68, 71 Fragmentation threshold 91 fragmentation threshold 184 FTP 103 restrictions 103 G Generic Token Card 59 GTC 59 H hidden node 183 I IANA 180 IBSS 181 IEEE 802.11g 185 IEEE 802.1x 57 204 Import Certificate 106 Independent Basic Service Set See IBSS 181 initialization vector (IV) 190 Internet Assigned Numbers Authority See IANA Internet Protocol version 6, see IPv6 Internet telephony 12 IP Address 94 Gateway IP address 94 IP Screen 94 DHCP 96 IPv6 95 addressing 95 global address 95 link-local address 95 Neighbor Discovery Protocol 95 ping 95 prefix 95 prefix length 95 K key 59, 77, 81, 83 L LEAP 59 LEDs 17, 129 Blinking 17 Flashing 17 Off 17 Lightweight Extensible Authentication Protocol 59 Log 49 Log Screens 115 Logs accessing logs 115 receiving logs via e-mail 116 Logs Screen Mail Server 117 Mail Subject 117 Send Log to 117 Syslog 118 Logs, Uses of 115 NWA1121-NI Users Guide M MAC Filter Allow Association 89 Deny Association 89 Maintenance 119 Association List 120 Backup 124 Restore 125 Management Information Base (MIB) 111 managing the device using Telnet. See command interface. using the command interface. See command interface. MBSSID 12 Media Access Control 89 Message Integrity Check (MIC) 189 message relay 60 Microsoft Challenge Handshake Authentication Protocol Version 2 59 MSCHAPv2 59 MSDU 63, 66, 71 N NAT 180 Network Time Protocol (NTP) 119 NTP 119 O Operating Mode 56 Output Power Management 63, 65, 68, 70 P Pairwise Master Key (PMK) 190, 191 Passphrase 59 Password 130 PEAP 59 Personal Information Exchange Syntax Standard 104 Index PFX PKCS#12 104 Preamble 91 preamble mode 185 Preamble Type 63, 66, 68, 71 Pre-Shared Key 59 priorities 92 product registration 198 Protected Extensible Authentication Protocol 59 PSK 59, 190 Q QoS 73 R Radio Frequency 92 RADIUS 59, 186 Accounting 60 Authentication 60 Authorization 60 message types 187 messages 187 shared secret key 187 RADIUS Screen Accounting Server 88 Accounting Server IP Address 88 RADIUS server 58 Backup 88 Primary 88 Rates Configuration 63, 66, 68, 71 registration product 198 Remote Authentication Dial In User Service 59 remote management 16 remote management limitations 102 Roaming 92 RootAP 14 RTS (Request To Send) 184 threshold 183, 184 RTS/CTS Threshold 63, 66, 68, 71, 91 NWA1121-NI Users Guide 205 Index S Security Mode, Choosing the 93 Security Modes 802.1x-Static64 58 IEEE 802.1x-Only 58 IEEE 802.1x-Static128 58 IEEE 802.1x-Static64 58 None 58 WEP 58 WPA 58 WPA2 58 WPA2-MIX 58 WPA2-PSK 58 Service Set IDentifier 56 Service Set Identifier see SSID Simple Mail Transfer Protocol 116 SMTP 116, 118 SNMP MIBs 111 traps 112 Spanning Tree Protocol 91 SSID 12, 56 SSID profile pre-configured 12 SSID profiles 12 Status Screens 25 802.11 Mode 50 Channel ID 50 Ethernet 25 FCS Error Count 50 Firmware Version 26 Interface Status 27 Poll Interval 50 Retry Count 50 Statistics 51 system statistics 25 WLAN 25 Subnet 173 Subnet Mask 94, 174 subnetting 176 Syslog Logging 116 System Screens General 120 Password 121 Time Time and Date Setup 122 Time Zone 122 system timeout 104 T telnet 106 Temporal Key Integrity Protocol 59 Temporal Key Integrity Protocol (TKIP) 189 TFTP restrictions 103 Thumbprint Algorithm 114 timeout 16 TKIP 59 TLS 59 trademarks 195 Transport Layer Security 59 Troubleshooting 129 connection is slow or intermittent 132 DHCP 130 factory defaults 131 firmware 131 Internet 131 LAN/ETHERNET port 131 QoS 132 Web Configurator 130 TTLS 59 Tunneled Transport Layer Security 59 Tutorial 29 U User Authentication 58 V Virtual Local Area Network 98 VLAN 98 introduction 98 VoIP 12, 73 206 NWA1121-NI Users Guide Index RTS/CTS Threshold 91 SSID 56 Wireless Client Mode 67 Wireless Mode 57 WMM QoS 91 WLAN interference 183 security parameters 192 WMM 73 WMM QoS 91 WPA 58, 189 key caching 190 pre-authentication 190 user authentication 190 vs WPA-PSK 190 wireless client supplicant 190 with RADIUS application example 191 WPA2 58, 189 user authentication 190 vs WPA2-PSK 190 wireless client supplicant 190 with RADIUS application example 191 WPA2-MIX 58 WPA2-Pre-Shared Key 189 WPA2-PSK 189, 190 application example 191 WPA2-PSK-MIX 58 WPA-PSK 189, 190 application example 191 Z ZyXEL Device Ethernet parameters 94 good habits 16 Introduction 11 managing 15 resetting 20, 126 Security Features 16 W warranty 198 note 198 WDS 14 Web Configurator 19 password 19 WEP 58 WEP key encrypting 93 Wi-Fi Multimedia QoS 92 Wi-Fi Protected Access 58, 189 Wired Equivalent Privacy 58 Wireless Client 42 wireless client WPA supplicants 190 Wireless Distribution System (WDS) 14 Wireless Mode 57 Wireless Mode, Choosing the Access Point 29 Bridge 29 Wireless Client 29 Wireless Security 16 how to improve 16 Levels 58 wireless security 12, 185 Wireless Security Screen 802.1x Only 77 Access Point 77, 80 Wireless Client 78, 82 802.1x Static 64-bit, 802.1x Static 128-bit 79 WEP 76 WPA 83 Access Point 84 Wireless Client 85 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX 86 Wireless Settings Screen 55 Access Point Mode 61 Antenna 92 AP + Bridge Mode 67 Bridge Mode 64 BSS 56 Channel 56 ESS 56 Fragmentation Threshold 91 Intra-BSS Traffic 91 Operating Mode 56 Preamble 91 Roaming 92 NWA1121-NI Users Guide 207 Index 208 NWA1121-NI Users Guide
1 2 | User Manual (Statements) | Users Manual | 11.93 KiB | June 08 2013 |
Federal Communication Commission Interference Statement This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help. FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. FOR MOBILE DEVICE USAGE (>20cm/low power) Radiation Exposure Statement:
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body. FOR COUNTRY CODE SELECTION USAGE (WLAN DEVICES) Note: The country code selection is for non-US model only and is not available to all US model. Per FCC regulation, all WiFi product marketed in US must fixed to US operation channels only.
1 2 | User Manual | Users Manual | 5.04 MiB | June 08 2013 |
Contents Overview Contents Overview Users Guide .........................................................................................................................................9 Introducing the NWA1121-NI ................................................................................................................... 11 Introducing the Web Configurator ...........................................................................................................19 Dashboard ...............................................................................................................................................25 Tutorial ....................................................................................................................................................29 Technical Reference ..........................................................................................................................47 Monitor ....................................................................................................................................................49 Wireless LAN ..........................................................................................................................................55 LAN .........................................................................................................................................................94 VLAN .......................................................................................................................................................98 System ..................................................................................................................................................101 Log Settings .......................................................................................................................................... 115 Maintenance .......................................................................................................................................... 119 Troubleshooting ....................................................................................................................................129 NWA1121-NI Users Guide 3 Contents Overview 4 NWA1121-NI Users Guide Table of Contents Table of Contents Contents Overview ..............................................................................................................................3 Table of Contents .................................................................................................................................5 Part I: Users Guide ........................................................................................... 9 Chapter 1 Introducing the NWA1121-NI.............................................................................................................. 11 1.1 Introducing the NWA1121-NI ............................................................................................................. 11 1.2 Wireless Modes ................................................................................................................................. 11 1.2.1 MBSSID ...................................................................................................................................12 1.2.2 Wireless Client .........................................................................................................................13 1.2.3 Root AP ...................................................................................................................................14 1.2.4 Repeater ..................................................................................................................................14 1.3 Ways to Manage the NWA1121-NI ...................................................................................................15 1.4 Configuring Your NWA1121-NIs Security Features ..........................................................................16 1.4.1 Control Access to Your Device ................................................................................................16 1.4.2 Wireless Security .....................................................................................................................16 1.5 Good Habits for Managing the NWA1121-NI ....................................................................................16 1.6 Hardware Connections ......................................................................................................................17 1.7 LED ...................................................................................................................................................17 Chapter 2 Introducing the Web Configurator ....................................................................................................19 2.1 Accessing the Web Configurator .......................................................................................................19 2.2 Resetting the NWA1121-NI ...............................................................................................................20 2.2.1 Methods of Restoring Factory-Defaults ...................................................................................21 2.3 Navigating the Web Configurator ......................................................................................................22 2.3.1 Title Bar ...................................................................................................................................22 2.3.2 Navigation Panel .....................................................................................................................23 2.3.3 Main Window ...........................................................................................................................24 Chapter 3 Dashboard ...........................................................................................................................................25 3.1 The Dashboard Screen .....................................................................................................................25 Chapter 4 Tutorial.................................................................................................................................................29 NWA1121-NI Users Guide 5 Table of Contents 4.1 How to Configure the Wireless LAN ..................................................................................................29 4.1.1 Choosing the Wireless Mode ...................................................................................................29 4.1.2 Further Reading .......................................................................................................................29 4.2 How to Configure Multiple Wireless Networks ..................................................................................29 4.2.1 Configure the SSID Profiles .....................................................................................................31 4.2.2 Configure the Standard Network .............................................................................................33 4.2.3 Configure the VoIP Network ....................................................................................................34 4.2.4 Configure the Guest Network ..................................................................................................36 4.2.5 Testing the Wireless Networks ................................................................................................38 4.3 NWA1121-NI Setup in AP and Wireless Client Modes ......................................................................38 4.3.1 Scenario ..................................................................................................................................38 4.3.2 Configuring the NWA1121-NI in MBSSID or Root AP Mode ...................................................39 4.3.3 Configuring the NWA1121-NI in Wireless Client Mode ............................................................42 4.3.4 MAC Filter Setup .....................................................................................................................44 4.3.5 Testing the Connection and Troubleshooting ..........................................................................45 Part II: Technical Reference............................................................................ 47 Chapter 5 Monitor.................................................................................................................................................49 5.1 Overview ...........................................................................................................................................49 5.2 What You Can Do .............................................................................................................................49 5.3 View Logs .........................................................................................................................................49 5.4 Statistics ............................................................................................................................................50 5.5 Association List .................................................................................................................................51 5.6 Channel Usage .................................................................................................................................52 Chapter 6 Wireless LAN.......................................................................................................................................55 6.1 Overview ...........................................................................................................................................55 6.2 What You Can Do in this Chapter .....................................................................................................55 6.3 What You Need To Know ..................................................................................................................56 6.4 Wireless Settings Screen ..................................................................................................................60 6.4.1 Root AP Mode .........................................................................................................................61 6.4.2 Repeater Mode ........................................................................................................................64 6.4.3 Wireless Client Mode ...............................................................................................................67 6.4.4 MBSSID Mode .........................................................................................................................69 6.5 SSID Screen .....................................................................................................................................72 6.5.1 Configuring SSID .....................................................................................................................73 6.6 Wireless Security Screen ..................................................................................................................74 6.6.1 Security: WEP .........................................................................................................................76 6 NWA1121-NI Users Guide Table of Contents 6.6.2 Security: 802.1x Only ..............................................................................................................77 6.6.3 Security: 802.1x Static WEP ....................................................................................................79 6.6.4 Security: WPA, WPA2, WPA2-MIX ..........................................................................................83 6.6.5 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX .................................................................86 6.7 RADIUS Screen ................................................................................................................................87 6.8 MAC Filter Screen .............................................................................................................................89 6.9 Technical Reference ..........................................................................................................................91 6.9.1 Additional Wireless Terms .......................................................................................................91 6.9.2 WMM QoS ...............................................................................................................................92 6.9.3 Security Mode Guideline .........................................................................................................93 Chapter 7 LAN ......................................................................................................................................................94 7.1 Overview ...........................................................................................................................................94 7.2 What You Can Do in this Chapter .....................................................................................................94 7.3 What You Need to Know ...................................................................................................................94 7.4 LAN IP Screen ..................................................................................................................................96 Chapter 8 VLAN ....................................................................................................................................................98 8.1 Overview ...........................................................................................................................................98 8.1.1 What You Can Do in This Chapter ...........................................................................................98 8.2 What You Need to Know ...................................................................................................................98 8.3 VLAN Screen ....................................................................................................................................99 Chapter 9 System ...............................................................................................................................................101 9.1 Overview .........................................................................................................................................101 9.2 What You Can Do in this Chapter ...................................................................................................101 9.3 What You Need To Know ................................................................................................................102 9.4 WWW Screen ..................................................................................................................................104 9.5 Certificates Screen ..........................................................................................................................105 9.6 Telnet Screen ..................................................................................................................................106 9.7 SNMP Screen .................................................................................................................................107 9.8 FTP Screen ..................................................................................................................................... 110 9.9 Technical Reference ........................................................................................................................ 111 9.9.1 MIB ........................................................................................................................................ 111 9.9.2 Supported MIBs ..................................................................................................................... 111 9.9.3 SNMP Traps .......................................................................................................................... 112 9.9.4 Private-Public Certificates ..................................................................................................... 113 9.9.5 Certification Authorities .......................................................................................................... 113 9.9.6 Checking the Fingerprint of a Certificate on Your Computer ................................................. 113 NWA1121-NI Users Guide 7 Table of Contents Chapter 10 Log Settings ...................................................................................................................................... 115 10.1 Overview ....................................................................................................................................... 115 10.2 What You Can Do in this Chapter ................................................................................................. 115 10.3 What You Need To Know .............................................................................................................. 116 10.4 Log Settings Screen ...................................................................................................................... 116 Chapter 11 Maintenance ...................................................................................................................................... 119 11.1 Overview ....................................................................................................................................... 119 11.2 What You Can Do in this Chapter .................................................................................................. 119 11.3 What You Need To Know ...............................................................................................................120 11.4 General Screen .............................................................................................................................120 11.5 Password Screen ..........................................................................................................................121 11.6 Time Screen ..................................................................................................................................122 11.7 Firmware Upgrade Screen ............................................................................................................123 11.8 Configuration File Screen ..............................................................................................................124 11.8.1 Backup Configuration ...........................................................................................................124 11.8.2 Restore Configuration ..........................................................................................................125 11.8.3 Back to Factory Defaults ......................................................................................................126 11.9 Restart Screen ..............................................................................................................................126 Chapter 12 Troubleshooting................................................................................................................................129 12.1 Power, Hardware Connections, and LEDs ....................................................................................129 12.2 NWA1121-NI Access and Login ....................................................................................................130 12.3 Internet Access .............................................................................................................................131 Appendix A Setting Up Your Computers IP Address ......................................................................133 Appendix B Pop-up Windows, JavaScript and Java Permissions ...................................................161 Appendix C IP Addresses and Subnetting.......................................................................................173 Appendix D Wireless LANs..............................................................................................................181 Appendix E Legal Information..........................................................................................................195 Index ..................................................................................................................................................203 8 NWA1121-NI Users Guide PART I Users Guide 9 10 CHAPTER 1 Introducing the NWA1121-NI This chapter introduces the main applications and features of the NWA1121-NI. It also discusses the ways you can manage your NWA1121-NI. 1.1 Introducing the NWA1121-NI Your NWA1121-NI is an IPv6 wireless AP (Access Point) that can function in several wireless modes. It extends the range of your existing wired network without additional wiring, providing easy network access to mobile users. The NWA1121-NI controls network access with MAC address filtering and RADIUS server authentication. It also provides a high level of network traffic security, supporting IEEE 802.1x, Wi-
Fi Protected Access (WPA), WPA2 and WEP data encryption. Its Quality of Service (QoS) features allow you to prioritize time-sensitive or highly important applications such as VoIP. Your NWA1121-NI is easy to install, configure and use. The embedded Web-based configurator enables simple, straightforward management and maintenance. See the Quick Start Guide for instructions on how to make hardware connections. 1.2 Wireless Modes The NWA1121-NI can be configured to use the following WLAN operating modes:
UNIVERSAL REPEATER FUNCTION AP FUNCTION No No Yes Yes Yes No Yes Yes OPERATING MODE NUMBER OF SUPPORTED SSID 8 1 5 1 MBSSID Client Root AP Repeater 1 MBSSID 2 3 4 Client Root AP Repeater Applications for each operating mode are shown below. NWA1121-NI Users Guide 11 Chapter 1 Introducing the NWA1121-NI 1.2.1 MBSSID A Basic Service Set (BSS) is the set of devices forming a single wireless network (usually an access point and one or more wireless clients). The Service Set IDentifier (SSID) is the name of a BSS. In Multiple BSS (MBSSID) mode, the NWA1121-NI provides multiple virtual APs, each forming its own BSS and using its own individual SSID profile. You can configure up to eight multiple SSID profiles, and have all of them active at any one time. You can assign different wireless and security settings to each SSID profile. This allows you to compartmentalize groups of users, set varying access privileges, and prioritize network traffic to and from certain BSSs. To the wireless clients in the network, each SSID appears to be a different access point. As in any wireless network, clients can associate only with the SSIDs for which they have the correct security settings. For example, you might want to set up a wireless network in your office where Internet telephony
(VoIP) users have priority. You also want a regular wireless network for standard users, as well as a guest wireless network for visitors. In the following figure, VoIP_SSID users have QoS priority, SSID01 is the wireless network for standard users, and Guest_SSID is the wireless network for guest users. In this example, the guest user is forbidden access to the wired Land Area Network
