H3C Access Controllers
WIPS Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

Example: Configuring WIPS·· 1

Network configuration· 1

Restrictions and guidelines· 2

Procedures· 2

Configuring the AC· 2

Configuring the switch· 5

Verifying the configuration· 5

Configuration files· 6

Related documentation· 8

 

Introduction

The following information provides examples for configuring WIPS.

Prerequisites

The following information applies to Comware-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of WIPS.

Example: Configuring WIPS

Network configuration

As shown in Figure 1, AP 1 and AP 2 provide wireless services for clients through SSID service.

Enable WIPS on the sensor to take countermeasures against the rogue AP that uses the same SSID as AP 1 and AP 2.

Figure 1 Network diagram

 

Restrictions and guidelines

Use the serial ID labeled on the AP's rear panel to specify an AP.

Procedures

Configuring the AC

1.     Configure interfaces on the AC:

# Configure VLAN-interface 100 and assign it an IP address. The AC will use this IP address to establish CAPWAP tunnels with APs.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 112.12.1.25 16

[AC-Vlan-interface100] quit

# Configure VLAN-interface 200 and assign it an IP address. The AC will use VLAN 200 for client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 112.13.1.25 16

[AC-Vlan-interface200] quit

# Configure GigabitEthernet 1/0/1 that connects the AC to the switch as a trunk port.

[AC] interface gigabitethernet1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

# Remove the trunk port from VLAN 1, and assign the port to VLANs 100 and 200.

[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AC-GigabitEthernet1/0/1] quit

2.     Configure DHCP:

# Enable DHCP on the AC.

[AC] dhcp enable

# Create DHCP address pool vlan100 to assign IP addresses for APs, and specify the IP address range for the DHCP address pool.

[AC] dhcp server ip-pool vlan100

[AC-dhcp-pool-vlan100] network 112.12.0.0 mask 255.255.0.0

# Specify gateway IP address 112.12.1.25 in the DHCP address pool.

[AC-dhcp-pool-vlan100] gateway-list 112.12.1.25

[AC-dhcp-pool-vlan100] quit

# Create DHCP address pool vlan200 to assign IP addresses for clients, and specify the IP address range for the DHCP address pool.

[AC] dhcp server ip-pool vlan200

[AC-dhcp-pool-vlan200] network 112.13.0.0 mask 255.255.0.0

# Specify gateway IP address 112.13.1.25 in the DHCP address pool.

[AC-dhcp-pool-vlan200] gateway-list 112.13.1.25

# Configure the DNS server according to the actual network plan. In this example, the gateway is specified as the DNS server.

[AC-dhcp-pool-vlan200] dns-list 112.13.1.25

[AC-dhcp-pool-vlan200] quit

3.     Configure WIPS:

# Enter WIPS view.

[AC] wips

# Create AP classification rule 1 and configure the rule to match APs that use SSID service.

[AC-wips] ap-classification rule 1

[AC-wips-cls-rule-1] ssid equal service

[AC-wips-cls-rule-1] quit

# Create classification policy class1.

[AC-wips] classification policy class1

# Bind AP classification rule 1 to classification policy class1, and specify APs that match AP classification rule 1 as rogue APs.

[AC-wips-cls-class1] apply ap-classification rule 1 rogue-ap

[AC-wips-cls-class1] quit

# Create virtual security domain (VSD) vsd1, and apply classification policy class1 to the VSD.

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-1] apply classification policy class1

[AC-wips-vsd-1] quit

# Create countermeasure policy 1 and enable WIPS to take countermeasures against rogue APs.

[AC-wips] countermeasure policy 1

[AC-wips-cms-1] countermeasure rogue-ap

[AC-wips-cms-1] quit

# Apply countermeasure policy 1 to VSD vsd1.

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] apply countermeasure policy 1

[AC-wips-vsd-vsd1] quit

[AC-wips] quit

4.     Configure the APs:

 

NOTE: In large-scale networks, configure AP groups instead of single APs as a best practice.

