ARRIS 4387WG Wireless Router User Manual Manual Pt5
ARRIS Group, Inc. Wireless Router Manual Pt5
5 Troubleshooting

I cannot access the Web-based configuration utility from the Ethernet computer used to configure the router.

- Check that the LAN LED is on. If the LED is not on, check that the cable for the LAN connection is securely connected.
- Check that your computer resides on the same subnet as the router's LAN IP address.
- If your computer acts as a DHCP client, check that your computer has been assigned an IP address from the DHCP server. If not, you will need to renew the IP address. See the check/renew IP address section under '3.2 Setting up TCP/IP' for instructions.
- Use the ping command to ping the router's LAN IP address to verify the connection.
- Make sure your browser is not configured to use a proxy server.
- Check that the IP address you entered is correct. If the router's LAN IP address has been changed, you should enter the reassigned IP address instead.

I can browse the router's Web-based configuration but cannot access the Internet.

- Check that the WAN LED is illuminated. If not, check that the physical connection between the router and the DSL/Cable modem is OK.
- If the WAN LED is illuminated, open the WAN page of the Web configuration utility and check the status group to see if the router's WAN port has successfully obtained an IP address.
- Make sure you are using the correct method (DHCP client, PPPoE client, PPTP client or Manual) as required by your ISP. Also ensure you have entered the correct settings provided by your ISP.
- For cable users, if your ISP requires a fixed Ethernet card MAC address, make sure you have cloned the network adapter's MAC address to the WAN port of the router. (See the MAC Address field in the WAN page.)

My wireless client cannot communicate with another Ethernet computer.

- Ensure your wireless adapter functions properly. You may open the Device Manager in Windows to see if the adapter is properly installed.
- Make sure your wireless client is configured to use Infrastructure mode.
- Also make sure the client uses the same SSID and security settings (if enabled) as the AP.
- Ensure that the wireless adapter's TCP/IP settings are correct as required by your network administrator.
- Check that the wireless adapter's MAC address is not in the MAC address list if Access Control is enabled to use a deny list. (See the Wireless LAN page in the Web configuration utility.)
- If you are using an 802.11b wireless adapter, check that the Operational Mode item (in the Wireless LAN page) is not limited to use 802.11g. On the other hand, if you are using an 802.11g draft adapter, check that the Operational Mode item is not configured to use 802.11b only.
- Use the ping command to verify the wireless client's communication with the router's LAN port and with the opposite computer. If the wireless client can successfully ping the router's LAN port but fails to ping the opposite computer, then verify the TCP/IP settings of the opposite computer.

After I retrieved my saved configuration file, the retrieved settings do not take effect.

- After you have retrieved the desired file, you must reboot the router to have the retrieved settings take effect.

A Implementing 802.1x

A.1 Overview

In a typical 802.11-based wireless network, security is often established by the proper settings of SSID broadcast, security mode, WEP keys and MAC-address-based access control. However, for a network carrying sensitive information, a more enhanced and effective security mechanism might be needed to further protect the network against eavesdroppers. In this circumstance 802.1x would be a better choice to offer a higher-level security solution.

Compared with the WEP encryption as defined by IEEE 802.11, the 802.1x function offers the following advantages:

- Security: When a station requests access to a network, it is required to be authenticated by a central authentication server. Only an authenticated user is granted network access, and thereby unauthorized access is blocked.
- Centralized user administration: The WEP key does not need to be set at each station. Instead, centralized user authentication, authorization and accounting are used in 802.1x.
- Dynamic key distribution: 802.1x can provide WEP keys on a per-user, per-session basis. It is more secure in that even if an eavesdropper obtains a WEP key, it is no longer valid after the user session terminates. It is also more effective than fixed WEP keys since it spares system administrators the task of updating the fixed WEP keys.

* Whether the WEP key can be dynamically distributed depends on the authentication method used.

A.2 802.1x Function

This section explains the 802.1x function more specifically to help you better understand how 802.1x operates.

A.2.1 Required Components

The following components are required to implement 802.1x on a wireless network:

- Access Point (the authenticator): It acts as an intermediary between the authentication server and the supplicant.
- 802.1x station (the supplicant): A wireless station must use 802.1x-compliant software such as the Windows XP built-in Wireless Zero Configuration utility.
- RADIUS Server (the authentication server): A server providing Remote Authentication Dial In User Service. It is a central server for managing authentication, authorization and configuration for 802.1x stations.

A.2.2 Authentication Procedure

This section briefly describes the authentication procedure. In this section, the abbreviation "STA" is used to refer to the 802.1x wireless client.

When an unauthenticated STA attempts to connect to the AP, the authentication starts. In this initial stage, the STA sends an EAP-start message to the AP. The AP asks the STA to start the authentication. Then a series of message exchanges between the AP and the STA will start:

a. The AP replies with an EAP-request/identity message requesting the STA's identity.
b. The STA sends an EAP-response message containing its identity.
c. The AP transfers all authentication-related messages to the authentication server (the RADIUS server).

The STA and the RADIUS server keep exchanging EAP messages to perform mutual authentication. The AP acts as the intermediary only. While the authentication procedure is performed, only EAP traffic is allowed to pass through the AP; all other traffic is blocked. That is, the STA cannot yet join the network. The EAP authentication mechanism can be MD5-challenge or EAP-TLS as required.

When the STA passes the authentication, the RADIUS server reports to the AP. The AP in turn sends an EAP-success message to the STA. At this point, the WEP key can be distributed. (Whether the WEP key can be distributed depends on the authentication type.)

The AP changes the originally controlled port state to authorized so that other network traffic is allowed between the STA and the network.

The following figure depicts a successful authentication procedure.

[Figure: 802.1x Station, AP (RADIUS client), RADIUS Server. In order: STA associates with AP; AP asks STA to start authentication; STA and RADIUS server perform mutual authentication (using AP as the intermediary); RADIUS server reports to AP that STA has passed the authentication; AP informs STA of successful authentication; STA can join the network.]

A.2.3 EAP and Authentication Type

The Extensible Authentication Protocol (EAP) is a method of conducting an authentication conversation between a client and an authentication server.
Intermediate devices (such as the AP) do not take part in the conversation but just relay EAP messages between the parties performing the authentication.

802.1x employs the Extensible Authentication Protocol (EAP) as an authentication framework. The wireless network and the RADIUS server should use the same method to perform the authentication procedure. Two commonly used EAP authentication mechanisms are MD5-challenge and EAP-TLS, which are described below.

- MD5-Challenge (Message Digest version 5): Using this method, the user must provide the user name and password to pass the authentication. In this type of authentication, the WEP key cannot be distributed.
- EAP-TLS (Transport Layer Security): Using this method, the wireless client computer has to obtain a valid digital certificate from a Central Authority (CA) or Smart Card for authentication. In this type of authentication, the WEP key can be distributed and the WEP key is created at random by the AP.

A.3 Configuration Example

This section gives a specific example to explain how to establish an 802.1x environment. The following components will be used in our example network:

- Windows 2000 Server
  - Active Directory is installed.
  - RADIUS server is installed using "Internet Authentication Service."
  - Certificate Services is installed (because EAP-TLS is used as the authentication method in our example).
- AP (Wireless Broadband Router)
  - Connects to the Windows 2000 Advanced Server through its LAN port.
  - The Wireless Broadband Router's DHCP server is used (192.168.1.100~192.168.1.150).
  - 802.1x and WEP key distribution are enabled.
  - The SSID is set to "STR".
- 802.1x Station
  - A WLAN card supporting 128-bit WEP is used.
  - Windows XP built-in Wireless Zero Configuration Utility is used for the 802.1x function.
- Authentication Mechanism
  - EAP-TLS is used so that a session key is automatically generated for wireless packet encryption between the wireless client and the AP.
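The exchange in A.2.2 and the EAP types in A.2.3, as an added Python example that is not part of the manual: it decodes EAPOL/EAP frames and tracks the AP's controlled port, which passes only EAP traffic until EAP-Success. The names parse_eapol, ControlledPort, eapol, eap and run_exchange and the sample frames are constructed for illustration, and opening the port at the moment EAP-Success is relayed is a simplification of the authenticator's behaviour.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                      # IEEE 802.1X (EAP over LAN)
EAPOL_EAP_PACKET, EAPOL_START = 0, 1          # EAPOL packet types
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS"}

def parse_eapol(body):
    """Return a label such as 'EAP-Request/Identity' for one EAPOL frame body."""
    if len(body) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", body[:4])
    if ptype == EAPOL_START:
        return "EAPOL-Start"
    payload = body[4:4 + length]
    if ptype != EAPOL_EAP_PACKET or len(payload) != length or length < 4:
        raise ValueError("unsupported or malformed EAPOL frame")
    code, _ident, eap_len = struct.unpack("!BBH", payload[:4])
    if code not in EAP_CODES or not 4 <= eap_len <= length:
        raise ValueError("malformed EAP packet")
    if code in (1, 2):                        # Request/Response carry a type byte
        if eap_len < 5:
            raise ValueError("EAP request/response without a type")
        return f"EAP-{EAP_CODES[code]}/{EAP_TYPES.get(payload[4], payload[4])}"
    return f"EAP-{EAP_CODES[code]}"

class ControlledPort:
    """AP-side state for one STA (hypothetical model): only EAPOL passes until EAP-Success."""
    def __init__(self):
        self.authorized = False

    def from_station(self, ethertype, body):
        if ethertype == ETHERTYPE_EAPOL:
            return parse_eapol(body)          # handled by the 802.1x exchange
        return "forward" if self.authorized else "drop"

    def to_station(self, body):
        label = parse_eapol(body)
        if label in ("EAP-Success", "EAP-Failure"):
            self.authorized = label == "EAP-Success"
        return label

def eapol(ptype, payload=b""):                # build a constructed EAPOL frame body
    return struct.pack("!BBH", 1, ptype, len(payload)) + payload

def eap(code, ident, eap_type=None, data=b""):  # build a constructed EAP packet
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def run_exchange():
    """Constructed frames for a successful EAP-TLS login (TLS rounds elided)."""
    port, ip = ControlledPort(), 0x0800
    return [
        port.from_station(ip, b"data"),                       # before authentication
        port.from_station(ETHERTYPE_EAPOL, eapol(EAPOL_START)),
        port.to_station(eapol(0, eap(1, 1, 1))),
        port.from_station(ETHERTYPE_EAPOL, eapol(0, eap(2, 1, 1, b"ian"))),
        port.to_station(eapol(0, eap(1, 2, 13, b"\x20"))),    # EAP-TLS Start flag
        port.to_station(eapol(0, eap(3, 2))),
        port.from_station(ip, b"data"),                       # after EAP-Success
    ]

if __name__ == "__main__":
    print(run_exchange())
```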
[Figure: example network. 802.1x Station; AP (Wireless Broadband Router), 192.168.1.1, SSID: STR, DHCP Server, 802.1x Enabled; Win2000 Server, 192.168.1.10, Active Directory, RADIUS Server.]

[...] Add/Remove Programs > Add/Remove Windows Components > Certificate Services and then follow the on-screen prompts to proceed. For details on installing Certificate Services, refer to the online help of Windows 2000. As this is the first CA in our example Active Directory domain, we create an Enterprise Root CA named WirelessCA.

Step 2: Create a RADIUS client for the RADIUS server.

Install Internet Authentication Service (IAS) in Windows 2000 Server. For details on IAS, refer to the online Help of Windows 2000. Then take the following steps to create a RADIUS client.

1. Start Internet Authentication Service in Administrative Tools.
2. Right-click Client in the Tree window and select New Client from the menu.
3. Set Friendly name. In this example, NetAP is set. Leave the other items in the default setting and click Next.
4. Set Client address. Enter the IP address of the AP. In this example, 192.168.1.1 is set. Set shared secret. Enter the password for communication between the AP and the RADIUS server. In this example, secret is set. Leave the other items in the default setting and click Finish.

Step 3: Create Remote Access Policies

1. In the Tree window, right-click Remote Access Policies and select New Remote Access Policy from the menu.
2. Enter a friendly name for this policy and click Next.
3. Click Add to add a condition. This example defines that this policy should be used when Client-Friendly-Name is NetAP.
   Various conditions are available. For details, refer to Windows 2000 online Help. Click Next.
4. Select Grant remote access permission. Click Next.
5. Click the Edit Profile button and select the Authentication tab. Place a check mark in the Extensible Authentication Protocol check box. Select Smart Card or other Certificate for the EAP type. Click OK and then Finish.

Step 4: Enable remote access login for the user.

1. Go to Active Directory Users and Computers and double-click on the user ("Ian" in our example) to bring up its properties window.
2. Select the Dial-in tab and select Allow access. Click OK.

Part 2: Access Point

The following is the setting procedure for the AP.

Step 1: Setting the 802.1x function at the AP.

The following procedure enables the 802.1x function. The other settings of the Wireless LAN page are omitted.

1. Enter the Web-Based Configuration Utility of the Wireless Broadband Router and go to the Wireless LAN Security page.
2. In the 802.1x group:
   - 802.1x: Select Used.
   - WEP Key Distribution: Select Enable. If WEP key distribution is disabled, you will need to manually set the WEP keys instead.
   - Re-authentication: Select Enable. This enables periodic 802.1x client re-authentication. When authentication times out, the authenticator (AP) will request the stations to reinitiate the authentication process.
   - Interval: Specify how often the re-authentication occurs.
   - Key Length: Set 5byte in this example.
3. In the RADIUS group:
   - RADIUS Server1: Select Enable.
   - IP Address: Enter the IP address of the RADIUS server. In this example, set 192.168.1.10.
   - Port: Use the default 1812. The RADIUS server uses this port for authentication.
   - Shared Secret: This is a password shared between the AP and the RADIUS server. In this example, set secret.
   - Time-out: Enter a response time-out value. In this example, set 5.
   - RADIUS Server2: Select Disabled unless you have a backup RADIUS server.

Part 3: 802.1x Station

The following provides the setting procedure for the 802.1x station.

Step 1: Install Certificate.

1. Temporarily, have the station join the wired network. Then open the Web browser and connect to the following URL: http://[...]/certsrv. In this example, type http://192.168.1.10/certsrv in the URL field.
2. Log on to the domain using the user account "Ian" that has been allowed remote access dial-in.
4. Select User certificate request: User Certificate and click Next.
[...] server of the Wireless Broadband Router.

Re-authentication

When the re-authentication interval passes (15 minutes is set in our example), the re-authentication will be performed.

[Figure: Wireless Network Connection notification, "Attempting to authenticate".]

B Specification

B.1 Hardware

Hardware
- 125MHz MIPS CPU
- 16MB SDRAM
- 4MB Flash Memory
- Wireless 802.11g draft MiniPCI module
- One external and one built-in antennas for wireless technology

Interface
- One 10/100 Base-TX RJ-45 auto sensing and crossover Ethernet WAN port for Broadband connection (Cable/DSL or direct Ethernet)
- Four RJ-45 LAN ports for 10/100Base-TX auto sensing & crossover Ethernet switch LAN connection
- 802.11g draft Wireless LAN
- One external and one built-in antennas for wireless technology

Physical
- Front Panel: 7 LEDs (Power x 1, LAN x 4, WAN x 1, Wireless x 1)
- Back Panel: Reset/Load Default button, Power Jack, RJ-45 LAN Port x 4, RJ-45 WAN Port x 1
- Dimensions: 170mm (L) x 135mm (W) x 45mm (H)
- Case types: Stand up / Lay down

Power Adapter and Environmental Requirement
- Power Adapter: Input AC110V, Output 12VAC, 1A
- Temperature: 0 to 40°C (operation), -20 to 70°C (storage)
- Relative Humidity: 5% to 90% (non-condensing)

Electromagnetic Compliance
- FCC Part 15 Class B
- CE
- EMI/Immunity: VCCI class B
- PTT: JATE

B.2 Software

WAN Port Features
- PPPoE (PPP over Ethernet) Client with Keep Alive/Connect On Demand Support
- PAP and CHAP Authentication
- DHCP Client
- MAC Address Cloning
- Settable and Changeable IP Address

LAN Port Features
- DHCP Server
- Settable and Changeable IP Address

Router Features
- NAT
- Firewall Support
- Bridge Mode Support
- 802.1D Spanning Tree Bridging
- IP Filtering, IP Forwarding
- DMZ Hosting
- DNS Forwarding
- UPnP Support
- Microsoft NetMeeting Passthrough Support
- Microsoft XP Messenger Passthrough Support

Security Features
- PAP and CHAP Authentication
- ASCII/HEX Format 64/128 Bit WEP Key for Wireless LAN
- Allow/Deny List for Wireless LAN
- 802.1x Security for Wireless LAN
- Supports IP packet filtering based on IP address, port number, and protocol
- VPN Support (IPSec Passthrough and PPTP Passthrough)

Wireless LAN Features
- Fully compatible to 802.11g draft standard
- Direct Sequence Spread Spectrum (DSSS) technology exploitation
- Seamless roaming within wireless LAN infrastructure
- Low power consumption via efficient power management

Configuration and Management Features
- Configurable through Web Browser via WAN/LAN
- Software Upgrade
- DHCP Server function for IP distribution to local network users
- NTP/Manual System Clock
- Configuration Saving/Retrieving
- Event Log