(LAN) behind the AP and can access only the Internet. Figure 1 Multiple BSSs 12 NWA1121-NI Users Guide Chapter 1 Introducing the NWA1121-NI 1.2.2 Wireless Client The NWA1121-NI can be used as a wireless client to communicate with an existing network. In the figure below, the printer can receive requests from the wired computer clients A and B via the NWA1121-NI in Client mode (Z). Figure 2 Wireless Client Application NWA1121-NI Users Guide 13 Chapter 1 Introducing the NWA1121-NI 1.2.3 Root AP In Root AP mode, the NWA1121-NI (Z) can act as the root AP in a wireless network and also allow repeaters (X and Y) to extend the range of its wireless network at the same time. In the figure below, both clients A, B and C can access the wired network through the root AP. Figure 3 Root AP Application On the NWA1121-NI in Root AP mode, you can have up to four multiple SSIDs active for reqular wireless connections and one SSID for the connection with a repeater (universal repeater SSID). Wireless clients can use either SSID to associate with the NWA1121-NI in Root AP mode. A repeater must use the universal repeater SSID to connect to the NWA1121-NI in Root AP mode. When the NWA1121-NI is in Root AP mode, universal repeater security between the NWA1121-NI and other repeater is independent of the security between the wireless clients and the AP or repeater. If you do not enable universal repeater security, traffic between APs is not encrypted. When universal repeater security is enabled, both APs and repeaters must use the same pre-shared key. See Section 6.6 on page 74 for more details. Unless specified, the term security settings refers to the traffic between the wireless clients and the AP. At the time of writing, universal repeater security is compatible with the NWA1121-NI only. 1.2.4 Repeater The NWA can act as a wireless network repeater to extend a root APs wireless network range, and also establish wireless connections with wireless clients. Using Repeater mode, your NWA1121-NI can extend the range of the WLAN. In the figure below, the NWA1121-NI in Repeater mode (Z) has a wireless connection to the NWA1121-NI in Root AP mode (X) which is connected to a wired network and also has a wireless connection to another NWA1121-NI in Repeater mode (Y) at the same time. Z and Y act as repeaters that forward traffic 14 NWA1121-NI Users Guide Chapter 1 Introducing the NWA1121-NI between associated wireless clients and the wired LAN. Clients A, B and C access the AP and the wired network behind the AP throught repeaters Z and Y. Figure 4 Repeater Application When the NWA1121-NI is in Repeater mode, universal repeater security between the NWA1121-NI and other repeater is independent of the security between the wireless clients and the AP or repeater. If you do not enable universal repeater security, traffic between APs is not encrypted. When universal repeater security is enabled, both APs and repeaters must use the same pre-shared key. See Section 6.6 on page 74 for more details. Once the security settings of peer sides match one another, the connection between devices is made. At the time of writing, universal repeater security is compatible with the NWA1121-NI only. 1.3 Ways to Manage the NWA1121-NI Use any of the following methods to manage the NWA1121-NI. Web Configurator. This is recommended for everyday management of the NWA1121-NI using a
(supported) web browser. Command Line Interface. Line commands are mostly used for troubleshooting by service engineers. FTP (File Transfer Protocol) for firmware upgrades. SNMP (Simple Network Management Protocol). The device can be monitored by an SNMP manager. NWA1121-NI Users Guide 15 Chapter 1 Introducing the NWA1121-NI 1.4 Configuring Your NWA1121-NIs Security Features Your NWA1121-NI comes with a variety of security features. This section summarizes these features and provides links to sections in the Users Guide to configure security settings on your NWA1121-NI. Follow the suggestions below to improve security on your NWA1121-NI and network. 1.4.1 Control Access to Your Device Ensure only people with permission can access your NWA1121-NI. Control physical access by locating devices in secure areas, such as locked rooms. Most NWA1121-NIs have a reset button. If an unauthorized person has access to the reset button, they can then reset the devices password to its default password, log in and reconfigure its settings. Change any default passwords on the NWA1121-NI, such as the password used for accessing the NWA1121-NIs web configurator (if it has a web configurator). Use a password with a combination of letters and numbers and change your password regularly. Write down the password and put it in a safe place. Avoid setting a long timeout period before the NWA1121-NIs web configurator automatically times out. A short timeout reduces the risk of unauthorized person accessing the web configurator while it is left idle. See Section 11.5 on page 121 for instructions on changing your password and setting the timeout period. Configure remote management to control who can manage your NWA1121-NI. See Chapter 9 on page 101 for more information. If you enable remote management, ensure you have enabled remote management only on the IP addresses, services or interfaces you intended and that other remote management settings are disabled. 1.4.2 Wireless Security Wireless devices are especially vulnerable to attack. If your NWA1121-NI has a wireless function, take the following measures to improve wireless security. Enable wireless security on your NWA1121-NI. Choose the most secure encryption method that all devices on your network support. See Section 6.6 on page 74 for directions on configuring encryption. If you have a RADIUS server, enable IEEE 802.1x or WPA(2) user identification on your network so users must log in. This method is more common in business environments. Hide your wireless network name (SSID). The SSID can be regularly broadcast and unauthorized users may use this information to access your network. See Section 6.5 on page 72 for directions on using the web configurator to hide the SSID. Enable the MAC filter to allow only trusted users to access your wireless network or deny unwanted users access based on their MAC address. See Section 6.8 on page 89 for directions on configuring the MAC filter. 1.5 Good Habits for Managing the NWA1121-NI Do the following things regularly to make the NWA1121-NI more secure and to manage it more effectively. 16 NWA1121-NI Users Guide 1.6 Hardware Connections See your Quick Start Guide for information on making hardware connections. Chapter 1 Introducing the NWA1121-NI 1.7 LED Figure 5 LED Table 1 LED COLOR Amber Green STATUS On Flashing Off Blinking Off DESCRIPTION There is system error and the NWA1121-NI cannot boot up, or the NWA1121-NI doesnt have an Ethernet connection with the LAN. The NWA1121-NI is starting up. The NWA1121-NI is receiving power and ready for use. The WLAN is active, and transmitting or receiving data. The WLAN is not active. NWA1121-NI Users Guide 17 Chapter 1 Introducing the NWA1121-NI 18 NWA1121-NI Users Guide CHAPTER 2 Introducing the Web Configurator This chapter describes how to access the NWA1121-NIs web configurator and provides an overview of its screens. 2.1 Accessing the Web Configurator 1 Make sure your hardware is properly connected and prepare your computer or computer network to connect to the NWA1121-NI (refer to the Quick Start Guide). 2 3 4 5 Launch your web browser. Type "192.168.1.2" as the URL (default). The login screen appears. Figure 6 The Login Screen Type admin as the (default) username and 1234 as the (default) password. Click Login. You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) then click Apply. Alternatively, click Ignore. NWA1121-NI Users Guide 19 Chapter 2 Introducing the Web Configurator Note: If you do not change the password, the following screen appears every time you login. Figure 7 Change Password Screen You should now see the Dashboard screen. See Chapter 2 on page 19 for details about the Dashboard screen. Note: For security reasons, the NWA1121-NI automatically logs you out if you do not use the web configurator for five minutes (default). Simply log back into the NWA1121-
NI if this happens. 2.2 Resetting the NWA1121-NI If you forget your password or cannot access the web configurator, you will need to use the RESET button at the rear panel of the NWA1121-NI. This replaces the current configuration file with the 20 NWA1121-NI Users Guide Chapter 2 Introducing the Web Configurator factory-default configuration file. This means that you will lose all the settings you previously configured. The password will be reset to 1234. Figure 8 The RESET Button 2.2.1 Methods of Restoring Factory-Defaults You can erase the current configuration and restore factory defaults in two ways:
Use the RESET button to upload the default configuration file. Hold this button in for about 3 seconds (the light will begin to blink). Use this method for cases when the password or IP address of the NWA1121-NI is not known. Use the web configurator to restore defaults (refer to Section 11.8 on page 124). NWA1121-NI Users Guide 21 Chapter 2 Introducing the Web Configurator 2.3 Navigating the Web Configurator The following summarizes how to navigate the web configurator from the Dashboard screen. Figure 9 Status Screen of the Web Configurator B A C As illustrated above, the Web Configurator screen is divided into these parts:
A - title bar B - navigation panel C - main window 2.3.1 Title Bar Click Logout at any time to exit the Web Configurator. Click ZAbout to open the about window, which provides information of the boot module and driver versions. 22 NWA1121-NI Users Guide Chapter 2 Introducing the Web Configurator 2.3.2 Navigation Panel Use the menu items on the navigation panel to open screens to configure NWA1121-NI features. The following tables describe each menu item. Table 2 Navigation Panel Summary LINK Dashboard TAB FUNCTION This screen shows the NWA1121-NIs general device and network status information. Use this screen to access the statistics and client list. View Log Use this screen to view the logs for the categories that you selected. Use this screen to view port status, packet specific statistics, the
"system up time" and so on. Use this screen to view the wireless stations that are currently associated to the NWA1121-NI. Use this screen to know whether a channel is used by another wireless network or not. Monitor Logs Statistics Association List Channel Usage Configuration Network Wireless LAN Wireless Settings SSID Security RADIUS MAC Filter Use this screen to configure the wireless LAN settings and NWA1121-
NIs operation mode. Use this screen to configure up to eight SSID profiles for your NWA1121-NI. Use this screen to configure wireless security profiles on the NWA1121-NI. Use this screen to configure up to four RADIUS profiles. Use this screen to configure MAC filtering profiles. Use this screen to configure the NWA1121-NIs LAN IP address. Use this screen to configure the NWA1121-NIs VLAN settings. Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTP to manage the NWA1121-
NI. LAN VLAN System WWW Certificates Use this screen to import or remove a certificate from the NWA1121-
NI. Telent SNMP FTP Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the NWA1121-
NI. Use this screen to configure the NWA1121-NI for SNMP management. Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the NWA1121-NI. Use this screen to change your log settings. Use this screen to configure your devices name. Use this screen to configure your devices password. Use this screen to change your NWA1121-NIs time and date. Log Settings Maintenance General Password Time Firmware Upgrade Use this screen to upload firmware to your device. NWA1121-NI Users Guide 23 Chapter 2 Introducing the Web Configurator Table 2 Navigation Panel Summary LINK Configuration File TAB Restart FUNCTION Use this screen to backup and restore your devices configuration
(settings) or reset the factory default settings. Use this screen to reboot the NWA1121-NI without turning the power off. 2.3.3 Main Window The main window displays information and configuration fields. It is discussed in the rest of this document. 24 NWA1121-NI Users Guide CHAPTER 3 Dashboard The Dashboard screens display when you log into the NWA1121-NI, or click Dashboard in the navigation menu. Use the Dashboard screen to look at the current status of the device, system resources, and interfaces. The Dashboard screens also provide detailed information about system statistics, associated wireless clients, and logs. 3.1 The Dashboard Screen Use this screen to get a quick view of system, Ethernet, WLAN and other information regarding your NWA1121-NI. Click Dashboard. The following screen displays. Figure 10 The Dashboard Screen NWA1121-NI Users Guide 25 Chapter 3 Dashboard The following table describes the labels in this screen. Table 3 The Dashboard Screen LABEL Refresh Interval DESCRIPTION Select how often you want the NWA1121-NI to update this screen. Refresh Now Click this to update this screen immediately. System Information System Name WLAN Operating Mode Firmware Version This field displays the NWA1121-NI system name. It is used for identification. You can change this in the Maintenance > General screens System Name field. This field displays the current operating mode of the first wireless module
(RootAP, Repeater, Client, or MBSSID). You can change the operating mode in the Configuration > Wireless LAN > Wireless Settings screen. This field displays the current version of the firmware inside the device. It also shows the date the firmware version was created. You can change the firmware version by uploading new firmware in Maintenance > Firmware Upgrade. Serial Number This field displays the serial number of the NWA1121-NI. Ethernet Information LAN MAC Address IPv4 Address Subnet Mask Gateway IP Address IPv6 Address Link Local Global WLAN Information SSID Channel Status This displays the MAC (Media Access Control) address of the NWA1121-NI on the LAN. Every network device has a unique MAC address which identifies it across the network. This field displays the current IPv4 address of the NWA1121-NI on the network. Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks. This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN port. The gateway helps forward packets to their destinations. This field displays the current IPv6 address(es) of the NWA1121-NI on the network. This is the IPv6 link-local address that the NWA1121-NI generates automatically. This is the NWA1121-NIs IPv6 global address that you specify manually in the Configuration > LAN screen. This field displays the SSID (Service Set Identifier). This is available only when the WLAN operation mode is Client. The channel or frequency used by the NWA1121-NI to send and receive information. This shows the current status of the wireless LAN. This is available only when the WLAN operation mode is Client. Security Mode This displays the security mode the NWA1121-NI is using. This is available only when the WLAN operation mode is Client. Summary Statistics Click this link to view port status and packet specific statistics. See Section 5.4 on page 50. Association List Click this to see a list of wireless clients currently associated to each of the NWA1121-NIs wireless modules. See Section 5.5 on page 51. View Log System Status Click this to see a list of logs produced by the NWA1121-NI. See Section 5.3 on page 49. System Up Time This field displays the elapsed time since the NWA1121-NI was turned on. 26 NWA1121-NI Users Guide Table 3 The Dashboard Screen (continued) LABEL DESCRIPTION This field displays the date and time configured on the NWA1121-NI. You can change this in the Maintenance > Time screen. Chapter 3 Dashboard Current Date/Time System Resource CPU Usage Memory Usage Interface Status Interface Status Channel Rate This field displays what percentage of the NWA1121-NIs processing ability is currently being used. The higher the CPU usage, the more likely the NWA1121-NI is to slow down. This field displays what percentage of the NWA1121-NIs volatile memory is currently in use. The higher the memory usage, the more likely the NWA1121-NI is to slow down. Some memory is required just to start the NWA1121-NI and to run the web configurator. This column displays each interface of the NWA1121-NI. This field indicates whether or not the NWA1121-NI is using the interface. For each interface, this field displays Up when the NWA1121-NI is using the interface and Down when the NWA1121-NI is not using the interface. This shows the channel number which the NWA1121-NI is currently using over the wireless LAN. For the LAN port this displays the port speed and duplex setting. For the WLAN interface, it displays the downstream and upstream transmission rate or N/A if the interface is not in use. SSID Status This section is not available when the WLAN operation mode is Client. Interface SSID BSSID Security VLAN This column displays each of the NWA1121-NIs wireless interfaces. This field displays the SSID(s) currently used by each wireless module. This field displays the MAC address of the wireless module. This field displays the type of wireless security used by each SSID. This field displays the VLAN ID of each SSID in use, or Disabled if the SSID does not use VLAN. NWA1121-NI Users Guide 27 Chapter 3 Dashboard 28 NWA1121-NI Users Guide CHAPTER 4 Tutorial This chapter first provides an overview of how to configure the wireless LAN on your NWA1121-NI, and then gives step-by-step guidelines showing how to configure your NWA1121-NI for some example scenarios. 4.1 How to Configure the Wireless LAN This section illustrates how to choose which wireless operating mode to use on the NWA1121-NI and how to set up the wireless LAN in each wireless mode. See Section 4.1.2 on page 29 for links to more information on each step. 4.1.1 Choosing the Wireless Mode Use MBSSID (Multiple Basic Service Set Identifier) operating mode if you want to use the NWA1121-NI as an access point with some groups of users having different security or QoS settings from other groups of users. See Section 1.2.1 on page 12 for details. Use Client operating mode if you want to use the NWA1121-NI to access a wireless network. See Section 1.2.2 on page 13 for details. Use Root AP operating mode if you want to allow wireless clients to access your wired network through the NWA1121-NI and also have repeaters communicate with the NWA1121-NI to expand wireleass coverage. See Section 1.2.3 on page 14 for details. Use Repeater operating mode if you want to use the NWA1121-NI to communicate with the root AP or other repeaters. See Section 1.2.4 on page 14 for details. 4.1.2 Further Reading Use these links to find more information on the steps:
Choosing 802.11 Mode: see Section 6.4 on page 60. Choosing a wireless Channel ID: see Section 6.4 on page 60. Choosing a Security mode: see Section 6.6 on page 74. Configuring an external RADIUS server: see Section 6.7 on page 87. Configuring MAC Filtering: see Section 6.8 on page 89. 4.2 How to Configure Multiple Wireless Networks In this example, you have been using your NWA1121-NI as an access point for your office network. Now your network is expanding and you want to make use of the MBSSID feature (see Section NWA1121-NI Users Guide 29 Chapter 4 Tutorial 6.4.4 on page 69) to provide multiple wireless networks. Each wireless network will cater to a different type of user. You want to make three wireless networks: one standard office wireless network with all the same settings you already have, another wireless network with high priority QoS settings for Voice over IP (VoIP) users, and a guest network that allows visitors to access only the Internet and the network printer. To do this, you will take the following steps:
Edit the SSID profiles. Change the operating mode from Root AP to MBSSID and reactivate the standard network. Configure different security modes for the networks. Configure a wireless network for standard office use. Configure a wireless network for VoIP users. Configure a wireless network for guests to your office. 1 2 3 4 5 6 The following figure shows the multiple networks you want to set up. Your NWA1121-NI is marked Z, the main network router is marked A, and your network printer is marked B. B A Z The standard network (SSID01) has access to all resources. The VoIP network (VoIP_SSID) has access to all resources and a high QoS priority. The guest network (Guest_SSID) has access to the Internet and the network printer only, and a low QoS priority. 30 NWA1121-NI Users Guide To configure these settings, you need to know the Media Access Control (MAC) addresses of the devices you want to allow users of the guest network to access. The following table shows the addresses used in this example. Chapter 4 Tutorial Table 4 Tutorial: Example Information Network router (A) MAC address 00:AA:00:AA:00:AA Network printer (B) MAC address AA:00:AA:00:AA:00 4.2.1 Configure the SSID Profiles 1 2 Log in to the NWA1121-NI (see Section 2.1 on page 19). Click Wireless LAN > SSID. The SSID screen appears. Click the Edit icon next to the Profile1. 3 Rename the Profile Name and SSID as SSID01. Click Apply. 4 Repeat Step 2 and 3 to change Profile2 and Profile3 to VoIP_SSID and Guest_SSID. NWA1121-NI Users Guide 31 Chapter 4 Tutorial 4.2.1.1 MBSSID 1 Go to Wireless LAN > Wireless Settings. Select MBSSID from the Operation Mode drop-down list box. 2 3 4 SSID01 is the standard network, so select SSID01 as the first profile. It is always active. Select VoIP_SSID as the second profile, and Guest_SSID as the third profile. Select the corresponding Active check-boxes. Click Apply to save your settings. Now the three SSIDs are activated. 32 NWA1121-NI Users Guide 4.2.2 Configure the Standard Network 1 Click Wireless LAN > SSID. Click the Edit icon next to SSID01. Chapter 4 Tutorial 2 Select SecProfile1 as SSID01s security profile. Select the Hidden SSID checkbox as you want only authorized company employees to use this network, so there is no need to broadcast the SSID to wireless clients scanning the area. Also, the clients on SSID01 might need to access other clients on the same wireless network. Do not select the Intra-BSS Traffic blocking check-box. Click Apply. NWA1121-NI Users Guide 33 Chapter 4 Tutorial 3 Next, click Wireless LAN > Security. Click the Edit icon next to SecProfile1. 4 Since SSID01 is the standard network that has access to all resources, assign a more secure security mode. Select WPA2-PSK-MIX as the Security Mode, and enter the Pre-Shared Key. In this example, use ThisisSSID01PreSharedKey. Click Apply. 5 You have finished configuring the standard network, SSID01. 4.2.3 Configure the VoIP Network 1 Go to Wireless LAN > SSID. Click the Edit icon next to VoIP_SSID. 2 Select SecProfile2 as the Security Profile for the VoIP network. Select the Hidden SSID check-
box. 34 NWA1121-NI Users Guide 3 Select WMM_VOICE in the QoS field to give VoIP the highest priority in the wireless network. Click Apply. Chapter 4 Tutorial 4 Next, click Wireless LAN > Security. Click the Edit icon next to SecProfile2. NWA1121-NI Users Guide 35 Chapter 4 Tutorial 5 6 Select WPA2-PSK as the Security Mode, and enter the Pre-Shared Key. In this example, use ThisisVoIPPreSharedKey. Click Apply. Your VoIP wireless network is now ready to use. Any traffic using the VoIP_SSID profile will be given the highest priority across the wireless network. 4.2.4 Configure the Guest Network When you are setting up the wireless network for guests to your office, your primary concern is to keep your network secure while allowing access to certain resources (such as a network printer, or the Internet). For this reason, the pre-configured Guest_SSID profile has intra-BSS traffic blocking enabled by default. Intra-BSS traffic blocking means that the client cannot access other clients on the same wireless network. 1 Click Wireless LAN > SSID. Click the Edit icon next to Guest_SSID. 2 3 36 Select SecProfile3 in the Security field. Do not select the Hidden SSID check-box so the guests can easily find the wireless network. Select WMM_BESTEFFORT in the QoS field to give the guest a lower QoS priority. NWA1121-NI Users Guide 4 Select the check-box of Intra-BSS Traffic blocking Enabled. Click Apply. Chapter 4 Tutorial 5 Next, click Wireless LAN > Security. Click the Edit icon next to SecProfile3. 6 Select WPA-PSK in the Security Mode field. WPA-PSK provides strong security that is supported by most wireless clients. Even though your Guest_SSID clients do not have access to sensitive information on the network, you should not leave the network without security. An attacker could still cause damage to the network or intercept unsecured communications or use your Internet access for illegal activities. NWA1121-NI Users Guide 37 Chapter 4 Tutorial 7 Enter the PSK you want to use in your network in the Pre Shared Key field. In this example, the PSK is ThisismyGuestWPApre-sharedkey. Click Apply. 8 Your guest wireless network is now ready to use. 4.2.5 Testing the Wireless Networks To make sure that the three networks are correctly configured, do the following. On a computer with a wireless client, scan for access points. You should see the Guest_SSID network, but not the SSID01 and VoIP_SSID networks. If you can see the SSID01 and VoIP_SSID networks, go to its SSID Edit screen and make sure to select the Hidden SSID check-box and click Apply. Try to access each network using the correct security settings, and then using incorrect security settings, such as the WPA-PSK for another active network. If the behavior is different from expected (for example, if you can access the SSID01 or VoIP_SSID wireless network using the security settings for the Guest_SSID wireless network) check that the SSID profile is set to use the correct security profile, and that the settings of the security profile are correct. 4.3 NWA1121-NI Setup in AP and Wireless Client Modes This example shows you how to restrict wireless access to your NWA1121-NI. 4.3.1 Scenario In the figure below, there are two NWA1121-NIs (A and B) in the network. A is in MBSSID or root AP mode while station B is in wireless client mode. Station B is connected to a File Transfer Protocol
(FTP) server. You want only specified wireless clients to be able to access station B. You also want 38 NWA1121-NI Users Guide to allow wireless traffic between B and wireless clients connected to A (W, Y and Z). Other wireless devices (X) must not be able to connect to the FTP server. Figure 11 FTP Server Connected to a Wireless Client Chapter 4 Tutorial 4.3.2 Configuring the NWA1121-NI in MBSSID or Root AP Mode Before setting up the NWA1121-NI as a wireless client (B), you need to make sure there is an access point to connect to. Use the Ethernet port on NWA1121-NI (A) to configure it via a wired connection. NWA1121-NI Users Guide 39 Chapter 4 Tutorial Log into the Web Configurator on NWA1121-NI (A) and go to the Wireless LAN > Wireless Settings screen. Set the Operation Mode to Root AP. Select the Wireless Mode. In this example, select 802.11b/g/n. Select Profile1 as the SSID Profile. Choose the Channel you want NWA1121-NI (A) to use. Click Apply. 1 2 3 4 5 40 NWA1121-NI Users Guide 6 Go to Wireless LAN > SSID. Click the Edit icon next to Profile1. Chapter 4 Tutorial 7 8 9 Change the SSID to AP-A. Select SecProfile1 in the Security field. Select the check-box for Intra-BSS Traffic blocking Enabled so the client cannot access other clients on the same wireless network. 10 Click Apply. NWA1121-NI Users Guide 41 Chapter 4 Tutorial 11 Go to Wireless LAN > Security. Click the Edit icon next to SecProfile1. 12 Configure WPA-PSK as the Security Mode and enter ThisisMyPreSharedKey in the Pre-
Shared Key field. 13 Click Apply to finish configuration for NWA1121-NI (A). 4.3.3 Configuring the NWA1121-NI in Wireless Client Mode The NWA1121-NI (B) should have a wired connection before it can be set to wireless client operating mode. Connect your NWA1121-NI to the FTP server. Login to NWA1121-NI (B)s Web Configurator and go to the Wireless LAN > Wireless Settings screen. Follow these steps to configure station B. 42 NWA1121-NI Users Guide 1 Select Client as Operation Mode. Click Apply. Chapter 4 Tutorial 2 3 Click on the Site Survey button. A window should pop up which contains a list of all available wireless devices within your NWA1121-NIs range. Find and select NWA1121-NI (A)s SSID: AP-A. NWA1121-NI Users Guide 43 Chapter 4 Tutorial 4 Go to Wireless LAN > Security to configure the NWA1121-NI to use the same security mode and Pre-Shared Key as NWA1121-NI (A): WPA-PSK/ThisisMyPreSharedKey. Click Apply. Figure 12 4.3.4 MAC Filter Setup One way to ensure that only specified wireless clients can access the FTP server is by enabling MAC filtering on NWA1121-NI (B) (See Section 6.8 on page 89 for more information on MAC Filter). 1 Go to Wireless LAN > MAC Filter. Click the Edit icon next to MacProfile1. 2 Select Allow in the Access Control Mode field. Enter the MAC addresses of the wireless clients
