H3C Access Controllers Command References(E5208P03 E5215P01 R5215P01)-6W102

02-WLAN

06-WIPS commands

Contents

WIPS commands

ap-channel-change

ap-classification rule

ap-flood

ap-impersonation

apply ap-classification rule

apply classification policy

apply countermeasure policy

apply detect policy

apply signature policy

apply signature rule

ap-rate-limit

ap-spoofing

ap-timer

association-table-overflow

authentication

block mac-address

classification policy

client-online

client-proximity-sensor ap-timer

client-proximity-sensor ap-udp-server

client-proximity-sensor client-timer

client-proximity-sensor coordinates

client-proximity-sensor enable

client-proximity-sensor filter-list

client-proximity-sensor random-mac-report enable

client-proximity-sensor report-ac

client-proximity-sensor report-ac-interval

client-proximity-sensor report-ap enable

client-proximity-sensor rssi-change-threshold

client-proximity-sensor rssi-threshold

client-proximity-sensor rt-report enable

client-proximity-sensor server

client-proximity-sensor udp-server

client-rate-limit

client-spoofing

client-timer

countermeasure adhoc

countermeasure attack all

countermeasure attack deauth-broadcast

countermeasure attack disassoc-broadcast

countermeasure attack honeypot-ap

countermeasure attack hotspot-attack

countermeasure attack ht-40-mhz-intolerance

countermeasure attack malformed-packet

countermeasure attack man-in-the-middle

countermeasure attack omerta

countermeasure attack power-save

countermeasure attack soft-ap

countermeasure attack unencrypted-trust-client

countermeasure attack weak-iv

countermeasure attack windows-bridge

countermeasure external-ap

countermeasure mac-address

countermeasure misassociation-client

countermeasure misconfigured-ap

countermeasure policy

countermeasure potential-authorized-ap

countermeasure potential-external-ap

countermeasure potential-rogue-ap

countermeasure rogue-ap

countermeasure unauthorized-client

countermeasure uncategorized-ap

countermeasure uncategorized-client

deauthentication-broadcast

detect policy

detect signature

disassociation-broadcast

discovered-ap

display client-proximity-sensor device

display client-proximity-sensor sensor

display client-proximity-sensor statistics receive

display wips sensor

display wips statistics

display wips virtual-security-domain countermeasure record

display wips virtual-security-domain device

display wlan nat-detect

flood association-request

flood authentication

flood beacon

flood block-ack

flood cts

flood deauthentication

flood disassociation

flood eap-failure

flood eapol-logoff

flood eapol-start

flood eap-success

flood null-data

flood probe-request

flood reassociation-request

flood rts

frame-type

honeypot-ap

hotspot-attack

ht-40mhz-intolerance

ht-greenfield

ignorelist

import hotspot

import oui

invalid-oui-classify illegal

mac-address

malformed duplicated-ie

malformed fata-jack

malformed illegal-ibss-ess

malformed invalid-address-combination

malformed invalid-assoc-req

malformed invalid-auth

malformed invalid-deauth-code

malformed invalid-disassoc-code

malformed invalid-ht-ie

malformed invalid-ie-length

malformed invalid-pkt-length

malformed large-duration

malformed null-probe-resp

malformed overflow-eapol-key

malformed overflow-ssid

malformed redundant-ie

man-in-the-middle

manual-classify mac-address

omerta

oui

pattern

permit-channel

power-save

prohibited-channel

reset client-proximity-sensor device

reset client-proximity-sensor statistics

reset wips statistics

reset wips virtual-security-domain

reset wips virtual-security-domain countermeasure record

reset wlan nat-detect

rssi

security

select sensor all

seq-number

signature policy

signature rule

soft-ap

ssid (AP classification rule view)

ssid (signature view)

ssid-length

trust mac-address

trust oui

trust ssid

unencrypted-authorized-ap

unencrypted-trust-client

up-duration

virtual-security-domain

weak-iv

windows-bridge

wips

wips enable

wips virtual-security-domain

wireless-bridge

wlan nat-detect


WIPS commands

ap-channel-change

Use ap-channel-change to configure channel change detection.

Use undo ap-channel-change to disable channel change detection.

Syntax

ap-channel-change [ quiet quiet-value ]

undo ap-channel-change

Default

Channel change detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a channel change. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a channel change within the quiet time.

Examples

# Enable channel change detection and set the quiet time to 5 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-channel-change quiet 5

ap-classification rule

Use ap-classification rule to create an AP classification rule and enter its view. If the AP classification rule already exists, the command enters AP classification rule view.

Use undo ap-classification rule to remove an AP classification rule.

Syntax

ap-classification rule rule-id

undo ap-classification rule rule-id

Default

No AP classification rule is created.

Views

WIPS view

Predefined user roles

network-admin

Parameters

rule-id: Specifies an AP classification rule by its ID in the range of 1 to 65535.

Examples

# Create AP classification rule 1 and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

ap-flood

Use ap-flood to configure AP flood attack detection.

Use undo ap-flood to disable AP flood attack detection.

Syntax

ap-flood [ apnum apnum-value | exceed exceed-value | quiet quiet-value ] *

undo ap-flood

Default

AP flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

apnum apnum-value: Specifies the AP number threshold in the range of 10 to 200. The default AP number threshold is 80.

exceed exceed-value: Specifies the maximum number of excessive APs allowed. The value range for the exceed-value argument is 10 to 200 and the default value is 80. If the number of APs exceeds the sum of the AP number threshold and the maximum number of excessive APs allowed, WIPS triggers an AP flood attack alarm.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an AP flood attack within the quiet time.

Examples

# Enable AP flood attack detection, and set the apnum-value, exceed-value, and quiet-value arguments to 50, 50, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-flood apnum 50 exceed 50 quiet 100
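
The threshold and quiet-time behaviour described for ap-flood, modelled in Python as an added example (not H3C code). The class, the replay helper and the sample timeline are constructed; the model assumes the quiet time starts when an alarm is raised and that detections inside it are dropped silently.

```python
from dataclasses import dataclass, field


@dataclass
class ApFloodDetector:
    """Model of the documented ap-flood parameters (illustrative, not vendor code)."""
    apnum: int = 80     # default AP number threshold
    exceed: int = 80    # default maximum number of excessive APs allowed
    quiet: int = 600    # default quiet time, in seconds
    _quiet_until: float = field(default=float("-inf"), repr=False)

    def __post_init__(self):
        # Value ranges as documented for the ap-flood command.
        if not 10 <= self.apnum <= 200:
            raise ValueError("apnum must be in 10..200")
        if not 10 <= self.exceed <= 200:
            raise ValueError("exceed must be in 10..200")
        if not 5 <= self.quiet <= 604800:
            raise ValueError("quiet must be in 5..604800 seconds")

    @property
    def trigger_level(self) -> int:
        # The alarm needs MORE than apnum + exceed APs, not apnum alone.
        return self.apnum + self.exceed

    def observe(self, t: float, ap_count: int) -> str:
        """Classify one sample as 'ok', 'alarm' or 'suppressed'."""
        if ap_count <= self.trigger_level:
            return "ok"
        if t < self._quiet_until:
            # Still an attack condition, but no alarm reaches the operator.
            return "suppressed"
        self._quiet_until = t + self.quiet
        return "alarm"


def replay(detector, samples):
    """Run (time, ap_count) samples through a detector, in order."""
    return [(t, n, detector.observe(t, n)) for t, n in samples]


# Constructed timeline: (seconds since start, number of APs the sensors see).
SAMPLES = [(0, 90), (30, 100), (60, 101), (90, 150),
           (150, 180), (170, 120), (200, 95)]

if __name__ == "__main__":
    # Values from the example above: ap-flood apnum 50 exceed 50 quiet 100
    for row in replay(ApFloodDetector(apnum=50, exceed=50, quiet=100), SAMPLES):
        print(row)
    # Defaults (80 + 80, quiet 600): only the 180-AP sample alarms.
    for row in replay(ApFloodDetector(), SAMPLES):
        print(row)
```

With the example values, the samples at 90 and 150 seconds are above the trigger level but produce no alarm, which is the visibility gap a long quiet time trades for less alarm noise.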

ap-impersonation

Use ap-impersonation to configure AP impersonation attack detection.

Use undo ap-impersonation to restore the default.

Syntax

ap-impersonation [ quiet quiet-value ]

undo ap-impersonation

Default

AP impersonation attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP impersonation attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an AP impersonation attack within the quiet time.

Examples

# Enable AP impersonation attack detection, and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-impersonation quiet 360

apply ap-classification rule

Use apply ap-classification rule to bind an AP classification rule to a classification policy.

Use undo apply ap-classification rule to restore the default.

Syntax

apply ap-classification rule rule-id { authorized-ap | { { external-ap | misconfigured-ap | rogue-ap } [ severity-level level ] } }

undo apply ap-classification rule rule-id

Default

No AP classification rule is bound to a classification policy.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies an AP classification rule by its ID in the range of 1 to 65535.

authorized-ap: Specifies APs that match the AP classification rule as authorized APs.

external-ap: Specifies APs that match the AP classification rule as external APs.

misconfigured-ap: Specifies APs that match the AP classification rule as misconfigured APs.

rogue-ap: Specifies APs that match the AP classification rule as rogue APs.

level: Specifies a severity level for the AP that matches the AP classification rule, in the range of 1 to 100. The default severity level is 50.

Examples

# Bind AP classification rule 1 to the classification policy home, specify APs that match AP classification rule 1 as rogue APs, and set the severity level to 80.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] apply ap-classification rule 1 rogue-ap severity-level 80

Related commands

ap-classification rule

apply classification policy

Use apply classification policy to apply a classification policy to a virtual security domain (VSD).

Use undo apply classification policy to remove a classification policy from a VSD.

Syntax

apply classification policy policy-name

undo apply classification policy policy-name

Default

No classification policy is applied to a VSD.

Views

VSD view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a classification policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Apply the classification policy policy1 to the VSD home.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] virtual-security-domain home

[Sysname-wips-vsd-home] apply classification policy policy1

apply countermeasure policy

Use apply countermeasure policy to apply a countermeasure policy to a VSD.

Use undo apply countermeasure policy to remove a countermeasure policy from a VSD.

Syntax

apply countermeasure policy policy-name

undo apply countermeasure policy policy-name

Default

No countermeasure policy is applied to a VSD.

Views

VSD view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a countermeasure policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Apply the countermeasure policy policy2 to the VSD home.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] virtual-security-domain home

[Sysname-wips-vsd-home] apply countermeasure policy policy2

apply detect policy

Use apply detect policy to apply an attack detection policy to a VSD.

Use undo apply detect policy to remove an attack detection policy from a VSD.

Syntax

apply detect policy policy-name

undo apply detect policy policy-name

Default

No attack detection policy is applied to a VSD.

Views

VSD view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack detection policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Apply the attack detection policy policy2 to the VSD home.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] virtual-security-domain home

[Sysname-wips-vsd-home] apply detect policy policy2

apply signature policy

Use apply signature policy to apply a signature policy to a VSD.

Use undo apply signature policy to restore the default.

Syntax

apply signature policy policy-name

undo apply signature policy policy-name

Default

No signature policy is applied to a VSD.

Views

VSD view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a signature policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Apply the signature policy policy1 to the VSD home.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] virtual-security-domain home

[Sysname-wips-vsd-home] apply signature policy policy1

apply signature rule

Use apply signature rule to bind a signature to a signature policy.

Use undo apply signature rule to restore the default.

Syntax

apply signature rule rule-id

undo apply signature rule rule-id

Default

No signature is bound to a signature policy.

Views

Signature policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a signature by its ID in the range of 1 to 65535.

Examples

# Bind signature 1 to the signature policy office.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature policy office

[Sysname-wips-sig-office] apply signature rule 1

ap-rate-limit

Use ap-rate-limit to rate limit AP entry learning.

Use undo ap-rate-limit to restore the default.

Syntax

ap-rate-limit [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo ap-rate-limit

Default

The statistics collection interval for learned AP entries is 60 seconds, the quiet time is 1200 seconds, and the AP entry threshold is 64.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for learned AP entries, in the range of 1 to 3600 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP entry attack. The value range for the quiet-value argument is 1200 to 3600 seconds. WIPS does not trigger an alarm even if it detects an AP entry attack and stops learning new entries within the quiet time.

threshold threshold-value: Specifies the number of AP entries that triggers an AP entry attack alarm. The value range for the threshold-value argument is 1 to 4096.

Examples

# Rate limit AP entry learning.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-rate-limit interval 60 quiet 1600 threshold 100

ap-spoofing

Use ap-spoofing to enable AP spoofing attack detection.

Use undo ap-spoofing to disable AP spoofing attack detection.

Syntax

ap-spoofing [ quiet quiet-value ]

undo ap-spoofing

Default

AP spoofing attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP spoofing attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an AP spoofing attack within the quiet time.

Examples

# Enable AP spoofing attack detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-spoofing quiet 360

ap-timer

Use ap-timer to set the AP entry timer.

Use undo ap-timer to restore the default.

Syntax

ap-timer [ inactive inactive-value aging aging-value ]

undo ap-timer

Default

The inactive time is 300 seconds, and the aging time is 600 seconds.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

inactive inactive-value: Specifies the inactive time in the range of 60 to 1200 seconds. When an AP neither receives nor sends frames within the specified inactive time, WIPS sets the AP to inactive state.

aging aging-value: Specifies the aging time for an AP entry, in the range of 120 to 86400 seconds. When an AP neither receives nor sends frames within the specified aging time, WIPS deletes the entry. The aging time must be greater than the inactive time.

Examples

# Set the inactive time to 120 seconds, and set the aging time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-timer inactive 120 aging 360

association-table-overflow

Use association-table-overflow to configure association/reassociation DoS attack detection.

Use undo association-table-overflow to disable association/reassociation DoS attack detection.

Syntax

association-table-overflow [ quiet quiet-value ]

undo association-table-overflow

Default

Association/reassociation DoS attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an association/reassociation DoS attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an association/reassociation DoS attack within the quiet time.

Examples

# Enable association/reassociation DoS attack detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] association-table-overflow quiet 100
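
A pre-deployment check for the attack detection policy commands documented above (ap-channel-change, ap-flood, ap-impersonation, ap-rate-limit, ap-spoofing, ap-timer, association-table-overflow), as an added Python example rather than an H3C tool. The function names and the sample session are constructed; the value ranges and the aging-greater-than-inactive rule are the ones stated in the Parameters sections.

```python
import re

# command -> {keyword: (min, max)}, copied from the Parameters sections above.
RULES = {
    "ap-channel-change": {"quiet": (5, 604800)},
    "ap-flood": {"apnum": (10, 200), "exceed": (10, 200), "quiet": (5, 604800)},
    "ap-impersonation": {"quiet": (5, 604800)},
    "ap-rate-limit": {"interval": (1, 3600), "quiet": (1200, 3600),
                      "threshold": (1, 4096)},
    "ap-spoofing": {"quiet": (5, 604800)},
    "ap-timer": {"inactive": (60, 1200), "aging": (120, 86400)},
    "association-table-overflow": {"quiet": (5, 604800)},
}
# Strips a leading "<Sysname>" or "[Sysname-wips-dtc-home]" prompt, if present.
PROMPT = re.compile(r"^\s*[<\[][^>\]]*[>\]]\s*")


def lint_line(line):
    """Return the problems found in one CLI line (empty list if none)."""
    words = PROMPT.sub("", line).split()
    if not words or words[0] not in RULES:
        return []  # blank line, undo form, or a command not covered here
    cmd, args = words[0], words[1:]
    if len(args) % 2:
        return [f"{cmd}: keyword without a value"]
    problems, values = [], {}
    for key, raw in zip(args[0::2], args[1::2]):
        if key not in RULES[cmd]:
            problems.append(f"{cmd}: unknown keyword '{key}'")
        elif key in values:
            problems.append(f"{cmd}: keyword '{key}' repeated")
        elif not re.fullmatch(r"[0-9]+", raw):
            problems.append(f"{cmd}: {key} value '{raw}' is not a number")
        else:
            lo, hi = RULES[cmd][key]
            values[key] = int(raw)
            if not lo <= values[key] <= hi:
                problems.append(f"{cmd}: {key} {raw} outside {lo}..{hi}")
    if cmd == "ap-timer" and args:
        # Syntax is ap-timer [ inactive inactive-value aging aging-value ].
        if args[0::2] != ["inactive", "aging"]:
            problems.append("ap-timer: inactive and aging must be given "
                            "together, in that order")
        elif len(values) == 2 and values["aging"] <= values["inactive"]:
            problems.append("ap-timer: aging must be greater than inactive")
    return problems


def lint(config_text):
    """Return (line number, problem) pairs for a pasted session or template."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        findings += [(number, p) for p in lint_line(line)]
    return findings


# Constructed session; lines 6 to 8 break a documented constraint on purpose.
SAMPLE = """\
<Sysname> system-view
[Sysname] wips
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] ap-channel-change quiet 5
[Sysname-wips-dtc-home] ap-flood apnum 50 exceed 50 quiet 100
[Sysname-wips-dtc-home] ap-rate-limit interval 60 quiet 600 threshold 100
[Sysname-wips-dtc-home] ap-timer inactive 600 aging 300
[Sysname-wips-dtc-home] ap-spoofing quiet 3
[Sysname-wips-dtc-home] undo ap-impersonation
"""

if __name__ == "__main__":
    for number, problem in lint(SAMPLE):
        print(f"line {number}: {problem}")
```

The ap-rate-limit finding shows the one command in this group whose quiet time has a different range (1200 to 3600 seconds), so a value copied from another detection command is rejected.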

authentication

Use authentication to configure an AP classification rule to match the authentication mode of APs.

Use undo authentication to restore the default.

Syntax

authentication { equal | include } { 802.1x | none | other | psk }

undo authentication

Default

An AP classification rule does not match the authentication mode of APs.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

equal: Matches authentication modes equal to the specified authentication mode.

include: Matches authentication modes that include the specified authentication mode.

802.1x: Specifies the 802.1X authentication mode.

none: Specifies no authentication.

other: Specifies an authentication mode other than 802.1X and PSK.

psk: Specifies the PSK authentication mode.

Examples

# Configure AP classification rule 1 to match APs that use the PSK authentication mode.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] authentication equal psk

block mac-address

Use block mac-address to add the MAC address of an AP or client to the static prohibited device list.

Use undo block mac-address to remove one or all MAC addresses from the static prohibited device list.

Syntax

block mac-address mac-address

undo block mac-address { mac-address | all }

Default

No MAC address is added to the static prohibited device list.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

mac-address: Specifies an AP or client by its MAC address, in the H-H-H format.

all: Specifies all MAC addresses.

Examples

# Add the MAC address 78AC-C0AF-944F to the static prohibited device list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] block mac-address 78AC-C0AF-944F

classification policy

Use classification policy to create a classification policy and enter its view.

Use undo classification policy to remove a classification policy.

Syntax

classification policy policy-name

undo classification policy policy-name

Default

No classification policy is created.

Views

WIPS view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a classification policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Create the classification policy home and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home]

client-online

Use client-online to configure an AP classification rule to match the number of associated clients for APs.

Use undo client-online to restore the default.

Syntax

client-online value1 [ to value2 ]

undo client-online

Default

An AP classification rule does not match the number of associated clients for APs.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

value1 to value2: Specifies a value range for the number of associated clients for APs. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 128 for both the value1 and value2 arguments, and value2 must be greater than value1.

Examples

# Configure AP classification rule 1 to match APs that are associated with 20 to 40 clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] client-online 20 to 40

client-proximity-sensor ap-timer

Use client-proximity-sensor ap-timer to set the AP entry timers.

Use undo client-proximity-sensor ap-timer to restore the default.

Syntax

client-proximity-sensor ap-timer inactive inactive-value aging aging-value

undo client-proximity-sensor ap-timer

Default

The inactive time and aging time for AP entries are 300 seconds and 600 seconds, respectively.

Views

System view

Predefined user roles

network-admin

Parameters

inactive inactive-value: Specifies the inactive time in the range of 60 to 1200 seconds.

aging aging-value: Specifies the aging time in the range of 120 to 86400 seconds.

Examples

# Set the inactive time and aging time for AP entries to 120 seconds and 360 seconds, respectively.

<Sysname> system-view

[Sysname] client-proximity-sensor ap-timer inactive 120 aging 360

client-proximity-sensor ap-udp-server

Use client-proximity-sensor ap-udp-server to specify a UDP server to which APs send device information.

Use undo client-proximity-sensor ap-udp-server to restore the default.

Syntax

client-proximity-sensor ap-udp-server ip-address port port-number [ interval interval | preshared-key { cipher | simple } string ] *

undo client-proximity-sensor ap-udp-server

Default

No UDP server is specified.

Views

AP view

AP group view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address of the UDP server.

port port-number: Specifies the port number of the UDP server, in the range of 1 to 65534.

interval interval: Specifies the interval at which APs send device information to the UDP server, in the range of 1 to 600 seconds. The default interval is 30 seconds.

preshared-key: Specifies a preshared key.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 8 to 63 characters. Its encrypted form is a case-sensitive string of 41 to 117 characters.

Examples

# Specify the UDP server with IP address 10.152.3.209 and port number 443 for APs to send device information.

<Sysname> system-view

[Sysname] wlan ap ap1 model WA4320i-ACN

[Sysname-wlan-ap-ap1] client-proximity-sensor ap-udp-server 10.152.3.209 port 443

# Specify the UDP server with IP address 10.152.3.103 and port number 1234 for APs to send device information.

<Sysname> system-view

[Sysname] wlan ap-group group1

[Sysname-wlan-ap-group-group1] client-proximity-sensor ap-udp-server 10.152.3.103 port 1234

client-proximity-sensor client-timer

Use client-proximity-sensor client-timer to set the client entry timers.

Use undo client-proximity-sensor client-timer to restore the default.

Syntax

client-proximity-sensor client-timer inactive inactive-value aging aging-value

undo client-proximity-sensor client-timer

Default

The inactive time and aging time for client entries are 300 seconds and 600 seconds, respectively.

Views

System view

Predefined user roles

network-admin

Parameters

inactive inactive-value: Specifies the inactive time in the range of 60 to 1200 seconds.

aging aging-value: Specifies the aging time in the range of 120 to 86400 seconds.

Examples

# Set the inactive time and aging time for client entries to 120 seconds and 360 seconds, respectively.

<Sysname> system-view

[Sysname] client-proximity-sensor client-timer inactive 120 aging 360

client-proximity-sensor coordinates

Use client-proximity-sensor coordinates to set the longitude and latitude of an AP for client probing.

Use undo client-proximity-sensor coordinates to remove the configuration.

Syntax

client-proximity-sensor coordinates longitude longitude-value latitude latitude-value

undo client-proximity-sensor coordinates

Default

The longitude and latitude of an AP are not set for client probing.

Views

AP view

Predefined user roles

network-admin

Parameters

longitude longitude-value: Specifies the longitude of the AP, in XXX-XX-XX.X format. The value ranges for XXX and XX are 0 to 180 and 0 to 60, respectively. The value of .X can be e or w and is case insensitive.

latitude latitude-value: Specifies the latitude of the AP, in XXX-XX-XX.X format. The value ranges for XXX and XX are 0 to 90 and 0 to 60, respectively. The value of .X can be s or n and is case insensitive.

Usage guidelines

After you configure the longitude and latitude for an AP, the AP sends the longitude and latitude information together with the collected wireless device information to the specified server.

Examples

# Set the longitude and latitude for AP ap1 to 123-40-40.e and 80-30-30.n, respectively.

<Sysname> system-view

[Sysname] wlan ap ap1 model WA4320i-ACN

[Sysname-wlan-ap-ap1] client-proximity-sensor coordinates longitude 123-40-40.e latitude 80-30-30.n

client-proximity-sensor enable

Use client-proximity-sensor enable to enable client probing.

Use undo client-proximity-sensor enable to disable client probing.

Syntax

client-proximity-sensor enable

undo client-proximity-sensor enable

Default

Client probing is disabled.

Views

Radio view

AP group radio view

Predefined user roles

network-admin

Examples

# Enable client probing for the AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1 model WA4320i-AGN

[Sysname-wlan-ap-ap1] radio 1

[Sysname-wlan-ap-ap1-radio-1] client-proximity-sensor enable

client-proximity-sensor filter-list

Use client-proximity-sensor filter-list to configure a MAC address list for client probing to filter client MAC addresses.

Use undo client-proximity-sensor filter-list to remove the configuration.

Syntax

client-proximity-sensor filter-list list

undo client-proximity-sensor filter-list { list | all }

Default

No MAC address list is configured for client probing to filter client MAC addresses.

Views

System view

Predefined user roles

network-admin

Parameters

list: Adds a MAC address or a class of MAC addresses in H-H-H format to the MAC address list. For example, if you specify 0400-0000-0000, you add MAC addresses whose third bit in the first byte is 1 to the MAC address list.

all: Specifies all MAC addresses.

Examples

# Configure a MAC address list for client probing to filter client MAC addresses whose third bit in the first byte is 1.

<Sysname> system-view

[Sysname] client-proximity-sensor filter-list 0400-0000-0000

client-proximity-sensor random-mac-report enable

Use client-proximity-sensor random-mac-report enable to enable APs to send information about Apple terminals that use a random MAC address to the server.

Use undo client-proximity-sensor random-mac-report enable to restore the default.

Syntax

client-proximity-sensor random-mac-report enable

undo client-proximity-sensor random-mac-report enable

Default

APs do not send information about Apple terminals that use a random MAC address to the server.

Views

System view

Predefined user roles

network-admin

Usage guidelines

An Apple terminal might send probe requests by using a random MAC address whose second bit in the first byte is 1. If the MAC address is reported to the server, WIPS might trigger a false alarm for detecting a rogue device or a non-existent wireless terminal.

Examples

# Enable APs to send information about Apple terminals that use a random MAC address to the server.

<Sysname> system-view

[Sysname] client-proximity-sensor random-mac-report enable
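
The bit positions that client-proximity-sensor filter-list and random-mac-report refer to, worked through in Python as an added example (not H3C code). Function names and the sample addresses are constructed, apart from 78AC-C0AF-944F, which is taken from the block mac-address example; treating a filter-list entry as a bit mask is an assumption generalised from the page's 0400-0000-0000 example.

```python
import re

H_H_H = re.compile(r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}")


def parse_mac(text):
    """Convert an H-H-H MAC address (e.g. 78AC-C0AF-944F) to a 48-bit integer."""
    if not H_H_H.fullmatch(text):
        raise ValueError(f"not in H-H-H format: {text!r}")
    return int(text.replace("-", ""), 16)


def first_byte_bit(mac, n):
    """Bit n of the first byte, counting from 1 at the least significant bit.

    This is the numbering under which 0400-0000-0000 (first byte 0x04)
    is 'the third bit in the first byte'.
    """
    first_byte = parse_mac(mac) >> 40
    return (first_byte >> (n - 1)) & 1


def is_random_mac(mac):
    # Second bit of the first byte (0x02) is the locally administered bit,
    # which randomised probe-request addresses have set.
    return first_byte_bit(mac, 2) == 1


def matches_filter(mac, entry):
    # ASSUMPTION: an entry is a bit mask, and a MAC matches when every bit
    # set in the entry is also set in the MAC.
    mask = parse_mac(entry)
    return parse_mac(mac) & mask == mask


def triage(macs, filter_entries=()):
    """Split reported MACs into filter-list matches, random and global."""
    result = {"listed": [], "random": [], "global": []}
    for mac in macs:
        if any(matches_filter(mac, entry) for entry in filter_entries):
            result["listed"].append(mac)
        elif is_random_mac(mac):
            result["random"].append(mac)
        else:
            result["global"].append(mac)
    return result


# Sample sensor output (the last three addresses are constructed).
SAMPLE = ["78AC-C0AF-944F",   # first byte 0x78: bits 2 and 3 clear
          "DA12-3456-789A",   # first byte 0xDA: bit 2 set
          "0600-0000-0001",   # first byte 0x06: bits 2 and 3 set
          "3C22-FB00-0001"]   # first byte 0x3C: bit 3 set

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(SAMPLE, ["0400-0000-0000"]))
```

Separating the locally administered addresses before review keeps randomised probe sources from being read as distinct rogue devices, which is the false alarm the usage guidelines describe.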

client-proximity-sensor report-ac

Use client-proximity-sensor report-ac enable to enable APs to send information about the detected devices to the AC.

Use undo client-proximity-sensor report-ac enable to restore the default.

Syntax

client-proximity-sensor report-ac enable

undo client-proximity-sensor report-ac enable

Default

APs do not send information about the detected devices to the AC.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command consumes AC resources.

Examples

# Enable APs to send information about the detected devices to the AC.

<Sysname> system-view

[Sysname] client-proximity-sensor report-ac enable

client-proximity-sensor report-ac-interval

Use client-proximity-sensor report-ac-interval to set the interval for APs to send device information to the AC.

Use undo client-proximity-sensor report-ac-interval to restore the default.

Syntax

client-proximity-sensor report-ac-interval interval

undo client-proximity-sensor report-ac-interval

Default

The interval for APs to send device information to the AC is 3000 milliseconds.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval for APs to send device information to the AC, in the range of 100 to 60000 milliseconds.

Examples

# Set the interval for APs to send device information to the AC to 2000 milliseconds.

<Sysname> system-view

[Sysname] client-proximity-sensor report-ac-interval 2000

client-proximity-sensor report-ap enable

Use client-proximity-sensor report-ap enable to enable APs to send detected AP information to the UDP server.

Use undo client-proximity-sensor report-ap enable to restore the default.

Syntax

client-proximity-sensor report-ap enable

undo client-proximity-sensor report-ap enable

Default

APs do not send detected AP information to the UDP server.

Views

System view

Predefined user roles

network-admin

Examples

# Enable APs to send detected AP information to the UDP server.

<Sysname> system-view

[Sysname] client-proximity-sensor report-ap enable

client-proximity-sensor rssi-change-threshold

Use client-proximity-sensor rssi-change-threshold to set the RSSI variation threshold.

Use undo client-proximity-sensor rssi-change-threshold to restore the default.

Syntax

client-proximity-sensor rssi-change-threshold threshold-value

undo client-proximity-sensor rssi-change-threshold

Default

The RSSI variation threshold is 100.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the RSSI variation threshold in the range of 1 to 100.

Usage guidelines

An AP sends information about a device to the AC only when the device meets either of the following conditions:

·     The device is detected by the AP for the first time.

·     The RSSI variation of the device reaches the specified threshold.

Examples

# Set the RSSI variation threshold to 50.

<Sysname> system-view

[Sysname] client-proximity-sensor rssi-change-threshold 50

client-proximity-sensor rssi-threshold

Use client-proximity-sensor rssi-threshold to set the RSSI threshold for client probing.

Use undo client-proximity-sensor rssi-threshold to remove the configuration.

Syntax

client-proximity-sensor rssi-threshold { ap ap-rssi-value | client client-rssi-value }

undo client-proximity-sensor rssi-threshold { ap | client }

Default

The RSSI threshold for client probing is not set.

Views

System view

Predefined user roles

network-admin

Parameters

ap ap-rssi-value: Specifies the RSSI threshold for APs, in the range of 1 to 100.

client client-rssi-value: Specifies the RSSI threshold for clients, in the range of 1 to 100.

Usage guidelines

After you configure this command, an AP enabled with client probing does not detect APs or clients with a signal strength lower than the specified RSSI threshold.

Examples

# Set the RSSI threshold for APs to 30.

<Sysname> system-view

[Sysname] client-proximity-sensor rssi-threshold ap 30

client-proximity-sensor rt-report enable

Use client-proximity-sensor rt-report enable to enable fast wireless device information reporting.

Use undo client-proximity-sensor rt-report enable to restore the default.

Syntax

client-proximity-sensor rt-report enable

undo client-proximity-sensor rt-report enable

Default

Fast wireless device information reporting is disabled and APs send detected wireless device information to the server at the interval specified by the client-proximity-sensor ap-udp-server command.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables APs to send wireless device information to the server immediately after obtaining the information.

Examples

# Enable fast wireless device information reporting.

<Sysname> system-view

[Sysname] client-proximity-sensor rt-report enable

client-proximity-sensor server

Use client-proximity-sensor server to specify an HTTPS server for client probing.

Use undo client-proximity-sensor server to delete an HTTPS server for client probing.

Syntax

client-proximity-sensor server string [ window-time window-time-value | partner partner-value ] *

undo client-proximity-sensor server

Default

No HTTPS server is specified.

Views

System view

Predefined user roles

network-admin

Parameters

string: Specifies an HTTPS server by its address, a case-sensitive string of 8 to 127 characters. The address must start with https://.

window-time window-time-value: Specifies the window time in the range of 10 to 60 seconds. The default window time is 30 seconds.

partner partner-value: Specifies the partner flag value. The default partner flag value is 11.

Examples

# Specify the HTTPS server with the address https://10.152.3.209:443/xxx/yy for client probing.

[Sysname] client-proximity-sensor server https://10.152.3.209:443/xxx/yy

client-proximity-sensor udp-server

Use client-proximity-sensor udp-server to specify a UDP server for client probing.

Use undo client-proximity-sensor udp-server to delete the UDP server for client probing.

Syntax

client-proximity-sensor udp-server ip-address port port-number [ interval interval | preshared-key [ cipher | simple ] key-string ] *

undo client-proximity-sensor udp-server

Default

No UDP server is specified.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address of the UDP server.

port port-number: Specifies the port number of the UDP server, in the range of 1 to 65534.

interval interval: Specifies the interval at which APs send device information to the UDP server, in the range of 1 to 600 seconds. The default interval is 30 seconds.

preshared-key: Specifies a preshared key.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form.

key-string: Specifies the key. Its plaintext form is a case-sensitive string of 8 to 63 characters. Its encrypted form is a case-sensitive string of 41 to 117 characters.

Examples

# Specify the UDP server with IP address 10.152.3.209 and port number 443 for client probing.

<Sysname> system-view

[Sysname] client-proximity-sensor udp-server 10.152.3.209 port 443

client-rate-limit

Use client-rate-limit to rate limit client entry learning.

Use undo client-rate-limit to restore the default.

Syntax

client-rate-limit [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo client-rate-limit

Default

The statistics collection interval for learned client entries is 60 seconds, the quiet time is 1200 seconds, and the client entry threshold is 512.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for learned client entries, in the range of 1 to 3600 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a client entry attack. The value range for the quiet-value argument is 1200 to 3600 seconds. WIPS does not trigger an alarm even if it detects a client entry attack and stops learning new entries within the quiet time.

threshold threshold-value: Specifies the number of client entries that triggers a client entry attack alarm. The value range for the threshold-value argument is 1 to 4096.

Examples

# Rate limit client entry learning.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] client-rate-limit interval 80 quiet 1600 threshold 100

client-spoofing

Use client-spoofing to enable client spoofing attack detection.

Use undo client-spoofing to disable client spoofing attack detection.

Syntax

client-spoofing [ quiet quiet-value ]

undo client-spoofing

Default

Client spoofing attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a client spoofing attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a client spoofing attack within the quiet time.

Examples

# Enable client spoofing attack detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] client-spoofing quiet 360

client-timer

Use client-timer to set the client entry timer.

Use undo client-timer to restore the default.

Syntax

client-timer inactive inactive-value aging aging-value

undo client-timer

Default

The inactive time is 300 seconds, and the aging time is 600 seconds.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

inactive inactive-value: Specifies the inactive time in the range of 60 to 1200 seconds. When a client neither receives nor sends frames within the specified inactive time, WIPS sets the client to inactive state.

aging aging-value: Specifies the aging time for a client entry, in the range of 120 to 86400 seconds. When a client neither receives nor sends frames within the specified aging time, WIPS deletes the entry. The aging time must be greater than the inactive time.

Examples

# Set the inactive time to 120 seconds, and set the aging time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] client-timer inactive 120 aging 360
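The value ranges documented above for client-proximity-sensor udp-server, client-proximity-sensor server, client-rate-limit, and client-timer can be checked before a configuration is pushed to the AC. The following is an added example, not H3C code: the function names and the sample configuration are constructed for illustration, and when cipher or simple is omitted the check accepts any key length that either form allows.

```python
import ipaddress

# Per command: keyword -> (low, high), copied from the Parameters text above.
RANGES = {
    "client-proximity-sensor udp-server": {"port": (1, 65534), "interval": (1, 600)},
    "client-proximity-sensor server": {"window-time": (10, 60), "partner": None},
    "client-timer": {"inactive": (60, 1200), "aging": (120, 86400)},
    "client-rate-limit": {"interval": (1, 3600), "quiet": (1200, 3600),
                          "threshold": (1, 4096)},
}
KEY_LEN = {"simple": (8, 63), "cipher": (41, 117)}  # key-string length per form


def check_int(problems, name, text, bounds):
    """Record a problem unless text is an integer inside bounds; return int or None."""
    if text is None or not text.isdigit():
        problems.append(f"{name}: expected an integer, got {text!r}")
        return None
    if bounds and not bounds[0] <= int(text) <= bounds[1]:
        problems.append(f"{name}: {text} is outside {bounds[0]}-{bounds[1]}")
    return int(text)


def keyword_args(cmd, args, problems):
    """Validate the 'keyword value' pairs after cmd; return {keyword: int or None}."""
    values, i = {}, 0
    while i < len(args):
        key = args[i]
        if key == "preshared-key" and cmd.endswith("udp-server"):
            form = next((f for f in args[i + 1:i + 2] if f in KEY_LEN), None)
            key_string = "".join(args[i + 2:i + 3] if form else args[i + 1:i + 2])
            i += 3 if form else 2
            lo, hi = KEY_LEN.get(form, (8, 117))  # form omitted: either length
            if not lo <= len(key_string) <= hi:
                problems.append(f"preshared-key: length {len(key_string)} is outside {lo}-{hi}")
            if form == "simple":
                problems.append("preshared-key: plaintext (simple) key is in this line")
        elif key in RANGES[cmd]:
            text = args[i + 1] if i + 1 < len(args) else None
            values[key] = check_int(problems, key, text, RANGES[cmd][key])
            i += 2
        else:
            problems.append(f"unexpected token {key!r}")
            i += 1
    return values


def lint(line):
    """Return the problems found in one configuration line ([] means none)."""
    tokens, problems = line.split(), []
    cmd = next((c for c in RANGES if tokens[:len(c.split())] == c.split()), None)
    if cmd is None:
        return ["command not covered by this example"]
    args = tokens[len(cmd.split()):]
    if cmd.endswith("udp-server"):
        try:
            ipaddress.IPv4Address(args[0] if args else "")
        except ValueError:
            problems.append("ip-address: not an IPv4 address")
        if "port" not in keyword_args(cmd, args[1:], problems):
            problems.append("port: required")
    elif cmd.endswith(" server"):
        url = args[0] if args else ""
        if not url.startswith("https://"):
            problems.append("string: address must start with https://")
        if not 8 <= len(url) <= 127:
            problems.append(f"string: length {len(url)} is outside 8-127")
        keyword_args(cmd, args[1:], problems)
    else:  # client-timer, client-rate-limit
        values = keyword_args(cmd, args, problems)
        inactive, aging = values.get("inactive"), values.get("aging")
        if cmd == "client-timer" and not {"inactive", "aging"} <= values.keys():
            problems.append("inactive and aging are both required")
        elif None not in (inactive, aging) and aging <= inactive:
            problems.append(f"aging {aging} must be greater than inactive {inactive}")
    return problems


def lint_config(text):
    """Return {line_number: [problems]} for every line that has problems."""
    found = {n: lint(row) for n, row in enumerate(text.splitlines(), 1) if row.strip()}
    return {n: p for n, p in found.items() if p}


# Constructed sample configuration (not from a real device).
SAMPLE = """\
client-proximity-sensor udp-server 10.152.3.209 port 443
client-proximity-sensor udp-server 10.152.3.209 port 65535 interval 900
client-proximity-sensor udp-server 10.152.3.209 port 443 preshared-key simple short
client-proximity-sensor server http://10.152.3.209/xxx/yy window-time 5
client-timer inactive 300 aging 200
client-rate-limit interval 80 quiet 600 threshold 100
"""

if __name__ == "__main__":
    for number, problems in lint_config(SAMPLE).items():
        print(number, problems)
```
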

countermeasure adhoc

Use countermeasure adhoc to enable WIPS to take countermeasures against Ad hoc devices.

Use undo countermeasure adhoc to restore the default.

Syntax

countermeasure adhoc

undo countermeasure adhoc

Default

WIPS does not take countermeasures against Ad hoc devices.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against Ad hoc devices.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure adhoc

countermeasure attack all

Use countermeasure attack all to enable WIPS to take countermeasures against all attackers.

Use undo countermeasure attack all to restore the default.

Syntax

countermeasure attack all

undo countermeasure attack all

Default

WIPS does not take countermeasures against all attackers.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against all attackers.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack all

countermeasure attack deauth-broadcast

Use countermeasure attack deauth-broadcast to enable WIPS to take countermeasures against devices that launch broadcast deauthentication attacks.

Use undo countermeasure attack deauth-broadcast to restore the default.

Syntax

countermeasure attack deauth-broadcast

undo countermeasure attack deauth-broadcast

Default

WIPS does not take countermeasures against devices that launch broadcast deauthentication attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch broadcast deauthentication attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack deauth-broadcast

countermeasure attack disassoc-broadcast

Use countermeasure attack disassoc-broadcast to enable WIPS to take countermeasures against devices that launch broadcast disassociation attacks.

Use undo countermeasure attack disassoc-broadcast to restore the default.

Syntax

countermeasure attack disassoc-broadcast

undo countermeasure attack disassoc-broadcast

Default

WIPS does not take countermeasures against devices that launch broadcast disassociation attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch broadcast disassociation attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack disassoc-broadcast

countermeasure attack honeypot-ap

Use countermeasure attack honeypot-ap to enable WIPS to take countermeasures against honeypot APs.

Use undo countermeasure attack honeypot-ap to restore the default.

Syntax

countermeasure attack honeypot-ap

undo countermeasure attack honeypot-ap

Default

WIPS does not take countermeasures against honeypot APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against honeypot APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack honeypot-ap

countermeasure attack hotspot-attack

Use countermeasure attack hotspot-attack to enable WIPS to take countermeasures against devices that launch hotspot attacks.

Use undo countermeasure attack hotspot-attack to restore the default.

Syntax

countermeasure attack hotspot-attack

undo countermeasure attack hotspot-attack

Default

WIPS does not take countermeasures against devices that launch hotspot attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch hotspot attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack hotspot-attack

countermeasure attack ht-40-mhz-intolerance

Use countermeasure attack ht-40-mhz-intolerance to enable WIPS to take countermeasures against devices with the 40 MHz bandwidth mode disabled.

Use undo countermeasure attack ht-40-mhz-intolerance to restore the default.

Syntax

countermeasure attack ht-40-mhz-intolerance

undo countermeasure attack ht-40-mhz-intolerance

Default

WIPS does not take countermeasures against devices with the 40 MHz bandwidth mode disabled.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices with the 40 MHz bandwidth mode disabled.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack ht-40-mhz-intolerance

countermeasure attack malformed-packet

Use countermeasure attack malformed-packet to enable WIPS to take countermeasures against devices that send malformed packets.

Use undo countermeasure attack malformed-packet to restore the default.

Syntax

countermeasure attack malformed-packet

undo countermeasure attack malformed-packet

Default

WIPS does not take countermeasures against devices that send malformed packets.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that send malformed packets.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack malformed-packet

countermeasure attack man-in-the-middle

Use countermeasure attack man-in-the-middle to enable WIPS to take countermeasures against devices that launch MITM attacks.

Use undo countermeasure attack man-in-the-middle to restore the default.

Syntax

countermeasure attack man-in-the-middle

undo countermeasure attack man-in-the-middle

Default

WIPS does not take countermeasures against devices that launch MITM attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch MITM attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack man-in-the-middle

countermeasure attack omerta

Use countermeasure attack omerta to enable WIPS to take countermeasures against devices that launch Omerta attacks.

Use undo countermeasure attack omerta to restore the default.

Syntax

countermeasure attack omerta

undo countermeasure attack omerta

Default

WIPS does not take countermeasures against devices that launch Omerta attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch Omerta attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack omerta

countermeasure attack power-save

Use countermeasure attack power-save to enable WIPS to take countermeasures against devices that launch power save attacks.

Use undo countermeasure attack power-save to restore the default.

Syntax

countermeasure attack power-save

undo countermeasure attack power-save

Default

WIPS does not take countermeasures against devices that launch power save attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch power save attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack power-save

countermeasure attack soft-ap

Use countermeasure attack soft-ap to enable WIPS to take countermeasures against soft APs.

Use undo countermeasure attack soft-ap to restore the default.

Syntax

countermeasure attack soft-ap

undo countermeasure attack soft-ap

Default

WIPS does not take countermeasures against soft APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against soft APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack soft-ap

countermeasure attack unencrypted-trust-client

Use countermeasure attack unencrypted-trust-client to enable WIPS to take countermeasures against unencrypted authorized clients.

Use undo countermeasure attack unencrypted-trust-client to restore the default.

Syntax

countermeasure attack unencrypted-trust-client

undo countermeasure attack unencrypted-trust-client

Default

WIPS does not take countermeasures against unencrypted authorized clients.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against unencrypted authorized clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack unencrypted-trust-client

countermeasure attack weak-iv

Use countermeasure attack weak-iv to enable WIPS to take countermeasures against devices that use weak IVs.

Use undo countermeasure attack weak-iv to restore the default.

Syntax

countermeasure attack weak-iv

undo countermeasure attack weak-iv

Default

WIPS does not take countermeasures against devices that use weak IVs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that use weak IVs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack weak-iv

countermeasure attack windows-bridge

Use countermeasure attack windows-bridge to enable WIPS to take countermeasures against devices that launch Windows bridge attacks.

Use undo countermeasure attack windows-bridge to restore the default.

Syntax

countermeasure attack windows-bridge

undo countermeasure attack windows-bridge

Default

WIPS does not take countermeasures against devices that launch Windows bridge attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch Windows bridge attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack windows-bridge

countermeasure external-ap

Use countermeasure external-ap to enable WIPS to take countermeasures against external APs.

Use undo countermeasure external-ap to restore the default.

Syntax

countermeasure external-ap

undo countermeasure external-ap

Default

WIPS does not take countermeasures against external APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against external APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure external-ap

countermeasure mac-address

Use countermeasure mac-address to enable WIPS to take countermeasures against the device with the specified MAC address.

Use undo countermeasure mac-address to remove the configuration.

Syntax

countermeasure mac-address mac-address

undo countermeasure mac-address { mac-address | all }

Default

WIPS does not take countermeasures against detected devices.

Views

Countermeasure policy view

Predefined user roles

network-admin

Parameters

mac-address: Specifies an AP or a client by its MAC address in the H-H-H format.

all: Specifies all APs and clients.

Usage guidelines

You can configure this command multiple times to enable WIPS to take countermeasures against multiple devices.

Examples

# Enable WIPS to take countermeasures against the device with the MAC address 2a11-1fa1-141f.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure mac-address 2a11-1fa1-141f

countermeasure misassociation-client

Use countermeasure misassociation-client to enable WIPS to take countermeasures against misassociated clients.

Use undo countermeasure misassociation-client to restore the default.

Syntax

countermeasure misassociation-client

undo countermeasure misassociation-client

Default

WIPS does not take countermeasures against misassociated clients.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against misassociated clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure misassociation-client

countermeasure misconfigured-ap

Use countermeasure misconfigured-ap to enable WIPS to take countermeasures against misconfigured APs.

Use undo countermeasure misconfigured-ap to restore the default.

Syntax

countermeasure misconfigured-ap

undo countermeasure misconfigured-ap

Default

WIPS does not take countermeasures against misconfigured APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against misconfigured APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure misconfigured-ap

countermeasure policy

Use countermeasure policy to create a countermeasure policy and enter its view.

Use undo countermeasure policy to remove a countermeasure policy.

Syntax

countermeasure policy policy-name

undo countermeasure policy policy-name

Default

No countermeasure policy is created.

Views

WIPS view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a countermeasure policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Create the countermeasure policy home and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home]

countermeasure potential-authorized-ap

Use countermeasure potential-authorized-ap to enable WIPS to take countermeasures against potential-authorized APs.

Use undo countermeasure potential-authorized-ap to restore the default.

Syntax

countermeasure potential-authorized-ap

undo countermeasure potential-authorized-ap

Default

WIPS does not take countermeasures against potential-authorized APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against potential-authorized APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure potential-authorized-ap

countermeasure potential-external-ap

Use countermeasure potential-external-ap to enable WIPS to take countermeasures against potential-external APs.

Use undo countermeasure potential-external-ap to restore the default.

Syntax

countermeasure potential-external-ap

undo countermeasure potential-external-ap

Default

WIPS does not take countermeasures against potential-external APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against potential-external APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure potential-external-ap

countermeasure potential-rogue-ap

Use countermeasure potential-rogue-ap to enable WIPS to take countermeasures against potential-rogue APs.

Use undo countermeasure potential-rogue-ap to restore the default.

Syntax

countermeasure potential-rogue-ap

undo countermeasure potential-rogue-ap

Default

WIPS does not take countermeasures against potential-rogue APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against potential-rogue APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure potential-rogue-ap

countermeasure rogue-ap

Use countermeasure rogue-ap to enable WIPS to take countermeasures against rogue APs.

Use undo countermeasure rogue-ap to restore the default.

Syntax

countermeasure rogue-ap

undo countermeasure rogue-ap

Default

WIPS does not take countermeasures against rogue APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against rogue APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure rogue-ap

countermeasure unauthorized-client

Use countermeasure unauthorized-client to enable WIPS to take countermeasures against unauthorized clients.

Use undo countermeasure unauthorized-client to restore the default.

Syntax

countermeasure unauthorized-client

undo countermeasure unauthorized-client

Default

WIPS does not take countermeasures against unauthorized clients.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against unauthorized clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure unauthorized-client

countermeasure uncategorized-ap

Use countermeasure uncategorized-ap to enable WIPS to take countermeasures against uncategorized APs.

Use undo countermeasure uncategorized-ap to restore the default.

Syntax

countermeasure uncategorized-ap

undo countermeasure uncategorized-ap

Default

WIPS does not take countermeasures against uncategorized APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against uncategorized APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure uncategorized-ap

countermeasure uncategorized-client

Use countermeasure uncategorized-client to enable WIPS to take countermeasures against uncategorized clients.

Use undo countermeasure uncategorized-client to restore the default.

Syntax

countermeasure uncategorized-client

undo countermeasure uncategorized-client

Default

WIPS does not take countermeasures against uncategorized clients.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against uncategorized clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure uncategorized-client

deauthentication-broadcast

Use deauthentication-broadcast to configure broadcast deauthentication attack detection.

Use undo deauthentication-broadcast to disable broadcast deauthentication attack detection.

Syntax

deauthentication-broadcast [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo deauthentication-broadcast

Default

Broadcast deauthentication attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for broadcast deauthentication frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a broadcast deauthentication attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a broadcast deauthentication attack within the quiet time.

threshold threshold-value: Specifies the number of broadcast deauthentication frames that triggers a broadcast deauthentication attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable broadcast deauthentication attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100, 360, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] deauthentication-broadcast interval 100 threshold 100 quiet 360
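The interval, threshold, and quiet arguments together decide how quickly a flood raises its first alarm and how often alarms repeat while it continues. The following model is an added example, not H3C code: DetectParams and alarm_times are hypothetical names, the frame timestamps are constructed, and the model assumes that frames are counted in back-to-back windows of interval seconds starting at t=0.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectParams:
    """The three tunables; the defaults are the documented defaults."""
    interval: int = 60    # statistics collection interval, seconds
    quiet: int = 600      # quiet time after an alarm, seconds
    threshold: int = 50   # frame count that triggers an alarm

    def __post_init__(self):
        # Documented value ranges for deauthentication-broadcast.
        for name, low, high in (("interval", 1, 3600), ("quiet", 5, 604800),
                                ("threshold", 1, 100000)):
            if not low <= getattr(self, name) <= high:
                raise ValueError(f"{name} must be in the range {low}-{high}")


def alarm_times(frame_times, params):
    """Return the times (in seconds) at which an alarm is raised.

    Assumptions of this model, not statements from the command reference:
    the counter restarts at every multiple of `interval`, and an alarm is
    raised by any frame that brings the window count to `threshold` or more
    once `quiet` seconds have passed since the previous alarm.
    """
    alarms = []
    window, count, quiet_until = None, 0, None
    for t in sorted(frame_times):
        current = t // params.interval
        if current != window:          # a new statistics window starts
            window, count = current, 0
        count += 1
        if count >= params.threshold and (quiet_until is None or t >= quiet_until):
            alarms.append(t)
            quiet_until = t + params.quiet
    return alarms


def detection_summary(frame_times, params):
    """Return (seconds from the first frame to the first alarm, number of alarms)."""
    alarms = alarm_times(frame_times, params)
    if not alarms:
        return (None, 0)
    return (alarms[0] - min(frame_times), len(alarms))


# Constructed input: 10 broadcast deauthentication frames per second for 15 minutes.
FLOOD = [t for t in range(900) for _ in range(10)]
# Constructed input: one frame every 2 seconds (30 frames per 60-second window).
BACKGROUND = list(range(0, 900, 2))

if __name__ == "__main__":
    defaults = DetectParams()
    page_example = DetectParams(interval=100, quiet=360, threshold=100)
    for label, params in (("defaults", defaults), ("page example", page_example)):
        print(label, alarm_times(FLOOD, params), detection_summary(FLOOD, params))
    print("background", alarm_times(BACKGROUND, defaults))
```

Under these assumptions the quiet time, not the threshold, sets how often a sustained flood is reported again after the first alarm.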

detect policy

Use detect policy to create an attack detection policy and enter its view.

Use undo detect policy to remove an attack detection policy.

Syntax

detect policy policy-name

undo detect policy policy-name

Default

No attack detection policy is created.

Views

WIPS view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack detection policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Create the attack detection policy home and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home]

detect signature

Use detect signature to enable user-defined attack detection based on signatures.

Use undo detect signature to disable user-defined attack detection based on signatures.

Syntax

detect signature [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo detect signature

Default

User-defined attack detection based on signatures is enabled.

Views

Signature policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for packets that match a signature. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a user-defined attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a user-defined attack within the quiet time.

threshold threshold-value: Specifies the number of packets matching a signature that triggers a user-defined attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable WIPS to detect packets that match a signature, and set the interval-value, threshold-value, and quiet-value arguments to 60, 100, and 360, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature policy home

[Sysname-wips-sig-home] detect signature interval 60 threshold 100 quiet 360

disassociation-broadcast

Use disassociation-broadcast to configure broadcast disassociation attack detection.

Use undo disassociation-broadcast to disable broadcast disassociation attack detection.

Syntax

disassociation-broadcast [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo disassociation-broadcast

Default

Broadcast disassociation attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for broadcast disassociation frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a broadcast disassociation attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a broadcast disassociation attack within the quiet time.

threshold threshold-value: Specifies the number of broadcast disassociation frames that triggers a broadcast disassociation attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable broadcast disassociation attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100, 360, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] disassociation-broadcast interval 100 threshold 100 quiet 360

discovered-ap

Use discovered-ap to configure an AP classification rule to match the number of sensors that detect an AP.

Use undo discovered-ap to restore the default.

Syntax

discovered-ap value1 [ to value2 ]

undo discovered-ap

Default

An AP classification rule does not match the number of sensors that detect an AP.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

value1 to value2: Specifies a value range for the number of sensors that detect an AP. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 1 to 128 for both the value1 and value2 arguments, and value2 must be greater than value1.

Examples

# Configure AP classification rule 1 to match APs that are detected by 10 to 128 sensors.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] discovered-ap 10 to 128

display client-proximity-sensor device

Use display client-proximity-sensor device to display information about detected wireless devices.

Syntax

display client-proximity-sensor device [ ap | client | mac-address mac-address ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap: Displays information about detected APs.

client: Displays information about detected clients.

mac-address mac-address: Displays information about the specified wireless device. The mac-address argument specifies the MAC address of the device, in H-H-H format.

verbose: Displays detailed information. If you do not specify this keyword, the command displays brief information.

Examples

# Display brief information about all detected wireless devices.

<Sysname> display client-proximity-sensor device

Total 3 detected devices

 

MAC address    Type      Duration    Sensors Channel Status

0AFB-423B-893C AP        00h 10m 46s 1       11      Active

0AFB-423B-893D AP        00h 10m 46s 1       6       Active

0AFB-423B-893E AP        00h 10m 46s 1       1       Active

Table 1 Command output

| Field | Description |
|---|---|
| MAC address | MAC address of the detected wireless device. |
| Type | Wireless device type: AP or Client. |
| Duration | Duration since the wireless device entered the current state. |
| Sensors | Number of APs that detect the wireless device. |
| Channel | Channel where the AP most recently detected the wireless device. |
| Status | Wireless device state: Active (the wireless device is active) or Inactive (the wireless device is inactive). |

 

# Display detailed information about all detected wireless devices.

<Sysname> display client-proximity-sensor device verbose

Total 2 detected devices

 

 AP: 0AFB-423B-893C

   Status: Active

   Status duration: 00h 27m 57s

   Vendor: Not found

   SSID: service

   Radio type: 802.11g

   Security: None

   Encryption method: None

   Authentication method: None

   Broadcast SSID: Yes

   QoS supported: No

   Beacon interval: 0 TU

   Up duration: 00h 27m 57s

   Channel bandwidth supported: 20MHZ

   Total number of reported APs: 1

     AP 1:

       AP ID: 3

       AP name: 1

       Radio ID: 1

       RSSI: 15

       Channel: 6

       First reported time: 2016-04-03/09:05:51

       Last reported time: 2016-04-03/09:05:51

   Total number of associated clients: 1

     01: 80EA-9656-AAAB

Client: 80EA-9656-AAAB

  Last detected associated AP: 0AFB-423B-893C

  Last associated AP (not detected): None

  Status: Active

  Status duration: 00h 00m 02s

  Vendor: Not found

  Radio type: 802.11a

  Total number of reported APs: 1

     AP 1:

       AP ID: 2

       AP name: 1

       Radio ID: 1

       RSSI: 50

       Channel: 116

       First reported time: 2016-04-03/14:52:56

       Last reported time: 2016-04-03/14:52:56

       Reported associated AP: 0AFB-423B-893C

Table 2 Command output

| Field | Description |
|---|---|
| Total number detected devices | Number of detected wireless devices. |
| AP | MAC address of the detected AP. |
| Client | MAC address of the detected client. |
| Last detected associated AP | MAC address of the AP with which the wireless client was most recently associated. The MAC address is the BSSID of the AP. |
| Last associated AP (not detected) | MAC address of the AP with which the wireless client most recently communicated. The AP is not detected by the system, and the MAC address of the AP is obtained from packets exchanged between the client and the AP. |
| Status | Wireless device state: Active (the wireless device is active) or Inactive (the wireless device is inactive). |
| Status duration | Duration since the wireless device entered the current state. |
| Vendor | OUI of the wireless device. This field displays Not found if no OUIs are imported or the OUI of the device cannot match the imported OUIs. |
| Security | Security method: None, WEP, WPA, or WPA2. |
| Encryption method | Encryption method: TKIP, CCMP, WEP, or None. |
| Authentication method | Authentication method: None, PSK, 802.1X, or Others (authentication methods except for PSK authentication and 802.1X authentication). |
| Broadcast SSID | Whether the AP broadcasts SSIDs. If the AP does not broadcast SSIDs, the SSID field in the output is null. |
| Beacon interval | Beacon interval in TUs. |
| Up duration | Duration since the AP started. |
| Channel bandwidth supported | Channel bandwidth supported by the AP: 20/40MHZ or 20MHZ. |
| Total number of reported APs | Number of APs that detect the client. |
| AP n | AP that detects the wireless device. n represents the number of the AP and is automatically assigned by the system. |
| AP name | Name of the AP that detects the wireless device. |
| Radio ID | ID of the radio that detects the wireless device. |
| RSSI | RSSI of the AP. |
| Channel | Channel where the AP most recently detected the wireless device. |
| First reported time | Time when the AP detected the wireless device for the first time. |
| Last reported time | Time when the AP most recently detected the wireless device. |
| Total number of associated clients | Number of clients that are associated with the AP. |
| n:H-H-H | MAC address of the wireless client associated with the AP. n is the number of the wireless client and is automatically assigned by the system. |
| Reported associated AP | AP with which the wireless client is associated. |

 

display client-proximity-sensor sensor

Use display client-proximity-sensor sensor to display information about all sensors.

Syntax

display client-proximity-sensor sensor

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about all sensors.

<Sysname> display client-proximity-sensor sensor

Total number of sensors: 1

Sensor ID    Sensor name                Radio ID  

3            ap1                        1         

Table 3 Command output

| Field | Description |
|---|---|
| Radio ID | ID of the radio that is enabled with client probing. |

 

display client-proximity-sensor statistics receive

Use display client-proximity-sensor statistics receive to display detection statistics that the AC receives from APs.

Syntax

display client-proximity-sensor statistics receive

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display detection statistics that the AC receives from APs.

<Sysname> display client-proximity-sensor statistics receive

Information from sensor 1

 Statistics information for received messages:

   Detected AP updated messages: 7

   Detected client updated messages: 5

   Detected AP deleted messages: 3

   Detected client deleted messages: 0

   Detected all device deleted messages: 0

Information from sensor 2

 Statistics information for received messages:

   Detected AP updated messages: 6

   Detected client updated messages: 5

   Detected AP deleted messages: 3

   Detected client deleted messages: 2

   Detected all device deleted messages: 0

Related commands

reset client-proximity-sensor statistics

display wips sensor

Use display wips sensor to display information about all sensors.

Syntax

display wips sensor

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about all sensors.

<Sysname> display wips sensor

Total number of sensors: 1

Sensor ID    Sensor name                VSD name               Radio ID   Status

3            ap1                        aaa                    1          Active

Table 4 Command output

| Field | Description |
|---|---|
| VSD name | Name of the VSD to which the AP belongs. |
| Radio ID | ID of the radio enabled with WIPS. |
| Status | Status of the sensor: Active (the sensor is enabled with WIPS) or Inactive (the sensor is not enabled with WIPS). |

 

display wips statistics

Use display wips statistics to display attack detection information collected from sensors.

Syntax

display wips statistics [ receive | virtual-security-domain vsd-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

receive: Displays attack detection statistics information that the AC receives from sensors in all VSDs.

virtual-security-domain vsd-name: Displays attack detection statistics information that the AC receives from sensors in the specified VSD.

Examples

# Display attack detection information collected from sensors in all VSDs.

<Sysname> display wips statistics receive

Information from sensor 3

 Information about attack statistics:

   Detected association-request flood messages: 0

   Detected authentication flood messages: 0

   Detected beacon flood messages: 0

   Detected block-ack flood messages: 0

   Detected cts flood messages: 0

   Detected deauthentication flood messages: 0

   Detected disassociation flood messages: 0

   Detected eapol-start flood messages: 0

   Detected null-data flood messages: 0

   Detected probe-request flood messages: 0

   Detected reassociation-request flood messages: 0

   Detected rts flood messages: 0

   Detected eapol-logoff flood messages: 0

   Detected eap-failure flood messages: 0

   Detected eap-success flood messages: 0

   Detected duplicated-ie messages: 0

   Detected fata-jack messages: 0

   Detected illegal-ibss-ess messages: 0

   Detected invalid-address-combination messages: 0

   Detected invalid-assoc-req messages: 0

   Detected invalid-auth messages: 0

   Detected invalid-deauth-code messages: 0

   Detected invalid-disassoc-code messages: 0

   Detected invalid-ht-ie messages: 0

   Detected invalid-ie-length messages: 0

   Detected invalid-pkt-length messages: 0

   Detected large-duration messages: 0

   Detected null-probe-resp messages: 0

   Detected overflow-eapol-key messages: 0

   Detected overflow-ssid messages: 0

   Detected redundant-ie messages: 0

   Detected AP spoof AP messages: 0

   Detected AP spoof client messages: 0

   Detected AP spoof ad-hoc messages: 0

   Detected ad-hoc spoof AP messages: 0

   Detected client spoof AP messages: 0

   Detected weak IV messages: 0

   Detected excess AP messages: 0

   Detected excess client messages: 0

   Detected signature rule messages: 0

   Detected 40MHZ messages: 0

   Detected power save messages: 0

   Detected omerta messages: 0

   Detected windows bridge messages: 0

   Detected soft AP messages: 0

   Detected broadcast disassoc messages: 2

   Detected broadcast deauth messages: 0

   Detected AP impersonate messages: 0

   Detected HT greenfield messages: 0

   Detected association table overflow messages: 0

   Detected wireless bridge messages: 0

   Detected AP flood messages: 11

Table 5 Command output

| Field | Description |
|---|---|
| Information from sensor n | Information collected from sensor n, where n represents the ID of the sensor. |
| Detected association-request flood messages | Number of detected messages for association request flood attacks. |
| Detected authentication flood messages | Number of detected messages for authentication request flood attacks. |
| Detected beacon flood messages | Number of detected messages for beacon flood attacks. |
| Detected block-ack flood messages | Number of detected messages for Block Ack flood attacks. |
| Detected cts flood messages | Number of detected messages for CTS flood attacks. |
| Detected deauthentication flood messages | Number of detected messages for deauthentication flood attacks. |
| Detected disassociation flood messages | Number of detected messages for disassociation flood attacks. |
| Detected eapol-start flood messages | Number of detected messages for EAPOL-start flood attacks. |
| Detected null-data flood messages | Number of detected messages for null data flood attacks. |
| Detected probe-request flood messages | Number of detected messages for probe request flood attacks. |
| Detected reassociation-request flood messages | Number of detected messages for reassociation request flood attacks. |
| Detected rts flood messages | Number of detected messages for RTS flood attacks. |
| Detected eapol-logoff flood messages | Number of detected messages for EAPOL-logoff flood attacks. |
| Detected eap-failure flood messages | Number of detected messages for EAP-failure flood attacks. |
| Detected eap-success flood messages | Number of detected messages for EAP-success flood attacks. |
| Detected duplicated-ie messages | Number of detected messages for malformed packets with duplicated IE. |
| Detected fata-jack messages | Number of detected messages for FATA-Jack malformed packets. |
| Detected illegal-ibss-ess messages | Number of detected messages for malformed packets with abnormal IBSS and ESS setting. |
| Detected invalid-address-combination messages | Number of detected messages for malformed packets with invalid source address. |
| Detected invalid-assoc-req messages | Number of detected messages for malformed association request frames. |
| Detected invalid-auth messages | Number of detected messages for malformed authentication request frames. |
| Detected invalid-deauth-code messages | Number of detected messages for malformed packets with invalid deauthentication code. |
| Detected invalid-disassoc-code messages | Number of detected messages for malformed packets with invalid disassociation code. |
| Detected invalid-ht-ie messages | Number of detected messages for malformed packets with malformed HT IE. |
| Detected invalid-ie-length messages | Number of detected messages for malformed packets with invalid IE length. |
| Detected invalid-pkt-length messages | Number of detected messages for malformed packets with invalid packet length. |
| Detected large-duration messages | Number of detected messages for malformed packets with oversized duration. |
| Detected null-probe-resp messages | Number of detected messages for malformed probe response frames. |
| Detected overflow-eapol-key messages | Number of detected messages for malformed packets with oversized EAPOL key. |
| Detected overflow-ssid messages | Number of detected messages for malformed packets with oversized SSID. |
| Detected redundant-ie messages | Number of detected messages for malformed packets with redundant IE. |
| Detected AP spoof AP messages | Number of detected messages for AP spoofing (AP spoofs AP) attacks. |
| Detected AP spoof client messages | Number of detected messages for client spoofing (AP spoofs client) attacks. |
| Detected AP spoof ad-hoc messages | Number of detected messages for Ad hoc spoofing (AP spoofs Ad hoc) attacks. |
| Detected ad-hoc spoof AP messages | Number of detected messages for AP spoofing (Ad hoc spoofs AP) attacks. |
| Detected client spoof AP messages | Number of detected messages for AP spoofing (client spoofs AP) attacks. |
| Detected weak IV messages | Number of detected messages for weak IVs. |
| Detected excess AP messages | Number of detected messages for AP entry attacks. |
| Detected excess client messages | Number of detected messages for client entry attacks. |
| Detected 40MHZ messages | Number of detected messages for clients disabled with the 40 MHz bandwidth mode. |
| Detected power save messages | Number of detected messages for power saving attacks. |
| Detected omerta messages | Number of detected messages for Omerta attacks. |
| Detected windows bridge messages | Number of detected messages for Windows bridge. |
| Detected soft AP messages | Number of detected messages for soft APs. |
| Detected broadcast disassoc messages | Number of detected messages for broadcast disassociation attacks. |
| Detected broadcast deauth messages | Number of detected messages for broadcast deauthentication attacks. |
| Detected AP impersonate messages | Number of detected messages for AP impersonation attacks. |
| Detected HT greenfield messages | Number of detected messages for HT greenfield APs. |
| Detected association table overflow messages | Number of detected messages for association/reassociation DoS attacks. |
| Detected wireless bridge messages | Number of detected messages for wireless bridge. |
| Detected AP flood messages | Number of detected messages for AP flood attacks. |

 

# Display attack detection information collected from sensors in the specified VSD.

<Sysname> display wips statistics virtual-security-domain 111

Information from VSD 111

 Information about attack statistics:

   Detected hotspot attack messages: 1

   Detected unencrypted authorized AP messages: 0

   Detected unencrypted trust client messages: 0

   Detected honeypot AP messages: 1

   Detected man in the middle messages: 1

   Detected AP channel change messages: 0

Table 6 Command output

| Field | Description |
|---|---|
| Detected hotspot attack messages | Number of detected messages for hotspot attacks. |
| Detected unencrypted authorized AP messages | Number of detected messages for unencrypted authorized APs. |
| Detected unencrypted trust client messages | Number of detected messages for unencrypted authorized clients. |
| Detected honeypot AP messages | Number of detected messages for honeypot APs. |
| Detected man in the middle messages | Number of detected messages for MITM attacks. |
| Detected AP channel change messages | Number of detected messages for channel changes. |

 

Related commands

reset wips statistics
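The two output formats above can be turned into per-source counters for alerting or trend tracking. The following Python parser is an added example, not H3C code; the function names are hypothetical, the sample output is constructed (abbreviated, with a second sensor added), and it assumes counters accumulate until reset wips statistics is run.

```python
import re

# Constructed sample in the format of the two examples above (abbreviated;
# the counts are made up and sensor 4 is added to show grouping).
SAMPLE = """\
<Sysname> display wips statistics receive
Information from sensor 3
 Information about attack statistics:
   Detected deauthentication flood messages: 0
   Detected broadcast disassoc messages: 2
   Detected AP flood messages: 11

Information from sensor 4
 Information about attack statistics:
   Detected weak IV messages: 0
   Detected AP impersonate messages: 5
<Sysname> display wips statistics virtual-security-domain 111
Information from VSD 111
 Information about attack statistics:
   Detected hotspot attack messages: 1
   Detected honeypot AP messages: 1
   Detected man in the middle messages: 1
   Detected AP channel change messages: 0
"""

_SOURCE = re.compile(r"^Information from (sensor|VSD) (.+)$")
_COUNTER = re.compile(r"^Detected (.+) messages:\s*(\d+)$")


def parse_wips_statistics(text):
    """Parse command output into {(kind, ident): {counter: count}}."""
    stats = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        source = _SOURCE.match(line)
        if source:
            current = (source.group(1), source.group(2))
            stats.setdefault(current, {})
            continue
        counter = _COUNTER.match(line)
        if counter:
            if current is None:
                raise ValueError(f"counter before any source header: {line!r}")
            stats[current][counter.group(1)] = int(counter.group(2))
        # Prompts, blank lines and the "attack statistics" banner are skipped.
    return stats


def nonzero_counters(stats):
    """Return (kind, ident, counter, count) rows with count > 0, highest first."""
    rows = [
        (kind, ident, name, count)
        for (kind, ident), counters in stats.items()
        for name, count in counters.items()
        if count > 0
    ]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1], r[2]))


def increased_since(before, after):
    """Counters that grew between two snapshots: {(kind, ident): {counter: delta}}.

    Assumption: counters accumulate until "reset wips statistics" is run. A
    counter that went down is treated as reset, so its new value is the delta.
    """
    deltas = {}
    for source, counters in after.items():
        old = before.get(source, {})
        for name, count in counters.items():
            previous = old.get(name, 0)
            delta = count - previous if count >= previous else count
            if delta > 0:
                deltas.setdefault(source, {})[name] = delta
    return deltas


if __name__ == "__main__":
    for kind, ident, name, count in nonzero_counters(parse_wips_statistics(SAMPLE)):
        print(f"{kind} {ident}: {name} = {count}")
```

Comparing two snapshots with increased_since separates new detections from counts left over from earlier activity.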

display wips virtual-security-domain countermeasure record

Use display wips virtual-security-domain countermeasure record to display information about countermeasures that WIPS has taken against rogue devices.

Syntax

display wips virtual-security-domain vsd-name countermeasure record

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Display information about countermeasures that WIPS has taken against rogue devices for the VSD office.

<Sysname> display wips virtual-security-domain office countermeasure record

Total 3 times countermeasure, current 3 countermeasure record in virtual-security-domain office

 

Reason: Attack; Ass - associated; Black - blacklist;

        Class - classification; Manu - manual;

 

MAC address    Type   Reason   Countermeasure AP     Radio ID   Time

1000-0000-00e3 AP     Manu     ap1                    1          2016-05-03/09:32:01

1000-0000-00e4 AP     Manu     ap2                    1          2016-05-03/09:32:11

2000-0000-f282 Client Black    ap3                    1          2016-05-03/09:31:56

Table 7 Command output

| Field | Description |
|---|---|
| Total 3 times countermeasure, current 3 countermeasure record in virtual-security-domain office | Number of successful countermeasures. This field can display up to 1024 countermeasure records. |
| MAC Address | MAC address of the wireless device against which WIPS has taken countermeasures. |
| Type | Type of the wireless device: AP or Client. |
| Reason | Reason why WIPS takes countermeasures against the wireless device: Attack (WIPS takes countermeasures against the device because it is an attacker); Ass (WIPS takes countermeasures against the device because WIPS has taken countermeasures against its associated AP); Black (after WIPS takes countermeasures against the client, the client is added to the blacklist when it associates with an AP); Class (WIPS takes countermeasures against the device based on its device type); Manu (WIPS takes countermeasures against the device based on its MAC address). |
| Countermeasure AP | Name of the sensor that takes countermeasures against the wireless device. |
| Radio ID | Radio ID of the sensor that takes countermeasures against the wireless device. |
| Time | Time when the AC informs the sensor of taking countermeasures against the wireless device. |

 

Related commands

reset wips virtual-security-domain countermeasure record

display wips virtual-security-domain device

Use display wips virtual-security-domain device to display information about wireless devices detected in a VSD.

Syntax

display wips virtual-security-domain vsd-name device [ ap [ ad-hoc | authorized | external | misconfigured | potential-authorized | potential-external | potential-rogue | rogue ] | client [ [ dissociative-client ] | [ authorized | misassociation | unauthorized | uncategorized ] ] | mac-address mac-address ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

device: Displays wireless device information.

ap: Displays AP information.

ad-hoc: Displays information about APs operating in Ad hoc mode.

authorized: Displays information about authorized APs.

external: Displays information about external APs.

misconfigured: Displays information about misconfigured APs.

potential-authorized: Displays information about potential-authorized APs.

potential-external: Displays information about potential-external APs.

potential-rogue: Displays information about potential-rogue APs.

rogue: Displays information about rogue APs.

client: Displays client information.

dissociative-client: Displays unassociated client information.

authorized: Displays information about authorized clients.

misassociation: Displays information about misassociated clients.

unauthorized: Displays information about unauthorized clients.

uncategorized: Displays information about uncategorized clients.

mac-address mac-address: Displays information about a specific wireless device. The mac-address argument represents the MAC address of the wireless device and is in the H-H-H format.

verbose: Displays detailed device information.

Examples

# Display information about wireless devices detected in the VSD office.

<Sysname> display wips virtual-security-domain office device

Total 200 detected devices in virtual-security-domain office

 

Class: Auth - authorization; Ext - external; Mis - mistake;

       Unauth - unauthorized; Uncate - uncategorized;

       (A) - associate; (C) - config; (P) - potential

 

MAC address    Type   Class    Duration    Sensors Channel Status

1000-0000-0000 AP     Ext(P)   00h 10m 46s 1       11      Active

1000-0000-0001 AP     Ext(P)   00h 10m 46s 1       6       Active

1000-0000-0002 AP     Ext(P)   00h 10m 46s 1       1       Active

Table 8 Command output

| Field | Description |
|---|---|
| Type | Wireless device type: AP, Client, or Mesh. |
| Class | Category of the wireless device. |
| Duration | Duration since the wireless device entered the current state. |
| Sensors | Number of sensors that have detected the wireless device. |
| Channel | Channel on which the wireless device was most recently detected. |
| Status | Status of the AP or client: Active (the AP or client is active) or Inactive (the AP or client is inactive). |

 

# Display detailed information about wireless devices detected in the VSD a.

<Sysname> display wips virtual-security-domain a device verbose

Total 2 detected devices in virtual-security-domain a

 

 AP: 1000-0000-0000

   Mesh Neighbor: None

   Classification: Mis(C)

   Severity level: 0

   Classify way: Auto

   Status: Active

   Status duration: 00h 27m 57s

   Vendor: Not found

   SSID: service

   Radio type: 802.11g

   Countermeasuring: No

   Security: None

   Encryption method: None

   Authentication method: None

   Broadcast SSID: Yes

   QoS supported: No

   Ad-hoc: No

   Beacon interval: 100 TU

   Up duration: 00h 27m 57s

   Channel band-width supported: 20MHZ

   Hotspot AP: No

   Soft AP: No

   Honeypot AP: No

   Total number of reported sensors: 1

     Sensor 1:

       Sensor ID: 3

       Sensor name: 1

       Radio ID: 1

       RSSI: 15

       Channel: 149

       First reported time: 2014-06-03/09:05:51

       Last reported time: 2014-06-03/09:05:51

   Total number of associated clients: 1

     01: 2000-0000-0000

Client: 2000-0000-0000

  Last reported associated AP: 1000-0000-0000

  Classification: Uncate

  Severity level: 0

  Classify way: Auto

  Dissociative status: No

  Status: Active

  Status duration: 00h 00m 02s

  Vendor: Not found

  Radio type: 802.11a

  40mhz intolerance: No

  Countermeasuring: No

  Man in the middle: No

  Total number of reported sensors: 1

     Sensor 1:

       Sensor ID: 2

       Sensor name: 1

       Radio ID: 1

       RSSI: 50

       Channel: 149

       First reported time: 2014-06-03/14:52:56

       Last reported time: 2014-06-03/14:52:56

       Reported associated AP: 1000-0000-0000

Table 9 Command output

| Field | Description |
|---|---|
| AP | MAC address of the AP. |
| Mesh Neighbor | MAC address of the mesh AP's neighbor. |
| Client | MAC address of the client. |
| Last reported associated AP | MAC address of the associated AP that the client most recently reports. |
| Classification | Category of the AP or client. AP category options: ad_hoc, authorized, rogue, misconfigured, external, potential-authorized, potential-rogue, potential-external, uncategorized. Client category options: authorized, unauthorized, misassociated, uncategorized. |
| Severity level | Severity level of the device. |
| Classify way | AP or client classification method: Manual (manual classification); Invalid OUI (added to the invalid OUI list); Block List (added to the prohibited device list); Associated (APs that are connected to the AC); Trust List (added to the permitted device list); User Define (user-defined classification); Auto (automatic classification). |
| Dissociative status | Whether the client is an unassociated client. |
| Status | Status of the AP or client: Active (the AP or client is active) or Inactive (the AP or client is inactive). |
| Status duration | Duration since the wireless device entered the current state. |
| Vendor | OUI of the device. This field displays the device OUI if the OUI matches an imported OUI. This field displays Not found if no OUI is configured for the device or the OUI does not match any imported OUIs. |
| SSID | SSID of the wireless service provided by the AP. |
| Radio Type | Radio mode of the wireless device. |
| 40mhz intolerance | Whether the client supports 40 MHz bandwidth mode. |
| Countermeasuring | Whether WIPS is taking countermeasures against the wireless device: No or Yes. |
| Man in the middle | Whether an MITM attack is detected. |
| Security | Security method. Options include None, WEP, WPA, and WPA2. |
| Encryption method | Data encryption method. Options include TKIP, CCMP, WEP, and None. |
| Authentication method | Authentication method. Options include None, PSK, 802.1X, and Others (authentication methods except for PSK authentication and 802.1X authentication). |
| Broadcast SSID | Whether the AP broadcasts the SSID. This field displays nothing if the AP does not broadcast the SSID. |
| QoS supported | Whether the wireless device supports QoS. |
| Ad-hoc | Whether the wireless device is in Ad hoc mode. |
| Beacon interval | Beacon interval in TU. One TU is equal to 1024 milliseconds. |
| Channel band-width supported | Supported channel bandwidth mode: 20/40/80MHZ, 20/40MHZ, or 20MHZ. |
| Hotspot AP | Whether the AP is a hotspot attack AP. |
| Soft AP | Whether the AP is a soft AP. |
| Honeypot AP | Whether the AP is a honeypot AP. |
| Sensor n | Sensor that detected the wireless device. n represents the ID assigned by the system. |
| Channel | Channel on which the sensor most recently detected the wireless device. |
| First reported time | Time when the sensor first detected the wireless device. |
| Last reported time | Time when the sensor most recently detected the wireless device. |
| n: H-H-H | MAC address of the client associated with the AP. n represents the number assigned by the system. |
| Reported associated AP | MAC address of the associated AP that the sensor reports. |

 

Related commands

reset wips virtual-security-domain device

display wlan nat-detect

Use display wlan nat-detect to display information about clients with NAT configured.

Syntax

display wlan nat-detect [ mac-address mac-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mac-address mac-address: Specifies a client by its MAC address. If you do not specify this option, the command displays information about all detected NAT-configured clients.

Examples

# Display information about all detected NAT-configured clients.

<Sysname> display wlan nat-detect

Total 1 detected clients with NAT configured

 

MAC address    Last report         First report         Duration

0a98-2044-0000 2015-08-24/11:05:23 2015-08-24/10:05:23  01h 15m 00s

Table 10 Command output

| Field | Description |
|---|---|
| Total number detected clients with NAT configured | Number of detected NAT-configured clients. |
| MAC address | MAC address of the detected client. |
| Last report | Time when the client was most recently detected. |
| First report | Time when the client was detected for the first time. |
| Duration | Duration since the client is configured with NAT. |

 

Related commands

reset wlan nat-detect

flood association-request

Use flood association-request to configure association request flood attack detection.

Use undo flood association-request to restore the default.

Syntax

flood association-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood association-request

Default

Association request flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for association request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an association request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an association request flood attack within the quiet time.

threshold threshold-value: Specifies the number of association request frames that triggers an association request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable association request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood association-request interval 100 threshold 100 quiet 360

flood authentication

Use flood authentication to configure authentication request flood attack detection.

Use undo flood authentication to restore the default.

Syntax

flood authentication [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood authentication

Default

Authentication request flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for authentication request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an authentication request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an authentication request flood attack within the quiet time.

threshold threshold-value: Specifies the number of authentication request frames that triggers an authentication request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable authentication request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood authentication interval 100 threshold 100 quiet 360

flood beacon

Use flood beacon to configure beacon flood attack detection.

Use undo flood beacon to restore the default.

Syntax

flood beacon [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood beacon

Default

Beacon flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for beacon frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a beacon flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a beacon flood attack within the quiet time.

threshold threshold-value: Specifies the number of beacon frames that triggers a beacon flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable beacon flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood beacon interval 100 threshold 100 quiet 360

flood block-ack

Use flood block-ack to configure Block Ack flood attack detection.

Use undo flood block-ack to restore the default.

Syntax

flood block-ack [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood block-ack

Default

Block Ack flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for Block Ack frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a Block Ack flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a Block Ack flood attack within the quiet time.

threshold threshold-value: Specifies the number of Block Ack frames that triggers a Block Ack flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable Block Ack flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood block-ack interval 100 threshold 100 quiet 360

flood cts

Use flood cts to configure CTS flood attack detection.

Use undo flood cts to restore the default.

Syntax

flood cts [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood cts

Default

CTS flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for CTS frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a CTS flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a CTS flood attack within the quiet time.

threshold threshold-value: Specifies the number of CTS frames that triggers a CTS flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable CTS flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood cts interval 100 threshold 100 quiet 360

flood deauthentication

Use flood deauthentication to configure deauthentication flood attack detection.

Use undo flood deauthentication to restore the default.

Syntax

flood deauthentication [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood deauthentication

Default

Deauthentication flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for deauthentication frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a deauthentication flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a deauthentication flood attack within the quiet time.

threshold threshold-value: Specifies the number of deauthentication frames that triggers a deauthentication flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable deauthentication flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood deauthentication interval 100 threshold 100 quiet 360

flood disassociation

Use flood disassociation to configure disassociation flood attack detection.

Use undo flood disassociation to restore the default.

Syntax

flood disassociation [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood disassociation

Default

Disassociation flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for disassociation frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a disassociation flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a disassociation flood attack within the quiet time.

threshold threshold-value: Specifies the number of disassociation frames that triggers a disassociation flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable disassociation flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood disassociation interval 100 threshold 100 quiet 360

flood eap-failure

Use flood eap-failure to configure EAP-failure flood attack detection.

Use undo flood eap-failure to restore the default.

Syntax

flood eap-failure [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood eap-failure

Default

EAP-failure flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for EAP-failure frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAP-failure flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAP-failure flood attack within the quiet time.

threshold threshold-value: Specifies the number of EAP-failure frames that triggers an EAP-failure flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable EAP-failure flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood eap-failure interval 100 threshold 100 quiet 360

flood eapol-logoff

Use flood eapol-logoff to configure EAPOL-logoff flood attack detection.

Use undo flood eapol-logoff to restore the default.

Syntax

flood eapol-logoff [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood eapol-logoff

Default

EAPOL-logoff flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for EAPOL-logoff frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAPOL-logoff flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAPOL-logoff flood attack within the quiet time.

threshold threshold-value: Specifies the number of EAPOL-logoff frames that triggers an EAPOL-logoff flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable EAPOL-logoff flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood eapol-logoff interval 100 threshold 100 quiet 360

flood eapol-start

Use flood eapol-start to configure EAPOL-start flood attack detection.

Use undo flood eapol-start to restore the default.

Syntax

flood eapol-start [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood eapol-start

Default

EAPOL-start flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for EAPOL-start frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAPOL-start flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAPOL-start flood attack within the quiet time.

threshold threshold-value: Specifies the number of EAPOL-start frames that triggers an EAPOL-start flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable EAPOL-start flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood eapol-start interval 100 threshold 100 quiet 360

flood eap-success

Use flood eap-success to configure EAP-success flood attack detection.

Use undo flood eap-success to restore the default.

Syntax

flood eap-success [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood eap-success

Default

EAP-success flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for EAP-success frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAP-success flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAP-success flood attack within the quiet time.

threshold threshold-value: Specifies the number of EAP-success frames that triggers an EAP-success flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable EAP-success flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood eap-success interval 100 threshold 100 quiet 360

flood null-data

Use flood null-data to configure null data flood attack detection.

Use undo flood null-data to restore the default.

Syntax

flood null-data [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood null-data

Default

Null data flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for null data frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a null data flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a null data flood attack within the quiet time.

threshold threshold-value: Specifies the number of null data frames that triggers a null data flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable null data flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood null-data interval 100 threshold 100 quiet 360

flood probe-request

Use flood probe-request to configure probe request flood attack detection.

Use undo flood probe-request to restore the default.

Syntax

flood probe-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood probe-request

Default

Probe request flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for probe request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a probe request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a probe request flood attack within the quiet time.

threshold threshold-value: Specifies the number of probe request frames that triggers a probe request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable probe request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood probe-request interval 100 threshold 100 quiet 360

flood reassociation-request

Use flood reassociation-request to configure reassociation request flood attack detection.

Use undo flood reassociation-request to restore the default.

Syntax

flood reassociation-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood reassociation-request

Default

Reassociation request flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for reassociation request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a reassociation request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a reassociation request flood attack within the quiet time.

threshold threshold-value: Specifies the number of reassociation request frames that triggers a reassociation request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable reassociation request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood reassociation-request interval 100 threshold 100 quiet 360

flood rts

Use flood rts to configure RTS flood attack detection.

Use undo flood rts to restore the default.

Syntax

flood rts [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood rts

Default

RTS flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for RTS frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an RTS flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an RTS flood attack within the quiet time.

threshold threshold-value: Specifies the number of RTS frames that triggers an RTS flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable RTS flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood rts interval 100 threshold 100 quiet 360
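The interval, quiet, and threshold arguments are the same for every flood command above. The following added example (not H3C code) models how they interact on a constructed frame timeline. It assumes back-to-back counting windows and an alarm when the count reaches the threshold, neither of which this reference states.

```python
"""Model of the interval / threshold / quiet arguments shared by the flood commands.

Assumptions (the command reference does not state them): frames are counted in
back-to-back windows of `interval` seconds, and a detection occurs when the
count in the current window reaches `threshold`.
"""

RANGES = {"interval": (1, 3600), "quiet": (5, 604800), "threshold": (1, 100000)}


class FloodDetector:
    def __init__(self, interval=60, quiet=600, threshold=50):  # documented defaults
        for name, value in (("interval", interval), ("quiet", quiet), ("threshold", threshold)):
            low, high = RANGES[name]
            if not low <= value <= high:
                raise ValueError(f"{name} {value} outside documented range {low}-{high}")
        self.interval, self.quiet, self.threshold = interval, quiet, threshold
        self.alarms = []        # timestamps at which an alarm was raised
        self.suppressed = 0     # detections hidden by the quiet time
        self._window = None
        self._count = 0
        self._detected = False
        self._quiet_until = float("-inf")

    def observe(self, ts):
        """Count one frame seen at `ts` seconds; return True if it raises an alarm."""
        window = ts // self.interval
        if window != self._window:          # new statistics window: restart the count
            self._window, self._count, self._detected = window, 0, False
        self._count += 1
        if self._detected or self._count < self.threshold:
            return False
        self._detected = True               # at most one detection per window
        if ts < self._quiet_until:          # still quiet after the previous alarm
            self.suppressed += 1
            return False
        self._quiet_until = ts + self.quiet
        self.alarms.append(ts)
        return True


def burst(start, seconds, per_second):
    """Constructed capture: `per_second` frames in each second from `start`."""
    return [start + s for s in range(seconds) for _ in range(per_second)]


def run(frames, **params):
    """Feed sorted timestamps to a detector; return (alarm times, suppressed count)."""
    detector = FloodDetector(**params)
    for ts in sorted(frames):
        detector.observe(ts)
    return detector.alarms, detector.suppressed


# Constructed input: a 300-second flood at 10 frames/s, then a second one at t=400.
CAPTURE = burst(0, 300, 10) + burst(400, 100, 10)

if __name__ == "__main__":
    for quiet in (360, 600):
        alarms, hidden = run(CAPTURE, interval=100, threshold=100, quiet=quiet)
        print(f"quiet={quiet}: alarms at {alarms}, suppressed detections={hidden}")
```

With the example values used on this page (interval 100, threshold 100, quiet 360) the second flood raises its own alarm; with the default 600-second quiet time it falls inside the quiet period and produces none.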

frame-type

Use frame-type to configure a subsignature to match the frame type of a frame.

Use undo frame-type to restore the default.

Syntax

frame-type { control | data | management [ frame-subtype { association-request | association-response | authentication | beacon | deauthentication | disassociation | probe-request } ] }

undo frame-type

Default

No subsignature is configured to match the frame type of a frame.

Views

Signature view

Predefined user roles

network-admin

Parameters

control: Matches control frames.

data: Matches data frames.

management: Matches management frames.

frame-subtype: Specifies a frame subtype.

association-request: Matches association request frames.

association-response: Matches association response frames.

authentication: Matches authentication frames.

beacon: Matches beacon frames.

deauthentication: Matches deauthentication frames.

disassociation: Matches disassociation frames.

probe-request: Matches probe request frames.

Examples

# Configure a subsignature to match data frames for signature 1.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] frame-type data

honeypot-ap

Use honeypot-ap to configure honeypot AP detection.

Use undo honeypot-ap to disable honeypot AP detection.

Syntax

honeypot-ap [ similarity similarity-value | quiet quiet-value ] *

undo honeypot-ap

Default

Honeypot AP detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

similarity similarity-value: Specifies the similarity threshold that triggers a honeypot AP alarm, as a percentage in the range of 70 to 100. The default value is 80%. WIPS determines that an AP is a honeypot AP if the similarity between the SSID of the AP and the SSID of a legitimate AP reaches the threshold.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a honeypot AP. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a honeypot AP within the quiet time.

Examples

# Enable honeypot AP detection, and set the similarity threshold and quiet time to 90% and 10 seconds, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] honeypot-ap similarity 90 quiet 10

hotspot-attack

Use hotspot-attack to configure hotspot attack detection.

Use undo hotspot-attack to disable hotspot attack detection.

Syntax

hotspot-attack [ quiet quiet-value ]

undo hotspot-attack

Default

Hotspot attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a hotspot attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a hotspot attack within the quiet time.

Examples

# Enable hotspot attack detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] hotspot-attack quiet 100

ht-40mhz-intolerance

Use ht-40mhz-intolerance to configure detection on clients with the 40 MHz bandwidth mode disabled.

Use undo ht-40mhz-intolerance to disable detection on clients with the 40 MHz bandwidth mode disabled.

Syntax

ht-40mhz-intolerance [ quiet quiet-value ]

undo ht-40mhz-intolerance

Default

Detection on clients with the 40 MHz bandwidth mode disabled is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a client with the 40 MHz bandwidth mode disabled. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a client with the 40 MHz bandwidth mode disabled within the quiet time.

Examples

# Enable detection on clients with the 40 MHz bandwidth mode disabled and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ht-40mhz-intolerance quiet 100

ht-greenfield

Use ht-greenfield to configure HT-greenfield AP detection.

Use undo ht-greenfield to disable HT-greenfield AP detection.

Syntax

ht-greenfield [ quiet quiet-value ]

undo ht-greenfield

Default

HT-greenfield AP detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting an HT-greenfield AP. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an HT-greenfield AP within the quiet time.

Examples

# Enable HT-greenfield AP detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ht-greenfield quiet 100

ignorelist

Use ignorelist to add a MAC address to the alarm-ignored device list.

Use undo ignorelist to remove a specific or all MAC addresses from the alarm-ignored device list.

Syntax

ignorelist mac-address mac-address

undo ignorelist mac-address { mac-address | all }

Default

No MAC address is added to the alarm-ignored device list.

Views

System view

Predefined user roles

network-admin

Parameters

mac-address: Specifies a MAC address in the H-H-H format.

all: Specifies all MAC addresses in the alarm-ignored device list.

Usage guidelines

For wireless devices in the alarm-ignored device list, WIPS only monitors them but does not generate any alarms.

Examples

# Add the MAC address 2a11-1fa1-1311 to the alarm-ignored device list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ignorelist mac-address 2a11-1fa1-1311

import hotspot

Use import hotspot to import hotspots from a configuration file.

Use undo import hotspot to remove the configuration.

Syntax

import hotspot file-name

undo import hotspot

Default

No hotspot is imported.

Views

WIPS view

Predefined user roles

network-admin

Parameters

file-name: Specifies a configuration file by its name, a case-insensitive string of 1 to 255 characters. It cannot contain backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), quotation marks ("), left angle brackets (<), right angle brackets (>), or vertical bars (|).

Usage guidelines

You can import hotspots from only one configuration file.

Examples

# Import hotspots from the configuration file hotspot_cfg.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] import hotspot hotspot_cfg

import oui

Use import oui to import OUIs from a configuration file.

Use undo import oui to cancel the configuration.

Syntax

import oui file-name

undo import oui

Default

No OUI is imported.

Views

WIPS view

Predefined user roles

network-admin

Parameters

file-name: Specifies a configuration file by its name, a case-insensitive string of 1 to 255 characters. It cannot contain backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), quotation marks ("), left angle brackets (<), right angle brackets (>), or vertical bars (|).

Usage guidelines

You can download the configuration file from the IEEE website.

You can import OUIs from only one configuration file.

Examples

# Import OUIs from the configuration file oui_import_cfg.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] import oui oui_import_cfg

Related commands

invalid-oui-classify illegal

invalid-oui-classify illegal

Use invalid-oui-classify illegal to configure WIPS to classify devices with invalid OUIs as rogue devices.

Use undo invalid-oui-classify to restore the default.

Syntax

invalid-oui-classify illegal

undo invalid-oui-classify

Default

WIPS does not classify devices with invalid OUIs as rogue devices.

Views

Classification policy view

Predefined user roles

network-admin

Examples

# Configure WIPS to classify devices with invalid OUIs as rogue devices.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] invalid-oui-classify illegal

Related commands

import oui

mac-address

Use mac-address to configure a subsignature to match the MAC address of a frame.

Use undo mac-address to restore the default.

Syntax

mac-address { bssid | destination | source } mac-address

undo mac-address

Default

No subsignature is configured to match the MAC address of a frame.

Views

Signature view

Predefined user roles

network-admin

Parameters

bssid: Matches the specified BSSID.

destination: Matches the specified destination MAC address.

source: Matches the specified source MAC address.

mac-address: Specifies a MAC address in the H-H-H format.

Examples

# Configure a subsignature to match frames with the source MAC address 000f-e201-0101 for signature 1.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] mac-address source 000f-e201-0101

malformed duplicated-ie

Use malformed duplicated-ie to enable WIPS to detect malformed packets with duplicated IE.

Use undo malformed duplicated-ie to restore the default.

Syntax

malformed duplicated-ie [ quiet quiet-value ]

undo malformed duplicated-ie

Default

WIPS does not detect malformed packets with duplicated IE.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a duplicated IE. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a duplicated IE within the quiet time.

Usage guidelines

This function is applicable to all management frames. WIPS considers a packet malformed if the packet has a duplicate IE. This detection is not applicable to vendor-defined IEs.

Examples

# Enable WIPS to detect malformed packets with duplicated IE and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed duplicated-ie quiet 360

malformed fata-jack

Use malformed fata-jack to enable WIPS to detect FATA-Jack malformed packets.

Use undo malformed fata-jack to restore the default.

Syntax

malformed fata-jack [ quiet quiet-value ]

undo malformed fata-jack

Default

WIPS does not detect FATA-Jack malformed packets.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a FATA-Jack malformed packet. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a FATA-Jack malformed packet within the quiet time.

Usage guidelines

This function is applicable to authentication frames. WIPS considers an authentication frame malformed if the value of the authentication algorithm number is 2.

Examples

# Enable WIPS to detect FATA-Jack malformed packets and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed fata-jack quiet 360

malformed illegal-ibss-ess

Use malformed illegal-ibss-ess to enable WIPS to detect malformed packets with abnormal IBSS and ESS setting.

Use undo malformed illegal-ibss-ess to restore the default.

Syntax

malformed illegal-ibss-ess [ quiet quiet-value ]

undo malformed illegal-ibss-ess

Default

WIPS does not detect malformed packets with abnormal IBSS and ESS setting.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an abnormal IBSS and ESS setting. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an abnormal IBSS and ESS setting within the quiet time.

Usage guidelines

This function is applicable to beacon frames and probe response frames. WIPS considers a frame malformed if both IBSS and ESS are set to 1 in the frame.

Examples

# Enable WIPS to detect malformed packets with abnormal IBSS and ESS setting and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed illegal-ibss-ess quiet 360

malformed invalid-address-combination

Use malformed invalid-address-combination to enable WIPS to detect malformed packets with invalid source address.

Use undo malformed invalid-address-combination to restore the default.

Syntax

malformed invalid-address-combination [ quiet quiet-value ]

undo malformed invalid-address-combination

Default

WIPS does not detect malformed packets with invalid source address.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid source address. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid source address within the quiet time.

Usage guidelines

This function is applicable to all management frames. WIPS considers a frame malformed in the following situations:

·     The TO DS of the frame is 1, indicating that the frame is sent to the AP by a client.

·     The source MAC address of the frame is a multicast or broadcast address.

Examples

# Enable WIPS to detect malformed packets with invalid source address and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-address-combination quiet 360

malformed invalid-assoc-req

Use malformed invalid-assoc-req to enable WIPS to detect malformed association request frames.

Use undo malformed invalid-assoc-req to restore the default.

Syntax

malformed invalid-assoc-req [ quiet quiet-value ]

undo malformed invalid-assoc-req

Default

WIPS does not detect malformed association request frames.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed association request frame. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed association request frame within the quiet time.

Usage guidelines

This function is applicable to association request frames. WIPS considers a frame malformed if the SSID length in the frame is 0.

Examples

# Enable WIPS to detect malformed association request frames and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-assoc-req quiet 360

malformed invalid-auth

Use malformed invalid-auth to enable WIPS to detect malformed authentication request frames.

Use undo malformed invalid-auth to restore the default.

Syntax

malformed invalid-auth [ quiet quiet-value ]

undo malformed invalid-auth

Default

WIPS does not detect malformed authentication request frames.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed authentication request frame. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed authentication request frame within the quiet time.

Usage guidelines

This function is applicable to authentication request frames. WIPS considers a frame malformed in the following situations:

·     The authentication algorithm number does not conform to the 802.11 protocol and is larger than 3.

·     The authentication transaction sequence number, indicating the authentication process between the client and the AP, is 1 and the status code is not 0.

·     The authentication transaction sequence number is larger than 4.

Examples

# Enable WIPS to detect malformed authentication request frames and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-auth quiet 360

malformed invalid-deauth-code

Use malformed invalid-deauth-code to enable WIPS to detect malformed packets with invalid deauthentication code.

Use undo malformed invalid-deauth-code to restore the default.

Syntax

malformed invalid-deauth-code [ quiet quiet-value ]

undo malformed invalid-deauth-code

Default

WIPS does not detect malformed packets with invalid deauthentication code.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid deauthentication code. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid deauthentication code within the quiet time.

Usage guidelines

This function is applicable to deauthentication frames. WIPS considers a frame malformed if the reason code in the frame is 0 or in the range of 67 to 65535.

Examples

# Enable WIPS to detect malformed packets with invalid deauthentication code and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-deauth-code quiet 360

malformed invalid-disassoc-code

Use malformed invalid-disassoc-code to enable WIPS to detect malformed packets with invalid disassociation code.

Use undo malformed invalid-disassoc-code to restore the default.

Syntax

malformed invalid-disassoc-code [ quiet quiet-value ]

undo malformed invalid-disassoc-code

Default

WIPS does not detect malformed packets with invalid disassociation code.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid disassociation code. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid disassociation code within the quiet time.

Usage guidelines

This function is applicable to disassociation frames. WIPS considers a frame malformed if the reason code in the frame is 0 or in the range of 67 to 65535.

Examples

# Enable WIPS to detect malformed packets with invalid disassociation code and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-disassoc-code quiet 360
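
The fixed-field criteria in the usage guidelines for malformed fata-jack, illegal-ibss-ess, invalid-address-combination, invalid-auth, invalid-deauth-code, and invalid-disassoc-code can be reproduced offline to validate captures or test frames against the policy. The following is an added example, not H3C code: the function names and sample frames are constructed for illustration, and it assumes that the two invalid-address-combination bullets are alternative conditions and that the source address is the second address field of the management header.

```python
import struct

# 802.11 management subtypes that the checks below look at.
PROBE_RESP, BEACON, DISASSOC, AUTH, DEAUTH = 5, 8, 10, 11, 12
HDR_LEN = 24  # frame control(2) duration(2) addr1..addr3(18) sequence control(2)


def build_mgmt(subtype, body, to_ds=0, src=b"\x02\x00\x00\x00\x00\x01"):
    """Build a constructed management frame (no FCS) for the samples below."""
    fc = (subtype << 4) | (to_ds << 8)  # version 0, type 0 (management)
    dst = bssid = b"\x02\x00\x00\x00\x00\xaa"
    return struct.pack("<HH", fc, 0) + dst + src + bssid + b"\x00\x00" + body


def u16(body, off):
    """Little-endian 16-bit fixed field, or None if the body is too short."""
    if len(body) < off + 2:
        return None
    return struct.unpack_from("<H", body, off)[0]


def check_frame(frame):
    """Return the sorted command keywords whose criteria the frame meets."""
    if len(frame) < HDR_LEN:
        raise ValueError("shorter than an 802.11 management header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype, to_ds = (fc >> 2) & 0x3, (fc >> 4) & 0xF, (fc >> 8) & 0x1
    if ftype != 0:
        return []  # every check here applies to management frames only
    src, body = frame[10:16], frame[HDR_LEN:]
    hits = set()

    # invalid-address-combination: To DS is 1, or the source is a group address
    # (assumption: either condition alone is enough).
    if to_ds == 1 or (src[0] & 0x01):
        hits.add("invalid-address-combination")

    if subtype == AUTH:
        alg, seq, status = u16(body, 0), u16(body, 2), u16(body, 4)
        if alg == 2:
            hits.add("fata-jack")
        if alg is not None and alg > 3:
            hits.add("invalid-auth")
        if seq is not None and (seq > 4 or (seq == 1 and status not in (0, None))):
            hits.add("invalid-auth")
    elif subtype in (DEAUTH, DISASSOC):
        reason = u16(body, 0)
        if reason is not None and (reason == 0 or reason >= 67):
            hits.add("invalid-deauth-code" if subtype == DEAUTH
                     else "invalid-disassoc-code")
    elif subtype in (BEACON, PROBE_RESP):
        cap = u16(body, 10)  # after timestamp(8) and beacon interval(2)
        if cap is not None and (cap & 0x3) == 0x3:  # ESS (bit 0) and IBSS (bit 1)
            hits.add("illegal-ibss-ess")
    return sorted(hits)


def le(*fields):
    """Pack 16-bit fixed fields in the little-endian order 802.11 uses."""
    return struct.pack("<%dH" % len(fields), *fields)


# Constructed sample frames; none of them comes from a real capture.
SAMPLES = {
    "auth_ok": build_mgmt(AUTH, le(0, 1, 0)),
    "fata_jack": build_mgmt(AUTH, le(2, 1, 0)),
    "auth_seq1_status": build_mgmt(AUTH, le(0, 1, 1)),
    "auth_seq5": build_mgmt(AUTH, le(0, 5, 0)),
    "auth_alg9": build_mgmt(AUTH, le(9, 2, 0)),
    "auth_truncated": build_mgmt(AUTH, b"\x02"),
    "deauth_0": build_mgmt(DEAUTH, le(0)),
    "deauth_7": build_mgmt(DEAUTH, le(7)),
    "disassoc_66": build_mgmt(DISASSOC, le(66)),
    "disassoc_67": build_mgmt(DISASSOC, le(67)),
    "beacon_ess": build_mgmt(BEACON, bytes(10) + le(0x0001)),
    "beacon_ibss_ess": build_mgmt(BEACON, bytes(10) + le(0x0003)),
    "bcast_src": build_mgmt(AUTH, le(0, 1, 0), src=b"\xff" * 6),
    "to_ds_deauth_0": build_mgmt(DEAUTH, le(0), to_ds=1),
}


def run_samples():
    """Map each sample name to the checks it trips."""
    return {name: check_frame(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:18} {hits}")
```

An authentication frame with algorithm number 2 meets only the fata-jack criterion, because the invalid-auth criterion starts at values larger than 3.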

malformed invalid-ht-ie

Use malformed invalid-ht-ie to enable WIPS to detect malformed packets with malformed HT IE.

Use undo malformed invalid-ht-ie to restore the default.

Syntax

malformed invalid-ht-ie [ quiet quiet-value ]

undo malformed invalid-ht-ie

Default

WIPS does not detect malformed packets with malformed HT IE.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed HT IE. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed HT IE within the quiet time.

Usage guidelines

This function is applicable to beacon, probe response, association response, and reassociation response frames. WIPS considers a frame malformed in the following situations:

·     The SM power save value of the HT capabilities IE is 2.

·     The secondary channel offset value of the HT operation IE is 2.

Examples

# Enable WIPS to detect malformed packets with malformed HT IE and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-ht-ie quiet 360

malformed invalid-ie-length

Use malformed invalid-ie-length to enable WIPS to detect malformed packets with invalid IE length.

Use undo malformed invalid-ie-length to restore the default.

Syntax

malformed invalid-ie-length [ quiet quiet-value ]

undo malformed invalid-ie-length

Default

WIPS does not detect malformed packets with invalid IE length.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid IE length. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid IE length within the quiet time.

Usage guidelines

This function is applicable to all management frames. WIPS considers a frame malformed if the length of an IE in the frame does not conform to the 802.11 protocol.

Examples

# Enable WIPS to detect malformed packets with invalid IE length and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-ie-length quiet 360

malformed invalid-pkt-length

Use malformed invalid-pkt-length to enable WIPS to detect malformed packets with invalid packet length.

Use undo malformed invalid-pkt-length to restore the default.

Syntax

malformed invalid-pkt-length [ quiet quiet-value ]

undo malformed invalid-pkt-length

Default

WIPS does not detect malformed packets with invalid packet length.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid packet length. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid packet length within the quiet time.

Usage guidelines

This function is applicable to all management frames. WIPS considers a frame malformed if the remaining length of the IE is not zero after the packet payload is resolved.

Examples

# Enable WIPS to detect malformed packets with invalid packet length and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-pkt-length quiet 360

malformed large-duration

Use malformed large-duration to enable WIPS to detect malformed packets with oversized duration.

Use undo malformed large-duration to restore the default.

Syntax

malformed large-duration [ quiet quiet-value | threshold value ]

undo malformed large-duration

Default

WIPS does not detect malformed packets with oversized duration.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an oversized duration. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an oversized duration within the quiet time.

threshold value: Specifies the duration threshold. WIPS treats a duration value larger than this threshold as oversized and triggers an alarm. The value range for the value argument is 1 to 32767 and the default value is 5000.

Usage guidelines

This function is applicable to unicast management frames, unicast data frames, RTS, CTS, and ACK frames. WIPS considers a frame malformed if the duration value in the frame is larger than the specified threshold.

Examples

# Enable WIPS to detect malformed packets with oversized duration and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed large-duration quiet 360

malformed null-probe-resp

Use malformed null-probe-resp to enable WIPS to detect malformed probe response frames.

Use undo malformed null-probe-resp to restore the default.

Syntax

malformed null-probe-resp [ quiet quiet-value ]

undo malformed null-probe-resp

Default

WIPS does not detect malformed probe response frames.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed probe response frame. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed probe response frame within the quiet time.

Usage guidelines

This function is applicable to probe response frames. WIPS considers a frame malformed if the frame is not a mesh frame and its SSID length is 0.

Examples

# Enable WIPS to detect malformed probe response frames and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed null-probe-resp quiet 360

malformed overflow-eapol-key

Use malformed overflow-eapol-key to enable WIPS to detect malformed packets with oversized EAPOL key.

Use undo malformed overflow-eapol-key to restore the default.

Syntax

malformed overflow-eapol-key [ quiet quiet-value ]

undo malformed overflow-eapol-key

Default

WIPS does not detect malformed packets with oversized EAPOL key.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an oversized EAPOL key. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an oversized EAPOL key within the quiet time.

Usage guidelines

This function is applicable to EAPOL-Key frames. WIPS considers a frame malformed if the TO DS is 1 and the key length is larger than 0 in the frame. A malicious EAPOL-Key frame might result in DoS attacks.

Examples

# Enable WIPS to detect malformed packets with oversized EAPOL key and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed overflow-eapol-key quiet 360

malformed overflow-ssid

Use malformed overflow-ssid to enable WIPS to detect malformed packets with oversized SSID.

Use undo malformed overflow-ssid to restore the default.

Syntax

malformed overflow-ssid [ quiet quiet-value ]

undo malformed overflow-ssid

Default

WIPS does not detect malformed packets with oversized SSID.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an oversized SSID. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an oversized SSID within the quiet time.

Usage guidelines

This function is applicable to beacon, probe request, probe response, and association request frames. WIPS considers a frame malformed if the SSID length in the frame is larger than 32, which does not conform to the 802.11 protocol.

Examples

# Enable WIPS to detect malformed packets with oversized SSID and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed overflow-ssid quiet 360
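
The element-level criteria in the usage guidelines for malformed invalid-assoc-req, invalid-ht-ie, invalid-ie-length, invalid-pkt-length, null-probe-resp, and overflow-ssid all depend on walking the information elements (IEs) that follow the fixed fields of a management frame. The following is an added example, not H3C code: it takes the IE area as input, and it assumes that a mesh frame is one carrying a Mesh ID element (ID 114), that leftover octets which do not form a complete IE are what invalid-pkt-length reports, and that the length table (a small subset of 802.11 elements) stands in for the full invalid-ie-length check.

```python
# 802.11 management subtypes and element IDs used below.
ASSOC_REQ, ASSOC_RESP, REASSOC_RESP, PROBE_REQ, PROBE_RESP, BEACON = 0, 1, 3, 4, 5, 8
IE_SSID, IE_RATES, IE_DS, IE_HT_CAP, IE_HT_OP, IE_MESH_ID = 0, 1, 3, 45, 61, 114

# Subset of elements whose length 802.11 constrains: (min, max) octets.
IE_LEN = {IE_RATES: (1, 8), IE_DS: (1, 1), IE_HT_CAP: (26, 26), IE_HT_OP: (22, 22)}
HT_SUBTYPES = (BEACON, PROBE_RESP, ASSOC_RESP, REASSOC_RESP)
SSID_SUBTYPES = (BEACON, PROBE_REQ, PROBE_RESP, ASSOC_REQ)


def walk_ies(tagged):
    """Split the IE area into (id, value) pairs.

    Returns (elements, leftover), where leftover counts trailing octets that
    do not form a complete element (dangling header or overlong length).
    """
    elems, pos = [], 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        if pos + 2 + length > len(tagged):
            break  # declared length runs past the end of the frame
        elems.append((eid, tagged[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return elems, len(tagged) - pos


def check_ies(subtype, tagged):
    """Return the sorted command keywords whose criteria the IE area meets."""
    elems, leftover = walk_ies(tagged)
    hits = set()
    if leftover:
        hits.add("invalid-pkt-length")
    is_mesh = any(eid == IE_MESH_ID for eid, _ in elems)  # assumption, see lead-in
    for eid, val in elems:
        if eid == IE_SSID:
            if len(val) > 32 and subtype in SSID_SUBTYPES:
                hits.add("overflow-ssid")
            if len(val) == 0 and subtype == ASSOC_REQ:
                hits.add("invalid-assoc-req")
            if len(val) == 0 and subtype == PROBE_RESP and not is_mesh:
                hits.add("null-probe-resp")
        lo, hi = IE_LEN.get(eid, (0, 255))
        if not lo <= len(val) <= hi:
            hits.add("invalid-ie-length")
        if subtype in HT_SUBTYPES and len(val) >= 2:
            # SM power save: bits 2-3 of the HT capabilities info field.
            if eid == IE_HT_CAP and ((val[0] >> 2) & 0x3) == 2:
                hits.add("invalid-ht-ie")
            # Secondary channel offset: bits 0-1 of the octet after the primary channel.
            if eid == IE_HT_OP and (val[1] & 0x3) == 2:
                hits.add("invalid-ht-ie")
    return sorted(hits)


def ie(eid, value):
    """Encode one element as ID, length, value."""
    return bytes([eid, len(value)]) + value


RATES = ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))

# Constructed samples: (subtype, IE area). None comes from a real capture.
SAMPLES = {
    "beacon_ok": (BEACON, ie(IE_SSID, b"corp") + RATES + ie(IE_DS, b"\x06")),
    "assoc_empty_ssid": (ASSOC_REQ, ie(IE_SSID, b"") + RATES),
    "probe_empty_ssid": (PROBE_RESP, ie(IE_SSID, b"") + RATES),
    "probe_empty_ssid_mesh": (PROBE_RESP, ie(IE_SSID, b"") + ie(IE_MESH_ID, b"mesh1")),
    "beacon_ssid_33": (BEACON, ie(IE_SSID, b"A" * 33) + RATES),
    "dangling_octet": (BEACON, ie(IE_SSID, b"corp") + b"\x03"),
    "overlong_length": (BEACON, ie(IE_SSID, b"corp") + b"\x03\x05\x01"),
    "ds_len_2": (BEACON, ie(IE_SSID, b"corp") + ie(IE_DS, b"\x01\x06")),
    "ht_cap_smps_2": (BEACON, ie(IE_SSID, b"corp") + ie(IE_HT_CAP, b"\x08" + bytes(25))),
    "ht_op_offset_2": (BEACON, ie(IE_SSID, b"corp") + ie(IE_HT_OP, b"\x06\x02" + bytes(20))),
}


def run_samples():
    """Map each sample name to the checks it trips."""
    return {name: check_ies(st, area) for name, (st, area) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:22} {hits}")
```

The walker stops at the first element whose declared length overruns the buffer instead of reading past it, so a truncated or overlong IE is reported as a finding rather than mis-parsed.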

malformed redundant-ie

Use malformed redundant-ie to enable WIPS to detect malformed packets with redundant IE.

Use undo malformed redundant-ie to restore the default.

Syntax

malformed redundant-ie [ quiet quiet-value ]

undo malformed redundant-ie

Default

WIPS does not detect malformed packets with redundant IE.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a redundant IE. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a redundant IE within the quiet time.

Usage guidelines

This function is applicable to all management frames. WIPS considers a frame malformed if an IE in the frame is neither a necessary IE to the frame nor a reserved IE.

Examples

# Enable WIPS to detect malformed packets with redundant IE and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed redundant-ie quiet 360

man-in-the-middle

Use man-in-the-middle to configure man-in-the-middle (MITM) attack detection.

Use undo man-in-the-middle to disable MITM attack detection.

Syntax

man-in-the-middle [ quiet quiet-value ]

undo man-in-the-middle

Default

MITM attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an MITM attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an MITM attack within the quiet time.

Usage guidelines

Enable honeypot AP detection before you enable MITM attack detection.

Examples

# Enable MITM attack detection.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] honeypot-ap

[Sysname-wips-dtc-home] man-in-the-middle

manual-classify mac-address

Use manual-classify mac-address to specify a category for an AP.

Use undo manual-classify mac-address to restore the default.

Syntax

manual-classify mac-address mac-address { authorized-ap | external-ap | misconfigured-ap | rogue-ap }

undo manual-classify mac-address { mac-address | all }

Default

No category is specified for an AP.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

mac-address: Specifies an AP by its MAC address, in the H-H-H format.

authorized-ap: Specifies the AP as an authorized AP.

external-ap: Specifies the AP as an external AP.

misconfigured-ap: Specifies the AP as a misconfigured AP.

rogue-ap: Specifies the AP as a rogue AP.

all: Specifies all APs.

Examples

# Specify the AP whose MAC address is 000f-00e2-0001 as an authorized AP.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] manual-classify mac-address 000f-00e2-0001 authorized-ap

omerta

Use omerta to configure Omerta attack detection.

Use undo omerta to disable Omerta attack detection.

Syntax

omerta [ quiet quiet-value ]

undo omerta

Default

Omerta attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an Omerta attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an Omerta attack within the quiet time.

Examples

# Enable Omerta attack detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] omerta quiet 100

oui

Use oui to configure an AP classification rule to match the OUI information of APs.

Use undo oui to restore the default.

Syntax

oui oui-info

undo oui

Default

An AP classification rule does not match the OUI information of APs.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

oui-info: Specifies the OUI information in the XXXXXX format, a case-insensitive hexadecimal string.

Examples

# Configure AP classification rule 1 to match APs with the OUI 000fe4.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] oui 000fe4

pattern

Use pattern to configure a subsignature to match the specified bits of a frame.

Use undo pattern to restore the default.

Syntax

pattern pattern-number offset offset-value mask mask value1 [ to value2 ] [ from-payload ]

undo pattern { pattern-number | all }

Default

No subsignature is configured to match the specified bits of a frame.

Views

Signature view

Predefined user roles

network-admin

Parameters

pattern-number: Specifies a subsignature that matches the specified bits of a frame by its number in the range of 0 to 65535.

offset offset-value: Specifies the offset from the specified bit to the reference bit. The value range for the offset-value argument is 0 to 2346 bits. The reference bit can be the first bit of the frame head (default) or the frame payload.

mask mask: Specifies a two-byte mask that is used for the AND operation with the specified bits. The mask is in hexadecimal format and the value range for the mask is 0 to ffff.

value1 [ to value2 ]: Specifies a value range for the specified bits. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 65535 for both the value1 and value2 arguments, and value2 cannot be smaller than value1.

from-payload: Specifies the first bit of the frame payload as the reference bit. If you do not specify this keyword, the first bit of the frame head is the reference bit.

Examples

# Configure a subsignature to match the second and third bytes from the frame head of a frame. If the values of the second and third bytes of a frame are within the range of 0x0015 to 0x0020, the frame matches the subsignature.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] pattern 1 offset 8 mask ffff 15 to 20
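
The offset, mask, value range, and from-payload parameters combine into a single comparison, which can be modeled offline to check a subsignature against sample frames before it is applied. The following is an added example, not H3C code: the function names are hypothetical, and it assumes that bits are numbered from the most significant bit of the first byte, that the 16 selected bits are read in transmission (big-endian) order, and that the payload starts after a 24-byte header.

```python
def extract16(data, bit_offset):
    """Return the 16 bits that start bit_offset bits into data, or None."""
    end = bit_offset + 16
    if end > len(data) * 8:
        return None  # the frame is too short to hold the selected bits
    as_int = int.from_bytes(data, "big")
    return (as_int >> (len(data) * 8 - end)) & 0xFFFF


def pattern_matches(frame, offset, mask, value1, value2=None,
                    from_payload=False, header_len=24):
    """Model of 'pattern N offset O mask M value1 [ to value2 ] [ from-payload ]'.

    Values are passed as integers; the page's example describes '15 to 20'
    as the range 0x0015 to 0x0020.
    """
    if value2 is None:
        value2 = value1
    # Parameter ranges as stated in the command reference.
    if not 0 <= offset <= 2346:
        raise ValueError("offset must be 0 to 2346 bits")
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("mask must be 0 to ffff")
    if not (0 <= value1 <= 65535 and 0 <= value2 <= 65535):
        raise ValueError("values must be 0 to 65535")
    if value2 < value1:
        raise ValueError("value2 cannot be smaller than value1")

    # header_len is an assumption: a management header without HT control.
    reference = frame[header_len:] if from_payload else frame
    bits = extract16(reference, offset)
    if bits is None:
        return False
    return value1 <= (bits & mask) <= value2


# Constructed frames: second and third bytes are 0x0018 and 0x0021.
IN_RANGE = bytes([0xB0, 0x00, 0x18]) + bytes(21)
OUT_OF_RANGE = bytes([0xB0, 0x00, 0x21]) + bytes(21)
# Constructed frame whose payload (after 24 header bytes) starts with 0x0015.
PAYLOAD_HIT = bytes(24) + bytes([0x00, 0x15, 0xFF])

if __name__ == "__main__":
    # Equivalent of: pattern 1 offset 8 mask ffff 15 to 20
    print(pattern_matches(IN_RANGE, 8, 0xFFFF, 0x0015, 0x0020))
    print(pattern_matches(OUT_OF_RANGE, 8, 0xFFFF, 0x0015, 0x0020))
    print(pattern_matches(PAYLOAD_HIT, 0, 0xFFFF, 0x0015, from_payload=True))
```

A narrower mask such as 00ff compares only the low byte of the selected bits, so the value range must be written against the masked result.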

permit-channel

Use permit-channel to add one or multiple channels to the permitted channel list.

Use undo permit-channel to remove the specified or all channels from the permitted channel list.

Syntax

permit-channel channel-id-list

undo permit-channel { channel-id-list | all }

Default

No channel is added to the permitted channel list.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

channel-id-list: Specifies a space-separated list of up to 10 permitted channel items. Each item specifies a channel number or a range of channel numbers in the form of value1 to value2. The value range for channel numbers is 1 to 224. The value for the value2 argument must be equal to or greater than the value for the value1 argument.

all: Specifies all permitted channels.

Usage guidelines

To prevent WIPS from taking all channels as prohibited channels, use this command to configure a permitted channel list before you configure prohibited channel detection.

Examples

# Add channel 1 to the permitted channel list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] permit-channel 1

Related commands

prohibited-channel

power-save

Use power-save to configure power saving attack detection.

Use undo power-save to disable power saving attack detection.

Syntax

power-save [ interval interval-value | minoffpacket packet-value | onoffpercent percent-value | quiet quiet-value ] *

undo power-save

Default

Power saving attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for power save frames. The value range for the interval-value argument is 1 to 3600 seconds, and the default value is 10 seconds.

minoffpacket packet-value: Specifies the threshold for the number of power save off frames that triggers power save attack analysis. If the number of off frames from a client reaches the threshold, WIPS analyzes the power save frames to determine whether a power save attack occurs. The value range for the argument is 10 to 150, and the default is 50.

onoffpercent percent-value: Specifies the threshold for the ratio between the power save on frames and off frames from a client. WIPS triggers an alarm for a power save attack when the threshold is reached. The value range for this argument is 0 to 100, and the default is 80.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a power saving attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a power saving attack within the quiet time.

Examples

# Enable power saving attack detection, and set the interval-value, packet-value, percent-value, and quiet-value arguments to 20, 20, 90, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] power-save interval 20 minoffpacket 20 onoffpercent 90 quiet 100

prohibited-channel

Use prohibited-channel to configure prohibited channel detection.

Use undo prohibited-channel to disable prohibited channel detection.

Syntax

prohibited-channel [ quiet quiet-value ]

undo prohibited-channel

Default

Prohibited channel detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a prohibited channel. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a prohibited channel within the quiet time.

Usage guidelines

To prevent WIPS from taking all channels as prohibited channels, use the permit-channel command to configure a permitted channel list before you configure prohibited channel detection.

Examples

# Enable prohibited channel detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] prohibited-channel quiet 100

Related commands

permit-channel

reset client-proximity-sensor device

Use reset client-proximity-sensor device to clear wireless device entries.

Syntax

reset client-proximity-sensor device { ap | client | mac-address mac-address | all }

Views

User view

Predefined user roles

network-admin

Parameters

ap: Specifies all APs.

client: Specifies all clients.

mac-address mac-address: Specifies a wireless device by its MAC address in H-H-H format.

all: Specifies all wireless devices.

Examples

# Clear information about all wireless clients.

<Sysname> reset client-proximity-sensor device client

# Clear information about the wireless device with the specified MAC address.

<Sysname> reset client-proximity-sensor device mac-address 0023-1212-2323

Related commands

display client-proximity-sensor entry

reset client-proximity-sensor statistics

Use reset client-proximity-sensor statistics to clear detection statistics received from APs.

Syntax

reset client-proximity-sensor statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear detection statistics received from APs.

<Sysname> reset client-proximity-sensor statistics

Related commands

display client-proximity-sensor statistics receive

reset wips statistics

Use reset wips statistics to clear information collected from all sensors.

Syntax

reset wips statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear information collected from all sensors.

<Sysname> reset wips statistics

Related commands

display wips statistics receive

reset wips virtual-security-domain

Use reset wips virtual-security-domain to clear the learned AP or client entries in a VSD.

Syntax

reset wips virtual-security-domain vsd-name device { ap { all | mac-address mac-address } | client { all | mac-address mac-address } | all }

Views

User view

Predefined user roles

network-admin

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

device: Clears device entries.

ap: Clears AP entries.

all: Clears entries for all APs.

mac-address mac-address: Clears the entries for an AP. The mac-address argument represents the MAC address of the AP.

client: Clears client entries.

all: Clears entries for all clients.

mac-address mac-address: Clears the entries for a client. The mac-address argument represents the MAC address of the client.

all: Clears entries for all APs and clients.

Examples

# Clear the learned AP and client entries in the VSD aaa.

<Sysname> reset wips virtual-security-domain aaa device all

Related commands

display wips virtual-security-domain device

reset wips virtual-security-domain countermeasure record

Use reset wips virtual-security-domain countermeasure record to clear information about countermeasures that WIPS has taken against rogue devices.

Syntax

reset wips virtual-security-domain vsd-name countermeasure record

Views

User view

Predefined user roles

network-admin

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Clear information about countermeasures that WIPS has taken against rogue devices for the VSD aaa.

<Sysname> reset wips virtual-security-domain aaa countermeasure record

Related commands

display wips virtual-security-domain countermeasure record

reset wlan nat-detect

Use reset wlan nat-detect to clear information about clients with NAT configured.

Syntax

reset wlan nat-detect

Views

User view

Predefined user roles

network-admin

network-operator

Examples

# Clear information about clients with NAT configured.

<Sysname> reset wlan nat-detect

Related commands

display wlan nat-detect

rssi

Use rssi to configure an AP classification rule to match the RSSI of APs.

Use undo rssi to restore the default.

Syntax

rssi value1 [ to value2 ]

undo rssi

Default

An AP classification rule does not match the RSSI of APs.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

value1 [ to value2 ]: Specifies a value range for the RSSI of APs. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 100 for both the value1 and value2 arguments, and value2 cannot be smaller than value1.

Examples

# Configure AP classification rule 1 to match APs with an RSSI of 20 to 40.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] rssi 20 to 40

security

Use security to configure an AP classification rule to match the security mode used by APs.

Use undo security to restore the default.

Syntax

security { equal | include } { clear | wep | wpa | wpa2 }

undo security

Default

No AP classification rule is configured to match the security mode used by APs.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

equal: Matches security modes equal to the specified security mode.

include: Matches security modes that include the specified security mode.

clear: Specifies the clear security mode.

wep: Specifies the WEP security mode.

wpa: Specifies the WPA security mode.

wpa2: Specifies the WPA2 security mode.

Examples

# Configure AP classification rule 1 to match APs that use the WEP security mode.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] security equal wep

select sensor all

Use select sensor all to enable all sensors that detect an attacker to take countermeasures against the attacker.

Use undo select sensor all to remove the configuration.

Syntax

select sensor all

undo select sensor all

Default

Only the sensor that most recently detects the attacker takes countermeasures against the attacker.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable all sensors that detect an attacker to take countermeasures against the attacker.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-ctm-home] select sensor all

seq-number

Use seq-number to configure a subsignature to match the sequence number of a frame.

Use undo seq-number to restore the default.

Syntax

seq-number seq-value1 [ to seq-value2 ]

undo seq-number

Default

No subsignature is configured to match the sequence number of a frame.

Views

Signature view

Predefined user roles

network-admin

Parameters

seq-value1 [ to seq-value2 ]: Specifies a value range for the sequence number of a frame. The seq-value1 and seq-value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 4095 for both the seq-value1 and seq-value2 arguments, and seq-value2 cannot be smaller than seq-value1.

Examples

# Configure a subsignature to match frames with the sequence number 100.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] seq-number 100

signature policy

Use signature policy to create a signature policy and enter its view. If the specified signature policy already exists, this command enters signature policy view.

Use undo signature policy to remove a signature policy.

Syntax

signature policy policy-name

undo signature policy policy-name

Default

No signature policy is created.

Views

WIPS view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a signature policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Create a signature policy named home and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature policy home

signature rule

Use signature rule to create a signature and enter its view. If the specified signature already exists, the command enters signature view.

Use undo signature rule to remove a signature.

Syntax

signature rule rule-id

undo signature rule rule-id

Default

No signature is created.

Views

WIPS view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a signature by its ID in the range of 1 to 65535.

Examples

# Create signature 1 and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

soft-ap

Use soft-ap to configure soft AP detection.

Use undo soft-ap to disable soft AP detection.

Syntax

soft-ap [ convert-time time-value ]

undo soft-ap

Default

Soft AP detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

convert-time time-value: Specifies the interval at which a soft AP switches between the client role and the AP role. The value range for the time-value argument is 5 to 600 seconds, and the default is 10 seconds.

Examples

# Enable soft AP detection and set the time-value argument to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] soft-ap convert-time 100

ssid (AP classification rule view)

Use ssid to configure an AP classification rule to match the SSID of the wireless service for APs.

Use undo ssid to restore the default.

Syntax

ssid [ case-sensitive ] [ not ] { equal | include } ssid-string

undo ssid

Default

An AP classification rule does not match the SSID of the wireless service for APs.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

case-sensitive: Performs a case-sensitive SSID match.

not: Matches SSIDs that are not equal to or do not include the specified SSID.

equal: Matches SSIDs equal to the specified SSID.

include: Matches SSIDs that include the specified SSID.

ssid-string: Specifies an SSID, a case-sensitive string of 1 to 32 characters.

Examples

# Configure AP classification rule 1 to match APs using wireless services with the SSID abc.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] ssid equal abc

ssid (signature view)

Use ssid to configure a subsignature to match the SSID of a frame.

Use undo ssid to restore the default.

Syntax

ssid [ case-sensitive ] [ not ] { equal | include } string

undo ssid

Default

No subsignature is configured to match the SSID of a frame.

Views

Signature view

Predefined user roles

network-admin

Parameters

case-sensitive: Performs a case-sensitive SSID match.

not: Matches SSIDs that are not equal to or do not include the specified SSID.

equal: Matches SSIDs equal to the specified SSID.

include: Matches SSIDs that include the specified SSID.

string: Specifies an SSID, a case-sensitive string of 1 to 32 characters.

Examples

# Configure a subsignature to match frames with the SSID office for signature 1.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] ssid equal office
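
The following Python sketch is an added example, not H3C code. It models the ssid syntax shared by AP classification rule view and signature view so that a rule can be dry-run against a list of surveyed SSIDs before it is deployed. It assumes that omitting case-sensitive makes the comparison ignore case; the function names and the sample SSIDs are constructed for illustration.

```python
# Added illustration (not H3C code): models the documented syntax
#   ssid [ case-sensitive ] [ not ] { equal | include } ssid-string
# Assumption: without case-sensitive, the comparison ignores case.

def parse_ssid_rule(line):
    """Parse one ssid command line; SSIDs containing spaces are not handled."""
    tokens = line.split()
    if tokens[:1] != ["ssid"]:
        raise ValueError("not an ssid command")
    tokens = tokens[1:]
    rule = {"case_sensitive": False, "negate": False}
    if tokens[:1] == ["case-sensitive"]:
        rule["case_sensitive"], tokens = True, tokens[1:]
    if tokens[:1] == ["not"]:
        rule["negate"], tokens = True, tokens[1:]
    if len(tokens) != 2 or tokens[0] not in ("equal", "include"):
        raise ValueError("expected { equal | include } ssid-string")
    rule["op"], rule["ssid"] = tokens
    if not 1 <= len(rule["ssid"]) <= 32:  # documented length limit
        raise ValueError("ssid-string must be 1 to 32 characters")
    return rule


def ssid_matches(rule, observed):
    """Return True if an observed SSID satisfies the parsed rule."""
    want, seen = rule["ssid"], observed
    if not rule["case_sensitive"]:
        want, seen = want.lower(), seen.lower()
    hit = seen == want if rule["op"] == "equal" else want in seen
    return hit != rule["negate"]  # 'not' inverts the result


def dry_run(line, survey):
    """List the surveyed SSIDs that the command line would match."""
    rule = parse_ssid_rule(line)
    return [s for s in survey if ssid_matches(rule, s)]


# Constructed site-survey SSIDs (sample data, not from a real capture).
SURVEY = ["office", "Office", "office-guest", "0ffice", "lab"]

if __name__ == "__main__":
    for cmd in ("ssid equal office",
                "ssid case-sensitive equal office",
                "ssid include office",
                "ssid not include office"):
        print(f"{cmd!r:40} -> {dry_run(cmd, SURVEY)}")
```

In this model, equal misses the look-alike office-guest that include catches, and neither operator matches 0ffice, so a rule meant to flag imitations of a corporate SSID needs more than one pattern.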

ssid-length

Use ssid-length to configure a subsignature to match the SSID length in a frame.

Use undo ssid-length to restore the default.

Syntax

ssid-length length-value1 [ to length-value2 ]

undo ssid-length

Default

No subsignature is configured to match the SSID length in a frame.

Views

Signature view

Predefined user roles

network-admin

Parameters

length-value1 [ to length-value2 ]: Specifies the value range for the SSID length. The length-value1 and length-value2 arguments specify the start value and end value for the value range, respectively. The value range is 1 to 32 for both the length-value1 and length-value2 arguments, and length-value2 cannot be smaller than length-value1.

Examples

# Configure a subsignature to match frames in which the SSID length is 10.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] ssid-length 10

trust mac-address

Use trust mac-address to add the MAC address of an AP or client to the permitted device list.

Use undo trust mac-address to remove one or all MAC addresses from the permitted device list.

Syntax

trust mac-address mac-address

undo trust mac-address { mac-address | all }

Default

No MAC address is added to the permitted device list.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

mac-address: Specifies a MAC address.

all: Specifies all MAC addresses.

Examples

# Add the MAC address 78AC-C0AF-944F to the permitted device list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] trust mac-address 78AC-C0AF-944F

trust oui

Use trust oui to add an OUI to the trusted OUI list.

Use undo trust oui to remove one or all OUIs from the trusted OUI list.

Syntax

trust oui oui

undo trust oui { oui | all }

Default

No OUI is added to the trusted OUI list.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

oui: Specifies an OUI by its name, a case-insensitive string of 6 characters.

all: Specifies all OUIs.

Examples

# Add the OUIs 000fe4 and 000fe5 to the trusted OUI list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] trust oui 000fe4

[Sysname-wips-cls-home] trust oui 000fe5

trust ssid

Use trust ssid to add an SSID to the trusted SSID list.

Use undo trust ssid to remove one or all SSIDs from the trusted SSID list.

Syntax

trust ssid ssid-name

undo trust ssid { ssid-name | all }

Default

No SSID is added to the trusted SSID list.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

ssid-name: Specifies an SSID by its name, a case-sensitive string of 1 to 32 characters.

all: Specifies all SSIDs.

Examples

# Add the SSID flood1 to the trusted SSID list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] trust ssid flood1

unencrypted-authorized-ap

Use unencrypted-authorized-ap to configure unencrypted authorized AP detection.

Use undo unencrypted-authorized-ap to disable unencrypted authorized AP detection.

Syntax

unencrypted-authorized-ap [ quiet quiet-value ]

undo unencrypted-authorized-ap

Default

Unencrypted authorized AP detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting an unencrypted authorized AP. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an unencrypted authorized AP within the quiet time.

Examples

# Enable unencrypted authorized AP detection and set the quiet time to 10 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] unencrypted-authorized-ap quiet 10

unencrypted-trust-client

Use unencrypted-trust-client to configure unencrypted authorized client detection.

Use undo unencrypted-trust-client to disable unencrypted authorized client detection.

Syntax

unencrypted-trust-client [ quiet quiet-value ]

undo unencrypted-trust-client

Default

Unencrypted authorized client detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting an unencrypted authorized client. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an unencrypted authorized client within the quiet time.

Examples

# Enable unencrypted authorized client detection and set the quiet time to 10 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] unencrypted-trust-client quiet 10

up-duration

Use up-duration to configure an AP classification rule to match the running time of APs.

Use undo up-duration to restore the default.

Syntax

up-duration value1 [ to value2 ]

undo up-duration

Default

An AP classification rule does not match the running time of APs.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

value1 [ to value2 ]: Specifies the value range for the running time of APs. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 2592000 seconds for both the value1 and value2 arguments, and value2 must be greater than value1.

Examples

# Configure AP classification rule 1 to match APs with a running time of 2000 to 40000 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] up-duration 2000 to 40000

virtual-security-domain

Use virtual-security-domain to create a VSD and enter its view.

Use undo virtual-security-domain to remove a VSD.

Syntax

virtual-security-domain vsd-name

undo virtual-security-domain vsd-name

Default

No VSD is created.

Views

WIPS view

Predefined user roles

network-admin

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Create the VSD office and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] virtual-security-domain office

[Sysname-wips-vsd-office]

weak-iv

Use weak-iv to enable weak IV detection.

Use undo weak-iv to restore the default.

Syntax

weak-iv [ quiet quiet-value ]

undo weak-iv

Default

Weak IV detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a weak IV. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a weak IV within the quiet time.

Examples

# Enable weak IV detection.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] weak-iv

windows-bridge

Use windows-bridge to configure Windows bridge detection.

Use undo windows-bridge to disable Windows bridge detection.

Syntax

windows-bridge [ quiet quiet-value ]

undo windows-bridge

Default

Windows bridge detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a Windows bridge. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a Windows bridge within the quiet time.

Examples

# Enable Windows bridge detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] windows-bridge quiet 360

wips

Use wips to enter WIPS view.

Use undo wips to clear all configurations in WIPS view.

Syntax

wips

undo wips

Default

No configuration exists in WIPS view.

Views

System view

Predefined user roles

network-admin

Examples

# Enter WIPS view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips]

wips enable

Use wips enable to enable WIPS.

Use undo wips enable to restore the default.

Syntax

wips enable

undo wips enable

Default

In radio view, a radio uses the configuration in AP group view.

In AP group radio view, WIPS is disabled.

Views

Radio view

AP group radio view

Predefined user roles

network-admin

Examples

# Enable WIPS for radio 1 of AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1 model WA2620i-AGN

[Sysname-wlan-ap-ap1] radio 1

[Sysname-wlan-ap-ap1-radio-1] wips enable

# Enable WIPS for radio 1 of APs with model WA4320i-ACN in AP group apgroup1.

<Sysname> system-view

[Sysname] wlan ap-group apgroup1

[Sysname-wlan-ap-group-apgroup1] ap-model WA4320i-ACN

[Sysname-wlan-ap-group-apgroup1-ap-model-WA4320i-ACN] radio 1

[Sysname-wlan-ap-group-apgroup1-ap-model-WA4320i-ACN-radio-1] wips enable

wips virtual-security-domain

Use wips virtual-security-domain to add an AP to a VSD.

Use undo wips virtual-security-domain to remove an AP from the VSD.

Syntax

wips virtual-security-domain vsd-name

undo wips virtual-security-domain

Default

In AP view, an AP uses the configuration in AP group view.

In AP group view, an AP group is not added to any VSD.

Views

AP view

AP group view

Predefined user roles

network-admin

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Add AP ap1 to the VSD office.

<Sysname> system-view

[Sysname] wlan ap ap1 model WA2620i-AGN

[Sysname-wlan-ap-ap1] wips virtual-security-domain office

# Add AP group apgroup1 to the VSD office.

<Sysname> system-view

[Sysname] wlan ap-group apgroup1

[Sysname-wlan-ap-group-apgroup1] wips virtual-security-domain office

wireless-bridge

Use wireless-bridge to configure wireless bridge detection.

Use undo wireless-bridge to disable wireless bridge detection.

Syntax

wireless-bridge [ quiet quiet-value ]

undo wireless-bridge

Default

Wireless bridge detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a wireless bridge. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a wireless bridge within the quiet time.

Examples

# Enable wireless bridge detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] wireless-bridge quiet 100
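
The following Python sketch is an added example, not H3C code. It shows how the quiet-value used by unencrypted-authorized-ap, unencrypted-trust-client, weak-iv, windows-bridge, and wireless-bridge determines which detections produce an alarm, which helps when tuning the value against alert volume. It assumes that the quiet time is a fixed window starting at the alarm and that a detection exactly at the end of the window raises a new alarm; the function name and detection times are constructed.

```python
# Added illustration (not H3C code): which detections raise an alarm for a
# given quiet-value. Assumptions: the quiet time is a fixed window starting at
# the alarm, and a detection exactly at its end raises a new alarm.

QUIET_MIN, QUIET_MAX, QUIET_DEFAULT = 5, 604800, 600  # seconds, from the page


def simulate(detections, quiet=QUIET_DEFAULT):
    """Split detection timestamps (seconds) into (alarmed, suppressed)."""
    if not QUIET_MIN <= quiet <= QUIET_MAX:
        raise ValueError("quiet-value must be 5 to 604800 seconds")
    alarmed, suppressed = [], []
    quiet_until = None
    for t in sorted(detections):
        if quiet_until is None or t >= quiet_until:
            alarmed.append(t)
            quiet_until = t + quiet
        else:
            suppressed.append(t)
    return alarmed, suppressed


# Constructed detection times in seconds (sample data).
DETECTIONS = [0, 30, 200, 599, 600, 900, 1250, 4000]

if __name__ == "__main__":
    for quiet in (10, QUIET_DEFAULT, QUIET_MAX):
        alarmed, suppressed = simulate(DETECTIONS, quiet)
        print(f"quiet {quiet:>6}: alarms at {alarmed}, "
              f"{len(suppressed)} detections without an alarm")
```

With the maximum quiet time of 604800 seconds, only the first detection in the sample raises an alarm, so a recurring condition can persist for a week with a single notification.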

wlan nat-detect

Use wlan nat-detect enable to enable detection on clients with NAT configured.

Use wlan nat-detect disable to disable detection on clients with NAT configured.

Use undo wlan nat-detect to restore the default.

Syntax

wlan nat-detect { disable | enable }

undo wlan nat-detect

Default

In AP view, an AP uses the configuration in AP group view.

In AP group view, detection on clients with NAT configured is disabled.

Views

AP view

AP group view

Predefined user roles

network-admin

Parameters

disable: Disables detection on clients with NAT configured.

enable: Enables detection on clients with NAT configured.

Usage guidelines

The device generates an alarm when it detects a client configured with NAT. To view information about detected NAT-configured clients, use the display wlan nat-detect command.

Examples

# Enable detection on clients with NAT configured for AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1 model WA4320i-ACN

[Sysname-wlan-ap-ap1] wlan nat-detect enable

# Enable detection on clients with NAT configured for APs in AP group aaa.

<Sysname> system-view

[Sysname] wlan ap-group aaa

[Sysname-wlan-ap-group-aaa] wlan nat-detect enable