07-WLAN Security Command Reference

H3C FAT AP Command References (R5436)-6W101

01-WLAN security commands

WLAN security commands

akm mode

Use akm mode to set an authentication and key management (AKM) mode.

Use undo akm mode to restore the default.

Syntax

akm mode { dot1x | private-psk | psk }

undo akm mode

Default

No AKM mode is set.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

dot1x: Specifies 802.1X as the AKM mode.

private-psk: Specifies private PSK as the AKM mode.

psk: Specifies PSK as the AKM mode.

Usage guidelines

You must set the AKM mode for 802.11i (RSNA) networks.

Each WLAN service template supports only one AKM mode. Set the AKM mode only when the WLAN service template is disabled.

Each of the following AKM modes must be used with a specific authentication mode:

·     802.1X AKM—802.1X authentication mode.

·     Private PSK AKM—MAC authentication mode.

·     PSK AKM—MAC or bypass authentication mode.

For more information about the authentication mode, see User Access and Authentication Configuration Guide.

Examples

# Set the PSK AKM mode.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] akm mode psk

Related commands

cipher-suite

security-ie

cipher-suite

Use cipher-suite to specify the cipher suite used for frame encryption.

Use undo cipher-suite to remove the cipher suite configuration.

Syntax

cipher-suite { ccmp | gcmp | tkip | wep40 | wep104 | wep128 }

undo cipher-suite { ccmp | gcmp | tkip | wep40 | wep104 | wep128 }

Default

No cipher suite is specified.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

ccmp: Specifies the AES-CCMP cipher suite.

gcmp: Specifies the AES-GCMP cipher suite.

tkip: Specifies the TKIP cipher suite.

wep40: Specifies the WEP40 cipher suite.

wep104: Specifies the WEP104 cipher suite.

wep128: Specifies the WEP128 cipher suite.

Usage guidelines

You must set the cipher suite for 802.11i networks. Set a cipher suite only when the WLAN service template is disabled.

Set the TKIP, GCMP, or CCMP cipher suite when you configure the RSN IE or WPA IE.

The WEP cipher suite includes three types, WEP40, WEP104, and WEP128. Each WLAN service template supports only one type of WEP cipher suite. After you set a type of WEP cipher suite, you must create and apply a key of the same type.

As a best practice to avoid client association failures, do not set WEP40 or WEP104 together with CCMP, GCMP, or TKIP.

When WEP128 is configured, you cannot set the CCMP, GCMP, or TKIP cipher suite.

Examples

# Set the TKIP cipher suite for frame encryption.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] cipher-suite tkip

Related commands

security-ie

wep key

wep key-id

enhanced-open enable

Use enhanced-open enable to enable enhanced open system authentication.

Use undo enhanced-open enable to disable enhanced open system authentication.

Syntax

enhanced-open enable

undo enhanced-open enable

Default

Enhanced open system authentication is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

Enhanced open system authentication uses Opportunistic Wireless Encryption (OWE) to negotiate keys for encrypting the data packets of OWE-capable clients, so that open system authentication gains stronger security.

Before enabling this feature, make sure the WPA3 security mode, FT, management frame protection, security IE, cipher suite, and KDF, if any, are in their default settings.

After you enable this feature, the system performs the following operations:

·     Specifies the security IE as RSN.

·     Specifies the cipher suite as CCMP.

·     Enables management frame protection.

·     Specifies the HMAC-SHA256 and HMAC-SHA384 algorithms as the KDFs.

Examples

# Enable enhanced open system authentication.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] enhanced-open enable

Related commands

enhanced-open transition-mode service-template

enhanced-open transition-mode service-template

Use enhanced-open transition-mode service-template to specify a recommended service template in transition mode.

Use undo enhanced-open transition-mode service-template to restore the default.

Syntax

enhanced-open transition-mode service-template service-template-name

undo enhanced-open transition-mode service-template

Default

No recommended service template is specified in transition mode.

Views

Service template view

Predefined user roles

network-admin

Parameters

service-template-name: Specifies the name of a service template, a case-insensitive string of 1 to 63 characters.

Usage guidelines

During the transition from open WLANs to enhanced open WLANs, WLANs of both types might exist to accommodate OWE-incapable and OWE-capable clients. In this case, if an OWE-capable client attempts to access an open WLAN or if an OWE-incapable client attempts to access an enhanced open WLAN, the corresponding AP will reject the access request.

This feature allows a client to quickly access the WLAN that matches its capability.

Configure this feature in both an open service template and an enhanced open service template, and specify them as the recommended template of each other.

Bind a service template and its recommended service template to the same radio.

Enable SSID hidden for the enhanced open service template.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify service template service2 as the recommended template for service template service1 in transition mode.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] enhanced-open transition-mode service-template service2

Related commands

beacon ssid-hide (WLAN Access Command Reference)

enhanced-open enable

gtk-rekey client-offline enable

Use gtk-rekey client-offline enable to enable offline-triggered GTK update.

Use undo gtk-rekey client-offline enable to restore the default.

Syntax

gtk-rekey client-offline enable

undo gtk-rekey client-offline enable

Default

Offline-triggered GTK update is disabled.

Views

WLAN service template view

Predefined user roles

network-admin

Usage guidelines

Enable offline-triggered GTK update only when GTK update is enabled.

Examples

# Enable offline-triggered GTK update.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] gtk-rekey client-offline enable

Related commands

gtk-rekey enable

gtk-rekey enable

Use gtk-rekey enable to enable GTK update.

Use undo gtk-rekey enable to disable GTK update.

Syntax

gtk-rekey enable

undo gtk-rekey enable

Default

GTK update is enabled.

Views

WLAN service template view

Predefined user roles

network-admin

Examples

# Enable GTK update.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] gtk-rekey enable

gtk-rekey method

Use gtk-rekey method to set a GTK update method.

Use undo gtk-rekey method to restore the default.

Syntax

gtk-rekey method { packet-based [ packet ] | time-based [ time ] }

undo gtk-rekey method

Default

The GTK is updated at an interval of 86400 seconds.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

packet-based packet: Specifies the number of packets (including multicasts and broadcasts) that are transmitted before the GTK is updated. The value range for the packet argument is 5000 to 4294967295 and the default is 10000000.

time-based time: Specifies the interval at which the GTK is updated. The value range for the time argument is 180 to 604800 seconds and the default is 86400 seconds.

Usage guidelines

Set the GTK update method only when GTK update is enabled.

The most recent configuration overwrites the previous one. For example, if you set the packet-based method and then set the time-based method, the time-based method takes effect.

If you set the GTK update method after the service template is enabled, the change takes effect as follows:

·     If you change the GTK update interval, the new interval takes effect when the old timer times out.

·     If you change the packet number threshold, the new threshold takes effect immediately.

·     If you change the GTK update method to packet-based, the new method takes effect when the timer is deleted and the packet number threshold is reached.

·     If you change the GTK update method to time-based, the configuration takes effect immediately.

Examples

# Enable time-based GTK update.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] gtk-rekey method time-based 3600

# Enable packet-based GTK update.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] gtk-rekey method packet-based 600000

Related commands

gtk-rekey enable

key-derivation

Use key-derivation to set the key derivation function (KDF).

Use undo key-derivation to restore the default.

Syntax

key-derivation { sha1 | sha1-and-sha256 | sha256 }

undo key-derivation

Default

The KDF is the HMAC-SHA1 algorithm.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

sha1: Specifies the HMAC-SHA1 algorithm as the KDF.

sha256: Specifies the HMAC-SHA256 algorithm as the KDF.

sha1-and-sha256: Specifies the HMAC-SHA1 algorithm and the HMAC-SHA256 algorithm as the KDFs.

Usage guidelines

KDFs take effect only for a network that uses the 802.11i mechanism.

The HMAC-SHA256 algorithm is recommended if mandatory management frame protection is enabled.

Make sure the service template is disabled before you execute this command.

Examples

# Configure the HMAC-SHA256 algorithm as the KDF.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] key-derivation sha256

Related commands

akm mode

cipher-suite

security-ie

pmf

Use pmf to enable management frame protection.

Use undo pmf to restore the default.

Syntax

pmf { mandatory | optional }

undo pmf

Default

Management frame protection is disabled.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

mandatory: Specifies the mandatory mode. Only clients that support management frame protection can access the WLAN.

optional: Specifies the optional mode. All clients can access the WLAN.

Usage guidelines

Management frame protection takes effect only for a network that uses the 802.11i mechanism and is configured with the CCMP cipher suite and RSN security information element.

Examples

# Enable management frame protection in optional mode.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] pmf optional

Related commands

cipher-suite

security-ie

pmf association-comeback

Use pmf association-comeback to set the association comeback time.

Use undo pmf association-comeback to restore the default.

Syntax

pmf association-comeback time

undo pmf association-comeback

Default

The association comeback time is 1 second.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

time: Specifies the association comeback time in the range of 1 to 20 seconds.

Usage guidelines

If an AP rejects the current association or reassociation request from a client, it returns an association or reassociation response that carries the association comeback time. The AP accepts a new association or reassociation request from the client only after the association comeback time expires.

Examples

# Set the association comeback time to 2 seconds.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] pmf association-comeback 2

pmf saquery retrycount

Use pmf saquery retrycount to set the maximum number of retransmission attempts for SA query requests.

Use undo pmf saquery retrycount to restore the default.

Syntax

pmf saquery retrycount count

undo pmf saquery retrycount

Default

The maximum number of retransmission attempts for SA query requests is 4.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

count: Specifies the maximum number of retransmission attempts for SA query requests, in the range of 1 to 16.

Usage guidelines

If an AP does not receive an acknowledgment for the SA query request after retransmission attempts reach the maximum number, the AP determines that the client is offline.

Examples

# Set the maximum number of retransmission attempts for SA query requests to 3.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] pmf saquery retrycount 3

Related commands

pmf

pmf saquery retrytimeout

pmf saquery retrytimeout

Use pmf saquery retrytimeout to set the interval for sending SA query requests.

Use undo pmf saquery retrytimeout to restore the default.

Syntax

pmf saquery retrytimeout timeout

undo pmf saquery retrytimeout

Default

The interval for sending SA query requests is 200 milliseconds.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

timeout: Specifies the interval for an AP to send SA query requests, in the range of 100 to 500 milliseconds.
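The association comeback time, SA query retry count, and SA query retry interval described above work together in one procedure. The following AP-side model is an added example, not H3C's code: it simulates the sequence (temporary rejection with a comeback time, SA query requests at the retry interval until one is acknowledged or the retry count is exhausted, and removal of the stale association when none is). Time is simulated in milliseconds, the client is a callback that says whether it answers a given SA query request, and the worst-case detection time formula is an assumption of this model.

```python
"""Added example, not H3C's code: an AP-side model of the management frame
protection (PMF) SA Query procedure that pmf association-comeback,
pmf saquery retrycount and pmf saquery retrytimeout tune. Time is simulated in
milliseconds; the client is a callback that says whether it answers a given
SA Query request."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class PmfTimers:
    association_comeback_s: int = 1     # CLI default, range 1 to 20 seconds
    saquery_retrycount: int = 4         # CLI default, range 1 to 16
    saquery_retrytimeout_ms: int = 200  # CLI default, range 100 to 500 ms

    def __post_init__(self):
        # Reject values the CLI would not accept.
        assert 1 <= self.association_comeback_s <= 20
        assert 1 <= self.saquery_retrycount <= 16
        assert 100 <= self.saquery_retrytimeout_ms <= 500


def sa_query(timers: PmfTimers, client_answers: Callable[[int], bool]) -> Tuple[bool, int]:
    """Send SA Query requests every retrytimeout until one is acknowledged or
    retrycount is reached. Returns (client_still_present, requests_sent)."""
    for attempt in range(1, timers.saquery_retrycount + 1):
        if client_answers(attempt):
            return True, attempt
    return False, timers.saquery_retrycount


def worst_case_offline_detection_ms(timers: PmfTimers) -> int:
    """Time until a silent client is declared offline. Assumption of this
    model: every request waits a full retrytimeout for its answer."""
    return timers.saquery_retrycount * timers.saquery_retrytimeout_ms


class ProtectedAssociation:
    """What the AP keeps for a client that already holds a PMF-protected association."""

    def __init__(self, timers: PmfTimers):
        self.timers = timers
        self.associated = True
        self.comeback_until_ms: Optional[int] = None

    def on_association_request(self, now_ms: int, client_answers: Callable[[int], bool]) -> str:
        """Handle an association or reassociation request carrying this client's MAC."""
        if not self.associated:
            self.associated = True                    # nothing to protect: accept
            return "accepted"
        if self.comeback_until_ms is not None and now_ms >= self.comeback_until_ms:
            self.comeback_until_ms = None             # comeback time expired: start over
            return self.on_association_request(now_ms, client_answers)
        if self.comeback_until_ms is None:
            # Reject temporarily, tell the client when to come back, and use
            # SA Query to check whether the existing association is still live.
            self.comeback_until_ms = now_ms + self.timers.association_comeback_s * 1000
            present, _ = sa_query(self.timers, client_answers)
            if not present:
                self.associated = False               # stale association removed
        return f"rejected; retry at {self.comeback_until_ms} ms"


if __name__ == "__main__":
    ap = ProtectedAssociation(PmfTimers())
    print(ap.on_association_request(0, lambda attempt: False))   # silent client
    print(ap.on_association_request(1000, lambda attempt: False))
    print("worst case offline detection:", worst_case_offline_detection_ms(PmfTimers()), "ms")
```

With the defaults a silent client is declared offline after 4 x 200 ms, and a client that still answers SA query requests keeps its association no matter how many bare (re)association requests arrive for its MAC address; the comeback time only bounds how soon the AP will look at the next request.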

Examples

# Set the interval for sending SA query requests to 300 milliseconds.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] pmf saquery retrytimeout 300

Related commands

pmf

pmf saquery retrycount

preshared-key

Use preshared-key to set the PSK.

Use undo preshared-key to restore the default.

Syntax

preshared-key { pass-phrase | raw-key } { cipher | simple } string

undo preshared-key

Default

No PSK is set.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

pass-phrase: Sets the PSK as a character string.

raw-key: Sets the PSK as a hexadecimal number.

cipher: Sets a key in encrypted form.

simple: Sets a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies a key string. This argument is case sensitive. Key length varies by key type:

·     pass-phrase—Its plaintext form is 8 to 63 characters. Its encrypted form is 8 to 117 characters.

·     raw-key—Its plaintext form is 64 hexadecimal digits. Its encrypted form is 8 to 117 characters.

Usage guidelines

Set the PSK only when the WLAN service template is disabled and the AKM mode is PSK. If you set the PSK when the AKM mode is 802.1X, the WLAN service template can be enabled but the PSK configuration does not take effect.

You can set only one PSK for a WLAN service template.
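The pass-phrase and raw-key forms above are two encodings of the same secret. The following is an added example, not H3C's code: it checks the length rules the string parameter states and derives the raw-key form from a pass-phrase using the IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output), which is why a raw key is exactly 64 hexadecimal digits. The function names and the "password"/"IEEE" sample are mine; the page does not state how the device maps a pass-phrase.

```python
"""Added example, not H3C's code: the two PSK forms that preshared-key accepts
and how they relate. A pass-phrase is mapped to the 256-bit PSK with the
IEEE 802.11i passphrase mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096
iterations, 32-byte output); the raw-key form is that PSK written as 64 hex
digits. The length rules below are the ones the string parameter states."""
import hashlib
import re

PASS_PHRASE_LEN = (8, 63)   # plaintext pass-phrase length accepted by the CLI
RAW_KEY_HEX_DIGITS = 64     # plaintext raw-key length accepted by the CLI


def validate_pass_phrase(pass_phrase: str) -> str:
    """Return the pass-phrase if the CLI would accept it, else raise ValueError."""
    lo, hi = PASS_PHRASE_LEN
    if not lo <= len(pass_phrase) <= hi:
        raise ValueError(f"pass-phrase must be {lo} to {hi} characters")
    return pass_phrase


def validate_raw_key(raw_key: str) -> str:
    """Return the raw key lower-cased if it is exactly 64 hex digits, else raise."""
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % RAW_KEY_HEX_DIGITS, raw_key):
        raise ValueError(f"raw-key must be exactly {RAW_KEY_HEX_DIGITS} hexadecimal digits")
    return raw_key.lower()


def pass_phrase_to_raw_key(pass_phrase: str, ssid: str) -> str:
    """Derive the raw-key (PMK) equivalent to pass-phrase on the network named ssid."""
    validate_pass_phrase(pass_phrase)
    pmk = hashlib.pbkdf2_hmac("sha1", pass_phrase.encode(), ssid.encode(), 4096, dklen=32)
    return validate_raw_key(pmk.hex())


def same_psk(pass_phrase: str, ssid: str, raw_key: str) -> bool:
    """True if a template using raw-key admits the same clients as one using pass-phrase."""
    return pass_phrase_to_raw_key(pass_phrase, ssid) == validate_raw_key(raw_key)


if __name__ == "__main__":
    # "password" on SSID "IEEE" is the mapping test vector published with 802.11i.
    print(pass_phrase_to_raw_key("password", "IEEE"))
```

Two practical consequences follow from the derivation: the raw key is bound to the SSID, so a template whose SSID changes needs a re-derived raw key, and the whole PMK depends on nothing but the pass-phrase and the SSID, which is why a guessable pass-phrase and the AP-side rate limit in wlan password-failure-limit both matter.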

Examples

# Configure simple character string 12345678 as the PSK.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] akm mode psk

[Sysname-wlan-st-security] preshared-key pass-phrase simple 12345678

Related commands

akm mode

ptk-lifetime

Use ptk-lifetime to set the PTK lifetime.

Use undo ptk-lifetime to restore the default.

Syntax

ptk-lifetime time

undo ptk-lifetime

Default

The PTK lifetime is 43200 seconds.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

time: Specifies the PTK lifetime, in the range of 180 to 604800 seconds.

Usage guidelines

If you configure the PTK lifetime when the service template is enabled, the configuration takes effect after the old timer times out.

Examples

# Set the PTK lifetime to 200 seconds.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] ptk-lifetime 200

ptk-rekey enable

Use ptk-rekey enable to enable PTK update.

Use undo ptk-rekey enable to disable PTK update.

Syntax

ptk-rekey enable

undo ptk-rekey enable

Default

PTK update is enabled.

Views

WLAN service template view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to update the PTK after the PTK lifetime expires.

Examples

# Enable PTK update.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] ptk-rekey enable

Related commands

ptk-lifetime

security-ie

Use security-ie to enable the OSEN IE, RSN IE, or WPA IE in beacon and probe responses.

Use undo security-ie to disable the OSEN IE, RSN IE, or WPA IE in beacon and probe responses.

Syntax

security-ie { rsn | wpa }

undo security-ie { rsn | wpa }

Default

RSN IE and WPA IE are disabled.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

rsn: Enables the RSN IE in the beacon and probe response frames sent by the AP. The RSN IE advertises the RSN capabilities of the AP.

wpa: Enables the WPA IE in the beacon and probe response frames sent by the AP. The WPA IE advertises the WPA capabilities of the AP.

Usage guidelines

You must set the security IE for 802.11i networks. Set a security IE only when the WLAN service template is disabled and the CCMP or TKIP cipher suite is configured.

Examples

# Enable the RSN IE in beacon and probe responses.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] security-ie rsn

Related commands

akm mode

cipher-suite

snmp-agent trap enable wlan usersec

Use snmp-agent trap enable wlan usersec to enable SNMP notifications for WLAN security.

Use undo snmp-agent trap enable wlan usersec to disable SNMP notifications for WLAN security.

Syntax

snmp-agent trap enable wlan usersec

undo snmp-agent trap enable wlan usersec

Default

SNMP notifications are disabled for WLAN security.

Views

System view

Predefined user roles

network-admin

Usage guidelines

To report critical WLAN security events to an NMS, enable SNMP notifications for WLAN security. For WLAN security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable SNMP notifications for WLAN security.

<Sysname> system-view

[Sysname] snmp-agent trap enable wlan usersec

tkip-cm-time

Use tkip-cm-time to set the TKIP MIC failure hold time.

Use undo tkip-cm-time to restore the default.

Syntax

tkip-cm-time time

undo tkip-cm-time

Default

The TKIP MIC failure hold time is 0 seconds. The AP does not take any countermeasures.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

time: Sets the TKIP MIC failure hold time in the range of 0 to 3600 seconds.

Usage guidelines

Set the TKIP MIC failure hold time only when the TKIP cipher suite is configured.

If you configure the MIC failure hold time when the service template is enabled, the configuration takes effect after the old timer times out.

If the AP detects two MIC failures within the MIC failure hold time, it disassociates all clients for 60 seconds.

Examples

# Set the TKIP MIC failure hold time to 180 seconds.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] tkip-cm-time 180

Related commands

cipher-suite

wep key

Use wep key to set a WEP key.

Use undo wep key to delete the configured WEP key.

Syntax

wep key key-id { wep40 | wep104 | wep128 } { pass-phrase | raw-key } { cipher | simple } string

undo wep key key-id

Default

No WEP key is set.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

key-id: Sets the key ID in the range of 1 to 4.

wep40: Sets the WEP40 key.

wep104: Sets the WEP104 key.

wep128: Sets the WEP128 key.

pass-phrase: Sets the WEP key as a character string.

raw-key: Sets the WEP key as a hexadecimal number.

cipher: Sets a key in encrypted form.

simple: Sets a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies a key string. This argument is case sensitive. The encrypted key length is in the range of 37 to 73 characters. The plaintext key length varies by key type:

·     wep40 pass-phrase—Its plaintext form is 5 characters.

·     wep104 pass-phrase—Its plaintext form is 13 characters.

·     wep128 pass-phrase—Its plaintext form is 16 characters.

·     wep40 raw-key—Its plaintext form is 10 hexadecimal digits.

·     wep104 raw-key—Its plaintext form is 26 hexadecimal digits.

·     wep128 raw-key—Its plaintext form is 32 hexadecimal digits.

Usage guidelines

Set a WEP key only when the WLAN service template is disabled and the cipher suite WEP is configured. You can set a maximum of four WEP keys.

Examples

# Configure the cipher suite WEP40 and configure plain text 12345 as WEP key 1.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] cipher-suite wep40

[Sysname-wlan-st-security] wep key 1 wep40 pass-phrase simple 12345

Related commands

cipher-suite

wep key-id

wep key-id

Use wep key-id to apply a WEP key.

Use undo wep key-id to restore the default.

Syntax

wep key-id { 1 | 2 | 3 | 4 }

undo wep key-id

Default

Key 1 is applied.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

1: Specifies the WEP key whose ID is 1.

2: Specifies the WEP key whose ID is 2.

3: Specifies the WEP key whose ID is 3.

4: Specifies the WEP key whose ID is 4.

Usage guidelines

Apply a WEP key only when the WLAN service template is disabled.

In the 802.11i mechanism, key 1 is the negotiated key. To apply a WEP key, specify a WEP key whose ID is not 1.

You can only apply an existing WEP key.

Examples

# Configure the cipher suite WEP40, configure plain text 12345 as WEP key 1, and apply WEP key 1.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] cipher-suite wep40

[Sysname-wlan-st-security] wep key 1 wep40 pass-phrase simple 12345

[Sysname-wlan-st-security] wep key-id 1

Related commands

wep key

wep mode dynamic

Use wep mode dynamic to enable the dynamic WEP mechanism.

Use undo wep mode dynamic to disable the dynamic WEP mechanism.

Syntax

wep mode dynamic

undo wep mode dynamic

Default

The dynamic WEP mechanism is disabled.

Views

WLAN service template view

Predefined user roles

network-admin

Usage guidelines

Enable the dynamic WEP mechanism only when the WLAN service template is disabled.

The dynamic WEP mechanism requires 802.1X authentication for user access authentication.

Do not apply WEP key 4 if the dynamic WEP mechanism is enabled.

Examples

# Enable the dynamic WEP mechanism.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] wep mode dynamic

Related commands

cipher-suite

client-security authentication-mode (User Access and Authentication Command Reference)

wep key

wep key-id

wlan password-failure-limit enable

Use wlan password-failure-limit enable to enable password failure limit.

Use undo wlan password-failure-limit enable to disable password failure limit.

Syntax

wlan password-failure-limit enable [ detection-period detection-period ] [ failure-threshold failure-threshold ]

undo wlan password-failure-limit enable

Default

Password failure limit is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

detection-period detection-period: Specifies the detection period in the range of 5 to 600 seconds. The default value is 100.

failure-threshold failure-threshold: Specifies the failure threshold in the range of 1 to 100. The default value is 20.

Usage guidelines

This feature enables the system to add a client to the dynamic blacklist if the number of the client's password failures reaches the failure threshold within the detection period. For more information about the dynamic blacklist, see WLAN Access Configuration Guide.

When you configure this feature, follow these restrictions and guidelines:

·     This feature takes effect only when the AKM mode is PSK or private PSK.

·     This feature takes effect only on clients coming online after the feature is enabled.

·     The system restarts failure calculation if the STAMGR process restarts.

·     This feature does not take effect on APs coming online from a subordinate AC in an IRF fabric.
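The window-and-threshold rule above is easy to misread (the count is per client and only failures inside the detection period count). The following replay is an added example, not H3C's code: it applies the rule to constructed failure events, with the CLI defaults and ranges as constants. How the AP decides that an event is a "password failure" is outside this model, and the choice that a failure exactly detection-period seconds old no longer counts is an assumption.

```python
"""Added example, not H3C's code: the rule that wlan password-failure-limit
describes, replayed over constructed PSK failure events. A client whose
failures reach failure-threshold within detection-period seconds is added to
the dynamic blacklist. This model implements only the window and threshold."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

DEFAULT_DETECTION_PERIOD = 100   # seconds, CLI default, range 5 to 600
DEFAULT_FAILURE_THRESHOLD = 20   # CLI default, range 1 to 100


class PasswordFailureLimiter:
    def __init__(self, detection_period: int = DEFAULT_DETECTION_PERIOD,
                 failure_threshold: int = DEFAULT_FAILURE_THRESHOLD):
        if not 5 <= detection_period <= 600:
            raise ValueError("detection-period must be 5 to 600 seconds")
        if not 1 <= failure_threshold <= 100:
            raise ValueError("failure-threshold must be 1 to 100")
        self.period = detection_period
        self.threshold = failure_threshold
        self._window: Dict[str, Deque[float]] = defaultdict(deque)  # MAC -> failure times
        self.blacklist: Dict[str, float] = {}                        # MAC -> time listed

    def record_failure(self, mac: str, ts: float) -> bool:
        """Count one password failure; return True if it blacklists the client."""
        if mac in self.blacklist:
            return False
        window = self._window[mac]
        window.append(ts)
        # Keep only failures younger than the detection period (assumption: a
        # failure exactly detection-period seconds old no longer counts).
        while ts - window[0] >= self.period:
            window.popleft()
        if len(window) >= self.threshold:
            self.blacklist[mac] = ts
            del self._window[mac]
            return True
        return False

    def process_restart(self) -> None:
        """The page notes that failure counting restarts with the STAMGR process."""
        self._window.clear()


def replay(events: Iterable[Tuple[float, str]], detection_period: int,
           failure_threshold: int) -> List[Tuple[str, float]]:
    """Feed (timestamp, MAC) failure events in time order; return blacklist hits."""
    limiter = PasswordFailureLimiter(detection_period, failure_threshold)
    hits = []
    for ts, mac in sorted(events):
        if limiter.record_failure(mac, ts):
            hits.append((mac, ts))
    return hits


# Constructed events: client A fails three times within 10 s; client B's first
# two failures age out of the window before its burst at 20..22 s.
SAMPLE_EVENTS = [
    (0, "aa:aa:aa:aa:aa:01"), (4, "aa:aa:aa:aa:aa:01"), (8, "aa:aa:aa:aa:aa:01"),
    (0, "bb:bb:bb:bb:bb:02"), (4, "bb:bb:bb:bb:bb:02"),
    (20, "bb:bb:bb:bb:bb:02"), (21, "bb:bb:bb:bb:bb:02"), (22, "bb:bb:bb:bb:bb:02"),
]

if __name__ == "__main__":
    for mac, ts in replay(SAMPLE_EVENTS, detection_period=10, failure_threshold=3):
        print(f"{ts:>5}s  blacklisted {mac}")
```

With the CLI defaults (100 seconds, 20 failures) the same sample events blacklist nobody, which is the trade-off the two parameters set: a short period with a low threshold reacts to a burst of wrong passphrases sooner but also catches a client with a stale saved profile that retries in a loop.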

Examples

# Enable password failure limit, set the detection period to 300 seconds, and set the failure threshold to 50.

<Sysname> system-view

[Sysname] wlan password-failure-limit enable detection-period 300 failure-threshold 50

wpa3

Use wpa3 to enable WPA3 and set the WPA3 security mode.

Use undo wpa3 to disable WPA3.

Syntax

wpa3 { enterprise | personal { mandatory | optional } }

undo wpa3

Default

WPA3 is disabled.

Views

Service template view

Predefined user roles

network-admin

Parameters

enterprise: Specifies WPA3-Enterprise.

personal: Specifies WPA3-SAE.

mandatory: Specifies the mandatory security mode. In this mode, clients that do not support WPA3 cannot access the WLAN.

optional: Specifies the optional security mode. In this mode, clients that do not support WPA3 can access the WLAN.

Usage guidelines

To use WPA3-Enterprise, set the cipher suite to GCMP, and the security IE to RSN.

To use WPA3-SAE, set the cipher suite to CCMP, and the security IE to RSN.

As a best practice, enable management frame protection if you specify a WPA3 security mode.
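The dependencies between the commands in this reference (akm mode, cipher-suite, security-ie, pmf, key-derivation, preshared-key, wep key and wep key-id, wep mode dynamic, tkip-cm-time, and the WPA3 requirements just above) are spread over many usage guidelines. The following lint is an added example, not H3C's code: it models a service template as a small data structure and checks it against those stated dependencies before the template is enabled. The template model, the rule wording, and the three constructed templates are mine; the authentication-mode pairing for each AKM mode lives in another guide and is not modelled.

```python
"""Added example, not H3C's code: a lint for a WLAN service template that
encodes the dependencies this reference states for akm mode, cipher-suite,
security-ie, pmf, key-derivation, preshared-key, wep key / wep key-id,
wep mode dynamic, tkip-cm-time and wpa3. The template model is mine."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

WEP = {"wep40", "wep104", "wep128"}
NON_WEP = {"ccmp", "gcmp", "tkip"}


@dataclass
class ServiceTemplate:
    name: str
    akm: Optional[str] = None                           # dot1x | private-psk | psk
    ciphers: Set[str] = field(default_factory=set)      # cipher-suite keywords
    security_ie: Set[str] = field(default_factory=set)  # rsn | wpa
    pmf: Optional[str] = None                           # mandatory | optional
    kdf: str = "sha1"                                   # sha1 | sha256 | sha1-and-sha256
    psk_set: bool = False                               # preshared-key configured
    wpa3: Optional[str] = None                          # enterprise | personal
    wep_keys: Dict[int, str] = field(default_factory=dict)  # key-id -> WEP type
    wep_key_id: int = 1                                 # wep key-id (default 1)
    dynamic_wep: bool = False                           # wep mode dynamic
    tkip_cm_time: int = 0                               # tkip-cm-time, 0 = off


def lint(t: ServiceTemplate) -> List[str]:
    """Return ERROR/WARN findings in check order; an empty list means clean."""
    out = []
    wep, non_wep = t.ciphers & WEP, t.ciphers & NON_WEP
    if len(wep) > 1:
        out.append("ERROR: only one WEP type is supported per service template")
    if "wep128" in wep and non_wep:
        out.append("ERROR: WEP128 cannot be set together with CCMP, GCMP or TKIP")
    elif wep and non_wep:
        out.append("WARN: WEP40/WEP104 with CCMP, GCMP or TKIP causes association failures")
    for w in sorted(wep):
        if w not in t.wep_keys.values():
            out.append(f"ERROR: cipher-suite {w} is set but no {w} key has been created")
    if t.security_ie and not non_wep:
        out.append("ERROR: a security IE needs the CCMP, GCMP or TKIP cipher suite")
    if t.security_ie and t.akm is None:
        out.append("ERROR: an 802.11i (RSNA) network needs an AKM mode")
    if t.pmf and not ("ccmp" in t.ciphers and "rsn" in t.security_ie):
        out.append("ERROR: pmf takes effect only with CCMP and the RSN IE")
    if t.pmf == "mandatory" and "sha256" not in t.kdf:
        out.append("WARN: HMAC-SHA256 KDF is recommended with mandatory pmf")
    if t.psk_set and t.akm == "dot1x":
        out.append("WARN: preshared-key has no effect when the AKM mode is 802.1X")
    if t.wpa3 == "enterprise" and not ("gcmp" in t.ciphers and "rsn" in t.security_ie):
        out.append("ERROR: WPA3-Enterprise needs cipher-suite gcmp and security-ie rsn")
    if t.wpa3 == "personal" and not ("ccmp" in t.ciphers and "rsn" in t.security_ie):
        out.append("ERROR: WPA3-SAE needs cipher-suite ccmp and security-ie rsn")
    if t.wpa3 and not t.pmf:
        out.append("WARN: enable management frame protection with a WPA3 security mode")
    if wep and t.wep_key_id not in t.wep_keys:
        out.append(f"ERROR: wep key-id {t.wep_key_id} refers to a key that does not exist")
    if t.dynamic_wep and t.wep_key_id == 4:
        out.append("ERROR: do not apply WEP key 4 when dynamic WEP is enabled")
    if t.tkip_cm_time and "tkip" not in t.ciphers:
        out.append("ERROR: tkip-cm-time requires the TKIP cipher suite")
    return out


# Constructed templates: one that satisfies every rule and two that do not.
WPA2_PSK_PMF = ServiceTemplate("office", akm="psk", ciphers={"ccmp"}, security_ie={"rsn"},
                               pmf="mandatory", kdf="sha256", psk_set=True)
WPA3_MISSET = ServiceTemplate("wpa3", akm="dot1x", ciphers={"ccmp"}, security_ie={"rsn"},
                              wpa3="enterprise", psk_set=True)
LEGACY_WEP = ServiceTemplate("legacy", akm="psk", ciphers={"wep128", "tkip"}, security_ie={"wpa"},
                             wep_keys={2: "wep128"}, wep_key_id=1, tkip_cm_time=180)

if __name__ == "__main__":
    for tpl in (WPA2_PSK_PMF, WPA3_MISSET, LEGACY_WEP):
        print(tpl.name, lint(tpl) or ["clean"])
```

Running the lint before wlan service-template is enabled is the useful moment: every command it checks can only be issued while the template is disabled, so a finding caught here is a reconfiguration rather than a service interruption.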

Examples

# Enable WPA3-SAE (personal mode) in mandatory security mode.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] wpa3 personal mandatory

Related commands

cipher-suite

security-ie