(W, Y and Z) you want to associate with the NWA1121-NI. Click Apply. Now, only the authorized wireless clients (W, Y and Z) can access the FTP server. 44 NWA1121-NI Users Guide Chapter 4 Tutorial 4.3.5 Testing the Connection and Troubleshooting This section discusses how you can check if you have correctly configured your network setup as described in this tutorial. Try accessing the FTP server from wireless clients W, Y or Z. Test if you can send or retrieve a file. If you cannot establish a connection with the FTP server, do the following steps. 1 Make sure W, Y and Z use the same wireless security settings as A and can access A. 2 Make sure B uses the same wireless and wireless security settings as A and can access A. 3 Make sure intra-BSS traffic is enabled on A. Try accessing the FTP server from X. If you are able to access the FTP server, do the following. 1 Make sure MAC filtering is enabled. 2 Make sure Xs MAC address is not entered in the list of allowed devices. NWA1121-NI Users Guide 45 Chapter 4 Tutorial 46 NWA1121-NI Users Guide PART II Technical Reference The appendices provide general information. Some details may not apply to your NWA1121-NI. 47 48 CHAPTER 5 Monitor 5.1 Overview This chapter discusses read-only information related to the device state of the NWA1121-NI. Note: To access the Monitor screens, you can also click the links in the Summary table of the Dashboard screen to view the wireless packets sent/received as well as the status of clients connected to the NWA1121-NI. 5.2 What You Can Do Use the Logs screen to see the logs for the categories that you selected in the Configuration >
Log Settings screen (see Section 5.3 on page 49). You can view logs in this page. Once the log entries are all used, the log will wrap around and the old logs will be deleted. use the Statistics screen to view 802.11 mode, channel number, wireless packet specific statistics and so on (see Section 5.4 on page 50). Use the Association List screen to view the wireless devices that are currently associated to the NWA1121-NI (see Section 5.5 on page 51). Use the Channel Usage screen to view whether a channel is used by another wireless network or not. If a channel is being used, you should select a channel removed from it by five channels to completely avoid overlap (see Section 5.6 on page 52). 5.3 View Logs Use the Logs screen to see the logged messages for the NWA1121-NI. Log entries in red indicate system error logs. The log wraps around and deletes the old entries after it fills. NWA1121-NI Users Guide 49 Chapter 5 Monitor Click Monitor > Logs. Figure 13 Logs The following table describes the labels in this screen. Table 5 Logs LABEL Display E-Mail Log Now Refresh Clear Log
Time Message Source DESCRIPTION Select a category of logs to view. Select All Log to view logs from all of the log categories that you selected in the Configuration > Log Settings screen. Click E-Mail Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the E-mail Log Settings fields in Configuration > Log Settings). Click Refresh to renew the log screen. Click Clear Log to delete all the logs. This field is a sequential value and is not associated with a specific entry. This field displays the time the log was recorded. This field states the reason for the log. This field lists the source IP address and the port number of the incoming packet. 5.4 Statistics Use this screen to view read-only information, including 802.11 Mode, Channel ID, Retry Count and FCS Error Count. Also provided is the "poll interval". The Poll Interval field is configurable and is used for refreshing the screen. 50 NWA1121-NI Users Guide Click Monitor > Statistics. The following screen pops up. Figure 14 Statistics Chapter 5 Monitor The following table describes the labels in this screen. Table 6 Statistics LABEL Description 802.11 Mode Channel ID DESCRIPTION This is the wireless interface on the NWA1121-NI. This field shows which 802.11 mode the NWA1121-NI is using. This shows the channel number which the NWA1121-NI is currently using over the wireless LAN. RX Pkts TX Pkts This is the number of received packets on this port. This is the number of transmitted packets on this port. Retry Count This is the total number of retries for transmitted packets (TX). FCS Error Count This is the ratio percentage showing the total number of checksum error of received packets (RX) over total RX. Poll Interval Set Interval Stop Enter the time interval for refreshing statistics. Click this button to apply the new poll interval you entered above. Click this button to stop refreshing statistics. 5.5 Association List View the wireless devices that are currently associated with the NWA1121-NI in the Association List screen. Association means that a wireless client (for example, your network or computer with a wireless network card) has connected successfully to the AP (or wireless router) using the same SSID, channel and security settings. NWA1121-NI Users Guide 51 Chapter 5 Monitor Click Monitor > Association List to display the screen as shown next. Figure 15 Association List The following table describes the labels in this screen. Table 7 Association List LABEL
DESCRIPTION This is the index number of an associated wireless device. MAC Address This field displays the MAC address of an associated wireless device. SSID This field displays the SSID to which the wireless device is associated. Association Time Signal Strength This field displays the time a wireless device first associated with the NWA1121-NIs wireless network. This field displays the RSSI (Received Signal Strength Indicator) of the wireless connection. Refresh Click Refresh to reload the list. 5.6 Channel Usage Use this screen to know whether a channel is used by another wireless network or not. If a channel is being used, you should select a channel removed from it by five channels to completely avoid overlap. Click Monitor > Channel Usage to display the screen shown next. 52 NWA1121-NI Users Guide Wait a moment while the NWA1121-NI compiles the information. Figure 16 Channel Usage Chapter 5 Monitor The following table describes the labels in this screen. Table 8 Channel Usage LABEL SSID DESCRIPTION This is the Service Set IDentification (SSID) name of the AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network. For our purposes, we define an Infrastructure network as a wireless network that uses an AP and an Ad-
Hoc network (also known as Independent Basic Service Set (IBSS)) as one that doesnt. See the chapter on wireless configuration for more information on basic service sets (BSS) and extended service sets (ESS). Channel MAC Address This is the index number of the channel currently used by the associated AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network. This field displays the MAC address of the AP in an Infrastructure wireless network. It is randomly generated (so ignore it) in an Ad-Hoc wireless network. Wireless Mode This is the IEEE 802.1x standard used by the wireless network. Signal Strength This field displays the strength of the APs signal. If you must choose a channel that is currently in use, choose one with low signal strength for minimum interference. Security Refresh This is the wireless security method used by the wireless network to protect wireless communication between wireless stations, access points and the wired network. Click Refresh to reload the screen. NWA1121-NI Users Guide 53 Chapter 5 Monitor 54 NWA1121-NI Users Guide CHAPTER 6 Wireless LAN 6.1 Overview This chapter discusses the steps to configure the Wireless Settings screen on the NWA1121-NI. It also introduces the wireless LAN (WLAN) and some basic scenarios. Figure 17 Wireless Mode In the figure above, the NWA1121-NI allows access to another bridge device (A) and a notebook computer (B) upon verifying their settings and credentials. It denies access to other devices (C and D) with configurations that do not match those specified in your NWA1121-NI. 6.2 What You Can Do in this Chapter Use the Wireless Settings screen to configure the NWA1121-NIs operation mode (see Section 6.4 on page 60). Uee the SSID screen to configure up to eight SSID profiles for your NWA1121-NI (see Section 6.5 on page 72). Use the Security screen to choose the wireless security mode for your NWA1121-NI (see Section 6.6 on page 74). Use the RADIUS screen if you want to authenticate wireless users using a RADIUS Server and/or accounting server (see Section 6.7 on page 87). Use the MAC Filter screen to specify which wireless station is allowed or denied access to the NWA1121-NI (see Section 6.8 on page 89). NWA1121-NI Users Guide 55 Chapter 6 Wireless LAN 6.3 What You Need To Know BSS A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). Operating Mode The NWA1121-NI can run in four operating modes as follows:
Root AP. The NWA1121-NI is a wireless access point that allows wireless communication to other devices in the network. Repeater. The NWA1121-NI acts as a wireless repeater and increase a root APs wireless coverage area. Client. The NWA1121-NI acts as a wireless client to access a wireless network. MBSSID. The Multiple Basic Service Set Identifier (MBSSID) mode allows you to use one access point to provide several BSSs simultaneously. Refer to Chapter 1 on page 11 for illustrations of these wireless applications. SSID The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In other words, it is the name of the wireless network that clients use to connect to it. Normally, the NWA1121-NI acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the NWA1121-NI does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess. This type of security is fairly weak, however, because there are ways for unauthorized wireless devices to get the SSID. In addition, unauthorized wireless devices can still see the information that is sent in the wireless network. Channel A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. 56 NWA1121-NI Users Guide Chapter 6 Wireless LAN Wireless Mode The IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. Your NWA1121-NI can support 802.11b/g, 802.11n and 802.11b/g/n. MBSSID Traditionally, you needed to use different APs to configure different Basic Service Sets (BSSs). As well as the cost of buying extra APs, there was also the possibility of channel interference. The NWA1121-NIs MBSSID (Multiple Basic Service Set IDentifier) function allows you to use one access point to provide several BSSs simultaneously. You can then assign varying levels of privilege to different SSIDs. Wireless stations can use different BSSIDs to associate with the same AP. The following are some notes on multiple BSS. A maximum of four BSSs are allowed on one AP simultaneously. You must use different WEP keys for different BSSs. If two stations have different BSSIDs (they are in different BSSs), but have the same WEP keys, they may hear each others communications
(but not communicate with each other). MBSSID should not replace but rather be used in conjunction with 802.1x security. Wireless Security Wireless security is vital to your network. It protects communications between wireless stations, access points and the wired network. Figure 18 Securing the Wireless Network In the figure above, the NWA1121-NI checks the identity of devices before giving them access to the network. In this scenario, Computer A is denied access to the network, while Computer B is granted connectivity. The NWA1121-NI secure communications via data encryption, wireless client authentication and MAC address filtering. It can also hide its identity in the network. NWA1121-NI Users Guide 57 Chapter 6 Wireless LAN User Authentication Authentication is the process of verifying whether a wireless device is allowed to use the wireless network. You can make every user log in to the wireless network before they can use it. However, every device in the wireless network has to support IEEE 802.1x to do this. For wireless networks, you can store the user names and passwords for each user in a RADIUS server. This is a server used in businesses more than in homes. If you do not have a RADIUS server, you cannot set up user names and passwords for your users. Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network. The following table shows the relative effectiveness of wireless security methods:. Table 9 Wireless Security Levels SECURITY LEVEL Least Secure SECURITY TYPE Unique SSID (Default) Unique SSID with Hide SSID Enabled MAC Address Filtering WEP Encryption IEEE802.1x EAP with RADIUS Server Authentication Wi-Fi Protected Access (WPA) Most Secure WPA2 The available security modes in your NWA1121-NI are as follows:
None. No data encryption. WEP. Wired Equivalent Privacy (WEP) encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. 802.1x-Only. This is a standard that extends the features of IEEE 802.11 to support extended authentication. It provides additional accounting and control features. This option does not support data encryption. 802.1x-Static WEP. This provides 802.1x-Only authentication with a static 64bit or 128bit WEP key and an authentication server. WPA. Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. WPA2-MIX. This commands the NWA1121-NI to use either WPA2 or WPA depending on which security mode the wireless client uses. WPA2-PSK. This adds a pre-shared key on top of WPA2 standard. WPA2-PSK-MIX. This commands the NWA1121-NI to use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses. Note: To guarantee 802.11n wireless speed, please only use WPA2 or WPA2-PSK security mode. Other security modes may degrate the wireless speed performance to 802.11g. 58 NWA1121-NI Users Guide Chapter 6 Wireless LAN Passphrase A passphrase functions like a password. In WEP security mode, it is further converted by the NWA1121-NI into a complicated string that is referred to as the key. This key is requested from all devices wishing to connect to a wireless network. PSK The Pre-Shared Key (PSK) is a password shared by a wireless access point and a client during a previous secure connection. The key can then be used to establish a connection between the two parties. Encryption Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message. Encryption is the process of converting data into unreadable text. This secures information in network communications. The intended recipient of the data can unlock it with a pre-assigned key, making the information readable only to him. The NWA1121-NI when used as a wireless client employs Temporal Key Integrity Protocol (TKIP) data encryption. EAP Extensible Authentication Protocol (EAP) is a protocol used by a wireless client, an access point and an authentication server to negotiate a connection. The EAP methods employed by the NWA1121-NI when in Wireless Client operating mode are Transport Layer Security (TLS), Protected Extensible Authentication Protocol (PEAP), Lightweight Extensible Authentication Protocol (LEAP) and Tunneled Transport Layer Security (TTLS). The authentication protocol may either be Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2) or Generic Token Card (GTC). Further information on these terms can be found in Appendix D on page 181. RADIUS Remote Authentication Dial In User Service (RADIUS) is a protocol that can be used to manage user access to large networks. It is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. Figure 19 RADIUS Server Setup NWA1121-NI Users Guide 59 Chapter 6 Wireless LAN In the figure above, wireless clients A and B are trying to access the Internet via the NWA1121-NI. The NWA1121-NI in turn queries the RADIUS server if the identity of clients A and U are allowed access to the Internet. In this scenario, only client Us identity is verified by the RADIUS server and allowed access to the Internet. The RADIUS server handles the following tasks:
Authentication which determines the identity of the users. Authorization which determines the network services available to authenticated users once they are connected to the network. Accounting which keeps track of the clients network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server. You should know the IP addresses, ports and share secrets of the external RADIUS server and/or the external RADIUS accounting server you want to use with your NWA1121-NI. You can configure a primary and backup RADIUS and RADIUS accounting server for your NWA1121-NI. 6.4 Wireless Settings Screen Use this screen to choose the operating mode for your NWA1121-NI. Click Network > Wireless LAN > Wireless Settings. The screen varies depending upon the operating mode you select. 60 NWA1121-NI Users Guide 6.4.1 Root AP Mode Use this screen to use your NWA1121-NI as an access point. Select Root AP as the Operation Mode. The following screen displays. Figure 20 Wireless LAN > Wireless Settings: Root AP Chapter 6 Wireless LAN NWA1121-NI Users Guide 61 Chapter 6 Wireless LAN The following table describes the general wireless LAN labels in this screen. Table 10 Wireless LAN > Wireless Settings: Root AP LABEL Basic Settings DESCRIPTION Wireless LAN Interface Select the check box to turn on the wireless LAN on the NWA1121-NI. Operation Mode Select Root AP from the drop-down list. Wireless Mode Select 802.11b/g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of your NWA1121-NI might be reduced. Select 802.11b/g/n to allow IEEE802.11b, IEEE802.11g and IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of the NWA1121-
NI might be reduced. Select 802.11n to allow only IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. Channel Select the operating frequency/channel depending on your particular region from the drop-down list box. Channel Width This field displays only when you select 802.11n or 802.11b/g/n in the Wireless Mode field. A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300Mbps. However, not all devices support 40MHz channels. Select the channel bandwidth you want to use for your wireless network. It is recommended that you select 20/40MHz. This allows the NWA1121-NI to adjust the channel bandwidth depending on network conditions. Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the wireless clients do not support channel bonding. Select SSID Profile The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. You can have up to four SSIDs active at the same time. Note: If you are configuring the NWA1121-NI from a computer connected to the wireless LAN and you change the NWA1121-NIs SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the NWA1121-NIs new settings.
Activve Profile This is the index number of each SSID profile. Select the check box to enable an SSID profile. Otherwise, clear the check box. Select an SSID Profile from the drop-down list box. Universal Repeater Settings The Universal repeater function allows the NWA1121-NI in root AP or repeater mode to set up a wireless connection between it and another NWA1121-NI in root AP or repeater mode. Note: Universal repeater security is independent of the security settings between the NWA1121-NI and any wireless clients. Local MAC Address Universal Repeater SSID Profile Local MAC Address is the MAC address of your NWA1121-NI. Select the SSID profile you want to use for universal repeater connections. Note: You can only configure None, WPA-PSK or WPA2-PSK security mode for the SSID used by a universal repeater connection. 62 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 10 Wireless LAN > Wireless Settings: Root AP (continued) LABEL Advanced Settings DESCRIPTION Beacon Interval DTIM Interval Output Power When a wirelessly network device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in lowpower mode before waking up to handle the beacon. A high value helps save current consumption of the access point. Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. Set the output power of the NWA1121-NI in this field. If there is a high density of APs in an area, decrease the output power of the NWA1121-NI to reduce interference with other APs. Select one of the following Full (Full Power), 50%, 25%, or 12.5%. See the product specifications for more information on your NWA1121-NIs output power. Preamble Type Select Dynamic to have the AP automatically use short preamble when wireless adapters support it, otherwise the AP uses long preamble. RTS/CTS Threshold Select Long if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks.
(Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (1) turns on the RTS/CTS handshake. Fragmentation The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Extension Channel Protection Mode You can use CTS to self or RTS-CTS protection mechanism to reduce conflicts with other wireless networks or hidden wireless clients. The throughput of RTS-CTS is much lower than CTS to self. Using this mode may decrease your wireless performance. A-MPDU Aggregation Short GI This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select Enabled to use Short GI (Guard Interval). The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the GI increases data transfer rates but also increases interference. Increasing the GI reduces data transfer rates but also reduces interference. MCS Rate The MCS Rate table is available only when 802.11 b/g/n is selected in the Wireless Mode field. IEEE 802.11n supports many different data rates which are called MCS rates. MCS stands for Modulation and Coding Scheme. This is an 802.11n feature that increases the wireless network performance in terms of throughput. For each MCS Rate (0-15), select either Enabled to have the NWA1121-NI use the data rate. Clear the Enabled check box if you do not want the NWA1121-NI to use the data rate. Turn on the Auto option to have the NWA1121-NI set the data rates automatically to optimize the throughput. Apply Cancel Note: You can set the NWA1121-NI to use up to four MCS rates at a time. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. NWA1121-NI Users Guide 63 Chapter 6 Wireless LAN 6.4.2 Repeater Mode Use this screen to have the NWA1121-NI act as a wireless repeater. You need to know the MAC address of the peer device, which also must be in Repeater or Root AP mode. Figure 21 Wireless LAN > Wireless Settings: Repeater The following table describes the bridge labels in this screen. Table 11 Wireless LAN > Wireless Settings: Repeater LABEL Basic Settings DESCRIPTION Wireless LAN Interface Select the check box to turn on the wireless LAN on the NWA1121-NI. Operation Mode Select Repeater from the drop-down list. 64 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 11 Wireless LAN > Wireless Settings: Repeater (continued) LABEL Wireless Mode DESCRIPTION Select 802.11b/g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of your NWA1121-NI might be reduced. Select 802.11b/g/n to allow IEEE802.11b, IEEE802.11g and IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of the NWA1121-
NI might be reduced. Select 802.11n to allow only IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. Channel Select the operating frequency/channel depending on your particular region from the drop-down list box. Channel Width This field displays only when you select 802.11n or 802.11b/g/n in the Wireless Mode field. A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300Mbps. However, not all devices support 40MHz channels. Select the channel bandwidth you want to use for your wireless network. It is recommended that you select 20/40MHz. This allows the NWA1121-NI to adjust the channel bandwidth depending on network conditions. Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the wireless clients do not support channel bonding. Universal Repeater Settings The Universal repeater function allows the NWA1121-NI in root AP or repeater mode to set up a wireless connection between it and another NWA1121-NI in root AP or repeater mode. Note: Universal repeater security is independent of the security settings between the NWA1121-NI and any wireless clients. Local MAC Address Universal Repeater SSID Profile Local MAC Address is the MAC address of your NWA1121-NI. Select the SSID profile you want to use for universal repeater connections with an AP or repeater or regular wireless connections with wireless clients. Note: You can only configure None, WPA-PSK or WPA2-PSK security mode for the SSID used by a universal repeater connection. Root MAC Address Specify the peer devices MAC address. The peer device can be a NWA1121-NI in either root AP mode or repeater mode. Advanced Settings Beacon Interval DTIM Interval Output Power When a wirelessly network device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in lowpower mode before waking up to handle the beacon. A high value helps save current consumption of the access point. Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. Set the output power of the NWA1121-NI in this field. If there is a high density of APs in an area, decrease the output power of the NWA1121-NI to reduce interference with other APs. Select one of the following Full (Full Power), 50%, 25% or 12.5%. See the product specifications for more information on your NWA1121-NIs output power. NWA1121-NI Users Guide 65 Chapter 6 Wireless LAN Table 11 Wireless LAN > Wireless Settings: Repeater (continued) LABEL Preamble Type DESCRIPTION Select Dynamic to have the AP automatically use short preamble when wireless adapters support it, otherwise the AP uses long preamble. RTS/CTS Threshold Select Long if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks.
(Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (1) turns on the RTS/CTS handshake. Fragmentation The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Extension Channel Protection Mode You can use CTS to self or RTS-CTS protection mechanism to reduce conflicts with other wireless networks or hidden wireless clients. The throughput of RTS-CTS is much lower than CTS to self. Using this mode may decrease your wireless performance. A-MPDU Aggregation Short GI This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select Enabled to use Short GI (Guard Interval). The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the GI increases data transfer rates but also increases interference. Increasing the GI reduces data transfer rates but also reduces interference. MCS Rate The MCS Rate table is available only when 802.11 b/g/n is selected in the Wireless Mode field. IEEE 802.11n supports many different data rates which are called MCS rates. MCS stands for Modulation and Coding Scheme. This is an 802.11n feature that increases the wireless network performance in terms of throughput. For each MCS Rate (0-15), select either Enabled to have the NWA1121-NI use the data rate. Clear the Enabled check box if you do not want the NWA1121-NI to use the data rate. Turn on the Auto option to have the NWA1121-NI set the data rates automatically to optimize the throughput. Apply Cancel Note: You can set the NWA1121-NI to use up to four MCS rates at a time. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 66 NWA1121-NI Users Guide 6.4.3 Wireless Client Mode Use this screen to turn your NWA1121-NI into a wireless client. Select Client as the Operation Mode. The following screen displays. Figure 22 Wireless LAN > Wireless Settings: Wireless Client Chapter 6 Wireless LAN The following table describes the general wireless LAN labels in this screen. Table 12 Wireless LAN > Wireless Settings: Wireless Client LABEL Basic Settings DESCRIPTION Wireless LAN Interface Select the check box to turn on the wireless LAN on the NWA1121-NI. Operation Mode Select Client in this field. Site Survey Click this to view a list of available wireless access points within the range. Select the AP you want to use. Note: After selecting Client as the Operation Mode in the Basic Settings section, you must click Apply to be able to select from the AP list. NWA1121-NI Users Guide 67 Chapter 6 Wireless LAN Table 12 Wireless LAN > Wireless Settings: Wireless Client (continued) LABEL SSID Profile DESCRIPTION The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In this field, select the SSID profile of the AP you want to use. Click Apply. The SSID used in the selected SSID profile automatically changes to be the one you select in the Site Survey screen. Set the security configuration for this operating mode in the Wireless LAN > Security screen. Check the Dashboard screen to check if the settings you set show in the WLAN information. Note: If you are configuring the NWA1121-NI from a computer connected to the wireless LAN and you change the NWA1121-NIs SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the NWA1121-NIs new settings. Channel This shows the operating frequency/channel in use. This field is read-only when you select Client as your operation mode. Channel Width A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300Mbps. However, not all devices support 40MHz channels. Select the channel bandwidth you want to use for your wireless network. It is recommended that you select 20/40MHz. This allows the NWA1121-NI to adjust the channel bandwidth depending on network conditions. Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the AP do not support channel bonding. Advanced Settings Output Power Set the output power of the NWA1121-NI in this field. If there is a high density of APs in an area, decrease the output power of the NWA1121-NI to reduce interference with other APs. Select one of the following Full (Full Power), 50%, 25% or 12.5%. See the product specifications for more information on your NWA1121-NIs output power. Preamble Type Select Dynamic to have the NWA1121-NI automatically use short preamble when the wireless network your NWA1121-NI is connected to supports it, otherwise the NWA1121-NI uses long preamble. RTS/CTS Threshold Select Long preamble if you are unsure what preamble mode the wireless device your NWA1121-NI is connected to supports, and to provide more reliable communications in busy wireless networks.
(Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (1) turns on the RTS/CTS handshake. Fragmentation The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent. Extension channel protection mode You can use CTS to self or RTS-CTS protection mechanism to reduce conflicts with other wireless networks or hidden wireless clients. The throughput of RTS-CTS is much lower than CTS to self. Using this mode may decrease your wireless performance. A-MPDU Aggregation Select to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. 68 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 12 Wireless LAN > Wireless Settings: Wireless Client (continued) LABEL Short GI DESCRIPTION Select Enabled to use Short GI (Guard Interval). The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the GI increases data transfer rates but also increases interference. Increasing the GI reduces data transfer rates but also reduces interference. Apply Cancel Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.4.4 MBSSID Mode Use this screen to have the NWA1121-NI function in MBSSID mode. Select MBSSID as the Operation Mode. The following screen diplays. Figure 23 Wireless LAN > Wireless Settings: MBSSID NWA1121-NI Users Guide 69 Chapter 6 Wireless LAN The following table describes the labels in this screen. Table 13 Wireless LAN > Wireless Settings: MBSSID LABEL Basic Settings DESCRIPTION Wireless LAN Interface Select the check box to turn on the wireless LAN on the NWA1121-NI. Operation Mode Select MBSSID from the drop-down list. Wireless Mode Select 802.11b/g to allow both IEEE802.11b and IEEE802.11g compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of your NWA1121-NI might be reduced. Select 802.11b/g/n to allow IEEE802.11b, IEEE802.11g and IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. The transmission rate of the NWA1121-
NI might be reduced. Select 802.11n to allow only IEEE802.11n compliant WLAN devices to associate with the NWA1121-NI. Channel Select the operating frequency/channel depending on your particular region from the drop-down list box. Channel Width This field displays only when you select 802.11n or 802.11b/g/n in the Wireless Mode field. A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300Mbps. However, not all devices support 40MHz channels. Select the channel bandwidth you want to use for your wireless network. Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the wireless clients do not support channel bonding. Select SSID Profile The SSID (Service Set IDentifier) identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. You can have up to eight SSIDs active at the same time.
Activve Profile Advanced Settings Beacon Interval DTIM Interval Output Power Note: If you are configuring the NWA1121-NI from a computer connected to the wireless LAN and you change the NWA1121-NIs SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the NWA1121-NIs new settings. This is the index number of each SSID profile. Select the check box to enable an SSID profile. Otherwise, clear the check box. Select an SSID Profile from the drop-down list box. When a wirelessly network device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in lowpower mode before waking up to handle the beacon. A high value helps save current consumption of the access point. Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. Set the output power of the NWA1121-NI in this field. If there is a high density of APs in an area, decrease the output power of the NWA1121-NI to reduce interference with other APs. Select one of the following Full (Full Power), 50%, 25% or 12.5%. See the product specifications for more information on your NWA1121-NIs output power. 70 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 13 Wireless LAN > Wireless Settings: MBSSID (continued) LABEL Preamble Type DESCRIPTION Select Dynamic to have the AP automatically use short preamble when wireless adapters support it, otherwise the AP uses long preamble. RTS/CTS Threshold Select Long if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks.
(Request To Send) The threshold (number of bytes) for enabling RTS/CTS handshake. Data with its frame size larger than this value will perform the RTS/CTS handshake. Setting this attribute to be larger than the maximum MSDU (MAC service data unit) size turns off the RTS/CTS handshake. Setting this attribute to its smallest value (1) turns on the RTS/CTS handshake. Extension Channel Protection Mode You can use CTS to self or RTS-CTS protection mechanism to reduce conflicts with other wireless networks or hidden wireless clients. The throughput of RTS-CTS is much lower than CTS to self. Using this mode may decrease your wireless performance. A-MPDU Aggregation Short GI This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select to enable A-MPDU aggregation. Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. This field is available only when 802.11 b/g/n is selected as the Wireless Mode. Select Enabled to use Short GI (Guard Interval). The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the GI increases data transfer rates but also increases interference. Increasing the GI reduces data transfer rates but also reduces interference. MCS Rate The MCS Rate table is available only when 802.11 b/g/n is selected in the Wireless Mode field. IEEE 802.11n supports many different data rates which are called MCS rates. MCS stands for Modulation and Coding Scheme. This is an 802.11n feature that increases the wireless network performance in terms of throughput. For each MCS Rate (0-15), select either Enabled to have the NWA1121-NI use the data rate. Clear the Enabled check box if you do not want the NWA1121-NI to use the data rate. Turn on the Auto option to have the NWA1121-NI set the data rates automatically to optimize the throughput. Apply Cancel Note: You can set the NWA1121-NI to use up to four MCS rates at a time. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. NWA1121-NI Users Guide 71 Chapter 6 Wireless LAN 6.5 SSID Screen Use this screen to view and modify the settings of the SSID profiles on the NWA1121-NI. Click Wireless LAN > SSID to display the screen as shown. Figure 24 Wireless LAN > SSID The following table describes the labels in this screen. Figure 25 Wireless LAN > SSID LABEL DESCRIPTION Profile Settings
This field displays the index number of each SSID profile. Profile Name This field displays the identification name of each SSID profile on the NWA1121-NI. SSID Security RADIUS QoS MAC Filter Modify This field displays the name of the wireless profile on the network. When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility. This field indicates which security profile is currently associated with each SSID profile. See Section 6.6 on page 74 for more information. This field displays which RADIUS profile is currently associated with each SSID profile, if you have a RADIUS server configured. This field displays the Quality of Service setting for this profile or NONE if QoS is not configured on a profile. This field displays which MAC filter profile is currently associated with each SSID profile, or Disable if MAC filtering is not configured on an SSID profile. Click Edit to go to the SSID configuration screen where you can modify settings in an SSID profile. 72 NWA1121-NI Users Guide 6.5.1 Configuring SSID Use this screen to configure an SSID profile. In the Wireless LAN > SSID screen, click Edit next to the SSID profile you want to configure to display the following screen. Figure 26 SSID: Edit Chapter 6 Wireless LAN The following table describes the labels in this screen. Table 14 SSID: Edit LABEL DESCRIPTION Profile Name This is the name that identifying this profile. SSID Security RADIUS When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility. Select a security profile to use with this SSID profile. See Section 6.6 on page 74 for more information. If you do not want this profile to use wireless security, select Disabled. Select a RADIUS profile from the drop-down list box, if you have a RADIUS server configured. If you do not need to use RADIUS authentication, ignore this field. See Section 6.7 on page 87 for more information. MAC Filtering Select a MAC filter profile from the drop-down list box. If you do not want to use MAC filtering on this profile, select Disabled. QoS Select the Quality of Service priority for this BSSs traffic. If you select WMM from the QoS list, the priority of a data packet depends on the packets IEEE 802.1q or DSCP header. If a packet has no WMM value assigned to it, it is assigned the default priority. If you select WMM_VOICE, WMM_VIDEO, WMM_BESTEFFORT or WMM_BACKGROUND, the NWA1121-NI applies that QoS setting to all of that SSIDs traffic. If you select None, the NWA1121-NI applies no priority to traffic on this SSID. Note: When you configure an SSID profiles QoS settings, the NWA1121-NI applies the same QoS setting to all of the profiles traffic. NWA1121-NI Users Guide 73 Chapter 6 Wireless LAN Table 14 SSID: Edit (continued) LABEL DESCRIPTION BSSID VLAN ID Enter a VLAN ID for the SSID profile. Number of Wireless Stations Allowed to Associate Hidden SSID Packets coming from the WLAN using this SSID profile are tagged with the VLAN ID number by the NWA1121-NI. Use this field to set a maximum number of wireless stations that may connect to the device. If you do not select the checkbox, the NWA1121-NI broadcasts this SSID (a wireless client scanning for an AP will find this SSID). Alternatively, if you select the checkbox, the NWA1121-NI hides this SSID (a wireless client scanning for an AP will not find this SSID). Intra-BSS Traffic Blocking Select the check box to prevent wireless clients in this profiles BSS from communicating with one another. Back Apply Cancel Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.6 Wireless Security Screen Use this screen to choose the security mode for your NWA1121-NI. Click Wireless LAN > Security. Select the profile that you want to configure and click Edit. Figure 27 Wireless > Security 74 NWA1121-NI Users Guide The Security Settings screen varies depending upon the security mode you select. Figure 28 Security: None Chapter 6 Wireless LAN Note that some screens display differently depending on the operating mode selected in the Wireless LAN > Wireless Settings screen. Note: You must enable the same wireless security settings on the NWA1121-NI and on all wireless clients that you want to associate with it. NWA1121-NI Users Guide 75 Chapter 6 Wireless LAN 6.6.1 Security: WEP Use this screen to use WEP as the security mode for your NWA1121-NI. Select WEP in the Security Mode field to display the following screen. Figure 29 Security: WEP The following table describes the labels in this screen. Table 15 Security: WEP LABEL Profile Name DESCRIPTION This is the name that identifying this profile. Security Mode Choose WEP in this field. Authentication Type Select Open or Shared from the drop-down list box. Data Encryption Select 64-bit WEP or 128-bit WEP to enable data encryption. Passphrase Enter the passphrase or string of text used for automatic WEP key generation on wireless client adapters. Generate Click this to get the keys from the Passphrase you entered. 76 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 15 Security: WEP (continued) LABEL Key 1 to DESCRIPTION The WEP keys are used to encrypt data. Both the NWA1121-NI and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters
("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time. Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. Key 4 Back Apply Cancel 6.6.2 Security: 802.1x Only This screen varies depending on the operating mode you select in the Wireless LAN > Wireless Settings screen. 6.6.2.1 Access Point Use this screen to use 802.1x-Only security mode for your NWA1121-NI that is in root AP, MBSSID or repeater operating mode. Select 802.1x-Only in the Security Mode field to display the following screen. Figure 30 Security: 802.1x Only for Access Point The following table describes the labels in this screen. Table 16 Security: 802.1x Only for Access Point LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. Security Mode Choose 802.1x-Only in this field. Rekey Options NWA1121-NI Users Guide 77 Chapter 6 Wireless LAN Table 16 Security: 802.1x Only for Access Point (continued) LABEL Reauthentication Time DESCRIPTION Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 100 and 3600 seconds. Alternatively, enter 0 to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Enable Group-Key Update Select this option to have the NWA1121-NI automatically disconnect a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. Back Apply Cancel Enter a time interval between 100 and 3600 seconds. Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.6.2.2 Wireless Client Use this screen to use 802.1x-Only security mode for your NWA1121-NI that is in wireless client operating mode. Select 802.1x-Only in the Security Mode field to display the following screen. Figure 31 Security: 802.1x Only for Wireless Client The following table describes the labels in this screen. Table 17 Security: 802.1x Only for Wireless Client LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. 78 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 17 Security: 802.1x Only for Wireless Client (continued) LABEL Security Mode DESCRIPTION Choose the same security mode used by the AP. IEEE802.1x Authentication Eap Type The options on the left refer to EAP methods. You can choose either TLS, LEAP, PEAP or TTLS. If you select TTLS or PEAP, the options on the right refer to authentication protocols. You can choose between PAP, CHAP, MSCHAP, MSCHAPv2 and/or GTC. User Information Username Login Name Password Certificate Supply the user name of the account created in the RADIUS server. Supply the password of the account created in the RADIUS server. User Certificate If you select TLS, enter the name of the certificate used to to verify the identity of clients. Back Apply Cancel Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.6.3 Security: 802.1x Static WEP This screen varies depending on the operating mode you select in the Wireless LAN > Wireless Settings screen. NWA1121-NI Users Guide 79 Chapter 6 Wireless LAN 6.6.3.1 Access Point Use this screen to use 802.1x static WEP security mode for your NWA1121-NI that is in root AP, MBSSID or repeater operating mode. Select 802.1X-Static WEP in the Security Mode field to display the following screen. Figure 32 Security: 802.1X-Static WEP for Access Point The following table describes the labels in this screen. Table 18 Security: 802.1X-Static WEP for Access Point LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. Security Mode Choose 802.1X-Static WEP in this field. Data Encryption Select 64-bit WEP or 128-bit WEP to enable data encryption. Passphrase Enter the passphrase or string of text used for automatic WEP key generation on wireless client adapters. Generate Click this to get the keys from the Passphrase you entered. 80 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 18 Security: 802.1X-Static WEP for Access Point (continued) LABEL Key 1 to DESCRIPTION The WEP keys are used to encrypt data. Both the NWA1121-NI and the wireless stations must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters
("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time. Key 4 Rekey Options Reauthentication Time Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 100 and 3600 seconds. Alternatively, enter 0 to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Enable Group-Key Update Select this option to have the NWA1121-NI automatically disconnect a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. Back Apply Cancel Enter a time interval between 100 and 3600 seconds. Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. NWA1121-NI Users Guide 81 Chapter 6 Wireless LAN 6.6.3.2 Wireless Client Use this screen to use 802.1x-Only security mode for your NWA1121-NI that is in wireless client operating mode. Select 802.1X-Static WEP in the Security Mode field to display the following screen. Figure 33 Security: 802.1X-Static WEP for Wireless Client The following table describes the labels in this screen. Table 19 Security: 802.1X-Static WEP for Wireless Client LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. Security Mode Choose the same security mode used by the AP. 82 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 19 Security: 802.1X-Static WEP for Wireless Client (continued) LABEL Data Encryption DESCRIPTION Select 64-bit WEP or 128-bit WEP to enable data encryption. Passphrase Enter the passphrase or string of text used for automatic WEP key generation. Generate Key 1 to Key 4 Click this to get the keys from the Passphrase you entered. The WEP keys are used to encrypt data. Both the NWA1121-NI and the AP must use the same WEP key for data transmission. If you chose 64-bit WEP, then enter any 5 ASCII characters or 10 hexadecimal characters ("0-9", "A-F"). If you chose 128-bit WEP, then enter 13 ASCII characters or 26 hexadecimal characters ("0-9", "A-F"). You must configure all four keys, but only one key can be activated at any one time. IEEE802.1x Authentication Eap Type The options on the left refer to EAP methods. You can choose either TLS, LEAP, PEAP or TTLS. If you select TTLS or PEAP, the options on the right refer to authentication protocols. You can choose between PAP, CHAP, MSCHAP, MSCHAPv2 and/or GTC. User Information Username Login Name Password Certificate Supply the user name of the account created in the RADIUS server. Supply the password of the account created in the RADIUS server. User Certificate If you select TLS, enter the name of the certificate used to to verify the identity of clients. Back Apply Cancel Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.6.4 Security: WPA, WPA2, WPA2-MIX This screen varies depending on the operating mode you select in the Wireless LAN > Wireless Settings screen. NWA1121-NI Users Guide 83 Chapter 6 Wireless LAN 6.6.4.1 Access Point Use this screen to employ WPA or WPA2 as the security mode for your NWA1121-NI that is in root AP, MBSSID or repeater operating mode. Select WPA, WPA2 or WPA2-MIX in the Security Mode field to display the following screen. Figure 34 Security: WPA/WPA2 for Access Point The following table describes the labels in this screen. Table 20 Security: WPA/WPA2 for Access Point LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. Security Mode Choose WPA, WPA2 or WPA-MIX in this field. Rekey Options Reauthentication Time Specify how often wireless stations have to resend user names and passwords in order to stay connected. Enter a time interval between 100 and 3600 seconds. Alternatively, enter 0 to turn reauthentication off. Note: If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority. Enable Group-Key Update Select this option to have the NWA1121-NI automatically disconnect a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the user name and password again before access to the wired network is allowed. Back Apply Cancel Enter a time interval between 100 and 3600 seconds. Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 84 NWA1121-NI Users Guide Chapter 6 Wireless LAN 6.6.4.2 Wireless Client Use this screen to employ WPA or WPA2 as the security mode for your NWA1121-NI that is in wireless client operating mode. Select WPA or WPA2 in the Security Mode field to display the following screen. Figure 35 Security: WPA for Wireless Client The following table describes the labels in this screen. Table 21 Security: WPA/WPA2 for Wireless Client LABEL Security Settings DESCRIPTION Profile Name This is the name that identifying this profile. Security Mode Choose the same security mode used by the AP. Data Encryption This shows the encryption method used by the NWA1121-NI. IEEE802.1x Authentication Eap Type The options on the left refer to EAP methods. You can choose either TLS, LEAP, PEAP or TTLS. If you select TTLS or PEAP, the options on the right refer to authentication protocols. You can choose between PAP, CHAP, MSCHAP, MSCHAPv2 and/or GTC. User Information Username Supply the user name of the account created in the RADIUS server. Login Name Password Certificate Supply the password of the account created in the RADIUS server. User Certificate If you select TLS, enter the name of the certificate used to to verify the identity of clients. NWA1121-NI Users Guide 85 Chapter 6 Wireless LAN Table 21 Security: WPA/WPA2 for Wireless Client (continued) LABEL Back DESCRIPTION Click Back to return to the previous screen. Apply Cancel Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 6.6.5 Security: WPA-PSK, WPA2-PSK, WPA2-PSK-MIX Use this screen to employ WPA-PSK, WPA2-PSK or WPA2-PSK-MIX as the security mode of your NWA1121-NI. Select WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in the Security Mode field to display the following screen. Figure 36 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX The following table describes the labels not previously discussed Table 22 Security: WPA-PSK, WPA2-PSK or WPA2-PSK-MIX LABEL Profile Name DESCRIPTION This is the name that identifying this profile. Security Mode Choose WPA-PSK, WPA2-PSK or WPA2-PSK-MIX in this field. Pre-Shared Key The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols). Back Apply Cancel Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. 86 NWA1121-NI Users Guide 6.7 RADIUS Screen Use this screen to set up your NWA1121-NIs RADIUS server settings. Click Wireless LAN >
RADIUS. The screen appears as shown. Figure 37 Wireless LAN > RADIUS Chapter 6 Wireless LAN Select a profile you want to configure and click Edit. Figure 38 Wireless LAN > RADIUS NWA1121-NI Users Guide 87 Chapter 6 Wireless LAN The following table describes the labels in this screen. Table 23 Wireless LAN > RADIUS LABEL Profile Name DESCRIPTION This is the name that identifying this RADIUS profile. Primary RADIUS Server Select the check box to enable user authentication through an external authentication server. Primary Server IP Address Primary Server Port Primary Share Secret Enter the IP address of the RADIUS server to be used for authentication. Enter the port number of the RADIUS server to be used for authentication. Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external authentication server and the NWA1121-NI. The key must be the same on the external authentication server and your NWA1121-NI. The key is not sent over the network. Backup RADIUS Server If the NWA1121-NI cannot communicate with the primary RADIUS server, you can have the NWA1121-NI use a backup RADIUS server. Make sure the check boxe is selected if you want to use the backup server. The NWA1121-NI will attempt to communicate three times before using the backup server. Requests can be issued from the client interface to use the backup server. The length of time for each authentication is decided by the wireless client or based on the configuration of the Reauthentication Time field in the Wireless LAN >
Security screen. Enter the IP address of the RADIUS server to be used for authentication. Enter the port number of the RADIUS server to be used for authentication. Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external authentication server and the NWA1121-NI. The key must be the same on the external authentication server and your NWA1121-NI. The key is not sent over the network. Backup Server IP Address Backup Server Port Backup Share Secret Primary Accounting Server Select the check box to enable user accounting through an external authentication server. Primary Server IP Address Primary Server Port Primary Share Secret Enter the IP address of the external accounting server in dotted decimal notation. Enter the port number of the external accounting server. Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the NWA1121-NI. The key must be the same on the external accounting server and your NWA1121-NI. The key is not sent over the network. Backup Accounting Server If the NWA1121-NI cannot communicate with the primary accounting server, you can have the NWA1121-NI use a backup accounting server. Make sure the check boxe is selected if you want to use the backup server. Backup Server IP Address Backup Server Port Backup Share Secret The NWA1121-NI will attempt to communicate three times before using the backup server. Enter the IP address of the external accounting server in dotted decimal notation. Enter the port number of the external accounting server. Enter a password (up to 128 alphanumeric characters) as the key to be shared between the external accounting server and the NWA1121-NI. The key must be the same on the external accounting and your NWA1121-NI. The key is not sent over the network. Back Click Back to return to the previous screen. 88 NWA1121-NI Users Guide Chapter 6 Wireless LAN Table 23 Wireless LAN > RADIUS (continued) LABEL Apply DESCRIPTION Click Apply to save your changes. Cancel Click Cancel to begin configuring this screen afresh. 6.8 MAC Filter Screen Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC address of each device to configure MAC filtering on the NWA1121-NI. The MAC filter function allows you to configure the NWA1121-NI to grant access to the NWA1121-
NI from other wireless devices (Allow Association) or exclude devices from accessing the NWA1121-
NI (Deny Association). Figure 39 MAC Filtering In the figure above, wireless client U is able to connect to the Internet because its MAC address is in the allowed association list specified in the NWA1121-NI. The MAC address of client A is either denied association or is not in the list of allowed wireless clients specified in the NWA1121-NI. NWA1121-NI Users Guide 89 Chapter 6 Wireless LAN Use this screen to enable MAC address filtering in your NWA1121-NI. You can specify MAC addresses to either allow or deny association with your NWA1121-NI. Click Wireless LAN > MAC Filter. The screen displays as shown. Figure 40 Wireless LAN > MAC Filter Select a profile you want to configure and click Edit. Figure 41 MAC Filter: Edit 90 NWA1121-NI Users Guide Chapter 6 Wireless LAN The following table describes the labels in this screen. Table 24 Wireless LAN > MAC Filter LABEL DESCRIPTION This is the name that identifying this profile. Profile Name Access Control Mode Select Disabled if you do not want to use this feature. Select Allow to permit access to the NWA1121-NI. MAC addresses not listed will be denied access to the NWA1121-NI. Select Deny to block access to theNWA1121-NI. MAC addresses not listed will be allowed to access the NWA1121-NI. This is the index number of the MAC address listed. Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the wireless station to be allowed or denied access to the NWA1121-NI. Click Back to return to the previous screen. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh.
