Netgear WG102 Manual
NETGEAR ProSafe 802.11g Wireless Access Point WG102 Reference Manual
v1.0, July 2008

Chapter 2
Configuring Security

This chapter describes how to set up security features and advanced features of your NETGEAR WG102 ProSafe 802.11g Wireless Access Point.

Wireless Data Security Options

Your wireless data transmissions can be received well beyond your walls by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment. The WG102 Access Point provides highly effective security features, which are covered in detail in this chapter. Deploy the security features appropriate to your needs.

Figure 2-1

There are several ways you can enhance the security of your wireless network:

• Use Multiple BSSIDs combined with VLANs. You can configure combinations of VLANs and BSSIDs with stronger or less restrictive access security according to your requirements. For example, visitors could be given wireless Internet access but be excluded from any access to your internal network.
• Restrict Access Based on MAC address. You can restrict access to only trusted PCs so that unknown PCs cannot wirelessly connect to the WG102. MAC address filtering adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed.
• Turn Off the Broadcast of the Wireless Network Name (SSID). If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network ‘discovery’ feature of some products such as Windows XP, but the data is still fully exposed to a determined snoop using specialized test equipment like wireless sniffers.
• WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP Shared Key authentication and WEP data encryption will block all but the most determined eavesdropper.
• WPA, WPA-PSK, WPA2, or WPA2-PSK. Wi-Fi Protected Access (WPA and WPA2) data encryption provides data security. The very strong authentication along with dynamic per frame rekeying of WPA make it virtually impossible to compromise. Because this is a new standard, wireless device driver and software availability may be limited.
• WPA with Radius, WPA2 with Radius, or WPA and WPA2 with Radius. Wi-Fi Protected Access (WPA and WPA2) data encryption provides data security. The very strong authentication along with dynamic per frame rekeying of WPA make it virtually impossible to compromise. Because this is a new standard, wireless device driver and software availability may be limited.

Security Profiles

Security profiles let you configure unique security settings for each SSID. The WG102 Access Point supports up to eight SSIDs. The Security Profile Settings screen is shown in the following figure. To edit a security profile, select it from the list, and click Edit.

Figure 2-2 Selected Security Profile

The Security Profile Configuration screen opens for that profile.

Profile Definition

• Security Profile Name. Use a name that makes it easy to recognize the profile, and to tell profiles apart.
• Wireless Network Name (SSID). The SSID is also known as the wireless network name. The SSID separates network traffic from different wireless networks. To connect any wireless device to a wireless network, you need to use the SSID. The default SSID is: NETGEAR-0-0 for the first profile, NETGEAR-0-1 for the second, and so on. You can enter a value of up to 32 alphanumeric characters. Some concepts regarding the SSID are explained below:
  – Using the same SSID is essential. Devices with different SSIDs cannot communicate with each other. However, some access points allow connections from wireless stations that have their SSID set to “any” or whose SSID is blank (null).
  – A Basic Service Set (BSS) is a group of wireless stations and a single access point, all using the same SSID.
  – An Extended Service Set (ESS) is a group of wireless stations and multiple access points, all using the same ID (ESSID).
  – Different access points within an ESS can use different channels. To reduce interference, adjacent access points should use different channels.
  – Roaming is the ability of wireless stations to connect wirelessly when they physically move from one ESS to another. The wireless station automatically changes to the access point with the least interference or best performance.
• Broadcast Wireless Network Name (SSID). This field lets you turn off the SSID broadcast. If you do so, then only stations that know the SSID can connect. Disabling the SSID broadcast somewhat hampers the wireless network ‘discovery’ feature of some products. The default is to enable SSID broadcast.

Network Authentication

The WG102 Access Point is set by default as an open system with no authentication. When setting up Network Authentication, bear in mind the following:

• If you are using Access Point mode, then all options are available. In other modes such as Repeater or Bridge, some options may be unavailable.
• Not all wireless adapters support WPA or WPA2. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA. However, client software is required on the client. Consult the product documentation for your wireless adapter and WPA or WPA2 client software for instructions on configuring WPA2 settings.

You can configure the WG102 Access Point to use the authentication types shown in the table below.

Network Authentication Types

Open System: Can be used with WEP encryption, or no encryption.
Shared Key: WEP must be used. At least one shared key must be entered.
Legacy 802.1x: You must configure the Radius Server Settings to use this option.
WPA-PSK: You must use TKIP encryption, and enter the WPA passphrase (Network key).
WPA with Radius: You must configure the Radius Server Settings to use this option.
WPA2-PSK: WPA2 is a newer version of WPA. Select this only if all clients support WPA2. With WPA2, you must use AES encryption, and enter the WPA passphrase (Network key).
WPA-PSK and WPA2-PSK: Clients can use either WPA (with TKIP) or WPA2 (with AES). If selected, encryption must be TKIP + AES. The WPA passphrase (Network key) must also be entered.
WPA2 with Radius: WPA2 is a later version of WPA. Only select this if all clients support WPA2. You must use AES encryption, and configure the Radius Server Settings screen.
WPA and WPA2 with Radius: This selection allows clients to use either WPA (with TKIP) or WPA2 (with AES). If selected, encryption must be TKIP + AES, and you must also configure the Radius Server Settings screen.
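
The rules in the Network Authentication Types table can be checked mechanically before settings are applied. The following is an added example, not part of the NETGEAR manual or firmware; the dictionary field names (auth, encryption, passphrase, wep_keys, radius_ip) and the sample profiles are assumptions made for illustration.

```python
# Added example: checks security-profile records against the manual's
# "Network Authentication Types" table. Dict field names are assumptions.
WEP = {"64 bits WEP", "128 bits WEP", "152 bits WEP"}
ALLOWED_ENCRYPTION = {  # encryption each type accepts, as stated in the table
    "Open System": WEP | {"None"},
    "Shared Key": WEP,
    "WPA-PSK": {"TKIP"},
    "WPA2-PSK": {"AES"},
    "WPA-PSK and WPA2-PSK": {"TKIP + AES"},
    "WPA2 with Radius": {"AES"},
    "WPA and WPA2 with Radius": {"TKIP + AES"},
}
NEEDS_PASSPHRASE = {"WPA-PSK", "WPA2-PSK", "WPA-PSK and WPA2-PSK"}
# The table gives the first two only a Radius requirement, no encryption rule.
NEEDS_RADIUS = {"Legacy 802.1x", "WPA with Radius",
                "WPA2 with Radius", "WPA and WPA2 with Radius"}

def check_profile(profile):
    """Return findings for one profile dict; an empty list means consistent."""
    auth = profile.get("auth", "Open System")  # the AP's default is Open System
    enc = profile.get("encryption", "None")
    if auth not in ALLOWED_ENCRYPTION and auth not in NEEDS_RADIUS:
        return [f"unknown authentication type {auth!r}"]
    findings = []
    allowed = ALLOWED_ENCRYPTION.get(auth)
    if allowed is not None and enc not in allowed:
        findings.append(f"{auth}: encryption must be one of {sorted(allowed)}, not {enc!r}")
    if auth in NEEDS_PASSPHRASE and not profile.get("passphrase"):
        findings.append(f"{auth}: WPA passphrase (Network key) is missing")
    if auth == "Shared Key" and not any(profile.get("wep_keys", [])):
        findings.append("Shared Key: at least one shared key must be entered")
    # 0.0.0.0 is the manual's default Radius server address, i.e. not configured.
    if auth in NEEDS_RADIUS and profile.get("radius_ip", "0.0.0.0") == "0.0.0.0":
        findings.append(f"{auth}: Radius Server Settings are not configured")
    if auth == "Open System" and enc == "None":
        findings.append("Open System: no authentication and no encryption")
    return findings

# Constructed sample profiles for illustration only.
PROFILES = [
    {"ssid": "NETGEAR-0-0"},
    {"ssid": "staff", "auth": "WPA2-PSK", "encryption": "TKIP", "passphrase": "constructed-sample"},
    {"ssid": "guest", "auth": "WPA-PSK and WPA2-PSK", "encryption": "TKIP + AES", "passphrase": "constructed-sample"},
    {"ssid": "corp", "auth": "WPA2 with Radius", "encryption": "AES"},
]

if __name__ == "__main__":
    for p in PROFILES:
        print(p["ssid"], check_profile(p) or "consistent")
```
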

Data Encryption

Select the data encryption that you want to use. The available options depend on the Network Authentication setting above (otherwise, the default is None). The Data Encryption settings are explained in the table below:

Data Encryption Settings

None: No encryption is used.
64 bits WEP: Standard WEP encryption, using 40/64 bit encryption.
128 bits WEP: Standard WEP encryption, using 104/128 bit encryption.
152 bits WEP: Proprietary mode that only works with other wireless devices that support this mode.
TKIP: This is the standard encryption method used with WPA.
AES: This is the standard encryption method for WPA2. Some clients may support AES with WPA, but this is not supported by this Access Point.
TKIP + AES: This setting supports both WPA and WPA2. Broadcast packets use TKIP. For unicast (point-to-point) transmissions, WPA clients use TKIP, and WPA2 clients use AES.

The Passphrases and Keys are explained below:

• Passphrase. To use the Passphrase to generate the WEP keys, enter a passphrase and click the Generate Keys button. You can also enter the keys directly. These keys must match the other wireless stations.
• Key 1, Key 2, Key 3, Key 4. If using WEP, select the key to be used as the default key. Data transmissions are always encrypted using the default key. The other keys can only be used to decrypt received data.
• WPA Passphrase (Network Key). If using WPA-PSK, enter the passphrase here. All wireless stations must use the same passphrase (network key). The network key must be from 8 to 63 characters in length.

Wireless Client Security Separation

If enabled, the associated wireless clients will not be able to communicate with each other. This feature is used for hotspots and other public access situations. The default is Disabled.
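
The WPA Passphrase (Network Key) setting described above requires every station to hold the same passphrase. The following added example, which goes beyond the manual and is not NETGEAR code, uses the standard IEEE 802.11i passphrase-to-key mapping to show that the key depends on both the passphrase and the SSID; the station names and sample values are constructed.

```python
import hashlib

# Added example, not from the manual: the standard WPA/WPA2 passphrase-to-key
# mapping (IEEE 802.11i) with the manual's 8 to 63 character rule enforced.


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key derived from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("network key must be from 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase characters must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def mismatched_stations(ap, stations):
    """Names of stations whose SSID/passphrase derive a different key than the AP's."""
    ap_key = wpa_psk(ap["passphrase"], ap["ssid"])
    bad = []
    for sta in stations:
        try:
            ok = wpa_psk(sta["passphrase"], sta["ssid"]) == ap_key
        except ValueError:
            ok = False  # entry would be rejected before any key is derived
        if not ok:
            bad.append(sta["name"])
    return bad


# Constructed sample settings (hypothetical names and values).
AP = {"ssid": "NETGEAR-0-0", "passphrase": "constructed sample key"}
STATIONS = [
    {"name": "laptop", "ssid": "NETGEAR-0-0", "passphrase": "constructed sample key"},
    {"name": "printer", "ssid": "NETGEAR-0-0", "passphrase": "Constructed sample key"},
    {"name": "tablet", "ssid": "NETGEAR-0-1", "passphrase": "constructed sample key"},
    {"name": "camera", "ssid": "NETGEAR-0-0", "passphrase": "short"},
]

if __name__ == "__main__":
    print(mismatched_stations(AP, STATIONS))
```

A single changed letter case or a different SSID produces an unrelated key, which is why a station with a near-miss passphrase fails to connect rather than connecting with weaker protection.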

Before You Change the SSID and WEP Settings

For a new wireless network, print or copy this form and fill in the settings. For an existing wireless network, the person who set up or is responsible for the network can provide this information. Be sure to set the Regulatory Domain correctly as the first step. Store this information in a safe place.

• SSID: The Service Set Identification (SSID) identifies the wireless local area network. You may customize it by using up to 32 alphanumeric characters. Write your SSID on the line.
  SSID: ___________________________________
  Note: The SSID in the wireless access point is the SSID you configure in the wireless adapter card. All wireless nodes in the same network must be configured with the same SSID.

• Authentication
  Circle one: Open System or Shared Key. Choose “Shared Key” for more security.
  Note: If you select shared key, the other devices in the network will not connect unless they are set to Shared Key and have the same keys in the same positions as those in the WG102.

• WEP Encryption Keys
  For all four 802.11b keys, choose the Key Size. Circle one: 64, 128, or 152 bits
  Key 1: ___________________________________
  Key 2: ___________________________________
  Key 3: ___________________________________
  Key 4: ___________________________________

• WPA-PSK (Pre-Shared Key)
  Record the WPA-PSK key:
  Key: ________________________________

• WPA2-PSK (Pre-Shared Key)
  Record the WPA2-PSK key:
  Key: _______________________________

• WPA RADIUS Settings
  For WPA, record the following settings for the primary and secondary RADIUS servers:
  Server Name/IP Address: Primary _________________ Secondary __________________
  Port: ___________________________________
  Shared Secret: ___________________________________

• WPA2 RADIUS Settings
  For WPA2, record the following settings for the primary and secondary RADIUS servers:
  Server Name/IP Address: Primary _________________ Secondary __________________
  Port: ___________________________________
  Shared Secret: ___________________________________

Use the procedures described in the following sections to configure the WG102.

Configuring the Radius Server Settings

You can view or change the Radius Server Settings from the Security menu. Follow the steps below:

1. Connect to the WG102 Access Point. In the address field of your Web browser, enter the default LAN address of http://192.168.0.229. Log in with the user name of admin and default password of password, or using the LAN address and password that you set up.
2. In the Security menu, click Radius Server Settings.
3. Enter the settings, and click Apply.

Figure 2-3

The Radius Server Settings are explained below:

• Authentication/Access Control Radius Server Configuration. This configuration is required for authentication using Radius. The IP Address, Port No. and Shared Secret are required for communication with the Radius Server. A Secondary Radius Server can be configured, which is used if the Primary Radius Server fails.
  – IP Address. The IP address of the Radius Server. The default is 0.0.0.0.
  – Port Number. Port number of the Radius Server. The default is 1812.
  – Shared Secret. This is shared between the Wireless Access Point and the Radius Server while authenticating the supplicant.
• Re-authentication Time. The time interval in seconds after which the supplicant will be authenticated again with the Radius Server. The default is 3600 seconds.
• Global-key Re-Key Time. Select this option to enable re-keying of the Global Key. The Global Key re-key can be based on a time interval in seconds or on the number of packets exchanged using the global key. The default is 3600 seconds.
• Update if any station disassociates. Select this option to refresh the global key when any station disassociates from the wireless Access Point.
• Accounting Radius Server Configuration. This configuration is required for accounting using the Radius Server. The IP Address, Port No. and Shared Secret are required for communication with the Radius Server. A Secondary Radius Server can be configured, which is used if the Primary Radius Server fails.
  – IP Address. The IP address of the Radius Server. The default is 0.0.0.0.
  – Port Number. Port number of the Radius Server. The default is 1813.
  – Shared Secret. This is shared between the Wireless Access Point and the Radius Server while authenticating the supplicant.

Configuring Network Authentication

Follow the steps below:

1. Connect to the WG102 Access Point. Log in at the default LAN address of http://192.168.0.229 with the user name of admin and default password of password, or using the LAN address and password that you set up.
2. If you are using Radius Server Settings, set them up first, as described in “Configuring the Radius Server Settings”.
3. Set the Network Authentication that you want to use.
   a. On the Security menu, click Security Profiles Settings.
   b. Select the profile that you want.
   c. Click Edit to view the Security Profiles Configuration menu.
   d. Choose the type of Network Authentication that you want from the list.
   e. Click Apply to save your settings.

Figure 2-4

Note: WEP can be used with Open System or Shared Key. Choose the encryption strength, and then enter the Keys as explained in “Entering WEP Data Encryption Keys”.

Note: If you use a wireless computer to configure WEP settings, you will be disconnected when you click Apply. Reconfigure your wireless adapter to match the new settings or access the wireless access point from a wired computer to make any further changes.

Entering WEP Data Encryption Keys

You can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network.

• Automatic. Enter a word or group of printable characters in the Passphrase field, and click the Generate button. The four key fields will be automatically populated with key values.
• Manual. Enter ten hexadecimal digits (any combination of 0-9, a-f, or A-F). Select which of the four keys will be the default.

See the link to the online document “Wireless Data Security Options” in Appendix 2 for a full explanation of each of these options, as defined by the IEEE 802.11 wireless communication standard.

Restricting Wireless Access by MAC Address

To restrict access based on MAC addresses, follow these steps:

1. Connect to the WG102 Access Point. Log in at the default LAN address of http://192.168.0.229 with the user name of admin and default password of password, or using the LAN address and password that you set up.

Note: When configuring the WG102 Access Point from a wireless computer whose MAC address is not in the access control list, if you select Turn Access Control On, you will lose your wireless connection when you click Apply. You must then access the wireless access point from a wired computer or from a wireless computer which is on the access control list to make any further changes.