ZyXEL Communications MAX200HW2 WiMAX Router User Manual UserMan I88MAX200HW2 revised

ZyXEL Communications Corporation WiMAX Router UserMan I88MAX200HW2 revised

User manual revised 3

Document ID: 913211
Application ID: qIu4CYLh3Cdk4ML7MCTJzw==
Document Description: User manual revised 3
Short Term Confidential: No
Permanent Confidential: No
Supercede: No
Document Type: User Manual
Display Format: Adobe Acrobat PDF - pdf
Filesize: 203.04kB (2537946 bits)
Date Submitted: 2008-03-12 00:00:00
Date Available: 2008-09-13 00:00:00
Creation Date: 2008-01-17 16:30:44
Producing Software: pdfFactory Pro 3.10 (Windows XP Professional Chinese)
Document Lastmod: 2008-01-17 16:51:31
Document Title: UserMan_I88MAX200HW2-revised.pdf
Document Creator: pdfFactory Pro www.ahasoft.com.tw/FinePrint
Document Author: claire

Chapter 22 Logs
Table 116 FSM Logs: Callee Side
LOG MESSAGE: DESCRIPTION
VoIP Call Start from SIP[SIP Port Number]: A VoIP phone call came to the ZyXEL Device from the listed SIP number.
VoIP Call Established
Ph[Phone Port]  Tools > Firmware.
Only use firmware for your ZyXEL Device’s specific model. Refer to the label
on the bottom of your ZyXEL Device.
MAX-200HW2 Series User’s Guide
Chapter 23 Tools
Figure 160 Maintenance > Tools > Firmware
Each field is described in the following table.
Table 118 Maintenance > Tools > Firmware
LABEL: DESCRIPTION
File Path: Enter the location of the .bin file you want to upload, or click Browse... to find it. You must decompress compressed (.zip) files before you can upload them.
Browse...: Click this to find the .bin file you want to upload.
Upload: Click this to begin uploading the selected file. This may take up to two minutes. See Section 23.2.2 on page 256 for more information about this process.
Note: Do not turn off the device while firmware upload is in progress!
23.2.2 Firmware Upload Screens
Do not turn off the device while firmware upload is in progress!
When the ZyXEL Device starts to upload firmware, the Firmware Upload in Process screen
appears.
Figure 161 Firmware Upload In Process
The process usually takes about two minutes. The device automatically restarts in this time.
This causes a temporary network disconnect. In some operating systems, you may see the
following icon on your desktop.
Figure 162 Network Temporarily Disconnected
After two minutes, log in again, and check your new firmware version in the Status screen.
You might have to open a new browser window to log in.
If the upload is not successful, the following screen appears.
Figure 163 Firmware Upload Error
Click Return to go back to the Firmware screen.
23.2.3 Configuration Screen
Use this screen to back up or restore the configuration of the ZyXEL Device. You can also use
this screen to reset the ZyXEL Device to the factory default settings. To access this screen,
click Maintenance > Tools > Configuration.
Figure 164 Maintenance > Tools > Configuration
Each field is described in the following table.
Table 119 Maintenance > Tools > Configuration
LABEL: DESCRIPTION
Backup Configuration
Backup: Click this to save the ZyXEL Device’s current configuration to a file on your computer. Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file is useful if you need to return to your previous settings.
Restore Configuration
File Path: Enter the location of the file you want to upload, or click Browse... to find it.
Browse: Click this to find the file you want to upload.
Upload: Click this to restore the selected configuration file. See Section 23.2.4 on page 258 for more information about this.
Note: Do not turn off the device while configuration file upload is in progress.
Back to Factory Defaults
Reset: Click this to clear all user-entered configuration information and return the ZyXEL Device to its factory defaults. There is no warning screen.
23.2.4 Restore Configuration Screens
Do not turn off the device while configuration file upload is in progress.
When the ZyXEL Device has finished restoring the selected configuration file, the following
screen appears.
Figure 165 Configuration Upload Successful
The device now automatically restarts. This causes a temporary network disconnect. In some
operating systems, you may see the following icon on your desktop.
Figure 166 Network Temporarily Disconnected
If the ZyXEL Device’s IP address is different in the configuration file you selected, you may
need to change the IP address of your computer to be in the same subnet as that of the default
management IP address (192.168.5.1). See your Quick Start Guide or the appendices for
details on how to set up your computer’s IP address.
You might have to open a new browser to log in again.
If the upload was not successful, a Configuration Upload Error screen appears.
Figure 167 Configuration Upload Error
Click Return to go back to the Configuration screen.
23.2.5 Restart Screen
Use this screen to reboot the ZyXEL Device without turning the power off. To access this
screen, click Maintenance > Tools > Restart.
Figure 168 Maintenance > Tools > Restart
This does not affect the ZyXEL Device’s configuration. When you click Restart, the
following screen appears.
Figure 169 Maintenance > Tools > Restart > In Progress
Wait one minute for the device to finish restarting. Then, you can log in again.
PART IV: Troubleshooting and Specifications
• Troubleshooting
• Product Specifications
CHAPTER 24: Troubleshooting
This chapter offers some suggestions to solve problems you might encounter. The potential
problems are divided into the following categories.
• Power, Hardware Connections, and LEDs
• ZyXEL Device Access and Login
• Internet Access
• Phone Calls and VoIP
• Reset the ZyXEL Device to Its Factory Defaults
• Wireless LAN Troubleshooting
24.1 Power, Hardware Connections, and LEDs
The ZyXEL Device does not turn on. None of the LEDs turn on.
1 Make sure you are using the power adaptor or cord included with the ZyXEL Device.
2 Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in
to an appropriate power source. Make sure the power source is turned on.
3 Disconnect and re-connect the power adaptor or cord to the ZyXEL Device.
4 If the problem continues, contact the vendor.
One of the LEDs does not behave as expected.
1 Make sure you understand the normal behavior of the LED. See Section 1.2.1 on page
35.
2 Check the hardware connections. See the Quick Start Guide and Section 1.2 on page 35.
3 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
4 Disconnect and re-connect the power adaptor to the ZyXEL Device.
5 If the problem continues, contact the vendor.
24.2 ZyXEL Device Access and Login
I forgot the IP address for the ZyXEL Device.
1 The default IP address is 192.168.1.1.
2 If you changed the IP address and have forgotten it, you might get the IP address of the
ZyXEL Device by looking up the IP address of the default gateway for your computer.
To do this in most Windows computers, click Start > Run, enter cmd, and then enter
ipconfig. The IP address of the Default Gateway might be the IP address of the ZyXEL
Device (it depends on the network), so enter this IP address in your Internet browser.
3 If this does not work, you have to reset the ZyXEL Device to its factory defaults. See
Section 24.1 on page 263.
I forgot the password.
1 The default password is 1234.
2 If this does not work, you have to reset the ZyXEL Device to its factory defaults. See
Section 23.2.3 on page 257.
I cannot see or access the Login screen in the web configurator.
1 Make sure you are using the correct IP address.
• The default IP address is 192.168.1.1.
• If you changed the IP address (Section 9.2.1 on page 122), use the new IP address.
• If you changed the IP address and have forgotten it, see the troubleshooting
suggestions for I forgot the IP address for the ZyXEL Device.
2 Check the hardware connections, and make sure the LEDs are behaving as expected. See
the Quick Start Guide and Section 1.2.1 on page 35.
3 Make sure your Internet browser does not block pop-up windows and has JavaScripts
and Java enabled. See Appendix C on page 301.
4 If there is a DHCP server on your network, make sure your computer is using a dynamic
IP address. Your ZyXEL Device is a DHCP server by default.
If there is no DHCP server on your network, make sure your computer’s IP address is in
the same subnet as the ZyXEL Device. See Appendix D on page 309.
5 Reset the ZyXEL Device to its factory defaults, and try to access the ZyXEL Device
with the default IP address. See Section 23.2.3 on page 257.
6 If the problem continues, contact the network administrator or vendor, or try one of the
advanced suggestions.
Advanced Suggestions
• Try to access the ZyXEL Device using another service, such as Telnet. If you can access
the ZyXEL Device, check the remote management settings and firewall rules to find out
why the ZyXEL Device does not respond to HTTP.
• If your computer is connected wirelessly, use a computer that is connected to a LAN/
ETHERNET port.
I can see the Login screen, but I cannot log in to the ZyXEL Device.
1 Make sure you have entered the user name and password correctly. The default user
name is admin, and the default password is 1234. These fields are case-sensitive, so
make sure [Caps Lock] is not on.
2 You cannot log in to the web configurator while someone is using Telnet to access the
ZyXEL Device. Log out of the ZyXEL Device in the other session, or ask the person
who is logged in to log out.
3 Disconnect and re-connect the power adaptor or cord to the ZyXEL Device.
4 If this does not work, you have to reset the ZyXEL Device to its factory defaults. See
Section 23.2.3 on page 257.
I cannot Telnet to the ZyXEL Device.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web
configurator. Ignore the suggestions about your browser.
24.3 Internet Access
I cannot access the Internet.
1 Check the hardware connections, and make sure the LEDs are behaving as expected. See
the Quick Start Guide and Section 1.2.1 on page 35.
2 Make sure you entered your ISP account information correctly in the wizard. These
fields are case-sensitive, so make sure [Caps Lock] is not on.
3 Check your security settings. In the web configurator, go to the Status screen. Click the
Details... link next to Profile in the WiMAX Information box and make sure that you
are using the correct security settings for your Internet account.
4 Check your WiMAX settings. The ZyXEL Device may have been set to search the
wrong frequencies for a wireless connection. In the web configurator, go to the Status
screen. Click the Details... link next to Site Information in the WiMAX Information
box and ensure that the values are correct. If the values are incorrect, enter the correct
frequency settings in the Network > WAN > WiMAX Frequency screen. If you are
unsure of the correct values, contact your service provider.
5 If you are trying to access the Internet wirelessly, make sure the wireless settings in the
wireless client are the same as the settings in the AP.
6 Disconnect all the cables from your ZyXEL Device, and follow the directions in the
Quick Start Guide again.
7 If the problem continues, contact your ISP.
I cannot access the Internet anymore. I had access to the Internet (with the
ZyXEL Device), but my Internet connection is not available anymore.
1 Check the hardware connections, and make sure the LEDs are behaving as expected. See
the Quick Start Guide and Section 1.2.1 on page 35.
2 Disconnect and re-connect the power adaptor to the ZyXEL Device.
3 If the problem continues, contact your ISP.
The Internet connection is slow or intermittent.
1 The quality of the ZyXEL Device’s wireless connection to the base station may be poor.
Poor signal reception may be improved by moving the ZyXEL Device away from thick
walls and other obstructions, or to a higher floor in your building.
2 There may be radio interference caused by nearby electrical devices such as microwave
ovens and radio transmitters. Move the ZyXEL Device away or switch the other devices
off. Weather conditions may also affect signal quality.
3 As well as having an external antenna connector, the MAX-210HW2 is equipped with an
internal directional antenna. If you know the location of the base station, orient the front
of the ZyXEL Device (the side with the LEDs) towards the base station. If you do not
know the location of the base station, experiment by moving the ZyXEL Device while
observing the SIGNAL LEDs for an increase in received signal strength. The MAX-200HW2 and MAX-230HW2 do not have internal antennas.
4 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.2.1
on page 35. If the ZyXEL Device is sending or receiving a lot of information, try closing
some programs that use the Internet, especially peer-to-peer applications.
5 Disconnect and re-connect the power adaptor to the ZyXEL Device.
6 If the problem continues, contact the network administrator or vendor, or try one of the
advanced suggestions.
The Internet connection disconnects.
Check your WiMAX link and signal strength using the LINK and SIGNAL LEDs on the device. See the
following section if signal strength is poor or the ZyXEL Device has no link to a base station.
Contact your ISP if the problem persists.
24.4 Phone Calls and VoIP
The telephone port won’t work or the telephone lacks a dial tone.
1 Check the telephone connections and telephone wire.
2 Make sure you have the VoIP SIP Settings screen properly configured.
I can access the Internet, but cannot make VoIP calls.
1 Make sure you have the VoIP SIP Settings screen properly configured.
2 The VoIP LED should come on. Make sure that your telephone is connected to the
LINE port.
3 You can also check the VoIP status in the Status screen.
4 If the VoIP settings are correct, use speed dial to make peer-to-peer calls. If you cannot
make a call using speed dial, there may be something wrong with the SIP server. Contact
your VoIP service provider.
Problems With Multiple SIP Accounts
You can set up two SIP accounts on your ZyXEL Device. By default your ZyXEL Device uses
SIP account 1 for outgoing calls, and it uses SIP accounts 1 and 2 for incoming calls. With this
setting, you always use SIP account 1 for your outgoing calls and you cannot distinguish
which SIP account the calls are coming in through. If you want to control the use of different
dialing plans for accounting purposes or other reasons, you need to configure your phone port
in order to control which SIP account you are using when placing or receiving calls.
24.5 Reset the ZyXEL Device to Its Factory Defaults
If you reset the ZyXEL Device, you lose all of the changes you have made. The ZyXEL
Device re-loads its default settings, and the password resets to 1234. You have to make all of
your changes again.
You will lose all of your changes when you push the RESET button.
To reset the ZyXEL Device,
1 Make sure the PWR LED is on and not blinking.
2 Press and hold the RESET button for five to ten seconds. Release the RESET button
when the PWR LED begins to blink. The default settings have been restored.
If the ZyXEL Device restarts automatically, wait for the ZyXEL Device to finish restarting,
and log in to the web configurator. The password is “1234”.
If the ZyXEL Device does not restart automatically, disconnect and reconnect the ZyXEL
Device’s power. Then, follow the directions above again.
24.5.1 Pop-up Windows, JavaScripts and Java Permissions
Please see Appendix C on page 301.
24.6 Wireless LAN Troubleshooting
I cannot access the ZyXEL Device or ping any computer from the WLAN.
1 Make sure the wireless LAN is enabled on the ZyXEL Device.
2 Make sure the wireless adapter on the wireless station is working properly.
3 Make sure the wireless adapter (installed on your computer) is IEEE 802.11 compatible
and supports the same wireless standard as the ZyXEL Device.
4 Make sure your computer (with a wireless adapter installed) is within the transmission
range of the ZyXEL Device.
5 Check that both the ZyXEL Device and your wireless station are using the same wireless
and wireless security settings.
6 Make sure traffic between the WLAN and the LAN is not blocked by the firewall on the
ZyXEL Device.
7 Make sure you allow the ZyXEL Device to be remotely accessed through the WLAN
interface. Check your remote management settings.
CHAPTER 25: Product Specifications
This chapter gives details about your ZyXEL Device’s hardware and firmware features.
Table 120 Product Specifications
PHYSICAL AND ENVIRONMENTAL
Product Name: WIMAX-200HW2/WIMAX-210HW2/WIMAX-230HW2
Ethernet Interface: Four auto-negotiating, auto-MDI/MDI-X 10/100 Mbps RJ-45 Ethernet ports
WLAN Interface: WiFi (54 Mbps) interface (802.11g, 802.16b backward compatible)
Telephony Interface: Two analog interfaces for standard telephones through RJ-11 connectors
Standards: IEEE 802.16e-2005
Antenna:
MAX-210HW2:
Built-in patch antenna (WiMAX): 6dBi, 70° azimuth, 30° elevation
WiMAX SMA antenna connector, equipped by default with 2dBi omni antenna, 60
WiFi SMA antenna connector, equipped by default with 2dBi omni antenna, 60
MAX-200HW2/MAX-230HW2:
WiFi SMA antenna connector, equipped by default with 2dBi omni antenna, 60
Panel Directional Antenna
Operating Temperature: 0°C to 45°C
Storage Temperature: -25°C to 55°C
Operating Humidity: 10% ~ 90% (non-condensing)
Storage Humidity: 10% to 95%
Power Supply: 18 V DC 1A
Power consumption: Worst-case-scenario 10W, peak 15W
Weight: 600g
Dimensions: 216 x 164 x 52mm
RADIO SPECIFICATIONS
Media Access Protocol: IEEE 802.16e
WiMAX Bandwidth:
MAX-200HW2: 2.5 - 2.7 GHz
MAX-210HW2: 3.4 ~ 3.6 GHz
MAX-230HW2: 2.3 ~ 2.4 GHz
Data Rate:
Downlink: Maximum 5 Mbps
Uplink: Maximum 2 Mbps
Modulation:
QPSK (uplink and downlink)
16-QAM (uplink and downlink)
64-QAM (downlink only)
Output Power: 27dBm (+/- 1dB)
Duplex mode: Time Division Duplex (TDD)
SOFTWARE SPECIFICATIONS
Security:
PKMv2
EAP
CCMP, 128-bit AES
Table 121 Physical Features
FEATURE: DESCRIPTION
Auto-crossover 10/100 Mbps Ethernet Interface: This interface automatically adjusts to either a crossover or straight-through Ethernet cable.
External Antenna: The MAX-210HW2 is equipped with WiFi and WiMAX omnidirectional antennas. The MAX-200HW2 and MAX-230HW2 are equipped with a WiFi omnidirectional antenna and a WiMAX panel directional antenna.
Telephone Port: Connect analog telephones to the ZyXEL Device’s 2 LINE ports (RJ-11 connector) to take advantage of its Voice over IP (VoIP) features.
Reset Button: The reset button is built into the rear panel. Use this button to restore the factory default password to 1234; IP address to 192.168.1.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 32 IP addresses starting at 192.168.1.33.
Table 122 Non-Physical Features
FEATURE: DESCRIPTION
High Speed Wireless Internet Access: The ZyXEL Device is ideal for high-speed wireless Internet browsing. WiMAX (Worldwide Interoperability for Microwave Access) is a wireless networking standard providing high-bandwidth, wide-range secured wireless service. The ZyXEL Device is a WiMAX mobile station (MS) compatible with the IEEE 802.16e standard.
WiFi Functionality: Allow the IEEE 802.11b and/or IEEE 802.11g wireless clients to connect to the ZyXEL Device wirelessly. Enable wireless security (WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your wireless network.
Firewall: The ZyXEL Device is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyXEL Device’s firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
Content Filtering: The ZyXEL Device can block access to web sites containing specified keywords. You can define time periods and days during which content filtering is enabled and include or exclude a range of users on the LAN from content filtering.
Auto Provisioning: Your Internet service provider can automatically update your device’s configuration via an auto-provisioning server.
Auto Firmware Upgrade: Your device gives you the option to upgrade to a newer firmware version if it finds one during auto-provisioning. Your VoIP service provider must have an auto-provisioning server and a server set up with firmware in order for this feature to work.
Network Address Translation (NAT): Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
Universal Plug and Play (UPnP): Your device and other UPnP enabled devices can use the standard TCP/IP protocol to dynamically join a network, obtain an IP address and convey their capabilities to each other.
Dynamic DNS Support: With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
DHCP: DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to obtain the TCP/IP configuration at start-up from a centralized DHCP server. Your device has built-in DHCP server capability enabled by default. It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. Your device can also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.
Multiple PVC (Permanent Virtual Circuits) Support: Your device supports up to 8 Permanent Virtual Circuits (PVCs).
IP Alias: IP alias allows you to partition a physical network into logical networks over the same Ethernet interface. Your device supports three logical LAN interfaces via its single physical Ethernet interface with your device itself as the gateway for each LAN network.
IP Policy Routing (IPPR): Traditionally, routing is based on the destination address only and the router takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
REN: A Ringer Equivalence Number (REN) is used to determine the number of devices (like telephones or fax machines) that may be connected to the telephone line. Your device has a REN of three, so it can support three devices per telephone port.
Multiple SIP Accounts: You can configure multiple voice (SIP) accounts.
SIP ALG: Your device is a SIP Application Layer Gateway (ALG). It allows VoIP calls to pass through NAT for devices behind it (such as a SIP-based VoIP software application on a computer).
Dynamic Jitter Buffer: The built-in adaptive buffer helps to smooth out the variations in delay (jitter) for voice traffic. This helps ensure good voice quality for your conversations.
Voice Activity Detection/Silence Suppression: Voice Activity Detection (VAD) reduces the bandwidth that a call uses by not transmitting when you are not speaking.
Comfort Noise Generation: Your device generates background noise to fill moments of silence when the other device in a call stops transmitting because the other party is not speaking (as total silence could easily be mistaken for a lost connection).
Echo Cancellation: Your device supports G.168, an ITU-T standard for eliminating the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.
QoS (Quality of Service): Quality of Service (QoS) mechanisms help to provide better service on a per-flow basis. Your device supports Type of Service (ToS) tagging. This allows the device to tag voice frames so they can be prioritized over the network.
Packet Filters: Your device’s packet filtering function allows added network security and management.
PART V: Appendices and Index
• WiMAX Security
• Setting up Your Computer’s IP Address
• Pop-up Windows, JavaScripts and Java Permissions
• IP Addresses and Subnetting
• Wireless LANs
• Common Services
• Legal Information
• Customer Support
• Index
APPENDIX A: WiMAX Security
Wireless security is vital to protect your wireless communications. Without it, information
transmitted over the wireless network would be accessible to any networking device within
range.
User Authentication and Data Encryption
The WiMAX (IEEE 802.16) standard employs user authentication and encryption to ensure
secured communication at all times.
User authentication is the process of confirming a user’s identity and level of authorization.
Data encryption is the process of encoding information so that it cannot be read by anyone
who does not know the code.
WiMAX uses PKMv2 (Privacy Key Management version 2) for authentication, and CCMP
(Counter Mode with Cipher Block Chaining Message Authentication Protocol) for data
encryption.
WiMAX supports EAP (Extensible Authentication Protocol, RFC 2486) which allows
additional authentication methods to be deployed with no changes to the base station or the
mobile or subscriber stations.
PKMv2
PKMv2 is a procedure that allows authentication of a mobile or subscriber station and
negotiation of a public key to encrypt traffic between the MS/SS and the base station. PKMv2
uses standard EAP methods such as Transport Layer Security (EAP-TLS) or Tunneled TLS
(EAP-TTLS) for secure communication.
In cryptography, a ‘key’ is a piece of information, typically a string of random numbers and
letters, that can be used to ‘lock’ (encrypt) or ‘unlock’ (decrypt) a message. Public key
encryption uses key pairs, which consist of a public (freely available) key and a private
(secret) key. The public key is used for encryption and the private key is used for decryption.
You can decrypt a message only if you have the private key. Public key certificates (or ‘digital
IDs’) allow users to verify each other’s identity.
RADIUS
RADIUS is based on a client-server model that supports authentication, authorization and
accounting. The base station is the client and the server is the RADIUS server. The RADIUS
server handles the following tasks:
• Authentication
Determines the identity of the users.
• Authorization
Determines the network services available to authenticated users once they are connected
to the network.
• Accounting
Keeps track of the client’s network activity.
RADIUS is a simple packet exchange in which your base station acts as a message relay
between the MS/SS and the network RADIUS server.
Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the base station and the
RADIUS server for user authentication:
• Access-Request
Sent by a base station requesting authentication.
• Access-Reject
Sent by a RADIUS server rejecting access.
• Access-Accept
Sent by a RADIUS server allowing access.
• Access-Challenge
Sent by a RADIUS server requesting more information in order to allow access. The base
station sends a proper response from the user and then sends another Access-Request
message.
The following types of RADIUS messages are exchanged between the base station and the
RADIUS server for user accounting:
• Accounting-Request
Sent by the base station requesting accounting.
• Accounting-Response
Sent by the RADIUS server to indicate that it has started or stopped accounting.
In order to ensure network security, the access point and the RADIUS server use a shared
secret key, which is a password they both know. The key is not sent over the network. In
addition to the shared key, password information exchanged is also encrypted to protect the
network from unauthorized access.
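The shared-secret mechanics described above, as an added example that is not part of the manual or ZyXEL's code: it follows RFC 2865 for User-Password hiding and the Response Authenticator, with the base station as RADIUS client, and shows that neither the secret nor the password appears on the wire while an altered reply is still detected. The secret, user name, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
# Constructed sample values, not taken from the manual.
SECRET = b"constructed-shared-secret"
USERS = {b"ms-001": b"constructed-pass"}

def _keystream_xor(data, secret, request_auth, input_is_hidden):
    """XOR 16-byte blocks with MD5(secret + previous hidden block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, pad))
        out += mixed
        prev = block if input_is_hidden else mixed
    return out

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2); the secret itself is never sent."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    width = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16
    return _keystream_xor(password.ljust(width, b"\x00"), secret, request_auth, False)

def reveal_password(hidden, secret, request_auth):
    """Server side: undo the hiding and strip the null padding."""
    return _keystream_xor(hidden, secret, request_auth, True).rstrip(b"\x00")

def encode_attrs(attrs):
    """Encode (type, value) pairs as Type, Length, Value triples."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_packet(data):
    """Return (code, identifier, authenticator, {type: value}); reject bad lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs

def build_request(ident, user, password, secret, request_auth=None):
    """Base station side: Access-Request carrying a hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, user),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code, request, secret, attrs=()):
    """Server side: bind the reply to the request with the Response Authenticator."""
    _, ident, request_auth, _ = parse_packet(request)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def server_handle(request, secret, users):
    """Server side: check the credentials and answer Accept or Reject."""
    code, _, request_auth, attrs = parse_packet(request)
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    known = users.get(attrs.get(USER_NAME, b""))
    ok = (code == ACCESS_REQUEST and known is not None
          and hmac.compare_digest(known, password))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)

def verify_response(response, request, secret):
    """Base station side: trust a reply only if it was computed with the shared secret."""
    try:
        _, ident, resp_auth, _ = parse_packet(response)
        _, req_ident, request_auth, _ = parse_packet(request)
    except ValueError:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return ident == req_ident and hmac.compare_digest(expected, resp_auth)

def demo():
    """A genuine Access-Reject verifies; the same reply with its code altered does not."""
    request = build_request(7, b"ms-001", b"wrong-pass", SECRET)
    reply = server_handle(request, SECRET, USERS)
    flipped = bytes([ACCESS_ACCEPT]) + reply[1:]
    return reply[0], verify_response(reply, request, SECRET), verify_response(flipped, request, SECRET)

if __name__ == "__main__":
    print(demo())
```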
Diameter
Diameter (RFC 3588) is a type of AAA server that provides several improvements over
RADIUS in efficiency, security, and support for roaming.
Security Association
The set of information about user authentication and data encryption between two computers
is known as a security association (SA). In a WiMAX network, the process of security
association has three stages.
• Authorization request and reply
The MS/SS presents its public certificate to the base station. The base station verifies the
certificate and sends an authentication key (AK) to the MS/SS.
• Key request and reply
The MS/SS requests a transport encryption key (TEK) which the base station generates
and encrypts using the authentication key.
• Encrypted traffic
The MS/SS decrypts the TEK (using the authentication key). Both stations can now
securely encrypt and decrypt the data flow.
CCMP
All traffic in a WiMAX network is encrypted using CCMP (Counter Mode with Cipher Block
Chaining Message Authentication Protocol). CCMP is based on the 128-bit Advanced
Encryption Standard (AES) algorithm.
‘Counter mode’ refers to the encryption of each block of plain text with an arbitrary number,
known as the counter. This number changes each time a block of plain text is encrypted.
Counter mode avoids the security weakness of repeated identical blocks of encrypted text that
makes encrypted data vulnerable to pattern-spotting.
‘Cipher Block Chaining Message Authentication’ (also known as CBC-MAC) ensures
message integrity by encrypting each block of plain text in such a way that its encryption is
dependent on the block before it. This series of ‘chained’ blocks creates a message
authentication code (MAC or CMAC) that ensures the encrypted data has not been tampered
with.
Authentication
The ZyXEL Device supports EAP-TTLS authentication.
EAP-TTLS (Tunneled Transport Layer Security)
EAP-TTLS is an extension of EAP-TLS authentication that uses certificates only for
server-side authentication to establish a secure connection (with EAP-TLS, digital
certificates are needed by both the server and the wireless clients for mutual authentication).
Client authentication is then done by sending the user name and password through the secure
connection, so the client’s identity is protected. For client authentication, EAP-TTLS supports
EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
APPENDIX B: Setting up Your Computer’s IP Address
The purpose of this appendix is to show you how to configure an IP address
on your computer depending on what operating system you have. It does NOT
mean that your ZyXEL Device supports all these operating systems.
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.
Windows 95/98/Me/NT/2000/XP/Vista, Macintosh OS 7 and later operating systems and all
versions of UNIX/LINUX include the software components you need to install and use TCP/
IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application
package.
TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS
7 and later operating systems.
After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order
to "communicate" with your network.
If you manually assign IP information instead of using dynamic assignment, make sure that
your computers have IP addresses that place them in the same subnet as the ZyXEL Device’s
LAN port.
Windows 95/98/Me
Click Start, Settings, Control Panel and double-click the Network icon to open the Network
window.
Figure 170 Windows 95/98/Me: Network: Configuration
Installing Components
The Network window Configuration tab displays a list of installed components. You need a
network adapter, the TCP/IP protocol and Client for Microsoft Networks.
If you need the adapter:
1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.
If you need TCP/IP:
1 In the Network window, click Add.
2 Select Protocol and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select TCP/IP from the list of network protocols and then click OK.
If you need Client for Microsoft Networks:
1 Click Add.
2 Select Client and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click
OK.
5 Restart your computer so the changes you made take effect.
Configuring
1 In the Network window Configuration tab, select your network adapter's TCP/IP entry
and click Properties.
2 Click the IP Address tab.
• If your IP address is dynamic, select Obtain an IP address automatically.
• If you have a static IP address, select Specify an IP address and type your
information into the IP Address and Subnet Mask fields.
Figure 171 Windows 95/98/Me: TCP/IP Properties: IP Address
3 Click the DNS Configuration tab.
• If you do not know your DNS information, select Disable DNS.
• If you know your DNS information, select Enable DNS and type the information in
the fields below (you may not need to fill them all in).
Figure 172 Windows 95/98/Me: TCP/IP Properties: DNS Configuration
4 Click the Gateway tab.
• If you do not know your gateway’s IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.
5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your ZyXEL Device and restart your computer when prompted.
Verifying Settings
1 Click Start and then Run.
2 In the Run window, type "winipcfg" and then click OK to open the IP Configuration
window.
3 Select your network adapter. You should see your computer's IP address, subnet mask
and default gateway.
Windows 2000/NT/XP
The following example figures use the default Windows XP GUI theme.
1 Click start (Start in Windows 2000/NT), Settings, Control Panel.
Figure 173 Windows XP: Start Menu
2 In the Control Panel, double-click Network Connections (Network and Dial-up
Connections in Windows 2000/NT).
Figure 174 Windows XP: Control Panel
3 Right-click Local Area Connection and then click Properties.
Figure 175 Windows XP: Control Panel: Network Connections: Properties
4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click
Properties.
Figure 176 Windows XP: Local Area Connection Properties
5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows
XP).
• If you have a dynamic IP address click Obtain an IP address automatically.
• If you have a static IP address click Use the following IP Address and fill in the IP
address, Subnet mask, and Default gateway fields.
• Click Advanced.
Figure 177 Windows XP: Internet Protocol (TCP/IP) Properties
6 If you do not know your gateway's IP address, remove any previously installed
gateways in the IP Settings tab and click OK.
Do one or more of the following if you want to configure additional IP addresses:
• In the IP Settings tab, in IP addresses, click Add.
• In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet
mask, and then click Add.
• Repeat the above two steps for each IP address you want to add.
• Configure additional default gateways in the IP Settings tab by clicking Add in
Default gateways.
• In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway.
To manually configure a default metric (the number of transmission hops), clear the
Automatic metric check box and type a metric in Metric.
• Click Add.
• Repeat the previous three steps for each default gateway you want to add.
• Click OK when finished.
Figure 178 Windows XP: Advanced TCP/IP Properties
7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows
XP):
• Click Obtain DNS server address automatically if you do not know your DNS
server IP address(es).
• If you know your DNS server IP address(es), click Use the following DNS server
addresses, and type them in the Preferred DNS server and Alternate DNS server
fields.
If you have previously configured DNS servers, click Advanced and then the DNS
tab to order them.
Figure 179 Windows XP: Internet Protocol (TCP/IP) Properties
8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection
Properties window.
10 Close the Network Connections window (Network and Dial-up Connections in
Windows 2000/NT).
11 Turn on your ZyXEL Device and restart your computer (if prompted).
Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can
also open Network Connections, right-click a network connection, click Status and
then click the Support tab.
Windows Vista
This section shows screens from Windows Vista Enterprise Version 6.0.
1 Click the Start icon, Control Panel.
Figure 180 Windows Vista: Start Menu
2 In the Control Panel, double-click Network and Internet.
Figure 181 Windows Vista: Control Panel
3 Click Network and Sharing Center.
Figure 182 Windows Vista: Network And Internet
4 Click Manage network connections.
Figure 183 Windows Vista: Network and Sharing Center
5 Right-click Local Area Connection and then click Properties.
During this procedure, click Continue whenever Windows displays a screen
saying that it needs your permission to continue.
Figure 184 Windows Vista: Network and Sharing Center
6 Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
Figure 185 Windows Vista: Local Area Connection Properties
7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens (the General
tab).
• If you have a dynamic IP address click Obtain an IP address automatically.
• If you have a static IP address click Use the following IP address and fill in the IP
address, Subnet mask, and Default gateway fields.
• Click Advanced.
Figure 186 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties
8 If you do not know your gateway's IP address, remove any previously installed
gateways in the IP Settings tab and click OK.
Do one or more of the following if you want to configure additional IP addresses:
• In the IP Settings tab, in IP addresses, click Add.
• In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet
mask, and then click Add.
• Repeat the above two steps for each IP address you want to add.
• Configure additional default gateways in the IP Settings tab by clicking Add in
Default gateways.
• In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway.
To manually configure a default metric (the number of transmission hops), clear the
Automatic metric check box and type a metric in Metric.
• Click Add.
• Repeat the previous three steps for each default gateway you want to add.
• Click OK when finished.
Figure 187 Windows Vista: Advanced TCP/IP Properties
9 In the Internet Protocol Version 4 (TCP/IPv4) Properties window (the General tab):
• Click Obtain DNS server address automatically if you do not know your DNS
server IP address(es).
• If you know your DNS server IP address(es), click Use the following DNS server
addresses, and type them in the Preferred DNS server and Alternate DNS server
fields.
If you have previously configured DNS servers, click Advanced and then the DNS
tab to order them.
Figure 188 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties
10 Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties window.
11 Click Close to close the Local Area Connection Properties window.
12 Close the Network Connections window.
13 Turn on your ZyXEL Device and restart your computer (if prompted).
Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can
also open Network Connections, right-click a network connection, click Status and
then click the Support tab.
Macintosh OS 8/9
1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP
Control Panel.
Figure 189 Macintosh OS 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list.
Figure 190 Macintosh OS 8/9: TCP/IP
3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyXEL Device in the Router address box.
5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
7 Turn on your ZyXEL Device and restart your computer (if prompted).
Verifying Settings
Check your TCP/IP properties in the TCP/IP Control Panel window.
Macintosh OS X
1 Click the Apple menu, and click System Preferences to open the System Preferences
window.
Figure 191 Macintosh OS X: Apple Menu
2 Click Network in the icon bar.
• Select Automatic from the Location list.
• Select Built-in Ethernet from the Show list.
• Click the TCP/IP tab.
3 For dynamically assigned settings, select Using DHCP from the Configure list.
Figure 192 Macintosh OS X: Network
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyXEL Device in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your ZyXEL Device and restart your computer (if prompted).
Verifying Settings
Check your TCP/IP properties in the Network window.
Linux
This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux
9.0. Procedure, screens and file location may vary depending on your Linux distribution and
release version.
Make sure you are logged in as the root administrator.
Using the K Desktop Environment (KDE)
Follow the steps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and
click Network.
Figure 193 Red Hat 9.0: KDE: Network Configuration: Devices
2 Double-click on the profile of the network card you wish to configure. The Ethernet
Device General screen displays as shown.
Figure 194 Red Hat 9.0: KDE: Ethernet Device: General
• If you have a dynamic IP address, click Automatically obtain IP address settings
with and select dhcp from the drop down list.
• If you have a static IP address, click Statically set IP Addresses and fill in the
Address, Subnet mask, and Default Gateway Address fields.
3 Click OK to save the changes and close the Ethernet Device General screen.
4 If you know your DNS server IP address(es), click the DNS tab in the Network
Configuration screen. Enter the DNS server information in the fields provided.
Figure 195 Red Hat 9.0: KDE: Network Configuration: DNS
5 Click the Devices tab.
6 Click the Activate button to apply the changes. The following screen displays. Click Yes
to save the changes in all screens.
Figure 196 Red Hat 9.0: KDE: Network Configuration: Activate
7 After the network card restart process is complete, make sure the Status is Active in the
Network Configuration screen.
Using Configuration Files
Follow the steps below to edit the network configuration files and set your computer IP
address.
1 Assuming that you have only one network card on the computer, locate the
ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the
configuration file with any plain text editor.
• If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The
following figure shows an example.
Figure 197 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
• If you have a static IP address, enter static in the BOOTPROTO= field. Type
IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK=
followed by the subnet mask. The following figure shows an example where the
static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0.
Figure 198 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.10
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
2 If you know your DNS server IP address(es), enter the DNS server information in the
resolv.conf file in the /etc directory. The following figure shows an example where
two DNS server IP addresses are specified.
Figure 199 Red Hat 9.0: DNS Settings in resolv.conf
nameserver 172.23.5.1
nameserver 172.23.5.2
3 After you edit and save the configuration files, you must restart the network card. Enter
./network restart in the /etc/rc.d/init.d directory. The following figure
shows an example.
Figure 200 Red Hat 9.0: Restart Ethernet Card
[root@localhost init.d]# network restart
Shutting down interface eth0:        [OK]
Shutting down loopback interface:    [OK]
Setting network parameters:          [OK]
Bringing up loopback interface:      [OK]
Bringing up interface eth0:          [OK]
Verifying Settings
Enter ifconfig in a terminal screen to check your TCP/IP properties.
Figure 201 Red Hat 9.0: Checking TCP/IP Properties
[root@localhost]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
          inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:717 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:730412 (713.2 Kb)  TX bytes:1570 (1.5 Kb)
          Interrupt:10 Base address:0x1000
[root@localhost]#
APPENDIX C
Pop-up Windows, JavaScripts and Java Permissions
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).
Internet Explorer 6 screens are used here. Screens for other Internet Explorer
versions may vary.
Internet Explorer Pop-up Blockers
You may have to disable pop-up blocking to log into your device.
Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or
allow pop-up blocking and create an exception for your device’s IP address.
Disable Pop-up Blockers
1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up
Blocker.
Figure 202 Pop-up Blocker
You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the
Privacy tab.
1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This
disables any web pop-up blockers you may have enabled.
Figure 203 Internet Options: Privacy
3 Click Apply to save this setting.
Enable Pop-up Blockers with Exceptions
Alternatively, if you only want to allow pop-up windows from your device, see the following
steps.
1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings to open the Pop-up Blocker Settings screen.
Figure 204 Internet Options: Privacy
3 Type the IP address of your device (the web page that you do not want to have blocked)
with the prefix “http://”. For example, http://192.168.167.1.
4 Click Add to move the IP address to the list of Allowed sites.
Figure 205 Pop-up Blocker Settings
5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.
JavaScripts
If pages of the web configurator do not display properly in Internet Explorer, check that
JavaScripts are allowed.
1 In Internet Explorer, click Tools, Internet Options and then the Security tab.
Figure 206 Internet Options: Security
2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.
Figure 207 Security Settings - Java Scripting
Java Permissions
1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.
Figure 208 Security Settings - Java
JAVA (Sun)
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for  under Java (Sun) is selected.
3 Click OK to close the window.
Figure 209 Java (Sun)
Mozilla Firefox
Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary.
You can enable Java, JavaScripts and pop-ups in one screen. Click Tools, then click Options in
the screen that appears.
Figure 210 Mozilla Firefox: Tools > Options
Click Content to show the screen below. Select the check boxes as shown in the following
screen.
Figure 211 Mozilla Firefox Content Security
APPENDIX D
IP Addresses and Subnetting
This appendix introduces IP addresses and subnet masks.
IP addresses identify individual devices on a network. Every networking device (including
computers, servers, routers, printers, etc.) needs an IP address to communicate across the
network. These networking devices are also known as hosts.
Subnet masks determine the maximum number of possible hosts on a network. You can also
use subnet masks to divide one network into multiple sub-networks.
Introduction to IP Addresses
One part of the IP address is the network number, and the other part is the host ID. In the same
way that houses on a street share a common street name, the hosts on a network share a
common network number. Similarly, as each house has its own house number, each host on the
network has its own unique identifying number - the host ID. Routers use the network number
to send packets to the correct network, while the host ID determines to which host on the
network the packets are delivered.
Structure
An IP address is made up of four parts, written in dotted decimal notation (for example,
192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary
number (for example 11000000, which is 192 in decimal notation).
Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in
decimal.
The following figure shows an example IP address in which the first three octets (192.168.1)
are the network number, and the fourth octet (16) is the host ID.
Figure 212 Network Number and Host ID
How much of the IP address is the network number and how much is the host ID varies
according to the subnet mask.
Subnet Masks
A subnet mask is used to determine which bits are part of the network number, and which bits
are part of the host ID (using a logical AND operation). The term “subnet” is short for
“sub-network”.
A subnet mask has 32 bits. If a bit in the subnet mask is a “1” then the corresponding bit in the
IP address is part of the network number. If a bit in the subnet mask is “0” then the
corresponding bit in the IP address is part of the host ID.
The following example shows a subnet mask identifying the network number (in bold text)
and host ID of an IP address (192.168.1.2 in decimal).
Table 123 IP Address Network Number and Host ID Example
                     | 1ST OCTET: (192) | 2ND OCTET: (168) | 3RD OCTET: (1) | 4TH OCTET (2)
IP Address (Binary)  | 11000000         | 10101000         | 00000001       | 00000010
Subnet Mask (Binary) | 11111111         | 11111111         | 11111111       | 00000000
Network Number       | 11000000         | 10101000         | 00000001       |
Host ID              |                  |                  |                | 00000010
By convention, subnet masks always consist of a continuous sequence of ones beginning from
the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of
32 bits.
Subnet masks can be referred to by the size of the network number part (the bits with a “1”
value). For example, an “8-bit mask” means that the first 8 bits of the mask are ones and the
remaining 24 bits are zeroes.
Subnet masks are expressed in dotted decimal notation just like IP addresses. The following
examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet
masks.
Table 124 Subnet Masks
            | BINARY 1ST OCTET | BINARY 2ND OCTET | BINARY 3RD OCTET | BINARY 4TH OCTET | DECIMAL
8-bit mask  | 11111111         | 00000000         | 00000000         | 00000000         | 255.0.0.0
16-bit mask | 11111111         | 11111111         | 00000000         | 00000000         | 255.255.0.0
24-bit mask | 11111111         | 11111111         | 11111111         | 00000000         | 255.255.255.0
29-bit mask | 11111111         | 11111111         | 11111111         | 11111000         | 255.255.255.248
Network Size
The size of the network number determines the maximum number of possible hosts you can
have on your network. The larger the number of network number bits, the smaller the number
of remaining host ID bits.
An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a
24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast
address for that network (192.168.1.255 with a 24-bit subnet mask, for example).
As these two IP addresses cannot be used for individual hosts, calculate the maximum number
of possible hosts in a network as follows:
Table 125 Maximum Host Numbers
SUBNET MASK               | HOST ID SIZE | MAXIMUM NUMBER OF HOSTS
8 bits (255.0.0.0)        | 24 bits      | 2^24 – 2 = 16777214
16 bits (255.255.0.0)     | 16 bits      | 2^16 – 2 = 65534
24 bits (255.255.255.0)   | 8 bits       | 2^8 – 2 = 254
29 bits (255.255.255.248) | 3 bits       | 2^3 – 2 = 6
Notation
Since the mask is always a continuous number of ones beginning from the left, followed by a
continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the
number of ones instead of writing the value of each octet. This is usually specified by writing
a “/” followed by the number of bits in the mask after the address.
For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask
255.255.255.128.
The following table shows some possible subnet masks using both notations.
Table 126 Alternative Subnet Mask Notation
SUBNET MASK     | ALTERNATIVE NOTATION | LAST OCTET (BINARY) | LAST OCTET (DECIMAL)
255.255.255.0   | /24                  | 0000 0000           | 0
255.255.255.128 | /25                  | 1000 0000           | 128
255.255.255.192 | /26                  | 1100 0000           | 192
255.255.255.224 | /27                  | 1110 0000           | 224
255.255.255.240 | /28                  | 1111 0000           | 240
255.255.255.248 | /29                  | 1111 1000           | 248
255.255.255.252 | /30                  | 1111 1100           | 252
Subnetting
You can use subnetting to divide one network into multiple sub-networks. In the following
example a network administrator creates two sub-networks to isolate a group of servers from
the rest of the company network for security reasons.
In this example, the company network address is 192.168.1.0. The first three octets of the
address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a
maximum of 2^8 – 2 or 254 possible hosts.
The following figure shows the company network before subnetting.
Figure 213 Subnetting Example: Before Subnetting
You can “borrow” one of the host ID bits to divide the network 192.168.1.0 into two separate
sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25).
The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets;
192.168.1.0 /25 and 192.168.1.128 /25.
The following figure shows the company network after subnetting. There are now two
sub-networks, A and B.
Figure 214 Subnetting Example: After Subnetting
In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 – 2 or 126
possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s
broadcast address).
192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask
255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned
to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126.
Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.
Example: Four Subnets
The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two
subnets. Similarly, to divide a 24-bit address into four subnets, you need to “borrow” two host
ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits
(11111111.11111111.11111111.11000000) or 255.255.255.192.
Each subnet contains 6 host ID bits, giving 2^6 – 2 or 62 hosts for each subnet (a host ID of all
zeroes is the subnet itself, all ones is the subnet’s broadcast address).
Table 127 Subnet 1
IP/SUBNET MASK       | NETWORK NUMBER              | LAST OCTET BIT VALUE
IP Address (Decimal) | 192.168.1.                  | 0
IP Address (Binary)  | 11000000.10101000.00000001. | 00000000
Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
Subnet Address: 192.168.1.0     | Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63 | Highest Host ID: 192.168.1.62
Table 128 Subnet 2
IP/SUBNET MASK       | NETWORK NUMBER              | LAST OCTET BIT VALUE
IP Address           | 192.168.1.                  | 64
IP Address (Binary)  | 11000000.10101000.00000001. | 01000000
Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
Subnet Address: 192.168.1.64     | Lowest Host ID: 192.168.1.65
Broadcast Address: 192.168.1.127 | Highest Host ID: 192.168.1.126
Table 129 Subnet 3
IP/SUBNET MASK       | NETWORK NUMBER              | LAST OCTET BIT VALUE
IP Address           | 192.168.1.                  | 128
IP Address (Binary)  | 11000000.10101000.00000001. | 10000000
Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
Subnet Address: 192.168.1.128    | Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191 | Highest Host ID: 192.168.1.190
Table 130 Subnet 4
IP/SUBNET MASK       | NETWORK NUMBER              | LAST OCTET BIT VALUE
IP Address           | 192.168.1.                  | 192
IP Address (Binary)  | 11000000.10101000.00000001. | 11000000
Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
Subnet Address: 192.168.1.192    | Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255 | Highest Host ID: 192.168.1.254
Example: Eight Subnets
Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and
111).
The following table shows IP address last octet values for each subnet.
Table 131 Eight Subnets
SUBNET | SUBNET ADDRESS | FIRST ADDRESS | LAST ADDRESS | BROADCAST ADDRESS
1      | 0              | 1             | 30           | 31
2      | 32             | 33            | 62           | 63
3      | 64             | 65            | 94           | 95
4      | 96             | 97            | 126          | 127
5      | 128            | 129           | 158          | 159
6      | 160            | 161           | 190          | 191
7      | 192            | 193           | 222          | 223
8      | 224            | 225           | 254          | 255
Subnet Planning
The following table is a summary for subnet planning on a network with a 24-bit network
number.
Table 132 24-bit Network Number Subnet Planning
NO. “BORROWED” HOST BITS | SUBNET MASK           | NO. SUBNETS | NO. HOSTS PER SUBNET
1                        | 255.255.255.128 (/25) | 2           | 126
2                        | 255.255.255.192 (/26) | 4           | 62
3                        | 255.255.255.224 (/27) | 8           | 30
4                        | 255.255.255.240 (/28) | 16          | 14
5                        | 255.255.255.248 (/29) | 32          | 6
6                        | 255.255.255.252 (/30) | 64          | 2
7                        | 255.255.255.254 (/31) | 128         |
The following table is a summary for subnet planning on a network with a 16-bit network
number.
Table 133 16-bit Network Number Subnet Planning
NO. “BORROWED” HOST BITS | SUBNET MASK           | NO. SUBNETS | NO. HOSTS PER SUBNET
1                        | 255.255.128.0 (/17)   | 2           | 32766
2                        | 255.255.192.0 (/18)   | 4           | 16382
3                        | 255.255.224.0 (/19)   | 8           | 8190
4                        | 255.255.240.0 (/20)   | 16          | 4094
5                        | 255.255.248.0 (/21)   | 32          | 2046
6                        | 255.255.252.0 (/22)   | 64          | 1022
7                        | 255.255.254.0 (/23)   | 128         | 510
8                        | 255.255.255.0 (/24)   | 256         | 254
9                        | 255.255.255.128 (/25) | 512         | 126
10                       | 255.255.255.192 (/26) | 1024        | 62
11                       | 255.255.255.224 (/27) | 2048        | 30
12                       | 255.255.255.240 (/28) | 4096        | 14
13                       | 255.255.255.248 (/29) | 8192        | 6
14                       | 255.255.255.252 (/30) | 16384       | 2
15                       | 255.255.255.254 (/31) | 32768       |
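The subnetting rules above, carried through in code as an added Go example that is not part of the ZyXEL manual. It generalizes the two-, four- and eight-subnet examples to any number of borrowed bits, checks that a mask is a continuous run of ones, and uses the logical AND to test whether two addresses share a network number. The names Split, MaskToPrefix and SameSubnet are made up for this illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
	"net/netip"
)

// Subnet holds the values the tables above list for each sub-network.
type Subnet struct {
	Network, First, Last, Broadcast netip.Addr
	Prefix, Hosts                   int
}

func toU32(a netip.Addr) uint32 {
	b := a.As4()
	return binary.BigEndian.Uint32(b[:])
}

func fromU32(v uint32) netip.Addr {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], v)
	return netip.AddrFrom4(b)
}

// parseV4 parses a dotted-decimal IPv4 address or mask.
func parseV4(s string) (uint32, error) {
	a, err := netip.ParseAddr(s)
	if err != nil || !a.Is4() {
		return 0, fmt.Errorf("not dotted-decimal IPv4: %q", s)
	}
	return toU32(a), nil
}

// MaskToPrefix converts a mask such as 255.255.255.128 to its "/25" length.
// It rejects masks that are not one continuous run of ones from the left.
func MaskToPrefix(mask string) (int, error) {
	m, err := parseV4(mask)
	if err != nil {
		return 0, err
	}
	ones := bits.LeadingZeros32(^m) // length of the leading run of ones
	if ones < 32 && m<<uint(ones) != 0 {
		return 0, fmt.Errorf("mask %s has a one after a zero", mask)
	}
	return ones, nil
}

// SameSubnet ANDs both addresses with the mask and compares the resulting
// network numbers, e.g. a computer's address against the device's LAN address.
func SameSubnet(a, b, mask string) (bool, error) {
	if _, err := MaskToPrefix(mask); err != nil {
		return false, err
	}
	m, _ := parseV4(mask) // already validated by MaskToPrefix
	x, errA := parseV4(a)
	y, errB := parseV4(b)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("bad address: %q or %q", a, b)
	}
	return x&m == y&m, nil
}

// Split divides network (e.g. "192.168.1.0/24") into 2^borrowed sub-networks
// by moving `borrowed` bits from the host ID into the network number.
func Split(network string, borrowed int) ([]Subnet, error) {
	p, err := netip.ParsePrefix(network)
	if err != nil || !p.Addr().Is4() {
		return nil, fmt.Errorf("not an IPv4 network: %q", network)
	}
	hostBits := 32 - p.Bits() - borrowed
	// Host IDs of all zeros and all ones are reserved, so 2+ host bits are needed.
	if borrowed < 0 || borrowed > 16 || hostBits < 2 || hostBits > 31 {
		return nil, fmt.Errorf("cannot borrow %d bits from %s", borrowed, network)
	}
	base := toU32(p.Masked().Addr())
	size := uint32(1) << uint(hostBits)
	var out []Subnet
	for i := uint32(0); i < uint32(1)<<uint(borrowed); i++ {
		n := base + i*size
		out = append(out, Subnet{
			Network: fromU32(n), First: fromU32(n + 1),
			Last: fromU32(n + size - 2), Broadcast: fromU32(n + size - 1),
			Prefix: 32 - hostBits, Hosts: int(size) - 2,
		})
	}
	return out, nil
}

func main() {
	subnets, err := Split("192.168.1.0/24", 2) // the four-subnet example above
	if err != nil {
		panic(err)
	}
	for i, s := range subnets {
		fmt.Printf("subnet %d: %s/%d hosts %s-%s broadcast %s\n", i+1, s.Network, s.Prefix, s.First, s.Last, s.Broadcast)
	}
}
```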
Configuring IP Addresses
Where you obtain your network number depends on your particular situation. If the ISP or
your network administrator assigns you a block of registered IP addresses, follow their
instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single
user account and the ISP will assign you a dynamic IP address when the connection is
established. If this is the case, it is recommended that you select a network number from
192.168.0.0 to 192.168.255.0. The Internet Assigned Numbers Authority (IANA) reserved this
block of addresses specifically for private use; please do not use any other number unless you
are told otherwise. You must also enable Network Address Translation (NAT) on the ZyXEL
Device.
Once you have decided on the network number, pick an IP address for your ZyXEL Device
that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your
network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device
will compute the subnet mask automatically based on the IP address that you entered. You
don't need to change the subnet mask computed by the ZyXEL Device unless you are
instructed to do otherwise.
Private IP Addresses
Every machine on the Internet must have a unique address. If your networks are isolated from
the Internet (running only between two branch offices, for example) you can assign any IP
addresses to the hosts without problems. However, the Internet Assigned Numbers Authority
(IANA) has reserved the following three blocks of IP addresses specifically for private
networks:
• 10.0.0.0 — 10.255.255.255
• 172.16.0.0 — 172.31.255.255
• 192.168.0.0 — 192.168.255.255
You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a
private network. If you belong to a small organization and your Internet access is through an
ISP, the ISP can provide you with the Internet addresses for your local networks. On the other
hand, if you are part of a much larger organization, you should consult your network
administrator for the appropriate IP addresses.
Regardless of your particular situation, do not create an arbitrary IP address; always follow the
guidelines above. For more information on address assignment, please refer to RFC 1597,
Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP
Address Space.
IP Address Conflicts
Each device on a network must have a unique IP address. Devices with duplicate IP addresses
on the same network will not be able to access the Internet or other resources. The devices may
also be unreachable through the network.
Conflicting Computer IP Addresses Example
More than one device cannot use the same IP address. In the following example, computer A
has a static (or fixed) IP address that is the same as the IP address that a DHCP server assigns
to computer B which is a DHCP client. Neither can access the Internet. This problem can be
solved by assigning a different static IP address to computer A or setting computer A to obtain
an IP address automatically.
Figure 215 Conflicting Computer IP Addresses Example
Conflicting Router IP Addresses Example
Since a router connects different networks, it must have interfaces using different network
numbers. For example, if a router is set between a LAN and the Internet (WAN), the router’s
LAN and WAN addresses must be on different subnets. In the following example, the LAN
and WAN are on the same subnet. The LAN computers cannot access the Internet because the
router cannot route between networks.
Figure 216 Conflicting Computer IP Addresses Example
Conflicting Computer and Router IP Addresses Example
More than one device cannot use the same IP address. In the following example, the computer
and the router’s LAN port both use 192.168.1.1 as the IP address. The computer cannot access
the Internet. This problem can be solved by assigning a different IP address to the computer or
the router’s LAN port.
Figure 217 Conflicting Computer and Router IP Addresses Example
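The subnet arithmetic of Table 131 and the three conflict cases above can be checked before addresses are assigned. The following Python sketch is an added example, not part of the ZyXEL guide; the function names and the sample inventory (apart from 192.168.1.1 and the 192.168.1.0/24 network) are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations


def subnet_rows(network, new_prefix):
    """Split `network` and return (subnet, first host, last host, broadcast) rows."""
    parent = ipaddress.ip_network(network)
    rows = []
    for sub in parent.subnets(new_prefix=new_prefix):
        rows.append((
            str(sub.network_address),
            str(sub.network_address + 1),    # first usable host address
            str(sub.broadcast_address - 1),  # last usable host address
            str(sub.broadcast_address),
        ))
    return rows


def find_conflicts(inventory):
    """inventory: iterable of (device, port, "address/prefix") tuples, IPv4 only."""
    findings = []
    by_address = defaultdict(list)
    by_device = defaultdict(list)
    for device, port, cidr in inventory:
        iface = ipaddress.IPv4Interface(cidr)
        by_address[iface.ip].append(f"{device}:{port}")
        by_device[device].append((port, iface))
        net = iface.network
        # The subnet address and the broadcast address are not host addresses.
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(("reserved-address",
                             f"{device}:{port} uses {iface.ip} in {net}"))

    # The same address on more than one interface (computer/computer or computer/router).
    for ip in sorted(by_address):
        owners = by_address[ip]
        if len(owners) > 1:
            findings.append(("duplicate-ip", f"{ip} used by {', '.join(owners)}"))

    # A router's ports must be on different subnets, otherwise it cannot route.
    for device in sorted(by_device):
        for (p1, i1), (p2, i2) in combinations(by_device[device], 2):
            if i1.network.overlaps(i2.network):
                findings.append(("same-subnet-ports",
                                 f"{device}: {p1} {i1.network} overlaps {p2} {i2.network}"))
    return findings


# Constructed inventory reproducing the three conflict cases in this appendix.
SAMPLE_INVENTORY = [
    ("computer-A", "eth0", "192.168.1.33/24"),  # static address
    ("computer-B", "eth0", "192.168.1.33/24"),  # same address handed out by DHCP
    ("router", "lan", "192.168.1.1/24"),
    ("router", "wan", "192.168.1.2/24"),        # WAN on the LAN's subnet
    ("computer-C", "eth0", "192.168.1.1/24"),   # same address as the router's LAN port
]

if __name__ == "__main__":
    for row in subnet_rows("192.168.1.0/24", 27):
        print(*row)
    for kind, detail in find_conflicts(SAMPLE_INVENTORY):
        print(kind, detail)
```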
APPENDIX E
Wireless LANs
Wireless LAN Topologies
This section discusses ad-hoc and infrastructure wireless LAN topologies.
Ad-hoc Wireless LAN Configuration
The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of
computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within
range of each other, they can set up an independent network, which is commonly referred to as
an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an
example of notebook computers using wireless adapters to form an ad-hoc wireless LAN.
Figure 218 Peer-to-Peer Communication in an Ad-hoc Network
BSS
A Basic Service Set (BSS) exists when all communications between wireless clients or
between a wireless client and a wired network client go through one access point (AP).
Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled,
wireless client A and B can access the wired network and communicate with each other. When
Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot
communicate with each other.
Figure 219 Basic Service Set
ESS
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an
access point, with each access point connected together by a wired network. This wired
connection between APs is called a Distribution System (DS).
This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not
only provide communication with the wired network but also mediate wireless network traffic
in the immediate neighborhood.
An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their
associated wireless clients within the same ESS must have the same ESSID in order to
communicate.
Figure 220 Infrastructure WLAN
Channel
A channel is the radio frequency(ies) used by wireless devices to transmit and receive data.
Channels available depend on your geographical area. You may have a choice of channels (for
your region) so you should use a channel different from an adjacent AP (access point) to
reduce interference. Interference occurs when radio signals from different access points
overlap, degrading performance.
Adjacent channels partially overlap, however. To avoid interference due to overlap, your AP
should be on a channel at least five channels away from a channel that an adjacent AP is using.
For example, if your region has 11 channels and an adjacent AP is using channel 1, then you
need to select a channel between 6 and 11.
RTS/CTS
A hidden node occurs when two stations are within range of the same access point, but are not
within range of each other. The following figure illustrates a hidden node. Both stations (STA)
are within range of the access point (AP) or wireless gateway, but out-of-range of each other,
so they cannot "hear" each other, that is, they do not know if the channel is currently being
used. Therefore, they are considered hidden from each other.
Figure 221 RTS/CTS
When station A sends data to the AP, it might not know that the station B is already using the
channel. If these two stations send data at the same time, collisions may occur when both sets
of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
RTS/CTS is designed to prevent collisions due to hidden nodes. The RTS/CTS value defines the
largest data frame you can send before an RTS (Request To Send)/CTS (Clear to Send)
handshake is invoked.
When a data frame exceeds the RTS/CTS value you set (between 0 and 2432 bytes), the station
that wants to transmit this frame must first send an RTS (Request To Send) message to the AP
for permission to send it. The AP then responds with a CTS (Clear to Send) message to all
other stations within its range to notify them to defer their transmission. It also reserves and
confirms with the requesting station the time frame for the requested transmission.
Stations can send frames smaller than the specified RTS/CTS directly to the AP without the
RTS (Request To Send)/CTS (Clear to Send) handshake.
You should only configure RTS/CTS if the possibility of hidden nodes exists on your network
and the "cost" of resending large frames is more than the extra network overhead involved in
the RTS (Request To Send)/CTS (Clear to Send) handshake.
If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the
RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will
be fragmented before they reach RTS/CTS size.
Note: Enabling the RTS Threshold causes redundant network overhead that could
negatively affect the throughput performance instead of providing a remedy.
Fragmentation Threshold
A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432
bytes) that can be sent in the wireless network before the AP will fragment the packet into
smaller data frames.
A large Fragmentation Threshold is recommended for networks not prone to interference
while you should set a smaller threshold for busy networks or networks that are prone to
interference.
If the Fragmentation Threshold value is smaller than the RTS/CTS value you set (see
previously), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as
data frames will be fragmented before they reach RTS/CTS size.
Preamble Type
Preamble is used to signal that data is coming to the receiver. Short and long refer to the length
of the synchronization field in a packet.
Short preamble increases performance as less time sending preamble means more time for
sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all
support short preamble.
Use long preamble if you are unsure what preamble mode other wireless devices on the
network support, and to provide more reliable communications in busy wireless networks.
Use short preamble if you are sure all wireless devices on the network support it, and to
provide more efficient communications.
Use the dynamic setting to automatically use short preamble when all wireless devices on the
network support it, otherwise the ZyXEL Device uses long preamble.
Note: The wireless devices MUST use the same preamble mode in order to
communicate.
IEEE 802.11g Wireless LAN
IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE
802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at
11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps
between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation
are as follows:
Table 134 IEEE 802.11g
DATA RATE (MBPS)      | MODULATION
1                     | DBPSK (Differential Binary Phase Shift Keyed)
2                     | DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11              | CCK (Complementary Code Keying)
6/9/12/18/24/36/48/54 | OFDM (Orthogonal Frequency Division Multiplexing)
Wireless Security Overview
Wireless security is vital to your network to protect wireless communication between wireless
clients, access points and the wired network.
Wireless security methods available on the ZyXEL Device are data encryption, wireless client
authentication, restricting access by device MAC address and hiding the ZyXEL Device
identity.
The following table shows the relative effectiveness of these wireless security methods
available on your ZyXEL Device.
Table 135 Wireless Security Levels
SECURITY LEVEL | SECURITY TYPE
Least Secure   | Unique SSID (Default)
               | Unique SSID with Hide SSID Enabled
               | MAC Address Filtering
               | WEP Encryption
               | IEEE802.1x EAP with RADIUS Server Authentication
               | Wi-Fi Protected Access (WPA)
Most Secure    | WPA2
Note: You must enable the same wireless security settings on the ZyXEL Device and
on all wireless clients that you want to associate with it.
IEEE 802.1x
In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to
support extended authentication as well as providing additional accounting and control
features. It is supported by Windows XP and a number of network devices. Some advantages
of IEEE 802.1x are:
• User based identification that allows for roaming.
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for
centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional
authentication methods to be deployed with no changes to the access point or the wireless
clients.
RADIUS
RADIUS is based on a client-server model that supports authentication, authorization and
accounting. The access point is the client and the server is the RADIUS server. The RADIUS
server handles the following tasks:
• Authentication
Determines the identity of the users.
• Authorization
Determines the network services available to authenticated users once they are connected
to the network.
• Accounting
Keeps track of the client’s network activity.
RADIUS is a simple packet exchange in which your AP acts as a message relay between the
wireless client and the network RADIUS server.
Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the access point and the
RADIUS server for user authentication:
• Access-Request
Sent by an access point requesting authentication.
• Access-Reject
Sent by a RADIUS server rejecting access.
• Access-Accept
Sent by a RADIUS server allowing access.
• Access-Challenge
Sent by a RADIUS server requesting more information in order to allow access. The
access point sends a proper response from the user and then sends another Access-Request
message.
The following types of RADIUS messages are exchanged between the access point and the
RADIUS server for user accounting:
• Accounting-Request
Sent by the access point requesting accounting.
• Accounting-Response
Sent by the RADIUS server to indicate that it has started or stopped accounting.
In order to ensure network security, the access point and the RADIUS server use a shared
secret key, which is a password they both know. The key is not sent over the network. In
addition to the shared key, password information exchanged is also encrypted to protect the
network from unauthorized access.
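The following Python sketch shows how the shared secret protects an exchange without ever being sent: the access point hides the user's password in the Access-Request, and checks that an Access-Accept really came from a server that knows the secret. It is an added example, not part of the ZyXEL guide or its firmware; it follows the User-Password and Response Authenticator rules of the RADIUS RFCs cited above, assumes a plain password exchange rather than EAP, and all names and sample values are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RADIUS attribute types


def _mask_blocks(data, secret, authenticator, hiding):
    """XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ m for b, m in zip(block, mask))
        out += result
        prev = result if hiding else block  # chain on the hidden (on-the-wire) block
    return out


def hide_password(password, secret, authenticator):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded_len = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16
    return _mask_blocks(password.ljust(padded_len, b"\x00"), secret, authenticator, True)


def reveal_password(hidden, secret, authenticator):
    """Server side: only the holder of the shared secret recovers the password."""
    return _mask_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # random Request Authenticator
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: the Response Authenticator binds the reply to the request and secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + digest + attrs


def verify_response(packet, request_authenticator, secret):
    """Access point side: reject replies that were not produced with the shared secret."""
    if len(packet) < 20:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"           # constructed sample value
    request = build_access_request(7, b"alice", b"constructed password", secret)
    reply = build_response(ACCESS_ACCEPT, 7, request[4:20], secret)
    print("secret on the wire:", secret in request)
    print("reply accepted:", verify_response(reply, request[4:20], secret))
```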
Types of EAP Authentication
This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS,
PEAP and LEAP. Your wireless LAN device may not support all authentication types.
EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the
IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By
using EAP to interact with an EAP-compatible RADIUS server, an access point helps a
wireless station and a RADIUS server perform authentication.
The type of authentication you use depends on the RADIUS server and an intermediary AP(s)
that supports IEEE 802.1x.
For EAP-TLS authentication type, you must first have a wired connection to the network and
obtain the certificate(s) from a certificate authority (CA). Certificates (also called digital IDs)
can be used to authenticate users; a CA issues certificates and guarantees the identity of
each certificate owner.
EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server
sends a challenge to the wireless client. The wireless client ‘proves’ that it knows the password
by encrypting the password with the challenge and sending back the result. The password is
not sent in plain text.
However, MD5 authentication has some weaknesses. Since the authentication server needs to
get the plaintext passwords, the passwords must be stored. Thus someone other than the
authentication server may access the password file. In addition, it is possible to impersonate an
authentication server as MD5 authentication method does not perform mutual authentication.
Finally, MD5 authentication method does not support data encryption with dynamic session
key. You must configure WEP encryption keys for data encryption.
EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certificates are needed by both the server and the wireless clients for
mutual authentication. The server presents a certificate to the client. After validating the
identity of the server, the client sends a different certificate to the server. The exchange of
certificates is done in the open before a secured tunnel is created. This makes user identity
vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the
sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to
handle certificates, which imposes a management overhead.
EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the
server-side authentications to establish a secure connection. Client authentication is then done
by sending username and password through the secure connection, thus client identity is
protected. For client authentication, EAP-TTLS supports EAP methods and legacy
authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
PEAP (Protected EAP)
Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection,
then use simple username and password methods through the secured connection to
authenticate the clients, thus hiding client identity. However, PEAP only supports EAP
methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card),
for client authentication. EAP-GTC is implemented only by Cisco.
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE
802.1x.
Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key expires when
the wireless connection times out, disconnects or reauthentication times out. A new WEP key
is generated each time reauthentication is performed.
If this feature is enabled, it is not necessary to configure a default encryption key in the
wireless security configuration screen. You may still configure and store keys, but they will
not be used while dynamic WEP is enabled.
Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange.
For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use
dynamic keys for data encryption. They are often deployed in corporate environments, but for
public deployment, a simple user name and password pair is more practical. The following
table is a comparison of the features of authentication types.
Table 136 Comparison of EAP Authentication Types
                           | EAP-MD5 | EAP-TLS | EAP-TTLS | PEAP     | LEAP
Mutual Authentication      | No      | Yes     | Yes      | Yes      | Yes
Certificate – Client       | No      | Yes     | Optional | Optional | No
Certificate – Server       | No      | Yes     | Yes      | Yes      | No
Dynamic Key Exchange       | No      | Yes     | Yes      | Yes      | Yes
Credential Integrity       | None    | Strong  | Strong   | Strong   | Moderate
Deployment Difficulty      | Easy    | Hard    | Moderate | Moderate | Moderate
Client Identity Protection | No      | No      | Yes      | Yes      | No
WPA and WPA2
WPA is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security
standard that defines stronger encryption, authentication and key management than WPA.
Key differences between WPA or WPA2 and WEP are improved data encryption and user
authentication.
If both an AP and the wireless clients support WPA2 and you have an external RADIUS
server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server,
you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical)
password entered into each access point, wireless gateway and wireless client. As long as the
passwords match, a wireless client will be granted access to a WLAN.
If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending
on whether you have an external RADIUS server or not.
Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is
less secure than WPA or WPA2.
Encryption
Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol
(TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced
Encryption Standard (AES) in the Counter mode with Cipher block chaining Message
authentication code Protocol (CCMP) to offer stronger encryption than TKIP.
TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication
server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit
mathematical algorithm called Rijndael. They both include a per-packet key mixing function,
a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with
sequencing rules, and a re-keying mechanism.
WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption
key is never used twice.
The RADIUS server distributes a Pairwise Master Key (PMK) to the AP that then sets up
a key hierarchy and management system, using the PMK to dynamically generate unique data
encryption keys to encrypt every data packet that is wirelessly communicated between the AP
and the wireless clients. This all happens in the background automatically.
The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data
packets, altering them and resending them. The MIC provides a strong mathematical function
in which the receiver and the transmitter each compute and then compare the MIC. If they do
not match, it is assumed that the data has been tampered with and the packet is dropped.
By generating unique data encryption keys for every data packet and by creating an integrity
checking mechanism (MIC), TKIP and AES make it more difficult to decrypt data on a Wi-Fi
network than WEP does, and difficult for an intruder to break into the network.
The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only
difference between the two is that WPA(2)-PSK uses a simple common password, instead of
user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to
brute-force password-guessing attacks, but it is still an improvement over WEP as it employs a
consistent, single, alphanumeric password to derive a PMK which is used to generate unique
temporal encryption keys. This prevents all wireless devices from sharing the same encryption
keys (a weakness of WEP).
User Authentication
WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to
authenticate wireless clients using an external RADIUS database. WPA2 reduces the number
of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time
required to connect to a network. Other WPA2 authentication features that are different from
WPA include key caching and pre-authentication. These two features are optional and may not
be supported in all wireless devices.
Key caching allows a wireless client to store the PMK it derived through a successful
authentication with an AP. The wireless client uses the PMK when it tries to connect to the
same AP and does not need to go through the authentication process again.
Pre-authentication enables fast roaming by allowing the wireless client (already connecting to
an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.
Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the
wireless client how to use WPA. At the time of writing, the most widely available supplicant is
the WPA patch for Windows XP, Funk Software's Odyssey client.
The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in
"Zero Configuration" wireless client. However, you must run Windows XP to use it.
WPA(2) with RADIUS Application Example
To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is
1812), and the RADIUS shared secret. A WPA(2) application example with an external
RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.
1 The AP passes the wireless client's authentication request to the RADIUS server.
2 The RADIUS server then checks the user's identification against its database and grants
or denies network access accordingly.
3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the
RADIUS server and the client.
4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy
and management system, using the PMK to dynamically generate unique data encryption
keys. The keys are used to encrypt every data packet that is wirelessly communicated
between the AP and the wireless clients.
Figure 222 WPA(2) with RADIUS Application Example
WPA(2)-PSK Application Example
A WPA(2)-PSK application looks as follows.
1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key
(PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters
(including spaces and symbols).
2 The AP checks each wireless client's password and allows it to join the network only if
the password matches.
3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key
itself is not sent over the network, but is derived from the PSK and the SSID.
4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and
information exchanged in a handshake to create temporal encryption keys. They use
these keys to encrypt data exchanged between them.
Figure 223 WPA(2)-PSK Authentication
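Steps 1, 3 and 4 above can be followed in code. This Python sketch is an added example, not part of the ZyXEL guide: it validates a PSK against the length rules in step 1, derives the PMK from the PSK and the SSID, and shows that each handshake yields different temporal keys. The PBKDF2 parameters and the key expansion label come from IEEE 802.11i rather than from this guide, and the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac
import string


def pmk_from_psk(psk, ssid):
    """Return the 256-bit PMK for a WPA(2)-PSK network."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # 64 hexadecimal characters are the 256-bit key itself.
    if len(psk) == 64 and all(c in string.hexdigits for c in psk):
        return bytes.fromhex(psk)
    # 8 to 63 printable ASCII characters are stretched with the SSID as salt
    # (PBKDF2-HMAC-SHA1, 4096 iterations, per IEEE 802.11i).
    if 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk):
        return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid_bytes, 4096, 32)
    raise ValueError("PSK must be 8 to 63 ASCII characters or 64 hexadecimal characters")


def prf(key, label, data, nbytes):
    """IEEE 802.11i pseudo-random function built on HMAC-SHA1."""
    out, counter = b"", 0
    while len(out) < nbytes:
        message = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, message, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def temporal_keys(pmk, ap_mac, client_mac, anonce, snonce, cipher="TKIP"):
    """Expand the PMK with the values exchanged in the handshake."""
    size = 64 if cipher == "TKIP" else 48  # TKIP also needs two 8-byte MIC keys
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, size)
    return {
        "kck": ptk[:16],       # protects the handshake messages themselves
        "kek": ptk[16:32],     # encrypts keys delivered during the handshake
        "tk": ptk[32:48],      # temporal key used to encrypt data frames
        "mic_keys": ptk[48:],  # Michael MIC keys (empty for AES)
    }


# Constructed sample values, not captured traffic.
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = pmk_from_psk("password", "IEEE")
    print("PMK:", pmk.hex())
    print("same passphrase, other SSID:", pmk_from_psk("password", "Office").hex())
    print("TK:", temporal_keys(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)["tk"].hex())
```

Because the SSID is the salt, two networks that share a passphrase but use different SSIDs end up with different PMKs, which is one practical reason to keep the SSID unique.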
Security Parameters Summary
Refer to this table to see what other security parameters you should configure for each
authentication method or key management protocol type. MAC address filters are not
dependent on how you configure these security features.
Table 137 Wireless Security Relational Matrix
AUTHENTICATION METHOD/KEY MANAGEMENT PROTOCOL | ENCRYPTION METHOD | ENTER MANUAL KEY | IEEE 802.1X
Open                                          | None              | No               | Disable
                                              |                   |                  | Enable without Dynamic WEP Key
Open                                          | WEP               | No               | Enable with Dynamic WEP Key
                                              |                   | Yes              | Enable without Dynamic WEP Key
                                              |                   | Yes              | Disable
Shared                                        | WEP               | No               | Enable with Dynamic WEP Key
                                              |                   | Yes              | Enable without Dynamic WEP Key
                                              |                   | Yes              | Disable
WPA                                           | TKIP/AES          | No               | Enable
WPA-PSK                                       | TKIP/AES          | Yes              | Disable
WPA2                                          | TKIP/AES          | No               | Enable
WPA2-PSK                                      | TKIP/AES          | Yes              | Disable
Antenna Overview
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF
signal to the antenna, which propagates the signal through the air. The antenna also operates in
reverse by capturing RF signals from the air.
Positioning the antennas properly increases the range and coverage area of a wireless LAN.
Antenna Characteristics
Frequency
An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE
802.11a) is needed to communicate efficiently in a wireless LAN.
Radiation Pattern
A radiation pattern is a diagram that allows you to visualize the shape of the antenna’s
coverage area.
Antenna Gain
Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width.
Higher antenna gain improves the range of the signal for better communications.
For an indoor site, each 1 dB increase in antenna gain results in a range increase of
approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a
range increase of approximately 5%. Actual results may vary depending on the network
environment.
Antenna gain is sometimes specified in dBi, which is how much the antenna increases the
signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical
perfect antenna that sends out radio signals equally well in all directions. dBi represents the
true gain that the antenna provides.
Types of Antennas for WLAN
There are two types of antennas used for wireless LAN applications.
• Omni-directional antennas send the RF signal out in all directions on a horizontal plane.
The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a
room environment. With a wide coverage area, it is possible to make circular overlapping
coverage areas with multiple access points.
• Directional antennas concentrate the RF signal in a beam, like a flashlight does with the
light from its bulb. The angle of the beam determines the width of the coverage pattern.
Angles typically range from 20 degrees (very directional) to 120 degrees (less directional).
Directional antennas are ideal for hallways and outdoor point-to-point applications.
Positioning Antennas
In general, antennas should be mounted as high as practically possible and free of
obstructions. In point-to-point applications, position both antennas at the same height and in a
direct line of sight to each other to attain the best performance.
For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For
omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single
AP application, place omni-directional antennas as close to the center of the coverage area as
possible.
For directional antennas, point the antenna in the direction of the desired coverage area.
APPENDIX F
Common Services
The following table lists some commonly-used services and their associated protocols and port
numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services,
visit the IANA (Internet Assigned Numbers Authority) web site.
• Name: This is a short, descriptive name for the service. You can use this one or create a
different one, if you like.
• Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the
service uses the same port number with TCP and UDP. If this is USER-DEFINED, the
Port(s) is the IP protocol number, not the port number.
• Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further
information about port numbers.
• If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.
• If the Protocol is USER, this is the IP protocol number.
• Description: This is a brief explanation of the applications that use this service or the
situations in which this service is used.
Table 138 Commonly Used Services
NAME               | PROTOCOL     | PORT(S) | DESCRIPTION
AH (IPSEC_TUNNEL)  | User-Defined | 51      | The IPSEC AH (Authentication Header) tunneling protocol uses this service.
AIM/New-ICQ        | TCP          | 5190    | AOL’s Internet Messenger service. It is also used as a listening port by ICQ.
AUTH               | TCP          | 113     | Authentication protocol used by some servers.
BGP                | TCP          | 179     | Border Gateway Protocol.
BOOTP_CLIENT       | UDP          | 68      | DHCP Client.
BOOTP_SERVER       | UDP          | 67      | DHCP Server.
CU-SEEME           | TCP          | 7648    | A popular videoconferencing solution from White Pines Software.
                   | UDP          | 24032   |
DNS                | TCP/UDP      | 53      | Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers.
ESP (IPSEC_TUNNEL) | User-Defined | 50      | The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
FINGER             | TCP          | 79      | Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
FTP                | TCP          | 20      | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
                   | TCP          | 21      |
H.323              | TCP          | 1720    | NetMeeting uses this protocol.
HTTP               | TCP          | 80      | Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS              | TCP          | 443     | HTTPS is a secured http session often used in e-commerce.
ICMP               | User-Defined | 1       | Internet Control Message Protocol is often used for diagnostic or routing purposes.
ICQ                | UDP          | 4000    | This is a popular Internet chat program.
IGMP (MULTICAST)   | User-Defined | 2       | Internet Group Management Protocol is used when sending packets to a specific group of hosts.
IKE                | UDP          | 500     | The Internet Key Exchange algorithm is used for key distribution and management.
IRC                | TCP/UDP      | 6667    | This is another popular Internet chat program.
MSN Messenger      | TCP          | 1863    | Microsoft Networks’ messenger service uses this protocol.
NEW-ICQ            | TCP          | 5190    | An Internet chat program.
NEWS               | TCP          | 144     | A protocol for news groups.
NFS                | UDP          | 2049    | Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments.
NNTP               | TCP          | 119     | Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
PING               | User-Defined | 1       | Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
POP3               | TCP          | 110     | Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
PPTP               | TCP          | 1723    | Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.
PPTP_TUNNEL (GRE)  | User-Defined | 47      | PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel.
RCMD               | TCP          | 512     | Remote Command Service.
REAL_AUDIO         | TCP          | 7070    | A streaming audio service that enables real time sound over the web.
REXEC
TCP
514
Remote Execution Daemon.
RLOGIN
TCP
513
Remote Login.
RTELNET
TCP
107
Remote Telnet.
MAX-200HW2 Series User’s Guide
Appendix F Common Services
Table 138 Commonly Used Services (continued)
NAME
PROTOCOL
PORT(S)
DESCRIPTION
RTSP
TCP/UDP
554
The Real Time Streaming (media control)
Protocol (RTSP) is a remote control for
multimedia on the Internet.
SFTP
TCP
115
Simple File Transfer Protocol.
SMTP
TCP
25
Simple Mail Transfer Protocol is the
message-exchange standard for the
Internet. SMTP enables you to move
messages from one e-mail server to
another.
SNMP
TCP/UDP
161
Simple Network Management Program.
SNMP-TRAPS
TCP/UDP
162
Traps for use with the SNMP (RFC:1215).
SQL-NET
TCP
1521
Structured Query Language is an interface
to access data on many different types of
database systems, including mainframes,
midrange systems, UNIX systems and
network servers.
SSH
TCP/UDP
22
Secure Shell Remote Login Program.
STRM WORKS
UDP
1558
Stream Works Protocol.
SYSLOG
UDP
514
Syslog allows you to send system logs to a
UNIX server.
TACACS
UDP
49
Login Host Protocol used for (Terminal
Access Controller Access Control System).
TELNET
TCP
23
Telnet is the login and terminal emulation
protocol common on the Internet and in
UNIX environments. It operates over TCP/
IP networks. Its primary function is to allow
users to log into remote host systems.
TFTP
UDP
69
Trivial File Transfer Protocol is an Internet
file transfer protocol similar to FTP, but
uses the UDP (User Datagram Protocol)
rather than TCP (Transmission Control
Protocol).
VDOLIVE
TCP
7000
Another videoconferencing solution.
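How the Protocol and Port(s) columns of Table 138 turn into packet matches, as an added example that is not part of the ZyXEL manual or firmware. The rows are a subset of the table; the names `compile_rows`, `classify`, `Rule` and the `(ip_proto, dst_port)` packet representation are assumptions, and 6 and 17 are the IANA protocol numbers for TCP and UDP.

```python
"""Interpret Table 138 rows according to the field descriptions above the table."""
from typing import List, NamedTuple, Optional, Tuple

# IANA IP protocol numbers for the two transports the table names.
IP_PROTO = {"TCP": 6, "UDP": 17}

# Subset of Table 138, one (name, protocol, port) entry per table line.
# Stacked rows (CU-SEEME, FTP) are written as one entry per line.
TABLE_ROWS = [
    ("AH (IPSEC_TUNNEL)", "User-Defined", "51"),
    ("ESP (IPSEC_TUNNEL)", "User-Defined", "50"),
    ("PPTP_TUNNEL (GRE)", "User-Defined", "47"),
    ("CU-SEEME", "TCP", "7648"),
    ("CU-SEEME", "UDP", "24032"),
    ("DNS", "TCP/UDP", "53"),
    ("FTP", "TCP", "20"),
    ("FTP", "TCP", "21"),
    ("IKE", "UDP", "500"),
    ("PPTP", "TCP", "1723"),
    ("REXEC", "TCP", "514"),
    ("SYSLOG", "UDP", "514"),
    ("ICMP", "User-Defined", ""),  # Port(s) cell is empty in this copy of the table
]


class Rule(NamedTuple):
    name: str
    ip_proto: int         # value of the IP header's protocol field
    port: Optional[int]   # destination port; None when the protocol has no ports


def compile_rows(rows) -> Tuple[List[Rule], List[str]]:
    """Turn table rows into match rules; return (rules, names with no usable value)."""
    rules: List[Rule] = []
    unresolved: List[str] = []
    for name, protocol, value in rows:
        value = value.strip()
        if not value:
            # Nothing to match on: report the row instead of guessing a number.
            unresolved.append(name)
            continue
        number = int(value)
        key = protocol.strip().upper()
        if key in ("USER-DEFINED", "USER"):
            # Port(s) holds an IP protocol number (8-bit field), not a port.
            if not 0 <= number <= 255:
                raise ValueError(f"{name}: {number} is not an IP protocol number")
            rules.append(Rule(name, number, None))
            continue
        if not 1 <= number <= 65535:
            raise ValueError(f"{name}: {number} is not a valid port")
        # "TCP/UDP" means the same port number on both transports.
        for transport in key.split("/"):
            if transport not in IP_PROTO:
                raise ValueError(f"{name}: unknown protocol {transport!r}")
            rules.append(Rule(name, IP_PROTO[transport], number))
    return rules, unresolved


def classify(rules: List[Rule], ip_proto: int,
             dst_port: Optional[int] = None) -> List[str]:
    """Return the service names whose rule matches this packet header."""
    names: List[str] = []
    for rule in rules:
        if rule.ip_proto != ip_proto:
            continue
        if rule.port is None or rule.port == dst_port:
            if rule.name not in names:
                names.append(rule.name)
    return names


RULES, UNRESOLVED = compile_rows(TABLE_ROWS)

if __name__ == "__main__":
    # Constructed sample headers: (IP protocol number, destination port or None).
    samples = [(17, 514), (6, 514), (50, None), (6, 50), (47, None), (17, 53)]
    for proto, port in samples:
        print(proto, port, classify(RULES, proto, port) or "no match")
    print("rows without a value:", UNRESOLVED)
```

Port 514 resolves to SYSLOG or REXEC depending on the transport, and a TCP packet to port 50 does not match ESP, because the ESP row's 50 is an IP protocol number.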
Appendix G Legal Information
Copyright
Copyright © 2007 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed,
stored in a retrieval system, translated into any language, or transmitted in any form or by any
means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or
otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimers
ZyXEL does not assume any liability arising out of the application or use of any products, or
software described herein. Neither does it convey any license under its patent rights nor the
patent rights of others. ZyXEL further reserves the right to make changes in any products
described herein without notice. This publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL
Communications, Inc. Other trademarks mentioned in this publication are used for
identification purposes only and may be properties of their respective owners.
Certifications
Federal Communications Commission (FCC) Interference Statement
The device complies with Part 15 of FCC rules. Operation is subject to the following two
conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause
undesired operations.
This device has been tested and found to comply with the limits for a Class B digital device
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference in a residential installation. This device generates,
uses, and can radiate radio frequency energy, and if not installed and used in accordance with
the instructions, may cause harmful interference to radio communications. However, there is
no guarantee that interference will not occur in a particular installation.
If this device does cause harmful interference to radio/television reception, which can be
determined by turning the device off and on, the user is encouraged to try to correct the
interference by one or more of the following measures:
1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the
receiver is connected.
4 Consult the dealer or an experienced radio/TV technician for help.
FCC Radiation Exposure Statement
• The device complies with FCC RF radiation exposure limits set forth for an uncontrolled
environment, under 47 CFR 2.1093 paragraph (d)(2). End users must follow the specific
operating instructions for satisfying RF exposure compliance. To maintain compliance
with FCC RF exposure compliance requirements, please follow operation instruction as
documented in this manual.
• This transmitter must not be co-located or operating in conjunction with any other antenna
or transmitter.
• To comply with FCC RF exposure compliance requirements, a separation distance of at
least 20 cm must be maintained between the antenna of this device and all persons.
Notices
Changes or modifications not expressly approved by the party responsible for compliance
could void the user's authority to operate the equipment.
Viewing Certifications
1 Go to http://www.zyxel.com.
2 Select your product from the drop-down list box on the ZyXEL home page to go to that
product's page.
3 Select the certification you wish to view from this page.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects
in materials or workmanship for a period of up to two years from the date of purchase. During
the warranty period, and upon proof of purchase, should the product have indications of failure
due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the
defective products or components without charge for either parts or labor, and to whatever
extent it shall deem necessary to restore the product or components to proper operating
condition. Any replacement will consist of a new or re-manufactured functionally equivalent
product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty
shall not apply if the product has been modified, misused, tampered with, damaged by an act
of God, or subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the
purchaser. This warranty is in lieu of all other warranties, express or implied, including any
implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in
no event be held liable for indirect or consequential damages of any kind to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return
Material Authorization number (RMA). Products must be returned Postage Prepaid. It is
recommended that the unit be insured when shipped. Any returned products without proof of
purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of
ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products
will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty
gives you specific legal rights, and you may also have other rights that vary from country to
country.
Registration
Register your product online to receive e-mail notices of firmware upgrades and information
at www.zyxel.com.
Appendix H Customer Support
Please have the following information ready when you contact customer support.
Required Information
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
“+” is the (prefix) number you dial to make an international telephone call.
Corporate Headquarters (Worldwide)
• Support E-mail: support@zyxel.com.tw
• Sales E-mail: sales@zyxel.com.tw
• Telephone: +886-3-578-3942
• Fax: +886-3-578-2439
• Web: www.zyxel.com, www.europe.zyxel.com
• FTP: ftp.zyxel.com, ftp.europe.zyxel.com
• Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan
Costa Rica
• Support E-mail: soporte@zyxel.co.cr
• Sales E-mail: sales@zyxel.co.cr
• Telephone: +506-2017878
• Fax: +506-2015098
• Web: www.zyxel.co.cr
• FTP: ftp.zyxel.co.cr
• Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica
Czech Republic
• E-mail: info@cz.zyxel.com
• Telephone: +420-241-091-350
• Fax: +420-241-091-359
• Web: www.zyxel.cz
• Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 Modrany, Ceská Republika
Denmark
• Support E-mail: support@zyxel.dk
• Sales E-mail: sales@zyxel.dk
• Telephone: +45-39-55-07-00
• Fax: +45-39-55-07-07
• Web: www.zyxel.dk
• Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark
Finland
• Support E-mail: support@zyxel.fi
• Sales E-mail: sales@zyxel.fi
• Telephone: +358-9-4780-8411
• Fax: +358-9-4780-8448
• Web: www.zyxel.fi
• Regular Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland
France
• E-mail: info@zyxel.fr
• Telephone: +33-4-72-52-97-97
• Fax: +33-4-72-52-19-20
• Web: www.zyxel.fr
• Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France
Germany
• Support E-mail: support@zyxel.de
• Sales E-mail: sales@zyxel.de
• Telephone: +49-2405-6909-69
• Fax: +49-2405-6909-99
• Web: www.zyxel.de
• Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, Germany
Hungary
• Support E-mail: support@zyxel.hu
• Sales E-mail: info@zyxel.hu
• Telephone: +36-1-3361649
• Fax: +36-1-3259100
• Web: www.zyxel.hu
• Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, Hungary
India
• Support E-mail: support@zyxel.in
• Sales E-mail: sales@zyxel.in
• Telephone: +91-11-30888144 to +91-11-30888153
• Fax: +91-11-30888149, +91-11-26810715
• Web: http://www.zyxel.in
• Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase -1, New Delhi 110020, India
Japan
• Support E-mail: support@zyxel.co.jp
• Sales E-mail: zyp@zyxel.co.jp
• Telephone: +81-3-6847-3700
• Fax: +81-3-6847-3705
• Web: www.zyxel.co.jp
• Regular Mail: ZyXEL Japan, 3F, Office T&U, 1-10-10 Higashi-Gotanda, Shinagawa-ku, Tokyo 141-0022, Japan
Kazakhstan
• Support: http://zyxel.kz/support
• Sales E-mail: sales@zyxel.kz
• Telephone: +7-3272-590-698
• Fax: +7-3272-590-689
• Web: www.zyxel.kz
• Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan
Malaysia
• Support E-mail: support@zyxel.com.my
• Sales E-mail: sales@zyxel.com.my
• Telephone: +603-8076-9933
• Fax: +603-8076-9833
• Web: http://www.zyxel.com.my
• Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, Malaysia
North America
• Support E-mail: support@zyxel.com
• Support Telephone: +1-800-978-7222
• Sales E-mail: sales@zyxel.com
• Sales Telephone: +1-714-632-0882
• Fax: +1-714-632-0858
• Web: www.zyxel.com
• Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 928062001, U.S.A.
Norway
• Support E-mail: support@zyxel.no
• Sales E-mail: sales@zyxel.no
• Telephone: +47-22-80-61-80
• Fax: +47-22-80-61-81
• Web: www.zyxel.no
• Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway
Poland
• E-mail: info@pl.zyxel.com
• Telephone: +48-22-333 8250
• Fax: +48-22-333 8251
• Web: www.pl.zyxel.com
• Regular Mail: ZyXEL Communications, ul. Okrzei 1A, 03-715 Warszawa, Poland
Russia
• Support: http://zyxel.ru/support
• Sales E-mail: sales@zyxel.ru
• Telephone: +7-095-542-89-29
• Fax: +7-095-542-89-25
• Web: www.zyxel.ru
• Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia
Singapore
• Support E-mail: support@zyxel.com.sg
• Sales E-mail: sales@zyxel.com.sg
• Telephone: +65-6899-6678
• Fax: +65-6899-8887
• Web: http://www.zyxel.com.sg
• Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Singapore 609930
Spain
• Support E-mail: support@zyxel.es
• Sales E-mail: sales@zyxel.es
• Telephone: +34-902-195-420
• Fax: +34-913-005-345
• Web: www.zyxel.es
• Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain
Sweden
• Support E-mail: support@zyxel.se
• Sales E-mail: sales@zyxel.se
• Telephone: +46-31-744-7700
• Fax: +46-31-744-7701
• Web: www.zyxel.se
• Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden
Thailand
• Support E-mail: support@zyxel.co.th
• Sales E-mail: sales@zyxel.co.th
• Telephone: +662-831-5315
• Fax: +662-831-5395
• Web: http://www.zyxel.co.th
• Regular Mail: ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak-Noi, Muang, Nonthaburi 11000, Thailand.
Ukraine
• Support E-mail: support@ua.zyxel.com
• Sales E-mail: sales@ua.zyxel.com
• Telephone: +380-44-247-69-78
• Fax: +380-44-494-49-32
• Web: www.ua.zyxel.com
• Regular Mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev 04050, Ukraine
United Kingdom
• Support E-mail: support@zyxel.co.uk
• Sales E-mail: sales@zyxel.co.uk
• Telephone: +44-1344-303044, 08707-555779 (UK only)
• Fax: +44-1344-303034
• Web: www.zyxel.co.uk
• FTP: ftp.zyxel.co.uk
• Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)

Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : No
Encryption                      : Standard V2.3 (128-bit)
User Access                     : Print, Copy, Extract, Print high-res
XMP Toolkit                     : 3.1-702
Create Date                     : 2008:01:17 16:30:44+08:00
Creator Tool                    : pdfFactory Pro www.ahasoft.com.tw/FinePrint
Modify Date                     : 2008:01:17 16:51:31+08:00
Metadata Date                   : 2008:01:17 16:51:31+08:00
Format                          : application/pdf
Creator                         : claire
Title                           : UserMan_I88MAX200HW2-revised.pdf
Producer                        : pdfFactory Pro 3.10 (Windows XP Professional Chinese)
Document ID                     : uuid:2a9616e1-9d98-4ae2-be58-7db539848442
Instance ID                     : uuid:06633c78-639e-4562-9a64-46613ef2d304
Has XFA                         : No
Page Count                      : 104
Author                          : claire
FCC ID Filing: I88MAX200HW2