MAC Address Back Apply Cancel 6.9 Technical Reference This section provides technical background information about the topics covered in this chapter. Refer to Appendix D on page 181 for further readings on Wireless LAN. 6.9.1 Additional Wireless Terms Table 25 Additional Wireless Terms TERM Intra-BSS Traffic DESCRIPTION This describes direct communication (not through the NWA1121-NI) between two wireless devices within a wireless network. You might disable this kind of communication to enhance security within your wireless network. RTS/CTS Threshold In a wireless network which covers a large area, wireless devices are sometimes not aware of each others presence. This may cause them to send information to the AP at the same time and result in information colliding and not getting through. By setting this value lower than the default value, the wireless devices must sometimes get permission to send information to the NWA1121-NI. The lower the value, the more often the devices must get permission. If this value is greater than the fragmentation threshold value (see below), then wireless devices never have to get permission to send information to the NWA1121-
NI. A preamble affects the timing in your wireless network. There are two preamble modes: long and short. If a device uses a different preamble mode than the NWA1121-NI does, it cannot communicate with the NWA1121-NI. Preamble Fragmentation Threshold A small fragmentation threshold is recommended for busy networks, while a larger threshold provides faster performance if the network is not very busy. NWA1121-NI Users Guide 91 Chapter 6 Wireless LAN TERM Roaming Antenna 6.9.2 WMM QoS DESCRIPTION If you have two or more NWA1121-NIs (or other wireless access points) on your wireless network, you can enable this option so that wireless devices can change locations without having to log in again. This is useful for devices, such as notebooks, that move around a lot. An antenna couples Radio Frequency (RF) signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN. WMM (Wi-Fi MultiMedia) QoS (Quality of Service) ensures quality of service in wireless networks. It controls WLAN transmission priority on packets to be transmitted over the wireless network. WMM QoS prioritizes wireless traffic according to the delivery requirements of the individual and applications. WMM QoS is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks. On APs without WMM QoS, all traffic streams are given the same access priority to the wireless network. If the introduction of another traffic stream creates a data transmission demand that exceeds the current network capacity, then the new traffic stream reduces the throughput of the other traffic streams. The NWA1121-NI uses WMM QoS to prioritize traffic streams according to the IEEE 802.1q or DSCP information in each packets header. The NWA1121-NI automatically determines the priority to use for an individual traffic stream. This prevents reductions in data transmission for applications that are sensitive to latency and jitter (variations in delay). 6.9.2.1 WMM QoS Priorities The following table describes the WMM QoS priority levels that the NWA1121-NI uses. Table 26 WMM QoS Priorities Priority Level description voice
(WMM_VOICE) video
(WMM_VIDEO) best effort
(WMM_BESTEFFORT) background
(WMM_BACKGROUND) Typically used for traffic that is especially sensitive to jitter. Use this priority to reduce latency for improved voice quality. Typically used for traffic which has some tolerance for jitter but needs to be prioritized over other data traffic. Typically used for traffic from applications or devices that lack QoS capabilities. Use best effort priority for traffic that is less sensitive to latency, but is affected by long delays, such as Internet surfing. This is typically used for non-critical traffic such as bulk transfers and print jobs that are allowed but that should not affect other applications and users. Use background priority for applications that do not have strict latency and throughput requirements. 92 NWA1121-NI Users Guide Chapter 6 Wireless LAN 6.9.3 Security Mode Guideline The following is a general guideline in choosing the security mode for your NWA1121-NI. Use WPA(2)-PSK if you have WPA(2)-aware wireless clients but no RADIUS server. Use WPA(2) security if you have WPA(2)-aware wireless clients and a RADIUS server. WPA has user authentication and improved data encryption over WEP. Use WPA(2)-PSK if you have WPA(2)-aware wireless clients but no RADIUS server. If you dont have WPA(2)-aware wireless clients, then use WEP key encrypting. A higher bit key offers better security. You can manually enter 64-bit or 128-bit WEP keys. More information on Wireless Security can be found in Appendix D on page 181. NWA1121-NI Users Guide 93 CHAPTER 7 LAN 7.1 Overview This chapter describes how you can configure the IP address of your NWA1121-NI. The Internet Protocol (IP) address identifies a device on a network. Every networking device
(including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Figure 42 IPv4 Setup The figure above illustrates one possible setup of your NWA1121-NI. The gateway IPv4 address is 192.168.1.1 and the IPv4 address of the NWA1121-NI is 192.168.1.2 (default). The gateway and the device must belong in the same subnet mask to be able to communicate with each other. 7.2 What You Can Do in this Chapter Use the LAN IP screen to configure the IP address of your NWA1121-NI (see Section 7.4 on page 96). 7.3 What You Need to Know The Ethernet parameters of the NWA1121-NI are preset in the factory with the following values:
1 2 IP address of 192.168.1.2 Subnet mask of 255.255.255.0 (24 bits) NWA1121-NI Users Guide 94 Chapter 7 LAN IPv6 IPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 1038 IP addresses. IPv6 Addressing The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. IPv6 addresses can be abbreviated in two ways:
Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0. Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15. Prefix and Prefix Length Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address. An IPv6 prefix length specifies how many most significant bits (start from the left) in the address compose the network address. The prefix length is written as /x where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) is the subnet prefix. Link-local Address A link-local address uniquely identifies a device on the local network (the LAN). It is similar to a private IP address in IPv4. You can have the same link-local address on multiple interfaces on a device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast address format is as follows. Table 27 Link-local Unicast Address Format 1111 1110 10 0 Interface ID 10 bits 54 bits 64 bits Global Address A global address uniquely identifies a device on the Internet. It is similar to a public IP address in IPv4. A global unicast address starts with a 2 or 3. NWA1121-NI Users Guide 95 Chapter 7 LAN 7.4 LAN IP Screen Use this screen to configure the IP address for your NWA1121-NI. Click Network > LAN to display the following screen. Figure 43 LAN IP The following table describes the labels in this screen. Table 28 LAN IP LABEL IPv4 Address Assignment DESCRIPTION Obtain IP Address Automatically Select this option if your NWA1121-NI is using a dynamically assigned IPv4 address from a DHCP server each time. Note: You must know the IP address assigned to the NWA1121-NI (by the DHCP server) to access the NWA1121-NI again. Use Fixed IP Address Select this option if your NWA1121-NI is using a static IPv4 address. When you select this option, fill in the fields below. IP Address Enter the IP address of your NWA1121-NI in dotted decimal notation. Subnet Mask Gateway IP Address Note: If you change the NWA1121-NI's IP address, you must use the new IP address if you want to access the web configurator again. Type the subnet mask. Type the IPv4 address of the gateway. The gateway is an immediate neighbor of your NWA1121-NI that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your NWA1121-NI; over the WAN, the gateway must be the IP address of one of the remote nodes. 96 NWA1121-NI Users Guide Chapter 7 LAN Table 28 LAN IP (continued) LABEL IPv6 Address Assignment DESCRIPTION Enable Stateful Address Auto-
configuration IPv6 Address/Prefix Length System DNS Servers Select this to turn on IPv6 stateful autoconfiguration to have the NWA1121-NI obtain an IPv6 global address from a DHCPv6 server in your network. Enter your IPv6 address and prefix manually. Primary DNS Server Enter the IPv4 address of the first DNS (Domain Name Service) server, if provided. Secondary DNS Server Enter the IPv4 address of the second DNS (Domain Name Service) server address, if Apply Cancel provided. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. NWA1121-NI Users Guide 97 CHAPTER 8 VLAN 8.1 Overview This chapter discusses how to configure the NWA1121-NIs VLAN settings. Figure 44 Management VLAN Setup B A In the figure above, to access and manage the NWA1121-NI from computer A, the NWA1121-NI and switch Bs ports to which computer A and the NWA1121-NI are connected should be in the same VLAN. 8.1.1 What You Can Do in This Chapter The VLAN screens let you set up the NWA1121-NIs mangement VLAN (Section 8.3 on page 99). 8.2 What You Need to Know Introduction to VLANs A Virtual Local Area Network (VLAN) allows a physical network to be partitioned into multiple logical networks. Devices on a logical network belong to one group. A device can belong to more than one group. With VLAN, a device cannot directly talk to or hear from devices that are not in the same group(s); the traffic must first go through a router. In Multi-Tenant Unit (MTU) applications, VLAN is vital in providing isolation and security among the subscribers. When properly configured, VLAN prevents one subscriber from accessing the network resources of another on the same LAN, thus a user will not see the printers and hard disks of another user in the same building. NWA1121-NI Users Guide 98 Chapter 8 VLAN VLAN also increases network performance by limiting broadcasts to a smaller and more manageable logical broadcast domain. In traditional switched environments, all broadcast packets go to each and every individual port. With VLAN, all broadcasts are confined to a specific broadcast domain. IEEE 802.1Q Tag The IEEE 802.1Q standard defines an explicit VLAN tag in the MAC header to identify the VLAN membership of a frame across bridges. A VLAN tag includes the 12-bit VLAN ID and 3-bit user priority. The VLAN ID associates a frame with a specific VLAN and provides the information that devices need to process the frame across the network. 8.3 VLAN Screen Use this screen to set up the VLAN for managing the NWA1121-NI. Click Network > VLAN to display the screen as shown. Figure 45 Network > VLAN The following table describes the labels in this screen. Figure 46 Network > VLAN LABEL DESCRIPTION 802.1Q VLAN Select this to enable VLAN tagging on the NWA1121-NI. Management VLAN Select this to enable VLAN management. Only traffic tagged with the management VLAN ID can access the NWA1121-NI. At least one device in your network must belong to the VLAN specified below in order to manage the NWA1121-NI. Management VLAN ID Enter a number from 1 to 4094 to define the NWA1121-NIs management VLAN Apply Cancel group. Click Apply to save your changes. Click Cancel to begin configuring this screen afresh. NWA1121-NI Users Guide 99 Chapter 8 VLAN 100 NWA1121-NI Users Guide CHAPTER 9 System 9.1 Overview This chapter shows you how to enable remote management of your NWA1121-NI. It provides information on determining which services or protocols can access which of the NWA1121-NIs interfaces. Remote Management allows a user to administrate the device over the network. You can manage your NWA1121-NI from a remote location via the following interfaces:
WLAN LAN Both WLAN and LAN Neither (Disable) Figure 47 Remote Management Example In the figure above, the NWA1121-NI (A) is being managed by a desktop computer (B) connected via LAN (Land Area Network). It is also being accessed by a notebook (C) connected via WLAN
(Wireless LAN). 9.2 What You Can Do in this Chapter Use the WWW screen to configure through which interface(s) and from which IP address(es) you can use the Web Browser to manage the NWA1121-NI (see Section 9.4 on page 104). Use the Certificates screen to delete and import certificates (seen Section 9.5 on page 105). NWA1121-NI Users Guide 101 Chapter 9 System Use the Telnet screen to configure through which interface(s) and from which IP address(es) you can use Telnet to manage the NWA1121-NI. A Telnet connection is prioritized by the NWA1121-NI over other remote management sessions (see Section 9.6 on page 106). Use the SNMP screen to configure through which interface(s) and from which IP address(es) a network systems manager can access the NWA1121-NI (see Section 9.7 on page 107). Use the FTP screen to configure through which interface(s) and from which IP address(es) you can use File Transfer Protocol (FTP) to manage the NWA1121-NI. You can use FTP to upload the latest firmware for example (see Section 9.8 on page 110). 9.3 What You Need To Know WWW The World Wide Web allows you to access files hosted in a remote server. For example, you can view text files (usually referred to as pages) using your web browser via HyperText Transfer Protocol (HTTP). Telnet Telnet is short for Telecommunications Network, which is a client-side protocol that enables you to access a device over the network. FTP File Transfer Protocol (FTP) allows you to upload or download a file or several files to and from a remote location using a client or the command console. SNMP Simple Network Management Protocol (SNMP) is a member of the TCP/IP protocol suite used for exchanging management information between network devices. Your NWA1121-NI supports SNMP agent functionality, which allows a manager station to manage and monitor the NWA1121-NI through the network. The NWA1121-NI supports SNMP version one
(SNMPv1), version two (SNMPv2c) and version three (SNMPv3). 102 NWA1121-NI Users Guide The next figure illustrates an SNMP management operation. Figure 48 SNMP Management Mode Chapter 9 System An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the NWA1121-NI). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices. SNMP allows a manager and agents to communicate for the purpose of accessing information such as packets received, node port status, etc. SNMP v3 and Security SNMP v3 enhances security for SNMP management. SNMP managers can be required to authenticate with agents before conducting SNMP management sessions. Security can be further enhanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them. Remote Management Limitations Remote management over LAN or WLAN will not work when:
You have disabled that service in one of the remote management screens. The IP address in the Secured Client IP Address field does not match the client IP address. If it does not match, the NWA1121-NI will disconnect the session immediately. NWA1121-NI Users Guide 103 Chapter 9 System You may only have one remote management session running at one time. The NWA1121-NI automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows:
1 Telnet 2 HTTP System Timeout There is a default system management idle timeout of five minutes (three hundred seconds). The NWA1121-NI automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the SYSTEM screen. Certificate A certificate contains the certificate owners identity and public key. Certificates provide a way to exchange public keys for use in authentication. Figure 49 Certificates Example In the figure above, the NWA1121-NI (Z) checks the identity of the notebook (A) using a certificate before granting access to the network. The certification authority certificate that you can import to your NWA1121-NI should be in PFX PKCS#12 file format. This format referred to as the Personal Information Exchange Syntax Standard is comprised of a private key-public certificate pair that is further encrypted with a password. Before you import a certificate into the NWA1121-NI, you should verify that you have the correct certificate. Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys. 9.4 WWW Screen Use this screen to configure your NWA1121-NI via the World Wide Web (WWW) using a Web browser. This lets you specify which IP addresses or computers are able to communicate with and access the NWA1121-NI. 104 NWA1121-NI Users Guide To change your NWA1121-NIs WWW settings, click System > WWW. The following screen shows. Figure 50 System > WWW Chapter 9 System The following table describes the labels in this screen. Table 29 System > WWW LABEL WWW DESCRIPTION HTTP Port HTTPS Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the NWA1121-NI, for example 8443, then you must notify people who need to access the NWA1121-NI web configurator to use https://
NWA1121-NI IP Address:8443 as the URL. Server Access Select the interface(s) through which a computer may access the NWA1121-NI using this service. Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the NWA1121-NI using this service. Secured Client MAC Address Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA1121-NI using this service. Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the MAC address that you specify to access the NWA1121-NI using this service. Apply Cancel Click Apply to save your customized settings. Click Cancel to begin configuring this screen afresh. 9.5 Certificates Screen Use this screen to delete or import certificates. NWA1121-NI Users Guide 105 Chapter 9 System Click System > Certificates. The following screen shows. Figure 51 System > Certificates The following table describes the labels in this screen. Table 30 System > Certificates LABEL Import Certificate DESCRIPTION Import Certificate Browse Import Enter the location of a previously-saved certificate to upload to the NWA1121-NI. Alternatively, click the Browse button to locate a list. Click this button to locate a previously-saved certificate to upload to the NWA1121-NI. Click this button to upload the previously-saved certificate displayed in the Import Certificate field to the NWA1121-NI. Delete Certificate You can delete a certificate Select the certificate from the list that you want to delete. Delete Click this to delete the selected certificate. 9.6 Telnet Screen Use this screen to configure your NWA1121-NI for remote Telnet access. You can use Telnet to access the NWA1121-NIs Command Line Interface (CLI). Click System > Telnet. The following screen displays. Figure 52 System > Telnet 106 NWA1121-NI Users Guide Chapter 9 System The following table describes the labels in this screen. Table 31 System > Telnet LABEL TELNET DESCRIPTION Port You can change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Server Access Select the interface(s) through which a computer may access the NWA1121-NI using Telnet. Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the NWA1121-NI using this service. Secured Client MAC Address Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA1121-NI using this service. Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the MAC address that you specify to access the NWA1121-NI using this service. Apply Cancel Click Apply to save your customized settings. Click Cancel to begin configuring this screen afresh. 9.7 SNMP Screen Use this screen to have a manager station administrate your NWA1121-NI over the network and configure SNMP accounts on the SNMP v3 manager. An SNMP administrator/user is an SNMP NWA1121-NI Users Guide 107 Chapter 9 System manager. To change your NWA1121-NIs SNMP settings, click System > SNMP. The following screen displays. Figure 53 System > SNMP The following table describes the labels in this screen. Table 32 System > SNMP LABEL SNMP DESCRIPTION Port You can change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. 108 NWA1121-NI Users Guide Chapter 9 System Table 32 System > SNMP (continued) LABEL Server Access DESCRIPTION Select the interface(s) through which a computer may access the NWA1121-NI using Telnet. Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the NWA1121-NI using this service. Secured Client MAC Address SNMP Configuration Protocol Version Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA1121-NI using this service. Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the MAC address that you specify to access the NWA1121-NI using this service. Select the SNMP version for the NWA1121-NI, which you allow the SNMP manager to use to access the NWA1121-NI. The SNMP version on the NWA1121-NI must match the version on the SNMP manager. Get Community Set Community Note: SNMP version 2c is backwards compatible with SNMP version 1. Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. Enter the Set community, which is the password for incoming Set requests from the management station. Trap Community Type the trap community, which is the password sent with each trap to the SNMP manager. Trap Destination Type the IP address of the station to send your SNMP traps to. SNMPv3 Admin Settings SNMPv3 Admin Select the check box to enable the SNMP administrator account for authentication with SNMP managers using SNMP v3. User Name Password Specify the user name of the SNMP administrator account. Enter the password for SNMP administrator authentication. Confirm Password Retype the password for confirmation. Access Type Specify the SNMP administrators access rights to MIBs. Read/Write - The SNMP administrator has read and write rights, meaning that the user can create and edit the MIBs on the NWA1121-NI. Read Only - The SNMP administrator has read rights only, meaning the user can collect information from the NWA1121-NI. Authentication Protocol Select an authentication algorithm used for SNMP communication with the SNMP administrator. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower. Privacy Protocol Specify the encryption method used for SNMP communication with the SNMP administrator. DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data. AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. NWA1121-NI Users Guide 109 Chapter 9 System Table 32 System > SNMP (continued) LABEL SNMPv3 User Settings DESCRIPTION SNMPv3 User User Name Password Select the check box to enable the SNMP user account for authentication with SNMP managers using SNMP v3. Specify the user name of the SNMP user account. Enter the password for SNMP user authentication. Confirm Password Retype the password for confirmation. Access Type Specify the SNMP users access rights to MIBs. Authentication Protocol Read Only - The SNMP user has read rights only, meaning the user can collect information from the NWA1121-NI. Read/Write - The SNMP user has read and write rights, meaning that the user can create and edit the MIBs on the NWA1121-NI. Select an authentication algorithm used for SNMP communication with the SNMP user. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower. Privacy Protocol Specify the encryption method used for SNMP communication with the SNMP user. DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data. AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. Apply Cancel Click Apply to save your customized settings. Click Cancel to begin configuring this screen afresh. 9.8 FTP Screen Use this screen to upload and download the NWA1121-NIs firmware using FTP. To use this feature, your computer must have an FTP client. To change your NWA1121-NIs FTP settings, click System > FTP. The following screen displays. Figure 54 System > FTP 110 NWA1121-NI Users Guide Chapter 9 System The following table describes the labels in this screen. Table 33 System > FTP LABEL FTP DESCRIPTION Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Server Access Select the interface(s) through which a computer may access the NWA1121-NI using this service. Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the NWA1121-NI using this service. Secured Client MAC Address Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the IP address that you specify to access the NWA1121-NI using this service. Select All to allow any computer to access the NWA1121-NI using this service. Choose Selected to just allow the computer with the MAC address that you specify to access the NWA1121-NIe using this service. Apply Cancel Click Apply to save your customized settings. Click Cancel to begin configuring this screen afresh. 9.9 Technical Reference This section provides some technical background information about the topics covered in this chapter. 9.9.1 MIB Managed devices in an SMNP managed network contain object variables or managed objects that define each piece of information to be collected about a device. Examples of variables include such as number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects.SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:
Get - Allows the manager to retrieve an object variable from the agent. GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. Set - Allows the manager to set values for object variables within an agent. Trap - Used by the agent to inform the manager of some events. 9.9.2 Supported MIBs The NWA1121-NI supports MIB II that is defined in RFC-1213 and RFC-1215 as well as the proprietary ZyXEL private MIB. The purpose of the MIBs is to let administrators collect statistical data and monitor status and performance. NWA1121-NI Users Guide 111 Chapter 9 System 9.9.3 SNMP Traps SNMP traps are messages sent by the agents of each managed device to the SNMP manager. These messages inform the administrator of events in data networks handled by the device. The NWA1121-NI can send the following traps to the SNMP manager. Table 34 SNMP Traps TRAP NAME Generic Traps coldStart OBJECT IDENTIFIER #
(OID) DESCRIPTION 1.3.6.1.6.3.1.1.5.1 warmStart 1.3.6.1.6.3.1.1.5.2 This trap is sent after booting (power on). This trap is defined in RFC-1215. This trap is sent after booting (software reboot). This trap is defined in RFC-1215. linkDown linkUp 1.3.6.1.6.3.1.1.5.3 This trap is sent when the Ethernet link is down. 1.3.6.1.6.3.1.1.5.4 This trap is sent when the Ethernet link is up. authenticationFailure
(defined in RFC-1215) 1.3.6.1.6.3.1.1.5.5 The device sends this trap when it receives any SNMP get or set requirements with the wrong community
(password). Note: snmpEnableAuthenTraps, OID 1.3.6.1.2.1.11.30
(defined in RFC 1214 and RFC 1907) must be enabled on in order for the device to send authenticationFailure traps. Use a MIB browser to enable or disable snmpEnableAuthenTraps. Traps defined in the ZyXEL Private MIB. whyReboot 1.3.6.1.4.1.890.1.5.13.0. 1 This trap is sent with the reason for restarting before the system reboots (warm start).
