02-WLAN

HomeSupportResource CenterH3C Access Controllers Command References(E5208P03 E5215P01 R5215P01)-6W10202-WLAN
05-WLAN authentication commands
Title Size Download
05-WLAN authentication commands 92.09 KB

WLAN authentication commands

This chapter describes WLAN-specific authentication commands. For more information about 802.1X and MAC authentication commands, see Security Command Reference.

client-security authentication fail-vlan

Use client-security authentication fail-vlan to configure an Auth-Fail VLAN for a service template.

Use undo client-security authentication fail-vlan to restore the default.

Syntax

client-security authentication fail-vlan vlan-id

undo client-security authentication fail-vlan

Default

No Auth-Fail VLAN is configured for a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

vlan-id: Specifies the ID of the Auth-Fail VLAN, in the range of 1 to 4094. Make sure the VLAN has been created.

Usage guidelines

A WLAN Auth-Fail VLAN accommodates clients that have failed WLAN authentication because of the failure to comply with the organization security strategy. For example, the VLAN accommodates clients that have entered wrong passwords. The Auth-Fail VLAN does not accommodate WLAN clients that have failed authentication for authentication timeouts or network connection problems.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure VLAN 10 as the Auth-Fail VLAN on service template 1.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] client-security authentication fail-vlan 10

client-security authentication-location

Use client-security authentication-location to specify the authenticator for WLAN clients.

Use undo client-security authentication-location to restore the default.

Syntax

client-security authentication-location { ac | ap }

undo client-security authentication-location

Default

The AC acts as the authenticator to authenticate WLAN clients.

Views

Service template view

Predefined user roles

network-admin

Parameters

ac: Specifies the AC as the authenticator.

ap: Specifies the AP as the authenticator.

Usage guidelines

You cannot specify the AP as the authenticator if the AC is configured to forward client data traffic (by using the client forwarding-location command). For information about the client forwarding-location command, see "WLAN access commands."

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure the AC as the authenticator for WLAN clients on service template s1.

<Sysname> system-view

[Sysname] wlan service-template s1

[Sysname-wlan-st-s1] client-security authentication-location ac

Related commands

client forwarding-location

client-security authentication-mode

Use client-security authentication-mode to set the authentication mode for WLAN clients.

Use undo client-security authentication-mode to restore the default.

Syntax

client-security authentication-mode { dot1x | dot1x-then-mac | mac | mac-then-dot1x | oui-then-dot1x }

undo client-security authentication-mode

Default

The WLAN authentication mode is Bypass. The device does not perform authentication for WLAN clients.

Views

Service template view

Predefined user roles

network-admin

Parameters

dot1x: Performs 802.1X authentication only.

dot1x-then-mac: Performs 802.1X authentication first, and then MAC authentication. If the client passes 802.1X authentication, MAC authentication is not performed.

mac: Performs MAC authentication only.

mac-then-dot1x: Performs MAC authentication first, and then 802.1X authentication. If the client passes MAC authentication, 802.1X authentication is not performed.

oui-then-dot1x: Performs OUI authentication first, and then 802.1X authentication. If the client passes OUI authentication, 802.1X authentication is not performed.

Usage guidelines

A service template allows access of multiple authenticated clients in any authentication mode. To set the maximum number of 802.1X clients, use the dot1x max-user command. To set the maximum number of MAC authentication clients, use the mac-authentication max-user command.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Set the authentication mode to mac for WLAN clients on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security authentication-mode mac

client-security authorization-fail offline

Use client-security authorization-fail offline to enable the authorization-fail-offline feature.

Use undo client-security authorization-fail offline to disable the authorization-fail-offline feature.

Syntax

client-security authorization-fail offline

undo client-security authorization-fail offline

Default

The authorization-fail-offline feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

The authorization-fail-offline feature logs off WLAN clients that fail ACL or user profile authorization.

A WLAN client fails ACL or user profile authorization in the following situations:

·     The device or server fails to authorize the specified ACL or user profile to the client.

·     The authorized ACL or user profile does not exist.

If this feature is disabled, the device does not log off WLAN clients that fail ACL or user profile authorization. However, the device outputs logs to report the failure.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the authorization-fail-offline feature for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security authorization-fail offline

client-security ignore-authentication

Use client-security ignore-authentication to configure the device to ignore the 802.1X or MAC authentication failures.

Use undo client-security ignore-authentication to restore the default.