 

# Create service template service and set its SSID to service.

[AC] wlan service-template service

[AC-wlan-st-service] ssid service

# Assign clients that come online through service template service to VLAN 200.

[AC-wlan-st-service] vlan 200

# Specify the AKM mode as PSK, and specify plaintext string 12345678 as the preshared key.

[AC-wlan-st-service] akm mode psk

[AC-wlan-st-service] preshared-key pass-phrase simple 12345678

# Specify the cipher suite as CCMP and the security IE as RSN.

[AC-wlan-st-service] cipher-suite ccmp

[AC-wlan-st-service] security-ie rsn

# Configure the AC to forward client data traffic. You can skip this step if the AC is the client traffic forwarder by default.

[AC-wlan-st-service] client forwarding-location ac

# Enable service template service.

[AC-wlan-st-service] service-template enable

[AC-wlan-st-service] quit

# Create AP ap1 and specify its model and serial ID.

[AC] wlan ap ap1 model WA6320

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T

[AC-wlan-ap-ap1] quit

# Create AP ap2 and specify its model and serial ID.

[AC] wlan ap ap2 model WA6320

[AC-wlan-ap-ap2] serial-id 219801A28N819CE0003T

[AC-wlan-ap-ap2] quit

# Create AP group group1 and add the AP to the AP group.

[AC] wlan ap-group group1

[AC-wlan-ap-group-group1] ap ap1 ap2

# Bind service template service to radio 1 in AP group group1.

[AC-wlan-ap-group-group1] ap-model WA6320

[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template service

# Enable radio 1.

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable

[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit

[AC-wlan-ap-group-group1-ap-model-WA6320] quit

[AC-wlan-ap-group-group1] quit

# Create AP sensor and specify its model and serial ID.

[AC] wlan ap sensor model WA6320

[AC-wlan-ap-sensor] serial-id 219801A28N819CE0004T

[AC-wlan-ap-sensor] quit

# Create AP group group2 and add the AP to the AP group.

[AC] wlan ap-group group2

[AC-wlan-ap-group-group2] ap sensor

# Bind service template service to radio 1 in AP group group2.

[AC-wlan-ap-group-group2] ap-model WA6320

[AC-wlan-ap-group-group2-ap-model-WA6320] radio 1

# Enable radio 1.

[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] radio enable

# Enable WIPS for the radio and add AP sensor to VSD vsd1.

[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] wips enable

[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] quit

[AC-wlan-ap-group-group2-ap-model-WA6320] quit

[AC-wlan-ap-group-group2] wips virtual-security-domain vsd1

[AC-wlan-ap-group-group2] quit

Configuring the switch

# Create VLANs 100 and 200. The switch will use VLAN 100 to forward the traffic on CAPWAP tunnels between the AC and APs, and use VLAN 200 to forward client traffic.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

[Switch] vlan 200

[Switch-vlan200] quit

# Configure GigabitEthernet 1/0/1 that connects the switch to the AC as a trunk port.

[Switch] interface gigabitethernet1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

# Remove the trunk port from VLAN 1, and assign the port to VLAN 100.

[Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100

# Configure GigabitEthernet 1/0/2 that connects the switch to AP sensor as an access port, and assign the port to VLAN 100.

[Switch] interface gigabitethernet1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE on the access port.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/3 that connects the switch to AP ap1 as an access port, and assign the port to VLAN 100.

[Switch] interface gigabitethernet1/0/3

[Switch-GigabitEthernet1/0/3] port link-type access

[Switch-GigabitEthernet1/0/3] port access vlan 100

# Enable PoE on the access port.

[Switch-GigabitEthernet1/0/3] poe enable

[Switch-GigabitEthernet1/0/3] quit

# Configure GigabitEthernet 1/0/4 that connects the switch to AP ap2 as an access port, and assign the port to VLAN 100.

[Switch] interface gigabitethernet1/0/4

[Switch-GigabitEthernet1/0/4] port link-type access

[Switch-GigabitEthernet1/0/4] port access vlan 100

# Enable PoE on the access port.

[Switch-GigabitEthernet1/0/4] poe enable

[Switch-GigabitEthernet1/0/4] quit

Verifying the configuration

1.     Verify that WIPS has classified the AP that uses SSID service as a rogue AP and the service APs as authorized APs.