"System reboot by user!" is added for an intentional reboot (for example, download new files, CI command
"sys reboot"). If the system reboots because of fatal errors, a code for the error is listed. pwTFTPStatus 1.3.6.1.4.1.890.1.9.2.3.3
.1 This trap is sent to indicate the status and result of a TFTP client session that has ended. Some traps include an SNMP interface index. The following table maps the SNMP interface indexes to the NWA1121-NIs physical and virtual ports. Table 35 SNMP Interface Index to Physical and Virtual Port Mapping TYPE Physical PORT Wireless LAN adaptor WLAN1 INTERFACE enet0 enet1 enet2 Virtual enet3 ~ enet9 enet10 ~ enet16 enet17 ~ enet21 enet22 ~ enet26 Ethernet port (LAN) Wireless LAN adaptor WLAN2 WLAN1 in MBSSID mode WLAN2 in MBSSID mode WLAN1 in WDS mode WLAN2 in WDS mode 112 NWA1121-NI Users Guide Chapter 9 System 9.9.4 Private-Public Certificates When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure. These keys work like a handwritten signature (in fact, certificates are often referred to as digital signatures). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key writes your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows. 1 2 3 4 5 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. Tim uses his private key to sign the message and sends it to Jenny. Jenny receives the message and uses Tims public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tims private key). Additionally, Jenny uses her own private key to sign a message and Tim uses Jennys public key to verify the message. 9.9.5 Certification Authorities A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the NWA1121-NI to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority. 9.9.6 Checking the Fingerprint of a Certificate on Your Computer A certificates fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificates fingerprint to verify that you have the actual certificate. 1 Browse to where you have the certificate saved on your computer. 2 Make sure that the certificate has a .cer or .crt file name extension. Figure 55 Certificates on Your Computer NWA1121-NI Users Guide 113 Chapter 9 System 3 Double-click the certificates icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figure 56 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary according to your situation. Possible examples would be over the telephone or through an HTTPS connection. 114 NWA1121-NI Users Guide CHAPTER 10 Log Settings 10.1 Overview This chapter provides information on viewing and generating logs on your NWA1121-NI. Logs are files that contain recorded network activity over a set period. They are used by administrators to monitor the health of the system(s) they are managing. Logs enable administrators to effectively monitor events, errors, progress, etc. so that when network problems or system failures occur, the cause or origin can be traced. Logs are also essential for auditing and keeping track of changes made by users. Figure 57 Accessing Logs in the Network The figure above illustrates three ways to access logs. The user (U) can access logs directly from the NWA1121-NI (A) via the Web configurator. Logs can also be located in an external log server
(B). An email server (C) can also send harvested logs to the users email account. 10.2 What You Can Do in this Chapter Use the Log Settings screen to configure where and when the NWA1121-NI will send the logs, and which logs and/or immediate alerts it will send (Section 10.4 on page 116). Use the Monitor >
Logs screen to display all logs or logs for a certain category. NWA1121-NI Users Guide 115 Chapter 10 Log Settings 10.3 What You Need To Know Alerts and Logs An alert is a type of log that warrants more serious attention. Some categories such as System Error consist of both logs and alerts. You can differentiate them by their color in the Monitor >
Logs screen. Alerts are displayed in red and logs are displayed in black. Receiving Logs via E-mail If you want to receive logs in your e-mail account, you need to have the necessary details ready, such as the Server Name or Simple Mail Transfer Protocol (SMTP) Address of your e-mail account. Ensure that you have a valid e-mail address. Enabling Syslog Logging To enable Syslog Logging, obtain your Syslog servers IP address (or server name). 10.4 Log Settings Screen Use this screen to configure to where and when the NWA1121-NI is to send the logs and which logs and/or immediate alerts it is to send. 116 NWA1121-NI Users Guide To change your NWA1121-NIs log settings, click Configuration > Log Settings. The screen appears as shown. Figure 58 Log Settings Chapter 10 Log Settings The following table describes the labels in this screen. Table 36 Log Settings LABEL E-mail Log Settings Mail Server Mail Subject Send Log to DESCRIPTION Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail. Type a title that you want to be in the subject line of the log e-mail message that the NWA1121-NI sends. Logs are sent to the e-mail address specified in this field. If this field is left blank, logs will not be sent via e-mail. NWA1121-NI Users Guide 117 Chapter 10 Log Settings Table 36 Log Settings (continued) LABEL SMTP Authentication DESCRIPTION SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. Select the check box to activate SMTP authentication. If mail server authentication is needed but this feature is disabled, you will not receive the e-mail logs. User Name Password If you use SMTP authentication, the mail receiver should be the owner of the SMTP account. If your e-mail account requires SMTP authentication, enter the username here. Enter the password associated with the above username. Syslog Logging Syslog logging sends a log to an external syslog server used to store logs. Syslog Logging Select the check box to enable syslog logging. Syslog Server IP Address Syslog Port Number Send Log Log Schedule Enter the IP address of the syslog server that will log the selected categories of logs. Enter the port number of the syslog server that will log the selected categories of logs. This drop-down menu is used to configure the frequency of log messages being sent as E-mail:
When Log is Full Hourly Daily Weekly None. If the Weekly or the Daily option is selected, specify a time of day when the E-mail should be sent. If the Weekly option is selected, then also specify which day of the week the E-mail should be sent. If the When Log is Full option is selected, an alert is sent when the log fills up. If you select None, no log messages are sent. This field is only available when you select Weekly in the Log Schedule field. Use the drop down list box to select which day of the week to send the logs. Day for Sending Log Time for Sending Log Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. Clear log after sending mail Select the check box to clear all logs after logs and alert messages are sent via e-
mail. Log Category System Maintenance Click this to receive logs related to system maintenance. System Error Click this to receive logs related to system errors. 802.1x Wireless Email Log Now Apply Cancel Click this to receive logs related to the 802.1x mode. Click this to receive logs related to the wireless function. Select the categories of alerts for which you want the NWA1121-NI to immediately send e-mail alerts. Click Apply to save your customized settings. Click Cancel to begin configuring this screen afresh. 118 NWA1121-NI Users Guide CHAPTER 11 Maintenance 11.1 Overview This chapter describes the maintenance screens. It discusses how you can upload new firmware, manage configuration and restart your NWA1121-NI without turning it off and on. This chapter provides information and instructions on how to identify and manage your NWA1121-
NI over the network. Figure 59 NWA1121-NI Setup In the figure above, the NWA1121-NI connects to a Domain Name Server (DNS) server to avail of a domain name. It also connects to an Network Time Protocol (NTP) server to set the time on the device. 11.2 What You Can Do in this Chapter Use the General screen to specify the system name (see Section 11.4 on page 120). Use the Password screen to manage the password for your NWA1121-NI (see Section 11.5 on page 121). Use the Time screen to change your NWA1121-NIs time and date. This screen allows you to configure the NWA1121-NIs time based on your local time zone (see Section 11.6 on page 122). Use the Firmware Upload screen to upload the latest firmware for your NWA1121-NI (see Section 11.7 on page 123). Use the Backup/Restore screen to view information related to factory defaults, backup configuration, and restoring configuration (see Section 11.8 on page 124). NWA1121-NI Users Guide 119 Chapter 11 Maintenance Use Restart screen to reboot the NWA1121-NI without turning the power off (see Section 11.9 on page 126). 11.3 What You Need To Know You can find the firmware for your device at www.zyxel.com. It is a file that (usually) uses the system model name with a "*.bin" extension, for example "[Model #].bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. 11.4 General Screen Use the General screen to identify your NWA1121-NI over the network. Click Maintenance >
General. The following screen displays. Figure 60 Maintenance > General The following table describes the labels in this screen. Table 37 Maintenance > General LABEL System Settings DESCRIPTION System Name Type a descriptive name to identify the NWA1121-NI in the Ethernet network. This name can be up to 15 alphanumeric characters long. Spaces are not allowed, but dashes "-" are accepted. Apply Cancel Click Apply to save your changes. Click Cancel to reload the previous configuration for this screen. 120 NWA1121-NI Users Guide Chapter 11 Maintenance 11.5 Password Screen Use this screen to control access to your NWA1121-NI by assigning a password to it. Click Maintenance > Password. The following screen displays. Figure 61 Maintenance > Password The following table describes the labels in this screen. Table 38 Maintenance > Password LABEL Current Password DESCRIPTIONS Type in your existing system password. New Password Type your new system password. Note that as you type a password, the screen displays a dot (.) for each character you type. Retype to Confirm Retype your new system password for confirmation. Apply Cancel Click Apply to save your changes. Click Cancel to reload the previous configuration for this screen. NWA1121-NI Users Guide 121 Chapter 11 Maintenance 11.6 Time Screen Use this screen to change your NWA1121-NIs time and date, click Maintenance > Time. The following screen displays. Figure 62 Maintenance > Time The following table describes the labels in this screen. Table 39 Maintenance > Time LABEL Current Time and Date DESCRIPTION Current Time This field displays the time of your NWA1121-NI. Each time you reload this page, the NWA1121-NI synchronizes the time with the time server (if configured). When you disable NTP Client Update, you can manually enter the new time in this field and then click Apply. Current Date This field displays the last updated date from the time server. When you disable NTP Client Update, you can manually enter the new date in this field and then click Apply. Time and Date Setup NTP Client Update NTP server Manual IP Time Zone Setup Time Zone Apply Cancel Select this to have the NWA1121-NI get the time and date from the time server you specified below. Select this option to use the predefined list of Network Time Protocol (NTP) servers. Select an NTP server from the drop-list box. Select this option to enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information. Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT). Click Apply to save your changes. Click Cancel to reload the previous configuration for this screen. 122 NWA1121-NI Users Guide Chapter 11 Maintenance 11.7 Firmware Upgrade Screen Use this screen to upload a firmware to your NWA1121-NI. Click Maintenance > Firmware Upgrade. Follow the instructions in this section to upload firmware to your NWA1121-NI. Figure 63 Maintenance > Firmware Upgrade The following table describes the labels in this screen. Table 40 Maintenance > Firmware Upgrade LABEL File Path DESCRIPTION Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes. Do not turn off the NWA1121-NI while firmware upload is in progress!
After you see the Firmware Upload in Process screen, wait two minutes before logging into the NWA1121-NI again. Figure 64 Firmware Upload In Process The NWA1121-NI automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 65 Network Temporarily Disconnected NWA1121-NI Users Guide 123 Chapter 11 Maintenance After the upload was finished, log in again and check your new firmware version in the Dashboard screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/
W Upload screen. Figure 66 Firmware Upload Error 11.8 Configuration File Screen Use this screen to backup, restore and reset the configuration of your NWA1121-NI. Click Maintenance > Configuration File. The screen appears as shown next. Figure 67 Maintenance > Configuration File 11.8.1 Backup Configuration Backup configuration allows you to back up (save) the NWA1121-NIs current configuration to a file on your computer. Once your NWA1121-NI is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the NWA1121-NIs current configuration to your computer. 124 NWA1121-NI Users Guide 11.8.2 Restore Configuration Chapter 11 Maintenance Restore configuration allows you to upload a new or previously saved configuration file from your computer to your NWA1121-NI. Table 41 Restore Configuration LABEL File Path DESCRIPTION Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them. Upload Click Upload to begin the upload process. Do not turn off the NWA1121-NI while configuration file upload is in progress. After you see a restore configuration successful screen, you must then wait one minute before logging into the NWA1121-NI again. Figure 68 Configuration Upload Successful The NWA1121-NI automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 69 Network Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default NWA1121-NI IP address (192.168.1.2). See Appendix A on page 133 for details on how to set up your computers IP address. NWA1121-NI Users Guide 125 Chapter 11 Maintenance If the upload was not successful, the following screen will appear. Click Return to go back to the Backup/Restore screen. Figure 70 Configuration Upload Error 11.8.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the NWA1121-NI to its factory defaults as shown on the screen. The following warning screen will appear. Figure 71 Reset Message You can also press the RESET button to reset your NWA1121-NI to its factory default settings. Refer to Section 2.2 on page 20 for more information. 11.9 Restart Screen Use this screen to reboot the NWA1121-NI without turning the power off. Click Maintenance > Restart. The following screen displays. Figure 72 Maintenance > Restart Click Restart to have the NWA1121-NI reboot. This does not affect the NWA1121-NI's configuration. 126 NWA1121-NI Users Guide Chapter 11 Maintenance NWA1121-NI Users Guide 127 Chapter 11 Maintenance 128 NWA1121-NI Users Guide CHAPTER 12 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. Power, Hardware Connections, and LEDs NWA1121-NI Access and Login Internet Access 12.1 Power, Hardware Connections, and LEDs The NWA1121-NI does not turn on. None of the LEDs turn on. 1 Make sure you are using the power adaptor or cord included with the NWA1121-NI. 2 Make sure the power adaptor or cord is connected to the NWA1121-NI and plugged in to an appropriate power source. Make sure the power source is turned on. 3 Disconnect and re-connect the power adaptor or cord to the NWA1121-NI. 4 If the problem continues, contact the vendor. One of the LEDs does not behave as expected. 1 Make sure you understand the normal behavior of the LED. See Section 1.7 on page 17. 2 3 Check the hardware connections. See the Quick Start Guide. Inspect your cables for damage. Contact the vendor to replace any damaged cables. 4 Disconnect and re-connect the power adaptor to the NWA1121-NI. 5 If the problem continues, contact the vendor. NWA1121-NI Users Guide 129 Chapter 12 Troubleshooting 12.2 NWA1121-NI Access and Login I forgot the IP address for the NWA1121-NI. 1 2 3 The default IP address is 192.168.1.2. If you changed the IP address and have forgotten it, you might get the IP address of the NWA1121-
NI by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the NWA1121-NI (it depends on the network), so enter this IP address in your Internet browser. If this does not work, you have to reset the device to its factory defaults. See Section 2.2 on page 20. I forgot the password. 1 2 The default password is 1234. If this does not work, you have to reset the device to its factory defaults. See Section 2.2 on page 20. I cannot see or access the Login screen in the web configurator. 1 Make sure you are using the correct IP address. The default IP address is 192.168.1.2. If you changed the IP address (Section 7.4 on page 96), use the new IP address. If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the NWA1121-NI. 2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.7 on page 17. 3 Make sure your Internet browser does not block pop-up windows and has JavaScript and Java enabled. See Section 12.1 on page 129. 4 Make sure your computer is in the same subnet as the NWA1121-NI. (If you know that there are routers between your computer and the NWA1121-NI, skip this step.) If there is no DHCP server on your network, make sure your computers IP address is in the same subnet as the NWA1121-NI. 5 Reset the device to its factory defaults, and try to access the NWA1121-NI with the default IP address. See Chapter 2 on page 20. 130 NWA1121-NI Users Guide Chapter 12 Troubleshooting 6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions Try to access the NWA1121-NI using another service, such as Telnet. If you can access the NWA1121-NI, check the remote management settings to find out why the NWA1121-NI does not respond to HTTP. If your computer is connected wirelessly, use a computer that is connected to a LAN/Ethernet port. I can see the Login screen, but I cannot log in to the NWA1121-NI. 1 Make sure you have entered the user name and password correctly. The default password is 1234. This fields are case-sensitive, so make sure [Caps Lock] is not on. 2 You cannot log in to the web configurator while someone is using the Telnet to access the NWA1121-NI. Log out of the NWA1121-NI in the other session, or ask the person who is logged in to log out. 3 Disconnect and re-connect the power adaptor or cord to the NWA1121-NI. 4 If this does not work, you have to reset the device to its factory defaults. See Section 2.2 on page 20. I cannot use FTP to upload new firmware. See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. 12.3 Internet Access I cannot access the Internet. 1 2 3 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 12.1 on page 129. 2. Make sure your NWA1121-NI is connected to a networking device that provides Internet access. If you are trying to access the Internet wirelessly, make sure the wireless settings on the wireless client are the same as the settings on the AP. 4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. NWA1121-NI Users Guide 131 Chapter 12 Troubleshooting 5 If the problem continues, contact your ISP. I cannot access the Internet anymore. I had access to the Internet (with the NWA1121-NI), but my Internet connection is not available anymore. 1 2 3 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.7 on page 17. Reboot the NWA1121-NI. If the problem continues, contact your ISP or network administrator. The Internet connection is slow or intermittent. 1 2 3 4 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.7 on page 17. If the NWA1121-NI is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications. Check the signal strength. If the signal is weak, try moving the NWA1121-NI (in wireless client mode) closer to the AP (if possible), and look around to see if there are any devices that might be interfering with the wireless network (microwaves, other wireless networks, and so on). Reboot the NWA1121-NI. If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions Check the settings for QoS. If it is disabled, you might consider activating it. 132 NWA1121-NI Users Guide APPENDIX A Setting Up Your Computers IP Address Note: Your specific NWA1121-NI may not support all of the operating systems described in this appendix. See the product specifications for more information about which operating systems are supported. This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network. Windows Vista/XP/2000, Mac OS 9/
OS X, and all versions of UNIX/LINUX include the software components you need to use TCP/IP on your computer. If you manually assign IP information instead of using a dynamic IP, make sure that your networks computers have IP addresses that place them in the same subnet. In this appendix, you can set up an IP address for:
Windows XP/NT/2000 on page 133 Windows Vista on page 137 Windows 7 on page 141 Mac OS X: 10.3 and 10.4 on page 145 Mac OS X: 10.5 and 10.6 on page 148 Linux: Ubuntu 8 (GNOME) on page 151 Linux: openSUSE 10.3 (KDE) on page 155 Windows XP/NT/2000 The following example uses the default Windows XP display theme but can also apply to Windows 2000 and Windows NT. NWA1121-NI Users Guide 133 Appendix A Setting Up Your Computers IP Address 1 Click Start > Control Panel. 2 In the Control Panel, click the Network Connections icon. 3 Right-click Local Area Connection and then select Properties. 134 NWA1121-NI Users Guide 4 On the General tab, select Internet Protocol (TCP/IP) and then click Properties. Appendix A Setting Up Your Computers IP Address NWA1121-NI Users Guide 135 Appendix A Setting Up Your Computers IP Address 5 The Internet Protocol TCP/IP Properties window opens. 6 7 8 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. Click OK to close the Internet Protocol (TCP/IP) Properties window. Click OK to close the Local Area Connection Properties window. Verifying Settings 1 2 136 Click Start > All Programs > Accessories > Command Prompt. In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information. NWA1121-NI Users Guide Appendix A Setting Up Your Computers IP Address Windows Vista This section shows screens from Windows Vista Professional. 1 Click Start > Control Panel. 2 In the Control Panel, click the Network and Internet icon. 3 Click the Network and Sharing Center icon. NWA1121-NI Users Guide 137 Appendix A Setting Up Your Computers IP Address 4 Click Manage network connections. 5 Right-click Local Area Connection and then select Properties. Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. 138 NWA1121-NI Users Guide 6 Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties. Appendix A Setting Up Your Computers IP Address NWA1121-NI Users Guide 139 Appendix A Setting Up Your Computers IP Address 7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens. 8 9 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided.Click Advanced. Click OK to close the Internet Protocol (TCP/IP) Properties window. 10 Click OK to close the Local Area Connection Properties window. Verifying Settings 1 2 140 Click Start > All Programs > Accessories > Command Prompt. In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information. NWA1121-NI Users Guide Appendix A Setting Up Your Computers IP Address Windows 7 This section shows screens from Windows 7 Enterprise. 1 Click Start > Control Panel. 2 In the Control Panel, click View network status and tasks under the Network and Internet category. 3 Click Change adapter settings. NWA1121-NI Users Guide 141 Appendix A Setting Up Your Computers IP Address 4 Double click Local Area Connection and then select Properties. Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. 142 NWA1121-NI Users Guide 5 Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties. Appendix A Setting Up Your Computers IP Address NWA1121-NI Users Guide 143 Appendix A Setting Up Your Computers IP Address 6 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens. 7 8 9 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically. Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. Click Advanced if you want to configure advanced settings for IP, DNS and WINS. Click OK to close the Internet Protocol (TCP/IP) Properties window. Click OK to close the Local Area Connection Properties window. Verifying Settings 1 2 144 Click Start > All Programs > Accessories > Command Prompt. In the Command Prompt window, type "ipconfig" and then press [ENTER]. NWA1121-NI Users Guide 3 The IP settings are displayed as follows. Appendix A Setting Up Your Computers IP Address Mac OS X: 10.3 and 10.4 The screens in this section are from Mac OS X 10.4 but can also apply to 10.3. 1 Click Apple > System Preferences. NWA1121-NI Users Guide 145 Appendix A Setting Up Your Computers IP Address 2 In the System Preferences window, click the Network icon. 3 When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure. 146 NWA1121-NI Users Guide 4 For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab. Appendix A Setting Up Your Computers IP Address 5 For statically assigned settings, do the following:
From the Configure IPv4 list, select Manually. In the IP Address field, type your IP address. In the Subnet Mask field, type your subnet mask. In the Router field, type the IP address of your device. 6 Click Apply Now and close the window. NWA1121-NI Users Guide 147 Appendix A Setting Up Your Computers IP Address Verifying Settings Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab. Figure 73 Mac OS X 10.4: Network Utility Mac OS X: 10.5 and 10.6 The screens in this section are from Mac OS X 10.5 but can also apply to 10.6. 1 Click Apple > System Preferences. 148 NWA1121-NI Users Guide 2 In System Preferences, click the Network icon. Appendix A Setting Up Your Computers IP Address 3 When the Network preferences pane opens, select Ethernet from the list of available connection types. 4 5 From the Configure list, select Using DHCP for dynamically assigned settings. For statically assigned settings, do the following:
NWA1121-NI Users Guide 149 Appendix A Setting Up Your Computers IP Address From the Configure list, select Manually. In the IP Address field, enter your IP address. In the Subnet Mask field, enter your subnet mask. In the Router field, enter the IP address of your NWA1121-NI. 6 Click Apply and close the window. 150 NWA1121-NI Users Guide Appendix A Setting Up Your Computers IP Address Verifying Settings Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab. Figure 74 Mac OS X 10.5: Network Utility Linux: Ubuntu 8 (GNOME) This section shows you how to configure your computers TCP/IP settings in the GNU Object Model Environment (GNOME) using the Ubuntu 8 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default Ubuntu 8 installation. Note: Make sure you are logged in as the root administrator. Follow the steps below to configure your computer IP address in GNOME:
1 Click System > Administration > Network. NWA1121-NI Users Guide 151 Appendix A Setting Up Your Computers IP Address 2 When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make changes to your configuration unless you first enter your admin password. 3 In the Authenticate window, enter your admin account name and password then click the Authenticate button. 152 NWA1121-NI Users Guide 4 In the Network Settings window, select the connection that you want to configure, then click Properties. Appendix A Setting Up Your Computers IP Address 5 The Properties dialog box opens. In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address. In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields. 6 Click OK to save the changes and close the Properties dialog box and return to the Network Settings screen. NWA1121-NI Users Guide 153 Appendix A Setting Up Your Computers IP Address 7 If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided. 8 Click the Close button to apply the changes. 154 NWA1121-NI Users Guide Appendix A Setting Up Your Computers IP Address Verifying Settings Check your TCP/IP properties by clicking System > Administration > Network Tools, and then selecting the appropriate Network device from the Devices tab. The Interface Statistics column shows data if your connection is working properly. Figure 75 Ubuntu 8: Network Tools Linux: openSUSE 10.3 (KDE) This section shows you how to configure your computers TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default openSUSE 10.3 installation. Note: Make sure you are logged in as the root administrator. Follow the steps below to configure your computer IP address in the KDE:
NWA1121-NI Users Guide 155 Appendix A Setting Up Your Computers IP Address 1 Click K Menu > Computer > Administrator Settings (YaST). 2 When the Run as Root - KDE su dialog opens, enter the admin password and click OK. 156 NWA1121-NI Users Guide 3 When the YaST Control Center window opens, select Network Devices and then click the Network Card icon. Appendix A Setting Up Your Computers IP Address 4 When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button. NWA1121-NI Users Guide 157 Appendix A Setting Up Your Computers IP Address 5 When the Network Card Setup window opens, click the Address tab Figure 76 openSUSE 10.3: Network Card Setup 6 7 Select Dynamic Address (DHCP) if you have a dynamic IP address. Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields. Click Next to save the changes and close the Network Card Setup window. 158 NWA1121-NI Users Guide 8 If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided. Appendix A Setting Up Your Computers IP Address 9 Click Finish to save your settings and close the window. Verifying Settings Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information. Figure 77 openSUSE 10.3: KNetwork Manager NWA1121-NI Users Guide 159 Appendix A Setting Up Your Computers IP Address When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly. Figure 78 openSUSE: Connection Status - KNetwork Manager 160 NWA1121-NI Users Guide APPENDIX B Pop-up Windows, JavaScript and Java Permissions In order to use the web configurator you need to allow:
Web browser pop-up windows from your device. JavaScript (enabled by default). Java permissions (enabled by default). Note: The screens used below belong to Internet Explorer version 6, 7 and 8. Screens for other Internet Explorer versions may vary. Internet Explorer Pop-up Blockers You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your devices IP address. Disable Pop-up Blockers 1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 79 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1 In Internet Explorer, select Tools, Internet Options, Privacy. NWA1121-NI Users Guide 161 Appendix B Pop-up Windows, JavaScript and Java Permissions 2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 80 Internet Options: Privacy 3 Click Apply to save this setting. Enable Pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 162 NWA1121-NI Users Guide Appendix B Pop-up Windows, JavaScript and Java Permissions 2 Select Settingsto open the Pop-up Blocker Settings screen. Figure 81 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.167.1. NWA1121-NI Users Guide 163 Appendix B Pop-up Windows, JavaScript and Java Permissions 4 Click Add to move the IP address to the list of Allowed sites. Figure 82 Pop-up Blocker Settings 5 6 Click Close to return to the Privacy screen. Click Apply to save this setting. JavaScript If pages of the web configurator do not display properly in Internet Explorer, check that JavaScript are allowed. 164 NWA1121-NI Users Guide Appendix B Pop-up Windows, JavaScript and Java Permissions 1 In Internet Explorer, click Tools, Internet Options and then the Security tab. Figure 83 Internet Options: Security 2 3 Click the Custom Level... button. Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). NWA1121-NI Users Guide 165 Appendix B Pop-up Windows, JavaScript and Java Permissions 6 Click OK to close the window. Figure 84 Security Settings - Java Scripting Java Permissions 1 2 3 From Internet Explorer, click Tools, Internet Options and then the Security tab. Click the Custom Level... button. Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 166 NWA1121-NI Users Guide Appendix B Pop-up Windows, JavaScript and Java Permissions 5 Click OK to close the window. Figure 85 Security Settings - Java JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. NWA1121-NI Users Guide 167 Appendix B Pop-up Windows, JavaScript and Java Permissions 3 Click OK to close the window. Figure 86 Java (Sun) Mozilla Firefox Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary slightly. The steps below apply to Mozilla Firefox 3.0 as well. You can enable Java, Javascript and pop-ups in one screen. Click Tools, then click Options in the screen that appears. Figure 87 Mozilla Firefox: TOOLS > Options 168 NWA1121-NI Users Guide Appendix B Pop-up Windows, JavaScript and Java Permissions Click Content to show the screen below. Select the check boxes as shown in the following screen. Figure 88 Mozilla Firefox Content Security Opera Opera 10 screens are used here. Screens for other versions may vary slightly. NWA1121-NI Users Guide 169 Appendix B Pop-up Windows, JavaScript and Java Permissions Allowing Pop-Ups From Opera, click Tools, then Preferences. In the General tab, go to Choose how you prefer to handle pop-ups and select Open all pop-ups. Figure 89 Opera: Allowing Pop-Ups Enabling Java From Opera, click Tools, then Preferences. In the Advanced tab, select Content from the left-
side menu. Select the check boxes as shown in the following screen. Figure 90 Opera: Enabling Java 170 NWA1121-NI Users Guide Appendix B Pop-up Windows, JavaScript and Java Permissions To customize JavaScript behavior in the Opera browser, click JavaScript Options. Figure 91 Opera: JavaScript Options Select the items you want Operas JavaScript to apply. NWA1121-NI Users Guide 171 Appendix B Pop-up Windows, JavaScript and Java Permissions 172 NWA1121-NI Users Guide APPENDIX C IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks. Introduction to IP Addresses One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number - the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered. Structure An IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. NWA1121-NI Users Guide 173 Appendix C IP Addresses and Subnetting The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID. Figure 92 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term subnet is short for sub-network. A subnet mask has 32 bits. If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID. The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal). Table 42 Subnet Masks 1ST OCTET:
(192) IP Address (Binary) 11000000 2ND OCTET:
(168) 10101000 3RD OCTET:
(1) 00000001 4TH OCTET
(2) 00000010 Subnet Mask (Binary) 11111111 11111111 11111111 00000000 Network Number 11000000 10101000 00000001 Host ID 00000010 By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. 174 NWA1121-NI Users Guide Appendix C IP Addresses and Subnetting Subnet masks can be referred to by the size of the network number part (the bits with a 1 value). For example, an 8-bit mask means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes. Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks. Table 43 Subnet Masks BINARY 1ST OCTET 11111111 8-bit mask 2ND OCTET 00000000 3RD OCTET 00000000 4TH OCTET DECIMAL 00000000 255.0.0.0 16-bit mask 11111111 11111111 00000000 00000000 255.255.0.0 24-bit mask 11111111 11111111 11111111 00000000 255.255.255.0 29-bit mask 11111111 11111111 11111111 11111000 255.255.255.248 Network Size The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits. An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example). As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:
Table 44 Maximum Host Numbers SUBNET MASK 8 bits HOST ID SIZE 24 bits 255.0.0.0 16 bits 255.255.0.0 16 bits 24 bits 255.255.255.0 29 bits 255.255.255.24 8 8 bits 3 bits Notation 224 2 216 2 28 2 23 2 MAXIMUM NUMBER OF HOSTS 16777214 65534 254 6 Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a /
followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. NWA1121-NI Users Guide 175 Appendix C IP Addresses and Subnetting The following table shows some possible subnet masks using both notations. Table 45 Alternative Subnet Mask Notation SUBNET MASK 255.255.255.0 255.255.255.128 255.255.255.192 255.255.255.224 255.255.255.240 255.255.255.248 255.255.255.252 ALTERNATIVE NOTATION
/24 LAST OCTET
(BINARY) 0000 0000 LAST OCTET
(DECIMAL) 0
/25
/26
/27
/28
/29
/30 1000 0000 1100 0000 1110 0000 1111 0000 1111 1000 1111 1100 128 192 224 240 248 252 Subnetting You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons. In this example, the company network address is 192.168.1.0. The first three octets of the address
(192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 28 2 or 254 possible hosts. The following figure shows the company network before subnetting. Figure 93 Subnetting Example: Before Subnetting You can borrow one of the host ID bits to divide the network 192.168.1.0 into two separate sub-
networks. The subnet mask is now 25 bits (255.255.255.128 or /25). The borrowed host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. 176 NWA1121-NI Users Guide Appendix C IP Addresses and Subnetting The following figure shows the company network after subnetting. There are now two sub-
networks, A and B. Figure 94 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 27 2 or 126 possible hosts (a host ID of all zeroes is the subnets address itself, all ones is the subnets broadcast address). 192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254. Example: Four Subnets The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to borrow two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits
(11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 26 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnets broadcast address). Table 46 Subnet 1 IP/SUBNET MASK NETWORK NUMBER IP Address (Decimal) 192.168.1. IP Address (Binary) 11000000.10101000.00000001. Subnet Mask (Binary) 11111111.11111111.11111111. LAST OCTET BIT VALUE 0 00000000 11000000 NWA1121-NI Users Guide 177 Appendix C IP Addresses and Subnetting Table 46 Subnet 1 (continued) IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE Subnet Address:
192.168.1.0 Broadcast Address:
192.168.1.63 Table 47 Subnet 2 Lowest Host ID: 192.168.1.1 Highest Host ID: 192.168.1.62 IP/SUBNET MASK NETWORK NUMBER IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001. Subnet Mask (Binary) 11111111.11111111.11111111. LAST OCTET BIT VALUE 64 01000000 11000000 Subnet Address:
192.168.1.64 Broadcast Address:
192.168.1.127 Table 48 Subnet 3 Lowest Host ID: 192.168.1.65 Highest Host ID: 192.168.1.126 IP/SUBNET MASK NETWORK NUMBER IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001. Subnet Mask (Binary) 11111111.11111111.11111111. LAST OCTET BIT VALUE 128 10000000 11000000 Subnet Address:
192.168.1.128 Broadcast Address:
192.168.1.191 Table 49 Subnet 4 Lowest Host ID: 192.168.1.129 Highest Host ID: 192.168.1.190 IP/SUBNET MASK NETWORK NUMBER IP Address 192.168.1. LAST OCTET BIT VALUE 192 IP Address (Binary) 11000000.10101000.00000001. 11000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address:
192.168.1.192 Broadcast Address:
192.168.1.255 Lowest Host ID: 192.168.1.193 Highest Host ID: 192.168.1.254 Example: Eight Subnets Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). 178 NWA1121-NI Users Guide The following table shows IP address last octet values for each subnet. Appendix C IP Addresses and Subnetting Table 50 Eight Subnets SUBNET ADDRESS 0 SUBNET 1 2 3 4 5 6 7 8 32 64 96 128 160 192 224 Subnet Planning FIRST ADDRESS 1 33 65 97 129 161 193 225 LAST ADDRESS 30 BROADCAST ADDRESS 31 62 94 126 158 190 222 254 63 95 127 159 191 223 255 The following table is a summary for subnet planning on a network with a 24-bit network number. Table 51 24-bit Network Number Subnet Planning NO. BORROWED HOST BITS 1 255.255.255.128 (/25) SUBNET MASK NO. SUBNETS 2 4 8 16 32 64 NO. HOSTS PER SUBNET 126 62 30 14 6 2 1 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) 128 2 3 4 5 6 7 The following table is a summary for subnet planning on a network with a 16-bit network number. Table 52 16-bit Network Number Subnet Planning NO. BORROWED HOST BITS 1 SUBNET MASK 255.255.128.0 (/17) 2 3 4 5 6 7 8 9 10 11 12 255.255.192.0 (/18) 255.255.224.0 (/19) 255.255.240.0 (/20) 255.255.248.0 (/21) 255.255.252.0 (/22) 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) NO. SUBNETS 2 4 8 16 32 64 128 256 512 1024 2048 4096 NO. HOSTS PER SUBNET 32766 16382 8190 4094 2046 1022 510 254 126 62 30 14 NWA1121-NI Users Guide 179 Appendix C IP Addresses and Subnetting Table 52 16-bit Network Number Subnet Planning (continued) NO. BORROWED HOST BITS 13 255.255.255.248 (/29) SUBNET MASK NO. SUBNETS 8192 NO. HOSTS PER SUBNET 6 14 15 255.255.255.252 (/30) 255.255.255.254 (/31) 16384 32768 2 1 Configuring IP Addresses Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the NWA1121-NI. Once you have decided on the network number, pick an IP address for your NWA1121-NI that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your NWA1121-NI will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the NWA1121-NI unless you are instructed to do otherwise. Private IP Addresses Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255 You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses. Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. 180 NWA1121-NI Users Guide APPENDIX D Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN. Figure 95 Peer-to-Peer Communication in an Ad-hoc Network BSS A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is NWA1121-NI Users Guide 181 Appendix D Wireless LANs disabled, wireless client A and B can still access the wired network but cannot communicate with each other. Figure 96 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. 182 NWA1121-NI Users Guide An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. Figure 97 Infrastructure WLAN Appendix D Wireless LANs Channel RTS/CTS A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance. Adjacent channels partially overlap however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 or 11. A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they NWA1121-NI Users Guide 183 Appendix D Wireless LANs cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. Figure 98 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked. When a data frame exceeds the RTS/CTS value you set (between 0 to 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission. Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS
(Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS
(Request To Send)/CTS (Clear to Send) handshake. If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. 184 NWA1121-NI Users Guide If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Appendix D Wireless LANs Preamble Type Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet. Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble. Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks. Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications. Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the NWA1121-NI uses long preamble. Note: The wireless devices MUST use the same preamble mode in order to communicate. IEEE 802.11g Wireless LAN IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:
Table 53 IEEE 802.11g DATA RATE (MBPS) MODULATION 1 DBPSK (Differential Binary Phase Shift Keyed) 2 5.5 / 11 6/9/12/18/24/36/48/
54 DQPSK (Differential Quadrature Phase Shift Keying) CCK (Complementary Code Keying) OFDM (Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. Wireless security methods available on the NWA1121-NI are data encryption, wireless client authentication, restricting access by device MAC address and hiding the NWA1121-NI identity. NWA1121-NI Users Guide 185 Appendix D Wireless LANs The following figure shows the relative effectiveness of these wireless security methods available on your NWA1121-NI. Table 54 Wireless Security Levels SECURITY LEVEL Least Secure SECURITY TYPE Unique SSID (Default) Unique SSID with Hide SSID Enabled MAC Address Filtering WEP Encryption IEEE802.1x EAP with RADIUS Server Authentication Wi-Fi Protected Access (WPA) WPA2 Most Secure Note: You must enable the same wireless security settings on the NWA1121-NI and on all wireless clients that you want to associate with it. IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:
User based identification that allows for roaming. Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients. RADIUS RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:
Authentication Determines the identity of the users. Authorization Determines the network services available to authenticated users once they are connected to the network. Accounting Keeps track of the clients network activity. 186 NWA1121-NI Users Guide Appendix D Wireless LANs RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server. Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:
Access-Request Sent by an access point requesting authentication. Access-Reject Sent by a RADIUS server rejecting access. Access-Accept Sent by a RADIUS server allowing access. Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:
Accounting-Request Sent by the access point requesting accounting. Accounting-Response Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access. Types of EAP Authentication This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types. EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner. NWA1121-NI Users Guide 187 Appendix D Wireless LANs EAP-MD5 (Message-Digest Algorithm 5) MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client proves that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text. However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption. EAP-TLS (Transport Layer Security) With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the senders identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-
side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. 188 NWA1121-NI Users Guide Appendix D Wireless LANs If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled. Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types. Table 55 Comparison of EAP Authentication Types EAP-TLS Yes EAP-MD5 No Mutual Authentication EAP-TTLS Yes PEAP Yes Optional Optional Yes Yes Yes Yes LEAP Yes No No Yes Yes Yes Yes Strong Strong Strong Moderate Hard No Moderate Moderate Moderate Yes Yes No Certificate Client Certificate Server Dynamic Key Exchange Credential Integrity Deployment Difficulty No No No None Easy Client Identity Protection No WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication. If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN. If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. Encryption WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but offers stronger encryption than TKIP with Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP). TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm NWA1121-NI Users Guide 189 Appendix D Wireless LANs called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check
(MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice. The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically. The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network. The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but its still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevent all wireless devices sharing the same encryption keys. (a weakness of WEP) User Authentication WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices. Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it. Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it. 190 NWA1121-NI Users Guide Appendix D Wireless LANs WPA(2) with RADIUS Application Example To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system. 1 2 3 4 The AP passes the wireless client's authentication request to the RADIUS server. The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client. The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. Figure 99 WPA(2) with RADIUS Application Example WPA(2)-PSK Application Example A WPA(2)-PSK application looks as follows. 1 2 3 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols). The AP checks each wireless client's password and allows it to join the network only if the password matches. The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. NWA1121-NI Users Guide 191 Appendix D Wireless LANs 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them. Figure 100 WPA(2)-PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features. Table 56 Wireless Security Relational Matrix AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL Open ENCRYPTIO N METHOD None No ENTER MANUAL KEY IEEE 802.1X Disable Enable without Dynamic WEP Key Open WEP No Enable with Dynamic WEP Key Yes Yes Enable without Dynamic WEP Key Disable Shared WEP No Enable with Dynamic WEP Key Yes Yes No Yes No Yes TKIP/AES TKIP/AES TKIP/AES TKIP/AES Enable without Dynamic WEP Key Disable Enable Disable Enable Disable WPA WPA-PSK WPA2 WPA2-PSK Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. 192 NWA1121-NI Users Guide Positioning the antennas properly increases the range and coverage area of a wireless LAN. Appendix D Wireless LANs Antenna Characteristics Frequency An antenna in the frequency of 2.4GHz or 5GHz is needed to communicate efficiently in a wireless LAN Radiation Pattern A radiation pattern is a diagram that allows you to visualize the shape of the antennas coverage area. Antenna Gain Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications. For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides. Types of Antennas for WLAN There are two types of antennas used for wireless LAN applications. Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points. Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications. Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-topoint application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. NWA1121-NI Users Guide 193 Appendix D Wireless LANs For directional antennas, point the antenna in the direction of the desired coverage area. 194 NWA1121-NI Users Guide APPENDIX E Legal Information Copyright Copyright 2012 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimers ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice. Your use of the NWA1121-NI is subject to the terms and conditions of any related service providers. Use with products that have NAT, and/or 3G. Do not use the NWA1121-NI for illegal purposes. Illegal downloading or sharing of files can result in severe civil and criminal penalties. You are subject to the restrictions of copyright laws and any other applicable laws, and will bear the consequences of any infringements thereof. ZyXEL bears NO responsibility or liability for your use of the download service feature. Use for products that have a download service. Make sure all data and programs on the NWA1121-NI are also stored elsewhere. ZyXEL is not responsible for any loss of or damage to any data, programs, or storage media resulting from the use, misuse, or disuse of this or any other ZyXEL product. Use for storage/backup devices. Trademarks Trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners. Certifications Federal Communications Commission (FCC) Interference Statement The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
This device may not cause harmful interference. NWA1121-NI Users Guide 195 Appendix E Legal Information This device must accept any interference received, including interference that may cause undesired operations. This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1 2 3 4 Reorient or relocate the receiving antenna. Increase the separation between the equipment and the receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. FCC Radiation Exposure Statement This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. IEEE 802.11b, 802.11g or 802.11n (20MHz) operation of this product in the U.S.A. is firmware-
limited to channels 1 through 11. IEEE 802.11n (40MHz) operation of this product in the U.S.A. is firmware-limited to channels 3 through 9. To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons. Industry Canada Statement (For all products) This device complies with RSS-210 of the Industry Canada Rules. Operation is subject to the following two conditions:
1) this device may not cause interference and 2) this device must accept any interference, including interference that may cause undesired operation of the device This device has been designed to operate with an antenna having a maximum gain of 2dBi. 196 NWA1121-NI Users Guide Appendix E Legal Information Antenna having a higher gain is strictly prohibited per regulations of Industry Canada. The required antenna impedance is 50 ohms. To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the EIRP is not more than required for successful communication. IMPORTANT NOTE Device for the band 5150-5250 MHz is only for indoor usage to reduce potential for harmful interference to co-channel mobile satellite systems; users should also be cautioned to take note that high-power radars are allocated as primary users (meaning they have priority) of the bands 5250-5350 MHz and 5650-5850 MHz and these radars could cause interference and/or damage to LE-LAN devices. IC Radiation Exposure Statement This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment. End users must follow the specific operating instructions for satisfying RF exposure compliance.
Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This device is designed for the WLAN 2.4 GHz and/or 5 GHz networks throughout the EC region and Switzerland, with restrictions in France. Ce produit est conu pour les bandes de frquences 2,4 GHz et/ou 5 GHz conformment la lgislation Europenne. En France mtropolitaine, suivant les dcisions n03-908 et 03-909 de lARCEP, la puissance dmission ne devra pas dpasser 10 mW (10 dB) dans le cadre dune installation WiFi en extrieur pour les frquences comprises entre 2454 MHz et 2483,5 MHz. This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numrique de la classe B est conforme la norme NMB-003 du Canada. CLASS 1 LASER PRODUCT APPAREIL A LASER DE CLASS 1 NWA1121-NI Users Guide 197 Appendix E Legal Information PRODUCT COMPLIES WITH 21 CFR 1040.10 AND 1040.11. PRODUIT CONFORME SELON 21 CFR 1040.10 ET 1040.11. Viewing Certifications 1 Go to http://www.zyxel.com. 2 3 Select your product on the ZyXEL home page to go to that product's page. Select the certification you wish to view from this page. ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in material or workmanship for a specific period (the Warranty Period) from the date of purchase. The Warranty Period varies by region. Check with your vendor and/or the authorized ZyXEL local distributor for details about the Warranty Period of this product. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions. Note Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/
support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com. Open Source Licenses This product contains in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are provided with the firmware package. You can download the latest firmware at www.zyxel.com. To obtain the source code covered under those Licenses, please contact support@zyxel.com.tw to get it. 198 NWA1121-NI Users Guide Regulatory Information European Union Appendix E Legal Information The following information applies if you use the product within the European Union. Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive) Compliance Information for 2.4GHz and 5GHz Wireless Products Relevant to the EU and Other Countries Following the EU Directive 1999/5/EC (R&TTE Directive)
[Czech]
[Danish]
[German]
[Estonian]
English
[Spanish]
[Greek]
[French]
[Italian]
[Latvian]
ZyXEL tmto prohlauje, e tento zazen je ve shod se zkladnmi poadavky a dalmi pslunmi ustanovenmi smrnice 1999/5/EC. Undertegnede ZyXEL erklrer herved, at flgende udstyr udstyr overholder de vsentlige krav og vrige relevante krav i direktiv 1999/5/EF. Hiermit erklrt ZyXEL, dass sich das Gert Ausstattung in bereinstimmung mit den grundlegenden Anforderungen und den brigen einschlgigen Bestimmungen der Richtlinie 1999/5/EU befindet. Kesolevaga kinnitab ZyXEL seadme seadmed vastavust direktiivi 1999/5/E phinuetele ja nimetatud direktiivist tulenevatele teistele asjakohastele stetele. Hereby, ZyXEL declares that this equipment is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Por medio de la presente ZyXEL declara que el equipo cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE. ZyXEL 1999/5/C. Par la prsente ZyXEL dclare que l'appareil quipements est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/EC. Con la presente ZyXEL dichiara che questo attrezzatura conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE. Ar o ZyXEL deklar, ka iekrtas atbilst Direktvas 1999/5/EK btiskajm prasbm un citiem ar to saisttajiem noteikumiem.
[Lithuanian]
iuo ZyXEL deklaruoja, kad is ranga atitinka esminius reikalavimus ir kitas 1999/5/EB Direktyvos nuostatas.
[Dutch]
[Maltese]
[Hungarian]
[Polish]
[Portuguese]
[Slovenian]
[Slovak]
Hierbij verklaart ZyXEL dat het toestel uitrusting in overeenstemming is met de essentile eisen en de andere relevante bepalingen van richtlijn 1999/5/EC. Hawnhekk, ZyXEL, jiddikjara li dan tagmir jikkonforma mal-tiijiet essenzjali u ma provvedimenti orajn relevanti li hemm fid-Dirrettiva 1999/5/EC. Alulrott, ZyXEL nyilatkozom, hogy a berendezs megfelel a vonatkoz alapvet kvetelmnyeknek s az 1999/5/EK irnyelv egyb elrsainak. Niniejszym ZyXEL owiadcza, e sprzt jest zgodny z zasadniczymi wymogami oraz pozostaymi stosownymi postanowieniami Dyrektywy 1999/5/EC. ZyXEL declara que este equipamento est conforme com os requisitos essenciais e outras disposies da Directiva 1999/5/EC. ZyXEL izjavlja, da je ta oprema v skladu z bistvenimi zahtevami in ostalimi relevantnimi doloili direktive 1999/5/EC. ZyXEL tmto vyhlasuje, e zariadenia spa zkladn poiadavky a vetky prslun ustanovenia Smernice 1999/5/EC. NWA1121-NI Users Guide 199 Appendix E Legal Information
[Finnish]
[Swedish]
[Bulgarian]
[Icelandic]
[Norwegian]
[Romanian]
ZyXEL vakuuttaa tten ett laitteet tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sit koskevien direktiivin muiden ehtojen mukainen. Hrmed intygar ZyXEL att denna utrustning str I verensstmmelse med de vsentliga egenskapskrav och vriga relevanta bestmmelser som framgr av direktiv 1999/5/EC. ZyXEL , 1999/5/C. Hr me lsir, ZyXEL v yfir a essi bnaur er samrmi vi grunnkrfur og nnur vieigandi kvi tilskipunar 1999/5/EC. Erklrer herved ZyXEL at dette utstyret er I samsvar med de grunnleggende kravene og andre relevante bestemmelser I direktiv 1999/5/EF. Prin prezenta, ZyXEL declar c acest echipament este n conformitate cu cerinele eseniale i alte prevederi relevante ale Directivei 1999/5/EC. National Restrictions This product may be used in all EU countries (and other countries following the EU directive 1999/
5/EC) without any limitation except for the countries mentioned below:
Ce produit peut tre utilis dans tous les pays de lUE (et dans tous les pays ayant transposs la directive 1999/5/CE) sans aucune limitation, except pour les pays mentionns ci-dessous:
Questo prodotto utilizzabile in tutte i paesi EU (ed in tutti gli altri paesi che seguono le direttive EU 1999/5/EC) senza nessuna limitazione, eccetto per i paesii menzionati di seguito:
Das Produkt kann in allen EU Staaten ohne Einschrnkungen eingesetzt werden (sowie in anderen Staaten die der EU Direktive 1995/5/CE folgen) mit Aunahme der folgenden aufgefhrten Staaten:
In the majority of the EU and other European countries, the 2, 4- and 5-GHz bands have been made available for the use of wireless local area networks (LANs). Later in this document you will find an overview of countries inwhich additional restrictions or requirements or both are applicable. The requirements for any country may evolve. ZyXEL recommends that you check with the local authorities for the latest status of their national regulations for both the 2,4- and 5-GHz wireless LANs. The following countries have restrictions and/or requirements in addition to those given in the table labeled Overview of Regulatory Requirements for Wireless LANs:. Overview of Regulatory Requirements for Wireless LANs Frequency Band (MHz) Max Power Level Indoor ONLY Indoor and Outdoor 2400-2483.5 5150-5350 5470-5725 Belgium 200
(EIRP)1 (mW) 100 200 1000 V V V NWA1121-NI Users Guide Appendix E Legal Information The Belgian Institute for Postal Services and Telecommunications (BIPT) must be notified of any outdoor wireless link having a range exceeding 300 meters. Please check http://www.bipt.be for more details. Draadloze verbindingen voor buitengebruik en met een reikwijdte van meer dan 300 meter dienen aangemeld te worden bij het Belgisch Instituut voor postdiensten en telecommunicatie (BIPT). Zie http://www.bipt.be voor meer gegevens. Les liaisons sans fil pour une utilisation en extrieur dune distance suprieure 300 mtres doivent tre notifies lInstitut Belge des services Postaux et des Tlcommunications (IBPT). Visitez http://www.ibpt.be pour de plus amples dtails. Denmark In Denmark, the band 5150 - 5350 MHz is also allowed for outdoor usage. I Danmark m frekvensbndet 5150 - 5350 ogs anvendes udendrs. France For 2.4 GHz, the output power is restricted to 10 mW EIRP when the product is used outdoors in the band 2454 - 2483.5 MHz. There are no restrictions when used indoors or in other parts of the 2.4 GHz band. Check http://www.arcep.fr/ for more details. Pour la bande 2.4 GHz, la puissance est limite 10 mW en p.i.r.e. pour les quipements utiliss en extrieur dans la bande 2454 - 2483.5 MHz. Il n'y a pas de restrictions pour des utilisations en intrieur ou dans d'autres parties de la bande 2.4 GHz. Consultez http://www.arcep.fr/ pour de plus amples dtails. R&TTE 1999/5/EC WLAN 2.4 2.4835 GHz IEEE 802.11 b/g/n Location Frequency Range(GHz) Indoor (No restrictions) Outdoor 2.4 2.4835 2.4 2.454 2.454 2.4835 Power (EIRP) 100mW (20dBm) 100mW (20dBm) 10mW (10dBm) Italy This product meets the National Radio Interface and the requirements specified in the National Frequency Allocation Table for Italy. Unless this wireless LAN product is operating within the boundaries of the owner's property, its use requires a general authorization. Please check http://
www.sviluppoeconomico.gov.it/ for more details. Questo prodotto conforme alla specifiche di Interfaccia Radio Nazionali e rispetta il Piano Nazionale di ripartizione delle frequenze in Italia. Se non viene installato all 'interno del proprio fondo, l'utilizzo di prodotti Wireless LAN richiede una Autorizzazione Generale. Consultare http://
www.sviluppoeconomico.gov.it/ per maggiori dettagli. Latvia The outdoor usage of the 2.4 GHz band requires an authorization from the Electronic Communications Office. Please check http://www.esd.lv for more details. NWA1121-NI Users Guide 201 Appendix E Legal Information 2.4 GHz frekvenu joslas izmantoanai rpus telpm nepiecieama atauja no Elektronisko sakaru direkcijas. Vairk informcijas: http://www.esd.lv. Notes:
1. Although Norway, Switzerland and Liechtenstein are not EU member states, the EU Directive 1999/5/EC has also been implemented in those countries. 2. The regulatory limits for maximum output power are specified in EIRP. The EIRP level (in dBm) of a device can be calculated by adding the gain of the antenna used(specified in dBi) to the output power available at the connector (specified in dBm). 202 NWA1121-NI Users Guide Index Index Numbers 802.1x-Only 58 802.1x-Static128 58 802.1x-Static64 58 A access privileges 12 Accounting Server 88 Advanced Encryption Standard See AES. AES 189 Alerts 116 Alternative subnet mask notation 176 Antenna 92 antenna directional 193 gain 193 omni-directional 193 AP (access point) 183 Applications Access Point 14 AP + Bridge 14 applications MBSSID 12 Repeater 14 ATC 73 ATC+WMM 73 B Basic Service Set 56 see BSS Basic Service Set, See BSS 181 beacon 56 Beacon Interval 63, 65, 70 BSS 12, 56, 181 C CA 188 Certificate authentication 104 file format 104 Certificate Authority See CA. Certificates Fingerprint 113 MD5 113 public key 104 SHA1 113 Certification Authority 113 certifications 195 notices 197 viewing 198 Channel 56 channel 183 interference 183 command interface 15 Controlling network access, Ways of 11 copyright 195 CTS (Clear to Send) 184 D disclaimer 195 Distribution System 56 DNS 97, 119 Domain Name Server (DNS) 119 DS 56 DTIM Interval 63, 65, 70 dynamic WEP key exchange 188 NWA1121-NI Users Guide 203 Index E EAP 59 EAP Authentication 187 Encryption 59, 76, 80, 83, 85 encryption 14, 189 ESS 56, 182 Ethernet device 89 Extended Service Set 56 Extended Service Set, See ESS 182 Extensible Authentication Protocol 59 F Factory Defaults 126 restoring 21 FCC interference statement 195 Firmware 120 Fragmentation 63, 66, 68, 71 Fragmentation threshold 91 fragmentation threshold 184 FTP 103 restrictions 103 G Generic Token Card 59 GTC 59 H hidden node 183 I IANA 180 IBSS 181 IEEE 802.11g 185 IEEE 802.1x 57 204 Import Certificate 106 Independent Basic Service Set See IBSS 181 initialization vector (IV) 190 Internet Assigned Numbers Authority See IANA Internet Protocol version 6, see IPv6 Internet telephony 12 IP Address 94 Gateway IP address 94 IP Screen 94 DHCP 96 IPv6 95 addressing 95 global address 95 link-local address 95 Neighbor Discovery Protocol 95 ping 95 prefix 95 prefix length 95 K key 59, 77, 81, 83 L LEAP 59 LEDs 17, 129 Blinking 17 Flashing 17 Off 17 Lightweight Extensible Authentication Protocol 59 Log 49 Log Screens 115 Logs accessing logs 115 receiving logs via e-mail 116 Logs Screen Mail Server 117 Mail Subject 117 Send Log to 117 Syslog 118 Logs, Uses of 115 NWA1121-NI Users Guide M MAC Filter Allow Association 89 Deny Association 89 Maintenance 119 Association List 120 Backup 124 Restore 125 Management Information Base (MIB) 111 managing the device using Telnet. See command interface. using the command interface. See command interface. MBSSID 12 Media Access Control 89 Message Integrity Check (MIC) 189 message relay 60 Microsoft Challenge Handshake Authentication Protocol Version 2 59 MSCHAPv2 59 MSDU 63, 66, 71 N NAT 180 Network Time Protocol (NTP) 119 NTP 119 O Operating Mode 56 Output Power Management 63, 65, 68, 70 P Pairwise Master Key (PMK) 190, 191 Passphrase 59 Password 130 PEAP 59 Personal Information Exchange Syntax Standard 104 Index PFX PKCS#12 104 Preamble 91 preamble mode 185 Preamble Type 63, 66, 68, 71 Pre-Shared Key 59 priorities 92 product registration 198 Protected Extensible Authentication Protocol 59 PSK 59, 190 Q QoS 73 R Radio Frequency 92 RADIUS 59, 186 Accounting 60 Authentication 60 Authorization 60 message types 187 messages 187 shared secret key 187 RADIUS Screen Accounting Server 88 Accounting Server IP Address 88 RADIUS server 58 Backup 88 Primary 88 Rates Configuration 63, 66, 68, 71 registration product 198 Remote Authentication Dial In User Service 59 remote management 16 remote management limitations 102 Roaming 92 RootAP 14 RTS (Request To Send) 184 threshold 183, 184 RTS/CTS Threshold 63, 66, 68, 71, 91 NWA1121-NI Users Guide 205 Index S Security Mode, Choosing the 93 Security Modes 802.1x-Static64 58 IEEE 802.1x-Only 58 IEEE 802.1x-Static128 58 IEEE 802.1x-Static64 58 None 58 WEP 58 WPA 58 WPA2 58 WPA2-MIX 58 WPA2-PSK 58 Service Set IDentifier 56 Service Set Identifier see SSID Simple Mail Transfer Protocol 116 SMTP 116, 118 SNMP MIBs 111 traps 112 Spanning Tree Protocol 91 SSID 12, 56 SSID profile pre-configured 12 SSID profiles 12 Status Screens 25 802.11 Mode 50 Channel ID 50 Ethernet 25 FCS Error Count 50 Firmware Version 26 Interface Status 27 Poll Interval 50 Retry Count 50 Statistics 51 system statistics 25 WLAN 25 Subnet 173 Subnet Mask 94, 174 subnetting 176 Syslog Logging 116 System Screens General 120 Password 121 Time 206 Time and Date Setup 122 Time Zone 122 system timeout 104 T telnet 106 Temporal Key Integrity Protocol 59 Temporal Key Integrity Protocol (TKIP) 189 TFTP restrictions 103 Thumbprint Algorithm 114 timeout 16 TKIP 59 TLS 59 trademarks 195 Transport Layer Security 59 Troubleshooting 129 connection is slow or intermittent 132 DHCP 130 factory defaults 131 firmware 131 Internet 131 LAN/ETHERNET port 131 QoS 132 Web Configurator 130 TTLS 59 Tunneled Transport Layer Security 59 Tutorial 29 U User Authentication 58 V Virtual Local Area Network 98 VLAN 98 introduction 98 VoIP 12, 73 NWA1121-NI Users Guide Index RTS/CTS Threshold 91 SSID 56 Wireless Client Mode 67 Wireless Mode 57 WMM QoS 91 WLAN interference 183 security parameters 192 WMM 73 WMM QoS 91 WPA 58, 189 key caching 190 pre-authentication 190 user authentication 190 vs WPA-PSK 190 wireless client supplicant 190 with RADIUS application example 191 WPA2 58, 189 user authentication 190 vs WPA2-PSK 190 wireless client supplicant 190 with RADIUS application example 191 WPA2-MIX 58 WPA2-Pre-Shared Key 189 WPA2-PSK 189, 190 application example 191 WPA2-PSK-MIX 58 WPA-PSK 189, 190 application example 191 Z ZyXEL Device Ethernet parameters 94 good habits 16 Introduction 11 managing 15 resetting 20, 126 Security Features 16 W warranty 198 note 198 WDS 14 Web Configurator 19 password 19 WEP 58 WEP key encrypting 93 Wi-Fi Multimedia QoS 92 Wi-Fi Protected Access 58, 189 Wired Equivalent Privacy 58 Wireless Client 42 wireless client WPA supplicants 190 Wireless Distribution System (WDS) 14 Wireless Mode 57 Wireless Mode, Choosing the Access Point 29 Bridge 29 Wireless Client 29 Wireless Security 16 how to improve 16 Levels 58 wireless security 12, 185 Wireless Security Screen 802.1x Only 77 Access Point 77, 80 Wireless Client 78, 82 802.1x Static 64-bit, 802.1x Static 128-bit 79 WEP 76 WPA 83 Access Point 84 Wireless Client 85 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX 86 Wireless Settings Screen 55 Access Point Mode 61 Antenna 92 AP + Bridge Mode 67 Bridge Mode 64 BSS 56 Channel 56 ESS 56 Fragmentation Threshold 91 Intra-BSS Traffic 91 Operating Mode 56 Preamble 91 Roaming 92 NWA1121-NI Users Guide 207 Index 208 NWA1121-NI Users Guide
frequency | equipment class | purpose | ||
---|---|---|---|---|
1 | 2013-08-06 | 2412 ~ 2462 | DTS - Digital Transmission System | Class II permissive change or modification of presently authorized equipment |
2 | 2012-03-13 | 2412 ~ 2462 | DTS - Digital Transmission System | Original Equipment |
app s | Applicant Information | |||||
---|---|---|---|---|---|---|
1 2 | Effective |
2013-08-06
|
||||
1 2 |
2012-03-13
|
|||||
1 2 | Applicant's complete, legal business name |
ZyXEL Communications Corporation
|
||||
1 2 | FCC Registration Number (FRN) |
0021059092
|
||||
1 2 | Physical Address |
No.2, Industry East Road IX, Science Park
|
||||
1 2 |
Hsinchu, N/A
|
|||||
1 2 |
Taiwan
|
|||||
app s | TCB Information | |||||
1 2 | TCB Application Email Address |
c******@curtis-straus.com
|
||||
1 2 | TCB Scope |
A4: UNII devices & low power transmitters using spread spectrum techniques
|
||||
app s | FCC ID | |||||
1 2 | Grantee Code |
I88
|
||||
1 2 | Equipment Product Code |
NWA1121NI
|
||||
app s | Person at the applicant's address to receive grant or for contact | |||||
1 2 | Name |
E****** B******
|
||||
1 2 | Title |
Section Manager
|
||||
1 2 | Telephone Number |
886 3******** Extension:
|
||||
1 2 | Fax Number |
886 3********
|
||||
1 2 |
E******@zyxel.com.tw
|
|||||
app s | Technical Contact | |||||
1 2 | Firm Name |
Bureau Veritas CPS (H.K.) Ltd. Taoyuan Branch
|
||||
1 2 | Name |
G**** C****
|
||||
1 2 | Physical Address |
No. 19, Hwa Ya 2nd Rd., Kwei Shan Hsiang
|
||||
1 2 |
Taoyuan Hsien, 333
|
|||||
1 2 |
Taiwan
|
|||||
1 2 | Telephone Number |
886-3******** Extension:
|
||||
1 2 | Fax Number |
886-3********
|
||||
1 2 |
g******@tw.bureauveritas.com
|
|||||
app s | Non Technical Contact | |||||
1 2 | Firm Name |
Bureau Veritas CPS (H.K.) Ltd. Taoyuan Branch
|
||||
1 2 | Name |
N****** C******
|
||||
1 2 | Physical Address |
No. 19, Hwa Ya 2nd Rd., Kwei Shan Hsiang
|
||||
1 2 |
Taoyuan Hsien, 333
|
|||||
1 2 |
Taiwan
|
|||||
1 2 | Telephone Number |
886-3******** Extension:
|
||||
1 2 | Fax Number |
886-3********
|
||||
1 2 |
n******@tw.bureauveritas.com
|
|||||
app s | Confidentiality (long or short term) | |||||
1 2 | Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | No | ||||
1 2 | Yes | |||||
1 2 | Long-Term Confidentiality Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | No | ||||
if no date is supplied, the release date will be set to 45 calendar days past the date of grant. | ||||||
app s | Cognitive Radio & Software Defined Radio, Class, etc | |||||
1 2 | Is this application for software defined/cognitive radio authorization? | No | ||||
1 2 | Equipment Class | DTS - Digital Transmission System | ||||
1 2 | Description of product as it is marketed: (NOTE: This text will appear below the equipment class on the grant) | 802.11 b/g/n PoE Access Point, 802.11 b/g/n Managed Access Point | ||||
1 2 | 802.11 b/g/n PoE Access Point | |||||
1 2 | Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application? | No | ||||
1 2 | Modular Equipment Type | Does not apply | ||||
1 2 | Purpose / Application is for | Class II permissive change or modification of presently authorized equipment | ||||
1 2 | Original Equipment | |||||
1 2 | Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization? | No | ||||
1 2 | Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization? | No | ||||
1 2 | Grant Comments | Class II Permissive Change as described in this filing. Power listed is the maximum combined conducted output power. End-users and responsible parties must be provided with operating and installation instructions to ensure RF exposure compliance. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. | ||||
1 2 | Power listed is the maximum combined conducted output power. End-users and responsible parties must be provided with operating and installation instructions to ensure RF exposure compliance. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. | |||||
1 2 | Is there an equipment authorization waiver associated with this application? | No | ||||
1 2 | If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded? | No | ||||
app s | Test Firm Name and Contact Information | |||||
1 2 | Firm Name |
Bureau Veritas CPS (H.K.) Ltd., Taoyuan Branch
|
||||
1 2 |
Bureau Veritas CPS (H.K.) Ltd. Taoyuan Branch
|
|||||
1 2 | Name |
R**** C******
|
||||
1 2 | Telephone Number |
+886-******** Extension:
|
||||
1 2 |
886-3******** Extension:
|
|||||
1 2 | Fax Number |
+886-********
|
||||
1 2 |
886-3********
|
|||||
1 2 |
r******@tw.bureauveritas.com
|
|||||
Equipment Specifications | |||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number | |||||||||||||||||||||||||||||||||
1 | 1 | 15C | MO | 2412.00000000 | 2462.00000000 | 0.2710000 | |||||||||||||||||||||||||||||||||||
Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number | |||||||||||||||||||||||||||||||||
2 | 1 | 15C | MO | 2412.00000000 | 2462.00000000 | 0.2710000 |
some individual PII (Personally Identifiable Information) available on the public forms may be redacted, original source may include additional details
This product uses the FCC Data API but is not endorsed or certified by the FCC