Syntax

client-security ignore-authentication

undo client-security ignore-authentication

Default

The device does not ignore the authentication failures for wireless clients that perform 802.1X authentication or perform RADIUS-based MAC authentication.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This command applies to the following clients:

·     Clients that perform 802.1X authentication.

This command enables the device to ignore the 802.1X authentication failures and allow clients that have failed 802.1X authentication to come online.

·     Clients that perform both RADIUS-based MAC authentication and portal authentication.

Typically, a client must pass MAC authentication and portal authentication in turn to access network resources. The client provides username and password each time portal authentication is performed.

This command simplifies the authentication process for a client as follows:

¡     If the RADIUS server already records the client's MAC authentication information, the client passes MAC authentication. The device allows the client to access network resources without performing portal authentication.

¡     If the RADIUS server does not record the client's MAC authentication information, the client fails MAC authentication. The device ignores the MAC authentication failures and performs portal authentication for the client. If the client passes portal authentication, it can access network resources. The MAC address of the portal authenticated client will be recorded as MAC authentication information on the RADIUS server. At the next authentication attempt, the client will pass MAC authentication and access network resources without performing portal authentication.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

For RSN + 802.1X clients to roam to a new AP, do not use this command.

Examples

# Configure the device to ignore 802.1X or MAC authentication failures on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security ignore-authentication

client-security ignore-authorization

Use client-security ignore-authorization to configure the device to ignore the authorization information received from the authentication server (a RADIUS server or the local device).

Use undo client-security ignore-authorization to restore the default.

Syntax

client-security ignore-authorization

undo client-security ignore-authorization

Default

The device uses the authorization information from the server.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

After a client passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the device to use these authorization attributes for clients, configure this command to ignore the authorization information from the server.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure the device to ignore the authorization information from the authentication server for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security ignore-authorization

client-security intrusion-protection action

Use client-security intrusion-protection action to configure the intrusion protection action that the device takes when intrusion protection detects illegal frames.

Use undo client-security intrusion-protection action to restore the default.

Syntax

client-security intrusion-protection action { service-stop | temporary-block | temporary-service-stop }

undo client-security intrusion-protection action

Default

The intrusion protection action is temporary-block.

Views

Service template view

Predefined user roles

network-admin

Parameters

service-stop: Stops the BSS where an illegal frame is received until the BSS is enabled manually on the radio interface.

temporary-block: Adds the source MAC address of an illegal frame to the blocked MAC address list for a period. To set the period, use the client-security intrusion-protection timer temporary-block command.

temporary-service-stop: Stops the BSS where an illegal frame is received for a period. To set the period, use the client-security intrusion-protection timer temporary-service-stop command.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

For this command to take effect, you must also use the client-security intrusion-protection enable command to enable the intrusion protection feature.

Examples

# Configure the device to stop the BSS where intrusion protection detects illegal frames for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security intrusion-protection enable

[Sysname-wlan-st-service1] client-security intrusion-protection action service-stop

Related commands

·     client-security intrusion-protection enable

·     client-security intrusion-protection timer temporary-block

·     client-security intrusion-protection timer temporary-service-stop

client-security intrusion-protection enable

Use client-security intrusion-protection enable to enable the intrusion protection feature.

Use undo client-security intrusion-protection enable to disable the intrusion protection feature.

Syntax

client-security intrusion-protection enable

undo client-security intrusion-protection enable

Default

The intrusion protection feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

When the device receives an association request from an illegal client, the device takes the predefined protection action on the BSS where the request is received. A client is illegal if its MAC address fails WLAN authentication. To set the protection action, use the client-security intrusion-protection action command.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the intrusion protection feature for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security intrusion-protection enable

Related commands

client-security intrusion-protection action

client-security intrusion-protection timer temporary-block

Use client-security intrusion-protection timer temporary-block to set the period during which a MAC address is blocked by intrusion protection.

Use undo client-security intrusion-protection timer temporary-block to restore the default.

Syntax

client-security intrusion-protection timer temporary-block time

undo client-security intrusion-protection timer temporary-block

Default

An illegal MAC address is blocked for 180 seconds.

Views

Service template view

Predefined user roles

network-admin

Parameters

time: Sets the period during which a MAC address is blocked. The value range is 60 to 300 seconds.

Usage guidelines

This command takes effect only when the intrusion protection action is temporary-block.

If you change the blocking period after the service template is enabled, the new setting takes effect on the subsequent detected illegal packets.