<AC> display wips virtual-security-domain vsd1 device

Total 3 detected devices in virtual-security-domain vsd1

 

Class: Auth - authorization; Ext - external; Mis - mistake;

Unauth - unauthorized; Uncate - uncategorized;

(A) - associate; (C) - config; (P) - potential

 

MAC address    Type   Class    Duration    Sensors Channel Status

000f-1111-0101 AP     Auth     00h 05m 24s 1       161     Active

000f-1111-0111 AP     Auth     00h 05m 26s 1       13      Active

000f-e200-1202 AP     Rogue    00h 05m 26s 1       161     Active

2.     Verify that WIPS has taken countermeasures against the rogue AP.

<AC> display wips virtual-security-domain vsd1 countermeasure record

 

Total 1 times countermeasure, current 1 countermeasure record in virtual-security-domain vsd1

 

Class: Auth - authorization; Ext - external; Mis - mistake;

Unauth - unauthorized; Uncate - uncategorized;

(A) - associate; (C) - config; (P) - potential

 

MAC address    Type   Class    Sensor name            Radio ID   Time

000f-e200-1202 AP     Rogue    sensor                 1          2015-11-27/15:52:53

Configuration files

·     AC:

#

dhcp enable

#

vlan 100

#

vlan 200

#

dhcp server ip-pool vlan100

 gateway-list 112.12.1.25

 network 112.12.0.0 mask 255.255.0.0

#

dhcp server ip-pool vlan200

 gateway-list 112.13.1.25

 network 112.13.0.0 mask 255.255.0.0

 dns-list 112.13.1.25

#

wlan service-template service                                                  

 ssid service                                                                  

 vlan 200                                                                      

 client forwarding-location ac                                                 

 akm mode psk                                                                  

 preshared-key pass-phrase cipher $c$3$j4R+Ff8S4XNa/uaUjAgwUO5fbtdy+yVXzC+Z    

 cipher-suite ccmp                                                              

 security-ie rsn                                                               

 service-template enable

#

interface Vlan-interface100

 ip address 112.12.1.25 255.255.0.0

#

interface Vlan-interface200

 ip address 112.13.1.25 255.255.0.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 100 200

#

wlan ap-group group1                                                           

 vlan 1                                                                        

 ap ap1                                                                        

 ap ap2

 ap-model WA6320                                                               

  radio 1                                                                      

   radio enable                                                                

   service-template service                                                    

  radio 2                                                                       

  gigabitethernet 1                                                            

#

wlan ap-group group2                                                           

 vlan 1                                                                         

 ap sensor                                                                     

 wips virtual-security-domain vsd1                                             

 ap-model WA6320                                                                

  radio 1                                                                      

   radio enable                                                                

   wips enable                                                                  

  radio 2                                                                      

  gigabitethernet 1                                                            

#

wlan ap ap1 model WA6320

 serial-id 219801A2N819CE0002T

#

wlan ap ap2 model WA6320

 serial-id 219801A2N819CE0004T

#

wlan ap sensor model WA6320

 serial-id 219801A2N819CE0004T

#

wips

 #

 ap-classification rule 1

  ssid equal service

 #

 classification policy class1

  apply ap-classification rule 1 rogue-ap

 #

 countermeasure policy 1

  countermeasure rogue-ap

 #

 virtual-security-domain vsd1

  apply classification policy class1

  apply countermeasure policy 1

#

·     Switch:

#

vlan 100

#

vlan 200

#

interface GigabitEthernet1/0/1

 port link-type trunk

undo port trunk permit vlan 1

 port trunk permit vlan 100

#

interface GigabitEthernet1/0/2

 port access vlan 100

poe enable

#

interface GigabitEthernet1/0/3

 port access vlan 100

poe enable

#

interface GigabitEthernet1/0/4

 port access vlan 100

poe enable

#

Related documentation

·     WLAN Security Command Reference in H3C Access Controllers Command References

·     WLAN Security Configuration Guide in H3C Access Controllers Configuration Guides