WLAN Command Reference


• The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

• Support of the H3C WA series WLAN access points (APs) for commands may vary by AP model. For more information, see Feature Matrix.

• The interface types and the number of interfaces vary by AP model.

 

WLAN Security Configuration Commands

authentication-method

Syntax

authentication-method { open-system | shared-key }

undo authentication-method { open-system | shared-key }

View

WLAN service template view

Default Level

2: System level

Parameters

open-system: Enables open system authentication.

shared-key: Enables shared key authentication.

Description

Use the authentication-method command to select the 802.11 authentication method to be used.

Use the undo authentication-method command to disable the selected authentication method.

By default, open system authentication is enabled.

When you use this command to set the authentication method, if the current service template is of crypto type, and the encryption mode is WEP, you can set the authentication method to either open system or shared key.

 

• If the current service template is of clear type, you can only enable open system authentication.

• If the current service template is of crypto type, you can enable open system or shared key authentication.

 

Examples

# Enable open system authentication.

<Sysname> system-view

[Sysname] wlan service-template 1 clear

[Sysname-wlan-st-1] authentication-method open-system

# Enable shared key authentication.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] authentication-method shared-key

cipher-suite

Syntax

cipher-suite { ccmp | tkip | wep40 | wep104 | wep128}*

undo cipher-suite { ccmp | tkip | wep40 | wep104 | wep128}*

View

WLAN service template view (crypto type)

Default Level

2: System level

Parameters

ccmp: Enables the CCMP cipher suite. CCMP is an AES-based encryption method.

tkip: Enables the TKIP cipher suite. TKIP is an encryption method based on RC4 and dynamic key management.

wep40: Enables the WEP-40 cipher suite. WEP is an encryption method based on RC4 and shared key management.

wep104: Enables the WEP-104 cipher suite.

wep128: Enables the WEP-128 cipher suite.

Description

Use the cipher-suite command to select the cipher suite used to encrypt frames. The supported cipher suites are CCMP, TKIP, WEP40, WEP104 and WEP128.

Use the undo cipher-suite command to disable the selected cipher suite.

By default, no cipher suite is selected.

Examples

# Enable the TKIP cipher suite.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] cipher-suite tkip

gtk-rekey client-offline enable

Syntax

gtk-rekey client-offline enable

undo gtk-rekey client-offline

View

WLAN service template view (crypto type)

Default Level

2: System level

Parameters

None

Description

Use the gtk-rekey client-offline enable command to enable refreshing the group temporal key (GTK) when a client goes offline. This function takes effect when the gtk-rekey enable command has been executed.

Use the undo gtk-rekey client-offline command to disable GTK refreshing when a client goes offline.

By default, the GTK is not refreshed when a client goes offline.

Examples

# Enable GTK refreshing when a client goes offline.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] gtk-rekey client-offline enable

gtk-rekey enable

Syntax

gtk-rekey enable

undo gtk-rekey enable

View

WLAN service template view (crypto type)

Default Level

2: System level

Parameters

None

Description

Use the gtk-rekey enable command to allow GTK refresh.

Use the undo gtk-rekey enable command to disable GTK refresh.

By default, GTK refresh is enabled.

Examples

# Disable GTK refresh.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] undo gtk-rekey enable

gtk-rekey method

Syntax

gtk-rekey method { packet-based [ packet ] | time-based [ time ] }

undo gtk-rekey method

View

WLAN service template view (crypto type)

Default Level

2: System level

Parameters

packet-based: Indicates GTK will be rekeyed after transmitting a specified number of packets.

packet: Number of packets (including multicasts and broadcasts) that are transmitted before the GTK is refreshed. The value ranges from 5000 to 4294967295.

time-based: Indicates that the GTK is rekeyed after a specified period of time.

time: Specifies the time after which the GTK is refreshed. The value ranges from 180 to 604800 seconds.

Description

Use the gtk-rekey method command to select a mechanism for re-keying GTK.

Use the undo gtk-rekey method command to set the refreshing method to the default value.

By default, the GTK refreshing method is time-based, and the interval is 86400 seconds.

• If the time-based option is selected, the GTK is refreshed after a specified period of time. The time ranges from 180 seconds to 604800 seconds, and the default value is 86400 seconds.

• If the packet-based option is selected, the GTK is refreshed after a specified number of packets are transmitted. The number of packets ranges from 5000 to 4294967295, and the default value is 10000000.

The method configured later overwrites the previous one. For example, if you configure the packet-based method and then configure the time-based method, the time-based method will be enabled.

 

Examples

# Enable packet-based GTK refreshing and set the number of packets to 60000.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] gtk-rekey method packet-based 60000

ptk-lifetime

Syntax

ptk-lifetime time

undo ptk-lifetime

View

WLAN service template view (crypto type)

Default Level

2: System level

Parameters

time: Lifetime in seconds, which ranges from 180 to 604800.

Description

Use the ptk-lifetime command to change the lifetime of the pairwise transient key (PTK).

Use the undo ptk-lifetime command to set the PTK lifetime to the default value.

By default, the lifetime of PTK is 43200 seconds.

Examples

# Set the PTK lifetime to 86400 seconds.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] ptk-lifetime 86400

security-ie

Syntax

security-ie { rsn | wpa }

undo security-ie { rsn | wpa }

View

WLAN service template view (crypto type)

Default Level

2: System level

Parameters

rsn: Enables the RSN Information element in the beacon and probe response frames sent by AP. RSN IE advertises the Robust Security Network (RSN) capabilities of the AP.

wpa: Enables the WPA Information element in the beacon and probe response frames sent by AP. WPA IE advertises the Wi-Fi Protected Access (WPA) capabilities of the AP.

Description

Use the security-ie command to enable the WPA-IE, the RSN-IE, or both in Beacon and Probe Response frames.

Use the undo security-ie command to disable the WPA-IE or RSN-IE in Beacon and Probe Response frames.

By default, both WPA-IE and RSN-IE are disabled.

Examples

# Enable the WPA-IE in the frames.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] security-ie wpa

tkip-cm-time

Syntax

tkip-cm-time time

undo tkip-cm-time

View

WLAN service template view (crypto type)

Default Level

2: System level

Parameters

time: Counter measure time for Message Integrity Check (MIC) failure in seconds. The value ranges from 0 to 3600 seconds.

Description

Use the tkip-cm-time command to set the Temporal Key Integrity Protocol (TKIP) Counter measure time.

Use the undo tkip-cm-time command to restore the TKIP counter measure time to the default value.

By default, the TKIP counter measure time is 0 seconds, that is, no counter measures are taken.

After countermeasures are enabled, if more than two MIC failures occur within a certain time, the TKIP associations are disassociated, and new associations are allowed to establish only after the specified TKIP counter measure time expires.

Examples

# Set the TKIP counter measure time to 90 seconds.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] tkip-cm-time 90

wep default-key

Syntax

wep default-key key-index { wep40 | wep104 | wep128} { pass-phrase | raw-key } [ cipher | simple ] key

undo wep default-key key-index

View

WLAN service template view (crypto type)

Default Level

2: System level

Parameters

key-index: The key index values can be:

• 1: Configures the 1st wep default key.

• 2: Configures the 2nd wep default key.

• 3: Configures the 3rd wep default key.

• 4: Configures the 4th wep default key.

wep40: Indicates the wep40 key option.

wep104: Indicates the wep104 key option.

wep128: Indicates the wep128 key option.

pass-phrase: Enables the pass-phrase option. Then a string of alphanumeric characters is used as the key. If WEP40 is selected, 5 alphanumeric characters should be entered as the key; if WEP104 is selected, 13 alphanumeric characters should be entered as the key; if WEP128 is selected, 16 alphanumeric characters should be entered as the key.

raw-key: Enables the raw-key option. The key is entered as a hexadecimal number. If WEP40 is selected, a 10-digit hexadecimal number should be entered as the key; if WEP104 is selected, a 26-digit hexadecimal number should be entered as the key; if WEP128 is selected, a 32-digit hexadecimal number should be entered as the key. The length of the raw-key is fixed.

cipher key: Sets the wep key in cipher text, and the key is displayed in cipher text. The key argument is a case sensitive string of 24 to 88 characters.

simple key: Sets the wep key in simple text, and the key is displayed in simple text. The value range of the key argument (case sensitive) depends on the key option you select.

If you provide neither the simple nor the cipher keyword, you set a wep key in simple text, and the key will be displayed in cipher text. The value range of the key argument is the same as the key specified by simple key.

Description

Use the wep default-key command to configure the wep default key.

Use the undo wep default-key command to delete the configured wep default key.

By default, no wep default key is configured.

Examples

# Specify the wep default key 1 (wep40) as hello.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] wep default-key 1 wep40 pass-phrase hello

# Specify the wep default key as c25d3fe4483e867d1df96eaacd.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] wep default-key 1 wep104 raw-key c25d3fe4483e867d1df96eaacd
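The key-length rules in the pass-phrase, raw-key and cipher key descriptions above can be checked before a command is pushed to an AP. The following Python check is an added example, not part of the H3C reference; the function name check_wep_default_key and the regular expression are assumptions made here, and the findings never echo the key itself.

```python
import re
import string

# Required key lengths from the parameter descriptions above (characters / hex digits).
KEY_LENGTHS = {
    "wep40": {"pass-phrase": 5, "raw-key": 10},
    "wep104": {"pass-phrase": 13, "raw-key": 26},
    "wep128": {"pass-phrase": 16, "raw-key": 32},
}

# Hypothetical pattern written for the documented syntax of wep default-key.
COMMAND = re.compile(
    r"wep default-key (?P<index>\S+) (?P<suite>wep40|wep104|wep128) "
    r"(?P<form>pass-phrase|raw-key)(?: (?P<display>cipher|simple))? (?P<key>\S+)"
)

def check_wep_default_key(line):
    """Return the problems found in one wep default-key command line."""
    m = COMMAND.fullmatch(line.strip())
    if m is None:
        return ["not a well-formed wep default-key command"]
    problems = []
    if m["index"] not in ("1", "2", "3", "4"):
        problems.append(f"key-index {m['index']} is not 1, 2, 3 or 4")
    key, form, suite = m["key"], m["form"], m["suite"]
    if m["display"] == "cipher":
        # A cipher-text key is 24 to 88 characters; its plaintext is not visible here.
        if not 24 <= len(key) <= 88:
            problems.append("cipher key must be 24 to 88 characters")
        return problems
    want = KEY_LENGTHS[suite][form]
    if form == "pass-phrase":
        valid = key.isascii() and key.isalnum()
        unit = "alphanumeric characters"
    else:
        valid = all(c in string.hexdigits for c in key)
        unit = "hexadecimal digits"
    if len(key) != want or not valid:
        problems.append(f"{suite} {form} key must be exactly {want} {unit}")
    return problems

# The first two lines are the examples from this page; the third is constructed.
SAMPLES = [
    "wep default-key 1 wep40 pass-phrase hello",
    "wep default-key 1 wep104 raw-key c25d3fe4483e867d1df96eaacd",
    "wep default-key 2 wep128 pass-phrase hello",
]
```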

wep key-id

Syntax

wep key-id { 1 | 2 | 3 | 4 }

undo wep key-id

View

WLAN service template view (crypto type)

Default Level

2: System level

Parameters

key-index: The key index ranges from 1 to 4:

1: Selects the key index as 1.

2: Selects the key index as 2.

3: Selects the key index as 3.

4: Selects the key index as 4.

Description

Use the wep key-id command to configure the key index.

Use the undo wep key-id command to restore the default.

By default, the key index is 1.

There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the specified key index will be used for encrypting and decrypting the broadcast and multicast frames.

Examples

# Set the key index to 2.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] wep key-id 2

wep mode

Syntax

wep mode dynamic

undo wep mode

View

Service template view

Default Level

2: System level

Parameters

dynamic: Enables dynamic WEP encryption.

Description

Use the wep mode command to enable dynamic WEP encryption.

Use the undo wep mode command to restore the default.

By default, static WEP encryption is enabled.

• Dynamic WEP encryption must be used together with 802.1X authentication, and the WEP key ID cannot be configured as 4.

• With dynamic WEP encryption configured, the device automatically uses the WEP 104 encryption method. To change the encryption method, use the cipher-suite command.

• With dynamic WEP encryption configured, the WEP key used to encrypt unicast frames is negotiated between client and server. If the WEP default key is configured, the WEP default key is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.

Related commands: wep key-id, cipher-suite, and wep default-key.

Examples

# Specify the WEP encryption mode as dynamic.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] wep mode dynamic
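Several rules in this reference span more than one command: the clear-type restriction on authentication-method, the key ID limit for dynamic WEP, the value ranges of the timers, and the tkip-cm-time default of 0. The following Python audit is an added example, not H3C code; the function names and the input layout (a wlan service-template header followed by its commands, one setting per line) are assumptions made here.

```python
RANGES = {  # value ranges stated in the parameter descriptions of this reference
    "ptk-lifetime": (180, 604800),
    "tkip-cm-time": (0, 3600),
    "gtk-rekey method time-based": (180, 604800),
    "gtk-rekey method packet-based": (5000, 4294967295),
}

def parse_templates(config):
    """Group template-view commands under their 'wlan service-template' header."""
    templates, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        parts = line.split()
        if parts[:2] == ["wlan", "service-template"] and len(parts) == 4:
            current = templates.setdefault(parts[2], {"type": parts[3], "cmds": []})
        elif line and current is not None:
            current["cmds"].append(line)
    return templates

def lint_template(tpl):
    """Return findings for one template, using only rules stated in this reference."""
    cmds, findings = tpl["cmds"], []
    if tpl["type"] == "clear" and "authentication-method shared-key" in cmds:
        findings.append("clear template allows only open-system authentication")
    if "wep mode dynamic" in cmds and "wep key-id 4" in cmds:
        findings.append("dynamic WEP cannot use WEP key ID 4")
    if "undo gtk-rekey enable" in cmds:
        findings.append("GTK refresh is disabled")
    for cmd in cmds:
        for prefix, (low, high) in RANGES.items():
            value = cmd[len(prefix):].strip()
            if cmd.startswith(prefix + " ") and value.isdigit() and not low <= int(value) <= high:
                findings.append(f"{prefix} {value} is outside {low}-{high}")
    # tkip-cm-time defaults to 0, which means no countermeasures are taken.
    cm_time = [c.split()[1] for c in cmds if c.startswith("tkip-cm-time ")] or ["0"]
    uses_tkip = any(c.startswith("cipher-suite ") and "tkip" in c.split() for c in cmds)
    if uses_tkip and cm_time[-1] == "0":
        findings.append("TKIP is enabled but the countermeasure time is 0")
    return findings

# Constructed sample in the assumed layout; not captured from a device.
SAMPLE = """\
wlan service-template 1 clear
 authentication-method shared-key
wlan service-template 2 crypto
 cipher-suite tkip
 gtk-rekey method time-based 100
 wep mode dynamic
 wep key-id 4
"""
```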

 