Examples

# Configure service template service1 to block illegal MAC addresses for 120 seconds.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security intrusion-protection enable

[Sysname-wlan-st-service1] client-security intrusion-protection action temporary-block

[Sysname-wlan-st-service1] client-security intrusion-protection timer temporary-block 120

Related commands

·     client-security intrusion-protection action

·     client-security intrusion-protection enable

client-security intrusion-protection timer temporary-service-stop

Use client-security intrusion-protection timer temporary-service-stop to set the BSS silence period for intrusion protection.

Use undo client-security intrusion-protection timer temporary-service-stop to restore the default.

Syntax

client-security intrusion-protection timer temporary-service-stop time

undo client-security intrusion-protection timer temporary-service-stop

Default

The BSS silence period is 20 seconds.

Views

Service template view

Predefined user roles

network-admin

Parameters

time: Sets the period during which a BSS is disabled. The value range is 10 to 300 seconds.

Usage guidelines

This command takes effect only when the intrusion protection action is temporary-service-stop.

If you change the BSS silence period after the service template is enabled, the new setting takes effect on the subsequent detected illegal packets.

Examples

# Set the BSS silence period to 30 seconds for intrusion protection on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security intrusion-protection enable

[Sysname-wlan-st-service1] client-security intrusion-protection action temporary-service-stop

[Sysname-wlan-st-service1] client-security intrusion-protection timer temporary-service-stop 30

Related commands

·     client-security intrusion-protection action

·     client-security intrusion-protection enable

display wlan client-security block-mac

Use display wlan client-security block-mac to display blocked MAC address information for WLAN clients.

Syntax

display wlan client-security block-mac [ ap ap-name [ radio radio-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and minus signs (-). If you do not specify this option, the command displays information about all blocked MAC addresses.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify this option, the command displays blocked MAC address information for all radios on the specified AP.

Usage guidelines

A MAC address that fails authentication is added to the blocked MAC address list when the intrusion protection action is temporary-block.

Examples

# Display information about all blocked MAC addresses.

<Sysname> display wlan client-security block-mac

MAC address         AP ID       RADIO ID     BSSID

0002-0002-0002      1           1            00ab-0de1-0001

000d-88f8-0577      1           1            0ef1-0001-02c1

 

Total entries: 2

Table 1 Command output

Field

Description

MAC address

Blocked MAC address, in the format of H-H-H.

AP ID

AP ID of the blocked MAC address.

RADIO ID

Radio ID of the blocked MAC address.

BSSID

BSS ID of the blocked MAC address, in the format of H-H-H.

Total entries

Number of blocked MAC addresses.

 

Related commands:

·     client-security intrusion-protection action

·     client-security intrusion-protection timer temporary-block

dot1x domain

Use dot1x domain to specify an authentication domain for 802.1X clients on a service template.

Use undo dot1x domain to restore the default.

Syntax

dot1x domain domain-name

undo dot1x domain

Default

No authentication domain is specified for 802.1X clients on a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

802.1X chooses an authentication domain for WLAN clients in the following order:

1.     Authentication domain specified on the service template.

2.     Domain specified by username.

3.     Default authentication domain.

Examples

# Specify domain my-domain as the authentication domain for 802.1X clients on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x domain my-domain

dot1x eap

Use dot1x eap to specify an EAP mode for 802.1X authentication.

Use undo dot1x eap to restore the default.

Syntax

dot1x eap { extended | standard }

undo dot1x eap

Default

The EAP mode is standard.

Views

Service template view

Predefined user roles

network-admin

Parameters

extended: Specifies the extended EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the proprietary EAP protocol.

standard: Specifies the standard EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the standard EAP protocol.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

When you configure this command, specify the extended keyword for iNode clients and the standard keyword for other clients.

This command is required only when an IMC server is used as the RADIUS server.

Examples

# Set the EAP mode for 802.1X authentication to extended on service template 1.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] dot1x eap extended

dot1x handshake enable

Use dot1x handshake enable to enable the 802.1X online user handshake feature.

Use undo dot1x handshake enable to disable the 802.1X online user handshake feature.

Syntax

dot1x handshake enable

undo dot1x handshake enable

Default

The 802.1X online user handshake feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

The online user handshake feature checks the connection status of online 802.1X clients by periodically sending handshake messages to the clients. The device sets a client to the offline state if it does not receive responses from the client after making the maximum handshake attempts within the handshake timer. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the online user handshake feature for 802.1X clients on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x handshake enable

Related commands

·     dot1x handshake secure enable

·     dot1x retry (Security Command Reference)

·     dot1x timer handshake-period (Security Command Reference)

dot1x handshake secure enable

Use dot1x handshake secure enable to enable the 802.1X online user handshake security feature.

