ZyXEL ZyAIR G-2000 Plus 802.11g Wireless 4-port Router


Along with the Plus' other wireless security features (MAC address filtering and SSID broadcast disable), you have your choice of the following ways to secure your wireless LAN:

  • Static WEP
  • 802.1x and Dynamic WEP
  • 802.1x and Static WEP
  • 802.1x and no WEP
  • WPA-Enterprise

The main story of the Plus, however, is its built-in PEAP RADIUS server. PEAP stands for Protected EAP, and is one of several TLS-based (Transport Layer Security) protocols developed for use with EAP (Extensible Authentication Protocol) in wireless environments. (The IEEE 802.1x standard makes use of EAP to define an authentication framework for wireless communications.)

PEAP is a joint effort undertaken by Microsoft, Cisco, and RSA, supported on the client side by Microsoft in Windows XP, and Cisco (and compatibles) on the server side. PEAP (and other forms of EAP, which include EAP-TLS and TTLS) are important because they provide for strong encryption of ongoing traffic, secure exchange (and regular rotation) of keys, and strong authentication of user identity.

PEAP RADIUS is an implementation of PEAP that uses a RADIUS (Remote Authentication Dial-User Service) server to handle the authentication side of things, which essentially uses a challenge / response exchange with an authentication server (RADIUS) to perform that action. PEAP is a two-stage protocol, where security is established in stage by establishing a TLS tunnel and authenticating the (RADIUS) server to the client with a certificate. Client authentication exchanges then occur during stage two. The flavor of PEAP supported by the Plus uses MS-CHAP v2 for authentication and authorization.

RADIUS Server Trusted AP's

Figure 8: RADIUS Server Trusted AP's

Although the PEAP RADIUS features may sound complex, the web interface makes it easy to set those up. Basically, you set up trusted wireless access points (Figure 8) and trusted wireless users (Figure 9) using simple lists:

RADIUS Server Trusted Users

Figure 9: RADIUS Server Trusted Users

Using this feature, the system can authenticate not only individual users, but also other access points. It's easy to see how this ability could be daisy-chained together to serve users over a wide area. Unfortunately, you're limited to authenticating a maximum of 32 wireless users using the RADIUS server built into the G-2000 Plus, no matter how many access points you connect. That said, the Plus will forward authentication requests to an external IAS or RADIUS server you can designate to handle authentication requests for more users.