Use undo dot1x handshake secure enable to disable the 802.1X online user handshake security feature.

Syntax

dot1x handshake secure enable

undo dot1x handshake secure enable

Default

The online user handshake security feature is disabled for 802.1X clients.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

For the online user handshake security feature to take effect, you must enable online user handshake.

The online user handshake security feature protects only authenticated online 802.1X clients.

Examples

# Enable the online user handshake security feature for 802.1X clients on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x handshake enable

[Sysname-wlan-st-service1] dot1x handshake secure enable

Related commands

dot1x handshake enable

dot1x max-user

Use dot1x max-user to set the maximum number of concurrent 802.1X clients on a service template.

Use undo dot1x max-user to restore the default.

Syntax

dot1x max-user count

undo dot1x max-user

Default

A maximum of 4096 concurrent 802.1X clients are allowed on a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

count: Sets the maximum number of concurrent 802.1X clients. The value range is 1 to 4096.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

When the maximum number is reached, the service template denies subsequent 802.1X clients.

Examples

# Set the maximum number of concurrent 802.1X clients to 32 on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x max-user 500

dot1x re-authenticate enable

Use dot1x re-authenticate enable to enable the 802.1X periodic online user reauthentication feature on a service template.

Use undo dot1x re-authenticate enable to disable the feature on a service template.

Syntax

dot1x re-authenticate enable

undo dot1x re-authenticate enable

Default

The 802.1X periodic online user reauthentication feature is disabled on a service template.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Periodic reauthentication enables the device to periodically authenticate online 802.1X clients on a service template. This feature checks the connection status of online clients and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile.

You can use the dot1x timer reauth-period command to configure the interval for reauthentication.

The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) together can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).

·     If the termination action is Default (logoff), periodic online user reauthentication on the template takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.

·     If the termination action is Radius-request, the periodic online user reauthentication configuration on the template does not take effect. The device reauthenticates the online 802.1X clients after the session timeout timer expires.

Examples

# Enable the 802.1X periodic online user reauthentication feature on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x re-authenticate enable

Related commands

dot1x timer (Security Command Reference)

mac-authentication domain

Use mac-authentication domain to specify an authentication domain for MAC authentication clients on a service template.

Use undo mac-authentication domain to restore the default.

Syntax

mac-authentication domain domain-name

undo mac-authentication domain

Default

No authentication domain is specified for MAC authentication clients on a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

MAC authentication chooses an authentication domain for WLAN clients in the following order:

1.     Authentication domain specified on the service template.

2.     Global authentication domain specified in system view.

3.     Default authentication domain.

Examples

# Specify the domain my-domain as the authentication domain for MAC authentication clients on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] mac-authentication domain my-domain

mac-authentication max-user

Use mac-authentication max-user to set the maximum number of concurrent MAC authentication clients on a service template.

Use undo mac-authentication max-user to restore the default.

Syntax

mac-authentication max-user count

undo mac-authentication max-user

Default

A maximum of 4096 concurrent MAC authentication clients are allowed on a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

count: Sets the maximum number of concurrent MAC authentication clients. The value range for this argument is 1 to 4096.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

When the maximum number is reached, the service template denies subsequent MAC authentication clients.

Examples

# Configure service template service1 to support a maximum of 32 concurrent MAC authentication clients.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] mac-authentication max-user 32

port-security oui

Use port-security oui to configure an OUI value for OUI authentication.

Use undo port-security oui to delete the OUI value with the specified OUI index.

Syntax

port-security oui index index-value mac-address oui-value

undo port-security oui index index-value

Default

No OUI values are configured.

Views

System view

Predefined user roles

network-admin

Parameters

index-value: Sets the OUI index in the range of 1 to 16.

oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.

Usage guidelines

You can configure a maximum of 16 OUI values.

An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command when you configure a device to allow packets from certain wireless devices to initiate authentication. For example, when a company allows only IP phones of vendor A in the Intranet, use this command to specify the OUI of vendor A.

The OUI values configured by using this command apply only when the authentication mode is oui-or-dot1x. A port in oui-or-dot1x mode permits frames from one 802.1X authenticated user and one user whose MAC address contains a specific OUI.

Examples

# Configure an OUI value of 000d2a, and set the index to 4.

<Sysname> system-view

[Sysname] port-security oui index 4 mac-address 000d-2a10-003