02-WLAN


Contents

Managing APs

Overview

CAPWAP tunnel

AP configuration methods

APDB

Protocols and standards

Command and hardware compatibility

Configuration task list

Configuration prerequisites

Configuring CAPWAP tunnel establishment

Creating a manual AP

Managing auto APs

Setting the AP connection priority for the AC

Enabling the AC to respond to only unicast discovery requests

Enabling an AP to prefer discovering ACs by IPv6 address

Configuring AC rediscovery

Configuring AC rediscovery in AP view

Configuring AC rediscovery in AP group view

Configuring AC rediscovery in global configuration view

Upgrading APs' software

Overview

Configuring software upgrade

Configuring the mapping between a software version and a hardware version of an AP model

Specifying the preferred location for the AC to obtain an AP image file

Configuring a CAPWAP tunnel

Configuring CAPWAP tunnel latency detection

Setting the control tunnel keepalive time for an AP

Setting the data tunnel keepalive time for an AP

Setting the maximum fragment size for CAPWAP packets

Setting the TCP MSS for CAPWAP tunnels

Configuring AC request retransmission

Configuring AC request retransmission in AP view

Configuring AC request retransmission in AP group view

Setting the statistics report interval

Setting the statistics report interval in AP view

Setting the statistics report interval in AP group view

Configuring remote AP

Configuring remote AP in AP view

Configuring remote AP in AP group view

Configuring the default input power level

Input power level overview

Configuration restrictions and guidelines

Configuring the default input power level in AP view

Configuring the default input power level in AP group's AP model view

Enabling or disabling USB interfaces for APs

Enabling or disabling USB interfaces in AP view

Enabling or disabling USB interfaces in AP group's AP model view

Resetting APs

Renaming a manual AP

Managing the file system of an AP

Configuring an AP group

Configuration restrictions and guidelines

Creating an AP group

Preprovisioning APs

Configuring preprovisioned settings for an AP

Configuring network settings for an AP group

Assigning preprovisioned settings to APs

Configuring auto loading of preprovisioned settings

Enabling SNMP notifications

Loading an APDB user script

Configuration restrictions and guidelines

Configuration procedure

Enabling service anomaly detection

Displaying and maintaining AP management

Setting a LED lighting mode

Displaying AP management information

Clearing AP management information

AP management configuration examples

CAPWAP tunnel establishment through DHCP configuration example

CAPWAP tunnel establishment through DHCPv6 configuration example

CAPWAP tunnel establishment through DNS configuration example

Auto AP configuration example

AP group configuration example

Configuring radio management

Overview

Radio mode

Channel

Transmit power

Transmission rate

MPDU aggregation

MSDU aggregation

MCS

VHT-MCS

Configuration restrictions and guidelines

Configuration task list

Enabling or disabling radios

Enabling or disabling all radios

Enabling or disabling a radio in radio view

Enabling or disabling a radio in AP group radio view

Specifying a radio mode

Configuring basic radio functions

Specifying a working channel

Configuring 2.4 GHz radios to use the European channel gap for auto channel selection

Configuring the channel selection blacklist or whitelist

Setting the antenna type

Setting the antenna gain

Setting the maximum transmit power

Configuring power lock

Setting transmission rates

Setting the preamble type

Setting the maximum transmission distance

Setting the beacon interval

Setting the DTIM interval

Setting the maximum number of clients that can associate with an AP

Configuring 802.11b client access

Configuring ANI

Specifying a collision avoidance mode

Setting the RTS threshold

Configuring 802.11g protection

Setting the fragmentation threshold

Setting the maximum number of hardware retransmissions

Performing on-demand channel usage measurement

Enabling the continuous mode for a radio

Configuring 802.11n functions

Specifying the A-MPDU aggregation method

Specifying the A-MSDU aggregation method

Configuring short GI

Configuring LDPC

Configuring STBC

Setting MCS indexes

Configuring access for only 802.11n and 802.11ac clients

Setting the 802.11n bandwidth mode

Specifying a MIMO mode

Configuring energy saving

Configuring 802.11n protection

Configuring 802.11ac functions

Setting NSSs

Configuring access for only 802.11ac clients

Setting the 802.11ac bandwidth mode

Configuring TxBF

Configuring the smart antenna feature

Displaying and maintaining radio management

Radio management configuration examples

Basic radio function configuration example

802.11n configuration example

Configuring WLAN access

WLAN access overview

Scanning

Association

Client access control

AP group-based access control

SSID-based access control

Whitelist- and blacklist-based access control

Configuration restrictions and guidelines

Configuration task list

Configuring a service template

Setting an SSID

Configuring a description for a service template

Specifying the VLAN allocation method for clients

Configuring clients to prefer the authorization VLAN after roaming

Setting the client cache aging time

Enabling client association at the AC or APs

Specifying the client traffic forwarder

Enabling client traffic forwarding

Setting the encapsulation format for client data frames

Enabling quick association

Enabling a service template

Binding a service template to a radio

Binding a service template to a radio in radio view

Binding a service template to a radio in AP group radio view

Specifying a region code

Specifying a region code in AP view

Specifying a region code in AP group view

Specifying a global region code

Disabling an AP from responding to broadcast probe requests

Disabling an AP from responding to broadcast probe requests in AP view

Disabling APs in an AP group from responding to broadcast probe requests in AP group view

Setting the client idle timeout timer

Setting the client idle timeout timer in AP view

Setting the client idle timeout timer in AP group view

Configuring client keepalive

Configuring client keepalive in AP view

Configuring client keepalive in AP group view

Configuring an AP to not inherit the specified service template from an AP group

Setting the NAS ID

Setting the NAS ID in AP view

Setting the NAS ID in AP group view

Setting the global NAS ID

Setting the way in which an AP processes traffic from unknown clients

Configuring policy-based forwarding

Configuring a forwarding policy

Applying a forwarding policy to a service template

Applying a forwarding policy to a user profile

Specifying a permitted AP group for client access

Specifying a permitted SSID for client access

Adding a client to the whitelist

Adding a client to the static blacklist

Configuring the dynamic blacklist

Setting the idle period before client reauthentication

Deploying a configuration file to an AP

Deploying a configuration file to an AP in AP view

Deploying a configuration file to an AP in AP group AP model view

Configuring uplink client rate limit

Specifying the Web server to which client information is reported

Enabling SNMP notification

Enabling the device to generate client logs in the specified format

Displaying and maintaining WLAN access

WLAN access configuration examples

WLAN access configuration example

Whitelist configuration example

Static blacklist configuration example

Configuring WLAN security

Overview

Pre-RSNA mechanism

Open system authentication

Shared key authentication

RSNA mechanism

Authentication

Key management

Cipher suites

Management frame protection

Dynamic WEP mechanism

Protocols and standards

WLAN security configuration task lists

Configuring the AKM mode

Setting the security information element

Setting the cipher suite

Setting the PSK

Setting the KDF

Configuring GTK update

Setting the PTK lifetime

Setting the TKIP MIC failure hold time

Setting the WEP key

Configuring management frame protection

Enabling the dynamic WEP mechanism

Enabling SNMP notifications for WLAN security

Displaying and maintaining WLAN security

WLAN security configuration examples

Shared key authentication configuration example

PSK authentication and bypass authentication configuration example

PSK authentication and MAC authentication configuration example

802.1X AKM configuration example

Management frame protection configuration example

Dynamic WEP mechanism configuration example

Private PSK authentication and MAC authentication configuration example

WLAN authentication overview

Application scenarios

802.1X authentication

802.1X authentication initiation

802.1X authentication process

MAC authentication

User account policies

Authentication methods

OUI authentication

Authentication modes

Intrusion protection

WLAN VLAN manipulation

VLAN authorization

Auth-Fail VLAN

Using WLAN authentication with other features

ACL assignment

User profile assignment

BYOD access control

Configuring WLAN authentication

Configuration prerequisites

WLAN authentication configuration task list

Configuring global WLAN authentication parameters

Setting OUIs for OUI authentication

Specifying 802.1X-supported domain name delimiters

Enabling EAP relay or EAP termination for 802.1X

Setting the maximum number of 802.1X authentication request attempts

Setting the 802.1X authentication timers

Configuring the MAC authentication user account format

Specifying a global MAC authentication domain

Setting the MAC authentication server timeout timer

Configuring service-specific WLAN authentication parameters

Setting the authentication mode

Specifying an EAP mode for 802.1X authentication

Specifying the authenticator for WLAN clients

Ignoring 802.1X or MAC authentication failures

Configuring a WLAN Auth-Fail VLAN

Ignoring authorization information from the server

Enabling the authorization-fail-offline feature

Configuring intrusion protection

Configuring the online user handshake feature

Specifying an 802.1X authentication domain

Setting the maximum number of concurrent 802.1X clients

Enabling the periodic online user reauthentication feature

Setting the maximum number of concurrent MAC authentication clients

Specifying a service-specific MAC authentication domain

Configuring the accounting-start trigger feature

Configuring the accounting-update trigger feature

Displaying and maintaining WLAN authentication settings

WLAN authentication configuration examples

802.1X CHAP local authentication configuration example

802.1X EAP-PEAP RADIUS authentication configuration example

RADIUS-based MAC authentication configuration example

Configuring WIPS

Overview

Attack detection

Flood attack detection

Malformed packet detection

Spoofing attack detection

Weak IV detection

Omerta attack detection

Broadcast disassociation/deauthentication attack detection

Detection on clients with the 40 MHz bandwidth mode disabled

Power save attack detection

Prohibited channel detection

Soft AP detection

Windows bridge detection

Unencrypted device detection

Hotspot attack detection

AP impersonation attack detection

HT-greenfield AP detection

Honeypot AP detection

MITM attack detection

Wireless bridge detection

Association/reassociation DoS attack detection

AP flood attack detection

Device entry attack detection

User-defined attack detection based on signatures

Device classification

AP classification

Client classification

Countermeasures

WIPS configuration task list

Enabling WIPS

Enabling WIPS in radio view

Enabling WIPS in AP group radio view

Configuring wireless attack detection

Configuring flood attack detection

Configuring malformed packet detection

Configuring device entry attack detection

Configuring detection on other attacks

Applying an attack detection policy

Configuring user-defined attack detection based on signatures

Configuring the alarm-ignored device list

Configuring device classification

Configuring a classification policy

Applying a classification policy

Configuring countermeasures

Configuring a countermeasure policy

Applying a countermeasure policy

Setting the wireless device information report interval

Enabling fast learning of client association entries

Enabling WIPS to detect unassociated clients

Configuring WIPS detection filtering

Detecting clients with NAT configured

Detecting clients with NAT configured in AP view

Detecting clients with NAT configured in AP group view

Displaying and maintaining WIPS

WIPS configuration examples

Device classification and countermeasures configuration example

Malformed packet and flood attack detection examples

Signature-based user-defined attack detection configuration example

Configuring WLAN QoS

Overview

WMM protocol

SVP

Bandwidth guaranteeing

Client rate limiting

Protocols and standards

Configuration restrictions and guidelines

Configuring WMM

Enabling WMM

Setting EDCA parameters

Setting EDCA parameters for clients (AC-BE or AC-BK)

Setting EDCA parameters for clients (AC-VI or AC-VO)

Configuring a port to trust packet priority for priority mapping

Configuring SVP mapping

Configuring bandwidth guaranteeing

Configuring bandwidth guaranteeing for an AP

Configuring bandwidth guaranteeing for an AP group

Configuring client rate limiting

Configuring service-template-based client rate limiting

Configuring radio-based client rate limiting

Configuring client-type-based client rate limiting

Displaying and maintaining WMM

WLAN QoS configuration examples

Basic WMM configuration example

CAC configuration example

SVP mapping configuration example

Traffic differentiation configuration example

Bandwidth guaranteeing configuration example

Client rate limiting configuration example

Configuring WLAN roaming

Overview

Terminology

WLAN roaming mechanism

Intra-AC roaming

Inter-AC roaming

Configuration restrictions and guidelines

Configuration task list

Creating a mobility group

Setting an authentication mode for IACTP control messages

Specifying an IP address type for IACTP tunnels

Specifying the source IP address for establishing IACTP tunnels

Adding a mobility group member

Enabling a mobility group

Enabling tunnel isolation for mobility groups

Enabling SNMP notifications for WLAN roaming

Displaying and maintaining WLAN roaming

WLAN roaming configuration examples

Configuring intra-AC roaming

Configuring inter-AC roaming

Configuring WLAN load balancing

Overview

Implementation prerequisites

Work mechanism

Load balancing modes

Load balancing types

Configuration task list

Configuring WLAN load balancing

Enabling WLAN load balancing

Setting a load balancing mode

Configuring a load balancing group

Configuring load balancing parameters

Enabling SNMP notifications for WLAN load balancing

Displaying and maintaining WLAN load balancing

WLAN load balancing configuration examples (for radios)

Configuring session-mode load balancing

Configuring traffic-mode load balancing

Configuring bandwidth-mode load balancing

WLAN load balancing configuration examples (for a load balancing group)

Configuring session-mode load balancing

Configuring traffic-mode load balancing

Configuring bandwidth-mode load balancing

Configuring WLAN radio resource measurement

Overview

802.11h measurement

802.11k measurement

Configuration task list

Enabling radio resource measurement

Enabling radio resource measurement in radio view

Enabling radio resource measurement in AP group radio view

Setting the measurement duration and interval

Setting the measurement duration and interval in radio view

Setting the measurement duration and interval in AP group radio view

Setting the match mode for client radio resource measurement capabilities

Setting the match mode for client radio resource measurement capabilities in radio view

Setting the match mode for client radio resource measurement capabilities in AP group radio view

Displaying and maintaining WLAN radio resource measurement

Radio resource measurement configuration examples

Network requirements

Configuration procedures

Verifying the configuration

Configuring channel scanning

Overview

Basic concepts

Work mechanism

Configuring channel scanning

Setting the scanning period

Setting the maximum service period

Setting the service idle timeout

Configuring the channel scanning blacklist or whitelist

Scanning all channels

Channel scanning configuration examples

Relative forwarding preferred configuration example

Absolute forwarding preferred configuration example

Configuring band navigation

Overview

Configuration task list

Configuration prerequisites

Configuring band navigation

Enabling band navigation globally

Enabling band navigation for an AP

Configuring load balancing for band navigation

Configuring band navigation parameters

Band navigation configuration examples

Configuring dual-link backup

Overview

Dual-link backup configuration task list

Configuration prerequisites

Setting AP connection priority and specifying a backup AC

Specifying a backup AC for an AP

Specifying a backup AC for an AP group

Configuring master CAPWAP tunnel preemption

Configuring master CAPWAP tunnel preemption for an AP

Configuring master CAPWAP tunnel preemption for an AP group

Configuring master CAPWAP tunnel preemption globally

Dual-link backup configuration example

Network requirements

Configuration procedure

Verifying the configuration

Configuring AP load balancing

Overview

AC roles

AP load balancing

Feature and hardware compatibility

Configuration prerequisites

Setting the number of active ACs

Setting the threshold and gap threshold for AP load balancing

Displaying and maintaining AP load balancing

AP load balancing configuration example

Network requirements

Configuration procedure

Verifying the configuration

Configuring WLAN uplink detection

Overview

Associating a track entry with the WLAN uplink detection feature

WLAN uplink detection configuration example

Network requirements

Configuration procedure

Verifying the configuration

Configuring 802.11r

802.11r overview

802.11r operating mechanism

Intra-AC roaming through over-the-air FT

Inter-AC roaming through over-the-air FT

Intra-AC roaming through over-the-DS FT

Protocols and standards

Configuring 802.11r

802.11r configuration examples

Over-the-DS FT and PSK authentication configuration example

Over-the-air FT and PSK authentication configuration example

Over-the-DS FT and 802.1X authentication configuration example

Over-the-air FT and 802.1X authentication configuration example

Configuring wireless location

Overview

Wireless location system

Wireless location mechanism

Configuration task list

Configuring WLAN location

Enabling RF fingerprinting

Enabling radio-based location

Specifying an IPv4 address and a port number for the location server

Specifying a port to listen for messages from the location server

Specifying a multicast MAC address for Tags

Specifying the type of devices to locate

Configuring raw frame reporting

Configuring MU information reporting

Specifying the location packet format

Specifying the report mode for location packets

Configuring packet dilution

Enabling ignoring beacon frames

Enabling ignoring AP frames

Configuring RSSI-based packet filtering

Configuring client packet rate limiting

Configuring location packet rate limiting

Configuring wireless location keepalive

Enabling SNMP notifications for wireless location

Displaying and maintaining wireless location

Wireless location configuration example

Network requirements

Configuration procedure

Verifying the configuration

Configuring Hotspot 2.0

Overview

Hotspot 2.0 operating mechanism

Scanning

GAS frame exchange

Online signup

Protocols and standards

Configuration task list

Configuring a Hotspot 2.0 policy

Configuring 3GPP information

Setting an HESSID

Setting the access network type

Specifying a network authentication type

Setting the domain name

Specifying an OI

Configuring IP address availability

Specifying an authentication type for an NAI realm

Setting service provider information

Setting the port status for an IP protocol

Setting WAN link status parameters

Disabling the DGAF feature

Managing GAS frames

Binding a Hotspot 2.0 policy to a service template

Configuring AP venue information

Configuring an OSU server

Setting an SSID for online signup services

Managing OSU server icons

Binding an OSU server to a Hotspot 2.0 policy

Displaying and maintaining Hotspot 2.0

Hotspot 2.0 configuration examples

iPhone application

Configuration restrictions and guidelines

Configuration procedures

Verifying the configuration

Samsung application

Configuration restrictions and guidelines

Configuration procedures

Verifying the configuration

Hotspot 2.0 configuration examples (for version 2)

Network requirements

Configuration restrictions and guidelines

Configuration procedures

Verifying the configuration

Configuring WLAN RRM

Overview

Dynamic frequency selection

Transmit power control

Spectrum management

Configuration restrictions and guidelines

WLAN RRM configuration task list

Configuring DFS

Configuration restrictions and guidelines

Configuring DFS trigger parameters

Configuring periodic auto-DFS

Configuring scheduled auto-DFS

Configuring on-demand DFS

Configuring an RRM holddown group

Configuring TPC

Configuration restrictions and guidelines

Setting the TPC mode

Configuring TPC trigger parameters

Setting the minimum transmit power

Configuring periodic auto-TPC

Configuring on-demand TPC

Configuring an RRM holddown group

Configuring spectrum management

Enabling spectrum management

Setting the power constraint mode

Setting the channel switch mode

Setting the transmit power capability match mode

Setting the channel capability match mode

Configuring a radio baseline

Enabling radio scanning

Enabling SNMP notifications for WLAN RRM

Displaying and maintaining WLAN RRM

WLAN RRM configuration examples

Periodic auto-DFS configuration example

Scheduled auto-DFS configuration example

Periodic auto-TPC configuration example

Spectrum management configuration example

Configuring IoT APs

Feature and hardware compatibility

Configuration task list

Specifying a serial number for a module

Configuration restrictions and guidelines

Configuration procedure

Enabling a module

Enabling a module for an AP

Enabling a module for an AP group

Specifying the supported module type

Specifying the supported module type for an AP

Specifying the supported module type for an AP group

Setting the transmit power level for a module

Setting the transmit power level for a module in module view

Setting the transmit power level for a module in AP group's module view

Upgrading the firmware of a module

Configuring automatic module firmware upgrade

Manually upgrading the firmware of a module

Restoring the factory settings for a module

Restarting a module

Configuring iBeacon transmission for a BLE module

Configuring iBeacon transmission for a BLE module in module view

Configuring iBeacon transmission for a BLE module in AP group's module view

Displaying and maintaining IoT APs

Configuring CM tunnels

Overview

CM tunnel establishment

Configuring a CM tunnel

Displaying and maintaining CM tunnels

CM tunnel configuration example

Network requirements

Configuration procedure

Verifying the configuration

Configuring cloud connections

Overview

Cloud connection establishment

Configuring a cloud connection

Displaying and maintaining cloud connections

Cloud connection configuration example

Network requirements

Configuration procedure

Verifying the configuration

Configuring WLAN IP snooping

Overview

Client IPv4 address learning

Client IPv6 address learning

WLAN IP snooping configuration task list

Disabling snooping ARP packets

Disabling snooping ND packets

Disabling SNMP from getting client IPv6 addresses learned from ND packets

Enabling snooping HTTP requests redirected to the portal server

WLAN IP snooping configuration example

Network requirements

Configuration procedure

Configuring WLAN fast forwarding

Overview

Feature and hardware compatibility

Configuring WLAN fast forwarding

Displaying and maintaining WLAN fast forwarding

Configuring WLAN probe

Overview

WLAN probe system

Work mechanism

WLAN probe configuration task list

Enabling WLAN probe

Specifying a server to receive wireless device information

Configuring sensors to report wireless device information to the AC

Enabling real-time reporting of wireless device information to the UDP server

Setting the coordinates for a sensor

Configuring wireless device filtering

Setting device entry timers

Displaying and maintaining WLAN probe

WLAN probe configuration examples

WLAN probe configuration example

Configuring WLAN process maintenance

Overview

Enabling WLAN process maintenance

Setting the inactive timeout

Setting the memory usage threshold

Displaying and maintaining WLAN process maintenance

Index


Managing APs

Overview

Managing a large number of APs is both time consuming and costly. The fit AP+AC network architecture enables an AC to establish Control And Provisioning of Wireless Access Points (CAPWAP) tunnels with a large number of APs for centralized AP management and maintenance.

CAPWAP tunnel

CAPWAP defines how an AP communicates with an AC. It provides a generic encapsulation and transport mechanism between AP and AC. CAPWAP uses UDP and supports both IPv4 and IPv6.

As shown in Figure 1, an AC and an AP establish a data tunnel to forward data packets and a control tunnel to forward control packets.

Figure 1 CAPWAP tunnel

 

AC discovery

After starting up with zero configurations, an AP automatically creates VLAN-interface 1 and enables the DHCP client, DHCPv6 client, and DNS features on the interface. Then it obtains its own IP address from the DHCP server and discovers ACs by using the following methods:

·     Static IP address:

If AC IP addresses have been manually configured for the AP, the AP sends a unicast discovery request to each AC IP address to discover ACs.

·     DHCP options:

a.     The AP obtains AC IPv4 addresses from Option 138 and Option 43, and AC IPv6 addresses from Option 52, as sent by the DHCP server. It uses these addresses in descending order.

b.     The AP sends a unicast discovery request to each received AC address to discover ACs.

For more information about DHCP options, see Layer 3—IP Services Configuration Guide.

·     DNS:

a.     The AP obtains the domain name suffix from the DHCP server.

b.     The AP adds the suffix to the host name.

c.     The DNS server translates the domain name into IP addresses.

d.     The AP sends a unicast discovery request to each IP address to discover ACs.

For more information about DNS, see Layer 3—IP Services Configuration Guide.

·     Broadcast:

The AP broadcasts discovery requests to IP address 255.255.255.255 to discover ACs.

·     IPv4 multicast:

The AP sends multicast discovery requests to IPv4 address 224.0.1.140 to discover ACs.

·     IPv6 multicast:

The AP sends multicast discovery requests to IPv6 address FF0E::18C to discover ACs.

The AP uses the discovery methods in the following descending order: static IP address, DHCPv4 options, broadcast, IPv4 multicast, IPv4 DNS, IPv6 multicast, DHCPv6 option, and IPv6 DNS.

The AP does not stop AC discovery until it establishes a CAPWAP tunnel with one of the discovered ACs.

CAPWAP tunnel establishment

Figure 2 Establishing a CAPWAP tunnel

 

As shown in Figure 2, the AP and an AC establish a CAPWAP tunnel by using the following procedure:

1.     The AP sends a discovery request to each AC to discover ACs.

2.     Upon receiving the discovery request, an AC determines whether to send a discovery response by performing the following steps:

a.     Identifies whether the discovery request is a unicast packet.

-     Unicast packet—The AC proceeds to step b.

-     Broadcast or multicast packet—The AC proceeds to step b if the feature of responding to only unicast discovery requests is disabled. If this feature is enabled, the AC does not send a discovery response.

b.     Identifies whether it has manual AP configuration for the AP model specified in the discovery request.

-     If manual AP configuration exists, the AC sends a discovery response to the AP. The discovery response contains information about whether the AC has the manual configuration for the AP, the AP connection priority, and the AC's load status.

-     If no manual AP configuration exists, the AC proceeds to step c.

c.     Identifies whether auto AP is enabled.

-     If auto AP is enabled, the AC sends a discovery response to the AP. The discovery response contains the enabling status of auto AP, AP connection priority, and AC's load information.

-     If auto AP is disabled, the AC does not send a discovery response.

3.     Upon receiving the discovery responses, the AP selects the optimal AC by using the following criteria in descending order of priority:

-     AC that saves information about the AP.

-     AC where the auto AP feature is enabled.

-     AC with higher AP connection priority.

-     AC with the lighter load.

4.     The AP sends a join request to the optimal AC.

5.     After receiving the join request, the AC examines information in the request to determine whether to provide access services to the AP and sends a join response.

6.     After receiving the join response, the AP examines the result code in the response:

-     If the result code represents failure, the AP does not establish a CAPWAP tunnel with the AC.

-     If the result code represents success, the AP establishes a CAPWAP tunnel with the AC.
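The following added example (not part of the original guide and not H3C code) models steps 2 and 3 of the procedure above, so you can see which ACs answer a given discovery request and which AC the AP then selects. All class and function names are hypothetical, and the example assumes that manual APs are matched by serial ID, that each AC advertises a single priority, and that load is a plain number where smaller means lighter.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class DiscoveryRequest:
    ap_serial: str   # assumption: the AC matches manual APs by serial ID
    ap_model: str
    cast: str        # "unicast", "broadcast" or "multicast"


@dataclass
class AC:
    name: str
    manual_ap_serials: set = field(default_factory=set)
    auto_ap: bool = False        # wlan auto-ap enable (disabled by default)
    unicast_only: bool = False   # wlan capwap discovery-policy unicast
    priority: int = 4            # AP connection priority, larger is higher
    load: int = 0                # hypothetical load figure, smaller is lighter


@dataclass(frozen=True)
class DiscoveryResponse:
    ac_name: str
    manual_config: bool   # True: AC holds manual AP configuration for this AP
    auto_ap: bool         # True: AC answered because auto AP is enabled
    priority: int
    load: int


def ac_respond(ac: AC, req: DiscoveryRequest) -> Optional[DiscoveryResponse]:
    """Steps 2a to 2c: decide whether this AC answers the discovery request."""
    # Step a: broadcast and multicast requests are dropped in unicast-only mode.
    if req.cast != "unicast" and ac.unicast_only:
        return None
    # Step b: manual AP configuration always produces a response.
    if req.ap_serial in ac.manual_ap_serials:
        return DiscoveryResponse(ac.name, True, False, ac.priority, ac.load)
    # Step c: without manual configuration only auto AP produces a response.
    if ac.auto_ap:
        return DiscoveryResponse(ac.name, False, True, ac.priority, ac.load)
    return None


def select_ac(responses) -> Optional[DiscoveryResponse]:
    """Step 3: manual configuration, then auto AP, then priority, then load."""
    if not responses:
        return None
    return max(responses,
               key=lambda r: (r.manual_config, r.auto_ap, r.priority, -r.load))


def discover(acs, req):
    """Run one discovery round; return (names of responding ACs, chosen AC)."""
    responses = [r for r in (ac_respond(ac, req) for ac in acs) if r is not None]
    chosen = select_ac(responses)
    return [r.ac_name for r in responses], chosen.ac_name if chosen else None


# Constructed deployment: serial numbers, names and load values are made up.
ACS = [
    AC("ac1", manual_ap_serials={"SN-KNOWN-001"}, priority=4, load=50),
    AC("ac2", manual_ap_serials={"SN-KNOWN-001"}, priority=6, load=80),
    AC("ac3", auto_ap=True, priority=7, load=10),
    AC("ac4"),                                   # no manual AP, auto AP off
    AC("ac5", auto_ap=True, unicast_only=True, priority=7, load=5),
]

if __name__ == "__main__":
    known = DiscoveryRequest("SN-KNOWN-001", "EXAMPLE-MODEL", "unicast")
    unknown_bcast = DiscoveryRequest("SN-UNKNOWN-999", "EXAMPLE-MODEL", "broadcast")
    unknown_ucast = DiscoveryRequest("SN-UNKNOWN-999", "EXAMPLE-MODEL", "unicast")
    for req in (known, unknown_bcast, unknown_ucast):
        print(req.ap_serial, req.cast, discover(ACS, req))
```

An AP without manual configuration gets a response only from ACs that have auto AP enabled, and in unicast-only mode only when it already knows the AC address.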

AC rediscovery

An AC enabled with AC rediscovery will add the CAPWAP Control IP Address message element to the discovery responses sent to APs. Upon receiving such a discovery response, an AP establishes a CAPWAP tunnel by following this procedure:

1.     Examines whether a discovery request has been sent to the IP address specified in the CAPWAP Control IP Address message element.

2.     Performs either of the following operations:

-     Sends a join request to the specified IP address representing the optimal AC for CAPWAP establishment if a discovery request has been sent.

-     Sends a discovery request to each specified IP address to initiate a new AC discovery process if a discovery request has not been sent.

An AC disabled with AC rediscovery does not add the CAPWAP Control IP Address message element in discovery responses sent to APs. APs that receive the discovery responses will send join requests to the source IP address of the discovery responses to establish CAPWAP tunnels with the AC.

AP configuration methods

You can configure APs by using any of the following methods:

·     Configure APs one by one in AP view.

·     Assign APs to an AP group and configure the AP group in AP group view.

·     Configure all APs in global configuration view.

For an AP, the priorities of the configuration in AP view, AP group view, and global configuration view are in descending order.

APDB

The Access Point Information Database (APDB) on an AC stores the following AP information:

·     AP models.

·     Hardware version and software version mappings.

·     Information about radios supported by AP models.

-     Number of radios.

-     Radio type.

-     Valid region code.

-     Valid antenna type.

-     Maximum transmission power.

The AC can establish a CAPWAP tunnel with an AP only when the APDB contains the corresponding AP model information.

You can use the system script and user scripts to manage data in the APDB. The system script is released with the AC software version, and it is automatically loaded each time the AC starts. If you need to add new AP models, upgrade the AC software version (see Fundamentals Configuration Guide) or create a user script and load it on the AC (see "Loading an APDB user script").

Protocols and standards

·     RFC 5415, Control And Provisioning of Wireless Access Points (CAPWAP) Protocol Specification

·     RFC 5416, Control and Provisioning of Wireless Access Points (CAPWAP) Protocol Binding for IEEE 802.11

·     RFC 5417, Control And Provisioning of Wireless Access Points (CAPWAP) Access Controller DHCP Option

Command and hardware compatibility

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Configuration task list

Tasks at a glance

(Required.) Configuring CAPWAP tunnel establishment

(Optional.) Configuring AC rediscovery

(Optional.) Upgrading APs' software

(Optional.) Configuring a CAPWAP tunnel

(Optional.) Configuring AC request retransmission

(Optional.) Setting the statistics report interval

(Optional.) Configuring remote AP

(Optional.) Configuring the default input power level

(Optional.) Enabling or disabling USB interfaces for APs

(Optional.) Resetting APs

(Optional.) Renaming a manual AP

(Optional.) Managing the file system of an AP

(Optional.) Configuring an AP group

(Optional.) Preprovisioning APs

(Optional.) Enabling SNMP notifications

(Optional.) Loading an APDB user script

(Optional.) Enabling service anomaly detection

 

Configuration prerequisites

Before you manage APs, complete the following tasks:

·     Create a DHCP address pool on the DHCP server to assign IP addresses to APs.

·     If DHCP options are used for AC discovery, configure Option 138, Option 43, or Option 52 in the specified DHCP address pool on the DHCP server.

·     If DNS is used for AC discovery, configure the IP address of the DNS server and the AC domain name suffix in the specified DHCP address pool on the DHCP server. Then configure the mapping between the domain name and the AC IP address on the DNS server.

·     Make sure the APs and the AC can reach each other.

For more information about DHCP and DNS, see Layer 3—IP Services Configuration Guide.

Configuring CAPWAP tunnel establishment

Creating a manual AP

You can create a manual AP on the AC according to the AP model, serial ID, and MAC address of the AP you are using. An AP prefers to establish a CAPWAP tunnel with an AC that saves the manual AP configuration.

To create a manual AP:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a manual AP and enter its view.

wlan ap ap-name [ model model-name ]

By default, no manual AP exists.

You must specify the model name when you create an AP.

3.     Specify the serial ID or the MAC address for the AP.

·     Specify the serial ID for the AP:
serial-id serial-id

·     Specify the MAC address for the AP:
mac-address mac-address

Use either command.

4.     (Optional.) Set a description for the AP.

description text

By default, no description is set for an AP.

 

Managing auto APs

The auto AP feature enables APs to connect to an AC without manual AP configuration. The AC names auto APs by their MAC addresses. This feature simplifies configuration when you deploy a large number of APs in a WLAN.

Enabling the auto AP feature

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the auto AP feature.

wlan auto-ap enable

By default, the auto AP feature is disabled.

 

Converting auto APs to manual APs

You must convert auto APs to manual APs after they come online for the following reasons:

·     You can modify the configuration of auto APs only after they are converted to manual APs.

·     For security purposes, auto APs can re-associate with the AC upon an AC reboot or CAPWAP tunnel termination only when they are converted to manual APs.

To convert auto APs to manual APs:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Convert auto APs to manual APs.

·     Convert online auto APs to manual APs:
wlan auto-ap persistent { all | name auto-ap-name [ new-ap-name ] }

·     Convert auto APs to manual APs automatically after auto APs come online:
wlan auto-persistent enable

Use either command.

By default, auto APs are not converted to manual APs.

The wlan auto-persistent enable command does not take effect on auto APs that are already online.

 

Setting the AP connection priority for the AC

ACs put their AP connection priorities in discovery responses. An AP prefers to establish a CAPWAP tunnel with an AC that has higher connection priority when either of the following conditions exists:

·     Multiple ACs have manual AP configuration for the AP.

·     No AC has manual AP configuration for the AP, but multiple ACs are enabled with the auto AP feature.

Setting the AP connection priority in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Set the AP connection priority for the AC.

priority priority

By default, an AP uses the configuration in AP group view.

A larger number represents a higher priority.

 

Setting the AP connection priority in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Set the AP connection priority for the AC.

priority priority

The default setting is 4.

A larger number represents a higher priority.

 

Enabling the AC to respond to only unicast discovery requests

An AP can send unicast, multicast, and broadcast discovery requests to discover ACs. This feature enables an AC to respond to only unicast discovery requests.

To enable the AC to respond to only unicast discovery requests:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the AC to respond to only unicast discovery requests.

wlan capwap discovery-policy unicast

By default, the AC can respond to unicast, multicast, and broadcast discovery requests.

 

Enabling an AP to prefer discovering ACs by IPv6 address

This feature enables an AP to discover ACs by using the static IP addresses, IPv6 multicast, DHCPv6 option, IPv6 DNS, DHCPv4 options, broadcast/IPv4 multicast, and IPv4 DNS successively. If the AP connects to an AC successfully with a discovered IP address, it stops AC discovery.

Enabling an AP to prefer discovering ACs by IPv6 address in AP provision view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name

N/A

3.     Enter AP provision view.

provision

N/A

4.     Enable an AP to prefer discovering ACs by IPv6 address.

ac discovery policy ipv6

By default, an AP uses the configuration in AP group provision view.

 

Enabling an AP to prefer discovering ACs by IPv6 address in AP group provision view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP group provision view.

provision

N/A

4.     Enable an AP to prefer discovering ACs by IPv6 address.

ac discovery policy ipv6

By default, an AP prefers to discover ACs by IPv4 address.

 

Configuring AC rediscovery

Configuring AC rediscovery in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Configure AC rediscovery.

control-address { disable | enable }

By default, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view.

4.     Specify the IP address to be carried in the CAPWAP Control IP Address message element.

control-address { ip ipv4-address | ipv6 ipv6-address }

By default, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view.

You can specify a maximum of three IPv4 or IPv6 addresses to be added in the CAPWAP Control IP Address message element.

 

Configuring AC rediscovery in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Configure AC rediscovery.

control-address { disable | enable }

By default, an AP uses the configuration in global configuration view.

4.     Specify the IP address to be carried in the CAPWAP Control IP Address message element.

control-address { ip ipv4-address | ipv6 ipv6-address }

By default, an AP uses the configuration in global configuration view.

You can specify a maximum of three IPv4 or IPv6 addresses to be added in the CAPWAP Control IP Address message element.

 

Configuring AC rediscovery in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Configure AC rediscovery.

control-address { disable | enable }

By default, AC rediscovery is disabled.

4.     Specify the IP address to be carried in the CAPWAP Control IP Address message element.

control-address { ip ipv4-address | ipv6 ipv6-address }

By default, the IP address in the element is the AC's IP address.

You can specify a maximum of three IPv4 or IPv6 addresses to be added in the CAPWAP Control IP Address message element.

 

Upgrading APs' software

Overview

Software upgrade for an AP proceeds as follows:

1.     The AP reports the software version and AP model information to the AC.

2.     The AC examines the received AP software version.

-     If a match is found, the AC establishes a CAPWAP tunnel with the AP.

-     If no match is found, the AC sends a message that notifies the AP of the AP software version inconsistency.

3.     Upon receiving the inconsistency message, the AP requests a software version from the AC.

4.     The AC assigns the software version to the AP after receiving the request.

5.     The AP upgrades the software version, and restarts to establish a CAPWAP tunnel with the AC.

Configuring software upgrade

The AC examines the AP software version while establishing the CAPWAP tunnel only when software upgrade is enabled. If this feature is disabled, the AC does not examine the software version of the AP and directly establishes a CAPWAP tunnel with the AP.

Configuring software upgrade in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Configure software upgrade.

firmware-upgrade { disable | enable }

By default, an AP uses the configuration in AP group view. If no software upgrade configuration exists in AP group view, the AP uses the configuration in global configuration view.

 

Configuring software upgrade in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Configure software upgrade.

firmware-upgrade { disable | enable }

By default, an AP uses the configuration in global configuration view.

 

Configuring software upgrade in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Configure software upgrade.

firmware-upgrade { disable | enable }

By default, the software upgrade feature is enabled.
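The following added example (not part of the original guide and not an H3C tool) audits a saved AC configuration for settings described in this chapter: it resolves the effective firmware-upgrade setting per manual AP through AP view, AP group view, and global configuration view, and reports the auto AP and discovery-policy state. The sample configuration is constructed, the function names are hypothetical, and the example assumes a layout with view commands at column 0, their settings indented beneath, and "#" between sections; only the grouping rule by AP names is evaluated.

```python
# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
#
wlan auto-ap enable
#
wlan global-configuration
 firmware-upgrade disable
#
wlan ap-group branch
 ap ap-lobby ap-lab
 firmware-upgrade enable
#
wlan ap ap-lobby model EXAMPLE-MODEL
 serial-id CONSTRUCTED-SN-001
#
wlan ap ap-lab model EXAMPLE-MODEL
 serial-id CONSTRUCTED-SN-002
 firmware-upgrade disable
#
wlan ap ap-dock model EXAMPLE-MODEL
 mac-address 0011-2233-4455
#
"""

VIEW_PREFIXES = ("wlan ap ", "wlan ap-group ", "wlan global-configuration")


def parse_views(text):
    """Split the text into system-view commands and per-view setting lists."""
    system, views, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif raw[0].isspace():
            if current is not None:
                views[current].append(line)
        elif line.startswith(VIEW_PREFIXES):
            current = line
            views.setdefault(current, [])
        else:
            current = None
            system.append(line)
    return system, views


def last_value(lines, keyword):
    """Argument of the last '<keyword> <arg>' line in a view, else None."""
    value = None
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] == keyword:
            value = parts[1]
    return value


def group_of(ap_name, views):
    """AP group whose 'ap ap-name-list' rule names the AP, else default-group."""
    for header, lines in views.items():
        if header.startswith("wlan ap-group "):
            for line in lines:
                parts = line.split()
                if parts[0] == "ap" and ap_name in parts[1:]:
                    return header.split()[2]
    return "default-group"


def effective_firmware_upgrade(views):
    """Resolve firmware-upgrade per manual AP; the first view that sets it wins."""
    result = {}
    for header in views:
        if not header.startswith("wlan ap "):
            continue
        ap = header.split()[2]
        group = group_of(ap, views)
        layers = [
            ("AP view", views[header]),
            (f"AP group view {group}", views.get(f"wlan ap-group {group}", [])),
            ("global configuration view",
             views.get("wlan global-configuration", [])),
        ]
        result[ap] = ("enable", "default")  # global default: enabled
        for source, lines in layers:
            value = last_value(lines, "firmware-upgrade")
            if value is not None:
                result[ap] = (value, source)
                break
    return result


def audit(text):
    """Return (check, detail) findings for settings described in this chapter."""
    system, views = parse_views(text)
    findings = []
    if ("wlan auto-ap enable" in system
            and "wlan auto-persistent enable" not in system):
        findings.append(("auto-ap", "auto AP is enabled and auto APs are not "
                         "converted to manual APs automatically"))
    if "wlan capwap discovery-policy unicast" not in system:
        findings.append(("discovery-policy", "AC responds to unicast, "
                         "multicast, and broadcast discovery requests"))
    for ap, (value, source) in sorted(effective_firmware_upgrade(views).items()):
        if value == "disable":
            findings.append((f"firmware-upgrade:{ap}", f"disabled by {source}; "
                             "the AC does not examine the AP software version"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
```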

 

Configuring the mapping between a software version and a hardware version of an AP model

CAUTION:

To avoid CAPWAP tunnel establishment failure, use this feature under the guidance of H3C Support.

 

Perform this task to configure the mapping between a software version and a hardware version of an AP model for software upgrade.

Perform this task only when the AP software version for an AP model stored in the APDB is inconsistent with the software version you expect for the AP model. To display the AP software version for each AP model in the APDB, use the display wlan ap-model command.

To configure the mapping between a software version and a hardware version of an AP model:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure the mapping between a software version and a hardware version of an AP model.

wlan apdb model-name hardware-version software-version

By default, the software version for a hardware version of an AP model is the software version that is stored in APDB user scripts.

 

Specifying the preferred location for the AC to obtain an AP image file

The AC assigns an AP image file to an AP if the AP requests a software version during CAPWAP tunnel establishment. You can specify the preferred location as the AC's RAM or local folder for the AC to obtain an AP image file. If the AC cannot obtain an AP image file from the preferred location, it obtains an AP image file from the other location. If no AP image file exists, the AC fails to obtain an image file and cannot assign a software version to the AP.

Configuration restrictions and guidelines

When you specify the preferred image location for the AC to obtain an AP image file, follow these restrictions and guidelines:

·     The AC can assign only .ipe AP image files to APs.

·     If you specify the local folder, make sure the AC uses a CF card as the default file system and the AP image file is stored in the root directory of the file system on the AC.

Configuration procedure

To specify the preferred location for the AC to obtain an AP image file:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify the preferred location for the AC to obtain an AP image file.

wlan image-load filepath { local | ram }

By default, the AC prefers the AP image file stored in the RAM when assigning a software version to an AP.

 

Configuring a CAPWAP tunnel

Configuring CAPWAP tunnel latency detection

This feature enables an AC to detect the transmission latency of CAPWAP control frames or data frames from an AP to the AC and back.

This feature takes effect only on the master AC after a CAPWAP tunnel is established.

When an AP goes offline, CAPWAP tunnel latency detection automatically stops. To restart CAPWAP tunnel latency detection when the AP comes online, execute the tunnel latency-detect start command again.

To display CAPWAP tunnel latency information, use the display wlan tunnel latency ap name command.

To configure CAPWAP tunnel latency detection:

 

Step

Command

Remarks

 

1.     Enter system view.

system-view

N/A

 

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Configure CAPWAP tunnel latency detection.

tunnel latency-detect { start | stop }

By default, CAPWAP tunnel latency detection is not started.

 

 

Setting the control tunnel keepalive time for an AP

An AP sends echo requests to the AC at the specified echo interval to identify whether the CAPWAP control tunnel is operating correctly. The AC responds by sending echo responses. If the AP does not receive any echo responses within the keepalive time, the AP terminates the connection. If the AC does not receive any echo requests within the keepalive time, the AC terminates the connection. The keepalive time is the echo interval multiplied by the maximum number of echo request transmission attempts.

Setting the control tunnel keepalive time for an AP in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Set the interval at which the AP sends echo requests.

echo-interval interval

By default, an AP uses the configuration in AP group view.

4.     Set the maximum number of echo request transmission attempts.

echo-count count

By default, an AP uses the configuration in AP group view.

 

Setting the control tunnel keepalive time for APs in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Set the interval at which the APs send echo requests.

echo-interval interval

The default setting is 10 seconds.

4.     Set the maximum number of echo request transmission attempts.

echo-count count

The default setting is 3.

 

Setting the data tunnel keepalive time for an AP

After a CAPWAP tunnel is established between an AP and the AC, the AP sends data channel keepalive packets to the AC at the specified keepalive interval.

Setting the data tunnel keepalive time for an AP in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Set the data tunnel keepalive interval.

keepalive-interval interval

By default, an AP uses the configuration in AP group view.

 

Setting the data tunnel keepalive time for APs in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Set the data tunnel keepalive interval.

keepalive-interval interval

The default setting is 10 seconds.

 

Setting the maximum fragment size for CAPWAP packets

Perform this task to prevent intermediate devices from dropping packets between AC and AP if the AP connects to the AC across the Internet.

Any maximum fragment size modification takes effect immediately on online APs.

Setting the maximum fragment size for CAPWAP packets in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Set the maximum fragment size for CAPWAP control or data packets.

fragment-size { control control-size | data data-size }

By default, an AP uses the configuration in AP group view.

 

Setting the maximum fragment size for CAPWAP packets in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Set the maximum fragment size for CAPWAP control or data packets.

fragment-size { control control-size | data data-size }

By default, the maximum fragment size for CAPWAP control packets and data packets is 1450 bytes and 1500 bytes, respectively.

 

Setting the TCP MSS for CAPWAP tunnels

About setting the TCP MSS

Perform this task to set the value of the Maximum Segment Size (MSS) option in SYN packets transmitted over a CAPWAP tunnel.

The MSS option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than or equal to the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, TCP fragments the segment based on the receiver's MSS.

Procedure

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the TCP MSS for CAPWAP tunnels.

wlan tcp mss value

The default setting is 1460 bytes.

 

Configuring AC request retransmission

The AC retransmits a request to an AP at the retransmission interval until it receives a response or the maximum number of request retransmission attempts is reached.

Configuring AC request retransmission in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Set the maximum number of request retransmission attempts.

retransmit-count value

By default, an AP uses the configuration in AP group view.

4.     Set the interval at which an AC request is retransmitted.

retransmit-interval interval

By default, an AP uses the configuration in AP group view.

 

Configuring AC request retransmission in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Set the maximum number of request retransmission attempts.

retransmit-count value

The default setting is 3.

4.     Set the interval at which an AC request is retransmitted.

retransmit-interval interval

The default setting is 5 seconds.

 

Setting the statistics report interval

Perform this task to change the interval for an AP to report its statistics. You can use these statistics to monitor the operating status of radios on the AP.

Setting the statistics report interval in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Set the statistics report interval.

statistics-interval interval

By default, an AP uses the configuration in AP group view.

 

Setting the statistics report interval in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Set the statistics report interval.

statistics-interval interval

The default setting is 50 seconds.

 

Configuring remote AP

An AP stops providing services for clients when the tunnel between the AP and the AC is disconnected. This feature enables an AP to automatically perform the following tasks when the tunnel between the AP and the AC is disconnected:

·     Forwards client traffic.

·     Provides client access services if local authentication is enabled and association is enabled at the AP.

Remote AP takes effect only on APs that operate in local forwarding mode.

When the tunnel between the AC and AP is recovered, clients with the AC as the authenticator need reauthentication. Clients with the AP as the authenticator remain online.

Remote AP is applicable to telecommuting, small branches, and SOHO solutions.

Configuring remote AP in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Configure remote AP.

hybrid-remote-ap { disable | enable }

By default, an AP uses the configuration in AP group view.

 

Configuring remote AP in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Configure remote AP.

hybrid-remote-ap { disable | enable }

By default, remote AP is disabled.

 

Configuring the default input power level

 

NOTE:

Support for this feature depends on the device model.

 

Configure the default input power level for an AP in case the AP cannot obtain its input power level at startup.

Input power level overview

An AP automatically performs power supply mode detection to obtain its input power level at startup. If the AP fails to obtain the input power level, it operates at the low power level before associating with an AC. After the association, it operates at the configured default input power level.

An AP can be powered through a power adapter or through its PoE or PoE+ ports. The following table shows the relationship between the AP's power supply mode and input power level:

 

| Power supply mode | Input power level |
|---|---|
| Power adapter, multiple PoE+ ports, or a combination of PoE and PoE+ ports | High |
| Single PoE+ port or multiple PoE ports | Middle |
| Single PoE port | Low |

 

An AP's support for MIMO modes and USB interfaces varies by input power level, as shown in Table 1.

Table 1 AP's support for MIMO modes and USB interfaces

| Input power level | Supported MIMO modes | Whether USB interfaces can be enabled |
|---|---|---|
| High | 1×1, 2×2, 3×3, and 4×4. | Yes. |
| Middle | 1×1, 2×2, 3×3, and 4×4. | Yes when the MIMO mode is 1×1 or 2×2. |
| Low | 1×1. | No. |

 

Configuration restrictions and guidelines

When you configure the default input power level for an AP, make sure the setting matches its power mode. An excessively low input power level prevents the AP from operating correctly. An excessively high input power level causes overload of the AP in case of power shortage.

Configuring the default input power level in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Configure the default input power level.

power-level default { high | low | middle }

By default, an AP uses the configuration in AP group's AP model view.

 

Configuring the default input power level in AP group's AP model view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Configure the default input power level.

power-level default { high | low | middle }

The default setting is middle.

 

Enabling or disabling USB interfaces for APs

 

NOTE:

Support for this feature depends on the AP model.

 

After you enable USB interfaces for an AP, the USB interfaces are active only when either of the following requirements is met:

·     The input power level of the AP is high.

·     The input power level of the AP is middle and the MIMO mode is 1×1 or 2×2.

For information about input power levels, see "Configuring the default input power level." For information about MIMO modes, see "Configuring radio management."

Enabling or disabling USB interfaces in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enable or disable USB interfaces.

usb { enable | disable }

By default, an AP uses the configuration in AP group's AP model view.

 

Enabling or disabling USB interfaces in AP group's AP model view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enable or disable USB interfaces.

usb { enable | disable }

By default, USB interfaces are disabled.

 

Resetting APs

Perform the following task in user view:

 

Task

Command

Reset all APs or the specified AP.

reset wlan ap { all | ap-group group-name | model model-name | name ap-name }

 

Renaming a manual AP

Step

Command

1.     Enter system view.

system-view

2.     Rename a manual AP.

wlan rename-ap ap-name new-ap-name

 

Managing the file system of an AP

You can perform the following tasks on an AC to manage files for an AP after the AP establishes a CAPWAP tunnel with the AC:

·     View file information for the AP.

·     Delete a file from the AP.

·     Download an image file from the AC to the AP.

This feature takes effect only on master ACs.

To manage the file system of an AP:

 

Step

Command

1.     Display information about files or file folders on an AP.

display wlan ap files name ap-name

2.     Enter system view.

system-view

3.     Enter AP view.

wlan ap ap-name [ model model-name ]

4.     Delete a file from the AP.

delete file filename

5.     Download an image file to the AP.

download file file-name

 

Configuring an AP group

This feature enables you to configure multiple APs in a batch to reduce configuration workload.

APs in an AP group use the configuration of the group. By default, all APs belong to the default AP group default-group. The default AP group cannot be created or deleted.

You can configure AP grouping rules by AP names, serial IDs, MAC addresses, and IP addresses to add APs to the specified AP group. Priorities of these grouping rules are in descending order. If an AP does not match any grouping rules, it is added to the default AP group.

Configuration restrictions and guidelines

When you configure an AP group, follow these restrictions and guidelines:

·     An AP can be added to only one AP group.

·     You cannot delete an AP group that contains an AP.

·     You cannot create grouping rules for the default AP group.

·     You cannot create the same grouping rule for different AP groups. If you do so, the most recent configuration takes effect.

·     The configuration priorities for an AP in AP view, AP group view, and global configuration view are in descending order. If no settings are configured in one view, the settings in the view with a lower priority are used. If no settings are configured in any one of the three views, the AP uses the default configuration in the view that has the lowest priority.

·     AP grouping rules by IPv4 or IPv6 addresses for an AP group or for different AP groups cannot overlap with each other.

·     An AP group supports a maximum of 32 AP grouping rules by IPv4 or IPv6 addresses.

Creating an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter its view.

wlan ap-group group-name

By default, there is a default AP group.

3.     (Optional.) Set a description for the AP group.

description text

By default, no description is set for an AP group.

4.     Create an AP grouping rule by AP names.

ap ap-name-list

N/A

5.     Create an AP grouping rule by serial IDs.

serial-id serial-id

N/A

6.     Create an AP grouping rule by MAC addresses.

mac-address mac-address

N/A

7.     Create an AP grouping rule by IPv4 addresses.

if-match ip ip-address { mask-length | mask }

N/A

8.     Create an AP grouping rule by IPv6 addresses.

if-match ipv6 { ipv6-address prefix-length | ipv6-address/prefix-length }

N/A

9.     (Optional.) Create an AP regrouping rule.

wlan re-group { ap ap-name | ap-group old-group-name | mac-address mac-address | serial-id serial-id } group-name

N/A
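The rule priorities and restrictions above decide which configuration an AP inherits, so it is worth checking a planned rule set before entering it. The following Python model is an added example, not H3C code and not part of the original guide. The group names lobby, lab, and branch are constructed, and two readings are assumptions of this example: an identical IP rule re-entered for another group follows "the most recent configuration takes effect", and any other overlap is rejected.

```python
import ipaddress

DEFAULT_GROUP = "default-group"
MAX_IP_RULES_PER_GROUP = 32  # limit stated in the restrictions list


def _norm_mac(mac):
    """Compare MAC addresses regardless of case and separators."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


class GroupingRules:
    """Offline model of AP grouping rules as the guide describes them."""

    def __init__(self):
        self.by_name, self.by_serial, self.by_mac = {}, {}, {}
        self.by_ip = {}  # ip_network -> group name

    @staticmethod
    def _check_group(group):
        if group == DEFAULT_GROUP:
            raise ValueError("no grouping rules allowed for " + DEFAULT_GROUP)

    # Exact-match rules: entering the same rule for another group overwrites
    # the earlier entry, so the most recent configuration takes effect.
    def add_name(self, ap_name, group):
        self._check_group(group)
        self.by_name[ap_name] = group

    def add_serial(self, serial_id, group):
        self._check_group(group)
        self.by_serial[serial_id.upper()] = group

    def add_mac(self, mac, group):
        self._check_group(group)
        self.by_mac[_norm_mac(mac)] = group

    def add_ip(self, cidr, group):
        self._check_group(group)
        net = ipaddress.ip_network(cidr, strict=False)
        for other, owner in self.by_ip.items():
            # Assumption: an identical network is a re-entry, not an overlap.
            if other != net and other.version == net.version and other.overlaps(net):
                raise ValueError("%s overlaps %s (group %s)" % (net, other, owner))
        used = sum(1 for n, g in self.by_ip.items() if g == group and n != net)
        if used >= MAX_IP_RULES_PER_GROUP:
            raise ValueError("group %s already has %d IP rules" % (group, used))
        self.by_ip[net] = group

    def resolve(self, ap_name, serial_id=None, mac=None, ip=None):
        """Return the group an AP lands in: name > serial ID > MAC > IP."""
        if ap_name in self.by_name:
            return self.by_name[ap_name]
        if serial_id and serial_id.upper() in self.by_serial:
            return self.by_serial[serial_id.upper()]
        if mac and _norm_mac(mac) in self.by_mac:
            return self.by_mac[_norm_mac(mac)]
        if ip:
            addr = ipaddress.ip_address(ip)
            for net, group in self.by_ip.items():
                if addr.version == net.version and addr in net:
                    return group
        return DEFAULT_GROUP


def build_sample_rules():
    """Constructed rule set; serial ID and MAC are the ones shown in this guide."""
    rules = GroupingRules()
    rules.add_name("ap1", "lobby")
    rules.add_serial("219801A1NQB117012935", "lab")
    rules.add_mac("0AFB-423B-893C", "lab")
    rules.add_ip("1.1.1.0/24", "branch")
    rules.add_ip("1::/64", "branch")
    return rules


if __name__ == "__main__":
    r = build_sample_rules()
    # ap1 matches a name rule and a serial-ID rule; the name rule wins.
    print(r.resolve("ap1", "219801A1NQB117012935", "0AFB-423B-893C", "1.1.1.2"))
    print(r.resolve("ap9", ip="10.1.0.2"))  # no rule matches
```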

 

Preprovisioning APs

AP preprovisioning allows you to configure network settings for fit APs on an AC. The AC automatically assigns these settings in a batch, through CAPWAP tunnels, to the fit APs in Run state. This reduces the workload in large WLAN networks.

You must save these settings in configuration file wlan_ap_prvs.xml for an AP.

This feature takes effect only on master ACs.

You can configure network settings in AP provision view or AP group provision view. Settings in AP provision view have a higher priority.

If you modify the preprovisioned settings of an AP, resave the settings in the preprovisioned configuration file.

The save wlan ap provision command has the same effect as the reset wlan ap provision command if no preprovisioned settings exist.

Preprovisioned settings configured in provision view take effect immediately when you execute the save wlan ap provision command.

Cancellations of preprovisioned settings in provision view do not take effect when you execute the save wlan ap provision command. For the cancellations to take effect on an AP, restart the AP.

For the reset wlan ap provision command to take effect on an AP, restart the AP after execution.

Configuring preprovisioned settings for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enable AP preprovisioning and enter AP provision view.

provision

By default, an AP uses the configuration in AP group view.

4.     Specify an AC for the AP.

ac { host-name host-name | ip ipv4-address | ipv6 ipv6-address }

By default, an AP uses the configuration in AP group view.

5.     Specify an IPv4 address for the management VLAN interface.

ip address ip-address { mask | mask-length }

By default, no IPv4 address is specified for the management VLAN interface.

6.     Specify an IPv6 address for the management VLAN interface.

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

By default, no IPv6 address is specified for the management VLAN interface.

7.     Set the gateway IP address.

gateway { ip ipv4-address | ipv6 ipv6-address }

By default, no gateway IP address is specified for an AP.

8.     Specify a DNS server.

dns server { ip ipv4-address | ipv6 ipv6-address }

By default, an AP uses the configuration in AP group view.

9.     Set a DNS domain name suffix.

dns domain domain-name

By default, an AP uses the configuration in AP group view.

 

Configuring network settings for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enable AP preprovisioning and enter AP group provision view.

provision

By default, AP preprovisioning is disabled.

4.     Specify an AC.

ac { host-name host-name | ip ip-address | ipv6 ipv6-address }

By default, no static AC is specified for an AP.

5.     Specify a DNS server.

dns server { ip ip-address | ipv6 ipv6-address }

By default, no DNS server is specified for an AP.

6.     Set a domain name suffix for the DNS server.

dns domain domain-name

By default, no domain name suffix is specified for a DNS server.

 

Assigning preprovisioned settings to APs

Perform this task to enable the AC to assign preprovisioned settings to an AP with which the AC has established a CAPWAP tunnel. The preprovisioned settings will be saved to configuration file wlan_ap_prvs.xml on the AP, and the settings will overwrite the network settings saved in the configuration file.

You can use either of the following methods to assign preprovisioned settings to an AP:

·     Manual configuration—You save the preprovisioned settings to configuration file wlan_ap_prvs.xml on the AP after it comes online.

Modifying the AC address configuration in the configuration file of the AP will trigger a new optimal AC selection process. Then the AP will terminate the original CAPWAP tunnel and establish a CAPWAP tunnel with the new AC.

·     Auto assignment of preprovisioned settings—The preprovisioned settings are assigned to an AP when it comes online. The AP will establish a CAPWAP tunnel with the AC specified in the preprovisioned settings. For information about optimal AC selection, see "CAPWAP tunnel establishment."

Saving the network settings to the configuration file on an AP

Perform the following task in any view:

 

Task

Command

Save the network settings to the preprovisioned configuration file wlan_ap_prvs.xml on the specified AP or all APs.

save wlan ap provision { all | name ap-name }

 

Configuring auto assignment of preprovisioned settings

To configure auto assignment of preprovisioned settings in AP view:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Configure auto assignment of preprovisioned settings for the AP.

provision auto-update { disable | enable }

By default, an AP uses the configuration in AP group view.

 

To configure auto assignment of preprovisioned settings in AP group view:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Configure auto assignment of preprovisioned settings for APs in the AP group.

provision auto-update { disable | enable }

By default, auto assignment of preprovisioned settings is disabled.

 

Configuring auto loading of preprovisioned settings

Auto loading of preprovisioned settings ensures successful CAPWAP tunnel establishment between AP and AC. An AP uses the following procedure to discover an AC when you enable this feature:

1.     Uses the preprovisioned settings to discover an AC that has the AP's manual or auto AP configuration.

2.     Reboots and uses other methods to discover ACs if AC discovery fails.

3.     Reboots and uses the preprovisioned settings again to discover ACs if the AP still fails to discover the target AC.

This AC discovery process will be repeated until the AP discovers the target AC to establish a CAPWAP tunnel.

Configuring auto loading of preprovisioned settings for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Configure auto loading of preprovisioned settings for the AP.

provision auto-recovery { disable | enable }

By default, an AP uses the configuration in AP group view.

 

Configuring auto loading of preprovisioned settings for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Configure auto loading of preprovisioned settings for APs in the AP group.

provision auto-recovery { disable | enable }

By default, auto loading of preprovisioned settings is enabled.

 

Enabling SNMP notifications

To report critical WLAN events to an NMS, enable SNMP notifications. For WLAN event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

To enable SNMP notifications:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable SNMP notifications.

·     Enable SNMP notifications for AP management:
snmp-agent trap enable wlan ap

·     Enable SNMP notifications for CAPWAP:
snmp-agent trap enable wlan capwap

By default, SNMP notifications for AP management and CAPWAP are disabled.

 

Loading an APDB user script

Perform this task to add new AP models to the APDB without upgrading AC software.

Configuration restrictions and guidelines

When you load an APDB user script, follow these restrictions and guidelines:

·     Make sure the user script is valid. Invalid scripts can cause loading failure.

·     The AP models in the user script must be different from the AP models in the system script.

·     If you load multiple user scripts on the AC, the most recently loaded user script overwrites the old user scripts.

·     If you rename the user script in the file system, reload the user script to prevent AP model configuration in the user script from being lost after an AC reboot.

·     If you replace the user script with a new user script in the file system, reload the new user script. If the new user script does not include AP model information saved in the replaced user script, the AP model information will be lost after an AC reboot.

·     If you delete a user script in the file system, the AP model configuration in the user script will be lost after an AC reboot.

If an old user script already exists, follow these restrictions and guidelines when you load an APDB user script:

·     If a manual AP or an online auto AP whose model is listed in the old user script exists, you can load a new user script only when you delete the corresponding AP model information on the AC.

·     If APs of an AP model listed in the old user script have been added to an AP group, you can load a new user script only when you remove the APs from the AP group.

·     If the old user script includes an AP model whose software version was already configured, you can load a new user script only when you use the wlan apdb command to restore the original software version.

Configuration procedure

To load an APDB user script:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Load an APDB user script.

wlan apdb file user.apdb

By default, no user script is loaded on the AC.

 

Enabling service anomaly detection

Perform this task on the master AC in an IRF fabric.

This feature enables an AC to check service status and start a 10-minute timer upon detecting that no APs are associated with the AC.

When the timer expires, the AC performs either of the following operations:

·     Restarts if no AP is online.

·     Deletes the timer if a minimum of one AP is online.

If APs come online and then all go offline before the timer expires, the AC restarts the 10-minute timer upon detecting that the last online AP goes offline.

As a best practice, enable this feature for an AC to recover automatically in case of service anomaly.

To enable service anomaly detection:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable service anomaly detection.

wlan detect-anomaly enable

By default, service anomaly detection is enabled.

 

Displaying and maintaining AP management

Setting a LED lighting mode

You can configure LEDs on an AP to flash in the following modes:

·     quiet—All LEDs are off.

·     awake—All LEDs flash once every minute. Support for this mode depends on the AP model.

·     always-on—All LEDs are steady on. Support for this mode depends on the AP model.

·     normal—How LEDs flash in this mode varies by AP model. This mode can identify the running status of an AP.

If you set the LED lighting mode to awake or always-on in AP group view, the setting takes effect only on member APs that support the specified LED lighting mode.

Setting a LED lighting mode in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Set a LED lighting mode.

led-mode { always-on | awake | normal | quiet }

By default, an AP uses the configuration in AP group view.

 

Setting a LED lighting mode in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Set a LED lighting mode.

led-mode { always-on | awake | normal | quiet }

By default, the LED lighting mode is normal.

 

Displaying AP management information

Execute display commands in any view.

 

Task

Command

Display information about all APs or the specified AP.

display wlan ap { all | name ap-name } [ verbose ]

Display address information for all APs or the specified AP.

display wlan ap { all | name ap-name } address

Display configuration status of CAPWAP features.

display wlan ap all feature capwap

Display AP connection records on the AC.

display wlan ap connection record { all | name ap-name }

Display AP online duration.

display wlan ap online-time { all | name ap-name }

Display the reboot logs of the specified AP.

display wlan ap reboot-log name ap-name

Display running configuration for all APs or the specified AP.

display wlan ap running-configuration { all | ap-name ap-name } [ verbose ]

Display association failure records for APs.

display wlan ap statistics association-failure-record

Display online AP quantity records.

display wlan ap statistics online-record [ datetime date time [ count count ] ]

Display CAPWAP tunnel down records.

display wlan ap statistics tunnel-down-record

Display information about all AP groups or the specified AP group.

display wlan ap-group [ brief | name group-name ]

Display AP model information.

display wlan ap-model { all | name model-name }

Display tunnel latency information for the specified CAPWAP tunnel.

display wlan tunnel latency ap name ap-name

Display information about distribution of attached APs for ACs.

display wlan ap-distribution { all | slot slot-number }

Display the attachment location of an AP.

display wlan ap-distribution ap-name ap-name

 

Clearing AP management information

Execute reset commands in user view.

 

Task

Command

Clear the reboot logs of all APs or the specified AP.

reset wlan ap reboot-log { all | name ap-name }

Clear tunnel latency information for all CAPWAP tunnels or the specified CAPWAP tunnel.

reset wlan tunnel latency ap { all | name ap-name }

Delete the configuration file wlan_ap_prvs.xml from all APs or the specified AP.

reset wlan ap provision { all | name ap-name }

 

AP management configuration examples

CAPWAP tunnel establishment through DHCP configuration example

Network requirements

As shown in Figure 3, configure the AP to obtain its IP address and AC IP address from the DHCP server through DHCP Option 43. The AP uses the IP address of the AC to establish a CAPWAP tunnel with the AC.

Figure 3 Network diagram

 

Configuration procedures

1.     Configure the DHCP server:

# Enable the DHCP service.

<DHCP server> system-view

[DHCP server] dhcp enable

# Configure DHCP address pool 1.

[DHCP server] dhcp server ip-pool 1

[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0

# Configure Option 43 to specify the IP address of the AC in address pool 1. The right-most bytes 01010103 (1.1.1.3) represent the IP address of the AC.

[DHCP server-dhcp-pool-1] option 43 hex 800700000101010103

[DHCP Server-dhcp-pool-1] quit

[DHCP Server] quit

2.     Configure the AC:

# Set the IP address of VLAN-interface 1 on the AC to 1.1.1.3/24.

<AC> system-view

[AC] interface vlan-interface 1

[AC-Vlan-interface1] ip address 1.1.1.3 24

[AC-Vlan-interface1] quit

# Create AP ap1 with model WA536-WW, and set its serial ID to 219801A1NQB117012935.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

[AC-wlan-ap-ap1] quit

# Start up the AP. The AP performs the following operations:

·     Obtains its IP address 1.1.1.2 from the DHCP server.

·     Obtains the IP address of the AC through Option 43.

·     Establishes a CAPWAP tunnel with the AC.

Verifying the configuration

# Verify the following information:

·     The AP obtains the IP address of the AC through DHCP.

·     The AP and the AC have established a CAPWAP tunnel.

·     The AP is in Run state.

[AC] display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup type                   : Master

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA536-WW

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 219801A1NQB117012935

MAC address                   : 0AFB-423B-893C

IP address                    : 192.168.1.50

UDP control port number       : 18313

UDP data port number          : N/A

H/W version                   : Ver.C

S/W version                   : R2206P02

Boot version                  : 1.01

USB state                     : N/A

Power Level                   : N/A

PowerInfo                     : N/A

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Echo count                    : 3 counts

Keepalive interval            : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : DHCP

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Channel usage(%)          : 15

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -102 dBm

    Protection mode           : cts-to-self

    MU-TxBF                   : Enabled

    SU-TxBF                   : Enabled

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Down

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9                       

                                NSS2 0,1,2,3,4,5,6,7,8,9                       

        Multicast             : Not configured                                  

    Operational HT MCS Set:                                                    

        Mandatory             : Not configured                                 

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,                  

                                10, 11, 12, 13, 14, 15                         

        Multicast             : Not configured                                 

    Channel                   : 149(auto)                                      

    Channel usage(%)          : 0                                              

    Max power                 : 20 dBm                                         

    Operational rate:                                                           

        Mandatory             : 6, 12, 24 Mbps                                 

        Multicast             : Auto                                           

        Supported             : 9, 18, 36, 48, 54 Mbps                         

        Disabled              : Not configured                                 

    Distance                  : 1 km                                           

    ANI                       : Enabled                                         

    Fragmentation threshold   : 2346 bytes                                     

    Beacon interval           : 100 TU                                         

    Protection threshold      : 2346 bytes                                      

    Long retry threshold      : 4                                              

    Short retry threshold     : 7                                              

    Maximum rx duration       : 2000 ms                                         

    Noise floor               : 0 dBm                                          

    Protection mode           : cts-to-self                                    

    MU-TxBF                   : Enabled                                        

    SU-TxBF                   : Enabled                                        

    Continuous mode           : N/A                                            

    HT protection mode        : No protection                                  

Radio 3:                                                                        

    Basic BSSID               : N/A                                            

    Admin state               : Down                                           

    Radio type                : 802.11n(2.4GHz)                                

    Antenna type              : internal                                       

    Client dot11n-only        : Disabled                                       

    Channel band-width        : 20MHz                                          

    Active band-width         : 20MHz                                          

    Secondary channel offset  : SCN                                            

    Short GI for 20MHz        : Supported                                      

    Short GI for 40MHz        : Supported                                      

    A-MSDU                    : Enabled                                        

    A-MPDU                    : Enabled                                        

    LDPC                      : Not Supported                                  

    STBC                      : Supported                                      

    Operational HT MCS Set:                                                     

        Mandatory             : Not configured                                 

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,                  

                                10, 11, 12, 13, 14, 15                          

        Multicast             : Not configured                                 

    Channel                   : 6(auto)                                        

    Channel usage(%)          : 0                                               

    Max power                 : 20 dBm                                         

    Preamble type             : Short                                          

    Operational rate:                                                          

        Mandatory             : 1, 2, 5.5, 11 Mbps                             

        Multicast             : Auto                                           

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps              

        Disabled              : Not configured                                 

    Distance                  : 1 km                                           

    ANI                       : Enabled                                        

    Fragmentation threshold   : 2346 bytes                                     

    Beacon interval           : 100 TU                                         

    Protection threshold      : 2346 bytes                                     

    Long retry threshold      : 4                                              

    Short retry threshold     : 7                                              

    Maximum rx duration       : 2000 ms                                        

    Noise floor               : 0 dBm                                          

    Protection mode           : cts-to-self                                    

    Continuous mode           : N/A                                            

    HT protection mode        : No protection

CAPWAP tunnel establishment through DHCPv6 configuration example

Network requirements

As shown in Figure 4, configure the AP to obtain its IP address and the AC's IP address from the DHCPv6 server through DHCP Option 52. The AP uses the IP address of the AC to establish a CAPWAP tunnel with the AC.

Figure 4 Network diagram

 

Configuration procedures

1.     Configure the DHCPv6 server:

# Assign an IPv6 address to GigabitEthernet 1/0/1.

<DHCPv6 Server> system-view

[DHCPv6 Server] interface gigabitethernet 1/0/1

[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 address 1::1/64

# Disable RA message advertising suppression.

[DHCPv6 Server-GigabitEthernet1/0/1] undo ipv6 nd ra halt

# Set the managed address configuration flag (M) to 1 in RA advertisements to be sent.

[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 nd autoconfig managed-address-flag

# Set the other stateful configuration flag (O) to 1 in RA advertisements to be sent.

[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 nd autoconfig other-flag

# Enable the DHCPv6 service on GigabitEthernet 1/0/1.

[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 dhcp select server

[DHCPv6 Server-GigabitEthernet1/0/1] quit

# Create a DHCPv6 address pool, and specify an IPv6 subnet for dynamic allocation in the DHCPv6 address pool.

[DHCPv6 Server] ipv6 dhcp pool 1

[DHCPv6 Server-dhcp6-pool-1] network 1::0/64

# Configure Option 52 that specifies an AC address 1::3 in DHCPv6 address pool 1.

[DHCPv6 Server-dhcp6-pool-1] option 52 hex 00010000000000000000000000000003

[DHCPv6 Server-dhcp6-pool-1] quit

[DHCPv6 Server] quit

2.     Configure the AC:

# Set the IPv6 address of VLAN-interface 1 to 1::3/64.

<AC> system-view

[AC] interface vlan-interface 1

[AC-Vlan-interface1] ipv6 address 1::3 64

[AC-Vlan-interface1] quit

# Create an AP named ap1 and specify its model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

[AC-wlan-ap-ap1] quit

# Start up the AP. The AP performs the following operations:

·     Obtains its IPv6 address 1::2 from the DHCP server.

·     Obtains the IPv6 address of the AC through Option 52.

·     Establishes a CAPWAP tunnel with the AC.
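In both the DHCP and the DHCPv6 example, the AP builds its CAPWAP tunnel to whatever AC address the DHCP option carries, so the hex value in the pool is worth decoding and comparing against the list of approved ACs. The following Python helper is an added example, not part of the original guide and not H3C code. The Option 43 layout it assumes (0x80, a length byte, a two-byte field that is 0000 on this page, a one-byte address count, then the IPv4 addresses) goes beyond what the page states, which is only that the right-most bytes are the AC address. Option 52 is read as a plain list of 16-byte IPv6 addresses.

```python
import ipaddress

SUBOPTION_TYPE = 0x80  # first byte of the Option 43 value shown on this page


def decode_option43(hex_value):
    """Return the IPv4 AC addresses in an Option 43 value shaped like the page's."""
    raw = bytes.fromhex(hex_value)  # raises ValueError on malformed hex
    if len(raw) < 9:
        raise ValueError("too short to hold one AC address")
    if raw[0] != SUBOPTION_TYPE:
        raise ValueError("unexpected sub-option type 0x%02x" % raw[0])
    body = raw[2:]
    if raw[1] != len(body):
        raise ValueError("length byte %d, but %d payload bytes" % (raw[1], len(body)))
    # Assumed layout of the body: 2-byte field, 1-byte count, 4 bytes per address.
    count, packed = body[2], body[3:]
    if count == 0 or len(packed) != 4 * count:
        raise ValueError("address count does not match payload size")
    return [ipaddress.IPv4Address(packed[i:i + 4]) for i in range(0, len(packed), 4)]


def encode_option43(addresses):
    """Build the hex string for a list of IPv4 AC addresses (same assumed layout)."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    body = b"\x00\x00" + bytes([len(addresses)]) + packed
    if not packed or len(body) > 255:
        raise ValueError("need between 1 and 63 addresses")
    return (bytes([SUBOPTION_TYPE, len(body)]) + body).hex()


def decode_option52(hex_value):
    """Return the IPv6 AC addresses in a DHCPv6 Option 52 value."""
    raw = bytes.fromhex(hex_value)
    if not raw or len(raw) % 16:
        raise ValueError("Option 52 must hold whole 16-byte IPv6 addresses")
    return [ipaddress.IPv6Address(raw[i:i + 16]) for i in range(0, len(raw), 16)]


def unapproved_acs(offered, approved):
    """Return the offered AC addresses that are not on the approved list."""
    allowed = {ipaddress.ip_address(a) for a in approved}
    return [addr for addr in offered if addr not in allowed]


if __name__ == "__main__":
    approved = ["1.1.1.3", "1::3"]  # the AC addresses used in the two examples
    v4 = decode_option43("800700000101010103")
    v6 = decode_option52("00010000000000000000000000000003")
    print("Option 43 ACs:", v4, "unapproved:", unapproved_acs(v4, approved))
    print("Option 52 ACs:", v6, "unapproved:", unapproved_acs(v6, approved))
```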

Verifying the configuration

# Verify the following information:

·     The AP obtains the IP address of the AC through DHCP.

·     The AP and the AC have established a CAPWAP tunnel.

·     The AP is in Run state.

[AC] display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup type                   : Master

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA536-WW

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 219801A1NQB117012935

MAC address                   : 0AFB-423B-893C

IP address                    : 1::2

UDP control port number       : 18313

UDP data port number          : N/A

H/W version                   : Ver.C

S/W version                   : R2206P02

Boot version                  : 1.01

USB state                     : N/A

Power Level                   : N/A

PowerInfo                     : N/A

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Echo count                    : 3 counts

Keepalive interval            : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : DHCP

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Channel usage(%)          : 15

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -102 dBm

    Protection mode           : cts-to-selfs

    MU-TxBF                   : Enabled

    SU-TxBF                   : Enabled

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Down

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9                       

                                NSS2 0,1,2,3,4,5,6,7,8,9                       

        Multicast             : Not configured                                 

    Operational HT MCS Set:                                                     

        Mandatory             : Not configured                                 

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,                  

                                10, 11, 12, 13, 14, 15                         

        Multicast             : Not configured                                 

    Channel                   : 149(auto)                                      

    Channel usage(%)          : 0                                               

    Max power                 : 20 dBm                                         

    Operational rate:                                                          

        Mandatory             : 6, 12, 24 Mbps                                  

        Multicast             : Auto                                           

        Supported             : 9, 18, 36, 48, 54 Mbps                         

        Disabled              : Not configured                                 

    Distance                  : 1 km                                           

    ANI                       : Enabled                                        

    Fragmentation threshold   : 2346 bytes                                     

    Beacon interval           : 100 TU                                         

    Protection threshold      : 2346 bytes                                     

    Long retry threshold      : 4                                              

    Short retry threshold     : 7                                              

    Maximum rx duration       : 2000 ms                                        

    Noise floor               : 0 dBm                                          

    Protection mode           : cts-to-self                                    

    MU-TxBF                   : Enabled                                        

    SU-TxBF                   : Enabled                                        

    Continuous mode           : N/A                                             

    HT protection mode        : No protection                                  

Radio 3:                                                                       

    Basic BSSID               : N/A                                             

    Admin state               : Down                                           

    Radio type                : 802.11n(2.4GHz)                                

    Antenna type              : internal                                        

    Client dot11n-only        : Disabled                                       

    Channel band-width        : 20MHz                                          

    Active band-width         : 20MHz                                          

    Secondary channel offset  : SCN                                            

    Short GI for 20MHz        : Supported                                      

    Short GI for 40MHz        : Supported                                      

    A-MSDU                    : Enabled                                        

    A-MPDU                    : Enabled                                        

    LDPC                      : Not Supported                                  

    STBC                      : Supported                                      

    Operational HT MCS Set:                                                    

        Mandatory             : Not configured                                 

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,                  

                                10, 11, 12, 13, 14, 15                         

        Multicast             : Not configured                                 

    Channel                   : 6(auto)                                        

    Channel usage(%)          : 0                                              

    Max power                 : 20 dBm                                         

    Preamble type             : Short                                           

    Operational rate:                                                          

        Mandatory             : 1, 2, 5.5, 11 Mbps                             

        Multicast             : Auto                                            

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps              

        Disabled              : Not configured                                 

    Distance                  : 1 km                                            

    ANI                       : Enabled                                        

    Fragmentation threshold   : 2346 bytes                                     

    Beacon interval           : 100 TU                                          

    Protection threshold      : 2346 bytes                                     

    Long retry threshold      : 4                                              

    Short retry threshold     : 7                                              

    Maximum rx duration       : 2000 ms                                        

    Noise floor               : 0 dBm                                          

    Protection mode           : cts-to-self                                    

    Continuous mode           : N/A                                            

    HT protection mode        : No protection

CAPWAP tunnel establishment through DNS configuration example

Network requirements

As shown in Figure 5, configure the AP to obtain the IP address of the AC through DNS to establish a CAPWAP tunnel with the AC.

Figure 5 Network diagram

 

Configuration procedures

1.     Configure the DHCP server:

# Enable the DHCP service, configure DHCP address pool 1, and set the domain name suffix of the AC to abc.

<DHCP server> system-view

[DHCP server] dhcp enable

[DHCP server] dhcp server ip-pool 1

[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0

[DHCP server-dhcp-pool-1] domain-name abc

[DHCP server-dhcp-pool-1] dns-list 1.1.1.4

[DHCP server-dhcp-pool-1] gateway-list 1.1.1.2

[DHCP server-dhcp-pool-1] quit

[DHCP server] quit

2.     Configure a mapping between domain name h3c.abc and IP address 2.1.1.1/24. For more information, see Layer 3—IP Services Configuration Guide. (Details not shown.)

3.     Configure the AC:

# Set the IP address of VLAN-interface 1 to 2.1.1.1/24.

<AC> system-view

[AC] interface vlan-interface 1

[AC-Vlan-interface1] ip address 2.1.1.1 24

[AC-Vlan-interface1] quit

# Configure a default route with next hop address 2.1.1.2.

[AC] ip route-static 0.0.0.0 0 2.1.1.2

# Create AP ap1 and specify its model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Start up the AP.

[AC-wlan-ap-ap1] quit

The AP performs the following operations:

·     Obtains its IP address 1.1.1.1, the domain name suffix of the AC, and the IP address of the DNS server from the DHCP server.

·     Adds the domain name suffix to the hostname.

·     Informs the DNS client to translate the domain name into an IP address.

·     Uses the IP address of the AC to establish a CAPWAP tunnel with the AC.

Verifying the configuration

# Verify the following information:

·     The AP and the AC have established a CAPWAP tunnel.

·     The AP is in Run state.

·     The AP obtains the IP address of the AC through DNS.

[AC] display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup type                   : Master

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA536-WW

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 219801A1NQB117012935

MAC address                   : 0AFB-423B-893C

IP address                    : 1.1.1.1

UDP control port number       : 18313

UDP data port number          : N/A

H/W version                   : Ver.C

S/W version                   : R2206P02

Boot version                  : 1.01

USB state                     : N/A

Power Level                   : N/A

PowerInfo                     : N/A

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Echo count                    : 3 counts

Keepalive interval            : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : DNS

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Channel usage(%)          : 15

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -102 dBm

    Protection mode           : cts-to-self

    MU-TxBF                   : Enabled

    SU-TxBF                   : Enabled

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Down

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9                       

                                NSS2 0,1,2,3,4,5,6,7,8,9                       

        Multicast             : Not configured                                 

    Operational HT MCS Set:                                                    

        Mandatory             : Not configured                                 

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,                  

                                10, 11, 12, 13, 14, 15                         

        Multicast             : Not configured                                 

    Channel                   : 149(auto)                                      

    Channel usage(%)          : 0                                              

    Max power                 : 20 dBm                                          

    Operational rate:                                                          

        Mandatory             : 6, 12, 24 Mbps                                 

        Multicast             : Auto                                            

        Supported             : 9, 18, 36, 48, 54 Mbps                         

        Disabled              : Not configured                                 

    Distance                  : 1 km                                            

    ANI                       : Enabled                                        

    Fragmentation threshold   : 2346 bytes                                     

    Beacon interval           : 100 TU                                          

    Protection threshold      : 2346 bytes                                     

    Long retry threshold      : 4                                              

    Short retry threshold     : 7                                              

    Maximum rx duration       : 2000 ms                                        

    Noise floor               : 0 dBm                                          

    Protection mode           : cts-to-self                                    

    MU-TxBF                   : Enabled                                        

    SU-TxBF                   : Enabled                                        

    Continuous mode           : N/A                                            

    HT protection mode        : No protection                                  

Radio 3:                                                                       

    Basic BSSID               : N/A                                            

    Admin state               : Down                                           

    Radio type                : 802.11n(2.4GHz)                                

    Antenna type              : internal                                       

    Client dot11n-only        : Disabled                                       

    Channel band-width        : 20MHz                                          

    Active band-width         : 20MHz                                          

    Secondary channel offset  : SCN                                            

    Short GI for 20MHz        : Supported                                      

    Short GI for 40MHz        : Supported                                      

    A-MSDU                    : Enabled                                        

    A-MPDU                    : Enabled                                        

    LDPC                      : Not Supported                                  

    STBC                      : Supported                                       

    Operational HT MCS Set:                                                    

        Mandatory             : Not configured                                 

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,                   

                                10, 11, 12, 13, 14, 15                         

        Multicast             : Not configured                                 

    Channel                   : 6(auto)                                         

    Channel usage(%)          : 0                                              

    Max power                 : 20 dBm                                         

    Preamble type             : Short                                          

    Operational rate:                                                          

        Mandatory             : 1, 2, 5.5, 11 Mbps                             

        Multicast             : Auto                                           

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps              

        Disabled              : Not configured                                 

    Distance                  : 1 km                                           

    ANI                       : Enabled                                        

    Fragmentation threshold   : 2346 bytes                                     

    Beacon interval           : 100 TU                                         

    Protection threshold      : 2346 bytes                                     

    Long retry threshold      : 4                                              

    Short retry threshold     : 7                                              

    Maximum rx duration       : 2000 ms                                        

    Noise floor               : 0 dBm                                          

    Protection mode           : cts-to-self                                    

    Continuous mode           : N/A                                             

    HT protection mode        : No protection
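The checks listed under "Verifying the configuration" (Run state, discovery through DNS) can be applied mechanically to the command output. The following Python sketch is an added example, not part of the H3C guide: it parses `display wlan ap name ap1 verbose` output and reports deviations, including the `Tunnel encryption` field when it reads `Disabled`. The function names, finding codes, and approved-serial set are hypothetical, and `SAMPLE` is a constructed excerpt of the output above.

```python
import re

# Constructed excerpt of the verbose output shown above.
SAMPLE = """\
AP name                       : ap1
State                         : Run
Serial ID                     : 219801A1NQB117012935
IP address                    : 1.1.1.1
Discovery type                : DNS
Tunnel encryption             : Disabled
Radio 1:
    Basic BSSID               : 7848-59f6-3940
    Admin state               : Up
    Operational HT MCS Set:
        Mandatory             : Not configured
        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
                                10, 11, 12, 13, 14, 15
    Operational rate:
        Mandatory             : 6, 12, 24 Mbps
    Distance                  : 1 km
Radio 2:
    Basic BSSID               : 7848-59f6-3950
    Admin state               : Down
"""

RADIO = re.compile(r"^Radio (\d+):\s*$")
FIELD = re.compile(r"^(\s*)(\S.*?)\s*:\s*(.*)$")


def parse_verbose(text):
    """Return (ap_fields, radios); radios maps radio number -> field dict.

    Fields nested under a sub-section header such as "Operational rate:" are
    stored as "Operational rate/Mandatory" so repeated names do not collide.
    """
    ap, radios = {}, {}
    target, section, last_key = ap, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue  # the guide's output is double-spaced
        radio = RADIO.match(line)
        if radio:
            target = radios.setdefault(int(radio.group(1)), {})
            section, last_key = None, None
            continue
        field = FIELD.match(line)
        if field is None:
            # Wrapped value (for example the second line of an MCS list).
            if last_key is not None:
                target[last_key] += " " + line.strip()
            continue
        indent, key, value = field.groups()
        if value == "":
            section, last_key = key, None  # sub-section header
            continue
        if len(indent) <= 4:
            section = None  # back at AP level or radio level
        if section:
            key = f"{section}/{key}"
        target[key] = value
        last_key = key
    return ap, radios


def audit(text, expected_discovery, approved_serials):
    """Return a list of finding codes for one AP's verbose output."""
    ap, _radios = parse_verbose(text)
    findings = []
    if ap.get("State") != "Run":
        findings.append("not-in-run-state")
    if ap.get("Discovery type") != expected_discovery:
        findings.append("discovery-type-mismatch")
    if ap.get("Serial ID") not in approved_serials:
        findings.append("serial-not-approved")
    if ap.get("Tunnel encryption") == "Disabled":
        findings.append("tunnel-encryption-disabled")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE, "DNS", {"219801A1NQB117012935"}))
```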

Auto AP configuration example

Network requirements

As shown in Figure 6, enable the auto AP feature on the AC. The AP obtains the AC IP address through DHCP Option 43 and establishes a CAPWAP tunnel with the AC.

Figure 6 Network diagram

 

Configuration procedures

1.     Configure the DHCP server:

# Enable the DHCP service.

<DHCP server> system-view

[DHCP server] dhcp enable

# Configure DHCP address pool 1.

[DHCP server] dhcp server ip-pool 1

[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0

# Configure Option 43 to specify the IP address of the AC in address pool 0. The right-most bytes 02010102 (2.1.1.2) represent the IP address of the AC.

[DHCP server-dhcp-pool-1] option 43 ip-address hex 800700000102010102

[DHCP Server-dhcp-pool-1] gateway-list 1.1.1.3

[DHCP Server-dhcp-pool-1] quit

[DHCP Server] quit

2.     Configure the AC:

# Set the IP address of VLAN-interface 1 on the AC to 2.1.1.2/24.

<AC> system-view

[AC] interface vlan-interface 1

[AC-Vlan-interface1] ip address 2.1.1.2 24

[AC-Vlan-interface1] quit

# Configure a default route with next hop 2.1.1.1.

[AC] ip route-static 0.0.0.0 0 2.1.1.1

# Enable auto AP.

[AC] wlan auto-ap enable
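Because the Option 43 value decides which AC an AP contacts, and auto AP lets the AC accept APs that were not created manually, it is worth decoding the hex string in a DHCP configuration and comparing it with the intended AC addresses. The following Python sketch is an added example, not part of the H3C guide. The guide states only that the right-most bytes are the AC address; the layout assumed here for the leading bytes (0x80 sub-option type, one-byte length, two-byte server type, one-byte address count) is an assumption read off the byte string above, and the function names are hypothetical.

```python
import ipaddress

SUBOPTION_TYPE = 0x80  # assumed meaning of the first byte in the guide's value


def decode_option43(hex_string):
    """Decode an Option 43 hex value into its fields and AC address list.

    Assumed layout: type(1) length(1) server_type(2) count(1) addresses(4*count).
    Raises ValueError when the declared length or count does not match the data.
    """
    raw = bytes.fromhex(hex_string)
    if len(raw) < 5:
        raise ValueError("value too short for the assumed header")
    sub_type, length, body = raw[0], raw[1], raw[2:]
    if sub_type != SUBOPTION_TYPE:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02X}")
    if length != len(body):
        raise ValueError(f"length byte says {length}, found {len(body)} bytes")
    server_type = int.from_bytes(body[0:2], "big")
    count, addr_bytes = body[2], body[3:]
    if count == 0 or len(addr_bytes) != 4 * count:
        raise ValueError("address count does not match the address bytes")
    addresses = [
        ipaddress.IPv4Address(addr_bytes[i:i + 4])
        for i in range(0, len(addr_bytes), 4)
    ]
    return {"server_type": server_type, "addresses": addresses}


def encode_option43(addresses, server_type=0):
    """Build the hex value for one or more AC IPv4 addresses (same layout)."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if not packed or len(addresses) > 255:
        raise ValueError("need between 1 and 255 addresses")
    body = server_type.to_bytes(2, "big") + bytes([len(addresses)]) + packed
    if len(body) > 255:
        raise ValueError("value does not fit in a one-byte length")
    return (bytes([SUBOPTION_TYPE, len(body)]) + body).hex().upper()


def unapproved_acs(hex_string, approved):
    """Return AC addresses in the option that are not on the approved list."""
    allowed = {ipaddress.IPv4Address(a) for a in approved}
    decoded = decode_option43(hex_string)
    return [str(a) for a in decoded["addresses"] if a not in allowed]


if __name__ == "__main__":
    value = "800700000102010102"  # value from the configuration above
    print(decode_option43(value))
    print(unapproved_acs(value, ["2.1.1.2"]))
```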

Verifying the configuration

# Verify that the AP has established a CAPWAP tunnel with the AC.

[AC] display wlan ap name 0011-2200-0101 verbose

AP name                       : 0011-2200-0101

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup type                   : Master

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA536-WW

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 219801A1NQB117012935

MAC address                   : 0011-2200-0101

IP address                    : 1.1.1.2

UDP control port number       : 18313

UDP data port number          : N/A

H/W version                   : Ver.C

S/W version                   : R2206P02

Boot version                  : 1.01

USB state                     : N/A

Power Level                   : N/A

PowerInfo                     : N/A

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Echo count                    : 3 counts

Keepalive interval            : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : DHCP

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Channel usage(%)          : 15

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -102 dBm

    Protection mode           : cts-to-self

    MU-TxBF                   : Enabled

    SU-TxBF                   : Enabled

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Down

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9                       

                                NSS2 0,1,2,3,4,5,6,7,8,9                       

        Multicast             : Not configured                                 

    Operational HT MCS Set:                                                    

        Mandatory             : Not configured                                 

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,                  

                                10, 11, 12, 13, 14, 15                         

        Multicast             : Not configured                                 

    Channel                   : 149(auto)                                      

    Channel usage(%)          : 0                                              

    Max power                 : 20 dBm                                          

    Operational rate:                                                          

        Mandatory             : 6, 12, 24 Mbps                                 

        Multicast             : Auto                                            

        Supported             : 9, 18, 36, 48, 54 Mbps                         

        Disabled              : Not configured                                 

    Distance                  : 1 km                                            

    ANI                       : Enabled                                        

    Fragmentation threshold   : 2346 bytes                                     

    Beacon interval           : 100 TU                                          

    Protection threshold      : 2346 bytes                                     

    Long retry threshold      : 4                                              

    Short retry threshold     : 7                                              

    Maximum rx duration       : 2000 ms                                        

    Noise floor               : 0 dBm                                          

    Protection mode           : cts-to-self                                    

    MU-TxBF                   : Enabled                                        

    SU-TxBF                   : Enabled                                        

    Continuous mode           : N/A                                            

    HT protection mode        : No protection                                  

Radio 3:                                                                       

    Basic BSSID               : N/A                                            

    Admin state               : Down                                           

    Radio type                : 802.11n(2.4GHz)                                

    Antenna type              : internal                                       

    Client dot11n-only        : Disabled                                       

    Channel band-width        : 20MHz                                          

    Active band-width         : 20MHz                                          

    Secondary channel offset  : SCN                                             

    Short GI for 20MHz        : Supported                                      

    Short GI for 40MHz        : Supported                                      

    A-MSDU                    : Enabled                                         

    A-MPDU                    : Enabled                                        

    LDPC                      : Not Supported                                  

    STBC                      : Supported                                       

    Operational HT MCS Set:                                                    

        Mandatory             : Not configured                                 

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,                   

                                10, 11, 12, 13, 14, 15                         

        Multicast             : Not configured                                 

    Channel                   : 6(auto)                                        

    Channel usage(%)          : 0                                              

    Max power                 : 20 dBm                                         

    Preamble type             : Short                                          

    Operational rate:                                                           

        Mandatory             : 1, 2, 5.5, 11 Mbps                             

        Multicast             : Auto                                           

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps              

        Disabled              : Not configured                                 

    Distance                  : 1 km                                           

    ANI                       : Enabled                                        

    Fragmentation threshold   : 2346 bytes                                     

    Beacon interval           : 100 TU                                         

    Protection threshold      : 2346 bytes                                     

    Long retry threshold      : 4                                              

    Short retry threshold     : 7                                              

    Maximum rx duration       : 2000 ms                                        

    Noise floor               : 0 dBm                                          

    Protection mode           : cts-to-self                                    

    Continuous mode           : N/A                                             

    HT protection mode        : No protection

AP group configuration example

Network requirements

As shown in Figure 7, configure AP groups and add AP 1 to AP group group1, and AP 2, AP 3, and AP 4 to AP group group2.

Figure 7 Network diagram

 

Configuration procedure

1.     Configure APs to obtain their IP addresses and the AC IP address from the DHCP server. (Details not shown.)

2.     Configure manual APs. (Details not shown.)

3.     Configure AP groups:

# Create AP group group1.

<AC> system-view

[AC] wlan ap-group group1

# Add AP 1 to AP group group1.

[AC-wlan-ap-group-group1] ap ap1

[AC-wlan-ap-group-group1] quit

# Create AP group group2.

[AC] wlan ap-group group2

# Add AP 2, AP 3, and AP 4 to AP group group2.

[AC-wlan-ap-group-group2] ap ap2 ap3 ap4

[AC-wlan-ap-group-group2] quit

[AC] quit

Verifying the configuration

# Verify that AP 1 is in AP group group1, and AP 2, AP 3, and AP 4 are in AP group group2.

[AC-wlan-ap-group-group2] display wlan ap-group

Total number of AP groups: 3

AP group name       : default-group

Description         : Not configured

AP model            : Not configured

APs                 : Not configured

 

AP group name       : group1

Description         : Not configured

AP model            : WA536-WW

AP grouping rules:

  AP name           : ap1

  Serial ID         : Not configured

  MAC address       : Not configured

  IPv4 address      : Not configured

  IPv6 address      : Not configured

APs                 : ap1 (AP name)

 

AP group name       : group2

Description         : Not configured

AP model            : WA536-WW

AP grouping rules:

  AP name           : ap2, ap3, ap4

  Serial ID         : Not configured

  MAC address       : Not configured

  IPv4 address      : Not configured

  IPv6 address      : Not configured

APs                 : ap2 (AP name), ap3 (AP name), ap4 (AP name)
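
The verification step above can be automated. The following Python sketch is an added example, not H3C's code: it parses text in the format shown for display wlan ap-group and compares group membership with an expected inventory. The sample text is constructed from the output above, and the function names and the EXPECTED inventory are assumptions.

```python
import re

# Constructed sample in the format of the "display wlan ap-group" output above.
SAMPLE_OUTPUT = """\
Total number of AP groups: 3
AP group name       : default-group
Description         : Not configured
AP model            : Not configured
APs                 : Not configured

AP group name       : group1
Description         : Not configured
AP model            : WA536-WW
AP grouping rules:
  AP name           : ap1
  Serial ID         : Not configured
  MAC address       : Not configured
  IPv4 address      : Not configured
  IPv6 address      : Not configured
APs                 : ap1 (AP name)

AP group name       : group2
Description         : Not configured
AP model            : WA536-WW
AP grouping rules:
  AP name           : ap2, ap3, ap4
  Serial ID         : Not configured
  MAC address       : Not configured
  IPv4 address      : Not configured
  IPv6 address      : Not configured
APs                 : ap2 (AP name), ap3 (AP name), ap4 (AP name)
"""

# Assumed inventory: which APs the operator intends to be in which group.
EXPECTED = {"group1": {"ap1"}, "group2": {"ap2", "ap3", "ap4"}}

# A member entry looks like "ap2 (AP name)": AP name, then the rule that matched.
MEMBER_RE = re.compile(r"(\S+)\s+\(([^)]+)\)")


def _values(text):
    """Split a comma-separated field; 'Not configured' means empty."""
    text = text.strip()
    if not text or text == "Not configured":
        return []
    return [v.strip() for v in text.split(",") if v.strip()]


def parse_ap_groups(output):
    """Return (declared_total, {group: {"model", "rules", "members"}})."""
    declared, groups, current = None, {}, None
    for raw in output.splitlines():
        if not raw.strip():
            continue                        # tolerate blank separator lines
        indented = raw[0].isspace()         # rule lines are indented
        key, _, value = raw.partition(":")  # first colon only, so IPv6 values survive
        key, value = key.strip(), value.strip()
        if key == "Total number of AP groups":
            declared = int(value)
        elif key == "AP group name":
            current = {"model": None, "rules": {}, "members": {}}
            groups[value] = current
        elif current is None:
            continue                        # text before the first group block
        elif key == "AP model":
            current["model"] = None if value == "Not configured" else value
        elif indented:                      # lines under "AP grouping rules:"
            current["rules"][key] = _values(value)
        elif key == "APs":
            current["members"] = dict(MEMBER_RE.findall(value))
    return declared, groups


def audit(output, expected):
    """Compare parsed membership with an expected {group: set(AP names)} inventory."""
    declared, groups = parse_ap_groups(output)
    findings = []
    if declared is not None and declared != len(groups):
        # A mismatch usually means the captured output was truncated.
        findings.append(f"header declares {declared} groups, parsed {len(groups)}")
    for name, want in expected.items():
        if name not in groups:
            findings.append(f"{name}: group missing")
            continue
        have = set(groups[name]["members"])
        findings += [f"{name}: {ap} missing" for ap in sorted(want - have)]
        findings += [f"{name}: {ap} unexpected" for ap in sorted(have - want)]
    for name in sorted(set(groups) - set(expected)):
        if groups[name]["members"]:
            findings.append(f"{name}: members present but group not in inventory")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT, EXPECTED) or ["membership matches inventory"]:
        print(finding)
```

An empty result means every AP is in the group the inventory expects; APs left in default-group or moved to another group show up as findings.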

 


Configuring radio management

Overview

Radio frequency (RF) is a rate of electrical oscillation in the range of around 300 kHz to 300 GHz. WLAN uses the 2.4 GHz band (2.4 GHz to 2.4835 GHz) and 5 GHz band (5.150 GHz to 5.350 GHz and 5.725 GHz to 5.850 GHz) radio frequencies as the transmission media.

The term "radio frequency" or its abbreviation "RF" is also used as a synonym for "radio" in wireless communication.

Radio mode

IEEE defines the 802.11a, 802.11b, 802.11g, 802.11n, and 802.11ac radio modes. H3C defines an 802.11gac radio mode that enables 802.11ac radios to use the 2.4 GHz band.

Table 2 provides a comparison of these radio modes.

Table 2 802.11 standards comparison

| IEEE standard | Frequency band | Maximum rate | Indoor coverage | Outdoor coverage |
|---|---|---|---|---|
| 802.11a | 5 GHz | 54 Mbps | About 50 meters (164.04 ft) | About 100 meters (328.08 ft) |
| 802.11b | 2.4 GHz | 11 Mbps | About 300 meters (984.25 ft) | About 600 meters (1968.50 ft) |
| 802.11g | 2.4 GHz | 54 Mbps | About 300 meters (984.25 ft) | About 600 meters (1968.50 ft) |
| 802.11n | 2.4 GHz or 5 GHz | 600 Mbps | About 300 meters (984.25 ft) | About 600 meters (1968.50 ft) |
| 802.11ac | 5 GHz | 6900 Mbps | About 30 meters (98.43 ft) | About 60 meters (196.85 ft) |
| 802.11gac | 2.4 GHz | 1600 Mbps | About 100 meters (328.08 ft) | About 200 meters (656.17 ft) |

 

 

NOTE:

·     802.11g, 802.11n, and 802.11ac are backward compatible.

·     The term "802.11ac" in this document includes 802.11gac unless otherwise specified.

 

Channel

A channel is a range of frequencies with a specific bandwidth. There are 14 channels designated in the 2.4 GHz band. Each channel has a bandwidth of 20 MHz, and adjacent channels are spaced 5 MHz apart. Among the 14 channels, four groups of non-overlapping channels exist, and the most commonly used group contains channels 1, 6, and 11.

The 5 GHz band can provide higher rates and is more immune to interference. There are 24 non-overlapping channels designated in the 5 GHz band. The channels are spaced 20 MHz apart with a bandwidth of 20 MHz.

Transmit power

Transmit power reflects the signal strength of a wireless device. A higher transmit power enables a radio to cover a larger area but causes more interference to adjacent devices. The signal strength decreases as the transmission distance increases.

Transmission rate

Transmission rate refers to the speed at which wireless devices transmit traffic. It varies by radio mode and spreading, coding, and modulation schemes. Rates that are supported by different modes of radios are as follows:

·     802.11a—6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps.

·     802.11b—1 Mbps, 2 Mbps, 5.5 Mbps, and 11 Mbps.

·     802.11g—1 Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, 9 Mbps, 11 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps.

·     802.11n—Rates for 802.11n radios vary by channel bandwidth. For more information, see "MCS."

·     802.11ac—Rates for 802.11ac radios vary by channel bandwidth and number of spatial streams (NSS). For more information, see "VHT-MCS."

MPDU aggregation

A MAC Protocol Data Unit (MPDU) refers to a data frame in 802.11 format. MPDU aggregation aggregates multiple MPDUs into one aggregate MPDU (A-MPDU) to reduce additional information, ACK frames, and Physical Layer Convergence Procedure (PLCP) header overhead. This improves network throughput and channel efficiency.

All MPDUs in an A-MPDU must have the same QoS priority, source address, and destination address.

Figure 8 A-MPDU format

 

MSDU aggregation

An AP or client encapsulates a MAC Service Data Unit (MSDU) with an Ethernet header and then converts the frame into 802.11 format for forwarding.

MSDU aggregation aggregates multiple MSDUs into one aggregate MSDU (A-MSDU) to reduce PLCP preamble, PLCP header, and MAC header overheads. This improves network throughput and frame forwarding efficiency.

All MSDUs in an A-MSDU must have the same QoS priority, source address, and destination address. When a device receives an A-MSDU, it restores the A-MSDU to multiple MSDUs for processing.

Figure 9 A-MSDU format

 

MCS

Modulation and Coding Scheme (MCS) defined in IEEE 802.11n-2009 is a value that determines the modulation, coding, and number of spatial streams. An MCS is identified by an MCS index, which is represented by an integer in the range of 0 to 76. An MCS index is the mapping from MCS to a data rate.

Table 3 through Table 10 show sample MCS parameters for both 20 MHz and 40 MHz.

When the bandwidth mode is 20 MHz, MCS indexes 0 through 15 are mandatory for APs, and MCS indexes 0 through 7 are mandatory for clients.

Table 3 MCS parameters (20 MHz, NSS=1)

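| MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|---|
| 0 | 1 | BPSK | 6.5 | 7.2 |
| 1 | 1 | QPSK | 13.0 | 14.4 |
| 2 | 1 | QPSK | 19.5 | 21.7 |
| 3 | 1 | 16-QAM | 26.0 | 28.9 |
| 4 | 1 | 16-QAM | 39.0 | 43.3 |
| 5 | 1 | 64-QAM | 52.0 | 57.8 |
| 6 | 1 | 64-QAM | 58.5 | 65.0 |
| 7 | 1 | 64-QAM | 65.0 | 72.2 |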

 

Table 4 MCS parameters (20 MHz, NSS=2)

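| MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|---|
| 8 | 2 | BPSK | 13.0 | 14.4 |
| 9 | 2 | QPSK | 26.0 | 28.9 |
| 10 | 2 | QPSK | 39.0 | 43.3 |
| 11 | 2 | 16-QAM | 52.0 | 57.8 |
| 12 | 2 | 16-QAM | 78.0 | 86.7 |
| 13 | 2 | 64-QAM | 104.0 | 115.6 |
| 14 | 2 | 64-QAM | 117.0 | 130.0 |
| 15 | 2 | 64-QAM | 130.0 | 144.4 |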

 

Table 5 MCS parameters (20 MHz, NSS=3)

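| MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|---|
| 16 | 3 | BPSK | 19.5 | 21.7 |
| 17 | 3 | QPSK | 39.0 | 43.3 |
| 18 | 3 | QPSK | 58.5 | 65.0 |
| 19 | 3 | 16-QAM | 78.0 | 86.7 |
| 20 | 3 | 16-QAM | 117.0 | 130.0 |
| 21 | 3 | 64-QAM | 156.0 | 173.3 |
| 22 | 3 | 64-QAM | 175.5 | 195.0 |
| 23 | 3 | 64-QAM | 195.0 | 216.7 |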

 

Table 6 MCS parameters (20 MHz, NSS=4)

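| MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|---|
| 24 | 4 | BPSK | 26.0 | 28.9 |
| 25 | 4 | QPSK | 52.0 | 57.8 |
| 26 | 4 | QPSK | 78.0 | 86.7 |
| 27 | 4 | 16-QAM | 104.0 | 115.6 |
| 28 | 4 | 16-QAM | 156.0 | 173.3 |
| 29 | 4 | 64-QAM | 208.0 | 231.1 |
| 30 | 4 | 64-QAM | 234.0 | 260.0 |
| 31 | 4 | 64-QAM | 260.0 | 288.9 |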

 

Table 7 MCS parameters (40 MHz, NSS=1)

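| MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|---|
| 0 | 1 | BPSK | 13.5 | 15.0 |
| 1 | 1 | QPSK | 27.0 | 30.0 |
| 2 | 1 | QPSK | 40.5 | 45.0 |
| 3 | 1 | 16-QAM | 54.0 | 60.0 |
| 4 | 1 | 16-QAM | 81.0 | 90.0 |
| 5 | 1 | 64-QAM | 108.0 | 120.0 |
| 6 | 1 | 64-QAM | 121.5 | 135.0 |
| 7 | 1 | 64-QAM | 135.0 | 150.0 |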

 

Table 8 MCS parameters (40 MHz, NSS=2)

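| MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|---|
| 8 | 2 | BPSK | 27.0 | 30.0 |
| 9 | 2 | QPSK | 54.0 | 60.0 |
| 10 | 2 | QPSK | 81.0 | 90.0 |
| 11 | 2 | 16-QAM | 108.0 | 120.0 |
| 12 | 2 | 16-QAM | 162.0 | 180.0 |
| 13 | 2 | 64-QAM | 216.0 | 240.0 |
| 14 | 2 | 64-QAM | 243.0 | 270.0 |
| 15 | 2 | 64-QAM | 270.0 | 300.0 |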

 

Table 9 MCS parameters (40 MHz, NSS=3)

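| MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|---|
| 16 | 3 | BPSK | 40.5 | 45.0 |
| 17 | 3 | QPSK | 81.0 | 90.0 |
| 18 | 3 | QPSK | 121.5 | 135.0 |
| 19 | 3 | 16-QAM | 162.0 | 180.0 |
| 20 | 3 | 16-QAM | 243.0 | 270.0 |
| 21 | 3 | 64-QAM | 324.0 | 360.0 |
| 22 | 3 | 64-QAM | 364.5 | 405.0 |
| 23 | 3 | 64-QAM | 405.0 | 450.0 |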

 

Table 10 MCS parameters (40 MHz, NSS=4)

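| MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|---|
| 24 | 4 | BPSK | 54.0 | 60.0 |
| 25 | 4 | QPSK | 108.0 | 120.0 |
| 26 | 4 | QPSK | 162.0 | 180.0 |
| 27 | 4 | 16-QAM | 216.0 | 240.0 |
| 28 | 4 | 16-QAM | 324.0 | 360.0 |
| 29 | 4 | 64-QAM | 432.0 | 480.0 |
| 30 | 4 | 64-QAM | 486.0 | 540.0 |
| 31 | 4 | 64-QAM | 540.0 | 600.0 |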

 

MCS indexes are classified into the following types:

·     Mandatory MCS indexes—Mandatory MCS indexes for an AP. Clients can associate with an 802.11n AP only when they support the mandatory MCS indexes for the AP.

·     Supported MCS indexes—MCS indexes supported by an AP except for the mandatory MCS indexes. Supported MCS indexes allow a client that supports both mandatory and supported MCS indexes to use a higher rate to communicate with the AP.

·     Multicast MCS index—MCS index corresponding to the rate at which an AP transmits multicast frames.

 

 

NOTE:

·     For all the MCS data rate tables, see IEEE 802.11n-2009.

·     Support for MCS indexes depends on the AP model.

 

VHT-MCS

802.11ac uses Very High Throughput Modulation and Coding Scheme (VHT-MCS) indexes to indicate wireless data rates. A VHT-MCS is identified by a VHT-MCS index, which is represented by an integer in the range of 0 to 9. A VHT-MCS index is the mapping from VHT-MCS to a data rate.

802.11ac supports the 20 MHz, 40 MHz, 80 MHz, and 160 MHz bandwidth modes, and supports a maximum of eight spatial streams. 802.11gac supports the 20 MHz and 40 MHz bandwidth modes.

Table 11 through Table 22 show VHT-MCS parameters that are supported by an AP.

Table 11 VHT-MCS parameters (20 MHz, NSS=1)

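| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 6.5 | 7.2 |
| 1 | QPSK | 13.0 | 14.4 |
| 2 | QPSK | 19.5 | 21.7 |
| 3 | 16-QAM | 26.0 | 28.9 |
| 4 | 16-QAM | 39.0 | 43.3 |
| 5 | 64-QAM | 52.0 | 57.8 |
| 6 | 64-QAM | 58.5 | 65.0 |
| 7 | 64-QAM | 65.0 | 72.2 |
| 8 | 256-QAM | 78.0 | 86.7 |
| 9 | Not valid | | |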

 

Table 12 VHT-MCS parameters (20 MHz, NSS=2)

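| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 13.0 | 14.4 |
| 1 | QPSK | 26.0 | 28.9 |
| 2 | QPSK | 39.0 | 43.3 |
| 3 | 16-QAM | 52.0 | 57.8 |
| 4 | 16-QAM | 78.0 | 86.7 |
| 5 | 64-QAM | 104.0 | 115.6 |
| 6 | 64-QAM | 117.0 | 130.0 |
| 7 | 64-QAM | 130.0 | 144.4 |
| 8 | 256-QAM | 156.0 | 173.3 |
| 9 | Not valid | | |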

 

Table 13 VHT-MCS parameters (20 MHz, NSS=3)

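| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 19.5 | 21.7 |
| 1 | QPSK | 39.0 | 43.3 |
| 2 | QPSK | 58.5 | 65.0 |
| 3 | 16-QAM | 78.0 | 86.7 |
| 4 | 16-QAM | 117.0 | 130.0 |
| 5 | 64-QAM | 156.0 | 173.3 |
| 6 | 64-QAM | 175.5 | 195.0 |
| 7 | 64-QAM | 195.0 | 216.7 |
| 8 | 256-QAM | 234.0 | 260.0 |
| 9 | 256-QAM | 260.0 | 288.9 |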

 

Table 14 VHT-MCS parameters (20 MHz, NSS=4)

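| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 26.0 | 28.9 |
| 1 | QPSK | 52.0 | 57.8 |
| 2 | QPSK | 78.0 | 86.7 |
| 3 | 16-QAM | 104.0 | 115.6 |
| 4 | 16-QAM | 156.0 | 173.3 |
| 5 | 64-QAM | 208.0 | 231.1 |
| 6 | 64-QAM | 234.0 | 260.0 |
| 7 | 64-QAM | 260.0 | 288.9 |
| 8 | 256-QAM | 312.0 | 346.7 |
| 9 | Not valid | | |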

 

Table 15 VHT-MCS parameters (40 MHz, NSS=1)

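| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 13.5 | 15.0 |
| 1 | QPSK | 27.0 | 30.0 |
| 2 | QPSK | 40.5 | 45.0 |
| 3 | 16-QAM | 54.0 | 60.0 |
| 4 | 16-QAM | 81.0 | 90.0 |
| 5 | 64-QAM | 108.0 | 120.0 |
| 6 | 64-QAM | 121.5 | 135.0 |
| 7 | 64-QAM | 135.0 | 150.0 |
| 8 | 256-QAM | 162.0 | 180.0 |
| 9 | 256-QAM | 180.0 | 200.0 |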

 

Table 16 VHT-MCS parameters (40 MHz, NSS=2)

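| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 27.0 | 30.0 |
| 1 | QPSK | 54.0 | 60.0 |
| 2 | QPSK | 81.0 | 90.0 |
| 3 | 16-QAM | 108.0 | 120.0 |
| 4 | 16-QAM | 162.0 | 180.0 |
| 5 | 64-QAM | 216.0 | 240.0 |
| 6 | 64-QAM | 243.0 | 270.0 |
| 7 | 64-QAM | 270.0 | 300.0 |
| 8 | 256-QAM | 324.0 | 360.0 |
| 9 | 256-QAM | 360.0 | 400.0 |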

 

Table 17 VHT-MCS parameters (40 MHz, NSS=3)

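| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 40.5 | 45.0 |
| 1 | QPSK | 81.0 | 90.0 |
| 2 | QPSK | 121.5 | 135.0 |
| 3 | 16-QAM | 162.0 | 180.0 |
| 4 | 16-QAM | 243.0 | 270.0 |
| 5 | 64-QAM | 324.0 | 360.0 |
| 6 | 64-QAM | 364.5 | 405.0 |
| 7 | 64-QAM | 405.0 | 450.0 |
| 8 | 256-QAM | 486.0 | 540.0 |
| 9 | 256-QAM | 540.0 | 600.0 |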

 

Table 18 VHT-MCS parameters (40 MHz, NSS=4)

| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 54.0 | 60.0 |
| 1 | QPSK | 108.0 | 120.0 |
| 2 | QPSK | 162.0 | 180.0 |
| 3 | 16-QAM | 216.0 | 240.0 |
| 4 | 16-QAM | 324.0 | 360.0 |
| 5 | 64-QAM | 432.0 | 480.0 |
| 6 | 64-QAM | 486.0 | 540.0 |
| 7 | 64-QAM | 540.0 | 600.0 |
| 8 | 256-QAM | 648.0 | 720.0 |
| 9 | 256-QAM | 720.0 | 800.0 |

 

Table 19 VHT-MCS parameters (80 MHz, NSS=1)

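| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 29.3 | 32.5 |
| 1 | QPSK | 58.5 | 65.0 |
| 2 | QPSK | 87.8 | 97.5 |
| 3 | 16-QAM | 117.0 | 130.0 |
| 4 | 16-QAM | 175.5 | 195.0 |
| 5 | 64-QAM | 234.0 | 260.0 |
| 6 | 64-QAM | 263.0 | 292.5 |
| 7 | 64-QAM | 292.5 | 325.0 |
| 8 | 256-QAM | 351.0 | 390.0 |
| 9 | 256-QAM | 390.0 | 433.3 |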

 

Table 20 VHT-MCS parameters (80 MHz, NSS=2)

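| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 58.5 | 65.0 |
| 1 | QPSK | 117.0 | 130.0 |
| 2 | QPSK | 175.5 | 195.0 |
| 3 | 16-QAM | 234.0 | 260.0 |
| 4 | 16-QAM | 351.0 | 390.0 |
| 5 | 64-QAM | 468.0 | 520.0 |
| 6 | 64-QAM | 526.5 | 585.0 |
| 7 | 64-QAM | 585.0 | 650.0 |
| 8 | 256-QAM | 702.0 | 780.0 |
| 9 | 256-QAM | 780.0 | 866.7 |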

 

Table 21 VHT-MCS parameters (80 MHz, NSS=3)

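| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 87.8 | 97.5 |
| 1 | QPSK | 175.5 | 195.0 |
| 2 | QPSK | 263.3 | 292.5 |
| 3 | 16-QAM | 351.0 | 390.0 |
| 4 | 16-QAM | 526.5 | 585.0 |
| 5 | 64-QAM | 702.0 | 780.0 |
| 6 | Not valid | | |
| 7 | 64-QAM | 877.5 | 975.0 |
| 8 | 256-QAM | 1053.0 | 1170.0 |
| 9 | 256-QAM | 1170.0 | 1300.0 |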

 

Table 22 VHT-MCS parameters (80 MHz, NSS=4)

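| VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
|---|---|---|---|
| 0 | BPSK | 117.0 | 130.0 |
| 1 | QPSK | 234.0 | 260.0 |
| 2 | QPSK | 351.0 | 390.0 |
| 3 | 16-QAM | 468.0 | 520.0 |
| 4 | 16-QAM | 702.0 | 780.0 |
| 5 | 64-QAM | 936.0 | 1040.0 |
| 6 | 64-QAM | 1053.0 | 1170.0 |
| 7 | 64-QAM | 1170.0 | 1300.0 |
| 8 | 256-QAM | 1404.0 | 1560.0 |
| 9 | 256-QAM | 1560.0 | 1733.3 |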

 

802.11ac NSSs are classified into the following types:

·     Mandatory NSSs—Mandatory NSSs for an AP. Clients can associate with an 802.11ac AP only when they support the mandatory NSSs for the AP.

·     Supported NSSs—NSSs supported by an AP except for the mandatory NSSs. Supported NSSs allow a client that supports both mandatory and supported NSSs to use a higher rate to communicate with the AP.

·     Multicast NSS—An AP uses a rate in the VHT-MCS data rate table for the NSS to transmit multicast frames.

 

 

NOTE:

·     For all the VHT-MCS data rate tables, see IEEE 802.11ac-2013.

·     Support for VHT-MCS indexes depends on the AP model.

 

Configuration restrictions and guidelines

The configuration in radio view takes precedence over the configuration in AP group radio view, which in turn takes precedence over the configuration in global configuration view.

Configuration task list

Tasks at a glance

Remarks

(Required.) Enabling or disabling radios

N/A

(Required.) Specifying a radio mode

N/A

(Optional.) Configuring basic radio functions:

·     Specifying a working channel

·     Configuring 2.4 GHz radios to use the European channel gap for auto channel selection

·     Configuring the channel selection blacklist or whitelist

·     Setting the antenna type

·     Setting the antenna gain

·     Setting the maximum transmit power

·     Configuring power lock

·     Setting transmission rates

·     Setting the preamble type

·     Setting the maximum transmission distance

·     Setting the beacon interval

·     Setting the DTIM interval

·     Setting the maximum number of clients that can associate with an AP

·     Configuring 802.11b client access

·     Configuring ANI

·     Specifying a collision avoidance mode

·     Setting the RTS threshold

·     Configuring 802.11g protection

·     Setting the fragmentation threshold

·     Setting the maximum number of hardware retransmissions

·     Performing on-demand channel usage measurement

·     Enabling the continuous mode for a radio

The basic radio functions are applicable to all radios.

(Optional.) Configuring 802.11n functions:

·     Specifying the A-MPDU aggregation method

·     Specifying the A-MSDU aggregation method

·     Configuring short GI

·     Configuring LDPC

·     Configuring STBC

·     Setting MCS indexes

·     Configuring access for only 802.11n and 802.11ac clients

·     Setting the 802.11n bandwidth mode

·     Specifying a MIMO mode

·     Configuring energy saving

·     Configuring 802.11n protection

The 802.11n functions are applicable only to 802.11an, 802.11gn, 802.11ac, and 802.11gac radios.

(Optional.) Configuring 802.11ac functions:

·     Setting NSSs

·     Configuring access for only 802.11ac clients

·     Setting the 802.11ac bandwidth mode

·     Configuring TxBF

The 802.11ac functions are applicable only to 802.11ac and 802.11gac radios.

(Optional.) Configuring the smart antenna feature

N/A

 

Enabling or disabling radios

Enabling or disabling all radios

CAUTION:

Disabling all radios terminates wireless services. Use it with caution.

 

This feature only takes effect on manual APs and online auto APs.

To enable or disable all radios:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable or disable all radios.
       Command: wlan radio { enable | disable }
       Remarks: By default, radios are disabled unless they are already enabled in radio view or AP group radio view.

 

Enabling or disabling a radio in radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP and enter AP view.
       Command: wlan ap ap-name [ model model-name ]
       Remarks: By default, no AP is created. You must specify the name and model when you create an AP.

3.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

4.     Enable or disable the radio.
       Command: radio { enable | disable }
       Remarks: By default, a radio is enabled if the wlan radio enable command is executed in system view. If the wlan radio enable command is not executed in system view, a radio uses the configuration in AP group radio view.

 

Enabling or disabling a radio in AP group radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP group and enter AP group view.
       Command: wlan ap-group group-name
       Remarks: By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.
       Command: ap-model ap-model
       Remarks: N/A

4.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

5.     Enable or disable the radio.
       Command: radio { enable | disable }
       Remarks: By default, a radio is disabled unless it is already enabled by using the wlan radio enable command in system view.

 

Specifying a radio mode

CAUTION:

Modifying the radio mode logs off all associated clients.

 

Support for channels and transmit powers depends on the radio mode. When you change the mode of a radio, the system automatically adjusts the channel and power parameters for the radio.

When you change the radio mode in AP group radio view, the default settings for the commands related to the radio mode are restored.

Specifying a radio mode in radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP and enter AP view.
       Command: wlan ap ap-name [ model model-name ]
       Remarks: By default, no AP is created. You must specify the name and model when you create an AP.

3.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

4.     Specify a radio mode.
       Command: type { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn }
       Remarks: By default, the radio uses the configuration in AP group view.

 

Specifying a radio mode in AP group radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP group and enter AP group view.
       Command: wlan ap-group group-name
       Remarks: By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.
       Command: ap-model ap-model
       Remarks: N/A

4.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

5.     Specify a radio mode.
       Command: type { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn }
       Remarks: The default setting for this command varies by AP model.

 

Configuring basic radio functions

Specifying a working channel

Perform this task to reduce interference from both wireless and non-wireless devices.

You can manually specify a channel or configure the system to automatically select a channel for a radio.

When radar signals are detected on the working channel of a radio, either of the following cases occurs:

·     If the channel is a manually specified channel, the radio changes its channel, and switches back to the specified channel after 30 minutes and then starts the quiet timer. If no radar signals are detected within the quiet time, the radio starts to use the channel. If radar signals are detected within the quiet time, the radio changes its channel.

·     If the channel is an automatically assigned channel, the radio changes its channel.

Specifying a working channel in radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP and enter AP view.
       Command: wlan ap ap-name [ model model-name ]
       Remarks: By default, no AP is created. You must specify the name and model when you create an AP.

3.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

4.     Specify a working channel.
       Command: channel { channel-number | auto { lock | unlock } }
       Remarks: By default, the radio uses the configuration in AP group view.

 

Specifying a working channel in AP group radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP group and enter AP group view.
       Command: wlan ap-group group-name
       Remarks: By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.
       Command: ap-model ap-model
       Remarks: N/A

4.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

5.     Specify a working channel.
       Command: channel { channel-number | auto { lock | unlock } }
       Remarks: By default, the AC automatically selects a channel for the radio and does not lock the channel.

 

Configuring 2.4 GHz radios to use the European channel gap for auto channel selection

By default, 2.4 GHz radios use non-European channel gap 5 to automatically select channels 1, 6, and 11. You can use this feature to enable the radios to use European channel gap 6 to automatically select channels 1, 7, and 13.

To configure 2.4 GHz radios to use the European channel gap for auto channel selection:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter global configuration view.
       Command: wlan global-configuration
       Remarks: N/A

3.     Configure 2.4 GHz radios to use the European channel gap for auto channel selection.
       Command: auto-channel european-gap enable
       Remarks: By default, 2.4 GHz radios use the non-European channel gap for auto channel selection.

 

Configuring the channel selection blacklist or whitelist

Perform this task to prevent an AP from selecting channels in the blacklist, or to restrict it to channels in the whitelist, during automatic channel selection. You cannot configure both the channel selection blacklist and whitelist for the same AP.

Configuring the channel selection blacklist or whitelist in radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter AP view.
       Command: wlan ap ap-name [ model model-name ]
       Remarks: N/A

3.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

4.     Add the specified channels to the channel selection blacklist or whitelist.
       Command: channel auto-select { blacklist | whitelist } channel-number
       Remarks: By default, a radio uses the configuration in AP group view.

 

Configuring the channel selection blacklist or whitelist in AP group radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter AP group view.
       Command: wlan ap-group group-name
       Remarks: N/A

3.     Enter AP model view.
       Command: ap-model ap-model
       Remarks: N/A

4.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

5.     Add the specified channels to the channel selection blacklist or whitelist.
       Command: channel auto-select { blacklist | whitelist } channel-number
       Remarks: By default, no channel selection blacklist or whitelist exists.

 

Setting the antenna type

 

NOTE:

Antenna types supported by an AP vary by device model.

 

If an AP uses a third-party antenna, you must set the antenna type to the type of the antenna that the AP uses.

The antenna gain automatically changes after you set the antenna type to ensure that the transmit power is within the correct range.

Setting the antenna type in radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP and enter AP view.
       Command: wlan ap ap-name [ model model-name ]
       Remarks: By default, no AP is created. You must specify the name and model when you create an AP.

3.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

4.     Set the antenna type.
       Command: antenna type antenna-type
       Remarks: By default, the radio uses the configuration in AP group view.

 

Setting the antenna type in AP group radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP group and enter AP group view.
       Command: wlan ap-group group-name
       Remarks: By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.
       Command: ap-model ap-model
       Remarks: N/A

4.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

5.     Set the antenna type.
       Command: antenna type antenna-type
       Remarks: The default antenna type for an AP varies by device model.

 

Setting the antenna gain

IMPORTANT:

This feature is available only when an AP uses a third-party antenna.

 

Effective Isotropic Radiated Power (EIRP) is the actual transmit power of an antenna, and it is the sum of the antenna gain and the maximum transmit power of the radio.

If an AP uses a third-party antenna, you must set the antenna gain to the gain of the antenna that the AP uses.

Setting the antenna gain in radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP and enter AP view.
       Command: wlan ap ap-name [ model model-name ]
       Remarks: By default, no AP is created. You must specify the name and model when you create an AP.

3.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

4.     Set the antenna gain.
       Command: custom-antenna gain antenna-gain
       Remarks: By default, the radio uses the configuration in AP group view.

 

Setting the antenna gain in AP group radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP group and enter AP group view.
       Command: wlan ap-group group-name
       Remarks: By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.
       Command: ap-model ap-model
       Remarks: N/A

4.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

5.     Set the antenna gain.
       Command: custom-antenna gain antenna-gain
       Remarks: By default, the antenna gain is 0 dBi.

 

Setting the maximum transmit power

Make sure the maximum transmit power is within the transmit power range supported by a radio. The transmit power range supported by a radio varies by country code, channel, AP model, radio mode, antenna type, and bandwidth mode. If you change these attributes for a radio after you set the maximum transmit power, the configured maximum transmit power might be out of the supported transmit power range. If this happens, the system automatically adjusts the maximum transmit power to a valid value.

If you enable power lock, the locked power becomes the maximum transmit power. For more information about power lock, see "Configuring power lock."

Setting the maximum transmit power in radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP and enter AP view.
       Command: wlan ap ap-name [ model model-name ]
       Remarks: By default, no AP is created. You must specify the name and model when you create an AP.

3.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

4.     Set the maximum transmit power.
       Command: max-power radio-power
       Remarks: By default, the radio uses the configuration in AP group view.

 

Setting the maximum transmit power in AP group radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP group and enter AP group view.
       Command: wlan ap-group group-name
       Remarks: By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.
       Command: ap-model ap-model
       Remarks: N/A

4.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

5.     Set the maximum transmit power.
       Command: max-power radio-power
       Remarks: By default, the radio uses the supported maximum transmit power.

 

Configuring power lock

If you enable power lock, the current power is locked and becomes the maximum transmit power. The locked power still takes effect after the AC restarts.

If a radio enabled with power lock switches to a new channel that provides lower power than the locked power, the maximum power supported by the new channel takes effect.

Configuring power lock in radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP and enter AP view.
       Command: wlan ap ap-name [ model model-name ]
       Remarks: By default, no AP is created. You must specify the name and model when you create an AP.

3.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

4.     Configure power lock.
       Command: power-lock { disable | enable }
       Remarks: By default, the radio uses the configuration in AP group view.

 

Configuring power lock in AP group radio view

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Create an AP group and enter AP group view.
       Command: wlan ap-group group-name
       Remarks: By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.
       Command: ap-model ap-model
       Remarks: N/A

4.     Enter radio view.
       Command: radio radio-id
       Remarks: N/A

5.     Configure power lock.
       Command: power-lock { disable | enable }
       Remarks: By default, power lock is disabled.

 

Setting transmission rates

Transmission rates are classified into the following types:

·     Prohibited rates—Rates that cannot be used by an AP.

·     Mandatory rates—Rates that the clients must support to associate with an AP.

·     Supported rates—Rates that an AP supports. After a client associates with an AP, the client can select a higher rate from the supported rates to communicate with the AP. The AP automatically decreases the transmission rate when heavy interference, retransmission, or packet dropping is detected and increases the rate when little interference, retransmission, or packet dropping is detected.

·     Multicast rate—Rate at which an AP transmits multicasts and broadcasts. The multicast rate must be selected from the mandatory rates.

Setting the transmission rates in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Set the transmission rates for the radio.

rate { multicast { auto | rate-value } | { disabled | mandatory | supported } rate-value }

By default, the radio uses the configuration in AP group view.

 

Setting the transmission rates in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the transmission rates for the radio.

rate { multicast { auto | rate-value } | { disabled | mandatory | supported } rate-value }

The default settings are as follows:

·     802.11a/802.11an/802.11ac radios:

○     Prohibited rates—None.

○     Mandatory rates—6, 12, and 24.

○     Multicast rate—Selected from the mandatory rates.

○     Supported rates—9, 18, 36, 48, and 54.

·     802.11b radios:

○     Prohibited rates—None.

○     Mandatory rates—1 and 2.

○     Multicast rate—Selected from the mandatory rates.

○     Supported rates—5.5 and 11.

·     802.11g/802.11gn/802.11gac radios:

○     Prohibited rates—None.

○     Mandatory rates—1, 2, 5.5, and 11.

○     Multicast rate—Selected from the mandatory rates.

○     Supported rates—6, 9, 12, 18, 24, 36, 48, and 54.

 

Setting the preamble type

IMPORTANT:

This feature is applicable only to 802.11b, 802.11g, and 802.11gn radios.

 

A preamble is a set of bits in a packet header to synchronize transmission signals between sender and receiver. A short preamble improves network performance and a long preamble ensures compatibility with all wireless devices of early models.

Setting the preamble type in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Set the preamble type.

preamble { long | short }

By default, the radio uses the configuration in AP group view.

 

Setting the preamble type in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the preamble type.

preamble { long | short }

By default, a short preamble is used.

 

Setting the maximum transmission distance

The strength of wireless signals gradually degrades as the transmission distance increases. The maximum transmission distance of wireless signals depends on the surrounding environment and on whether an external antenna is used.

·     Without an external antenna—About 300 meters (984.25 ft).

·     With an external antenna—30 km (18.64 miles) to 50 km (31.07 miles).

·     In an area with obstacles—35 m (114.83 ft) to 50 m (164.04 ft).

Setting the maximum transmission distance in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Set the maximum transmission distance.

distance distance

By default, the radio uses the configuration in AP group view.

 

Setting the maximum transmission distance in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the maximum transmission distance.

distance distance

By default, the maximum transmission distance is 1 km (0.62 miles).

 

Setting the beacon interval

Perform this task to enable an AP to broadcast beacon frames at the specified interval. A small beacon interval enables clients to easily detect the AP but consumes more system resources.

Setting the beacon interval in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Set the beacon interval.

beacon-interval interval

By default, the radio uses the configuration in AP group view.

 

Setting the beacon interval in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the beacon interval.

beacon-interval interval

By default, the beacon interval is 100 TU.

 

Setting the DTIM interval

An AP periodically broadcasts a beacon compliant with the Delivery Traffic Indication Map (DTIM). After the AP broadcasts the beacon, it sends buffered broadcast and multicast frames based on the value of the DTIM interval. For example, if you set the DTIM interval to 5, the AP sends buffered broadcast and multicast frames every five beacon frames.

Setting the DTIM interval in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Set the DTIM interval.

dtim counter

By default, the radio uses the configuration in AP group view.

 

Setting the DTIM interval in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the DTIM interval.

dtim counter

By default, the DTIM interval is 1.

 

Setting the maximum number of clients that can associate with an AP

When the maximum number of clients is reached on an AP, the AP stops accepting new clients. This prevents the AP from being overloaded.

Setting the maximum number of clients that can associate with an AP in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Set the maximum number of clients that can associate with the AP.

client max-count max-number

By default, the radio uses the configuration in AP group view.

 

Setting the maximum number of clients that can associate with an AP in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the maximum number of clients that can associate with the AP.

client max-count max-number

By default, no limit is set for the number of clients that can associate with an AP.

 

Configuring 802.11b client access

To reduce the impact of low-speed 802.11b clients and speed up wireless data transmission, you can enable an 802.11g, 802.11gn, or 802.11gac radio to prohibit access for 802.11b clients.

Configuring 802.11b client access in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Configure 802.11b client access.

client dot11b-forbidden { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Configuring 802.11b client access in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure 802.11b client access.

client dot11b-forbidden { disable | enable }

By default, the radio accepts 802.11b clients.

 

Configuring ANI

Adaptive Noise Immunity (ANI) enables the device to adjust the anti-noise level based on the environment to reduce the interference from the surrounding environment.

Configuring ANI in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Configure ANI.

ani { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Configuring ANI in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure ANI.

ani { disable | enable }

By default, ANI is enabled.

 

Specifying a collision avoidance mode

Wireless devices operate in half duplex mode and cannot send and receive data simultaneously. 802.11 allows wireless devices to send Request to Send (RTS) or Clear to Send (CTS) packets to avoid collision.

You can specify either of the following collision avoidance modes for an AP:

·     RTS/CTS—An AP sends an RTS packet to a client before sending data to the client. After receiving the RTS packet, the client sends a CTS packet to the AP. The AP begins to send data after receiving the CTS packet, and other devices that detect the RTS or CTS packet do not send data within a specific time period.

 

 

NOTE:

802.11b radios support only the RTS/CTS mode.

 

·     CTS-to-self—An AP sends a CTS packet with its own MAC address as the destination MAC address before sending data to a client. After receiving the CTS-to-self packet, the AP begins to send data, and other devices that detect the CTS-to-self packet do not send data within a specific time period. The CTS-to-self mode reduces the transmission time but might result in hidden node problems.

To ensure wireless resource efficiency, collision avoidance takes effect only when the following conditions are met:

·     The packet to be sent is longer than the RTS threshold (2346 bytes by default).

·     802.11g or 802.11n protection is enabled. For more information about 802.11g or 802.11n protection, see "Configuring 802.11g protection" and "Configuring 802.11n protection."

Specifying a collision avoidance mode in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Specify a collision avoidance mode.

protection-mode { cts-to-self | rts-cts }

By default, the radio uses the configuration in AP group view.

 

Specifying a collision avoidance mode in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Specify a collision avoidance mode.

protection-mode { cts-to-self | rts-cts }

By default, the CTS-to-self mode is used.

 

Setting the RTS threshold

802.11 allows wireless devices to send Request to Send (RTS) or Clear to Send (CTS) packets to avoid collision. However, excessive RTS and CTS packets consume more system resources and reduce transmission efficiency. You can set an RTS threshold to resolve this problem. The system performs collision avoidance only for packets larger than the RTS threshold.

In a low-density WLAN, increase the RTS threshold to improve the network throughput and efficiency. In a high-density WLAN, decrease the RTS threshold to reduce collisions in the network.

Setting the RTS threshold in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Set the RTS threshold.

protection-threshold size

By default, the radio uses the configuration in AP group view.

 

Setting the RTS threshold in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the RTS threshold.

protection-threshold size

By default, the RTS threshold is 2346 bytes.

 

Configuring 802.11g protection

IMPORTANT:

This feature is applicable only to 802.11g and 802.11n (2.4 GHz) radios.

 

When both 802.11b and 802.11g clients exist in a WLAN, transmission collision might occur because they use different modulation modes. 802.11g protection can avoid such collisions. It enables 802.11g, 802.11n, and 802.11ac devices to send RTS/CTS or CTS-to-self packets to inform 802.11b clients to defer access to the medium. For more information about RTS/CTS or CTS-to-self, see "Specifying a collision avoidance mode."

802.11g, 802.11n, and 802.11ac devices send RTS/CTS or CTS-to-self packets before sending data only when 802.11b signals are detected on the channel.

802.11g protection automatically takes effect when 802.11b clients associate with an 802.11g, 802.11n (2.4 GHz), or 802.11ac AP.

Configuring 802.11g protection in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Configure 802.11g protection.

dot11g protection { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Configuring 802.11g protection in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure 802.11g protection.

dot11g protection { disable | enable }

By default, 802.11g protection is disabled.
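The interaction between the collision avoidance mode, the RTS threshold, and 802.11g protection described above can be modelled as follows. This is an added example, not H3C code: the view contents are constructed from the commands on this page, and the function names and the dot11b_client_associated and dot11n_protection flags are assumptions made for illustration.

```python
# Added example (not vendor code): resolves the effective collision avoidance
# settings for a radio and decides whether a given frame is protected.

# AP group radio view defaults as stated on this page.
GROUP_DEFAULTS = {
    "protection-mode": "cts-to-self",
    "protection-threshold": 2346,      # RTS threshold in bytes
    "dot11g protection": "disable",
}


def parse_view(text):
    """Parse constructed CLI lines into {command: value}; other lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key in GROUP_DEFAULTS:
            if line.startswith(key + " "):
                value = line[len(key):].strip()
                settings[key] = int(value) if value.isdigit() else value
                break
    return settings


def effective_config(radio_view, group_view):
    """Radio view overrides AP group radio view, which overrides the defaults."""
    cfg = dict(GROUP_DEFAULTS)
    cfg.update(parse_view(group_view))
    cfg.update(parse_view(radio_view))
    return cfg


def collision_avoidance(cfg, frame_len, dot11b_client_associated=False,
                        dot11n_protection=False):
    """Return 'rts-cts', 'cts-to-self', or None for a frame of frame_len bytes.

    Both conditions from the guide must hold: the frame is longer than the
    RTS threshold, and 802.11g or 802.11n protection is in effect. 802.11g
    protection also takes effect automatically when an 802.11b client
    associates. The two keyword flags are assumed runtime inputs.
    """
    protection_on = (cfg["dot11g protection"] == "enable"
                     or dot11b_client_associated
                     or dot11n_protection)
    if not protection_on:
        return None
    if frame_len <= cfg["protection-threshold"]:
        return None
    return cfg["protection-mode"]


def report(cfg, frame_sizes, **state):
    """Map each frame size to the exchange that precedes it (or None)."""
    return {size: collision_avoidance(cfg, size, **state) for size in frame_sizes}


# Constructed sample input: one AP group radio view and two radio views.
GROUP_VIEW = "dot11g protection enable\n"
RADIO_VIEW_INHERITED = ""
RADIO_VIEW_TUNED = "protection-mode rts-cts\nprotection-threshold 512\n"

if __name__ == "__main__":
    for name, radio in (("inherited", RADIO_VIEW_INHERITED),
                        ("tuned", RADIO_VIEW_TUNED)):
        cfg = effective_config(radio, GROUP_VIEW)
        print(name, cfg, report(cfg, (256, 1500, 2400)))
```

With the default threshold of 2346 bytes, a 1500-byte frame is sent without RTS/CTS or CTS-to-self even when protection is enabled, so the threshold has to be lowered before the mode setting affects typical traffic.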

 

Setting the fragmentation threshold

Frames larger than the fragmentation threshold are fragmented before transmission. Frames smaller than the fragmentation threshold are transmitted without fragmentation.

In a WLAN with great interference, decrease the fragmentation threshold to improve the network throughput and efficiency.

Setting the fragmentation threshold in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Set the fragmentation threshold.

fragment-threshold size

By default, the radio uses the configuration in AP group view.

 

Setting the fragmentation threshold in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the fragmentation threshold.

fragment-threshold size

By default, the fragmentation threshold is 2346 bytes.

 

Setting the maximum number of hardware retransmissions

In wireless networks, unicast frames require acknowledgements. If a device fails to receive the acknowledgement for a packet, it retransmits the packet.

You can set different values for the maximum number of hardware retransmissions for large frames and small frames. Transmitting large frames requires a large buffer size and a long time because the system performs collision avoidance for large frames before transmission. Therefore, you can reduce the maximum number of hardware retransmissions for large frames to save system buffer and transmission time.

Setting the maximum number of hardware retransmissions in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Set the maximum number of hardware retransmissions for small frames.

short-retry threshold count

By default, the radio uses the configuration in AP group view.

5.     Set the maximum number of hardware retransmissions for large frames.

long-retry threshold count

By default, the radio uses the configuration in AP group view.

 

Setting the maximum number of hardware retransmissions in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the maximum number of hardware retransmissions for small frames.

short-retry threshold count

By default, the maximum number of hardware retransmissions is 7 for small frames.

6.     Set the maximum number of hardware retransmissions for large frames.

long-retry threshold count

By default, the maximum number of hardware retransmissions is 4 for large frames.

 

Performing on-demand channel usage measurement

This feature enables an AP to scan supported channels and display the channel usage after scanning. It takes about one second to scan a channel.

To perform on-demand channel usage measurement:

 

Step

Command

1.     Enter system view.

system-view

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

3.     Enter radio view.

radio radio-id

4.     Perform on-demand channel usage measurement.

channel-usage measure

 

Enabling the continuous mode for a radio

About the continuous mode

This feature is used for network testing only. Do not use it under any other circumstances.

The feature enables continuous data packet sending at the specified rate. When the feature is enabled, do not perform any other operations except for changing the transmit rate.

Procedure

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Enable the continuous mode for the radio.

continuous-mode { mcs mcs-index | nss nss-index vht-mcs vhtmcs-index | rate rate-value }

By default, the continuous mode is disabled.

The rate rate-value option applies to all radio types. The mcs mcs-index option applies only to 802.11n, 802.11ac, and 802.11gac radios. The nss nss-index vht-mcs vhtmcs-index option applies only to 802.11ac and 802.11gac radios.

 

Configuring 802.11n functions

 

NOTE:

Support for 802.11n depends on the device model.

 

IMPORTANT:

When you configure 802.11n functions for an AP, if another user is configuring 802.11n functions for the same AP, your configuration fails.

 

IEEE 802.11n is designed to provide high-quality wireless services and enable WLAN to achieve the same network performance as Ethernet. 802.11n improves the throughput and transmission rate of WLAN by optimizing the physical layer and Media Access Control (MAC) layer.

The physical layer of 802.11n is based on OFDM. 802.11n uses Multiple Input, Multiple Output (MIMO), 40 MHz bandwidth, short Guard Interval (GI), Space-Time Block Coding (STBC), and Low-Density Parity Check (LDPC) to achieve high throughput at the physical layer. It uses A-MPDU, A-MSDU, and Block Acknowledgment (BA) to improve transmission efficiency at the MAC layer.

Specifying the A-MPDU aggregation method

Specifying the A-MPDU aggregation method in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Specify the A-MPDU aggregation method.

a-mpdu { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Specifying the A-MPDU aggregation method in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Specify the A-MPDU aggregation method.

a-mpdu { disable | enable }

By default, the A-MPDU aggregation method is disabled.

 

Specifying the A-MSDU aggregation method

Specifying the A-MSDU aggregation method in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Specify the A-MSDU aggregation method.

a-msdu { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Specifying the A-MSDU aggregation method in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Specify the A-MSDU aggregation method.

a-msdu { disable | enable }

By default, the A-MSDU aggregation method is enabled.

 

Configuring short GI

802.11 OFDM fragments frames into data blocks for transmission. It uses GI to ensure that the data block transmissions do not interfere with each other and are immune to transmission delays.

The GI used by 802.11a/g is 800 ns. 802.11n supports a short GI of 400 ns, which provides a 10% increase in data rate.

Both the 20 MHz and 40 MHz bandwidth modes support short GI.

Configuring short GI in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Configure short GI.

short-gi { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Configuring short GI in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure short GI.

short-gi { disable | enable }

By default, short GI is enabled.

 

Configuring LDPC

802.11n introduces the Low-Density Parity Check (LDPC) mechanism to increase the signal-to-noise ratio and enhance the transmission quality. LDPC takes effect only when both ends support LDPC.

Configuring LDPC in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-number

N/A

4.     Configure LDPC.

ldpc { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Configuring LDPC in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure LDPC.

ldpc { disable | enable }

By default, LDPC is disabled.

 

Configuring STBC

The Space-Time Block Coding (STBC) mechanism can enhance the reliability of data transmission and does not require high transmission rates for clients.

Configuring STBC in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-number

N/A

4.     Configure STBC.

stbc { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Configuring STBC in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure STBC.

stbc { disable | enable }

By default, STBC is enabled.

 

Setting MCS indexes

Follow these restrictions and guidelines when you set MCS indexes for an 802.11n AP:

·     802.11n clients use the rate corresponding to the MCS index to send unicast frames, and 802.11a/b/g clients use the 802.11a/b/g rate to send unicast frames.

·     If you do not set a multicast MCS index, 802.11n clients and the AP use the 802.11a/b/g multicast rate to send multicast frames. If you set a multicast MCS index, one of the following cases occurs:

○     The AP and clients use the rate corresponding to the multicast MCS index to send multicast frames if only 802.11n clients exist.

○     The AP and clients use the 802.11a/b/g multicast rate to send multicast frames if any 802.11a/b/g clients exist.

·     When you set the maximum mandatory or supported MCS index, you actually specify a range. For example, if you set the maximum mandatory MCS index to 5, rates corresponding to MCS indexes 0 through 5 are configured as 802.11n mandatory rates.

Setting MCS indexes in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Set the maximum mandatory MCS index.

dot11n mandatory maximum-mcs index

The default settings are as follows:

·     If the maximum supported MCS index is set, no maximum mandatory MCS index is set.

·     If the maximum supported MCS index is not set, the radio uses the configuration in AP group view.

5.     Set the maximum supported MCS index.

dot11n support maximum-mcs index

The default settings are as follows:

·     If the maximum mandatory MCS index is set, the maximum supported MCS index is 76.

·     If the maximum mandatory MCS index is not set, the radio uses the configuration in AP group view.

The maximum supported MCS index cannot be smaller than the maximum mandatory MCS index.

6.     Set the multicast MCS index.

dot11n multicast-mcs index

The default settings are as follows:

·     If the maximum supported MCS index or the maximum mandatory MCS index is set, no multicast MCS index is set.

·     If neither the maximum supported MCS index nor the maximum mandatory MCS index is set, the radio uses the configuration in AP group view.

The multicast MCS index cannot be greater than the maximum mandatory MCS index.

 

Setting MCS indexes in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the maximum mandatory MCS index.

dot11n mandatory maximum-mcs index

By default, no maximum mandatory MCS index is set.

6.     Set the maximum supported MCS index.

dot11n support maximum-mcs index

By default, the maximum supported MCS index is 76.

The maximum supported MCS index cannot be smaller than the maximum mandatory MCS index.

7.     Set the multicast MCS index.

dot11n multicast-mcs index

By default, no multicast MCS index is set.

The multicast MCS index cannot be greater than the maximum mandatory MCS index.
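The rate and MCS constraints stated in "Setting transmission rates" and "Setting MCS indexes" can be checked before a configuration is pushed to the AC. The following audit is an added example, not H3C code: the input lines are constructed from the commands on this page, and the function name, the finding codes, the acceptance of several rate values on one line, and the rule that a rate belongs to only the class most recently assigned to it are assumptions.

```python
# Added example (not vendor code): audits the rate and MCS settings of one
# radio against the constraints stated on this page.

# Default rate classes (Mbps) from the AP group radio view table on this page.
DEFAULT_RATES = {
    "802.11a": {"mandatory": {6, 12, 24}, "supported": {9, 18, 36, 48, 54}},
    "802.11b": {"mandatory": {1, 2}, "supported": {5.5, 11}},
    "802.11g": {"mandatory": {1, 2, 5.5, 11},
                "supported": {6, 9, 12, 18, 24, 36, 48, 54}},
}
DEFAULT_MAX_SUPPORTED_MCS = 76
RATE_CLASSES = ("disabled", "mandatory", "supported")


def audit_radio(radio_type, config_text):
    """Apply rate/dot11n lines to the defaults and return the result with findings."""
    rates = {cls: set() for cls in RATE_CLASSES}
    for cls, values in DEFAULT_RATES[radio_type].items():
        rates[cls] = set(values)
    multicast_rate = None            # None means "rate multicast auto"
    mcs = {}

    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) >= 3 and words[0] == "rate":
            if words[1] == "multicast":
                multicast_rate = None if words[2] == "auto" else float(words[2])
            elif words[1] in RATE_CLASSES:
                for value in map(float, words[2:]):
                    # Assumption: a rate belongs to exactly one class.
                    for members in rates.values():
                        members.discard(value)
                    rates[words[1]].add(value)
        elif (len(words) == 4 and words[0] == "dot11n"
              and words[1] in ("mandatory", "support")
              and words[2] == "maximum-mcs"):
            mcs[words[1]] = int(words[3])
        elif len(words) == 3 and words[:2] == ["dot11n", "multicast-mcs"]:
            mcs["multicast"] = int(words[2])

    findings = []
    if not rates["mandatory"]:
        # The multicast rate must be selected from the mandatory rates.
        findings.append("NO_MANDATORY_RATE")
    if multicast_rate is not None and multicast_rate not in rates["mandatory"]:
        findings.append("MULTICAST_RATE_NOT_MANDATORY")

    mandatory = mcs.get("mandatory")
    support = mcs.get("support", DEFAULT_MAX_SUPPORTED_MCS)
    if mandatory is not None and support < mandatory:
        findings.append("SUPPORT_MCS_BELOW_MANDATORY")
    if ("multicast" in mcs and mandatory is not None
            and mcs["multicast"] > mandatory):
        findings.append("MULTICAST_MCS_ABOVE_MANDATORY")

    return {
        "rates": {cls: sorted(vals) for cls, vals in rates.items()},
        # Setting a maximum index configures the whole range 0..index.
        "mandatory_mcs": list(range(mandatory + 1)) if mandatory is not None else [],
        "max_supported_mcs": support,
        "findings": findings,
    }


# Constructed sample input for an 802.11g-family radio.
BAD_CONFIG = """\
rate disabled 1 2 5.5
rate mandatory 12
rate multicast 6
dot11n mandatory maximum-mcs 7
dot11n support maximum-mcs 5
dot11n multicast-mcs 9
"""
GOOD_CONFIG = """\
rate multicast 11
dot11n mandatory maximum-mcs 5
dot11n multicast-mcs 3
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, audit_radio("802.11g", text))
```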

 

Configuring access for only 802.11n and 802.11ac clients

To reduce the impact of low-speed 802.11a/b/g clients and speed up wireless data transmission, you can enable an AP to accept only 802.11n and 802.11ac clients.

Configuring access for only 802.11n and 802.11ac clients in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Configure access for only 802.11n and 802.11ac clients.

client dot11n-only { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Configuring access for only 802.11n and 802.11ac clients in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure access for only 802.11n and 802.11ac clients.

client dot11n-only { disable | enable }

By default, this feature is disabled.

 

Setting the 802.11n bandwidth mode

802.11n uses the channel structure of 802.11a/b/g, but increases the number of data subchannels in a 20 MHz channel to 52. This improves the data transmission rate.

802.11n binds two adjacent 20 MHz channels to form a 40 MHz channel (one primary channel and one secondary channel). This provides a simple way to double the data rate.

The bandwidth for a radio varies by the bandwidth mode and chip capability.

Setting the 802.11n bandwidth mode in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Set the 802.11n bandwidth mode.

channel band-width { 20 | 40 [ auto-switch ] }

By default, the radio uses the configuration in AP group view.

Only 802.11gn radios support the auto-switch keyword.

 

Setting the 802.11n bandwidth mode in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the 802.11n bandwidth mode.

channel band-width { 20 | 40 [ auto-switch ] }

By default, the bandwidth mode is 40 MHz for 802.11an radios and 20 MHz for 802.11gn radios.

Only 802.11gn radios support the auto-switch keyword.

 

Specifying a MIMO mode

 

NOTE:

The number of spatial streams supported by a radio varies by AP model.

 

Multiple-input and multiple-output (MIMO) enables a radio to send and receive wireless signals through multiple spatial streams to improve system capacity and spectrum usage without requiring higher bandwidth.

A radio can operate in one of the following MIMO modes:

·     1x1—Sends and receives wireless signals through one spatial stream.

·     2x2—Sends and receives wireless signals through two spatial streams.

·     3x3—Sends and receives wireless signals through three spatial streams.

·     4x4—Sends and receives wireless signals through four spatial streams.

Specifying a MIMO mode in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Specify a MIMO mode.

mimo { 1x1 | 2x2 | 3x3 | 4x4 }

By default, the radio uses the configuration in AP group view.

 

Specifying a MIMO mode in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Specify a MIMO mode.

mimo { 1x1 | 2x2 | 3x3 | 4x4 }

The default MIMO mode for a radio varies by AP model.

 

Configuring energy saving

After you enable the energy saving feature, the MIMO mode of a radio automatically changes to 1x1 if no clients associate with the radio. This reduces power consumption.

Configuring energy saving in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Configure energy saving.

green-energy-management { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Configuring energy saving in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure energy saving.

green-energy-management { disable | enable }

By default, energy saving is disabled.

 

Configuring 802.11n protection

When both 802.11n and non-802.11n clients exist in a WLAN, transmission collisions might occur because they use different modulation modes. 802.11n protection can avoid such collisions. It enables 802.11n devices to send RTS/CTS or CTS-to-self packets to inform non-802.11n clients to defer access to the medium. For more information about RTS/CTS or CTS-to-self, see "Specifying a collision avoidance mode."

802.11n devices send RTS/CTS or CTS-to-self packets before sending data only when non-802.11n signals are detected on the channel.

802.11n protection automatically takes effect when non-802.11n clients associate with an 802.11n AP.

 

 

NOTE:

802.11n devices refer to 802.11n and 802.11ac devices.

 

Configuring 802.11n protection in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Configure 802.11n protection.

dot11n protection { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Configuring 802.11n protection in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure 802.11n protection.

dot11n protection { disable | enable }

By default, 802.11n protection is disabled.

 

Configuring 802.11ac functions

 

NOTE:

Support for 802.11ac depends on the device model.

 

IMPORTANT:

When you configure 802.11ac functions for an AP, if another user is configuring 802.11ac functions for the same AP, your configuration fails.

 

Based on 802.11n, 802.11ac further increases the data transmission rate and improves the network performance by providing higher bandwidth, more spatial streams, and more advanced modulation schemes.

Setting NSSs

Follow these restrictions and guidelines when you set NSSs for an 802.11ac AP:

·     If the AP supports an NSS, it supports all VHT-MCS indexes for the NSS.

·     802.11ac clients use the rate corresponding to the VHT-MCS index for the NSS to send unicast frames, and non-802.11ac clients use the 802.11a/b/g/n rate to send unicast frames.

·     If you do not set a multicast NSS, 802.11ac clients and the AP use the 802.11a/b/g/n multicast rate to send multicast frames. If you set a multicast NSS and specify a VHT-MCS index, one of the following cases occurs:

◦     The AP and clients use the rate corresponding to the VHT-MCS index for the NSS to send multicast frames if all clients are 802.11ac clients.

◦     The AP and clients use the 802.11a/b/g/n multicast rate to send multicast frames if any non-802.11ac clients exist.

·     When you set the maximum mandatory or supported NSS, you actually specify a range. For example, if you set the maximum mandatory NSS to 5, rates corresponding to VHT-MCS indexes for NSSs 1 through 5 are configured as 802.11ac mandatory rates.

Setting NSSs in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Set the maximum mandatory NSS.

dot11ac mandatory maximum-nss nss-number

The default settings are as follows:

·     If the maximum supported NSS is set, no maximum mandatory NSS is set.

·     If the maximum supported NSS is not set, the radio uses the configuration in AP group view.

5.     Set the maximum supported NSS.

dot11ac support maximum-nss nss-number

The default settings are as follows:

·     If the maximum mandatory NSS is set, the maximum supported NSS is 8.

·     If the maximum mandatory NSS is not set, the radio uses the configuration in AP group view.

The maximum supported NSS cannot be smaller than the maximum mandatory NSS.

6.     Set the multicast NSS and specify a VHT-MCS index.

dot11ac multicast-nss nss-number vht-mcs index

The default settings are as follows:

·     If the maximum supported NSS or the maximum mandatory NSS is set, no multicast NSS is set.

·     If neither the maximum supported NSS nor the maximum mandatory NSS is set, the radio uses the configuration in AP group view.

The multicast NSS cannot be greater than the maximum mandatory NSS.

 

Setting NSSs in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the maximum mandatory NSS.

dot11ac mandatory maximum-nss nss-number

By default, no maximum mandatory NSS is set.

6.     Set the maximum supported NSS.

dot11ac support maximum-nss nss-number

By default, the maximum supported NSS is 8.

7.     Set the multicast NSS and specify a VHT-MCS index.

dot11ac multicast-nss nss-number vht-mcs index

By default, no multicast NSS is set.
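The default and restriction rules in the two NSS tables above interact, so the following added example (not part of the H3C guide) resolves the effective NSS settings for a radio from its radio view and AP group radio view values and checks the stated restrictions. The class and function names are hypothetical, and the handling of a multicast NSS when no mandatory NSS is set and of a radio with no clients are assumptions noted in the comments.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_SUPPORTED_NSS = 8  # default maximum supported NSS stated in the guide


@dataclass
class NssConfig:
    """Values explicitly configured in one view; None means the command was not entered."""
    mandatory: Optional[int] = None              # dot11ac mandatory maximum-nss
    supported: Optional[int] = None              # dot11ac support maximum-nss
    multicast: Optional[Tuple[int, int]] = None  # dot11ac multicast-nss <nss> vht-mcs <index>


def effective_group(group: NssConfig) -> NssConfig:
    """AP group radio view: no mandatory NSS, supported NSS 8, no multicast NSS by default."""
    supported = group.supported if group.supported is not None else DEFAULT_SUPPORTED_NSS
    return NssConfig(group.mandatory, supported, group.multicast)


def effective_radio(radio: NssConfig, group: NssConfig) -> NssConfig:
    """Radio view: inherit from the AP group only while neither maximum is set locally."""
    g = effective_group(group)
    if radio.mandatory is None and radio.supported is None:
        # Neither maximum set in radio view: both come from AP group view, and an
        # unset multicast NSS is inherited as well.
        multicast = radio.multicast if radio.multicast is not None else g.multicast
        return NssConfig(g.mandatory, g.supported, multicast)
    # At least one maximum set in radio view: the other falls back to its fixed
    # default (no mandatory NSS, supported NSS 8), and multicast is not inherited.
    supported = radio.supported if radio.supported is not None else DEFAULT_SUPPORTED_NSS
    return NssConfig(radio.mandatory, supported, radio.multicast)


def violations(cfg: NssConfig) -> List[str]:
    """Check the two restrictions given in the Remarks column."""
    problems = []
    if cfg.mandatory is not None and cfg.supported is not None and cfg.supported < cfg.mandatory:
        problems.append("maximum supported NSS is smaller than maximum mandatory NSS")
    # Assumption: with no mandatory NSS configured, the guide gives no limit to
    # compare against, so the multicast check is skipped.
    if cfg.multicast is not None and cfg.mandatory is not None and cfg.multicast[0] > cfg.mandatory:
        problems.append("multicast NSS is greater than maximum mandatory NSS")
    return problems


def mandatory_nss_range(cfg: NssConfig) -> List[int]:
    """A maximum mandatory NSS of N makes the rates for NSSs 1 through N mandatory."""
    return list(range(1, cfg.mandatory + 1)) if cfg.mandatory else []


def multicast_rate_source(cfg: NssConfig, client_is_11ac: List[bool]) -> str:
    """Return 'vht' when the multicast NSS rate applies, else 'legacy' (802.11a/b/g/n rate)."""
    # Assumption: a radio with no clients is reported as 'legacy'.
    if cfg.multicast is not None and client_is_11ac and all(client_is_11ac):
        return "vht"
    return "legacy"


if __name__ == "__main__":
    group = NssConfig(mandatory=2, supported=4, multicast=(1, 3))  # constructed values
    for radio in (NssConfig(), NssConfig(mandatory=5), NssConfig(mandatory=4, supported=2)):
        eff = effective_radio(radio, group)
        print(radio, "->", eff, violations(eff))
```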

 

Configuring access for only 802.11ac clients

To reduce the impact of low-speed 802.11a/b/g/n clients and speed up wireless data transmission, you can enable an AP to accept only 802.11ac clients.

Configuring access for only 802.11ac clients in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Configure access for only 802.11ac clients.

client dot11ac-only { disable | enable }

By default, the radio uses the configuration in AP group view.

 

Configuring access for only 802.11ac clients in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure access for only 802.11ac clients.

client dot11ac-only { disable | enable }

By default, 802.11ac radios accept 802.11a, 802.11an, and 802.11ac clients, and 802.11gac radios accept 802.11b, 802.11gn, and 802.11gac clients.

 

Setting the 802.11ac bandwidth mode

802.11ac uses the channel structure of 802.11n and increases the maximum bandwidth from 40 MHz to 80 MHz. 802.11ac can bind two adjacent 20 MHz channels to form a 40 MHz channel and bind two adjacent 40 MHz channels to form an 80 MHz channel.

If the current channel of a radio does not support the specified bandwidth mode, the radio clears the channel configuration and selects another channel.

 

 

NOTE:

802.11gac supports the 20 MHz and 40 MHz bandwidth modes.

 

Figure 10 802.11ac bandwidth modes

 

Setting the 802.11ac bandwidth mode in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Set the 802.11ac bandwidth mode.

·     Set the 802.11ac bandwidth mode:
channel band-width { 20 | 40 | 80 }

·     Set the 802.11gac bandwidth mode:
channel band-width { 20 | 40 [ auto-switch ] }

By default, the radio uses the configuration in AP group view.

 

Setting the 802.11ac bandwidth mode in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and it cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the 802.11ac bandwidth mode.

·     Set the 802.11ac bandwidth mode:
channel band-width { 20 | 40 | 80 }

·     Set the 802.11gac bandwidth mode:
channel band-width { 20 | 40 [ auto-switch ] }

By default, the bandwidth mode is 80 MHz and 20 MHz for 802.11ac and 802.11gac radios, respectively.

 

Configuring TxBF

 

NOTE:

Support for this feature depends on the AP model.

 

Transmit beamforming (TxBF) enables an AP to adjust transmitting parameters based on the channel information to focus RF signals on intended clients. This feature improves the RF signal quality. TxBF includes single-user TxBF and multi-user TxBF.

·     Single-user TxBF—Single-user TxBF enables an AP to improve the signal to one intended client. Single-user TxBF is applicable to WLANs that have widely spread clients, poor network quality, and serious signal attenuation.

·     Multi-user TxBF—Multi-user TxBF is part of 802.11ac Wave2. Multi-user TxBF enables an AP to focus different RF signals on their intended clients to reduce interference and transmission delay. This improves traffic throughput and bandwidth usage. Multi-user TxBF is applicable to WLANs that have a large number of clients and require high bandwidth usage and low transmission delay.

Configuring TxBF in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no APs exist.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Configure single-user TxBF.

su-txbf { disable | enable }

By default, a radio uses the configuration in AP group radio view.

5.     Configure multi-user TxBF.

mu-txbf { disable | enable }

By default, a radio uses the configuration in AP group radio view.

Multi-user TxBF takes effect only when single-user TxBF is enabled.

 

Configuring TxBF in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, a system-defined AP group exists. This AP group is named default-group and cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure single-user TxBF.

su-txbf { disable | enable }

By default, single-user TxBF is enabled.

6.     Configure multi-user TxBF.

mu-txbf { disable | enable }

By default, multi-user TxBF is enabled.

Multi-user TxBF takes effect only when single-user TxBF is enabled.

 

Configuring the smart antenna feature

 

NOTE:

Support for this feature depends on the device model.

 

IMPORTANT:

This feature is applicable to only 802.11n and 802.11ac radios.

 

The smart antenna feature enables an AP to automatically adjust the antenna parameters based on the client location and channel information to improve signal quality and stability.

You can configure a radio to operate in one of the following smart antenna modes:

·     Auto—Uses the high availability mode for audio and video packets, and uses the high throughput mode for other packets.

·     High-availability—Applicable to WLANs that require stable bandwidth, this mode reduces noise and interference impacts and ensures the bandwidth for clients.

·     High-throughput—Applicable to WLANs that require high performance, this mode enhances signal strength and association capability.

Configuring the smart antenna feature in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

By default, no AP is created.

You must specify the name and model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Enable the smart antenna feature.

smart-antenna enable

By default, the radio uses the configuration in AP group view.

5.     Specify a smart antenna mode.

smart-antenna policy { auto | high-availability | high-throughput }

By default, the radio uses the configuration in AP group view.

 

Configuring the smart antenna feature in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, the default AP group default-group exists and cannot be deleted.

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enable the smart antenna feature.

smart-antenna enable

By default, the smart antenna feature is enabled.

6.     Specify a smart antenna mode.

smart-antenna policy { auto | high-availability | high-throughput }

By default, the auto mode is used.

 

Displaying and maintaining radio management

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display AP radio information.

display wlan ap { all | name ap-name } radio [ frequency-band { 5 | 2.4 } ]

Display radio channel information.

display wlan ap { all | name ap-name } radio channel

Display radio type information.

display wlan ap { all | name ap-name } radio type

Display radio statistics.

display wlan ap { all | name ap-name } radio-statistics

Clear radio statistics.

reset wlan ap { all | name ap-name } radio-statistics

 

Radio management configuration examples

Basic radio function configuration example

Network requirements

As shown in Figure 11, create a manual AP and set the radio mode, working channel, and maximum transmit power to 802.11gn, channel 11, and 19 dBm, respectively.

Figure 11 Network diagram

 

Configuration procedure

# Create the manual AP ap1, and specify its model and serial ID.

<AC> system-view

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Enter radio view of radio 2.

[AC-wlan-ap-ap1] radio 2

# Set the radio mode to dot11gn.

[AC-wlan-ap-ap1-radio-2] type dot11gn

# Configure radio 2 to work on channel 11.

[AC-wlan-ap-ap1-radio-2] channel 11

# Set the maximum transmit power to 19 dBm.

[AC-wlan-ap-ap1-radio-2] max-power 19

# Enable radio 2.

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] return

Verifying the configuration

# View information about all radios.

<AC> display wlan ap all verbose

Total number of APs: 1

Total number of connected APs: 1

Total number of connected manual APs: 1

Total number of connected auto APs: 0

Total number of connected common APs: 1

Total number of connected WTUs: 0

Total number of inside APs: 0

Maximum supported APs: 3072

Remaining APs: 3071

 

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup type                   : Master

 

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA536-WW

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 219801A1NQB117012935

MAC address                   : 0AFB-423B-893C

IP address                    : 192.168.1.50

UDP port number               : 65488

H/W version                   : Ver.C

S/W version                   : R2206P02

Boot version                  : 1.01

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : Static Configuration

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio mode                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -102 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Up

    Radio mode                : 802.11n(2.4GHz)

    Antenna type              : internal

    Client dot11n-only        : Disabled

    Channel band-width        : 20MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 11

    Max power                 : 19 dBm

    Preamble type             : Short

    Operational rate:

        Mandatory             : 1, 2, 5.5, 11 Mbps

        Multicast             : Auto

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -105 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection
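The verification step above can be automated. This added example (not part of the H3C guide) parses `display wlan ap ... verbose` output into AP-level and per-radio fields, compares radio 2 with the values configured in the procedure, and lists AP-level settings that differ from a review baseline. The function names and the baseline of expecting "Tunnel encryption" to read Enabled are this example's assumptions; the sample text is an excerpt of the output shown above.

```python
import re

# Excerpt of the verbose output shown above, trimmed to the fields used here.
SAMPLE_OUTPUT = """\
AP name                       : ap1
State                         : Run
Model                         : WA536-WW
Tunnel encryption             : Disabled
Remote configuration          : Enabled
Radio 1:
    Admin state               : Up
    Radio mode                : 802.11ac
    Channel                   : 44(auto)
    Max power                 : 20 dBm
Radio 2:
    Admin state               : Up
    Radio mode                : 802.11n(2.4GHz)
    Client dot11n-only        : Disabled
    Channel band-width        : 20MHz
    Operational HT MCS Set:
        Mandatory             : Not configured
        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
                                10, 11, 12, 13, 14, 15
    Channel                   : 11
    Max power                 : 19 dBm
    Operational rate:
        Mandatory             : 1, 2, 5.5, 11 Mbps
"""

FIELD = re.compile(r"^(\S.*?)\s+:(?:\s+(.*))?$")  # "Key      : value"
RADIO = re.compile(r"^Radio (\d+):$")             # "Radio 1:"


def parse_verbose(text):
    """Return {"ap": {...}, "radios": {id: {...}}}; nested keys become "Section/Key"."""
    ap, radios = {}, {}
    target = ap                      # dict currently receiving fields
    section, section_indent = None, -1
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # tolerate blank or whitespace-only lines
            continue
        indent = len(raw) - len(raw.lstrip())
        m = RADIO.match(line)
        if m:
            target = radios.setdefault(int(m.group(1)), {})
            section, last_key = None, None
            continue
        m = FIELD.match(line)
        if m:
            if section is not None and indent <= section_indent:
                section = None       # dedent: the nested block has ended
            key = m.group(1) if section is None else f"{section}/{m.group(1)}"
            target[key] = (m.group(2) or "").strip()
            last_key = key
        elif line.endswith(":"):     # header such as "Operational HT MCS Set:"
            section, section_indent = line[:-1].strip(), indent
            last_key = None
        elif last_key is not None:   # wrapped value, e.g. the second MCS line
            target[last_key] = f"{target[last_key]} {line}"
    return {"ap": ap, "radios": radios}


# Values set in the configuration procedure (type dot11gn, channel 11, max-power 19),
# written the way the display output reports them.
EXPECTED_RADIO2 = {"Radio mode": "802.11n(2.4GHz)", "Channel": "11", "Max power": "19 dBm"}

# Assumption of this example: a review baseline, not a default from the guide.
REVIEW_BASELINE = {"Tunnel encryption": "Enabled"}


def radio_mismatches(parsed, radio_id, expected):
    """Return {field: (expected, actual)} for each field that differs."""
    radio = parsed["radios"].get(radio_id, {})
    return {k: (v, radio.get(k)) for k, v in expected.items() if radio.get(k) != v}


def review_findings(parsed, baseline=REVIEW_BASELINE):
    """List AP-level fields whose value differs from the review baseline."""
    ap = parsed["ap"]
    return [f"{k} is {ap.get(k)}, expected {want}"
            for k, want in baseline.items() if ap.get(k) != want]


if __name__ == "__main__":
    parsed = parse_verbose(SAMPLE_OUTPUT)
    print(radio_mismatches(parsed, 2, EXPECTED_RADIO2))
    print(review_findings(parsed))
```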

802.11n configuration example

Network requirements

As shown in Figure 12, specify radio 1 on the AP as an 802.11an radio, and enable the A-MSDU and A-MPDU aggregation methods on the radio.

Figure 12 Network diagram

 

Configuration procedure

# Create the manual AP ap1, and specify its model and serial ID.

<AC> system-view

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Enter radio view of radio 1 on AP 1, and specify the radio as an 802.11an radio.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] type dot11an

# Enable the A-MPDU and A-MSDU aggregation methods.

[AC-wlan-ap-ap1-radio-1] a-mpdu enable

[AC-wlan-ap-ap1-radio-1] a-msdu enable

# Enable radio 1.

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# View information about radios on AP 1.

<AC> display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup type                   : Master

 

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA536-WW

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 219801A1NQB117012935

MAC address                   : 0AFB-423B-893C

IP address                    : 192.168.1.50

UDP port number               : 65488

H/W version                   : Ver.C

S/W version                   : R2206P02

Boot version                  : 1.01

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : Static Configuration

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio mode                : 802.11n(5GHz)

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -102 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Up

    Radio mode                : 802.11n(2.4GHz)

    Antenna type              : internal

    Client dot11n-only        : Disabled

    Channel band-width        : 20MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 11

    Max power                 : 19 dBm

    Preamble type             : Short

    Operational rate:

        Mandatory             : 1, 2, 5.5, 11 Mbps

        Multicast             : Auto

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -105 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

 


Configuring WLAN access

This chapter describes how to configure WLAN access.

WLAN access overview

A wireless client can access a WLAN only when it completes the scanning, link layer authentication, association, and WLAN authentication processes.

For more information about data link layer authentication, see "Configuring WLAN security."

For more information about WLAN authentication, see "Configuring WLAN authentication."

Figure 13 WLAN access process

 

Scanning

Active scanning

A wireless client periodically scans surrounding wireless networks by sending probe requests. It obtains network information from received probe responses. Based on whether a probe request carries an SSID, active scanning can be divided into the following types:

·     Active scanning of all wireless networks.

As shown in Figure 14, the client periodically sends a probe request on each of its supported channels to scan wireless networks. APs that receive the probe request send a probe response, which carries the available wireless network information. The client associates with the optimal AP.

Figure 14 Scanning all wireless networks

 

·     Active scanning of a specific wireless network.

As shown in Figure 15, the client periodically sends a probe request carrying the specified SSID if the wireless client has an SSID configured or has been associated with an SSID. When an AP that can provide wireless services with the specified SSID receives the probe request, it sends a probe response.

Figure 15 Scanning a specific wireless network

 

Passive scanning

As shown in Figure 16, the clients periodically listen to beacon frames sent by APs on their supported channels to get information about surrounding wireless networks. Then the clients select an AP for association. Passive scanning is used when clients want to save power.

Figure 16 Passive scanning

 

Association

A client sends an association request to the AP after passing data link layer authentication. Upon receiving the request, the AP determines the capability supported by the wireless client and sends an association response to the client. Then the client is associated with the AP.

Client access control

The following client access control methods are available:

·     AP group-based access control—Allows clients associated with APs in the specified AP group to access the WLAN.

·     SSID-based access control—Allows clients associated with the specified SSID to access the WLAN.

·     Whitelist- and blacklist-based access control—Uses the whitelist and blacklists to control access for the specified clients.

AP group-based access control

As shown in Figure 17, for AP group-based access control, configure AP group 1 as the permitted AP group for Client 1 and Client 2, and configure AP group 2 as the permitted AP group for Client 3.

When a client passes authentication, the server sends the related user profile to the AC. The AC examines whether the AP with which the client associates is in the permitted AP group. If it is, the client is allowed to access the WLAN. If it is not, the AC logs off the client.

Figure 17 AP group-based access control

 

SSID-based access control

As shown in Figure 18, for SSID-based access control, configure ssida as the permitted SSID for Client 1 and Client 2, and configure ssidb as the permitted SSID for Client 3.

When a client passes authentication, the server sends the related user profile to the AC. The AC examines whether the associated SSID of the client is the permitted SSID. If it is, the client is allowed to access the WLAN. If it is not, the AC logs off the client.

Figure 18 SSID-based access control

 

Whitelist- and blacklist-based access control

You can configure the whitelist or blacklists to filter frames from WLAN clients and implement client access control.

·     Whitelist—Contains the MAC addresses of all clients allowed to access the WLAN. Frames from clients not in the whitelist are discarded. This list is manually configured.

·     Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.

·     Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. An AP adds the MAC address of a client forbidden to access the WLAN to the list when WIPS is configured or when URL redirection is enabled for WLAN MAC authentication clients. The entries in the list are removed when the aging timer expires. For more information about WIPS, see "Configuring WIPS". For more information about WLAN MAC authentication, see "Configuring WLAN authentication."

When an AP receives an association request and sends an Add Mobile message to the AC, the AC performs the following operations to determine whether to permit the client:

1.     Searches the whitelist.

○     If the client MAC address does not match any entries in the whitelist, the client is rejected.

○     If a match is found, the client is permitted.

2.     Searches the static and dynamic blacklists if no whitelist entries exist.

○     If the client MAC address matches an entry in either blacklist, the client is rejected.

○     If no match is found, or no blacklist entries exist, the client is permitted.

Figure 19 Whitelist- and blacklist-based access control

 

Configuration restrictions and guidelines

Configuration in AP view takes precedence over configuration in AP group view, which takes precedence over configuration in global configuration view.

Configuration task list

Tasks at a glance

(Required.) Configuring a service template

(Required.) Setting an SSID

(Optional.) Configuring a description for a service template

(Optional.) Specifying the VLAN allocation method for clients

(Optional.) Configuring clients to prefer the authorization VLAN after roaming

(Optional.) Setting the client cache aging time

(Optional.) Enabling client association at the AC or APs

(Optional.) Specifying the client traffic forwarder

(Optional.) Enabling client traffic forwarding

(Optional.) Setting the encapsulation format for client data frames

(Optional.) Enabling quick association

(Required.) Enabling a service template

(Required.) Binding a service template to a radio

(Optional.) Specifying a region code

(Optional.) Disabling an AP from responding to broadcast probe requests

(Optional.) Setting the client idle timeout timer

(Optional.) Configuring client keepalive

(Optional.) Configuring an AP to not inherit the specified service template from an AP group

(Optional.) Setting the NAS ID

(Optional.) Setting the way in which an AP processes traffic from unknown clients

(Optional.) Configuring policy-based forwarding

(Optional.) Specifying a permitted AP group for client access

(Optional.) Specifying a permitted SSID for client access

(Optional.) Adding a client to the whitelist

(Optional.) Adding a client to the static blacklist

(Optional.) Configuring the dynamic blacklist

(Optional.) Setting the idle period before client reauthentication

(Optional.) Deploying a configuration file to an AP

(Optional.) Configuring uplink client rate limit

(Optional.) Specifying the Web server to which client information is reported

(Optional.) Enabling SNMP notification

(Optional.) Enabling the device to generate client logs in the specified format

 

Configuring a service template

A service template defines a set of wireless service attributes, such as SSID and authentication method.

To configure a service template:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a service template. | wlan service-template service-template-name | By default, no service template exists. |
| 3. Assign clients coming online through the service template to a VLAN. | vlan vlan-id | By default, clients are assigned to VLAN 1 after coming online through a service template. |

 

Setting an SSID

APs advertise SSIDs in beacon frames. If the number of clients in a BSS exceeds the limit or the BSS is unavailable, you can enable SSID-hidden to prevent clients from discovering the BSS. When SSID-hidden is enabled, the BSS hides its SSID in beacon frames and does not respond to broadcast probe requests. A client must send probe requests with the specified SSID to access the WLAN. This feature can protect the WLAN from being attacked.

To set an SSID:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Set an SSID for the service template. | ssid ssid-name | By default, no SSID is set for a service template. As a best practice, set a unique SSID for a service template. |
| 4. (Optional.) Enable SSID-hidden in beacon frames. | beacon ssid-hide | By default, beacon frames carry SSIDs. |

 

Configuring a description for a service template

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Configure a description for the service template. | description text | By default, a service template does not have a description. |

 

Specifying the VLAN allocation method for clients

When a client comes online for the first time, the radio assigns a random VLAN to it. When the client comes online again, the VLAN assigned to the client depends on the allocation method.

·     Static allocation—The client inherits the VLAN that has been assigned to it. If the IP address lease has not expired, the client will use the same IP address. This method helps save IP addresses.

·     Dynamic allocation—The client is re-assigned a VLAN. This method balances clients in all VLANs.

Removing VLANs from or adding VLANs to a client VLAN group does not affect online clients.

After a client goes offline and comes online again, its VLAN might change in the following situations:

·     In static allocation mode, the AP will assign a new VLAN to the client if its original VLAN has been removed from the VLAN group.

·     If you change the VLAN allocation method from dynamic to static, the AP might assign the clients a different VLAN after they come online again.

To specify the VLAN allocation method for clients:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Specify the VLAN allocation method for clients. | client vlan-alloc { dynamic \| static } | By default, the VLAN allocation method for clients is dynamic. |

 

Configuring clients to prefer the authorization VLAN after roaming

As a best practice, configure this feature on all ACs in a mobility group.

Typically, the VLAN of a client remains unchanged after client roaming. However, if the client triggers a security alert configured on IMC after it roams to another AP, the authorization VLAN issued for user isolation takes effect.

This feature takes effect only on 802.1X and MAC authentication clients.

To configure clients to prefer the authorization VLAN after roaming:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Configure clients to prefer the authorization VLAN after roaming. | client preferred-vlan authorized | By default, clients prefer the authorization VLAN after roaming. |

 

Setting the client cache aging time

The client cache saves information such as the PMK list and access VLAN for clients. If a client roams to another AP before the cache aging time expires, the client can inherit the cache information. If a client does not come online before the cache aging time expires, its cache information is cleared.

To set the client cache aging time:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Set the client cache aging time. | client cache aging-time aging-time | By default, the client cache aging time is 180 seconds. |

 

Enabling client association at the AC or APs

If you enable client association at the AC, management frames are sent to the AC over the CAPWAP tunnel. This ensures security and facilitates management. As a best practice, enable client association at the APs when the network between AC and AP is complicated.

Layer 3 roaming is not supported if client association is enabled at APs. When you use the service-template command, you must specify the same VLAN for the APs that use the same service template and have overlapping coverage areas.

To enable client association at the AC or APs:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Enable client association at the AC or APs. | client association-location { ac \| ap } | By default, client association is performed at the AC. |

 

Specifying the client traffic forwarder

The client traffic forwarder can be the AC (centralized forwarding) or APs (local forwarding). Using APs to forward client traffic relieves the forwarding burden on the AC.

If APs forward client traffic, you can specify a VLAN or a VLAN range for the APs to forward traffic from the specified VLANs. The AC forwards data traffic from the other VLANs.

For the configuration of using the AC to forward client traffic to take effect, make sure client traffic forwarding has been enabled.

To specify the client traffic forwarder:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Specify the client traffic forwarder. | client forwarding-location { ac \| ap [ vlan { vlan-start [ to vlan-end ] } ] } | The AC forwards client data traffic. |

 

Enabling client traffic forwarding

You must enable this feature if you configure the AC as the client traffic forwarder.

To enable client traffic forwarding:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable client traffic forwarding. | wlan client forwarding enable | By default, client traffic forwarding is enabled. |

 

Setting the encapsulation format for client data frames

In the centralized forwarding infrastructure, an AP sends data frames from clients to the AC over the CAPWAP tunnel. You can set the encapsulation format for the client data frames to 802.3 or 802.11. As a best practice, set the format to 802.3 so the AC does not need to perform frame format conversion.

To set the encapsulation format for client data frames:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Set the encapsulation format for client data frames. | client frame-format { dot3 \| dot11 } | By default, client data frames are encapsulated in the 802.3 format. |

 

Enabling quick association

Enabling load balancing or band navigation might affect client association efficiency. For delay-sensitive services or in an environment where load balancing and band navigation are not needed, you can enable quick association for a service template.

This feature disables the device from performing load balancing or band navigation on clients associated with the service template even if load balancing and band navigation are enabled in the WLAN.

To enable quick association:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Enable quick association. | quick-association enable | By default, quick association is disabled. |

 

Enabling a service template

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Enable the service template. | service-template enable | By default, a service template is disabled. |

 

Binding a service template to a radio

If you bind a service template to a radio, the AP creates a BSS that can provide wireless services defined in the service template.

You can perform the following tasks when binding a service template to a radio:

·     Bind a VLAN group to the radio so that clients associated with the BSS will be assigned evenly to all VLANs in the VLAN group.

·     Bind the NAS port ID or the NAS ID to the radio to identify the network access server.

·     Enable the AP to hide SSIDs in beacon frames.

Binding a service template to a radio in radio view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Enter radio view. | radio radio-id | N/A |
| 4. Bind a service template to the radio. | service-template service-template-name [ vlan vlan-id \| vlan-group vlan-group-name ] [ ssid-hide ] [ nas-id nas-id \| nas-port-id nas-port-id ] | By default, the configuration in AP group view is used. You can bind a maximum of 16 service templates to a radio. |

 

Binding a service template to a radio in AP group radio view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Enter AP model view. | ap-model ap-model | N/A |
| 4. Enter radio view. | radio radio-id | N/A |
| 5. Bind a service template to the radio. | service-template service-template-name [ vlan vlan-id \| vlan-group vlan-group-name ] [ ssid-hide ] [ nas-id nas-id \| nas-port-id nas-port-id ] | By default, a radio is not bound to any service templates. You can bind a maximum of 16 service templates to a radio. |

 

Specifying a region code

A region code determines characteristics such as available frequencies, available channels, and transmit power level. Set a valid region code before configuring an AP.

To prevent regulation violation caused by region code modification, lock the region code.

Specifying a region code in AP view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Specify a region code. | region-code code | By default, the AP uses the configuration in AP group view. If no region code exists in AP group view, the AP uses the configuration in global configuration view. |
| 4. Lock the region code. | region-code-lock enable | By default, the AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view. |

 

Specifying a region code in AP group view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Specify a region code. | region-code code | By default, the AP group uses the configuration in global configuration view. |
| 4. Lock the region code. | region-code-lock enable | By default, the AP group uses the configuration in global configuration view. |

 

Specifying a global region code

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter global configuration view. | wlan global-configuration | N/A |
| 3. Specify a region code. | region-code code | By default, no region code is specified. |
| 4. Lock the region code. | region-code-lock enable | By default, the region code is not locked. |

 

Disabling an AP from responding to broadcast probe requests

Broadcast probe requests do not carry any SSIDs. Upon receiving a broadcast probe request, an AP responds with a probe response that carries service information for the AP.

This feature enables clients that send unicast probe requests to the AP to associate with the AP more easily.

Disabling an AP from responding to broadcast probe requests in AP view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Disable the AP from responding to broadcast probe requests. | broadcast-probe reply disable | By default, the AP uses the configuration in AP group view. |

 

Disabling APs in an AP group from responding to broadcast probe requests in AP group view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Disable APs in the AP group from responding to broadcast probe requests. | broadcast-probe reply disable | By default, an AP responds to broadcast probe requests. |

 

Setting the client idle timeout timer

If an online client does not send any frames to the associated AP before the client idle timeout timer expires, the AP logs off the client.

Setting the client idle timeout timer in AP view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Set the client idle timeout timer. | client idle-timeout interval | By default, the AP uses the configuration in AP group view. |

 

Setting the client idle timeout timer in AP group view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Set the client idle timeout timer. | client idle-timeout interval | By default, the client idle timeout timer is 3600 seconds. |

 

Configuring client keepalive

This feature enables an AP to send keepalive packets to clients at the specified interval to identify whether the clients are online. If the AP does not receive any replies from a client within three keepalive intervals, it logs off the client.

Configuring client keepalive in AP view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Enable client keepalive. | client keep-alive enable | By default, the AP uses the configuration in AP group view. |
| 4. (Optional.) Set the client keepalive interval. | client keep-alive interval value | By default, the AP uses the configuration in AP group view. |

 

Configuring client keepalive in AP group view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Enable client keepalive. | client keep-alive enable | By default, client keepalive is disabled. |
| 4. (Optional.) Set the client keepalive interval. | client keep-alive interval value | By default, the client keepalive interval is 300 seconds. |

 

Configuring an AP to not inherit the specified service template from an AP group

By default, APs in an AP group inherit the service template bound to the AP group and create BSSs. You can perform this task to configure an AP to not inherit the specified service template from an AP group.

To configure an AP to not inherit the specified service template from an AP group:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Enter radio view. | radio radio-id | N/A |
| 4. Configure the AP to not inherit the specified service template from an AP group. | inherit exclude service-template service-template-name | By default, an AP inherits the service template bound to an AP group. |

 

Setting the NAS ID

A network access server identifier (NAS ID), network access server port identifier (NAS port ID), or network access server VLAN identifier (NAS VLAN ID) identifies the network access server of a client and differentiates the source of client traffic.

If you specify a NAS ID or NAS port ID when binding a service template to a radio, the radio uses the NAS ID or NAS port ID specified for the service template.

If a NAS port ID has been specified by using the nas-port-id command, clients use the specified NAS port ID. If no NAS port ID is specified, clients use the specified NAS port ID format to generate NAS port IDs.

Setting the NAS ID in AP view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the format of NAS port IDs for wireless clients. | wlan nas-port-id format { 2 \| 4 } | By default, clients use format 2 to generate NAS port IDs. |
| 3. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 4. Set the NAS ID. | nas-id nas-id | By default, the AP uses the configuration in AP group view. If no NAS ID is specified in AP group view, the AP uses the configuration in global configuration view. |
| 5. Set the NAS port ID. | nas-port-id nas-port-id | By default, an AP uses the configuration in AP group view. If no NAS port ID is specified in AP group view, the AP uses the configuration in global configuration view. |
| 6. Set the NAS VLAN ID and enable the AC to encapsulate the VLAN ID in RADIUS requests. | nas-vlan vlan-id | By default, no NAS VLAN ID is set. Authentication requests sent to the RADIUS server do not contain the NAS VLAN ID field. Set the NAS VLAN ID when a third-party Security Accounting Management (SAM) server is used as the RADIUS server. |

 

Setting the NAS ID in AP group view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the format of NAS port IDs for wireless clients. | wlan nas-port-id format { 2 \| 4 } | By default, clients use format 2 to generate NAS port IDs. |
| 3. Enter AP group view. | wlan ap-group group-name | N/A |
| 4. Set the NAS ID. | nas-id nas-id | By default, the AP uses the configuration in global configuration view. |
| 5. Set the NAS port ID. | nas-port-id nas-port-id | By default, an AP uses the configuration in global configuration view. |

 

Setting the global NAS ID

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the format of NAS port IDs for wireless clients. | wlan nas-port-id format { 2 \| 4 } | By default, clients use format 2 to generate NAS port IDs. |
| 3. Enter global configuration view. | wlan global-configuration | N/A |
| 4. Set the global NAS ID. | nas-id nas-id | By default, no NAS ID is set. |
| 5. Set the NAS port ID. | nas-port-id nas-port-id | By default, no NAS port ID is set. |

 

Setting the way in which an AP processes traffic from unknown clients

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Set the way in which an AP processes traffic from unknown clients. | unknown-client [ deauthenticate \| drop ] | By default, an AP drops packets from unknown clients and deauthenticates these clients. |

 

Configuring policy-based forwarding

Forwarding policies enable the AC to perform policy-based forwarding for different client traffic flows.

You can apply a forwarding policy to a service template or user profile. The AC preferentially uses the forwarding policy applied to a user profile to direct client traffic forwarding. If the user profile of a client does not have a forwarding policy, the AC uses the forwarding policy applied to the service template.

For forwarding policies to take effect, you must specify the AC to perform authentication for clients. For more information about specifying the authentication location, see "Configuring WLAN authentication."

Make sure the AC and its associated APs are in different network segments.

Configuring a forwarding policy

A forwarding policy contains one or multiple forwarding rules. Each forwarding rule specifies a traffic match criterion and the forwarding mode for matching traffic. The traffic match criterion can be a basic ACL, an advanced ACL, or a Layer 2 ACL. The forwarding mode can be local forwarding or centralized forwarding.

Actions defined in ACL rules do not take effect in wireless packet forwarding. All matched packets are forwarded based on the forwarding mode.

For more information about ACLs, see ACL and QoS Configuration Guide.

To configure a forwarding policy:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a forwarding policy and enter its view. | wlan forwarding-policy policy-name | By default, no forwarding policies are configured. |
| 3. Configure a forwarding rule. | classifier acl { acl-number \| ipv6 ipv6-acl-number } behavior { local \| remote } | By default, no forwarding rules are configured. Repeat this command to configure more forwarding rules. |

 

Applying a forwarding policy to a service template

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Apply a forwarding policy to the service template. | client forwarding-policy-name policy-name | By default, no forwarding policy is applied to a service template. |
| 4. Enable policy-based forwarding. | client forwarding-policy enable | By default, policy-based forwarding is disabled for a service template. For the forwarding policy to take effect, you must enable policy-based forwarding for the service template. |

 

Applying a forwarding policy to a user profile

For the AC to perform policy-based forwarding for clients that use a user profile, apply a forwarding policy to the user profile. After a client passes authentication, the authentication server sends the user profile name specified for the client to the AC. The AC will forward traffic of the client based on the forwarding policy applied to the user profile.

If you modify or delete the applied forwarding policy, the change takes effect when the client comes online again.

To apply a forwarding policy to a user profile:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter user profile view. | user-profile profile-name | N/A |
| 3. Apply a forwarding policy to the user profile. | wlan client forwarding-policy-name policy-name | By default, no forwarding policy is applied to a user profile. |
| 4. Return to system view. | quit | N/A |
| 5. Enter service template view. | wlan service-template service-template-name | N/A |
| 6. Enable policy-based forwarding. | client forwarding-policy enable | By default, policy-based forwarding is disabled for a service template. For the forwarding policy applied to the user profile to take effect, you must enable policy-based forwarding for the service template that the user profile uses. |

 

Specifying a permitted AP group for client access

Perform this task to configure clients to access APs in the specified AP group.

To specify a permitted AP group for client access:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter user profile view. | user-profile profile-name | N/A |
| 3. Specify a permitted AP group for client access. | wlan permit-ap-group ap-group-name | By default, no permitted AP group is specified for client access. |

 

Specifying a permitted SSID for client access

Perform this task to configure clients to access a WLAN through the specified SSID.

To specify a permitted SSID for client access:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter user profile view. | user-profile profile-name | N/A |
| 3. Specify a permitted SSID for client access. | wlan permit-ssid ssid-name | By default, no permitted SSID is specified for client access. |

 

Adding a client to the whitelist

When you add the first client to the whitelist, the system asks you whether to disconnect all online clients. Enter Y at the prompt to configure the whitelist.

To add a client to the whitelist:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Add a client to the whitelist. | wlan whitelist mac-address mac-address | By default, no clients exist in the whitelist. |

 

Adding a client to the static blacklist

You cannot add a client to both the whitelist and the static blacklist.

To add a client to the static blacklist:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Add a client to the static blacklist. | wlan static-blacklist mac-address mac-address | By default, no clients exist in the static blacklist. |

 

Configuring the dynamic blacklist

You can configure the dynamic blacklist to take effect on the AC or on APs.

If you configure the dynamic blacklist to take effect on the AC, all APs connected to the AC will reject the client in the dynamic blacklist. If you configure the dynamic blacklist to take effect on APs, the AP associated with the client in the dynamic blacklist will reject the client, but the client can still associate with other APs connected to the AC. As a best practice, configure the dynamic blacklist to take effect on the AC in high-density environments.

The configured aging time takes effect only on entries added to the dynamic blacklist afterwards.

If the whitelist and blacklists are configured, only the whitelist takes effect.

To configure the dynamic blacklist:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure the dynamic blacklist to take effect on the AC or on APs. | To take effect on APs: wlan dynamic-blacklist active-on-ap; to take effect on the AC: undo wlan dynamic-blacklist active-on-ap | By default, the dynamic blacklist takes effect on APs. |
| 3. Set the aging time for dynamic blacklist entries. | wlan dynamic-blacklist lifetime lifetime | By default, the aging time is 300 seconds. The aging time for dynamic blacklist entries takes effect only on rogue client entries. |

 

Setting the idle period before client reauthentication

Set the idle period before client reauthentication to reduce reauthentication failures.

When URL redirection is enabled for WLAN MAC authentication clients, an AP logs off a client that has passed MAC authentication. At the next MAC authentication attempt, the client can pass MAC authentication and access the WLAN. With the idle period configured, the AP adds the client to the dynamic blacklist after logging off the client and the client entry ages out after the specified idle period.

To set the idle period before client reauthentication:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the idle period before client reauthentication. | wlan client reauthentication-period [ period-value ] | By default, the idle period is not configured. |

 

Deploying a configuration file to an AP

Deploy a configuration file to an AP if you want to update its configuration file or configure features that require a configuration file. For example, to configure a user profile for an AP in local forwarding mode, you must write related commands to a configuration file and then deploy the configuration file to the AP. The configuration file takes effect when the CAPWAP tunnel to the AC is in Run state. It does not survive an AP reboot.

Make sure the configuration file is stored in the storage medium of the AC. Contents in the configuration file must be complete commands.

An AP can only use its main IP address to establish a CAPWAP tunnel to the AC if the AP is configured by using a configuration file.

In an IRF fabric, save the configuration file on each member AC in case of master and backup AC switchover. The map-configuration command takes effect only on the master AC. If you specify a path when executing the command, make sure the path leads to the file on the master AC.

Deploying a configuration file to an AP in AP view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Deploy a configuration file to the AP. | map-configuration filename | By default, no configuration file is deployed to an AP. |

 

Deploying a configuration file to an AP in AP group AP model view

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Enter AP model view. | ap-model ap-model | N/A |
| 4. Deploy a configuration file to the AP. | map-configuration filename | By default, no configuration file is deployed to an AP. |

 

Configuring uplink client rate limit

The following matrix shows the feature and hardware compatibility:

 

| Hardware series | Model | Uplink client rate limit compatibility |
|---|---|---|
| WX1800H series | WX1804H | No |
| WX1800H series | WX1810H, WX1820H, WX1840H | Yes |
| WX3800H series | WX3820H, WX3840H | No |
| WX5800H series | WX5860H | No |

 

Perform this task to limit both the global rate and per-client rate for uplink client packets to ensure both uplink bandwidth usage and per-client bandwidth.

Uplink client rate limit supports the following limit modes:

·     Dynamic—You specify only the global CIR. The per-client CIR is the global CIR divided by the number of clients. This mode avoids uplink bandwidth waste when there are fewer clients.

·     Static—You specify both the global CIR and the per-client CIR.

When this feature is configured, an AP discards non-HTTP packets if both the global CIR and the per-client CIR are exceeded. For an HTTP packet, the AP discards the packet if the global CIR, the per-client CIR, and the HTTP CIR are all exceeded. The HTTP CIR depends on the configured global CIR.

To configure uplink client rate limit:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure uplink client rate limit. | uplink client-rate-limit { inbound \| outbound } mode { dynamic \| static } global cir committed-information-rate [ user cir committed-information-rate ] | By default, uplink client rate limit is not configured. If you rate limit packets in both inbound and outbound directions, make sure the rate limit modes are the same. |

 

Specifying the Web server to which client information is reported

Perform this task to enable client information reporting to the specified Web server through HTTP. Reported client information includes client MAC address, associated AP, and association time. The Web server accepts client information only when the server's host name, port number, and path are specified.

To specify the Web server to which client information is reported:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify the host name and port number of the Web server. | wlan web-server host host-name port port-number | By default, the host name and port number of the Web server are not specified. |
| 3. Specify the path of the Web server. | wlan web-server api-path path | By default, the path of the Web server is not specified. |
| 4. Set the maximum number of client entries to be reported at a time. | wlan web-server max-client-entry | By default, a maximum of 10 client entries can be reported at a time. |

 

Enabling SNMP notification

Perform this task to enable the device to report client status changes to an NMS. When WLAN access SNMP notification is enabled, the device sends a notification every time the status of a client changes. When client audit SNMP notification is enabled, the device sends notifications only when a client comes online, goes offline, roams to another AP, or obtains an IP address.

For the notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

To enable SNMP notification:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable SNMP notification for WLAN access. | snmp-agent trap enable wlan client | By default, SNMP notification is disabled for WLAN access. |
| 3. Enable SNMP notification for client audit. | snmp-agent trap enable wlan client-audit | By default, SNMP notification is disabled for client audit. |

 

Enabling the device to generate client logs in the specified format

The device can generate client logs in the following formats when clients come online:

·     H3C—Logs AP name, radio ID, client MAC address, SSID, BSSID, and client online status. By default, the device generates client logs only in H3C format.

·     normal—Logs AP MAC address, AP name, client IP address, client MAC address, SSID, and BSSID.

·     sangfor—Logs AP MAC address, client IP address, and client MAC address.

This feature enables the device to generate client logs in normal or sangfor format and send the logs to the information center. Log destinations are determined by the information center settings. For more information about the information center, see Network Management and Monitoring Configuration Guide.

This feature does not affect the generation of client logs in H3C format.

To enable the device to generate client logs in the specified format:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the device to generate client logs in the specified format. | customlog format wlan { normal \| sangfor } | By default, the device generates client logs only in the H3C format. |

 

Displaying and maintaining WLAN access

Execute display commands and the wlan link-test command in any view, and the reset command in user view.

 

| Task | Command |
|---|---|
| Display uplink client rate limit settings. | display uplink client-rate-limit |
| Display blacklist entries. | display wlan blacklist { dynamic \| static } |
| Display client information. | display wlan client [ ap ap-name [ radio radio-id ] \| mac-address mac-address \| service-template service-template-name \| frequency-band { 2.4 \| 5 } ] [ verbose ] |
| Display client status information. | display wlan client status [ mac-address mac-address ] [ verbose ] |
| Display WLAN forwarding policy information. | display wlan forwarding-policy [ policy-name ] |
| Display region code information for APs. | display wlan region-code ap { all \| name ap-name } |
| Display service template information. | display wlan service-template [ service-template-name ] [ verbose ] |
| Display client statistics or service template statistics. | display wlan statistics { ap { all \| name ap-name } connect-history \| client [ mac-address mac-address ] \| service-template service-template-name [ connect-history ] } |
| Display whitelist entries. | display wlan whitelist |
| Log off clients. | reset wlan client { all \| mac-address mac-address } |
| Remove the specified client or all clients from the dynamic blacklist. | reset wlan dynamic-blacklist [ mac-address mac-address ] |
| Clear client statistics. | reset wlan statistics client { all \| mac-address mac-address } |
| Test the quality of the wireless link to a client. | wlan link-test mac-address |

 

WLAN access configuration examples

WLAN access configuration example

Network requirements

As shown in Figure 20, the switch acts as the DHCP server to assign IP addresses to the AP and the client. The AP provides wireless services with the SSID trade-off.

Figure 20 Network diagram

 

Configuration procedures

1.     Create VLAN 100.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

2.     Create VLAN-interface 100 and assign it an IP address.

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 10.1.9.58 16

[AC-Vlan-interface100] quit

3.     Create the manual AP ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

[AC-wlan-ap-ap1] quit

4.     Configure a service template and bind it to the AP radio:

# Create the service template service1, set the SSID to trade-off, assign clients coming online through the service template to VLAN 100, and enable the service template.

[AC] wlan service-template service1

[AC-wlan-st-service1] ssid trade-off

[AC-wlan-st-service1] vlan 100

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

# Set the working channel to channel 157 for radio 1 of the AP.

[AC] wlan ap ap1

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 157

# Bind service template service1 to radio 1.

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Verify that the SSID is trade-off, and the service template is enabled.

[AC] display wlan service-template verbose

Service template name          : service1

Description                    : Not configured

SSID                           : trade-off

SSID-hide                      : Disabled

User-isolation                 : Disabled

Service template status        : Enabled

Maximum clients per BSS        : Not configured

Frame format                   : Dot3

Seamless roam status           : Disabled

Seamless roam RSSI threshold   : 50

Seamless roam RSSI gap         : 20

VLAN ID                        : 100

AKM mode                       : Not configured

Security IE                    : Not configured

Cipher suite                   : Not configured

TKIP countermeasure time       : 0 s

PTK life time                  : 43200 s

PTK rekey                      : Enabled

GTK rekey                      : Enabled

GTK rekey method               : Time-based

GTK rekey time                 : 86400 s

GTK rekey client-offline       : Disabled

User authentication mode       : Bypass

Intrusion protection           : Disabled

Intrusion protection mode      : Temporary-block

Temporary block time           : 180 sec

Temporary service stop time    : 20 sec

Fail VLAN ID                   : Not configured

802.1X handshake               : Disabled

802.1X handshake secure        : Disabled

802.1X domain                  : my-domain

MAC-auth domain                : Not configured

Max 802.1X users per BSS       : 4096

Max MAC-auth users per BSS     : 4096

802.1X re-authenticate         : Enabled

Authorization fail mode        : Online

Accounting fail mode           : Online

Authorization                  : Permitted

Key derivation                 : SHA1

PMF status                     : Disabled

Hotspot policy number          : Not configured

Forwarding policy status       : Disabled

Forwarding policy name         : Not configured

Forwarder                      : AC

FT status                      : Disabled

QoS trust                      : Port

QoS priority                   : 0 

# Associate the client with the AP. (Details not shown.)

# Verify that the client can access the WLAN.

[AC] display wlan client service-template service1

Total number of clients: 1

 

MAC address    Username    AP name   RID   IP address      IPv6 address   VLAN

0023-8933-223b N/A         ap1       1     3.0.0.3                        100

Whitelist configuration example

Network requirements

As shown in Figure 21, configure the whitelist to permit only the client whose MAC address is 0000-000f-1211 to access the WLAN.

Figure 21 Network diagram

 

Configuration procedures

# Add the MAC address 0000-000f-1211 to the whitelist.

<AC> system-view

[AC] wlan whitelist mac-address 0000-000f-1211

Verifying the configuration

# Verify that the MAC address 0000-000f-1211 is in the whitelist.

[AC] display wlan whitelist

Total number of clients: 1

 MAC addresses:

  0000-000f-1211

Static blacklist configuration example

Network requirements

As shown in Figure 22, configure the static blacklist to forbid the client whose MAC address is 0000-000f-1211 to access the WLAN.

Figure 22 Network diagram

 

Configuration procedures

# Add the MAC address 0000-000f-1211 to the static blacklist.

<AC> system-view

[AC] wlan static-blacklist mac-address 0000-000f-1211

Verifying the configuration

# Verify that the MAC address 0000-000f-1211 is in the static blacklist.

[AC] display wlan blacklist static

Total number of clients: 1

 MAC addresses:

  0000-000f-1211

 


Configuring WLAN security

Overview

The original IEEE 802.11 is a Pre Robust Security Network Association (Pre-RSNA) mechanism. This mechanism is vulnerable to security attacks such as key exposure, traffic interception, and tampering. To enhance WLAN security, IEEE 802.11i (the RSNA mechanism) was introduced. You can select either the Pre-RSNA or the RSNA mechanism as needed to secure your WLAN.

IEEE 802.11i encrypts only WLAN data traffic. Unencrypted WLAN management frames are open to attacks on secrecy, authenticity, and integrity. IEEE 802.11w offers management frame protection based on the 802.11i framework to prevent attacks such as forged de-authentication and disassociation frames.

Pre-RSNA mechanism

The pre-RSNA mechanism uses the open system and shared key algorithms for authentication and uses WEP for data encryption. WEP uses the stream cipher RC4 for confidentiality and supports key sizes of 40 bits (WEP40), 104 bits (WEP104), and 128 bits (WEP128).

Open system authentication

Open system authentication is the default and simplest authentication algorithm. Any client that requests authentication by using this algorithm can pass the authentication.

Open system authentication uses the following process:

1.     The client sends an authentication request to the AP.

2.     The AP sends an authentication response to the client after the client passes the authentication.

Figure 23 Open system authentication process

 

Shared key authentication

Shared key authentication uses a WEP key for the AP and client to complete authentication.

Shared key authentication uses the following process:

1.     The client sends an authentication request to the AP.

2.     The AP randomly generates a challenge text and sends it to the client.

3.     The client uses the WEP key to encrypt the challenge text and sends it to the AP.

4.     The AP uses the WEP key to decrypt the challenge text and compares the decrypted challenge text with the original challenge text. If they are identical, the client passes the authentication. If they are not, the authentication fails.

Figure 24 Shared key authentication process

 

RSNA mechanism

IMPORTANT:

RSNA requires open system authentication for link layer authentication.

 

The RSNA mechanism includes WPA and RSN security modes. RSNA provides the following features:

·     802.1X and PSK authentication and key management (AKM) for authenticating user integrity and dynamically generating and updating keys.

-     802.1X—802.1X performs user authentication and generates the pairwise master key (PMK) during authentication. The client and AP use the PMK to generate the pairwise transient key (PTK).

-     Private PSK—The MAC address of the client is used as the PSK to generate the PMK. The client and AP use the PMK to generate the PTK.

-     PSK—The PSK is used to generate the PMK. The client and AP use the PMK to generate the PTK.

·     Temporal Key Integrity Protocol (TKIP) and Counter Mode CBC-MAC Protocol (CCMP) mechanisms for encrypting data.

Authentication

802.1X authentication is more secure than PSK authentication. For more information about 802.1X authentication, see "Configuring WLAN user access authentication."

PSK authentication requires the same PSK to be configured for both an AP and a client. PSK integrity is verified during the four-way handshake. If PTK negotiation succeeds, the client passes the authentication.

Key management

Key management defines how to generate and update the PTK and group temporal key (GTK). The PTK is used in unicast and the GTK is used in multicast and broadcast.

PTK and GTK

·     PTK structure

 

-     EAPOL-Key Confirmation Key (KCK) is used to verify the integrity of an EAPOL-Key frame.

-     EAPOL-Key Encryption Key (KEK) is used to encrypt the key data in the EAPOL-Key frame.

-     Temporal Key (TK) is used to encrypt unicast packets.

·     The GTK includes the TK and other fields. The TK is used to encrypt multicast and broadcast packets.

EAPOL-Key packet

The IEEE 802.11i protocol uses EAPOL-Key packets during key negotiation.

Figure 25 EAPOL-Key structure

 

Table 23 EAPOL-Key field description

| Field | Description |
|---|---|
| Descriptor type | Specifies the network type: WPA network or RSN network. |
| Key information | For more information about this field, see Table 24. |
| Key length | Length of the key. |
| Key replay counter | Records the total number of GTK updates to prevent replay attacks. The AP sets this field to 0 at the beginning of the negotiation and increments the value on each successive EAPOL-Key frame. The client records this field from the last valid EAPOL-Key frame that it received if this field is greater than the field recorded previously. EAPOL-Key frame retransmission is required in the following situations: (1) the field received by the client is smaller than or equal to the field recorded by the client; (2) the field received by the AP is not equal to the field recorded on the AP. If the retransmission attempts exceed the maximum number, the AP disconnects the client. |
| Key nonce | Random value used to generate the PTK. |
| EAPOL Key IV | Encrypts the TKIP. This field is valid only when the encryption type is not CCMP. |
| Key RSC | Records the total number of multicast packets or broadcast packets to prevent replay attacks. The AP increments the value of this field on transmission of each multicast or broadcast packet. |
| Reserved | Reserved field. |
| Key MIC | Message integrity check. |
| Key data length | Length of the key data. |
| Key data | Data to be transmitted, such as the GTK and pairwise master key identifier (PMKID). |

 

Figure 26 Key information structure

 

Table 24 Key information description

| Field | Description |
|---|---|
| Key Descriptor Version | 3-bit key version: 1—Non-CCMP key; 2—CCMP key. |
| Key Type | 1-bit key type: 0—Multicast negotiation key; 1—Unicast negotiation key. |
| Reserved | 2-bit field reserved. The sender sets this field to 0, and the receiver ignores this field. |
| Install | 1-bit key installation field. If the Key Type field is 1, this field is 0 or 1: 0—The AP does not request the client to install the TK; 1—The AP requests the client to install the TK. If the Key Type field is 0, the sender sets this field to 0, and the receiver ignores this field. |
| Key Ack | 1-bit key acknowledgment field. The value 1 indicates that the AP requests an acknowledgement from the client. |
| Key MIC | Message integrity check. If this field is 1, the generated MIC must be included in the Key MIC field of the EAPOL-Key frame. |
| Secure | 1-bit key status. The value 1 indicates that the key has been generated. |
| Error | 1-bit MIC check status. The value 1 indicates that a MIC failure has occurred. The client sets this field to 1 when the Request field is 1. |
| Request | 1-bit request used by the client to request the AP to initiate the four-way handshake or multicast handshake in a MIC failure report. |
| Encrypted Key Data | 1-bit key data encryption status. The value 1 indicates that the key data is encrypted. |
| Reserved | 3-bit reserved field. The sender sets this field to 0, and the receiver ignores this field. |
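Decoding the Key Information field from Table 24, as an added example (not H3C code). Bit positions follow IEEE 802.11 (bit 0 is the least significant bit, the field is sent big-endian) because Figure 26 is not reproduced here; the sample values are constructed, and telling message 2 from message 4 by the Secure bit assumes an RSN network.

```python
import struct

# Single-bit flags of the Key Information field, in Table 24 order.
# Bit 0 is the least significant bit; the field is big-endian on the wire.
FLAG_BITS = {
    "install": 6,
    "key_ack": 7,
    "key_mic": 8,
    "secure": 9,
    "error": 10,
    "request": 11,
    "encrypted_key_data": 12,
}


def parse_key_info(raw: bytes) -> dict:
    """Split the 2-octet Key Information field into the Table 24 fields."""
    if len(raw) != 2:
        raise ValueError("Key Information must be exactly 2 octets")
    (value,) = struct.unpack("!H", raw)
    info = {
        "descriptor_version": value & 0x7,     # 1 = non-CCMP key, 2 = CCMP key
        "pairwise": bool((value >> 3) & 1),    # Key Type: 1 = unicast, 0 = multicast
        "reserved_2bit": (value >> 4) & 0x3,   # sender sets 0, receiver ignores
        "reserved_3bit": (value >> 13) & 0x7,  # sender sets 0, receiver ignores
    }
    for name, bit in FLAG_BITS.items():
        info[name] = bool((value >> bit) & 1)
    return info


def classify(info: dict) -> str:
    """Name the handshake message implied by the flags (RSN assumption)."""
    if info["request"]:
        return "MIC failure report" if info["error"] else "client key request"
    if not info["pairwise"]:
        # Group (two-way) handshake: only the AP asks for an acknowledgment.
        return "group message 1" if info["key_ack"] else "group message 2"
    if info["key_ack"]:
        if not info["key_mic"]:
            return "4-way message 1"          # ANonce only, no MIC yet
        if info["install"]:
            return "4-way message 3"          # install request plus MIC
        return "unexpected: Ack and MIC without Install"
    if info["key_mic"]:
        # Client-to-AP frames: Secure is set once the keys exist.
        return "4-way message 4" if info["secure"] else "4-way message 2"
    return "unexpected: neither Ack nor MIC"


# Constructed sample values (typical for a CCMP network), not captured traffic.
SAMPLES = [0x008A, 0x010A, 0x13CA, 0x030A, 0x1382, 0x0302, 0x0D0A]


def describe(value: int) -> str:
    info = parse_key_info(struct.pack("!H", value))
    flags = [name for name in FLAG_BITS if info[name]]
    return (f"0x{value:04x} v{info['descriptor_version']} "
            f"{classify(info)} [{', '.join(flags)}]")


if __name__ == "__main__":
    for sample in SAMPLES:
        print(describe(sample))
```
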

 

WPA key negotiation

WPA uses EAPOL-Key packets in the four-way handshake to negotiate the PTK, and in the two-way handshake to negotiate the GTK.

Figure 27 WPA key negotiation process

 

WPA key negotiation uses the following process:

1.     The AP sends the client EAPOL-Key message 1 that contains a random value ANonce.

2.     The client performs the following operations:

a.     Uses the random value SNonce, ANonce, and PMK to generate a PTK by using the key derivation function (KDF).

b.     Uses the KCK in the PTK to generate the MIC.

c.     Returns EAPOL-Key message 2 that contains the SNonce and MIC.

3.     The AP performs the following operations:

a.     Uses the SNonce, ANonce, and PMK to generate a PTK by using the KDF.

b.     Uses the KCK in the PTK to generate the MIC.

c.     Compares the received MIC with the local MIC.

d.     Returns EAPOL-Key message 3 that contains the PTK installation request tag and MIC if the two MICs are the same.

4.     The client performs the following operations:

a.     Compares the received MIC with the local MIC.

b.     Installs the PTK and returns EAPOL-Key message 4 that contains the MIC if the two MICs are the same.

5.     The AP performs the following operations:

a.     Compares the received MIC with the local MIC.

b.     Installs the PTK and generates a GTK with the GMK and MAC address of the AP by using the KDF if the two MICs are the same.

c.     Returns EAPOL-Key group message 1 that contains the GTK and MIC.

6.     The client performs the following operations:

a.     Installs the GTK if the two MICs are the same.

b.     Returns EAPOL-Key group message 2 that contains the MIC.

7.     The AP performs the following operations:

a.     Compares the received MIC with the local MIC.

b.     Installs the GTK if the MICs are the same.

RSN key negotiation

RSN uses EAPOL-Key packets in the four-way handshake to negotiate the PTK and the GTK.

Figure 28 RSN key negotiation process

 

RSN key negotiation uses the following process:

1.     The AP sends the client EAPOL-Key message 1 that contains a random value ANonce.

2.     The client performs the following operations:

a.     Uses the random value SNonce, ANonce, and PMK to generate a PTK by using the KDF.

b.     Uses the KCK in the PTK to generate the MIC.

c.     Returns EAPOL-Key message 2 that contains the SNonce and MIC.

3.     The AP performs the following operations:

a.     Uses the SNonce, ANonce, and PMK to generate a PTK by using the KDF.

b.     Uses the KCK in the PTK to generate the MIC.

c.     Compares the received MIC with the local MIC.

d.     Generates a GTK with the random GMK and MAC address of the AP by using the KDF if the two MICs are the same.

e.     Returns EAPOL-Key message 3 that contains the key installation request tag, MIC, and GTK.

4.     The client performs the following operations:

a.     Compares the received MIC with the local MIC.

b.     Installs the PTK and GTK if the two MICs are the same.

c.     Returns EAPOL-Key message 4 that contains the MIC.

5.     The AP performs the following operations:

a.     Compares the received MIC with the local MIC.

b.     Installs the PTK and GTK if the two MICs are the same.
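The pairwise part of the negotiation above (messages 1 to 4, common to WPA and RSN key negotiation), as an added example that is not H3C code. It shows both sides deriving the PTK, the MIC check that makes a wrong PSK fail at message 2, and the replay counter check on the client. Assumptions: a simplified frame body instead of the real EAPOL-Key layout, no GTK delivery, HMAC-SHA1 for the KDF and the MIC, and a constructed passphrase and AP MAC address.

```python
import hashlib
import hmac
import os


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """PSK AKM: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF built on HMAC-SHA1.
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> dict:
    """Both sides feed the same inputs to the KDF and split the PTK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # 48 bytes for CCMP
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def mic(kck: bytes, msg: dict) -> bytes:
    # Simplified frame body (assumption): message number, replay counter, nonce.
    body = bytes([msg["n"]]) + msg["rc"].to_bytes(8, "big") + msg["nonce"]
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def mic_ok(kck: bytes, msg: dict) -> bool:
    return hmac.compare_digest(mic(kck, msg), msg.get("mic", b""))


class AP:
    def __init__(self, pmk, mac):
        self.pmk, self.mac, self.rc = pmk, mac, 0
        self.anonce, self.ptk, self.installed = os.urandom(32), None, False

    def send(self, n):
        self.rc += 1  # replay counter grows on every EAPOL-Key frame sent
        msg = {"n": n, "rc": self.rc, "nonce": self.anonce}
        return dict(msg, mic=mic(self.ptk["kck"], msg)) if self.ptk else msg

    def on_msg2(self, m2, sta_mac):
        if m2["rc"] != self.rc:
            raise ValueError("replay counter mismatch")
        ptk = derive_ptk(self.pmk, self.mac, sta_mac, self.anonce, m2["nonce"])
        if not mic_ok(ptk["kck"], m2):
            raise ValueError("MIC mismatch in message 2")
        self.ptk = ptk
        return self.send(3)

    def on_msg4(self, m4):
        if m4["rc"] != self.rc or not mic_ok(self.ptk["kck"], m4):
            raise ValueError("message 4 rejected")
        self.installed = True


class Client:
    def __init__(self, pmk, mac):
        self.pmk, self.mac, self.last_rc = pmk, mac, 0
        self.ptk, self.installed = None, False

    def reply(self, n, rc, nonce):
        msg = {"n": n, "rc": rc, "nonce": nonce}
        return dict(msg, mic=mic(self.ptk["kck"], msg))

    def on_msg1(self, m1, ap_mac):
        snonce = os.urandom(32)
        self.ptk = derive_ptk(self.pmk, ap_mac, self.mac, m1["nonce"], snonce)
        return self.reply(2, m1["rc"], snonce)

    def on_msg3(self, m3):
        if m3["rc"] <= self.last_rc:  # must exceed the last valid counter
            raise ValueError("replayed EAPOL-Key frame")
        if not mic_ok(self.ptk["kck"], m3):
            raise ValueError("MIC mismatch in message 3")
        self.last_rc, self.installed = m3["rc"], True
        return self.reply(4, m3["rc"], bytes(32))


def handshake(ap_pass, client_pass, ssid="trade-off", replay_msg3=False) -> str:
    ap_mac = bytes.fromhex("0000000f1200")   # constructed AP MAC
    sta_mac = bytes.fromhex("0000000f1211")  # client MAC used in the page's examples
    ap = AP(pmk_from_psk(ap_pass, ssid), ap_mac)
    client = Client(pmk_from_psk(client_pass, ssid), sta_mac)
    try:
        m3 = ap.on_msg2(client.on_msg1(ap.send(1), ap_mac), sta_mac)
        ap.on_msg4(client.on_msg3(m3))
        if replay_msg3:
            client.on_msg3(m3)  # same frame, same replay counter
    except ValueError as err:
        return str(err)
    same_tk = ap.ptk["tk"] == client.ptk["tk"]
    return "installed" if ap.installed and client.installed and same_tk else "failed"
```

Calling `handshake()` with matching passphrases returns `installed`; a mismatched passphrase or `replay_msg3=True` returns the reason the frame was rejected.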

Key updates

Key updates enhance WLAN security. Key updates include PTK updates and GTK updates.

·     PTK updates—Updates for the unicast keys using the four-way handshake negotiation.

·     GTK updates—Updates for the multicast keys using the two-way handshake negotiation.

Cipher suites

TKIP

TKIP and WEP both use the RC4 algorithm. You can change the cipher suite from WEP to TKIP by updating the software without changing the hardware. TKIP has the following advantages over WEP:

·     TKIP provides longer initialization vectors (IVs) to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm, and increases the length of IVs from 24 bits to 48 bits.

·     TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP dynamic keys cannot be easily deciphered.

·     TKIP offers MIC and countermeasures. If a packet has been tampered with, it will fail the MIC. If two packets fail the MIC within a period, the AP automatically takes countermeasures by suspending services for a period to prevent attacks.

CCMP

CCMP is based on the Counter-Mode/CBC-MAC (CCM) of the Advanced Encryption Standard (AES) encryption algorithm.

CCMP contains a dynamic key negotiation and management method. Each client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP cipher suite. During the encryption process, CCMP uses a 48-bit packet number (PN) to make sure each encrypted packet uses a different PN. This improves WLAN security.

Management frame protection

The management frame protection service protects a set of robust management frames, such as de-authentication, disassociation, and some robust action frames. Management frame protection uses the PTK to encrypt unicast management frames and provides secrecy, integrity, and replay protection. It uses the Broadcast Integrity Protocol (BIP) to provide integrity and replay protection for broadcast and multicast management frames.

The security association (SA) query mechanism is used to enhance security if the AP and client negotiate to use management frame protection. SA queries include active SA queries and passive SA queries.

·     Active SA query

As shown in Figure 29, active SA query uses the following process:

a.     The client sends an association or reassociation request to the AP.

b.     Upon receiving the request, the AP sends a response to inform the client that the request is denied and the client can associate at a later time. The response contains the association comeback time.

c.     The AP sends an SA query request to verify the status of the client:

-     If the AP receives an SA query response within the timeout time, it determines that the client is online.

-     If the AP does not receive an SA query response within the timeout time, it sends another SA query request. If the AP receives an SA query response within the retransmission time, it determines that the client is online. The AP does not respond to any association or reassociation requests from the client until the association comeback time times out.

-     If the AP does not receive an SA query response within the retransmission time, it determines that the client is offline and allows the client to reassociate.

Figure 29 Active SA query process

 

·     Passive SA query

As shown in Figure 30, passive SA query uses the following process:

a.     The client triggers the SA query process upon receiving an unencrypted disassociation or deauthentication frame.

b.     The client sends an SA query request to the AP.

c.     The AP sends an SA query response to the client:

-     If the client receives the response, the client determines that the AP is online and does not process the disassociation or deauthentication frame.

-     If the client does not receive a response, the client determines that the AP is offline and disassociates with the AP.

Figure 30 Passive SA query process

 

Dynamic WEP mechanism

IMPORTANT:

The dynamic WEP mechanism uses open system authentication for link layer authentication.

 

IEEE 802.11 provides the dynamic WEP mechanism to ensure that each user uses a private WEP key. For unicast communications, the mechanism uses the WEP key negotiated by the client and server during 802.1X authentication. For multicast and broadcast communications, the mechanism uses the configured WEP key. If you do not configure a WEP key, the AP randomly generates a WEP key for broadcast and multicast communications.

After the client passes 802.1X authentication, the AP sends the client an RC4-EAPOL packet that contains the unicast WEP key ID, and the multicast and broadcast WEP key and key ID. The unicast WEP key ID is 4.

Protocols and standards

·     IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—2004

·     WI-FI Protected Access—Enhanced Security Implementation Based On IEEE P802.11i Standard-Aug 2004

·     Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—802.11, 1999

·     IEEE Standard for Local and metropolitan area networks "Port-Based Network Access Control" 802.1X™-2004

·     802.11i IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements

·     802.11w IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements

WLAN security configuration task lists

IMPORTANT:

·     RSNA requires open system authentication for link layer authentication.

·     The dynamic WEP mechanism requires 802.1X authentication for user access authentication.

·     The AKM mode, security IE, and cipher suite must be configured for RSNA networks.

·     Management frame protection takes effect only for a network that uses the RSNA mechanism and is configured with the CCMP cipher suite and RSN security information element.

 

To configure the pre-RSNA mechanism, perform the following tasks:

 

Tasks at a glance

(Required.) Setting the cipher suite

(Required.) Setting the WEP key

(Optional.) Enabling SNMP notifications for WLAN security

 

To configure the RSNA mechanism, perform the following tasks:

 

Tasks at a glance

(Required.) Configuring the AKM mode

(Required.) Setting the security information element

(Required.) Setting the cipher suite

(Optional.) Setting the PSK

(Optional.) Setting the KDF

(Optional.) Configuring GTK update

(Optional.) Setting the PTK lifetime

(Optional.) Setting the TKIP MIC failure hold time

(Optional.) Setting the WEP key

(Optional.) Configuring management frame protection

(Optional.) Enabling SNMP notifications for WLAN security

 

To configure the dynamic WEP mechanism, perform the following tasks:

 

Tasks at a glance

(Optional.) Setting the cipher suite

(Optional.) Setting the WEP key

(Required.) Enabling the dynamic WEP mechanism

(Optional.) Enabling SNMP notifications for WLAN security

 

 

NOTE:

·     If a WEP key is configured, the dynamic WEP mechanism uses the configured WEP key as the multicast and broadcast WEP key. The negotiated unicast WEP key has an ID of 4 and uses the cipher suite length setting.

·     If no WEP key is configured, the length for both dynamic WEP keys is 104 bits. The negotiated unicast WEP key has an ID of 4. The generated multicast and broadcast WEP key has an ID of 1.

 

Configuring the AKM mode

Each of the following AKM modes must be used with a specific authentication mode:

·     802.1X AKM—802.1X authentication mode.

·     Private PSK AKM—MAC authentication mode.

·     PSK AKM—MAC or bypass authentication mode.

·     WiFi alliance anonymous 802.1X AKM—802.1X authentication mode.

To configure the AKM mode:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Configure the AKM mode.

akm mode { dot1x | private-psk | psk | anonymous-dot1x }

By default, no AKM mode is configured.

 

Setting the security information element

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Set the security IE.

security-ie { osen | rsn | wpa }

By default, no security IE is set.

 

Setting the cipher suite

Cipher suites include:

·     WEP (WEP40, WEP104, or WEP128).

·     CCMP.

·     TKIP.

To set the cipher suite:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Set the cipher suite.

cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }

By default, no cipher suite is set.

You cannot set both WEP 128 and CCMP or both WEP 128 and TKIP.

 

Setting the PSK

The PSK must be set if the AKM mode is PSK. If you configure the PSK when the AKM mode is 802.1X, the WLAN service template can be enabled but the PSK configuration does not take effect.

To set the PSK:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Set the PSK.

preshared-key { pass-phrase | raw-key } { cipher | simple } key

By default, no PSK is set.

 

Setting the KDF

KDFs are used by RSNA networks to generate PTKs and GTKs. KDFs include HMAC-SHA1 and HMAC-SHA256 algorithms. The HMAC-SHA256 algorithm is more secure than the HMAC-SHA1 algorithm.

To set the KDF:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Set the KDF.

key-derivation { sha1 | sha256 | sha1-and-sha256 }

By default, the HMAC-SHA1 algorithm is set.

 

Configuring GTK update

The system generates the GTK during key negotiation if the AKM, security IE, and cipher suite are configured. This feature updates the GTK to enhance key security based on the following updating modes:

·     Time-based—The GTK is updated at the specified interval.

·     Packet-based—The GTK is updated after the specified number of packets is sent.

·     Offline-triggered—The GTK is updated when a client in the basic service set (BSS) goes offline.

To configure GTK update:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Enable GTK update.

gtk-rekey enable

By default, GTK update is enabled.

4.     (Optional.) Configure a GTK update method.

gtk-rekey method { packet-based [ packet ] | time-based [ time ] }

By default, the GTK is updated at an interval of 85400 seconds. The default packet quantity is 10000000 for packet-based GTK update.

5.     (Optional.) Enable the offline-triggered GTK update.

gtk-rekey client-offline enable

By default, offline-triggered GTK update is disabled.

 

Setting the PTK lifetime

About the PTK lifetime

The system generates the PTK during key negotiation when the AKM, security IE, and cipher suite are configured. This feature updates the PTK after the PTK lifetime expires.

Procedure

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Enable PTK rekey.

ptk-rekey enable

By default, PTK rekey is enabled.

4.     Set the PTK lifetime.

ptk-lifetime time

By default, the PTK lifetime is 43200 seconds.

 

Setting the TKIP MIC failure hold time

After you configure the TKIP cipher suite, you can set the TKIP MIC failure hold time. If the AP detects two MIC failures within the MIC failure hold time, it disassociates all clients for 60 seconds.

To set the TKIP MIC failure hold time:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Set the TKIP MIC failure hold time.

tkip-cm-time time

By default, the TKIP MIC failure hold time is 0. The AP does not take any countermeasures.

 

Setting the WEP key

The WEP key can be used to encrypt all packets for pre-RSNA networks and encrypt multicast packets for RSNA networks. If the WEP key is not set, a pre-RSNA network does not encrypt packets and an RSNA network uses the negotiated GTK to encrypt multicast packets.

To set the WEP key:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Set the WEP key.

wep key key-id { wep40 | wep104 | wep128 } { pass-phrase | raw-key } { cipher | simple } key

By default, no WEP key is set.

4.     (Optional.) Apply the WEP key.

wep key-id { 1 | 2 | 3 | 4 }

By default, WEP key 1 is applied. Do not apply WEP key 4 if the dynamic WEP mechanism is enabled.

 

Configuring management frame protection

Management frame protection takes effect only for a network that uses the RSNA mechanism and is configured with the CCMP cipher suite and RSN security information element.

If management frame protection is disabled, network access is available for all clients, but management frame protection is not performed. If management frame protection is enabled, the availability of network access and management frame protection varies by management frame protection mode:

·     Optional mode—Network access is available for all clients, but management frame protection is performed only for clients that support management frame protection.

·     Mandatory mode—Network access and management frame protection are available only for clients that support management frame protection.

To configure management frame protection:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Enable management frame protection.

pmf { optional | mandatory }

By default, management frame protection is disabled.

4.     Set the interval for sending SA query requests.

pmf saquery retrytimeout timeout

By default, the interval for sending SA query requests is 200 milliseconds.

5.     Set the maximum transmission attempts for SA query requests.

pmf saquery retrycount count

By default, the maximum number of retransmission attempts for SA query requests is 4.

6.     Set the association comeback time.

pmf association-comeback time

By default, the association comeback time is 1 second.

 

Enabling the dynamic WEP mechanism

The dynamic WEP mechanism must be used with the 802.1X authentication mode.

To enable the dynamic WEP mechanism:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.     Enable the dynamic WEP mechanism.

wep mode dynamic

By default, the dynamic WEP mechanism is disabled.

 

Enabling SNMP notifications for WLAN security

To report critical WLAN security events to an NMS, enable SNMP notifications for WLAN security. For WLAN security event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

To enable SNMP notifications for WLAN security:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable SNMP notifications for WLAN security.

snmp-agent trap enable wlan usersec

By default, SNMP notifications are disabled for WLAN security.

 

Displaying and maintaining WLAN security

Execute display commands in any view.

 

Task

Command

Display WLAN service template information.

display wlan service-template [ service-template-name ] [ verbose ]

For more information about this command, see "WLAN access commands."

Display client information.

display wlan client [ ap ap-name [ radio radio-id ] | mac-address mac-address | service-template service-template-name ] [ verbose ]

For more information about this command, see "WLAN access commands."
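The dependency rules in this chapter (RSNA needs an AKM mode, security IE, and cipher suite; management frame protection needs RSNA with CCMP and RSN; each AKM mode pairs with a specific authentication mode) can be checked offline against saved display wlan service-template verbose output. The following Python script is an added example, not H3C code. The template names, rule IDs, and sample output are constructed, and the PMF status value Mandatory is an assumed display string.

```python
"""Audit `display wlan service-template verbose` output against the
dependency rules this guide states. Added example, not H3C code."""

UNSET = {"", "not configured", "n/a", "disabled"}

# AKM mode -> user authentication modes the guide allows with it. Keys are the
# display strings seen in this guide's sample output; any other AKM string is
# reported as unchecked instead of being guessed.
AKM_AUTH = {"psk": {"mac", "bypass"}, "dot1x": {"802.1x"}, "802.1x": {"802.1x"}}

def parse_templates(text):
    """Split verbose output into one {field: value} dict per service template."""
    templates = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # prompts and blank lines carry no field
        key = key.strip().lower()
        if key == "service template name":
            templates.append({})
        if templates:
            templates[-1][key] = value.strip()
    return templates

def is_set(value):
    """True unless the field shows one of the 'nothing configured' strings."""
    return value.strip().lower() not in UNSET

def audit(tpl):
    """Return the rule IDs that one parsed template violates."""
    akm = tpl.get("akm mode", "")
    ie = tpl.get("security ie", "")
    ciphers = set(tpl.get("cipher suite", "").upper().replace(",", " ").split())
    auth = tpl.get("user authentication mode", "").lower()
    rsna = [is_set(akm), is_set(ie), bool(ciphers & {"CCMP", "TKIP"})]
    findings = []
    # RSNA needs AKM mode, security IE and cipher suite configured together.
    if any(rsna) and not all(rsna):
        findings.append("rsna-incomplete")
    # PMF takes effect only with RSNA + CCMP cipher suite + RSN security IE.
    pmf_ready = all(rsna) and "CCMP" in ciphers and ie.upper() == "RSN"
    if is_set(tpl.get("pmf status", "")) and not pmf_ready:
        findings.append("pmf-no-effect")
    # Each AKM mode must be used with a specific authentication mode.
    if is_set(akm):
        allowed = AKM_AUTH.get(akm.lower())
        if allowed is None:
            findings.append("akm-unchecked")
        elif auth not in allowed:
            findings.append("akm-auth-mismatch")
    # TKIP with a hold time of 0: the AP takes no MIC failure countermeasures.
    hold = (tpl.get("tkip countermeasure time", "0").split() or ["0"])[0]
    if "TKIP" in ciphers and hold == "0":
        findings.append("tkip-no-countermeasure")
    # WEP cipher with no AKM mode or security IE: a pre-RSNA template.
    if not any(rsna) and any(c.startswith("WEP") for c in ciphers):
        findings.append("pre-rsna-wep")
    return findings

def audit_output(text):
    """Map each template name in the output to its list of findings."""
    return {t["service template name"]: audit(t) for t in parse_templates(text)}

# Constructed sample, trimmed to the audited fields and modelled on the output
# format in this guide. Template names are hypothetical.
SAMPLE = """\
<AC> display wlan service-template verbose
Service template name        : pmf-ok
AKM mode                     : PSK
Security IE                  : RSN
Cipher suite                 : CCMP
User authentication mode     : Bypass
PMF status                   : Optional
Service template name        : pmf-wpa
AKM mode                     : PSK
Security IE                  : WPA
Cipher suite                 : CCMP
User authentication mode     : 802.1X
PMF status                   : Mandatory
Service template name        : legacy-wep
AKM mode                     : Not configured
Security IE                  : Not configured
Cipher suite                 : WEP40
User authentication mode     : Bypass
PMF status                   : Disabled
Service template name        : tkip-idle
AKM mode                     : dot1x
Security IE                  : WPA
Cipher suite                 : TKIP
TKIP countermeasure time     : 0
User authentication mode     : 802.1X
PMF status                   : Disabled
"""

if __name__ == "__main__":
    for name, found in audit_output(SAMPLE).items():
        print(f"{name}: {', '.join(found) or 'no findings'}")
```

To audit a real AC, save the output of display wlan service-template verbose to a file and pass its contents to audit_output.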

 

WLAN security configuration examples

Shared key authentication configuration example

Network requirements

As shown in Figure 31, the switch functions as a DHCP server to assign IP addresses to the AP and client. Configure shared key authentication to enable the client to access the network by using the WEP key 12345.

Figure 31 Network diagram

 

Configuration procedure

# Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

# Specify the SSID service for the service template.

[AC-wlan-st-service1] ssid service

# Specify the cipher suite wep40 and key 12345 for the service template service1, and apply the key with the ID 2.

[AC-wlan-st-service1] cipher-suite wep40

[AC-wlan-st-service1] wep key 2 wep40 pass-phrase simple 12345

[AC-wlan-st-service1] wep key-id 2

# Enable the service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

# Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Bind the service template service1 to radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : Not configured

Security IE                  : Not configured

Cipher suite                 : WEP40

WEP key ID                   : 2

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : Bypass

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

PSK authentication and bypass authentication configuration example

Network requirements

As shown in Figure 32, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·     Configure open system authentication and bypass authentication.

·     Configure the client to use the preshared key 12345678 to access the network.

Figure 32 Network diagram

 

Configuration procedure

1.     Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

2.     Specify the SSID service for the service template.

[AC-wlan-st-service1] ssid service

3.     Configure WLAN security for the service template service1:

# Configure PSK as the AKM mode and specify the plaintext key 12345678.

[AC-wlan-st-service1] akm mode psk

[AC-wlan-st-service1] preshared-key pass-phrase simple 12345678

# Configure CCMP as the cipher suite and WPA as the security IE.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie wpa

4.     Enable the service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

5.     Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

6.     Bind the service template service1 to radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : PSK

Security IE                  : WPA

Cipher suite                 : CCMP

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : Bypass

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

PSK authentication and MAC authentication configuration example

Network requirements

As shown in Figure 33, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·     Configure open system authentication and MAC authentication so that the client can access the network by using the login username abc and password 123.

·     Configure the client to use the preshared key 12345678 to access the network.

Figure 33 Network diagram

 

Configuration procedure

1.     Configure the username abc and the password 123 on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)

2.     Create a WLAN service template named service1 with an SSID of service.

<AC> system-view

[AC] wlan service-template service1

[AC-wlan-st-service1] ssid service

3.     Configure WLAN security for the service template service1:

# Configure PSK as the AKM mode and specify the plaintext key 12345678.

[AC-wlan-st-service1] akm mode psk

[AC-wlan-st-service1] preshared-key pass-phrase simple 12345678

# Configure CCMP as the cipher suite and WPA as the security IE.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie wpa

# Configure MAC authentication.

[AC-wlan-st-service1] client-security authentication-mode mac

4.     Enable the service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

5.     Configure a RADIUS scheme:

# Create a RADIUS scheme named radius1 and enter its view.

[AC] radius scheme radius1

# Specify the primary authentication server and accounting server.

[AC-radius-radius1] primary authentication 10.1.1.3 1812

[AC-radius-radius1] primary accounting 10.1.1.3 1813

# Set the shared keys for authentication and accounting to 12345678 in plaintext.

[AC-radius-radius1] key authentication simple 12345678

[AC-radius-radius1] key accounting simple 12345678

# Set the format for the usernames sent to the RADIUS server based on the RADIUS server configuration:

·     Exclude domain names from the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format without-domain

[AC-radius-radius1] quit

·     Include domain names in the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format with-domain

[AC-radius-radius1] quit

6.     Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.

[AC] domain dom1

[AC-isp-dom1] authentication lan-access radius-scheme radius1

[AC-isp-dom1] authorization lan-access radius-scheme radius1

[AC-isp-dom1] accounting lan-access radius-scheme radius1

[AC-isp-dom1] quit

7.     Configure the ISP domain dom1, username abc, and password 123 for the user.

[AC] mac-authentication mac domain dom1

[AC] mac-authentication user-name-format fixed account abc password simple 123

8.     Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

9.     Bind the service template service1 to radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

 

 

NOTE:

For more information about the AAA and RADIUS commands in this section, see Security Command Reference.

 

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : PSK

Security IE                  : WPA

Cipher suite                 : CCMP

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : MAC

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

802.1X AKM configuration example

Network requirements

As shown in Figure 34, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·     Configure open system authentication and 802.1X authentication so that the client can access the network by using the login username abcdef and password 123456.

·     Configure 802.1X as the AKM mode.

Figure 34 Network diagram

 

Configuration procedure

1.     Configure the username abcdef and the password 123456 on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)

2.     Configure the 802.1X client. (Details not shown.)

3.     Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

4.     Specify the SSID service for the service template.

[AC-wlan-st-service1] ssid service

5.     Configure WLAN security for the service template service1:

# Configure 802.1X as the AKM mode.

[AC-wlan-st-service1] akm mode dot1x

# Configure CCMP as the cipher suite and WPA as the security IE.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie wpa

# Configure the 802.1X authentication mode.

[AC-wlan-st-service1] client-security authentication-mode dot1x

6.     Enable the service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

7.     Configure a RADIUS scheme:

# Create a RADIUS scheme named radius1 and enter its view.

[AC] radius scheme radius1

# Specify the primary authentication server and accounting server.

[AC-radius-radius1] primary authentication 10.1.1.3 1812

[AC-radius-radius1] primary accounting 10.1.1.3 1813

# Set the shared keys for authentication and accounting to 12345 in plaintext.

[AC-radius-radius1] key authentication simple 12345

[AC-radius-radius1] key accounting simple 12345

# Set the format for the usernames sent to the RADIUS server based on the RADIUS server configuration:

·     Exclude domain names from the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format without-domain

[AC-radius-radius1] quit

·     Include domain names in the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format with-domain

[AC-radius-radius1] quit

8.     Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.

[AC] domain dom1

[AC-isp-dom1] authentication lan-access radius-scheme radius1

[AC-isp-dom1] authorization lan-access radius-scheme radius1

[AC-isp-dom1] accounting lan-access radius-scheme radius1

[AC-isp-dom1] quit

9.     Configure dom1 as the default ISP domain.

[AC] domain default enable dom1

10.     Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

11.     Bind the service template service1 to radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

 

 

NOTE:

For more information about the AAA and RADIUS commands in this section, see Security Command Reference.

 

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : dot1x

Security IE                  : WPA

Cipher suite                 : CCMP

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : 802.1X

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

Management frame protection configuration example

Network requirements

As shown in Figure 35, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·     Configure the client to use the preshared key 12345678 to access the network.

·     Configure the CCMP cipher suite, RSN security IE, and management frame protection.

Figure 35 Network diagram

 

Configuration procedure

1.     Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

2.     Specify the SSID service for the service template.

[AC-wlan-st-service1] ssid service

3.     Configure management frame protection:

# Enable management frame protection in optional mode.

[AC-wlan-st-service1] pmf optional

# Set the KDF to sha1-and-sha256.

[AC-wlan-st-service1] key-derivation sha1-and-sha256

4.     Configure the RSNA mechanism:

# Configure PSK as the AKM mode and specify the plaintext key 12345678.

[AC-wlan-st-service1] akm mode psk

[AC-wlan-st-service1] preshared-key pass-phrase simple 12345678

# Configure CCMP as the cipher suite and RSN as the security IE.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie rsn

5.     Enable the service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

6.     Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

7.     Bind the service template service1 to radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : PSK

Security IE                  : RSN

Cipher suite                 : CCMP

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : Bypass

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : SHA1-AND-SHA256

PMF status                   : Optional

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

# Use the display wlan client verbose command to verify the management frame protection negotiation results after an 802.11w client comes online.

<AC> display wlan client verbose

Total number of clients: 1

 

MAC address                       : 5250-0012-0411

IPv4 address                      : 135.3.2.1

IPv6 address                      : N/A

Username                          : 11w

AID                               : 1

AP ID                             : 1

AP name                           : ap1

Radio ID                          : 1

SSID                              : service

BSSID                             : 1111-2222-3333

VLAN ID                           : 1

Sleep count                       : 147

Wireless mode                     : 802.11a

Channel bandwidth                 : 20MHz

SM power save                     : Disabled

Short GI for 20MHz                : Not supported

Short GI for 40MHz                : Not supported

STBC RX capability                : Not supported

STBC TX capability                : Not supported

LDPC RX capability                : Not supported

Block Ack                         : TID 0  In

Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7,

                                    8, 9, 10, 11, 12, 13, 14,

                                    15

Supported rates                   : 1, 2, 5.5, 6, 9, 11,

                                    12, 18, 24, 36, 48, 54 Mbps

QoS mode                          : WMM

Listen interval                   : 10

RSSI                              : 46

Rx/Tx rate                        : 39/65

Authentication method             : Open system

Security mode                     : RSN

AKM mode                          : 802.1X

Cipher suite                      : CCMP

User authentication mode          : 802.1X

Authorization ACL ID              : N/A

Authorization user profile        : N/A

Roam status                       : N/A

Key derivation                    : SHA1

PMF status                        : Enabled

Forwarding policy name            : N/A

Online time                       : 0days 0hours 2minutes 56seconds

FT status                         : Inactive

Dynamic WEP mechanism configuration example

Network requirements

As shown in Figure 36, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·     Configure open system authentication and 802.1X authentication so that the client can access the network by using the login username abcdef and password 123456.

·     Configure the dynamic WEP mechanism.

Figure 36 Network diagram

 

Configuration procedure

1.     Configure the username abcdef and the password 123456 on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)

2.     Configure the 802.1X client. (Details not shown.)

3.     Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

4.     Specify the SSID service for the service template.

[AC-wlan-st-service1] ssid service

5.     Enable the dynamic WEP mechanism.

[AC-wlan-st-service1] wep mode dynamic

6.     Configure the 802.1X authentication mode.

[AC-wlan-st-service1] client-security authentication-mode dot1x

7.     Enable the service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

8.     Configure a RADIUS scheme:

# Create a RADIUS scheme named radius1 and enter its view.

[AC] radius scheme radius1

# Specify the primary authentication server and accounting server.

[AC-radius-radius1] primary authentication 10.1.1.3 1812

[AC-radius-radius1] primary accounting 10.1.1.3 1813

# Set the shared keys for authentication and accounting to 12345 in plaintext.

[AC-radius-radius1] key authentication simple 12345

[AC-radius-radius1] key accounting simple 12345

# Set the format for the usernames sent to the RADIUS server based on the RADIUS server configuration:

○     Exclude domain names from the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format without-domain

[AC-radius-radius1] quit

○     Include domain names in the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format with-domain

[AC-radius-radius1] quit

9.     Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.

[AC] domain dom1

[AC-isp-dom1] authentication lan-access radius-scheme radius1

[AC-isp-dom1] authorization lan-access radius-scheme radius1

[AC-isp-dom1] accounting lan-access radius-scheme radius1

[AC-isp-dom1] quit

10.     Configure dom1 as the default ISP domain.

[AC] domain default enable dom1

11.     Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

12.     Bind the service template service1 to radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

 

 

NOTE:

For more information about the AAA and RADIUS commands in this section, see Security Command Reference.

 

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : Not configured

Security IE                  : Not configured

Cipher suite                 : WEP104

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : 802.1X

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

Private PSK authentication and MAC authentication configuration example

Network requirements

As shown in Figure 37, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·     Configure the MAC authentication mode so that the client can access the network by using its MAC address as the login username and password.

·     Configure the private PSK AKM mode so that the client can use its MAC address as the PSK.

Figure 37 Network diagram

 

Configuration procedure

1.     Configure the username 00-23-12-45-67-7a and the password 00-23-12-45-67-7a on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)

2.     Create a WLAN service template named service1 with the SSID service.

<AC> system-view

[AC] wlan service-template service1

[AC-wlan-st-service1] ssid service

3.     Configure WLAN security for the service template service1:

# Configure private PSK as the AKM mode.

[AC-wlan-st-service1] akm mode psk

# Configure CCMP as the cipher suite and WPA as the security IE.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie wpa

# Configure MAC authentication.

[AC-wlan-st-service1] client-security authentication-mode mac

4.     Enable the service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

5.     Configure a RADIUS scheme:

# Create a RADIUS scheme named radius1 and enter its view.

[AC] radius scheme radius1

# Specify the primary authentication server and accounting server.

[AC-radius-radius1] primary authentication 10.1.1.3 1812

[AC-radius-radius1] primary accounting 10.1.1.3 1813

# Set the shared keys for authentication and accounting to 12345678 in plaintext.

[AC-radius-radius1] key authentication simple 12345678

[AC-radius-radius1] key accounting simple 12345678

# Set the format for the usernames sent to the RADIUS server based on the RADIUS server configuration:

○     Exclude domain names from the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format without-domain

[AC-radius-radius1] quit

○     Include domain names in the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format with-domain

[AC-radius-radius1] quit

6.     Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.

[AC] domain dom1

[AC-isp-dom1] authentication lan-access radius-scheme radius1

[AC-isp-dom1] authorization lan-access radius-scheme radius1

[AC-isp-dom1] accounting lan-access radius-scheme radius1

[AC-isp-dom1] quit

7.     Configure the MAC address as the username and password for ISP domain dom1.

[AC] mac-authentication mac domain dom1

[AC] mac-authentication user-name-format mac-address with-hyphen lowercase

8.     Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

9.     Bind the service template service1 to radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

 

 

NOTE:

For more information about the AAA and RADIUS commands in this section, see Security Command Reference.

 

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : Private-PSK

Security IE                  : WPA

Cipher suite                 : CCMP

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : MAC

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0
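The verification output in the dynamic WEP and private PSK examples above can be checked mechanically. The following is an added example, not part of the H3C guide: it parses "display wlan service-template verbose" output and reports the security-relevant fields. The sample text is constructed (abridged from the outputs above), and the rule names and the assumption that bypass mode is displayed as "Bypass" are this example's own.

```python
import re

# Constructed samples, abridged from "display wlan service-template service1
# verbose" output of the kind shown in the two configuration examples.
DYNAMIC_WEP_OUTPUT = """\
Service template name        : service1
SSID                         : service
AKM mode                     : Not configured
Security IE                  : Not configured
Cipher suite                 : WEP104
User authentication mode     : 802.1X
Intrusionprotection          : Disabled
PMF status                   : Disabled
"""

PRIVATE_PSK_OUTPUT = """\
Service template name        : service1
SSID                         : service
AKM mode                     : Private-PSK
Security IE                  : WPA
Cipher suite                 : CCMP
User authentication mode     : MAC
Intrusion protection         : Disabled
PMF status                   : Disabled
"""


def parse_template(text):
    """Parse 'Label : value' lines into {normalised label: value}.

    Labels are lower-cased with whitespace removed, so a label printed with
    or without internal spaces maps to the same key. Lines without a colon
    (wrapped continuation lines, blank lines) are skipped.
    """
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = re.sub(r"\s+", "", label).lower()
        if sep and key:
            fields[key] = value.strip()
    return fields


def audit_template(fields):
    """Return a list of (rule_id, message) findings for one service template."""
    findings = []
    cipher = fields.get("ciphersuite", "")
    akm = fields.get("akmmode", "").lower()
    auth_mode = fields.get("userauthenticationmode", "").lower()

    if cipher.upper().startswith(("WEP", "TKIP")):
        findings.append(("weak-cipher",
                         f"cipher suite {cipher} is deprecated; use CCMP with an RSN security IE"))
    # Assumption: bypass mode is displayed as "Bypass".
    if auth_mode == "bypass":
        findings.append(("no-authentication",
                         "authentication mode bypass performs no client authentication"))
    if akm == "private-psk":
        findings.append(("mac-derived-psk",
                         "private PSK uses the client MAC address as the PSK, and MAC "
                         "addresses are visible in 802.11 frame headers"))
    if fields.get("pmfstatus", "").lower() == "disabled":
        findings.append(("pmf-disabled", "management frame protection is off"))
    if fields.get("intrusionprotection", "").lower() == "disabled":
        findings.append(("intrusion-protection-disabled",
                         "no action is taken on the BSS when a client fails authentication"))
    return findings


def rule_ids(text):
    """Convenience wrapper: rule identifiers raised for one block of output."""
    return [rule for rule, _ in audit_template(parse_template(text))]


if __name__ == "__main__":
    for name, output in (("dynamic WEP", DYNAMIC_WEP_OUTPUT),
                         ("private PSK", PRIVATE_PSK_OUTPUT)):
        print(name)
        for rule, message in audit_template(parse_template(output)):
            print(f"  [{rule}] {message}")
```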

 


WLAN authentication overview

This chapter describes the H3C implementation of WLAN authentication. WLAN authentication performs MAC-based network access control for WLAN clients to ensure access security.

WLAN authentication includes 802.1X authentication, MAC authentication, and OUI authentication.

Application scenarios

The authenticator authenticates the client to control access to the WLAN. As shown in Figure 38, either the AC or AP can be specified as the authenticator by using the client-security authentication-location command.

Figure 38 Network diagram

 

802.1X authentication

802.1X uses Extensible Authentication Protocol (EAP) to transport authentication information for the client, the authenticator, and the authentication server.

802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the authenticator over a WLAN. Between the authenticator and the authentication server, 802.1X delivers authentication information by using one of the following methods:

·     Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in "EAP relay."

·     Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets, as described in "EAP termination."

For information about EAP packet encapsulation, see Security Configuration Guide.

802.1X authentication initiation

Both the client and the authenticator can initiate 802.1X authentication.

·     Client initiation—After the client is associated with the authenticator, it sends an EAPOL-Start packet to the authenticator to initiate 802.1X authentication.

·     Authenticator initiation—After the client is associated with the authenticator, the authenticator sends an EAP-Request/Identity packet to initiate the authentication. The authenticator retransmits the packet if no response is received before the client timeout timer expires.

802.1X authentication process

The authenticator uses EAP relay or EAP termination to communicate with the RADIUS server.

EAP relay

In this mode, the authenticator uses EAPOR packets to send authentication information to the RADIUS server. The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and must use the same authentication method as the client. For the authenticator, you only need to use the dot1x authentication-method eap command to enable EAP relay.

Figure 39 shows the basic 802.1X authentication process in EAP relay mode. In this example, EAP-MD5 is used.

 

 

NOTE:

If the AP is specified as the authenticator, it uses the same authentication process as Figure 39 except that the AP handles the EAP and RADIUS packets.

 

Figure 39 802.1X authentication process in EAP relay mode

 

The following steps describe the 802.1X authentication process:

1.     When a user launches the 802.1X client and enters a registered username and password, the 802.1X client sends an EAPOL-Start packet to the authenticator.

For information about the client and AP association, see "Configuring WLAN security."

2.     The authenticator responds with an EAP-Request/Identity packet to request the username.

3.     The client sends the username in an EAP-Response/Identity packet to the authenticator.

4.     The authenticator relays the EAP-Response/Identity packet in a RADIUS Access-Request packet to the authentication server.

5.     The authentication server uses the username in the RADIUS Access-Request to search its user database. If a matching entry is found, the server uses a randomly generated challenge (EAP-Request/MD5-Challenge) to encrypt the password in the entry. Then, the server sends the challenge in a RADIUS Access-Challenge packet to the authenticator.

6.     The authenticator transmits the EAP-Request/MD5-Challenge packet to the client.

7.     The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5-Challenge packet to the authenticator.

8.     The authenticator relays the EAP-Response/MD5-Challenge packet in a RADIUS Access-Request packet to the authentication server.

9.     The authentication server compares the received encrypted password with the encrypted password it generated at step 5. If the two passwords are identical, the server considers the client valid and sends a RADIUS Access-Accept packet to the authenticator.

10.     Upon receiving the RADIUS Access-Accept packet, the authenticator allows the client to access the network.

11.     After the client comes online, the authenticator periodically sends handshake requests to examine whether the client is still online.

12.     Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a number of consecutive handshake attempts (two by default), the authenticator logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X clients that have abnormally gone offline.

13.     The client sends an EAPOL-Logoff packet to request a logoff from the authenticator.

14.     In response to the EAPOL-Logoff packet, the authenticator sends an EAP-Failure packet to the client.

EAP termination

In this mode, the authenticator performs the following operations:

1.     Terminates the EAP packets received from the client.

2.     Encapsulates the client authentication information in standard RADIUS packets.

3.     Uses PAP or CHAP to communicate with the RADIUS server.

Figure 40 shows the basic 802.1X authentication process in EAP termination mode. In this example, CHAP authentication is used.

 

 

NOTE:

If the AP is specified as the authenticator, it uses the same authentication process as Figure 40 except that the AP handles the EAP and RADIUS packets.

 

Figure 40 802.1X authentication process in EAP termination mode

 

In EAP termination mode, the authentication device rather than the authentication server generates an MD5 challenge for password encryption. The authentication device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
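The challenge-response exchange in steps 5 through 9 of the EAP relay process, and its CHAP form in EAP termination mode, written out as an added example that is not part of the H3C guide. It follows the public packet formats (EAP MD5-Challenge from RFC 3748, the MD5 response value from RFC 1994, CHAP-Password and CHAP-Challenge from RFC 2865); the identifier 7 and the function names are this example's own, and the username abcdef and password 123456 are the ones used in the configuration example above.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2          # EAP Code values (RFC 3748)
EAP_TYPE_MD5_CHALLENGE = 4                # EAP Type for MD5-Challenge
CHAP_PASSWORD, CHAP_CHALLENGE = 3, 60     # RADIUS attribute types (RFC 2865)


def md5_response(identifier, password, challenge):
    """RFC 1994 response value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5(code, identifier, value, name=b""):
    """EAP header (Code, Identifier, Length) + Type 4 + Value-Size + Value + Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet):
    """Return (code, identifier, value, name); reject truncated or non-MD5 packets."""
    if len(packet) < 6:
        raise ValueError("packet too short for EAP MD5-Challenge")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if not 6 <= length <= len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("bad length or not an MD5-Challenge packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size runs past the EAP length")
    return code, identifier, packet[6:6 + size], packet[6 + size:length]


def client_answer(request, username, password):
    """Step 7: the client hashes its password with the received challenge."""
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    value = md5_response(identifier, password, challenge)
    return build_eap_md5(EAP_RESPONSE, identifier, value, username)


def relay_server_verify(response, identifier, challenge, stored_password):
    """Step 9 (EAP relay): the server recomputes the value and compares."""
    code, rid, value, _ = parse_eap_md5(response)
    expected = md5_response(identifier, stored_password, challenge)
    return (code == EAP_RESPONSE and rid == identifier
            and hmac.compare_digest(value, expected))


def radius_attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def termination_attrs(response, challenge):
    """EAP termination with CHAP: the authenticator ends EAP and repackages the
    identifier, the response value and its own challenge as RADIUS attributes."""
    _, identifier, value, _ = parse_eap_md5(response)
    return (radius_attr(CHAP_PASSWORD, bytes([identifier]) + value)
            + radius_attr(CHAP_CHALLENGE, challenge))


def chap_server_verify(attrs, stored_password):
    """RADIUS server in EAP termination mode: check CHAP-Password against CHAP-Challenge."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        found[attr_type] = attrs[i + 2:i + length]
        i += length
    chap, challenge = found.get(CHAP_PASSWORD, b""), found.get(CHAP_CHALLENGE, b"")
    if len(chap) != 17 or not challenge:
        raise ValueError("missing or malformed CHAP attributes")
    return hmac.compare_digest(chap[1:], md5_response(chap[0], stored_password, challenge))


if __name__ == "__main__":
    challenge = os.urandom(16)                          # generated per authentication
    request = build_eap_md5(EAP_REQUEST, 7, challenge)  # constructed identifier 7
    response = client_answer(request, b"abcdef", b"123456")
    print("EAP relay accept:", relay_server_verify(response, 7, challenge, b"123456"))
    print("EAP termination accept:",
          chap_server_verify(termination_attrs(response, challenge), b"123456"))
```

In both modes the password itself never crosses the link, but the identifier, challenge and response value do, so the strength of the exchange rests entirely on the password.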

MAC authentication

MAC authentication controls network access by authenticating source MAC addresses. The feature does not require any client software. Clients do not have to enter usernames or passwords for network access. The authenticator initiates a MAC authentication process when it detects an unknown source MAC address. If the MAC address passes authentication, the client can access authorized network resources. If the authentication fails, the authenticator marks the MAC address as a silent MAC address and rejects the client's access.

User account policies

User accounts are required for identifying clients. MAC authentication supports the following user account policies:

·     One MAC-based user account for each client. The authenticator uses the unknown source MAC addresses in packets as the usernames and passwords of clients for MAC authentication.

·     One shared user account for all clients. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication clients on the authenticator. The username is a case-sensitive string of 1 to 55 characters that cannot include the at sign (@). The password can be a plaintext string of 1 to 63 characters or a ciphertext string of 1 to 117 characters.

Authentication methods

You can perform MAC authentication on the authenticator (local authentication) or through a RADIUS server.

RADIUS authentication:

·     MAC-based accounts—The authenticator sends the source MAC address of the packet as the username and password to the RADIUS server for authentication.

·     A shared account—The authenticator sends the shared account username and password to the RADIUS server for authentication.

Local authentication:

·     MAC-based accounts—The authenticator uses the source MAC address of the packet as the username and password to search the local account database for a match.

·     A shared account—The authenticator uses the shared account username and password to search the local account database for a match.

For more information about configuring local authentication and RADIUS authentication, see Security Configuration Guide.

OUI authentication

OUI authentication examines the OUIs in the MAC addresses of clients. A client passes OUI authentication if the client's OUI matches one of the OUIs configured for the authenticator.

 

 

NOTE:

An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI.

 

Authentication modes

| Authentication mode | Working mechanism |
|---|---|
| bypass (the default) | Does not perform authentication. |
| dot1x | Performs 802.1X authentication only. |
| mac | Performs MAC authentication only. |
| mac-then-dot1x | Performs MAC authentication first, and then 802.1X authentication. If the client passes MAC authentication, 802.1X authentication is not performed. |
| dot1x-then-mac | Performs 802.1X authentication first, and then MAC authentication. If the client passes 802.1X authentication, MAC authentication is not performed. |
| oui-then-dot1x | Performs OUI authentication first, and then 802.1X authentication. If the client passes OUI authentication, 802.1X authentication is not performed. |

 

Intrusion protection

When the authenticator detects an association request from a client that fails authentication, intrusion protection is triggered. The feature takes one of the following predefined actions on the BSS where the request is received:

·     temporary-block (default)—Adds the source MAC address of the request to the blocked MAC address list and drops the request packet. The client at a blocked MAC address cannot establish connections with the AP within a period. To set the period, use the client-security intrusion-protection timer temporary-block command.

·     service-stop—Stops the BSS where the request is received until the BSS is enabled manually on the radio interface.

·     temporary-service-stop—Stops the BSS where the request is received for a period. To set the period, use the client-security intrusion-protection timer temporary-service-stop command.

 

 

NOTE:

Intrusion protection action is not supported in bypass mode.

 

WLAN VLAN manipulation

VLAN authorization

You can specify authorization VLANs for a WLAN client to control the client's access to network resources. When the client passes 802.1X or MAC authentication, the authentication server assigns the authorization VLAN information to the authenticator. When the device acts as the authenticator, it can resolve server-assigned VLANs of the following formats:

·     VLAN ID.

·     VLAN name.

The VLAN name represents the VLAN description on the access device.

·     VLAN group name.

For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.

·     Combination of VLAN IDs and VLAN names.

In the string, some VLANs are represented by their IDs, and some VLANs are represented by their names.

If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the VLAN ID format. Table 25 describes the VLAN selection and assignment rules for a group of authorization VLANs.

Table 25 VLAN selection and assignment for a group of authorization VLANs

| Types of authorized VLANs | VLAN selection and assignment rules |
|---|---|
| VLANs by IDs; VLANs by names | The device selects the VLAN with the lowest ID from the group of VLANs. |
| VLAN group name | 1. The device selects the VLAN that has the fewest number of online users. 2. If multiple VLANs have the same number of online 802.1X users, the device selects the VLAN with the lowest ID. |

 

 

NOTE:

The device converts VLAN names and VLAN group names into VLAN IDs before it assigns a VLAN to the client.

 

The device fails VLAN authorization for a client in the following situations:

·     The device fails to resolve the authorization VLAN information.

·     The server assigns a VLAN name to the device, but the device does not have any VLAN using the name.

·     The server assigns a VLAN group name to the device, but the VLAN group does not exist or the VLAN group has not been assigned any VLANs.

Authorization VLAN information is used to control data forwarding, so it must be assigned by the device that forwards data traffic. VLAN assignment can be local VLAN assignment or remote VLAN assignment depending on whether the authenticator and the forwarding device are the same device.

·     Local VLAN assignment—The authenticator and the forwarding device are the same device. After the authenticator obtains the authorization VLAN information, it resolves the information and assigns the VLAN.

·     Remote VLAN assignment—The authenticator and the forwarding device are different devices. After the authenticator obtains the authorization VLAN information, it sends the information to the remote forwarding device. The forwarding device then resolves the information and assigns the VLAN.

For more information about VLANs, see Layer 2—LAN Switching Configuration Guide.

Auth-Fail VLAN

The WLAN Auth-Fail VLAN accommodates clients that have failed WLAN authentication because they do not comply with the organization's security strategy. For example, the VLAN accommodates clients that have entered wrong passwords or usernames. The Auth-Fail VLAN does not accommodate WLAN clients that have failed authentication because of authentication timeouts or network connection problems.

Clients in the Auth-Fail VLAN can access a limited set of network resources.

The authenticator reauthenticates a client in the Auth-Fail VLAN at 30-second intervals.

·     If the client passes the reauthentication, the authenticator assigns the client to the authorization VLAN. If no authorization VLAN is configured, the client is assigned to the initial VLAN.

·     If the client fails the reauthentication, the client is still in the Auth-Fail VLAN.

Clients that use RSNA cannot be assigned to the Auth-Fail VLAN after they fail 802.1X authentication. The authenticator directly logs off the clients.

The Auth-Fail VLAN feature takes precedence over intrusion protection. When a client fails authentication, the Auth-Fail VLAN setting applies first. If no Auth-Fail VLAN is configured, the intrusion protection feature takes effect. If neither feature is configured, the authenticator directly logs off the client.
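The authentication modes, OUI matching and failure handling described above, combined into one decision model. This is an added example, not H3C code: the function names, the outcomes dictionary standing in for the RADIUS or local decision, the OUI input format and VLAN 100 in the usage lines are all constructed for illustration. It shows that in every two-stage mode, passing either method alone brings the client online.

```python
import re

# Methods tried, in order, for each authentication mode
# (taken from the "Authentication modes" table).
MODE_SEQUENCE = {
    "bypass": [],
    "dot1x": ["dot1x"],
    "mac": ["mac"],
    "mac-then-dot1x": ["mac", "dot1x"],
    "dot1x-then-mac": ["dot1x", "mac"],
    "oui-then-dot1x": ["oui", "dot1x"],
}
MAX_OUIS = 16  # the device supports a maximum of 16 OUIs
INTRUSION_ACTIONS = {"temporary-block", "service-stop", "temporary-service-stop"}


def hex_digits(text):
    """Strip '-', ':' and '.' separators and return lower-case hex digits."""
    digits = re.sub(r"[-:.]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError(f"not a hex address: {text!r}")
    return digits


def client_oui(mac):
    """First three octets of a 48-bit MAC such as 5250-0012-0411."""
    digits = hex_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits[:6]


def oui_passes(mac, configured_ouis):
    """OUI authentication: the client's OUI must equal one configured OUI."""
    if len(configured_ouis) > MAX_OUIS:
        raise ValueError("more than 16 OUIs configured")
    # Assumption: each configured OUI is supplied as at least six hex digits.
    return client_oui(mac) in {hex_digits(oui)[:6] for oui in configured_ouis}


def authenticate(mode, mac, outcomes, configured_ouis=()):
    """Return the method that admitted the client, or None if every method failed.

    outcomes maps "mac" / "dot1x" to that method's pass or fail result.
    """
    if mode == "bypass":
        return "bypass"                    # no authentication is performed
    for method in MODE_SEQUENCE[mode]:
        if method == "oui":
            passed = oui_passes(mac, configured_ouis)
        else:
            passed = outcomes.get(method, False)
        if passed:
            return method                  # the remaining methods are not performed
    return None


def sufficient_methods(mode):
    """Methods of which passing any single one brings the client online."""
    return set(MODE_SEQUENCE[mode]) or {"bypass"}


def failure_action(rsna_dot1x_failure, auth_fail_vlan=None, intrusion_action=None):
    """What the authenticator does with a client that failed authentication."""
    if intrusion_action is not None and intrusion_action not in INTRUSION_ACTIONS:
        raise ValueError(f"unknown intrusion protection action: {intrusion_action!r}")
    if rsna_dot1x_failure:
        return "logoff"                    # RSNA clients are logged off directly
    if auth_fail_vlan is not None:
        return f"auth-fail-vlan {auth_fail_vlan}"   # applies before intrusion protection
    if intrusion_action is not None:
        return intrusion_action
    return "logoff"                        # neither feature is configured


if __name__ == "__main__":
    for mode in MODE_SEQUENCE:
        print(f"{mode:16} any one of: {sorted(sufficient_methods(mode))}")
    print(failure_action(False, auth_fail_vlan=100, intrusion_action="service-stop"))
```

Because a MAC address or OUI is an identifier rather than a secret, the output for the mac-then-dot1x, dot1x-then-mac and oui-then-dot1x modes is worth reviewing when a service template is meant to require 802.1X credentials.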

Using WLAN authentication with other features

ACL assignment

You can specify an ACL for an 802.1X client to control the client's access to network resources. After the client passes authentication, the authentication server assigns the ACL to the client for filtering traffic for this client. The authentication server can be on the local device that acts as the authenticator or on a RADIUS server. In either case, you must configure rules for the ACL on the authenticator. If the AP acts as the authenticator, you must configure the ACL rules on the AC.

To change the access control criteria for the client, you can use one of the following methods:

·     Modify the ACL rules on the authenticator.

·     Specify another ACL for the client on the authentication server.

For more information about ACLs, see ACL and QoS Configuration Guide.

User profile assignment

You can specify a user profile for an 802.1X client to control the client's access to network resources. After the client passes 802.1X authentication, the authentication server assigns the user profile to the client for filtering traffic. The authentication server can be on the local device that acts as the authenticator or on a RADIUS server. In either case, you must configure the user profile on the authenticator. If the AP acts as the authenticator, you must configure the user profile on the AC.

To change the client's access permissions, you can use one of the following methods:

·     Modify the user profile configuration on the authenticator.

·     Specify another user profile for the client on the authentication server.

For more information about user profiles, see Security Configuration Guide.

BYOD access control

This feature allows the RADIUS server to push different register pages and assign different authorization attributes to clients on different endpoint devices.

 

 

NOTE:

In the current version, this feature supports only IMC servers as the RADIUS server.

 

The following process illustrates the BYOD access control for a WLAN client that passes 802.1X or MAC authentication:

1.     The authenticator performs the following operations:

a.     Obtains the Option 55 attribute from DHCP packets.

b.     Delivers the Option 55 attribute to the RADIUS server.

On an IMC server, the Option 55 attribute will be delivered to UAM.

2.     The BYOD-capable RADIUS server performs the following operations:

a.     Uses the Option 55 attribute to identify endpoint device information including endpoint type, operating system, and vendor.

b.     Sends a register page and assigns authorization attributes to the client according to the device information.

 


Configuring WLAN authentication

This chapter describes authenticator configuration for WLAN authentication.

Configuration prerequisites

Before you configure WLAN authentication, complete the following tasks:

·     Configure an ISP domain and AAA scheme (local or RADIUS authentication) for WLAN clients.

·     If local authentication is used, create local user accounts on the device (including usernames and passwords) and set the service type to lan-access.

·     If RADIUS authentication is used, make sure the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server. If you are using MAC-based accounts for MAC authentication clients, make sure the username and password for each account are the same as the MAC address of each client.

For more information, see Security Configuration Guide.

WLAN authentication configuration task list

Tasks at a glance

·     (Optional.) Configuring global WLAN authentication parameters

○     Setting OUIs for OUI authentication

○     Specifying 802.1X-supported domain name delimiters

○     Enabling EAP relay or EAP termination for 802.1X

○     Setting the maximum number of 802.1X authentication request attempts

○     Setting the 802.1X authentication timers

○     Configuring the MAC authentication user account format

○     Specifying a global MAC authentication domain

○     Setting the MAC authentication server timeout timer

·     Configuring service-specific WLAN authentication parameters

○     (Required.) Setting the authentication mode

○     (Optional.) Specifying an EAP mode for 802.1X authentication

○     (Optional.) Specifying the authenticator for WLAN clients

○     (Optional.) Ignoring 802.1X or MAC authentication failures

○     (Optional.) Configuring a WLAN Auth-Fail VLAN

○     (Optional.) Ignoring authorization information from the server

○     (Optional.) Enabling the authorization-fail-offline feature

○     (Optional.) Configuring intrusion protection

○     (Optional.) Configuring the online user handshake feature

○     (Optional.) Specifying an 802.1X authentication domain

○     (Optional.) Setting the maximum number of concurrent 802.1X clients

○     (Optional.) Enabling the periodic online user reauthentication feature

○     (Optional.) Setting the maximum number of concurrent MAC authentication clients

○     (Optional.) Specifying a service-specific MAC authentication domain

○     (Optional.) Configuring the accounting-start trigger feature

○     (Optional.) Configuring the accounting-update trigger feature

 

Configuring global WLAN authentication parameters

Setting OUIs for OUI authentication

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set OUI values for OUI authentication. | port-security oui index index-value mac-address oui-value | By default, no OUI value is set for OUI authentication. This step is required only for the oui-then-dot1x mode. You can set multiple OUIs. The device supports a maximum of 16 OUIs. |

 

Specifying 802.1X-supported domain name delimiters

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify a set of domain name delimiters for 802.1X clients. | dot1x domain-delimiter string | By default, only the at sign (@) delimiter is supported. For more information about this command, see Security Command Reference. |

 

Enabling EAP relay or EAP termination for 802.1X

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable EAP relay or EAP termination.

dot1x authentication-method { chap | eap | pap }

By default, the device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Specify the eap keyword to enable EAP relay.

Specify the chap or pap keyword to enable CHAP-enabled or PAP-enabled EAP termination.

For more information about this command, see Security Command Reference.

 

 

NOTE:

If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The device sends the authentication data from the client to the server without any modification. For information about the user-name-format command, see Security Command Reference.

 

Setting the maximum number of 802.1X authentication request attempts

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the maximum number of attempts for sending an 802.1X authentication request.

dot1x retry max-retry-value

The default setting is 2.

For more information about this command, see Security Command Reference.

 

Setting the 802.1X authentication timers

802.1X uses the following timers to control interactions with the client and the RADIUS server:

·     Client timeout timer—Starts when the device sends an EAP-Request/MD5-Challenge packet to a client. If the device does not receive a response when this timer expires, it retransmits the request to the client. If the device has made the maximum transmission attempts without receiving a response, the client fails authentication. To set the maximum attempts, use the dot1x retry command.

·     Server timeout timer—Starts when the device sends a RADIUS Access-Request packet to the authentication server. If the device does not receive a response when this timer expires, the device retransmits the request to the server.

·     Handshake timer—Starts after a client passes authentication when the online user handshake is enabled. The device sends handshake messages to the client at every handshake interval. The device logs off the client if it does not receive any response from the client after the maximum handshake attempts. To set the maximum attempts, use the dot1x retry command.

·     Periodic reauthentication timer—Starts after a client passes authentication when periodic online user reauthentication is enabled. The device reauthenticates the client at the configured interval. Any change to the timer takes effect only on clients that come online after the change.

In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions. The following are two examples:

·     In a low-speed network, increase the client timeout timer.

·     In a network where the authentication servers differ in performance, adjust the server timeout timer.

To set the 802.1X authentication timers:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the client timeout timer.

dot1x timer supp-timeout supp-timeout-value

The default setting is 30 seconds.

For more information about this command, see Security Command Reference.

3.     Set the server timeout timer.

dot1x timer server-timeout server-timeout-value

The default setting is 100 seconds.

For more information about this command, see Security Command Reference.

4.     Set the handshake timer.

dot1x timer handshake-period handshake-period-value

The default setting is 15 seconds.

For more information about this command, see Security Command Reference.

5.     Set the periodic reauthentication timer.

dot1x timer reauth-period reauth-period-value

The default setting is 3600 seconds.

For more information about this command, see Security Command Reference.

 

Configuring the MAC authentication user account format

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure the MAC authentication user account format.

·     Use one MAC-based user account for each client:
mac-authentication user-name-format mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ]

·     Use one shared user account for all clients:
mac-authentication user-name-format fixed [ account name ] [ password { cipher | simple } password ]

By default, the device uses the MAC address of a client as the username and password for MAC authentication. The MAC address is in the hexadecimal notation without hyphens, and letters are in lower case.

For more information about this command, see Security Command Reference.

 

Specifying a global MAC authentication domain

To implement different access policies for clients, you can specify ISP domains for MAC authentication clients globally or on a service template.

MAC authentication chooses an ISP domain for WLAN clients in the following order:

1.     The domain specified on the service template.

2.     The global MAC authentication domain specified in system view.

3.     The default domain.

For information about ISP domains, see Security Configuration Guide.

To globally specify an ISP domain for MAC authentication clients:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify an ISP domain for MAC authentication clients.

mac-authentication domain domain-name

By default, no ISP domain is specified for MAC authentication clients in system view.

For more information about this command, see Security Command Reference.

 

Setting the MAC authentication server timeout timer

MAC authentication starts the server timeout timer when the device sends an authentication request to a RADIUS server. If the device does not receive any response from the RADIUS server before the timer expires, the device regards the server as unavailable. If the timer expires during MAC authentication, the client cannot access the network.

To set the MAC authentication server timeout timer:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the MAC authentication server timeout timer.

mac-authentication timer server-timeout server-timeout-value

The default setting is 100 seconds.

For more information about this command, see Security Command Reference.

 

Configuring service-specific WLAN authentication parameters

Setting the authentication mode

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Set the authentication mode for WLAN clients.

client-security authentication-mode { dot1x | dot1x-then-mac | mac | mac-then-dot1x | oui-then-dot1x }

By default, the bypass mode applies. The device does not perform authentication. Clients can access the device directly.

 

Specifying an EAP mode for 802.1X authentication

The EAP mode determines the EAP protocol provisions and packet format that the device uses to interact with clients.

802.1X supports the following EAP modes:

·     extended—Requires the device to interact with clients according to the provisions and packet format defined by the H3C proprietary EAP protocol.

·     standard—Requires the device to interact with clients according to the provisions and packet format defined by the standard EAP protocol.

Perform this task only when an IMC server is used as the RADIUS server.

To specify an EAP mode for 802.1X authentication:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Specify an EAP mode for 802.1X authentication.

dot1x eap { extended | standard }

By default, the EAP mode is standard for 802.1X authentication.

Specify the extended keyword for iNode clients, and specify the standard keyword for other clients.

 

Specifying the authenticator for WLAN clients

You can specify the AC or AP to act as the authenticator to perform local or RADIUS-based authentication for WLAN clients.

For a successful authentication, the authenticator cannot be the AP if the AC is configured to forward client data traffic. For information about specifying the device for forwarding client data traffic, see "Configuring WLAN access."

To specify the authenticator for WLAN clients:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Specify the authenticator for WLAN clients.

client-security authentication-location { ac | ap }

By default, the AC acts as the authenticator to authenticate WLAN clients.

 

Ignoring 802.1X or MAC authentication failures

Overview

This feature applies to the following clients:

·     Clients that perform 802.1X authentication.

This feature enables the device to ignore the 802.1X authentication failures and allow clients that have failed 802.1X authentication to come online.

·     Clients that perform both RADIUS-based MAC authentication and portal authentication.

Typically, a WLAN client must pass MAC authentication and portal authentication in turn to access network resources. The client provides a username and password each time portal authentication is performed.

This feature simplifies the authentication process for a client as follows:

-     If the RADIUS server already records the client's MAC authentication information, the client passes MAC authentication. The device allows the client to access network resources without performing portal authentication.

-     If the RADIUS server does not record the client's MAC authentication information, the client fails MAC authentication. The device ignores the MAC authentication failures and performs portal authentication for the client. If the client passes portal authentication, it can access network resources. The MAC address of the portal authenticated client will be recorded as MAC authentication information on the RADIUS server. At the next authentication attempt, the client will pass MAC authentication and access network resources without performing portal authentication.

Configuration restrictions and guidelines

For RSN + 802.1X clients to roam to a new AP, do not configure this feature.

Configuration procedure

To configure the device to ignore 802.1X or MAC authentication failures:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Configure the device to ignore 802.1X or MAC authentication failures.

client-security ignore-authentication

By default, the device does not ignore the authentication failures for wireless clients that perform 802.1X authentication or perform RADIUS-based MAC authentication.

 

Configuring a WLAN Auth-Fail VLAN

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Configure a WLAN Auth-Fail VLAN.

client-security authentication fail-vlan vlan-id

By default, no WLAN Auth-Fail VLAN is configured.

You can configure only one Auth-Fail VLAN on the service template.

 

Ignoring authorization information from the server

You can configure the device to ignore the authorization information received from the server (local or remote) after a client passes 802.1X or MAC authentication. Authorization information includes VLAN, ACL, and user profile.

To configure the device to ignore authorization information from the server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Ignore the authorization information received from the authentication server.

client-security ignore-authorization

By default, authorization information received from the authentication server is used.

 

Enabling the authorization-fail-offline feature

The authorization-fail-offline feature logs off WLAN clients that fail ACL or user profile authorization.

A client fails ACL or user profile authorization in the following situations:

·     The device or server fails to authorize the specified ACL or user profile to the client.

·     The authorized ACL or user profile does not exist.

This feature does not apply to clients that fail VLAN authorization. The device logs off these clients directly.

To enable the authorization-fail-offline feature:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Enable the authorization-fail-offline feature.

client-security authorization-fail offline

By default, this feature is disabled. The device does not log off clients that fail ACL or user profile authorization, and it outputs system logs.

 

Configuring intrusion protection

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Enable the intrusion protection feature.

client-security intrusion-protection enable

By default, intrusion protection is disabled.

4.     (Optional.) Configure the intrusion protection action.

client-security intrusion-protection action { service-stop | temporary-block | temporary-service-stop }

By default, temporary-block is used.

5.     (Optional.) Set the blocking period for illegal clients.

client-security intrusion-protection timer temporary-block time

The default setting is 180 seconds.

6.     (Optional.) Set the silence period during which the BSS remains disabled.

client-security intrusion-protection timer temporary-service-stop time

The default setting is 20 seconds.

 

Configuring the online user handshake feature

The online user handshake feature examines the connectivity status of online 802.1X clients. The device sends handshake messages to online clients at the interval specified by the dot1x timer handshake-period command. If the device does not receive any responses from an online client after it has made the maximum handshake attempts, the device sets the client to offline state.

The online user handshake security feature adds authentication information to the handshake messages. This feature prevents illegal clients from impersonating legal 802.1X clients when exchanging handshake messages with the device. With this feature, the device compares the authentication information in the handshake response message from a client with that assigned by the authentication server. If no match is found, the device logs off the client.

Configuration guidelines

When you configure the online user handshake security feature, follow these restrictions and guidelines:

·     To use the online user handshake security feature, make sure the online user handshake feature is enabled.

·     The online user handshake security feature protects only online authenticated 802.1X clients.

Configuration procedure

To configure the online user handshake feature:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Enable the online user handshake feature.

dot1x handshake enable

By default, this feature is disabled.

4.     (Optional.) Enable the online user handshake security feature.

dot1x handshake secure enable

By default, this feature is disabled.

 

Specifying an 802.1X authentication domain

802.1X authentication chooses an ISP domain for WLAN clients in the following order:

·     The domain specified on the service template.

·     The domain specified by username.

·     The default domain.

To specify an 802.1X authentication domain for a service template:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Specify an 802.1X authentication domain for the service template.

dot1x domain domain-name

By default, no 802.1X authentication domain is specified for the service template.

 

Setting the maximum number of concurrent 802.1X clients

When the maximum number of concurrent 802.1X clients is reached for a service template, new 802.1X clients are rejected.

To set the maximum number of concurrent 802.1X clients for a service template:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Set the maximum number of concurrent 802.1X clients for a service template.

dot1x max-user count

The default setting is 4096.

 

Enabling the periodic online user reauthentication feature

Periodic online user reauthentication tracks the connection status of online clients, and updates the authorization attributes assigned by the server. The attributes include the ACL, VLAN, and user profile-based QoS. The reauthentication interval is user configurable.

The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).

·     If the termination action is Default (logoff), periodic online user reauthentication on the device takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.

·     If the termination action is Radius-request, the periodic online user reauthentication configuration on the device does not take effect. The device reauthenticates the online 802.1X clients after the session timeout timer expires.

Support for the assignment of Session-Timeout and Termination-Action attributes depends on the server model.

To enable the periodic online user reauthentication feature:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Enable periodic online user reauthentication.

dot1x re-authenticate enable

By default, this feature is disabled.

 

Setting the maximum number of concurrent MAC authentication clients

When the maximum number of concurrent MAC authentication clients is reached for a service template, new MAC authentication clients are rejected.

To set the maximum number of concurrent MAC authentication clients for a service template:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Set the maximum number of concurrent MAC authentication clients for the service template.

mac-authentication max-user count

The default setting is 4096.

 

Specifying a service-specific MAC authentication domain

MAC authentication chooses an ISP domain for WLAN clients in the following order:

·     The domain specified on the service template.

·     The global MAC authentication domain specified in system view.

·     The default domain.

To specify an ISP domain for MAC authentication clients on a service template:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Specify an ISP domain for MAC authentication clients.

mac-authentication domain domain-name

By default, no ISP domain is specified for MAC authentication clients.

 

Configuring the accounting-start trigger feature

About accounting-start trigger

The accounting-start trigger specifies the condition for the device to send an accounting-start request after a client passes 802.1X or MAC authentication.

The accounting-start trigger can be one of the following:

·     ipv4—Sends an accounting-start request if an 802.1X or MAC authenticated client uses an IPv4 address.

·     ipv4-ipv6—Sends an accounting-start request if an 802.1X or MAC authenticated client uses an IPv4 or IPv6 address.

·     ipv6—Sends an accounting-start request if an 802.1X or MAC authenticated client uses an IPv6 address.

·     none—Sends a start-accounting request when a client passes authentication without examining its IP address type.

In conjunction with an IP-based accounting-start trigger, you can set an accounting delay timer. The accounting delay timer specifies the maximum interval for the device to learn the IP address of an 802.1X or MAC authenticated client before it takes the specified action.

The delay timer starts when a client passes 802.1X or MAC authentication. If the device has failed to learn an IP address that matches the IP-based accounting-start trigger before the accounting delay timer expires, the device takes either of the following actions:

·     Sends a start-accounting request immediately if the no-ip-logoff action is not specified.

·     Logs off the client if the no-ip-logoff action is specified.

If the delay timer is not set, the device sends a start-accounting request for a client only when the device learns the IP address of that client.

For more information about accounting, see AAA in Security Configuration Guide.

Configuration restrictions and guidelines

If the trigger is IP address type based, you must enable learning IP addresses of that type. For information about wireless client IP address learning, see "Configuring WLAN IP snooping."

The trigger takes effect only on clients that come online after the trigger is configured.

Configure the accounting delay timer depending on the typical amount of time for the device to learn the IP address of a client. As a best practice, increase the delay timer on a low-performance network.

Configuration procedure

To configure the accounting-start trigger feature:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Configure the accounting-start trigger for clients.

client-security accounting-start trigger { ipv4 | ipv4-ipv6 | ipv6 | none }

By default, the accounting-start trigger is based on IPv4 address type.

4.     (Optional.) Set the accounting delay timer.

client-security accounting-delay time time [ no-ip-logoff ]

By default, the device sends a start-accounting request for a client only when the device learns the IP address of that client.
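The following Python model is an added example, not part of the H3C guide or device code. It works through the trigger, delay timer, and no-ip-logoff rules described above for a few constructed clients, to show which ones end up without an accounting-start request. The function names, the client table, and the choice to treat an address learned exactly at timer expiry as too late are assumptions of this sketch.

```python
# Added illustration: decision model for the accounting-start trigger and delay timer.
# Address families that satisfy each trigger value from the command syntax.
MATCHES = {
    "ipv4": {"ipv4"},
    "ipv6": {"ipv6"},
    "ipv4-ipv6": {"ipv4", "ipv6"},
    "none": set(),
}

# Constructed sample clients: (time after authentication, learned address family).
CLIENTS = {
    "dual-stack": [(2, "ipv6"), (5, "ipv4")],
    "ipv6-only": [(3, "ipv6")],
    "slow-dhcp": [(40, "ipv4")],
}


def accounting_start(trigger, learned, delay=None, no_ip_logoff=False):
    """Return (action, time) for one client that has passed authentication.

    trigger      -- value of `client-security accounting-start trigger`
    learned      -- list of (time_after_auth, "ipv4" | "ipv6") learning events
    delay        -- `client-security accounting-delay time` value, None if not set
    no_ip_logoff -- True when the no-ip-logoff keyword is configured
    action is "start", "logoff", or "pending" (no request sent yet).
    """
    if trigger not in MATCHES:
        raise ValueError("unknown trigger: %r" % trigger)
    if trigger == "none":
        # Sent when the client passes authentication; the IP type is not examined.
        return ("start", 0)
    hits = sorted(t for t, family in learned if family in MATCHES[trigger])
    first = hits[0] if hits else None
    if delay is None:
        # No delay timer: the request waits for a matching address, possibly forever.
        return ("start", first) if first is not None else ("pending", None)
    if first is not None and first < delay:
        return ("start", first)
    # Timer expired without a matching address (equality counts as expiry here).
    return ("logoff", delay) if no_ip_logoff else ("start", delay)


def evaluate(clients, **policy):
    """Apply one policy to every client and return {client: (action, time)}."""
    return {name: accounting_start(learned=events, **policy)
            for name, events in clients.items()}


if __name__ == "__main__":
    policies = [
        {"trigger": "ipv4"},  # the defaults stated in the Remarks column
        {"trigger": "ipv4", "delay": 30},
        {"trigger": "ipv4-ipv6", "delay": 30, "no_ip_logoff": True},
    ]
    for policy in policies:
        print(policy, evaluate(CLIENTS, **policy))
```

With the defaults (IPv4 trigger, no delay timer), the IPv6-only client stays online with no accounting-start record, which is the case to check for when accounting data is used as an audit trail.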

 

Configuring the accounting-update trigger feature

About accounting-update trigger

Use this feature to specify an event-based accounting-update trigger. This feature enables the device to send an update-accounting request when the IP address of an online 802.1X or MAC authenticated client changes.

Configuration restrictions and guidelines

Use the accounting-update trigger in conjunction with the accounting-start trigger. The accounting-update trigger can take effect only if you have configured the accounting-start trigger by using the client-security accounting-start trigger command.

In addition to the event-based accounting-update trigger, you can set a regular accounting-update interval by using the timer realtime-accounting command.

The accounting-update trigger takes effect only on clients that come online after the trigger is configured.

Configuration procedure

To configure the accounting-update trigger feature:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Specify an event-based accounting-update trigger.

client-security accounting-update trigger { ipv4 | ipv4-ipv6 | ipv6 }

By default, no event-based accounting-update trigger is configured. The device sends update-accounting requests to the accounting server only at the regular server-assigned or user-defined real-time accounting intervals.

 

Displaying and maintaining WLAN authentication settings

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display online 802.1X client information.

display dot1x connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name name-string ]

Display 802.1X session connection information, statistics, or configuration information.

display dot1x [ sessions | statistics ] [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Display MAC authentication connections.

display mac-authentication connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name name-string ]

Display MAC authentication information.

display mac-authentication [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Display blocked MAC address information.

display wlan client-security block-mac [ ap ap-name [ radio radio-id ] ]

Clear 802.1X statistics.

reset dot1x statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Clear MAC authentication statistics.

reset mac-authentication statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

 

 

NOTE:

For more information about the display dot1x connection, display dot1x, reset dot1x statistics, display mac-authentication connection, display mac-authentication, and reset mac-authentication statistics commands, see Security Command Reference.

 

WLAN authentication configuration examples

802.1X CHAP local authentication configuration example

Network requirements

As shown in Figure 41, configure the AC to use CHAP to perform 802.1X local authentication for the client.

Figure 41 Network diagram

 

Configuration procedure

1.     Configure 802.1X and the local client:

# Configure the AC to perform EAP termination and use CHAP.

<AC> system-view

[AC] dot1x authentication-method chap

# Add a local network access user with the username chap1 and the password 123456 in plain text.

[AC] local-user chap1 class network

[AC-luser-network-chap1] password simple 123456

# Set the service type to lan-access.

[AC-luser-network-chap1] service-type lan-access

[AC-luser-network-chap1] quit

2.     Configure AAA methods for the ISP domain:

# Create an ISP domain named local.

[AC] domain local

# Configure the ISP domain to use local authentication, local authorization, and local accounting for LAN clients.

[AC-isp-local] authentication lan-access local

[AC-isp-local] authorization lan-access local

[AC-isp-local] accounting lan-access local

[AC-isp-local] quit

3.     Configure a service template:

# Create a service template named wlas_local_chap.

[AC] wlan service-template wlas_local_chap

# Set the authentication mode to 802.1X.

[AC-wlan-st-wlas_local_chap] client-security authentication-mode dot1x

# Specify the ISP domain local for the service template.

[AC-wlan-st-wlas_local_chap] dot1x domain local

# Set the SSID to wlas_local_chap.

[AC-wlan-st-wlas_local_chap] ssid wlas_local_chap

# Enable the service template.

[AC-wlan-st-wlas_local_chap] service-template enable

[AC-wlan-st-wlas_local_chap] quit

4.     Configure the manual AP ap1, and bind the service template to the AP radio:

# Create ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 149

[AC-wlan-ap-ap1-radio-1] radio enable

# Bind the service template wlas_local_chap to radio 1.

[AC-wlan-ap-ap1-radio-1] service-template wlas_local_chap

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Verify the 802.1X configuration.

[AC] display wlan service-template

[AC] display dot1x

# Display the client connection information after an 802.1X client passes authentication.

[AC] display dot1x connection
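The following Python script is an added example, not H3C tooling. It reads a CLI transcript in the prompt format used by the configuration examples and flags settings whose effect this guide describes: the bypass default, ignore-authentication, ignore-authorization, handshake security without handshake, and oui-then-dot1x without an OUI. The rule names and the WEAK_EXAMPLE transcript are constructed for illustration; PAGE_EXAMPLE is an excerpt of the example above.

```python
# Added illustration: audit a Comware CLI transcript for WLAN authentication settings.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule scope detail")

# Prompt forms used in the guide's transcripts: <AC> cmd, [AC] cmd, [AC-wlan-st-NAME] cmd.
PROMPT = re.compile(r"^(?:<[^>]+>|\[(?P<view>[^\]]+)\])\s*(?P<cmd>\S.*)$")
ST_VIEW = re.compile(r"-wlan-st-(?P<name>.+)$")
SECRET = re.compile(r"^(?:password|key (?:authentication|accounting)) simple \S+")

# Excerpt of the 802.1X CHAP local authentication example.
PAGE_EXAMPLE = """\
<AC> system-view
[AC] dot1x authentication-method chap
[AC] local-user chap1 class network
[AC-luser-network-chap1] password simple 123456
[AC-luser-network-chap1] service-type lan-access
[AC] wlan service-template wlas_local_chap
[AC-wlan-st-wlas_local_chap] client-security authentication-mode dot1x
[AC-wlan-st-wlas_local_chap] dot1x domain local
[AC-wlan-st-wlas_local_chap] ssid wlas_local_chap
[AC-wlan-st-wlas_local_chap] service-template enable
"""

# Constructed transcript; template names "guest" and "corp" are hypothetical.
WEAK_EXAMPLE = """\
<AC> system-view
[AC] wlan service-template guest
[AC-wlan-st-guest] ssid guest
[AC-wlan-st-guest] service-template enable
[AC-wlan-st-guest] quit
[AC] wlan service-template corp
[AC-wlan-st-corp] client-security authentication-mode oui-then-dot1x
[AC-wlan-st-corp] client-security ignore-authentication
[AC-wlan-st-corp] dot1x handshake secure enable
[AC-wlan-st-corp] service-template enable
"""


def parse(transcript):
    """Yield (view, command) pairs; user view (<AC>) is reported as view ''."""
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if m:  # comment lines (# ...) and blank lines do not match
            yield m.group("view") or "", " ".join(m.group("cmd").split())


def audit(transcript):
    """Return a list of Finding tuples for the whole transcript."""
    templates, findings, oui_set = {}, [], False
    for view, cmd in parse(transcript):
        if cmd.startswith("port-security oui "):
            oui_set = True
        if cmd.startswith("wlan service-template "):
            templates.setdefault(cmd.split()[2], [])
        st = ST_VIEW.search(view)
        if st:
            templates.setdefault(st.group("name"), []).append(cmd)
        if SECRET.match(cmd):
            findings.append(Finding("cleartext-secret", view,
                                    "secret appears in clear in this transcript"))
    for name, cmds in templates.items():
        mode = None
        for c in cmds:  # the last authentication-mode command wins
            if c.startswith("client-security authentication-mode "):
                mode = c.split()[2]
        if mode is None and "service-template enable" in cmds:
            findings.append(Finding("bypass-mode", name,
                                    "no authentication mode set: bypass mode applies"))
        if "client-security ignore-authentication" in cmds:
            findings.append(Finding("ignore-auth-failure", name,
                                    "clients that fail 802.1X can come online"))
        if "client-security ignore-authorization" in cmds:
            findings.append(Finding("ignore-authorization", name,
                                    "server-assigned VLAN, ACL and user profile ignored"))
        if ("dot1x handshake secure enable" in cmds
                and "dot1x handshake enable" not in cmds):
            findings.append(Finding("handshake-secure-without-handshake", name,
                                    "handshake security needs dot1x handshake enable"))
        if mode == "oui-then-dot1x" and not oui_set:
            findings.append(Finding("oui-missing", name,
                                    "oui-then-dot1x requires port-security oui"))
    return findings


if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE), ("weak example", WEAK_EXAMPLE)):
        for f in audit(text):
            print("%s: [%s] %s: %s" % (label, f.rule, f.scope, f.detail))
```

The script evaluates commands as written and does not process undo commands, so run it on the final form of a change script.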

802.1X EAP-PEAP RADIUS authentication configuration example

Network requirements

As shown in Figure 42, configure the AC to perform 802.1X RADIUS authentication for the client by using EAP-PEAP.

Figure 42 Network diagram

 

Configuration procedure

1.     Configure the AC:

a.     Configure 802.1X and the RADIUS scheme:

# Configure the AC to use EAP relay to authenticate 802.1X clients.

<AC> system-view

[AC] dot1x authentication-method eap

# Create a RADIUS scheme.

[AC] radius scheme imcc

# Specify the primary authentication server and the primary accounting server.

[AC-radius-imcc] primary authentication 10.18.1.88 1812

[AC-radius-imcc] primary accounting 10.18.1.88 1813

# Set the shared key for secure communication with the server to 12345678 in plain text.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Exclude domain names in the usernames sent to the RADIUS server.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

b.     Configure AAA methods for the ISP domain:

# Create an ISP domain named imc.

[AC] domain imc

# Configure the ISP domain to use the RADIUS scheme imcc for authentication, authorization, and accounting of LAN clients.

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

c.     Configure a service template:

# Create a service template named wlas_imc_peap.

[AC] wlan service-template wlas_imc_peap

# Set the authentication mode to 802.1X.

[AC-wlan-st-wlas_imc_peap] client-security authentication-mode dot1x

# Specify the ISP domain imc for the service template.

[AC-wlan-st-wlas_imc_peap] dot1x domain imc

# Set the SSID to wlas_imc_peap.

[AC-wlan-st-wlas_imc_peap] ssid wlas_imc_peap

# Set the AKM mode to 802.1X.

[AC-wlan-st-wlas_imc_peap] akm mode dot1x

# Set the CCMP cipher suite.

[AC-wlan-st-wlas_imc_peap] cipher-suite ccmp

# Enable the RSN-IE in the beacon and probe responses.

[AC-wlan-st-wlas_imc_peap] security-ie rsn

# Enable the service template.

[AC-wlan-st-wlas_imc_peap] service-template enable

[AC-wlan-st-wlas_imc_peap] quit

d.     Configure the manual AP ap1, and bind the service template to an AP radio:

# Create ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 149

[AC-wlan-ap-ap1-radio-1] radio enable

# Bind the service template wlas_imc_peap to radio 1.

[AC-wlan-ap-ap1-radio-1] service-template wlas_imc_peap

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

2.     Configure the RADIUS server:

In this example, the RADIUS server runs IMC PLAT 7.1 and IMC UAM 7.1, and the EAP-PEAP certificate has been installed.

# Add an access device:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

c.     Click Add.

The Add Access Device page appears.

d.     In the Access Configuration area, configure the following parameters, as shown in Figure 43:

-     Enter 12345678 in the Shared Key and Confirm Shared Key fields.

-     Use the default values for other parameters.

e.     In the Device List area, click Select or Add Manually to add the device at 10.18.1.1 as an access device.

Figure 43 Adding an access device


f.     Click OK.

# Add an access policy:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Access Policy.

c.     Click Add.

d.     On the Add Access Policy page, configure the following parameters, as shown in Figure 44:

-     Enter dot1x in the Access Policy Name field.

-     Select EAP for the Certificate Authentication field.

-     Select EAP-PEAP Auth from the Certificate Type list, and select MS-CHAPV2 Auth from the Certificate Sub-Type list.

The certificate sub-type on the IMC server must be the same as the identity authentication method configured on the client.

Figure 44 Adding an access policy

 

e.     Click OK.

# Add an access service:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Access Service.

c.     Click Add.

d.     On the Add Access Service page, configure the following parameters, as shown in Figure 45:

-     Enter dot1x in the Service Name field.

-     Select dot1x from the Default Access Policy list.

Figure 45 Adding an access service

 

e.     Click OK.

# Add an access user:

a.     Click the User tab.

b.     From the navigation tree, select Access User > All Access Users.

The access user list appears.

c.     Click Add.

The Add Access User page appears.

d.     In the Access Information area, configure the following parameters, as shown in Figure 46:

-     Click Select or Add User to associate the user with IMC Platform user user.

-     Enter user in the Account Name field.

-     Enter dot1x in the Password and Confirm Password fields.

e.     In the Access Service area, select dot1x from the list.

Figure 46 Adding an access user account

 

f.     Click OK.

3.     Configure the WLAN client:

The WLAN client has been installed with the EAP-PEAP certificate.

To configure the WLAN client, perform the following tasks (details not shown):

·     Select PEAP for identity authentication.

·     Disable the client from verifying the server certificate.

·     Disable the client from automatically using the Windows login name and password.

Verifying the configuration

1.     On the client, verify that you can use username user and password dot1x to access the network. (Details not shown.)

2.     On the AC, perform the following tasks to verify that the user has passed authentication and come online:

# Display online 802.1X client information.

[AC] display dot1x connection

Total connections: 1

 

User MAC address           : 0023-8933-2090

AP name                    : ap1

Radio ID                   : 1

SSID                       : wlas_imc_peap

BSSID                      : 000f-e201-0003

User name                  : user

Authentication domain      : imc

Authentication method      : EAP

Initial VLAN               : 1

Authorization VLAN         : N/A

Authorization ACL number   : N/A

Authorization user profile : N/A

Termination action         : Default

Session timeout period     : 6001 s

Online from                : 2014/04/18 09:25:18

Online duration            : 0h 1m 1s

# Display WLAN client information.

[AC] display wlan client

Total number of clients           : 1

 

MAC address    Username             AP name               R IP address      VLAN

0023-8933-2090 user                 ap1                   1 10.18.1.100     1

RADIUS-based MAC authentication configuration example

Network requirements

As shown in Figure 47, configure the AC to use the RADIUS server to perform MAC authentication for the client.

Figure 47 Network diagram

 

Configuration procedure

Make sure the RADIUS server, AC, AP, and client can reach each other. (Details not shown.)

1.     Configure the AC:

a.     Configure the RADIUS scheme:

# Create a RADIUS scheme.

<AC> system-view

[AC] radius scheme imcc

# Specify the primary authentication server and the primary accounting server.

[AC-radius-imcc] primary authentication 10.18.1.88 1812

[AC-radius-imcc] primary accounting 10.18.1.88 1813

# Set the shared key for secure communication with the server to 12345678 in plain text.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Exclude domain names in the usernames sent to the RADIUS server.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

b.     Configure AAA methods for the ISP domain:

# Create an ISP domain named imc.

[AC] domain imc

# Configure the ISP domain to use the RADIUS scheme imcc for authentication, authorization, and accounting of LAN clients.

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

c.     Specify the username 123 and the password aaa_maca in plain text for the account shared by MAC authentication clients.

[AC] mac-authentication user-name-format fixed account 123 password simple aaa_maca

d.     Configure a service template:

# Create a service template named maca_imc.

[AC] wlan service-template maca_imc

# Set the SSID to maca_imc.

[AC-wlan-st-maca_imc] ssid maca_imc

# Set the authentication mode to MAC authentication.

[AC-wlan-st-maca_imc] client-security authentication-mode mac

# Specify the ISP domain imc for the service template.

[AC-wlan-st-maca_imc] mac-authentication domain imc

# Enable the service template.

[AC-wlan-st-maca_imc] service-template enable

[AC-wlan-st-maca_imc] quit

e.     Configure the manual AP ap1, and bind the service template to an AP radio:

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 149

[AC-wlan-ap-ap1-radio-1] radio enable

# Bind the service template maca_imc to radio 1.

[AC-wlan-ap-ap1-radio-1] service-template maca_imc

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

2.     Configure the RADIUS server:

In this example, the RADIUS server runs IMC PLAT 7.1 and IMC UAM 7.1.

# Add an access device:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

c.     Click Add.

The Add Access Device page appears.

d.     In the Access Configuration area, configure the following parameters, as shown in Figure 48:

-     Enter 12345678 in the Shared Key and Confirm Shared Key fields.

-     Use the default values for other parameters.

e.     In the Device List area, click Select or Add Manually to add the device at 10.18.1.1 as an access device.

Figure 48 Adding an access device

 

f.     Click OK.

# Add an access policy:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Access Policy.

c.     Click Add.

d.     On the Add Access Policy page, configure the following parameters, as shown in Figure 49:

-     Enter aaa_maca in the Access Policy Name field.

-     Use the default values for other parameters.

Figure 49 Adding an access policy

 

e.     Click OK.

# Add an access service:

a.     Click the User tab.

b.     From the navigation tree, select User Access Policy > Access Service.

c.     Click Add.

d.     On the Add Access Service page, configure the following parameters, as shown in Figure 50:

-     Enter aaa_maca in the Service Name field.

-     Select aaa_maca from the Default Access Policy list.

Figure 50 Adding an access service

 

e.     Click OK.

# Add an access user:

a.     Click the User tab.

b.     From the navigation tree, select Access User > All Access Users.

The access user list appears.

c.     Click Add.

The Add Access User page appears.

d.     In the Access Information area, configure the following parameters, as shown in Figure 51:

-     Click Select or Add User to associate the user with IMC Platform user 123.

-     Enter 123 in the Account Name field.

-     Enter aaa_maca in the Password and Confirm Password fields.

e.     In the Access Service area, select aaa_maca from the list.

Figure 51 Adding an access user account

 

f.     Click OK.

Verifying the configuration

1.     On the client, verify that you can use username 123 and password aaa_maca to access the network. (Details not shown.)

2.     On the AC, perform the following tasks to verify that the user has passed authentication and come online:

# Display online MAC authentication client information.

[AC] display mac-authentication connection

Total connections: 1

 

User MAC address              : 0023-8933-2098

AP name                       : ap1

Radio ID                      : 1

SSID                          : maca_imc

BSSID                         : 000f-e201-0001

User name                     : 123

Authentication domain         : imc

Initial VLAN                  : 1

Authorization VLAN            : N/A

Authorization ACL number      : N/A

Authorization user profile    : N/A

Termination action            : Default

Session timeout period        : 6001 s

Online from                   : 2014/04/17 17:21:12

Online duration               : 0h 0m 30s

# Display WLAN client information.

[AC] display wlan client

Total number of clients           : 1

 

MAC address    Username            AP name               R IP address      VLAN

0023-8933-2098 123                 ap1                   1 10.18.1.100     1

 


Configuring WIPS

Overview

Wireless Intrusion Prevention System (WIPS) helps you monitor your WLAN, detect attacks and rogue devices, and take countermeasures. WIPS provides a complete solution for WLAN security.

WIPS contains the network management module, the AC, and sensors (APs enabled with WIPS). They provide the following functions:

·     The sensors monitor the WLAN, collect channel information, and report the information to the AC for further analysis.

·     The AC determines attacks and rogue devices, takes countermeasures, and triggers alarms.

·     The network management module allows you to configure WIPS in the Web interface. It provides configuration management, report generation, and alarm management functions.

Attack detection

WIPS detects attacks by listening to 802.11 frames and triggers alarms to notify the administrator.

Flood attack detection

An AP might be facing a flood attack if it receives a large number of same-type frames within a short period of time. To prevent the AP from being overwhelmed, WIPS periodically examines incoming packet statistics and triggers an alarm when it detects a suspected flood attack. WIPS can detect the following flood attacks:

·     Authentication request flood attack—Floods the association table of an AP by imitating many clients sending authentication requests to the AP.

·     Probe request/association request/reassociation request flood attack—Floods the association table of an AP by imitating many clients sending probe requests/association requests/reassociation requests to the AP.

·     EAPOL-start flood attack—Exhausts the AP's resources by imitating many clients sending EAPOL-start frames defined in IEEE 802.1X to the AP.

·     Broadcast/unicast deauthentication flood attack—Spoofs deauthentication frames from the AP to the associated clients to disassociate the clients from the AP. This attack can rapidly terminate wireless services to multiple clients.

·     Broadcast/unicast disassociation flood attack—Spoofs disassociation frames from the AP to the associated clients to disassociate the clients from the AP. This attack can rapidly terminate wireless services to multiple clients.

·     RTS/CTS flood attack—Floods RTS/CTS frames to reserve the RF medium and force other wireless devices sharing the RF medium to hold back their transmissions. This attack takes advantage of vulnerabilities of the virtual carrier mechanism.

·     Block Ack flood attack—Floods Block Ack frames to the AP to interrupt the operation of the Block Ack mechanism.

·     Null data flood attack—Spoofs null data frames with power management bit 1 that are sent from a client to the AP. The AP determines that the client is in power save mode and buffers frames for the client. When the aging time of the buffered frames expires, the AP discards the frames. This interrupts the client's communication with the AP.

·     Beacon flood attack—Floods beacon frames imitating a large number of fake APs to interrupt client association.

·     EAPOL-logoff flood attack—The IEEE 802.1X standard defines the authentication protocol using Extensible Authentication Protocol over LANs (EAPOL). A client needs to send an EAPOL-logoff frame to terminate the session with an AP. The EAPOL-logoff frames are not authenticated, and an attacker can spoof EAPOL-logoff frames to disassociate a client.

·     EAP-success/failure flood attack—In a WLAN using 802.1X authentication, an AP sends an EAP-success or EAP-failure frame to a client to notify the client of authentication success or failure. An attacker can spoof the MAC address of an AP to send EAP-success or EAP-failure frames to a client to disrupt the authentication process.

Malformed packet detection

WIPS determines that a frame is malformed if the frame matches the criteria shown in Table 26, and then it triggers alarms and logs. WIPS can detect 16 kinds of malformed packets.

Table 26 Malformed frame match criteria

Detection type: Invalid IE length detection
Applicable frames: All management frames
Match criteria: The IE length does not conform to the 802.11 protocol. The remaining length of the IE is not zero after the packet is resolved.

Detection type: Duplicate IE detection
Applicable frames: All management frames
Match criteria: Duplicate IE. This type of detection is not applicable to vendor-defined IEs.

Detection type: Redundant IE detection
Applicable frames: All management frames
Match criteria: The IE is not a necessary IE to the frame and is not a reserved IE.

Detection type: Invalid packet length detection
Applicable frames: All management frames
Match criteria: The remaining length of the IE is not zero after the packet payload is resolved.

Detection type: Abnormal IBSS and ESS setting detection
Applicable frames:
·     Beacon frames
·     Probe response frames
Match criteria: Both IBSS and ESS are set to 1.

Detection type: Malformed authentication request frame detection
Applicable frames: Authentication request frames
Match criteria:
·     The authentication algorithm number does not conform to the 802.11 protocol and is larger than 3.
·     The authentication transaction sequence number is 1 and the status code is not 0.
·     The authentication transaction sequence number is larger than 4.

Detection type: Malformed association request frame detection
Applicable frames: Association request frames
Match criteria: The frame length is 0.

Detection type: Malformed HT IE detection
Applicable frames:
·     Beacon frames
·     Probe responses
·     Association responses
·     Reassociation requests
Match criteria:
·     The SM power save value for the HT capabilities IE is 2.
·     The secondary channel offset value for the HT operation IE is 2.

Detection type: Oversized duration detection
Applicable frames:
·     Unicast management frames
·     Unicast data frames
·     RTS, CTS, and ACK frames
Match criteria: The packet duration value is larger than the specified threshold.

Detection type: Malformed probe response frame detection
Applicable frames: Probe response frames
Match criteria: The frame is not a mesh frame and its SSID length is 0.

Detection type: Invalid deauthentication code detection
Applicable frames: Deauthentication frames
Match criteria: The reason code is 0 or is in the range of 67 to 65535.

Detection type: Invalid disassociation code detection
Applicable frames: Disassociation frames
Match criteria: The reason code is 0 or is in the range of 67 to 65535.

Detection type: Oversized SSID detection
Applicable frames:
·     Beacon frames
·     Probe requests
·     Probe responses
·     Association request frames
Match criteria: The SSID length is larger than 32.

Detection type: FATA-Jack detection
Applicable frames: Authentication frames
Match criteria: The value of the authentication algorithm number is 2.

Detection type: Invalid source address detection
Applicable frames: All management frames
Match criteria:
·     The TO DS is 1, indicating that the frame is sent to the AP by a client.
·     The source MAC address of the frame is a multicast or broadcast address.

Detection type: Oversized EAPOL key detection
Applicable frames: EAPOL-Key frames
Match criteria: The TO DS is 1 and the length of the key is larger than 0.
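The following Python sketch is an added example, not H3C code: it applies a subset of the Table 26 criteria to raw 802.11 management frames to show how each match is evaluated. The header offsets, the use of the Mesh ID IE (114) to recognize a mesh frame, and the sample frames are assumptions of the example.

```python
import struct

# 802.11 management subtypes that the Table 26 criteria refer to.
ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP = 0, 2, 4, 5
BEACON, DISASSOC, AUTH, DEAUTH = 8, 10, 11, 12
# Length of the fixed fields that precede the information elements (IEs).
FIXED_LEN = {ASSOC_REQ: 4, REASSOC_REQ: 10, PROBE_REQ: 0, PROBE_RESP: 12,
             BEACON: 12, DISASSOC: 2, AUTH: 6, DEAUTH: 2}
HDR_LEN = 24                        # frame control through sequence control
IE_SSID, IE_MESH_ID, IE_VENDOR = 0, 114, 221
SSID_FRAMES = (BEACON, PROBE_REQ, PROBE_RESP, ASSOC_REQ)


def walk_ies(buf):
    """Split buf into (id, value) pairs. The second result is False when an
    IE header is cut short or its length field runs past the frame end."""
    ies, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf) or pos + 2 + buf[pos + 1] > len(buf):
            return ies, False
        ies.append((buf[pos], buf[pos + 2:pos + 2 + buf[pos + 1]]))
        pos += 2 + buf[pos + 1]
    return ies, True


def check_mgmt_frame(frame):
    """Return the sorted Table 26 detection types matched by one frame."""
    if len(frame) < HDR_LEN or (frame[0] >> 2) & 0x3 != 0:
        return []                   # too short or not a management frame
    subtype = (frame[0] >> 4) & 0xF
    fixed_len = FIXED_LEN.get(subtype)
    body = frame[HDR_LEN:]
    if fixed_len is None or len(body) < fixed_len:
        return []                   # subtype not modelled in this example
    fixed, hits = body[:fixed_len], set()

    if subtype in (BEACON, PROBE_RESP):
        capability = struct.unpack_from("<H", fixed, 10)[0]
        if capability & 0x1 and capability & 0x2:   # ESS and IBSS both 1
            hits.add("Abnormal IBSS and ESS setting")
    elif subtype == AUTH:
        algorithm, seq, status = struct.unpack("<HHH", fixed)
        if algorithm > 3 or (seq == 1 and status != 0) or seq > 4:
            hits.add("Malformed authentication request frame")
        if algorithm == 2:
            hits.add("FATA-Jack")
    elif subtype in (DEAUTH, DISASSOC):
        reason = struct.unpack("<H", fixed)[0]
        if reason == 0 or reason >= 67:             # 16-bit field, max 65535
            hits.add("Invalid deauthentication code" if subtype == DEAUTH
                     else "Invalid disassociation code")

    ies, complete = walk_ies(body[fixed_len:])
    if not complete:
        hits.add("Invalid IE length")
    ids = [ie_id for ie_id, _ in ies]
    if any(ids.count(i) > 1 for i in set(ids) if i != IE_VENDOR):
        hits.add("Duplicate IE")
    for ie_id, value in ies:
        if ie_id != IE_SSID:
            continue
        if len(value) > 32 and subtype in SSID_FRAMES:
            hits.add("Oversized SSID")
        if not value and subtype == PROBE_RESP and IE_MESH_ID not in ids:
            hits.add("Malformed probe response frame")
    return sorted(hits)


def build(subtype, fixed, ies=b""):
    """Constructed sample frame with placeholder addresses."""
    header = (bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6
              + bytes.fromhex("020000000001") * 2 + b"\x00\x00")
    return header + fixed + ies


def ie(ie_id, value):
    """Encode one information element: id, length, value."""
    return bytes([ie_id, len(value)]) + value


BEACON_FIXED = struct.pack("<QHH", 123456, 100, 0x0001)   # ESS bit only
SAMPLES = {                                               # all constructed
    "clean beacon": build(BEACON, BEACON_FIXED, ie(0, b"corp") + ie(1, b"\x82")),
    "bad beacon": build(BEACON, struct.pack("<QHH", 1, 100, 0x0003),
                        ie(0, b"A" * 33) + ie(0, b"x")),
    "cut-off IE": build(BEACON, BEACON_FIXED, b"\x00\x10abc"),
    "auth algorithm 2": build(AUTH, struct.pack("<HHH", 2, 1, 0)),
    "deauth reason 0": build(DEAUTH, struct.pack("<H", 0)),
    "deauth reason 3": build(DEAUTH, struct.pack("<H", 3)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {check_mgmt_frame(frame) or 'no match'}")
```
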

 

Spoofing attack detection

In a spoofing attack, the attacker sends frames on behalf of another device to threaten the network. WIPS supports detecting the following spoofing attacks:

·     Frame spoofing—A fake AP spoofs an authorized AP to send beacon or probe response frames to induce clients to associate with it.

·     AP MAC address spoofing—A client spoofs an authorized AP to send deauthentication or disassociation frames to other clients. This can cause the clients to go offline and affect the correct operation of the WLAN.

·     Client MAC address spoofing—A fake AP spoofs an authorized client to associate with an authorized AP.

Frame spoofing attack detection

WIPS calculates the startup time of an AP by using the frame receiving time and timestamp. If the calculated startup time of the AP is not the same as the startup time recorded in WIPS, WIPS determines that this is a spoofing attack.
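An added example (not H3C's implementation) of the startup-time check described above: the 64-bit timestamp in a beacon or probe response counts microseconds since the AP started, so the receive time minus the timestamp gives the startup time. The tolerance value, the use of the first observed value as the recorded startup time, and the sample capture are assumptions.

```python
import struct

HDR_LEN = 24                 # 802.11 management header
BEACON, PROBE_RESP = 8, 5    # subtypes that carry the 8-byte timestamp
TOLERANCE_US = 500_000       # assumed allowance for receive jitter and drift


def timestamp_fields(frame):
    """Return (bssid, tsf_us) for a beacon or probe response, else None."""
    if len(frame) < HDR_LEN + 8:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (BEACON, PROBE_RESP):
        return None
    bssid = frame[16:22].hex(":")                 # address 3 is the BSSID
    tsf_us = struct.unpack_from("<Q", frame, HDR_LEN)[0]
    return bssid, tsf_us


class StartupTimeMonitor:
    """Remembers one startup time per BSSID and compares later frames."""

    def __init__(self, tolerance_us=TOLERANCE_US):
        self.tolerance_us = tolerance_us
        self.recorded = {}                        # bssid -> startup time (us)

    def observe(self, rx_us, frame):
        """Return (bssid, mismatch) or None if the frame has no timestamp."""
        fields = timestamp_fields(frame)
        if fields is None:
            return None
        bssid, tsf_us = fields
        startup_us = rx_us - tsf_us               # calculated startup time
        recorded = self.recorded.setdefault(bssid, startup_us)
        return bssid, abs(startup_us - recorded) > self.tolerance_us


def find_spoofed(capture, tolerance_us=TOLERANCE_US):
    """capture: iterable of (rx_us, frame). Return {bssid: [rx_us, ...]}."""
    monitor, alerts = StartupTimeMonitor(tolerance_us), {}
    for rx_us, frame in capture:
        result = monitor.observe(rx_us, frame)
        if result and result[1]:
            alerts.setdefault(result[0], []).append(rx_us)
    return alerts


def beacon(bssid, tsf_us):
    """Constructed beacon: header, timestamp, interval 100, ESS capability."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = (bytes([BEACON << 4, 0]) + b"\x00\x00" + b"\xff" * 6
              + mac * 2 + b"\x00\x00")
    return header + struct.pack("<QHH", tsf_us, 100, 0x0001)


AP_BSSID = "02:00:00:00:00:01"          # constructed, locally administered
BOOT_US = 1_700_000_000_000_000         # constructed AP startup time
SAMPLE_CAPTURE = [
    (BOOT_US + 102_400 + 150, beacon(AP_BSSID, 102_400)),
    (BOOT_US + 204_800 + 90, beacon(AP_BSSID, 204_800)),
    # Same BSSID, but the timestamp claims two hours of uptime.
    (BOOT_US + 250_000, beacon(AP_BSSID, 7_200_000_000)),
    (BOOT_US + 307_200 + 120, beacon(AP_BSSID, 307_200)),
]

if __name__ == "__main__":
    for bssid, times in find_spoofed(SAMPLE_CAPTURE).items():
        print(f"{bssid}: {len(times)} frame(s) with a mismatched startup time")
```

A legitimate reboot also changes the calculated startup time, so a deployment would refresh the recorded value when the AC knows the AP restarted.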

AP MAC address spoofing attack detection

WIPS examines the MAC address of the sender. If the MAC address of the sender already exists in the AP MAC address table, WIPS determines that this is a spoofing attack.

Client MAC address spoofing attack detection

WIPS examines the MAC address of the sender. If the MAC address of the sender already exists in the client MAC address table, WIPS determines that this is a spoofing attack.

Weak IV detection

When the RC4 encryption algorithm, used by the WEP security protocol, uses an insecure IV, the WEP key is more likely to be cracked. An IV is a weak IV if its first byte is smaller than 16 (decimal) and its second byte is FF. WIPS prevents this kind of attack by detecting the IV in each WEP packet.

Omerta attack detection

Omerta is a DoS attack tool based on the 802.11 protocol. It sends disassociation frames with the reason code 0x01 to disassociate clients. Reason code 0x01 indicates an unknown disassociation reason. WIPS detects Omerta attacks by detecting the reason code of each disassociation frame.

Broadcast disassociation/deauthentication attack detection

An attacker spoofs a legitimate AP to send a broadcast disassociation or deauthentication frame to log off all clients associated with the AP.

Detection on clients with the 40 MHz bandwidth mode disabled

802.11n devices support both the 20 MHz and 40 MHz bandwidth modes. If the 40 MHz bandwidth mode is disabled on a client, other clients associated with the same AP as the client must also use the 20 MHz bandwidth. This affects network throughput and efficiency.

WIPS detects such clients by detecting probe request frames sent by the clients.

Power save attack detection

An attacker spoofs the MAC address of a client to send power save on frames to an AP. The AP caches the frames for the client. The attacked client cannot receive data frames because the AP determines that the client is still in power save mode. When the aging time of the cached frames expires, the AP discards the frames. WIPS detects power save attacks by determining the ratio of power save on frames to power save off frames.

Prohibited channel detection

After you configure a permitted channel list and enable prohibited channel detection, WIPS determines that channels that are not in the permitted channel list are prohibited channels.

Soft AP detection

A soft AP refers to a client that acts as an AP and provides wireless services. An attacker can access the internal network through a soft AP and then initiate further attacks. WIPS detects soft APs by detecting the interval at which a device switches its roles between client and AP. WIPS does not perform soft AP detection on unassociated clients.

Windows bridge detection

When a wireless client connected to a wired network establishes a Windows bridge through the wired NIC, the client can bridge an external AP with the internal network. This might bring security problems to the internal network. WIPS detects Windows bridges by analyzing data frames sent by associated clients.

Unencrypted device detection

An authorized AP or client that is transmitting unencrypted frames might bring security problems to the network. WIPS detects unencrypted devices by analyzing the frames sent by the authorized APs or clients.

Hotspot attack detection

An attacker sets up a rogue AP with the same SSID as a hotspot to lure the clients to associate with it. After the clients associate with the malicious AP, the attacker initiates further attacks to obtain client information.

You can configure a hotspot file to enable WIPS to detect hotspot attacks.

AP impersonation attack detection

In an AP impersonation attack, a malicious AP that has the same BSSID and ESSID as a legitimate AP lures the clients to associate with it. Then this impersonating AP initiates hotspot attacks or fools the detection system.

WIPS detects AP impersonation attacks by detecting the interval at which an AP sends beacon frames.

HT-greenfield AP detection

An AP operating in HT-greenfield mode might cause collisions, errors, and retransmissions because it cannot communicate with 802.11a/b/g devices. WIPS detects HT-greenfield APs by analyzing the beacon frames or probe response frames sent by APs.

Honeypot AP detection

In a honeypot AP attack, the attacker sets up a malicious AP to lure clients to associate with it. The SSID of the malicious AP is similar to the SSID of a legitimate AP. After a client associates with a honeypot AP, the honeypot AP initiates further attacks such as port scanning or fake authentication to obtain client information.

WIPS detects honeypot APs by detecting SSIDs of external APs. If the similarity between the SSID of an external AP and the SSID of a legitimate AP reaches the specified threshold, WIPS generates an alarm.

MITM attack detection

In an MITM attack, the attacker sets up a rogue AP and lures a client to associate with it. Then the rogue AP spoofs the MAC address of the client to associate with the authorized AP. When the client and the authorized AP communicate, the rogue AP captures packets from both the client and the authorized AP. The rogue AP might modify the frames and obtain the frame information. WIPS detects MITM attacks by detecting clients that are disassociated from an authorized AP and associated with a honeypot AP.

Wireless bridge detection

An attacker might intrude on the internal networks through a wireless bridge. When detecting a wireless bridge, WIPS generates an alarm. If the wireless bridge is in a mesh network, WIPS records the mesh link.

Association/reassociation DoS attack detection

An association/reassociation DoS attack floods the association table of an AP by imitating many clients sending association requests to the AP. When the number of entries in the table reaches the upper limit, the AP cannot process requests from legitimate clients.

AP flood attack detection

WIPS detects the number of APs in the WLAN and triggers an alarm for an AP flood attack when the number of APs exceeds the specified threshold.

Device entry attack detection

Attackers can send invalid packets to WIPS to increase processing costs. WIPS periodically examines the learned device entries to determine whether to rate limit device entry learning. If the number of AP or client entries learned within the specified interval exceeds the threshold, WIPS triggers an alarm and stops learning new entries.

User-defined attack detection based on signatures

WIPS provides user-defined attack detection based on signatures. A signature contains a packet identification method and actions to take on the matching packets. The sensor matches the detected packets against the signature, and takes actions defined in the signature if a packet matches the signature.

A signature can contain a maximum of six subsignatures, which can be defined based on the frame type, MAC address, serial ID, SSID length, SSID, and frame pattern. A packet matches a signature only when it matches all the subsignatures in the signature.

Device classification

AP classification

As shown in Table 27, WIPS classifies detected APs according to the predefined classification rules.

Table 27 AP classification

Category: Authorized AP
Description: An AP that is permitted in the WLAN.
Classification rule:
·     Has been connected to the AC and not in the prohibited device list.
·     Configured as an authorized AP.
·     In the permitted device list.
·     Classified as an authorized AP by a user-defined AP classification rule.

Category: Rogue AP
Description: An AP that cannot be used in the WLAN.
Classification rule:
·     In the prohibited device list.
·     Not in the OUI configuration file.
·     Configured as a rogue AP.
·     Classified as a rogue AP by a user-defined AP classification rule.
If the wired port on an AP has been connected to the network and the AP is not connected to the AC, the AP might be a rogue AP.

Category: Misconfigured AP
Description: An AP that can be used in the WLAN but has incorrect configuration.
Classification rule:
·     Configured as a misconfigured AP.
·     Classified as a misconfigured AP by a user-defined AP classification rule.

Category: External AP
Description: An AP that is in an adjacent WLAN.
Classification rule:
·     Configured as an external AP.
·     Classified as an external AP by a user-defined AP classification rule.

Category: Ad hoc
Description: An AP operating in Ad hoc mode. WIPS detects Ad hoc APs by listening to beacon frames.
Classification rule: N/A

Category: Mesh AP
Description: An AP in a WLAN mesh network.
Classification rule: WIPS identifies mesh APs through beacon frames.

Category: Potential-authorized AP
Description: An AP that is possibly authorized.
Classification rule: An AP is a potential-authorized AP if it meets all the following conditions:
·     Not in the permitted device list.
·     Not in the prohibited device list.
·     Not in the trusted SSID list.
·     Not in the trusted OUI list.
·     Has been connected to the AC.
·     Not manually classified.
·     Does not match any user-defined AP classification rules.

Category: Potential-rogue AP
Description: An AP that is possibly a rogue AP.
Classification rule: Has incorrect wireless configuration and is not in any one of the following lists:
·     Permitted device list.
·     Prohibited device list.
·     Trusted OUI list.
If the wired port on an AP has been connected to the network, the AP is a rogue AP.

Category: Potential-external AP
Description: An AP that is possibly an external AP.
Classification rule:
·     Has incorrect wireless service configuration.
·     The wired port has not been connected to the network.
·     Not in any of the following lists:
-     Permitted device list.
-     Prohibited device list.
-     Trusted OUI list.

 

WIPS classifies detected APs by following the procedure shown in Figure 52.

Figure 52 AP classification flow

 

Client classification

As shown in Table 28, WIPS classifies detected clients according to the predefined classification rules.

Table 28 Client classification

Category: Authorized client
Description: A client that is permitted in the WLAN.
Classification rule:
·     In the prohibited device list and associated with an authorized AP.
·     Has passed authentication and is associated with an authorized AP.

Category: Unauthorized client
Description: A client that cannot be used in the WLAN.
Classification rule:
·     In the prohibited device list.
·     Associated with a rogue AP.
·     Not in the OUI configuration file.

Category: Misassociated client
Description: A client that is associated with an unauthorized AP.
Classification rule: In the permitted device list but associated with an unauthorized AP. A misassociated client might bring security threats to the network.

Category: Uncategorized client
Description: A client whose category cannot be determined.
Classification rule: N/A

 

WIPS classifies detected clients by following the procedure shown in Figure 53.

Figure 53 Client classification flow

 

Countermeasures

Rogue devices are susceptible to attacks and might bring security problems to the WLAN. WIPS enables you to take countermeasures against rogue devices.

WIPS configuration task list

Tasks at a glance

(Required.) Enabling WIPS

(Optional.) Configuring wireless attack detection:

·     Configuring flood attack detection

·     Configuring malformed packet detection

·     Configuring device entry attack detection

·     Configuring detection on other attacks

·     Applying an attack detection policy

·     Configuring user-defined attack detection based on signatures

·     Configuring the alarm-ignored device list

(Optional.) Configuring device classification:

·     Configuring a classification policy

·     Applying a classification policy

(Optional.) Configuring countermeasures:

·     Configuring a countermeasure policy

·     Applying a countermeasure policy

(Optional.) Setting the wireless device information report interval

(Optional.) Enabling fast learning of client association entries

(Optional.) Enabling WIPS to detect unassociated clients

(Optional.) Configuring WIPS detection filtering

 

Enabling WIPS

You can divide a wireless network into multiple virtual security domains (VSDs) and apply different policies to these VSDs.

Before enabling WIPS for a radio of an AP, you must add the AP to a VSD.

Enabling WIPS in radio view

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter AP view.
Command: wlan ap ap-name [ model model-name ]
Remarks: You must specify the model name when you create an AP.

3.     Add the AP to a VSD.
Command: wips virtual-security-domain vsd-name
Remarks: By default, an AP uses the configuration in AP group view.

4.     Enter radio view.
Command: radio radio-id
Remarks: N/A

5.     Enable WIPS.
Command: wips enable
Remarks: By default, an AP uses the configuration in AP group view.

 

Enabling WIPS in AP group radio view

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter AP group view.
Command: wlan ap-group group-name
Remarks: N/A

3.     Add the AP group to a VSD.
Command: wips virtual-security-domain vsd-name
Remarks: By default, an AP group is not in any VSD.

4.     Enter AP model view.
Command: ap-model ap-model
Remarks: N/A

5.     Enter radio view.
Command: radio radio-id
Remarks: N/A

6.     Enable WIPS.
Command: wips enable
Remarks: By default, WIPS is disabled.

 

Configuring wireless attack detection

To configure wireless attack detection, you must first create an attack detection policy and enable detection of the specified attacks.

Configuring flood attack detection

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create an attack detection policy and enter its view.

detect policy policy-name

By default, no attack detection policy exists.

4.     Configure association request flood attack detection.

flood association-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, association request flood attack detection is disabled.

5.     Configure authentication request flood attack detection.

flood authentication [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, authentication request flood attack detection is disabled.

6.     Configure beacon flood attack detection.

flood beacon [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, beacon flood attack detection is disabled.

7.     Configure Block Ack flood attack detection.

flood block-ack [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, Block Ack flood attack detection is disabled.

8.     Configure RTS flood attack detection.

flood rts [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, RTS flood attack detection is disabled.

9.     Configure CTS flood attack detection.

flood cts [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, CTS flood attack detection is disabled.

10.     Configure deauthentication flood attack detection.

flood deauthentication [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, deauthentication flood attack detection is disabled.

11.     Configure disassociation flood attack detection.

flood disassociation [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, disassociation flood attack detection is disabled.

12.     Configure EAPOL-start flood attack detection.

flood eapol-start [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, EAPOL-start flood attack detection is disabled.

13.     Configure null data flood attack detection.

flood null data [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, null data flood attack detection is disabled.

14.     Configure probe request flood attack detection.

flood probe-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, probe request flood attack detection is disabled.

15.     Configure reassociation request flood attack detection.

flood reassociation-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, reassociation request flood attack detection is disabled.

16.     Configure EAPOL-logoff flood attack detection.

flood eapol-logoff [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, EAPOL-logoff flood attack detection is disabled.

17.     Configure EAP-failure flood attack detection.

flood eap-failure [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, EAP-failure flood attack detection is disabled.

18.     Configure EAP-success flood attack detection.

flood eap-success [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, EAP-success flood attack detection is disabled.

 

Configuring malformed packet detection

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create an attack detection policy and enter its view.

detect policy policy-name

By default, no attack detection policy exists.

4.     Configure duplicated IE detection.

malformed duplicated-ie [ quiet quiet-value ]

By default, duplicated IE detection is disabled.

5.     Configure FATA-Jack detection.

malformed fata-jack [ quiet quiet-value ]

By default, FATA-Jack detection is disabled.

6.     Configure abnormal IBSS or ESS setting detection.

malformed illegal-ibss-ess [ quiet quiet-value ]

By default, abnormal IBSS or ESS setting detection is disabled.

7.     Configure invalid source address detection.

malformed invalid-address-combination [ quiet quiet-value ]

By default, invalid source address detection is disabled.

8.     Configure malformed association request frame detection.

malformed invalid-assoc-req [ quiet quiet-value ]

By default, malformed association request frame detection is disabled.

9.     Configure malformed authentication request frame detection.

malformed invalid-auth [ quiet quiet-value ]

By default, malformed authentication request frame detection is disabled.

10.     Configure invalid deauthentication code detection.

malformed invalid-deauth-code [ quiet quiet-value ]

By default, invalid deauthentication code detection is disabled.

11.     Configure invalid disassociation code detection.

malformed invalid-disassoc-code [ quiet quiet-value ]

By default, invalid disassociation code detection is disabled.

12.     Configure invalid IE length detection.

malformed invalid-ie-length [ quiet quiet-value ]

By default, invalid IE length detection is disabled.

13.     Configure malformed HT IE detection.

malformed invalid-ht-ie [ quiet quiet-value ]

By default, malformed HT IE detection is disabled.

14.     Configure invalid packet length detection.

malformed invalid-pkt-length [ quiet quiet-value ]

By default, invalid packet length detection is disabled.

15.     Configure oversized duration detection.

malformed large-duration [ quiet quiet-value | threshold value ]

By default, oversized duration detection is disabled.

16.     Configure malformed probe response frame detection.

malformed null-probe-resp [ quiet quiet-value ]

By default, malformed probe response frame detection is disabled.

17.     Configure oversized EAPOL key detection.

malformed overflow-eapol-key [ quiet quiet-value ]

By default, oversized EAPOL key detection is disabled.

18.     Configure oversized SSID detection.

malformed overflow-ssid [ quiet quiet-value ]

By default, oversized SSID detection is disabled.

19.     Configure redundant IE detection.

malformed redundant-ie [ quiet quiet-value ]

By default, redundant IE detection is disabled.

 

Configuring device entry attack detection

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create an attack detection policy and enter its view.

detect policy policy-name

By default, no attack detection policy exists.

4.     Rate limit client entry learning.

client-rate-limit [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, the statistics collection interval is 60 seconds, the quiet time is 1200 seconds, and the client entry threshold is 512 for learned client entries.

5.     Set a client entry timer.

client-timer inactive inactive-value aging aging-value

By default, the inactive time is 300 seconds, and the aging time is 600 seconds.

When a client neither receives nor sends packets within the inactive time, WIPS sets the client to inactive state. When a client neither receives nor sends frames within the aging time, WIPS deletes the entry.

6.     Rate limit AP entry learning.

ap-rate-limit [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, the statistics collection interval is 60 seconds, the quiet time is 1200 seconds, and the AP entry threshold is 64 for learned AP entries.

7.     Set an AP entry timer.

ap-timer [ inactive inactive-value aging aging-value ]

By default, the inactive time for APs is 300 seconds, and the aging time is 600 seconds.

When an AP neither receives nor sends packets within the inactive time, WIPS sets the AP to inactive state. When an AP neither receives nor sends frames within the aging time, WIPS deletes the entry.

 

Configuring detection on other attacks

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create an attack detection policy and enter its view.

detect policy policy-name

By default, no attack detection policy exists.

4.     Configure client MAC address spoofing attack detection.

client-spoofing [ quiet quiet-value ]

By default, client MAC address spoofing attack detection is disabled.

5.     Configure AP MAC address spoofing attack detection.

ap-spoofing [ quiet quiet-value ]

By default, AP MAC address spoofing attack detection is disabled.

6.     Configure weak IV detection.

weak-iv [ quiet quiet-value ]

By default, weak IV detection is disabled.

7.     Configure Omerta attack detection.

omerta [ quiet quiet-value ]

By default, Omerta attack detection is disabled.

8.     Configure broadcast disassociation attack detection.

disassociation-broadcast [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, broadcast disassociation attack detection is disabled.

9.     Configure broadcast deauthentication attack detection.

deauthentication-broadcast [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, broadcast deauthentication attack detection is disabled.

10.     Configure detection on clients with the 40 MHz bandwidth mode disabled.

ht-40mhz-intolerance [ quiet quiet-value ]

By default, detection on clients with the 40 MHz bandwidth mode disabled is disabled.

11.     Configure power saving attack detection.

power-save [ interval interval-value | minoffpacket packet-value | onoffpercent percent-value | quiet quiet-value ] *

By default, power saving attack detection is disabled.

12.     Configure the permitted channel list.

permit-channel channel-id-list

By default, no channel is added to the permitted channel list.

13.     Configure prohibited channel detection.

prohibited-channel [ quiet quiet-value ]

By default, prohibited channel detection is disabled.

14.     Configure Windows bridge detection.

windows-bridge [ quiet quiet-value ]

By default, Windows bridge detection is disabled.

15.     Configure unencrypted authorized AP detection.

unencrypted-authorized-ap [ quiet quiet-value ]

By default, unencrypted authorized AP detection is disabled.

16.     Configure unencrypted authorized client detection.

unencrypted-trust-client [ quiet quiet-value ]

By default, unencrypted authorized client detection is disabled.

17.     Configure soft AP detection.

soft-ap [ convert-time time-value ]

By default, soft AP detection is disabled.

18.     Configure AP impersonation attack detection.

ap-impersonation [ quiet quiet-value ]

By default, AP impersonation attack detection is disabled.

19.     Configure HT-greenfield AP detection.

ht-greenfield [ quiet quiet-value ]

By default, HT-greenfield AP detection is disabled.

20.     Configure association/reassociation DoS attack detection.

association-table-overflow [ quiet quiet-value ]

By default, association/reassociation DoS attack detection is disabled.

21.     Configure wireless bridge detection.

wireless-bridge [ quiet quiet-value ]

By default, wireless bridge detection is disabled.

22.     Configure AP flood attack detection.

ap-flood [ apnum apnum-value | exceed exceed-value | quiet quiet-value ] *

By default, AP flood attack detection is disabled.

23.     Configure honeypot AP detection.

honeypot-ap [ similarity similarity-value | quiet quiet-value ] *

By default, honeypot AP detection is disabled.

24.     Configure MITM attack detection.

man-in-the-middle [ quiet quiet-value ]

By default, MITM attack detection is disabled.

25.     Configure channel change detection.

ap-channel-change [ quiet quiet-value ]

By default, channel change detection is disabled.

26.     Return to WIPS view.

quit

N/A

27.     Import hotspot information from a configuration file.

import hotspot file-name

By default, no hotspot information is imported.

28.     Create an attack detection policy and enter its view.

detect policy policy-name

By default, no attack detection policy exists.

29.     Configure hotspot attack detection.

hotspot-attack [ quiet quiet-value ]

By default, hotspot attack detection is disabled.

 

Applying an attack detection policy

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create a VSD and enter its view.

virtual-security-domain vsd-name

By default, no VSD exists.

4.     Apply an attack detection policy to the VSD.

apply detect policy policy-name

By default, no attack detection policy is applied to the VSD.

An attack detection policy applied to a VSD takes effect on all radios in the VSD.

 

Configuring user-defined attack detection based on signatures

Configuring a signature

WIPS matches detected packets against the configured signatures in ascending order of ID until a match is found.

You can configure one or multiple subsignatures for a signature. A packet matches a signature only when it matches all the subsignatures of the signature.

To configure a signature:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create a signature and enter its view.

signature rule rule-id

By default, no signature is created.

4.     Configure a subsignature to match the frame type of a frame.

frame-type { control | data | management [ frame-subtype { association-request | association-response | authentication | beacon | deauthentication | disassociation | probe-request } ] }

By default, no subsignature is configured to match the frame type of a frame.

5.     Configure a subsignature to match the MAC address of a frame.

mac-address { bssid | destination | source } mac-address

By default, no subsignature is configured to match the MAC address of a frame.

6.     Configure a subsignature to match the sequence number of a frame.

seq-number seq-value1 [ to seq-value2 ]

By default, no subsignature is configured to match the sequence number of a frame.

7.     Configure a subsignature to match the SSID length of a frame.

ssid-length length-value1 [ to length-value2 ]

By default, no subsignature is configured to match the SSID length of a frame.

8.     Configure a subsignature to match the SSID of a frame.

ssid [ case-sensitive ] [ not ] { equal | include } string

By default, no subsignature is configured to match the SSID of a frame.

9.     Configure a subsignature to match the specified bits of a frame.

pattern pattern-number offset offset-value mask hex-value value1 [ to value2 ] [ from-payload ]

By default, no subsignature is configured to match the specified bits of a frame.

 

Applying a signature

To apply a signature, bind the signature to a signature policy.

To apply a signature:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create a signature policy and enter its view.

signature policy policy-name

By default, no signature policy is created.

4.     Bind the specified signature to the signature policy.

apply signature rule rule-id

By default, no signature is bound to a signature policy.

5.     Enable WIPS to detect packets that match the signature.

detect signature [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, WIPS detects packets that match a signature.

The statistics collection interval is 60 seconds, the quiet interval is 600 seconds, and the alarm threshold is 50.
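The matching rules from "Configuring a signature" and the `detect signature` counters from "Applying a signature", modeled in Python as an added example (not H3C code). The `Frame` fields, helper names, MAC addresses, and SSIDs are constructed for illustration, and the alarm semantics are an assumption: an alarm is raised when the match count within one statistics interval reaches the threshold, and further alarms are suppressed during the quiet time.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Frame:
    """Fields a sensor would have parsed from one 802.11 frame (hypothetical model)."""
    ts: float                    # capture time, seconds
    ftype: str                   # control | data | management
    subtype: str = ""            # e.g. beacon, deauthentication
    source: str = ""
    destination: str = ""
    bssid: str = ""
    seq: int = 0
    ssid: Optional[str] = None   # None when the frame carries no SSID element

Sub = Callable[[Frame], bool]    # one subsignature = one predicate on a frame

def _in_range(value: int, lo: int, hi: Optional[int]) -> bool:
    return lo <= value <= (lo if hi is None else hi)

def frame_type(ftype: str, subtype: Optional[str] = None) -> Sub:
    return lambda f: f.ftype == ftype and subtype in (None, f.subtype)

def mac_address(which: str, mac: str) -> Sub:      # which: bssid | destination | source
    return lambda f: getattr(f, which).lower() == mac.lower()

def seq_number(lo: int, hi: Optional[int] = None) -> Sub:
    return lambda f: _in_range(f.seq, lo, hi)

def ssid_length(lo: int, hi: Optional[int] = None) -> Sub:
    return lambda f: f.ssid is not None and _in_range(len(f.ssid.encode()), lo, hi)

def ssid(op: str, text: str, case_sensitive: bool = False, negate: bool = False) -> Sub:
    def check(f: Frame) -> bool:
        if f.ssid is None:       # assumption: a frame without an SSID never matches
            return False
        have, want = (f.ssid, text) if case_sensitive else (f.ssid.lower(), text.lower())
        hit = have == want if op == "equal" else want in have
        return hit != negate     # "not" inverts the comparison
    return check

@dataclass
class Signature:
    rule_id: int
    subs: List[Sub]

    def matches(self, f: Frame) -> bool:
        # Every subsignature must match; an empty rule matches nothing (assumption).
        return bool(self.subs) and all(s(f) for s in self.subs)

def first_match(signatures: List[Signature], f: Frame) -> Optional[int]:
    """Try signatures in ascending ID order and stop at the first match."""
    for sig in sorted(signatures, key=lambda s: s.rule_id):
        if sig.matches(f):
            return sig.rule_id
    return None

class SignatureDetector:
    """Counts matches per signature and raises alarms (assumed semantics)."""
    def __init__(self, signatures, interval=60, quiet=600, threshold=50):
        self.signatures, self.interval = signatures, interval
        self.quiet, self.threshold = quiet, threshold
        self.start: Dict[int, float] = {}
        self.count: Dict[int, int] = {}
        self.quiet_until: Dict[int, float] = {}

    def feed(self, f: Frame) -> Optional[int]:
        rid = first_match(self.signatures, f)
        if rid is None or f.ts < self.quiet_until.get(rid, float("-inf")):
            return None                                  # no match, or alarm suppressed
        if rid not in self.start or f.ts - self.start[rid] >= self.interval:
            self.start[rid], self.count[rid] = f.ts, 0   # open a new statistics window
        self.count[rid] += 1
        if self.count[rid] < self.threshold:
            return None
        self.quiet_until[rid] = f.ts + self.quiet        # alarm, then stay quiet
        del self.start[rid]
        return rid

# Constructed rules and addresses, listed out of ID order on purpose.
AP_BSSID = "00aa-bb00-0001"
SIGNATURES = [
    Signature(3, [frame_type("management")]),
    Signature(1, [frame_type("management", "deauthentication"), mac_address("bssid", AP_BSSID)]),
    Signature(2, [frame_type("management", "beacon"), ssid("include", "abc"), ssid_length(4, 32)]),
]

def demo() -> List[Tuple[float, int]]:
    """Two constructed bursts of 60 deauthentication frames, 0.5 s apart."""
    det = SignatureDetector(SIGNATURES)                  # page defaults: 60 s / 600 s / 50
    alarms = []
    for base in (0.0, 700.0):
        for i in range(60):
            f = Frame(ts=base + i * 0.5, ftype="management", subtype="deauthentication",
                      source="00aa-bb00-0002", bssid=AP_BSSID, seq=i)
            rid = det.feed(f)
            if rid is not None:
                alarms.append((f.ts, rid))
    return alarms

if __name__ == "__main__":
    print(demo())
```

Because evaluation stops at the lowest matching ID, the broad rule 3 never sees frames that rule 1 or 2 already claimed, so narrow rules need lower IDs than catch-all rules.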

 

Applying a signature policy

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create a VSD and enter its view.

virtual-security-domain vsd-name

By default, no VSD is created.

4.     Apply the specified signature policy to the VSD.

apply signature policy policy-name

By default, no signature policy is applied to a VSD.

 

Configuring the alarm-ignored device list

WIPS monitors wireless devices in the alarm-ignored device list but does not trigger alarms for them.

To configure the alarm-ignored device list:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Add the MAC address of a device to the alarm-ignored device list.

ignorelist mac-address mac-address

By default, no MAC address is added to the alarm-ignored device list.

 

Configuring device classification

To configure wireless device classification, you must first create a classification policy and configure the classification of the specified devices.

Configuring a classification policy

You can enable WIPS to classify devices by using either of the following methods:

·     Automatic classification—WIPS automatically classifies devices by adding the MAC addresses, OUIs, or SSIDs of the devices to the specified lists. WIPS also allows you to classify APs by using user-defined AP classification rules.

·     Manual classification—You manually specify a category for a device. Manual classification is applicable only to APs.

If you configure both automatic classification and manual classification, manual classification takes effect.

Configuring automatic device classification

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Import OUIs from an OUI configuration file.

import oui file-name

By default, no OUI is imported.

4.     Create a classification policy and enter its view.

classification policy policy-name

By default, no classification policy exists.

5.     Configure WIPS to classify devices with invalid OUIs as rogue devices.

invalid-oui-classify illegal

By default, WIPS does not classify devices with invalid OUIs as rogue devices.

6.     Add a MAC address to the permitted device list.

trust mac-address mac-address

By default, no MAC address exists in the permitted device list.

7.     Add an OUI to the trusted OUI list.

trust oui oui

By default, no OUI exists in the trusted OUI list.

This command is applicable only to AP classification.

8.     Add an SSID to the trusted SSID list.

trust ssid ssid-name

By default, no SSID exists in the trusted SSID list.

9.     Add a MAC address to the static prohibited device list.

block mac-address mac-address

By default, no MAC address exists in the static prohibited device list.

10.     Bind the specified AP classification rule to the classification policy.

apply ap-classification rule rule-id { authorized-ap | { { external-ap | misconfigured-ap | rogue-ap } [ severity-level level ] } }

By default, no AP classification rule is bound to a classification policy.

 

Configuring an AP classification rule

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create an AP classification rule and enter its view.

ap-classification rule rule-id

By default, no AP classification rule is created.

4.     Configure the AP classification rule to match the RSSI of an AP.

rssi value1 [ to value2 ]

By default, an AP classification rule does not match the RSSI of an AP.

5.     Configure the AP classification rule to match the SSID of the wireless service for an AP.

ssid [ case-sensitive ] [ not ] { equal | include } ssid-string

By default, an AP classification rule does not match the SSID of the wireless service for an AP.

6.     Configure the AP classification rule to match the running time of an AP.

up-duration value1 [ to value2 ]

By default, an AP classification rule does not match the running time of an AP.

7.     Configure the AP classification rule to match the number of associated clients for an AP.

client-online value1 [ to value2 ]

By default, an AP classification rule does not match the number of associated clients for an AP.

8.     Configure the AP classification rule to match the number of sensors that detect an AP.

discovered-ap value1 [ to value2 ]

By default, an AP classification rule does not match the number of sensors that detect an AP.

9.     Configure the AP classification rule to match the security mode used by an AP.

security { equal | include } { clear | wep | wpa | wpa2 }

By default, an AP classification rule does not match the security mode used by an AP.

10.     Configure the AP classification rule to match the authentication mode used by an AP.

authentication { equal | include } { 802.1x | none | other | psk }

By default, an AP classification rule does not match the authentication mode used by an AP.

11.     Configure the AP classification rule to match the OUI information of an AP.

oui oui-info

By default, an AP classification rule does not match the OUI information of an AP.

 

Configuring manual AP classification

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create a classification policy and enter its view.

classification policy policy-name

By default, no classification policy is created.

4.     Specify a category for the specified AP.

manual-classify mac-address mac-address { authorized-ap | external-ap | misconfigured-ap | rogue-ap }

By default, no category is specified for an AP.

 

Applying a classification policy

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Enter VSD view.

virtual-security-domain vsd-name

By default, no VSD exists.

4.     Apply a classification policy to the VSD.

apply classification policy policy-name

By default, no classification policy is applied on the VSD.

A classification policy applied to a VSD takes effect on all radios in the VSD.

 

Configuring countermeasures

To take countermeasures against rogue devices, you must first create a countermeasure policy and enable WIPS to take countermeasures against the specified devices.

Configuring a countermeasure policy

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create a countermeasure policy and enter its view.

countermeasure policy policy-name

By default, no countermeasure policy exists.

4.     Enable WIPS to take countermeasures against external APs.

countermeasure external-ap

By default, WIPS does not take countermeasures against external APs.

5.     Enable WIPS to take countermeasures against misconfigured APs.

countermeasure misconfigured-ap

By default, WIPS does not take countermeasures against misconfigured APs.

6.     Enable WIPS to take countermeasures against misassociated clients.

countermeasure misassociation-client

By default, WIPS does not take countermeasures against misassociated clients.

7.     Enable WIPS to take countermeasures against potential-external APs.

countermeasure potential-external-ap

By default, WIPS does not take countermeasures against potential-external APs.

8.     Enable WIPS to take countermeasures against potential-authorized APs.

countermeasure potential-authorized-ap

By default, WIPS does not take countermeasures against potential-authorized APs.

9.     Enable WIPS to take countermeasures against potential-rogue APs.

countermeasure potential-rogue-ap

By default, WIPS does not take countermeasures against potential-rogue APs.

10.     Enable WIPS to take countermeasures against rogue APs.

countermeasure rogue-ap

By default, WIPS does not take countermeasures against rogue APs.

11.     Enable WIPS to take countermeasures against unauthorized clients.

countermeasure unauthorized-client

By default, WIPS does not take countermeasures against unauthorized clients.

12.     Enable WIPS to take countermeasures against uncategorized APs.

countermeasure uncategorized-ap

By default, WIPS does not take countermeasures against uncategorized APs.

13.     Enable WIPS to take countermeasures against uncategorized clients.

countermeasure uncategorized-client

By default, WIPS does not take countermeasures against uncategorized clients.

14.     Enable WIPS to take countermeasures against the specified device.

countermeasure mac-address mac-address

By default, WIPS does not take countermeasures against devices.

15.     Enable WIPS to take countermeasures against Ad hoc devices.

countermeasure adhoc

By default, WIPS does not take countermeasures against Ad hoc devices.

16.     Enable WIPS to take countermeasures against devices that launch broadcast deauthentication attacks.

countermeasure attack deauthentication-broadcast

By default, WIPS does not take countermeasures against devices that launch broadcast deauthentication attacks.

17.     Enable WIPS to take countermeasures against devices that launch broadcast disassociation attacks.

countermeasure attack disassociation-broadcast

By default, WIPS does not take countermeasures against devices that launch broadcast disassociation attacks.

18.     Enable WIPS to take countermeasures against honeypot APs.

countermeasure attack honeypot-ap

By default, WIPS does not take countermeasures against honeypot APs.

19.     Enable WIPS to take countermeasures against devices that launch hotspot attacks.

countermeasure attack hotspot-attack

By default, WIPS does not take countermeasures against devices that launch hotspot attacks.

20.     Enable WIPS to take countermeasures against devices with the 40 MHz bandwidth mode disabled.

countermeasure attack ht-40-mhz-intolerance

By default, WIPS does not take countermeasures against devices with the 40 MHz bandwidth mode disabled.

21.     Enable WIPS to take countermeasures against devices that send malformed packets.

countermeasure attack malformed-packet

By default, WIPS does not take countermeasures against devices that send malformed packets.

22.     Enable WIPS to take countermeasures against devices that launch MITM attacks.

countermeasure attack man-in-the-middle

By default, WIPS does not take countermeasures against devices that launch MITM attacks.

23.     Enable WIPS to take countermeasures against devices that launch Omerta attacks.

countermeasure attack omerta

By default, WIPS does not take countermeasures against devices that launch Omerta attacks.

24.     Enable WIPS to take countermeasures against devices that launch power save attacks.

countermeasure attack power-save

By default, WIPS does not take countermeasures against devices that launch power save attacks.

25.     Enable WIPS to take countermeasures against soft APs.

countermeasure attack soft-ap

By default, WIPS does not take countermeasures against soft APs.

26.     Enable WIPS to take countermeasures against unencrypted authorized clients.

countermeasure attack unencrypted-trust-client

By default, WIPS does not take countermeasures against unencrypted authorized clients.

27.     Enable WIPS to take countermeasures against devices that use weak IVs.

countermeasure attack weak-iv

By default, WIPS does not take countermeasures against devices that use weak IVs.

28.     Enable WIPS to take countermeasures against devices that launch Windows bridge attacks.

countermeasure attack windows-bridge

By default, WIPS does not take countermeasures against devices that launch Windows bridge attacks.

29.     Enable WIPS to take countermeasures against all attackers.

countermeasure attack all

By default, WIPS does not take countermeasures against all attackers.

30.     Enable all sensors that detect an attacker to take countermeasures against the attacker.

select sensor all

By default, only the sensor that most recently detects an attacker takes countermeasures against the attacker.

 

Applying a countermeasure policy

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create a VSD and enter its view.

virtual-security-domain vsd-name

By default, no VSD exists.

4.     Apply a countermeasure policy to the VSD.

apply countermeasure policy policy-name

By default, no countermeasure policy is applied on the VSD.

A countermeasure policy applied to a VSD takes effect on all radios in the VSD.

 

Setting the wireless device information report interval

To reduce the AC's processing pressure, perform this task to set an appropriate interval for APs to send wireless device information to the AC.

To set the wireless device information report interval:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create an attack detection policy and enter attack detection policy view.

detect policy policy-name

N/A

4.     Set the interval at which APs report information about detected devices.

report-interval interval

By default, APs report information about detected devices every 30000 milliseconds.

 

Enabling fast learning of client association entries

Client association entries are entries saved on the AC after a client associates with an AP.

If this feature is not enabled, the sensor can learn the client association entries only after a client is associated with an AP successfully. After this feature is enabled, the sensor can learn the client association entries during the association process.

If the sensor learns the client association entries during the association process, it updates the entries every time it detects an association request or response between the AP and the client.

This feature improves the association efficiency but reduces the association accuracy. As a best practice, enable this feature only when fast attack detection and countermeasures are required in the network.

To enable fast learning of client association entries:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Enter attack detection policy view.

detect policy policy-name

N/A

4.     Enable fast learning of client association entries.

client-association fast-learn enable

By default, fast learning of client association entries is disabled.

 

Enabling WIPS to detect unassociated clients

As a best practice to save system resources, do not configure this feature when a large number of unassociated clients exist in the WLAN.

To enable WIPS to detect unassociated clients:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create an attack detection policy and enter attack detection policy view.

detect policy policy-name

N/A

4.     Enable WIPS to detect unassociated clients.

detect dissociate-client enable

By default, WIPS does not detect unassociated clients.

 

Configuring WIPS detection filtering

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter WIPS view.

wips

N/A

3.     Create an attack detection policy and enter attack detection policy view.

detect policy policy-name

N/A

4.     Set the RSSI threshold for client or AP detection.

rssi-threshold { ap ap-rssi-value | client client-rssi-value }

By default, the RSSI thresholds for client and AP detection are not set.

5.     Set the RSSI difference threshold for wireless device detection.

rssi-change-threshold threshold-value

By default, the RSSI difference threshold is 20.

 

Detecting clients with NAT configured

Perform this task to enable an AP to detect clients with NAT configured to prevent network sharing among clients.

Detecting clients with NAT configured in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

You must specify the name and model when you create an AP.

3.     Enable the AP to detect clients with NAT configured.

wlan nat-detect enable

By default, an AP uses the configuration in AP group view.

 

Detecting clients with NAT configured in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

By default, a system-defined AP group exists. This AP group is named default-group and cannot be deleted.

3.     Enable APs in the AP group to detect clients with NAT configured.

wlan nat-detect enable

By default, APs do not detect clients with NAT configured.

 

Displaying and maintaining WIPS

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about all sensors.

display wips sensor

Display attack detection information collected by sensors.

display wips statistics [ receive | virtual-security-domain vsd-name ]

Display information about wireless devices detected in a VSD.

display wips virtual-security-domain vsd-name device [ ap [ adhoc | authorized | external | misconfigured | potential-authorized | potential-external | potential-rogue | rogue ] | client [ [ dissociative-client ] [ authorized | misassociation | unauthorized | uncategorized ] ] | mac-address mac-address ] [ verbose ]

Display information about countermeasures that WIPS has taken against rogue devices.

display wips virtual-security-domain vsd-name countermeasure record

Display information about detected NAT-configured clients.

display wlan nat-detect [ mac-address mac-address ]

Clear information received from all sensors.

reset wips statistics

Clear learned AP or client entries for a VSD.

reset wips virtual-security-domain vsd-name { ap { all | mac-address mac-address} | client { all | mac-address mac-address } | all }

Clear information about countermeasures that WIPS has taken against rogue devices.

reset wips virtual-security-domain vsd-name countermeasure record

Clear information about detected NAT-configured clients.

reset wlan nat-detect

 

WIPS configuration examples

Device classification and countermeasures configuration example

Network requirements

As shown in Figure 54, the sensor connects to the AC through the switch. AP 1 and AP 2 provide wireless services to clients through the SSID abc. Perform the following tasks:

·     Enable WIPS for the sensor.

·     Configure wireless device classification to add the MAC address 000f-1c35-12a5 to the static prohibited device list and the SSID abc to the trusted SSID list.

·     Configure countermeasures to enable WIPS to take countermeasures against potential-external APs and unauthorized clients.

Figure 54 Network diagram

 

Configuration procedure

# Configure wireless services on the AC. (Details not shown.)

For more information about wireless service configuration, see "Configuring WLAN access."

# Create a VSD named vsd1.

<AC> system-view

[AC] wips

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] quit

[AC-wips] quit

# Create an AP named Sensor and enable WIPS for the AP.

[AC] wlan ap Sensor model WA536-WW

[AC-wlan-ap-Sensor] serial-id 219801A1NQB117012935

[AC-wlan-ap-Sensor] radio 1

[AC-wlan-ap-Sensor-radio-1] radio enable

[AC-wlan-ap-Sensor-radio-1] wips enable

[AC-wlan-ap-Sensor-radio-1] quit

# Add the AP Sensor to the VSD vsd1.

[AC-wlan-ap-Sensor] wips virtual-security-domain vsd1

[AC-wlan-ap-Sensor] quit

# Create a classification policy named class1, add the MAC address of Client 2 to the prohibited device list, and add SSID abc to the trusted SSID list.

[AC] wips

[AC-wips] classification policy class1

[AC-wips-cls-class1] block mac-address 000f-1c35-12a5

[AC-wips-cls-class1] trust ssid abc

[AC-wips-cls-class1] quit

# Apply the classification policy class1 to the VSD vsd1.

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] apply classification policy class1

[AC-wips-vsd-vsd1] quit

# Create a countermeasure policy named protect, and enable WIPS to take countermeasures against unauthorized clients and potential-external APs.

[AC-wips] countermeasure policy protect

[AC-wips-cms-protect] countermeasure unauthorized-client

[AC-wips-cms-protect] countermeasure potential-external-ap

[AC-wips-cms-protect] quit

# Apply the countermeasure policy protect to the VSD vsd1.

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] apply countermeasure policy protect

[AC-wips-vsd-vsd1] quit

[AC-wips] quit

Verifying the configuration

# Display wireless device classification information for the VSD vsd1.

[AC] display wips virtual-security-domain vsd1 device

Total 3 detected devices in virtual-security-domain vsd1

 

Class: Auth - authorization; Ext - extern; Mis - mistake;

       Unauth - unauthorized; Uncate - uncategorized;

       (A) - associate; (C) - config; (P) - potential

 

MAC address    Type   Class    Duration    Sensors Channel Status

00e0-fc00-5829 AP     Auth     00h 10m 24s 1       149      Active

000f-e228-2528 AP     Auth     00h 10m 04s 1       149      Active

000f-e223-1616 AP     Ext(P)   00h 10m 46s 1       149      Active

000f-1c35-12a5 Client Unauth   00h 10m 02s 1       149      Active

000f-e201-0102 Client Auth     00h 10m 02s 1       149      Active

The output shows that the AP with the MAC address 000f-e223-1616 is classified as a potential-external AP and the client with the MAC address 000f-1c35-12a5 is classified as an unauthorized client.

# Display information about countermeasures that WIPS has taken against the devices.

[AC] display wips virtual-security-domain vsd1 countermeasure record

Total 2 times countermeasure, current 2 countermeasure record in virtual-security-domain vsd1

Reason: Attack; Ass - associated; Black - blacklist;                           

        Class - classification; Manu - manual;                                 

                                                                               

MAC address    Type   Reason   Countermeasure AP      Radio ID   Time          

000f-e223-1616 AP     Class    Sensor                 1          2014-06-03/10:30:36

000f-1c35-12a5 Client Class    Sensor                 1          2014-06-03/09:13:26

The output shows that WIPS has taken countermeasures against the unauthorized client with the MAC address 000f-1c35-12a5 and the potential-external AP with the MAC address 000f-e223-1616.

Malformed packet and flood attack detection examples

Network requirements

As shown in Figure 55, configure the two APs that connect to the AC through the switch as sensors. Add Sensor 1 and Sensor 2 to the VSD VSD_1. Configure malformed packet detection and flood attack detection to enable WIPS to trigger an alarm when it detects beacon flood attacks or malformed packets with duplicated IE.

Figure 55 Network diagram

 

 

Configuration procedure

# Configure wireless services on the AC. (Details not shown.)

For more information about wireless service configuration, see "Configuring WLAN access."

# Create an AP named sensor1 and enable WIPS for the AP.

<AC> system-view

[AC] wlan ap sensor1 model WA536-WW

[AC-wlan-ap-sensor1] serial-id 219801A1NQB117012935

[AC-wlan-ap-sensor1] radio 1

[AC-wlan-ap-sensor1-radio-1] radio enable

[AC-wlan-ap-sensor1-radio-1] wips enable

[AC-wlan-ap-sensor1-radio-1] return

# Create an AP named sensor2 and enable WIPS for the AP.

<AC> system-view

[AC] wlan ap sensor2 model WA536-WW

[AC-wlan-ap-sensor2] serial-id 219801A1NQB117012952

[AC-wlan-ap-sensor2] radio 1

[AC-wlan-ap-sensor2-radio-1] radio enable

[AC-wlan-ap-sensor2-radio-1] wips enable

[AC-wlan-ap-sensor2-radio-1] quit

[AC-wlan-ap-sensor2] quit

# Create a VSD named VSD_1.

[AC] wips

[AC-wips] virtual-security-domain VSD_1

[AC-wips-vsd-VSD_1] quit

# Create an attack detection policy named dtc1.

[AC-wips] detect policy dtc1

# Enable detection on malformed packets with duplicated IE, and set the quiet time to 50 seconds.

[AC-wips-dtc-dtc1] malformed duplicated-ie quiet 50

# Enable beacon flood attack detection, and set the statistics interval, threshold, and quiet time to 100 seconds, 200, and 50 seconds, respectively.

[AC-wips-dtc-dtc1] flood beacon interval 100 quiet 50 threshold 200

[AC-wips-dtc-dtc1] quit

# Apply the attack detection policy dtc1 to the VSD VSD_1.

[AC-wips] virtual-security-domain VSD_1

[AC-wips-vsd-VSD_1] apply detect policy dtc1

[AC-wips-vsd-VSD_1] quit

[AC-wips] quit

# Add the AP sensor1 to the VSD VSD_1.

[AC] wlan ap sensor1

[AC-wlan-ap-sensor1] wips virtual-security-domain VSD_1

[AC-wlan-ap-sensor1] quit

# Add the AP sensor2 to the VSD VSD_1.

[AC] wlan ap sensor2

[AC-wlan-ap-sensor2] wips virtual-security-domain VSD_1

[AC-wlan-ap-sensor2] return

Verifying the configuration

# Display packet statistics when WIPS does not detect any attacks in the WLAN. The output shows that no malformed packet or flood attack message exists.

<AC> display wips statistics receive

Information from sensor 1

Information about attack statistics:

Detected association-request flood messages: 0

Detected authentication flood messages: 0

Detected beacon flood messages: 0

Detected block-ack flood messages: 0

Detected cts flood messages: 0

Detected deauthentication flood messages: 0

Detected disassociation flood messages: 0

Detected eapol-start flood messages: 0

Detected null-data flood messages: 0

Detected probe-request flood messages: 0

Detected reassociation-request flood messages: 0

Detected rts flood messages: 0

Detected duplicated-ie messages: 0

Detected fata-jack messages: 0

Detected illegal-ibss-ess messages: 0

Detected invalid-address-combination messages: 0

Detected invalid-assoc-req messages: 0

Detected invalid-auth messages: 0

Detected invalid-deauth-code messages: 0

Detected invalid-disassoc-code messages: 0

Detected invalid-ht-ie messages: 0

Detected invalid-ie-length messages: 0

Detected invalid-pkt-length messages: 0

Detected large-duration messages: 0

Detected null-probe-resp messages: 0

Detected overflow-eapol-key messages: 0

Detected overflow-ssid messages: 0

Detected redundant-ie messages: 0

Detected AP spoof AP messages: 0

Detected AP spoof client messages: 0

Detected AP spoof ad-hoc messages: 0

Detected ad-hoc spoof AP messages: 0

Detected client spoof AP messages: 0

Detected weak IV messages: 0

Detected excess AP messages: 0

Detected excess client messages: 0

Detected sig rule messages: 0

Information from sensor 2

Information about attack statistics:

Detected association-request flood messages: 0

Detected authentication flood messages: 0

Detected beacon flood messages: 0

Detected block-ack flood messages: 0

Detected cts flood messages: 0

Detected deauthentication flood messages: 0

Detected disassociation flood messages: 0

Detected eapol-start flood messages: 0

Detected null-data flood messages: 0

Detected probe-request flood messages: 0

Detected reassociation-request flood messages: 0

Detected rts flood messages: 0

Detected duplicated-ie messages: 0

Detected fata-jack messages: 0

Detected illegal-ibss-ess messages: 0

Detected invalid-address-combination messages: 0

Detected invalid-assoc-req messages: 0

Detected invalid-auth messages: 0

Detected invalid-deauth-code messages: 0

Detected invalid-disassoc-code messages: 0

Detected invalid-ht-ie messages: 0

Detected invalid-ie-length messages: 0

Detected invalid-pkt-length messages: 0

Detected large-duration messages: 0

Detected null-probe-resp messages: 0

Detected overflow-eapol-key messages: 0

Detected overflow-ssid messages: 0

Detected redundant-ie messages: 0

Detected AP spoof AP messages: 0

Detected AP spoof client messages: 0

Detected AP spoof ad-hoc messages: 0

Detected ad-hoc spoof AP messages: 0

Detected client spoof AP messages: 0

Detected weak IV messages: 0

Detected excess AP messages: 0

Detected excess client messages: 0

Detected sig rule messages: 0

# Display packet statistics when WIPS detects beacon flood attacks and malformed packets with duplicated IE. The output shows 18 detected beacon flood messages (reported by sensor 1) and 28 detected messages for malformed packets with duplicated IE (reported by sensor 2).

<AC> display wips statistics receive

Information from sensor 1

Information about attack statistics:

Detected association-request flood messages: 0

Detected authentication flood messages: 0

Detected beacon flood messages: 18

Detected block-ack flood messages: 0

Detected cts flood messages: 0

Detected deauthentication flood messages: 0

Detected disassociation flood messages: 0

Detected eapol-start flood messages: 0

Detected null-data flood messages: 0

Detected probe-request flood messages: 0

Detected reassociation-request flood messages: 0

Detected rts flood messages: 0

Detected duplicated-ie messages: 0

Detected fata-jack messages: 0

Detected illegal-ibss-ess messages: 0

Detected invalid-address-combination messages: 0

Detected invalid-assoc-req messages: 0

Detected invalid-auth messages: 0

Detected invalid-deauth-code messages: 0

Detected invalid-disassoc-code messages: 0

Detected invalid-ht-ie messages: 0

Detected invalid-ie-length messages: 0

Detected invalid-pkt-length messages: 0

Detected large-duration messages: 0

Detected null-probe-resp messages: 0

Detected overflow-eapol-key messages: 0

Detected overflow-ssid messages: 0

Detected redundant-ie messages: 0

Detected AP spoof AP messages: 0

Detected AP spoof client messages: 0

Detected AP spoof ad-hoc messages: 0

Detected ad-hoc spoof AP messages: 0

Detected client spoof AP messages: 0

Detected weak IV messages: 0

Detected excess AP messages: 0

Detected excess client messages: 0

Detected sig rule messages: 0

Information from sensor 2

Information about attack statistics:

Detected association-request flood messages: 0

Detected authentication flood messages: 0

Detected beacon flood messages: 0

Detected block-ack flood messages: 0

Detected cts flood messages: 0

Detected deauthentication flood messages: 0

Detected disassociation flood messages: 0

Detected eapol-start flood messages: 0

Detected null-data flood messages: 0

Detected probe-request flood messages: 0

Detected reassociation-request flood messages: 0

Detected rts flood messages: 0

Detected duplicated-ie messages: 28

Detected fata-jack messages: 0

Detected illegal-ibss-ess messages: 0

Detected invalid-address-combination messages: 0

Detected invalid-assoc-req messages: 0

Detected invalid-auth messages: 0

Detected invalid-deauth-code messages: 0

Detected invalid-disassoc-code messages: 0

Detected invalid-ht-ie messages: 0

Detected invalid-ie-length messages: 0

Detected invalid-pkt-length messages: 0

Detected large-duration messages: 0

Detected null-probe-resp messages: 0

Detected overflow-eapol-key messages: 0

Detected overflow-ssid messages: 0

Detected redundant-ie messages: 0

Detected AP spoof AP messages: 0

Detected AP spoof client messages: 0

Detected AP spoof ad-hoc messages: 0

Detected ad-hoc spoof AP messages: 0

Detected client spoof AP messages: 0

Detected weak IV messages: 0

Detected excess AP messages: 0

Detected excess client messages: 0

Detected sig rule messages: 0
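The counters in this listing are easier to track when they are parsed rather than read by eye. The following Python sketch is an added example, not part of the H3C guide: it parses display wips statistics receive output per sensor, lists nonzero counters, and reports growth between two polls. The sample text is constructed and abridged from the listing above, and the function names are hypothetical.

```python
import re

# Constructed, abridged sample in the layout of "display wips statistics receive".
# Counter names and the two nonzero values follow the listing above.
SAMPLE = """\
Information from sensor 1
Information about attack statistics:
Detected association-request flood messages: 0
Detected beacon flood messages: 18
Detected duplicated-ie messages: 0
Detected AP spoof client messages: 0
Detected sig rule messages: 0

Information from sensor 2
Information about attack statistics:
Detected association-request flood messages: 0
Detected beacon flood messages: 0
Detected duplicated-ie messages: 28
Detected AP spoof client messages: 0
Detected sig rule messages: 0
"""

SENSOR_RE = re.compile(r"^Information from sensor\s*(.*)$")
COUNTER_RE = re.compile(r"^Detected (.+?) messages:\s*(\d+)$")


def parse_wips_statistics(text):
    """Return {sensor_id: {counter_name: count}} for one command output."""
    stats = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SENSOR_RE.match(line)
        if m:
            # A single-sensor listing may print the header with no sensor ID.
            current = m.group(1).strip() or "(unnamed)"
            stats[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m:
            if current is None:
                raise ValueError("counter line before any sensor header: %r" % line)
            stats[current][m.group(1)] = int(m.group(2))
        # Any other line (prompt, section title) is ignored.
    return stats


def nonzero_counters(stats):
    """List (sensor, counter, count) for every counter above zero."""
    return [(sensor, name, count)
            for sensor, counters in sorted(stats.items())
            for name, count in sorted(counters.items())
            if count > 0]


def counter_deltas(before, after):
    """List (sensor, counter, growth) between two polls.

    If a counter went down, the statistics were cleared in between
    (reset wips statistics), so the new value is taken as the growth.
    """
    deltas = []
    for sensor, counters in sorted(after.items()):
        old = before.get(sensor, {})
        for name, now in sorted(counters.items()):
            prev = old.get(name, 0)
            grew = now - prev if now >= prev else now
            if grew > 0:
                deltas.append((sensor, name, grew))
    return deltas


if __name__ == "__main__":
    for sensor, name, count in nonzero_counters(parse_wips_statistics(SAMPLE)):
        print("sensor %s: %s = %d" % (sensor, name, count))
```

Comparing polls with counter_deltas separates new detections from counts that were already present at the previous poll.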

Signature-based user-defined attack detection configuration example

Network requirements

As shown in Figure 56, AP 1 and AP 2 provide wireless services for clients through the SSID abc. Enable WIPS for the sensor, and configure a signature to enable WIPS to trigger an alarm when it detects beacon frames whose SSIDs are not abc.

Figure 56 Network diagram

 

Configuration procedure

# Configure wireless services on the AC. (Details not shown.)

For more information about wireless service configuration, see "Configuring WLAN access."

# Create an AP named sensor1 and enable WIPS for the AP.

<AC> system-view

[AC] wlan ap sensor1 model WA536-WW

[AC-wlan-ap-sensor1] serial-id 219801A1NQB117012935

[AC-wlan-ap-sensor1] radio 1

[AC-wlan-ap-sensor1-radio-1] radio enable

[AC-wlan-ap-sensor1-radio-1] wips enable

[AC-wlan-ap-sensor1-radio-1] quit

[AC-wlan-ap-sensor1] quit

# Create a VSD named vsd1.

[AC] wips

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] quit

[AC-wips] quit

# Add the AP sensor1 to the VSD vsd1.

[AC] wlan ap sensor1

[AC-wlan-ap-sensor1] wips virtual-security-domain vsd1

[AC-wlan-ap-sensor1] quit

# Create signature 1, and configure a subsignature to match beacon frames and a subsignature to match frames whose SSIDs are not abc.

[AC] wips

[AC-wips] signature rule 1

[AC-wips-sig-rule-1] frame-type management frame-subtype beacon

[AC-wips-sig-rule-1] ssid not equal abc

[AC-wips-sig-rule-1] quit

# Create a signature policy named sig1, and bind signature 1 to the signature policy sig1.

[AC-wips] signature policy sig1

[AC-wips-sig-sig1] apply signature rule 1

# Enable WIPS to detect packets that match the signature, and set the statistics collection interval, quiet time, and alarm threshold to 5 seconds, 60 seconds, and 60, respectively.

[AC-wips-sig-sig1] detect signature interval 5 quiet 60 threshold 60

[AC-wips-sig-sig1] quit

# Apply the signature policy sig1 to the VSD vsd1.

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] apply signature policy sig1

[AC-wips-vsd-vsd1] quit

Verifying the configuration

# Verify that the AC receives an alarm from the sensor when the sensor detects the wireless service with the SSID free_wlan.

WIPS/5/WIPS_SIGNATURE: -VSD=vsd1-RuleID=1; Signature rule matched.

# Display attack detection information collected from sensors. The output shows that the number of detected messages is 26 for packets that match the signature.

[AC] display wips statistics receive

Information from sensor

Information about attack statistics:

Detected association-request flood messages: 0

Detected authentication flood messages: 0

Detected beacon flood messages: 0

Detected block-ack flood messages: 0

Detected cts flood messages: 0

Detected deauthentication flood messages: 0

Detected disassociation flood messages: 0

Detected eapol-start flood messages: 0

Detected null-data flood messages: 0

Detected probe-request flood messages: 0

Detected reassociation-request flood messages: 0

Detected rts flood messages: 0

Detected duplicated-ie messages: 0

Detected fata-jack messages: 0

Detected illegal-ibss-ess messages: 0

Detected invalid-address-combination messages: 0

Detected invalid-assoc-req messages: 0

Detected invalid-auth messages: 0

Detected invalid-deauth-code messages: 0

Detected invalid-disassoc-code messages: 0

Detected invalid-ht-ie messages: 0

Detected invalid-ie-length messages: 0

Detected invalid-pkt-length messages: 0

Detected large-duration messages: 0

Detected null-probe-resp messages: 0

Detected overflow-eapol-key messages: 0

Detected overflow-ssid messages: 0

Detected redundant-ie messages: 0

Detected AP spoof AP messages: 0

Detected AP spoof client messages: 0

Detected AP spoof ad-hoc messages: 0

Detected ad-hoc spoof AP messages: 0

Detected client spoof AP messages: 0

Detected weak IV messages: 0

Detected excess AP messages: 0

Detected excess client messages: 0

Detected sig rule messages: 26
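How signature rule 1 and the detect signature interval 5 quiet 60 threshold 60 setting interact can be modelled offline when tuning these values. This Python model is an added example, not H3C code. It assumes that an alarm is raised when the matches counted in one statistics interval exceed the threshold, that no further alarm is raised until the quiet time has elapsed, and that matches are counted per rule across all senders; the frame records and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t_ms: int      # observation time, milliseconds since capture start
    ftype: str     # "management", "control" or "data"
    subtype: str   # for example "beacon" or "probe-response"
    ssid: str


def matches_rule_1(frame, allowed_ssid="abc"):
    """Both subsignatures of rule 1: management/beacon AND SSID not equal abc."""
    return (frame.ftype == "management"
            and frame.subtype == "beacon"
            and frame.ssid != allowed_ssid)


def alarm_times(frames, interval=5, quiet=60, threshold=60):
    """Return the times (ms) at which an alarm is raised.

    Assumed semantics (not stated on this page):
      - matches are counted in consecutive intervals of `interval` seconds;
      - an alarm fires when a count exceeds `threshold`, once per interval;
      - after an alarm, nothing fires until `quiet` seconds have passed.
    """
    interval_ms, quiet_ms = interval * 1000, quiet * 1000
    counts = {}
    alarmed_windows = set()
    quiet_until = None
    alarms = []
    for f in sorted(frames, key=lambda fr: fr.t_ms):
        if not matches_rule_1(f):
            continue
        w = f.t_ms // interval_ms
        counts[w] = counts.get(w, 0) + 1
        in_quiet = quiet_until is not None and f.t_ms < quiet_until
        if counts[w] > threshold and w not in alarmed_windows and not in_quiet:
            alarms.append(f.t_ms)
            alarmed_windows.add(w)
            quiet_until = f.t_ms + quiet_ms
    return alarms


def constructed_capture():
    """Constructed observations for the model; not captured traffic."""
    frames = []
    # Trusted service: SSID abc beacons every 100 ms for 120 s (never match).
    frames += [Frame(t, "management", "beacon", "abc") for t in range(0, 120000, 100)]
    # Foreign SSID at 8 beacons/s for 5 s: 40 matches in one interval, below threshold.
    frames += [Frame(t, "management", "beacon", "free_wlan") for t in range(0, 5000, 125)]
    # Foreign SSID at 20 beacons/s for 15 s: 100 matches in each of three intervals.
    frames += [Frame(t, "management", "beacon", "free_wlan") for t in range(10000, 25000, 50)]
    # Same rate again for 5 s, after the quiet time of the first alarm has elapsed.
    frames += [Frame(t, "management", "beacon", "free_wlan") for t in range(80000, 85000, 50)]
    # Foreign SSID in a non-beacon frame: fails the frame-subtype subsignature.
    frames.append(Frame(30000, "management", "probe-response", "free_wlan"))
    return frames


if __name__ == "__main__":
    capture = constructed_capture()
    print("alarms (ms), page settings:", alarm_times(capture))
    print("alarms (ms), quiet 0:      ", alarm_times(capture, quiet=0))
```

With the page's settings the 15-second burst produces a single alarm because the second and third intervals fall inside the quiet time; with quiet set to 0 each of those intervals raises its own alarm.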


Configuring WLAN QoS

This chapter describes how to configure WLAN QoS.

Overview

An 802.11 network provides contention-based wireless access. To provide applications with QoS services, IEEE developed 802.11e for 802.11-based WLANs.

While IEEE 802.11e was being standardized, Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard so that QoS-capable devices from different vendors can interoperate. WMM enables a WLAN to provide QoS services, so that audio and video applications can have better performance in WLANs.

WMM protocol

The Distributed Coordination Function (DCF) in 802.11 requires APs and clients to use the carrier sense multiple access with collision avoidance (CSMA/CA) access mechanism. APs or clients listen to the channel before they hold the channel for data transmission. When the specified idle duration of the channel times out, APs or clients randomly select a backoff slot within the contention window to perform backoff. The device that finishes backoff first gets the channel. With 802.11, all devices have the same idle duration and contention window. Therefore, they are equal when contending for a channel.

To provide QoS services, WMM divides data traffic into four ACs that have different priorities. Traffic in an AC with a high priority has a better chance to use the channel.

Terminology

·     Enhanced distributed channel access—EDCA is a channel contention mechanism defined by WMM to preferentially transmit packets with high priority and allocate more bandwidth to such packets.

·     Access category—WMM defines four ACs: AC-VO for voice traffic, AC-VI for video traffic, AC-BE for best effort traffic, and AC-BK for background traffic. The priorities of the four ACs are in descending order.

·     Connect Admission Control—CAC limits the number of clients that can use high-priority ACs (AC-VO and AC-VI) to make sure there is enough bandwidth for these clients.

·     Unscheduled automatic power save delivery—U-APSD is a power saving method defined by WMM to save client power.

EDCA parameters

·     Arbitration inter-frame spacing number—In an 802.11-based WLAN, each client has the same idle duration (DIFS), but WMM defines an idle duration for each AC. The idle duration increases as the AIFSN increases.

·     Exponent form of CWmin/Exponent form of CWmax—ECWmin/ECWmax determines the backoff slots, which increase as the two values increase.

·     Transmission opportunity limit—TXOP limit specifies the maximum time that a client can hold the channel after a successful contention. A larger value represents a longer time. If the value is 0, a client can send only one packet each time it holds the channel.

Figure 57 EDCA parameters

 

CAC admission policies

CAC requires a client to obtain permission from an AP before it can use a high-priority AC for transmission. This guarantees bandwidth for the clients that have gained access. CAC controls real time traffic (AC-VO and AC-VI traffic) but not common data traffic (AC-BE and AC-BK traffic).

If a client wants to use a high-priority AC (AC-VO or AC-VI), it must send a request to the AP. The AP returns a positive or negative response based on either of the following admission control policies:

·     Channel usage-based admission policy—The AP calculates the total time that the existing high-priority AC queues occupy the channel per unit time, and then calculates the time that the requesting traffic will occupy the channel per unit time. If the sum of the two values is smaller than or equal to the maximum hold time of the channel, the client can use the requested AC queue. If it is not, the request is rejected.

·     Client-based admission policy—If the number of clients using high-priority AC queues is smaller than the maximum number of high-priority AC clients, the request is accepted. If it is not, the request is rejected. During calculation, a client is counted as one client if it is using both the AC-VO and AC-VI queues.

If the request is rejected, the AP assigns AC-BE to clients.

U-APSD power-save mechanism

U-APSD enables clients in sleep mode to wake up and receive the specified number of packets only after receiving a trigger packet. U-APSD improves the 802.11 APSD power saving mechanism.

U-APSD is automatically enabled after you enable WMM.

ACK policy

WMM defines the following ACK policies:

·     Normal ACK—The recipient acknowledges each received unicast packet.

·     No ACK—The recipient does not acknowledge received packets during wireless packet exchange. This policy improves the transmission efficiency in an environment where communication quality is strong and interference is weak. If communication quality deteriorates, this policy might increase the packet loss rate. For A-MPDU packets sent by 802.11n clients, the No ACK policy does not take effect.

SVP

SpectraLink Voice Priority (SVP) is developed by SpectraLink to provide QoS services for voice traffic.

Bandwidth guaranteeing

This feature provides the following functions:

·     Ensures that traffic from all BSSs can pass through freely when the network is not congested.

·     Ensures that each BSS can get the guaranteed bandwidth when the network is congested.

This feature improves bandwidth efficiency and maintains fair use of bandwidth among WLAN services. For example, you assign SSID1, SSID2, and SSID3 25%, 25%, and 50% of the total bandwidth. When the network is not congested, SSID1 can use all idle bandwidth in addition to its guaranteed bandwidth. When the network is congested, SSID1 is guaranteed 25% of the bandwidth.

This feature applies only to AP-to-client traffic.

Client rate limiting

This feature prevents aggressive use of bandwidth by one client and ensures fair use of bandwidth among clients associated with the same AP.

You can configure either of the following modes for client rate limiting:

·     Dynamic mode—Sets the total bandwidth shared by all clients. The rate limit for each client is the total rate divided by the number of online clients. For example, if the total rate is 10 Mbps and five clients are online, the rate limit for each client is 2 Mbps.

·     Static mode—Sets the bandwidth that can be used by each client. When the rate limit multiplied by the number of associated clients exceeds the available bandwidth provided by the AP, the clients might not get the set bandwidth.

Protocols and standards

·     802.11e-2005, Amendment 8: Medium Access Control (MAC) Quality of Service Enhancements, IEEE Computer Society, 2005

·     Wi-Fi, WMM Specification version 1.1, Wi-Fi Alliance, 2005

Configuration restrictions and guidelines

The priorities for the configuration in AP view, AP group view, and global configuration view are in descending order.

Configuring WMM

Enabling WMM

The 802.11n protocol requires all 802.11n clients to support WLAN QoS. For 802.11n clients to communicate with the associated AP, enable WMM when the radio operates in 802.11an or 802.11gn mode.

Enabling WMM for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Enable WMM.

wmm enable

By default, an AP uses the configuration in AP group view.

 

Enabling WMM for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enable WMM.

wmm enable

By default, WMM is enabled.

 

Setting EDCA parameters

Setting EDCA parameters for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Set EDCA parameters.

edca radio { ac-be | ac-bk | ac-vi | ac-vo } { ack-policy { noack | normalack } | aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

By default, an AP uses the configuration in AP group view.

 

Setting EDCA parameters for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set EDCA parameters.

edca radio { ac-be | ac-bk | ac-vi | ac-vo } { ack-policy { noack | normalack } | aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

The default values for EDCA parameters are shown in Table 29.

 

Table 29 Default EDCA parameter values

AC      AIFSN   ECWmin   ECWmax   TXOP Limit

AC-BK   7       4        10       0

AC-BE   3       4        6        0

AC-VI   1       3        4        94

AC-VO   1       2        3        47

 

Setting EDCA parameters for clients (AC-BE or AC-BK)

Setting EDCA parameters for clients for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Set EDCA parameters of AC-BE or AC-BK queues for clients.

edca client { ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

By default, an AP uses the configuration in AP group view.

 

Setting EDCA parameters for clients for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set EDCA parameters of AC-BE or AC-BK queues for clients.

edca client { ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

The default values are shown in Table 30.

 

Table 30 Default EDCA parameter values of AC-BE or AC-BK queues for clients

AC      AIFSN   ECWmin   ECWmax   TXOP Limit

AC-BK   7       4        10       0

AC-BE   3       4        10       0

 

Setting EDCA parameters for clients (AC-VI or AC-VO)

Setting EDCA parameters for clients for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Set EDCA parameters of AC-VI or AC-VO queues for clients.

edca client { ac-vi | ac-vo } { aifsn aifsn-value | cac { disable | enable } | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

By default, an AP uses the configuration in AP group view.

5.     (Optional.) Configure the CAC policy.

cac policy { channelutilization [ channelutilization-value ] | client [ client-number ] }

By default, an AP uses the configuration in AP group view.

 

Setting EDCA parameters for clients for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set EDCA parameters of AC-VI or AC-VO queues for clients.

edca client { ac-vi | ac-vo } { aifsn aifsn-value | cac { disable | enable } | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

The default values are shown in Table 31.

6.     (Optional.) Configure the CAC policy.

cac policy { channelutilization [ channelutilization-value ] | client [ client-number ] }

By default, the client-based admission policy is used, and the maximum number of admitted clients is 20.

 

Table 31 Default EDCA parameter values of AC-VI or AC-VO queues for clients

AC      AIFSN   ECWmin   ECWmax   TXOP Limit

AC-VI   2       3        4        94

AC-VO   2       2        3        47

 

Configuring a port to trust packet priority for priority mapping

This feature takes effect only on uplink packets.

To configure a port to trust packet priority for priority mapping:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Configure the trusted packet priority type.

qos trust { dot11e | dscp }

By default, the port priority is trusted.

4.     Set the port priority.

qos priority priority-value

By default, the port priority is 0.

 

Configuring SVP mapping

SVP mapping takes effect only on non-WMM clients.

This feature assigns packets that have the protocol ID 119 in the IP header to the AC-VI or AC-VO queue to provide SVP packets with the specified priority. SVP does not require random backoff for SVP packets. Therefore, you can set both ECWmin and ECWmax to 0 when there are only SVP packets in the AC-VI or AC-VO queue.

When SVP mapping is disabled, SVP packets are assigned to the AC-BE queue.

Configuring SVP mapping for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Configure SVP mapping.

svp map-ac { ac-vi | ac-vo | disable }

By default, an AP uses the configuration in AP group view.

 

Configuring SVP mapping for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure SVP mapping.

svp map-ac { ac-vi | ac-vo | disable }

By default, SVP mapping is disabled.

 

Configuring bandwidth guaranteeing

Configuring bandwidth guaranteeing for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the maximum bandwidth for the specified radio type.

wlan max-bandwidth { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn } bandwidth

The following default settings apply:

·     30000 Kbps for dot11a and dot11g.

·     250000 Kbps for dot11an, dot11gn, and dot11gac.

·     500000 Kbps for dot11ac.

·     7000 Kbps for dot11b.

3.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Configure bandwidth guaranteeing.

bandwidth-guarantee { disable | enable }

The following default settings apply:

·     If the service template setting in AP group view is used, an AP uses the configuration in AP group view.

·     If a service template is manually bound to a radio, bandwidth guaranteeing is disabled.

6.     Set a guaranteed bandwidth percentage for the specified service template.

bandwidth-guarantee service-template service-template-name percent percent

The following default settings apply:

·     If the service template setting in AP group view is used, an AP uses the configuration in AP group view.

·     If a service template is manually bound to a radio, no guaranteed bandwidth percentage is set for the service template.

 

Configuring bandwidth guaranteeing for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the maximum bandwidth for the specified radio type.

wlan max-bandwidth { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn } bandwidth

The following default settings apply:

·     30000 Kbps for dot11a and dot11g.

·     250000 Kbps for dot11an, dot11gn, and dot11gac.

·     500000 Kbps for dot11ac.

·     7000 Kbps for dot11b.

3.     Enter AP group view.

wlan ap-group group-name

N/A

4.     Enter AP model view.

ap-model ap-model

N/A

5.     Enter radio view.

radio radio-id

N/A

6.     Configure bandwidth guaranteeing.

bandwidth-guarantee { disable | enable }

By default, bandwidth guaranteeing is disabled.

7.     Set a guaranteed bandwidth percentage for the specified service template.

bandwidth-guarantee service-template service-template-name percent percent

By default, no guaranteed bandwidth percentage is set for a service template.

 

Configuring client rate limiting

By rate limit method, you can configure service-template-based, radio-based, or client-type-based client rate limiting. By rate limit mode, you can configure the dynamic or static mode for client rate limiting.

If more than one method and mode are configured, all settings take effect. The rate for a client will be limited to the minimum value among all the client rate-limiting settings.

Configuring service-template-based client rate limiting

This task takes effect on all clients associated with the same service template.

To configure service-template-based client rate limiting:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Enable service-template-based client rate limiting.

client-rate-limit enable

By default, service-template-based client rate limiting is disabled.

4.     Configure service-template-based client rate limiting.

client-rate-limit { inbound | outbound } mode { dynamic | static } cir cir

By default, service-template-based client rate limiting is not configured.

 

Configuring radio-based client rate limiting

This task takes effect on all clients associated with the same radio.

Configuring radio-based client rate limiting for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Enable or disable radio-based client rate limiting.

client-rate-limit { disable | enable }

By default, an AP uses the configuration in AP group view.

5.     Configure radio-based client rate limiting.

client-rate-limit { inbound | outbound } mode { dynamic | static } cir cir

By default, an AP uses the configuration in AP group view.

 

Configuring radio-based client rate limiting for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enable or disable radio-based client rate limiting.

client-rate-limit { disable | enable }

By default, radio-based client rate limiting is disabled.

6.     Configure radio-based client rate limiting.

client-rate-limit { inbound | outbound } mode { dynamic | static } cir cir

By default, radio-based client rate limiting is not configured.

 

Configuring client-type-based client rate limiting

This task takes effect on all clients of the specified protocol.

To configure client-type-based client rate limiting:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure client-type-based client rate limiting.

wlan client-rate-limit { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn } { inbound | outbound } cir cir [ cbs cbs ]

By default, client-type-based client rate limiting is not configured.

 

Displaying and maintaining WMM

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display WMM statistics for radios.

display wlan wmm radio { all | ap ap-name }

Display WMM statistics for clients.

display wlan wmm client { all | ap ap-name | mac-address mac-address }

Clear WMM statistics for radios.

reset wlan wmm radio { all | ap ap-name }

Clear WMM statistics for clients.

reset wlan wmm client { all | ap ap-name | mac-address mac-address }

 

WLAN QoS configuration examples

Basic WMM configuration example

Network requirements

As shown in Figure 58, enable WMM on the AC so that the AP and the client can prioritize the traffic.

Figure 58 Network diagram

 

Configuration procedure

# Create a service template named market, set the SSID to market, and enable the service template.

<AC> system-view

[AC] wlan service-template market

[AC-wlan-st-market] ssid market

[AC-wlan-st-market] service-template enable

[AC-wlan-st-market] quit

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Enable WMM, bind service template market to radio 1, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] wmm enable

[AC-wlan-ap-ap1-radio-1] service-template market

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Display WMM statistics for radios.

[AC] display wlan wmm radio all

 AP ID : 1   AP Name : ap1

 

 Radio : 1

 Client EDCA updates : 0

 QoS mode     : WMM

 WMM status : Enabled

 Radio max AIFSN          : 15            Radio max ECWmin : 10

 Radio max TXOPLimit      : 32767         Radio max ECWmax : 10

 CAC information

 Clients accepted                      : 0

  Voice                                : 0

  Video                                : 0

 Total request mediumtime(μs)          : 0

  Voice(μs)                            : 0

  Video(μs)                            : 0

Calls rejected due to insufficient resources    : 0

Calls rejected due to invalid parameters        : 0

Calls rejected due to invalid mediumtime        : 0

Calls rejected due to invalid delaybound        : 0

Radio : 2                                                                     

 Client EDCA updates : 0                                                        

 QoS mode   : WMM                                                              

 WMM status : Enabled                                                          

 Radio max AIFSN     : 15         Radio max ECWmin : 10                         

 Radio max TXOPLimit : 32767      Radio max ECWmax : 10                        

 CAC information                                                               

 Clients accepted                : 0                                            

  Voice                          : 0                                           

  Video                          : 0                                           

 Total request mediumtime(μs)    : 0                                          

  Voice(μs)                      : 0                                          

  Video(μs)                      : 0                                          

 Calls rejected due to insufficient resources  : 0                             

 Calls rejected due to invalid parameters      : 0                             

 Calls rejected due to invalid mediumtime      : 0                             

 Calls rejected due to invalid delaybound      : 0                            

CAC configuration example

Network requirements

As shown in Figure 59, configure CAC to allow a maximum of 10 clients to use the AC-VO and AC-VI queues.

Figure 59 Network diagram

 

Configuration procedure

1.     Create a service template named market, set the SSID to market, and enable the service template.

<AC> system-view

[AC] wlan service-template market

[AC-wlan-st-market] ssid market

[AC-wlan-st-market] service-template enable

[AC-wlan-st-market] quit

2.     Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

3.     Configure WMM:

# Bind service template market to radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template market

# Enable WMM for AC-VO and AC-VI queues, and configure a CAC policy to limit the number of clients to 10.

[AC-wlan-ap-ap1-radio-1] wmm enable

[AC-wlan-ap-ap1-radio-1] edca client ac-vo cac enable

[AC-wlan-ap-ap1-radio-1] edca client ac-vi cac enable

[AC-wlan-ap-ap1-radio-1] cac policy client 10

# Enable radio 1.

[AC-wlan-ap-ap1-radio-1] radio enable

Verifying the configuration

# Assume that a client requests to use a high-priority AC queue (AC-VO or AC-VI). Verify the following information:

·     If the number of clients using high-priority AC queues is smaller than the maximum number of high-priority AC clients (10 in this example), the request is accepted.

·     If the number of clients using high-priority AC queues is equal to the maximum number of high-priority AC clients (10 in this example), the request is rejected. The AP decreases the priority of packets from the client.

SVP mapping configuration example

Network requirements

As shown in Figure 60, configure SVP mapping on the AC to assign SVP packets to the AC-VO queue. Set ECWmin and ECWmax to 0 for the AC-VO queue of the AP.

Figure 60 Network diagram

 

Configuration procedure

1.     Create a service template named market, set the SSID to market, and enable the service template.

<AC> system-view

[AC] wlan service-template market

[AC-wlan-st-market] ssid market

[AC-wlan-st-market] service-template enable

[AC-wlan-st-market] quit

2.     Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

3.     Configure SVP mapping:

# Enable WMM.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] wmm enable

# Assign SVP packets to the AC-VO queue, and set EDCA parameters of AC-VO queues for clients.

[AC-wlan-ap-ap1-radio-1] wmm svp map-ac ac-vo

[AC-wlan-ap-ap1-radio-1] edca client ac-vo ecw ecwmin 0 ecwmax 0

# Bind service template market to radio 1, and enable the radio.

[AC-wlan-ap-ap1-radio-1] service-template market

[AC-wlan-ap-ap1-radio-1] radio enable

Verifying the configuration

# Verify that the AC assigns SVP packets to the AC-VO queue if a non-WMM client comes online and sends SVP packets to the AC.

Traffic differentiation configuration example

Network requirements

As shown in Figure 61, configure priority mapping on the AC to add 802.11 packets from the client to the AC-VO queue.

Figure 61 Network diagram

 

Configuration procedure

# Create a service template named market, and set the SSID to market.

<AC> system-view

[AC] wlan service-template market

[AC-wlan-st-market] ssid market

# Configure priority mapping, and enable the service template.

[AC-wlan-st-market] qos priority 7

[AC-wlan-st-market] service-template enable

[AC-wlan-st-market] quit

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Enable WMM.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] wmm enable

# Bind service template market to radio 1, and enable radio 1.

[AC-wlan-ap-ap1-radio-1] service-template market

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Verify that packets from the client have been added to the AC-VO queue.

[AC] display wlan statistics client

MAC address                  : 0015-005e-97cc

 AP name                      : ap1

 Radio ID                     : 1

 SSID                         : market

 BSSID                        : 5866-ba74-e570

 RSSI                         : 27

 Sent frames:

   Back ground                : 0/0 (frames/bytes)

   Best effort                : 0/0 (frames/bytes)

   Video                      : 0/0 (frames/bytes)

   Voice                      : 14/1092 (frames/bytes)

 Received frames:

   Back ground                : 0/0 (frames/bytes)

   Best effort                : 66/8177 (frames/bytes)

   Video                      : 0/0 (frames/bytes)

   Voice                      : 0/0 (frames/bytes)

 Discarded frames:

   Back ground                : 0/0 (frames/bytes)

   Best effort                : 0/0 (frames/bytes)

   Video                      : 0/0 (frames/bytes)

   Voice                      : 0/0 (frames/bytes)

Bandwidth guaranteeing configuration example

Network requirements

As shown in Figure 62, Clients 1, 2, and 3 access the network through SSIDs research, office, and entertain, respectively.

For the network to operate correctly, guarantee 20% of the bandwidth for SSID office, 80% for research, and none for entertain.

Figure 62 Network diagram

 

Configuration procedure

# Create a service template named office, set the SSID to office, and enable the service template.

<AC> system-view

[AC] wlan service-template office

[AC-wlan-st-office] ssid office

[AC-wlan-st-office] service-template enable

[AC-wlan-st-office] quit

# Create a service template named research, set the SSID to research, and enable the service template.

[AC] wlan service-template research

[AC-wlan-st-research] ssid research

[AC-wlan-st-research] service-template enable

[AC-wlan-st-research] quit

# Create a service template named entertain, set the SSID to entertain, and enable the service template.

[AC] wlan service-template entertain

[AC-wlan-st-entertain] ssid entertain

[AC-wlan-st-entertain] service-template enable

[AC-wlan-st-entertain] quit

# Set the maximum bandwidth to 10000 Kbps for the 802.11ac radio.

[AC] wlan max-bandwidth dot11ac 10000

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Set the radio type to dot11ac for radio 1, bind service templates office, research, and entertain to radio 1, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] type dot11ac

[AC-wlan-ap-ap1-radio-1] service-template office

[AC-wlan-ap-ap1-radio-1] service-template research

[AC-wlan-ap-ap1-radio-1] service-template entertain

[AC-wlan-ap-ap1-radio-1] radio enable

# Enable bandwidth guaranteeing.

[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee enable

# Set the guaranteed bandwidth percentage to 20% for service template office and 80% for service template research.

[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee service-template office percent 20

[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee service-template research percent 80

[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Verify that the rate of traffic from the AP to any client is not limited when the total traffic rate is lower than 10000 Kbps.

# Send traffic from the AP to Client 1 and Client 2 at a rate of over 2000 Kbps and over 8000 Kbps, respectively, to verify the following items:

·     The AP sends traffic to Client 1 at 2000 Kbps.

·     The AP sends traffic to Client 2 at 8000 Kbps.

·     The rate of traffic from the AP to Client 3 is limited.

Client rate limiting configuration example

Network requirements

As shown in Figure 63, the AC is in the same network as the AP. Perform the following tasks on the AC:

·     Configure static mode client rate limiting to limit the rate of incoming client traffic.

·     Configure dynamic mode client rate limiting to limit the rate of outgoing client traffic.

Figure 63 Network diagram

 

Configuration procedure

# Create a service template named service, and set its SSID to service.

<AC> system-view

[AC] wlan service-template service

[AC-wlan-st-service] ssid service

# Enable client rate limiting for service template service, and configure client rate limiting as follows:

·     Limit the rate of incoming traffic to 8000 Kbps in static mode.

·     Limit the rate of outgoing traffic to 8000 Kbps in dynamic mode.

[AC-wlan-st-service] client-rate-limit enable

[AC-wlan-st-service] client-rate-limit inbound mode static cir 8000

[AC-wlan-st-service] client-rate-limit outbound mode dynamic cir 8000

[AC-wlan-st-service] service-template enable

[AC-wlan-st-service] quit

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Bind service template service to radio 1, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template service

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

 


Configuring WLAN roaming

Overview

WLAN roaming enables clients to seamlessly roam among APs in an ESS while retaining their IP address and authorization information during the roaming process.

H3C ACs also support fast roaming, which enables RSN + 802.1X clients to roam to a new AP without being authenticated again.

Terminology

·     Inter Access Controller Tunneling Protocol—IACTP is an H3C-proprietary protocol that provides a generic packet encapsulation and transport mechanism for ACs to securely communicate with each other. ACs providing roaming services establish an IACTP tunnel with each other to exchange control messages and client information.

·     Home AC—A home AC is an AC that manages the AP with which a wireless client associates for the first time.

·     Foreign AC—A foreign AC is an AC with which a client associates after inter-AC roaming.

WLAN roaming mechanism

Clients can roam between APs managed by ACs in the same mobility group.

Intra-AC roaming

Intra-AC roaming enables clients to roam among APs that are managed by the same AC.

Figure 64 Intra-AC roaming

 

As shown in Figure 64, intra-AC roaming uses the following procedure:

1.     The client comes online from AP 1, and the AC creates a roaming entry for the client.

2.     The client roams to AP 2. The AC examines the roaming entry for the client and determines whether to perform fast roaming.

If the client is an RSN + 802.1X client, fast roaming is used, and the client can be associated with AP 2 without reauthentication. If it is not, the client needs to be reauthenticated before being associated with AP 2.

Inter-AC roaming

Inter-AC roaming enables clients to roam among APs that are managed by different ACs. These ACs must be in the same mobility group and have established an IACTP tunnel with each other.

Figure 65 Inter-AC roaming

 

As shown in Figure 65, inter-AC roaming uses the following procedure:

1.     The client comes online from AP 2. AC 1 creates a roaming entry for the client and sends the information to AC 2 through the IACTP tunnel.

2.     The client roams to AP 3. AC 2 examines the roaming entry for the client and determines whether to perform fast roaming.

If the client is an RSN + 802.1X client, fast roaming is used, and the client can be associated with AP 3 without reauthentication. If it is not, the client needs to be reauthenticated before being associated with AP 3.

3.     The client associates with AP 3. AC 2 sends a roaming request to AC 1.

4.     AC 1 verifies the roaming request and performs either of the following operations:

○     Sends a roaming response that indicates roaming failure to AC 2 if the request is invalid. AC 2 logs off the client.

○     Saves the roaming trace and roam-out information and sends a roaming response that indicates roaming success to AC 2 if the request is valid. AC 2 saves roaming-in information for the client.

Configuration restrictions and guidelines

When you configure WLAN roaming, follow these restrictions and guidelines:

·     For a service template where an AP is configured as the client authenticator, WLAN roaming is not supported. For more information about WLAN authentication, see "WLAN authentication overview" and "Configuring WLAN authentication."

·     For RSN + 802.1X clients from different VLANs to roam between ACs within a mobility group, make sure uplink interfaces of the member ACs permit all client VLANs.

Configuration task list

Tasks at a glance

(Required.) Creating a mobility group

(Optional.) Setting an authentication mode for IACTP control messages

(Required.) Specifying an IP address type for IACTP tunnels

(Required.) Specifying the source IP address for establishing IACTP tunnels

(Required.) Adding a mobility group member

(Required.) Enabling a mobility group

(Optional.) Enabling tunnel isolation for mobility groups

(Optional.) Enabling SNMP notifications for WLAN roaming

 

Creating a mobility group

For inter-AC roaming to operate correctly, create the same mobility group and add members to each AC in the mobility group.

To create a mobility group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a mobility group.

wlan mobility group group-name

By default, no mobility group exists on the AC.

You can create only one mobility group on the AC.

 

Setting an authentication mode for IACTP control messages

This feature enables the AC to verify the integrity of control messages transmitted over IACTP tunnels. WLAN roaming supports only the 128-bit MD5 algorithm.

To set an authentication mode for IACTP control messages:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter mobility group view.

wlan mobility group group-name

N/A

3.     Set an authentication mode for IACTP control messages.

authentication-mode authentication-mode { cipher | simple } authentication-key

By default, no authentication mode is set for IACTP control messages. The AC does not verify the integrity of IACTP control messages.

 

Specifying an IP address type for IACTP tunnels

You must specify an IP address type for IACTP tunnels after you create a mobility group.

To specify an IP address type for IACTP tunnels:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter mobility group view.

wlan mobility group group-name

N/A

3.     Specify an IP address type for IACTP tunnels.

tunnel-type { ipv4 | ipv6 }

By default, the IP address type for IACTP tunnels is IPv4.

You cannot specify both IPv4 and IPv6 address types for IACTP tunnels.

 

Specifying the source IP address for establishing IACTP tunnels

When you specify the source IP address for establishing IACTP tunnels, follow these restrictions and guidelines:

·     Make sure the mobility group is disabled before you specify the source IP address for establishing IACTP tunnels.

·     You can specify one IPv4 address, one IPv6 address, or both, but only the IP address type that is the same as the IP address type for IACTP tunnels takes effect.

To specify the source IP address for establishing IACTP tunnels:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter mobility group view.

wlan mobility group group-name

N/A

3.     Specify the source IP address for establishing IACTP tunnels.

source { ip ip-address | ipv6 ipv6-address }

By default, no source IP address is specified for establishing IACTP tunnels.

 

Adding a mobility group member

Members in a mobility group are identified by their IP addresses used to establish IACTP tunnels.

You can add both IPv4 and IPv6 members to a mobility group. Only members whose IP address type is the same as the IP address type of IACTP tunnels take effect.

An AC can belong to only one mobility group.

You can add a maximum of 31 IPv4 members and 31 IPv6 members to a mobility group.

You can specify VLANs for a member, so that other members in the mobility group can directly forward client data of the member from the specified VLANs. If you do not specify VLANs for the member, its client data cannot be directly forwarded by another member in the mobility group unless the clients roam to that member.

When you specify VLANs for a mobility group member, follow these restrictions and guidelines:

·     If a mobility group has multiple members, make sure no loops exist among IACTP tunnels between members within the mobility group.

·     Make sure the VLANs have not been used by interfaces or services.

·     Do not assign VLANs that have been specified for a member to interfaces or services.

To add a mobility group member:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter mobility group view.

wlan mobility group group-name

N/A

3.     Add a mobility group member.

member { ip ip-address | ipv6 ipv6-address } [ vlan vlan-id-list ]

By default, a mobility group does not have any members.

 

Enabling a mobility group

This feature enables the AC to establish IACTP tunnels and synchronize roaming entries with member ACs.

To enable a mobility group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter mobility group view.

wlan mobility group group-name

N/A

3.     Enable the mobility group.

group enable

By default, a mobility group is disabled.
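The rules from the preceding mobility group tasks (integrity checking off by default, address family matching for the source and members, the 31-member limit, and the group being disabled by default) can be checked before a script is applied. The following Python audit is an added example, not H3C code; the sample scripts are constructed, and the `md5` keyword and the key value are assumptions (the guide states only that 128-bit MD5 is supported).

```python
import ipaddress

MAX_MEMBERS_PER_FAMILY = 31  # maximum IPv4 and IPv6 members stated in the guide

# Constructed scripts, as typed in system view. "md5" and the key value are assumed.
SAMPLE_WEAK = """\
wlan mobility group campus
 tunnel-type ipv6
 source ip 10.1.0.1
 member ip 10.1.0.2 vlan 100 200
 member ipv6 2001:db8::2
"""
SAMPLE_OK = """\
wlan mobility group campus
 authentication-mode md5 cipher <ciphertext-placeholder>
 tunnel-type ipv4
 source ip 10.1.0.1
 member ip 10.1.0.2
 group enable
"""


def parse_group(text):
    """Collect mobility group settings, starting from the defaults in the guide."""
    g = {"name": None, "auth": None, "tunnel": "ipv4",
         "sources": {}, "members": [], "enabled": False}
    in_group = False
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if tok[:3] == ["wlan", "mobility", "group"] and len(tok) == 4:
            g["name"], in_group = tok[3], True
        elif not raw[0].isspace():
            in_group = False          # another top-level command: left the view
        elif not in_group:
            continue
        elif tok[0] == "authentication-mode" and len(tok) == 4:
            g["auth"] = {"mode": tok[1], "key_form": tok[2]}
        elif tok[0] == "tunnel-type" and len(tok) == 2:
            g["tunnel"] = tok[1]
        elif tok[0] == "source" and len(tok) == 3:
            g["sources"][tok[1]] = tok[2]    # keyed by CLI keyword: ip / ipv6
        elif tok[0] == "member" and len(tok) >= 3:
            g["members"].append((tok[1], tok[2]))
        elif tok == ["group", "enable"]:
            g["enabled"] = True
    return g


def _valid(keyword, addr):
    """True if addr parses as the family named by the CLI keyword (ip / ipv6)."""
    try:
        return ipaddress.ip_address(addr).version == (4 if keyword == "ip" else 6)
    except ValueError:
        return False


def audit_mobility_group(text):
    """Return (code, message) findings for one mobility group script."""
    g = parse_group(text)
    if g["name"] is None:
        return [("NO_GROUP", "no mobility group is configured")]
    findings = []
    want = "ip" if g["tunnel"] == "ipv4" else "ipv6"  # family that takes effect
    if g["auth"] is None:
        findings.append(("NO_IACTP_AUTH",
                         "IACTP control message integrity is not verified"))
    elif g["auth"]["key_form"] == "simple":
        # Comware "simple" means the key is typed in plaintext form.
        findings.append(("PLAINTEXT_KEY",
                         "authentication key appears in plaintext in the script"))
    src = g["sources"].get(want)
    if src is None or not _valid(want, src):
        findings.append(("NO_EFFECTIVE_SOURCE",
                         f"no valid source address matches tunnel-type {g['tunnel']}"))
    effective = [m for m in g["members"] if m[0] == want and _valid(*m)]
    for kw, addr in g["members"]:
        if (kw, addr) not in effective:
            findings.append(("MEMBER_IGNORED",
                             f"member {kw} {addr} does not take effect"))
    if not effective:
        findings.append(("NO_EFFECTIVE_MEMBER", "no member takes effect"))
    for kw in ("ip", "ipv6"):
        if sum(1 for m in g["members"] if m[0] == kw) > MAX_MEMBERS_PER_FAMILY:
            findings.append(("TOO_MANY_MEMBERS",
                             f"more than {MAX_MEMBERS_PER_FAMILY} {kw} members"))
    if not g["enabled"]:
        findings.append(("GROUP_DISABLED",
                         "group enable is missing; no IACTP tunnels are set up"))
    return findings


if __name__ == "__main__":
    for code, message in audit_mobility_group(SAMPLE_WEAK):
        print(f"{code}: {message}")
```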

 

Enabling tunnel isolation for mobility groups

Use this feature when loops exist among ACs in a mobility group. It prevents ACs from forwarding packets between tunnels in the mobility group and avoids broadcast storms.

To enable tunnel isolation for mobility groups:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable tunnel isolation for mobility groups.

wlan mobility-group-isolation enable

By default, tunnel isolation is enabled for mobility groups.

 

Enabling SNMP notifications for WLAN roaming

To report critical WLAN roaming events to an NMS, enable SNMP notifications for WLAN roaming. For WLAN roaming event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

To enable SNMP notifications for WLAN roaming:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable SNMP notifications for WLAN roaming.

snmp-agent trap enable wlan mobility

By default, SNMP notifications for WLAN roaming are disabled.

 

Displaying and maintaining WLAN roaming

Execute display commands in any view.

 

Task

Command

Display roam-track information for a client on the home AC.

display wlan mobility roam-track mac-address mac-address

Display mobility group information.

display wlan mobility group

Display information about clients that have roamed to or from the AC.

display wlan mobility { roam-in | roam-out } [ member { ip ipv4-address | ipv6 ipv6-address } ]

 

WLAN roaming configuration examples

Configuring intra-AC roaming

Network requirements

As shown in Figure 64, configure intra-AC roaming to enable the client to roam from AP 1 to AP 2, both of which are managed by the same AC.

Configuration procedures

# Create a service template named service, set the SSID to 1, and enable the service template.

<AC> system-view

[AC] wlan service-template service

[AC-wlan-st-service] ssid 1

[AC-wlan-st-service] service-template enable

[AC-wlan-st-service] quit

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Bind the service template to radio 1 of AP 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] service-template service

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

# Create a manual AP named ap2, and specify the AP model and serial ID.

[AC] wlan ap ap2 model WA536-WW

[AC-wlan-ap-ap2] serial-id 219801A1NQB117012946

# Bind the service template to radio 1 of AP 2.

[AC-wlan-ap-ap2] radio 1

[AC-wlan-ap-ap2-radio-1] radio enable

[AC-wlan-ap-ap2-radio-1] service-template service

[AC-wlan-ap-ap2-radio-1] quit

[AC-wlan-ap-ap2] quit

Verifying the configuration

# Get the client online on AP 1. (Details not shown.)

# Verify that the client associates with AP 1, and the roaming status is N/A, which indicates that the client has not performed any roaming.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                        : 9cd3-6d9e-6778

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 1

AP name                            : ap1

Radio ID                           : 1

SSID                               : 1

BSSID                              : 000f-e200-4444

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : Open system

Security mode                      : PRE-RSNA

AKM mode                           : Not configured

Cipher suite                       : N/A

User authentication mode           : Bypass

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : N/A

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 1minutes 13seconds

FT status                          : Inactive

# Verify that the AC has a roaming entry for the client.

[AC] display wlan mobility roam-track mac-address 9cd3-6d9e-6778

Total entries: 1

BSSID           Created at           Online time       AC IP address  RID  AP name

000f-e200-4444  2017-03-14 11:12:28  00hr 01min 16sec  127.0.0.1      1    ap1

# Make the client roam to AP 2. (Details not shown.)

# Verify that the client has associated with AP 2, and the roaming status is Intra-AC roam.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                        : 9cd3-6d9e-6778

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 2

AP name                            : ap2

Radio ID                           : 1

SSID                               : 1

BSSID                              : 000f-e203-7777

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : Open system

Security mode                      : PRE-RSNA

AKM mode                           : Not configured

Cipher suite                       : N/A

User authentication mode           : Bypass

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : Intra-AC roam

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 5minutes 13seconds

FT status                          : Inactive

# Verify that the AC has updated the roaming entry for the client.

[AC] display wlan mobility roam-track mac-address 9cd3-6d9e-6778

Total entries: 2

BSSID           Created at           Online time          AC IP address  RID  AP name

000f-e203-7777  2017-03-14 11:12:28  00hr 01min 02sec     127.0.0.1      1    ap2

000f-e200-4444  2017-03-14 11:12:04  00hr 03min 51sec     127.0.0.1      1    ap1

Configuring inter-AC roaming

Network requirements

As shown in Figure 65, configure inter-AC roaming so that the client can roam from AP 2 to AP 3, which are managed by different ACs.

Configuration procedures

1.     Configure AC 1:

# Create a service template named service, set the SSID to office, and enable the service template.

<AC1> system-view

[AC1] wlan service-template service

[AC1-wlan-st-service] ssid office

[AC1-wlan-st-service] service-template enable

[AC1-wlan-st-service] quit

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC1] wlan ap ap1 model WA536-WW

[AC1-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Bind the service template to radio 1 of AP 1.

[AC1-wlan-ap-ap1] radio 1

[AC1-wlan-ap-ap1-radio-1] radio enable

[AC1-wlan-ap-ap1-radio-1] service-template service

[AC1-wlan-ap-ap1-radio-1] quit

[AC1-wlan-ap-ap1] quit

# Create a manual AP named ap2, and specify the AP model and serial ID.

[AC1] wlan ap ap2 model WA536-WW

[AC1-wlan-ap-ap2] serial-id 219801A1NQB117012946

# Bind the service template to radio 1 of AP 2.

[AC1-wlan-ap-ap2] radio 1

[AC1-wlan-ap-ap2-radio-1] radio enable

[AC1-wlan-ap-ap2-radio-1] service-template service

[AC1-wlan-ap-ap2-radio-1] quit

[AC1-wlan-ap-ap2] quit

# Create a mobility group named office.

[AC1] wlan mobility group office

# Specify the IP address type for IACTP tunnels as IPv4.

[AC1-wlan-mg-office] tunnel-type ipv4

# Specify the source IP address for establishing IACTP tunnels as 10.1.4.22.

[AC1-wlan-mg-office] source ip 10.1.4.22

# Add AC 2 to the mobility group.

[AC1-wlan-mg-office] member ip 10.1.4.23

# Enable the mobility group.

[AC1-wlan-mg-office] group enable

[AC1-wlan-mg-office] quit

2.     Configure AC 2:

# Create a service template named service, specify the SSID as office, and enable the service template.

<AC2> system-view

[AC2] wlan service-template service

[AC2-wlan-st-service] ssid office

[AC2-wlan-st-service] service-template enable

[AC2-wlan-st-service] quit

# Create a manual AP named ap3, and specify the AP model and serial ID.

[AC2] wlan ap ap3 model WA536-WW

[AC2-wlan-ap-ap3] serial-id 219801A1NQB117012957

# Bind the service template to radio 1 of AP 3.

[AC2-wlan-ap-ap3] radio 1

[AC2-wlan-ap-ap3-radio-1] radio enable

[AC2-wlan-ap-ap3-radio-1] service-template service

[AC2-wlan-ap-ap3-radio-1] quit

[AC2-wlan-ap-ap3] quit

# Create a manual AP named ap4, and specify the AP model and serial ID.

[AC2] wlan ap ap4 model WA536-WW

[AC2-wlan-ap-ap4] serial-id 219801A1NQB117012988

# Bind the service template to radio 1 of AP 4.

[AC2-wlan-ap-ap4] radio 1

[AC2-wlan-ap-ap4-radio-1] radio enable

[AC2-wlan-ap-ap4-radio-1] service-template service

[AC2-wlan-ap-ap4-radio-1] quit

[AC2-wlan-ap-ap4] quit

# Create a mobility group named office.

[AC2] wlan mobility group office

# Specify the IP address type for IACTP tunnels as IPv4.

[AC2-wlan-mg-office] tunnel-type ipv4

# Specify the source IP address for establishing IACTP tunnels as 10.1.4.23.

[AC2-wlan-mg-office] source ip 10.1.4.23

# Add AC 1 to the mobility group.

[AC2-wlan-mg-office] member ip 10.1.4.22

# Enable the mobility group.

[AC2-wlan-mg-office] group enable

[AC2-wlan-mg-office] quit

Verifying the configuration

# Verify that a mobility group has been created on AC 1.

[AC1] display wlan mobility group

Mobility group name: office

 Tunnel type: IPv4

 Source IPv4: 10.1.4.22

 Source IPv6: Not configured

 Authentication method: Not configured

 Mobility group status: Enabled

 Member entries: 1

 IP address                              State          Online time

 10.1.4.23                               Up             00hr 00min 12sec

# Verify that a mobility group has been created on AC 2.

[AC2] display wlan mobility group

Mobility group name: office

 Tunnel type: IPv4

 Source IPv4: 10.1.4.23

 Source IPv6: Not configured

 Authentication method: Not configured

 Mobility group status: Enabled

 Member entries: 1

 IP address                              State          Online time

 10.1.4.22                               Up             00hr 00min 05sec

# Get the client online on AP 2 and then make the client roam to AP 3. (Details not shown.)

# Display client roaming information on AC 1 to verify that the client came online from AP 2 and roamed to AP 3.

[AC1] display wlan mobility roam-track mac-address 9cd3-6d9e-6778

Total entries: 2

BSSID           Created at           Online time       AC IP address  RID  AP name

000f-e203-8889  2017-03-14 11:12:28  00hr 06min 56sec  10.1.4.23      1    ap3

000f-e203-7777  2017-03-14 11:11:28  00hr 03min 30sec  127.0.0.1      1    ap2

# On AC 1, verify that the client has roamed to AC 2.

<AC1> display wlan mobility roam-out

Total entries: 1

MAC address     BSSID           VLAN ID  Online time       FA IP address

9cd3-6d9e-6778  000f-e203-8889  1        00hr 01min 59sec  10.1.4.23

# On AC 2, verify that the client has associated with AP 3, and the roaming status is Inter-AC roam.

<AC2> display wlan client verbose

Total number of clients: 1

 

MAC address                        : 9cd3-6d9e-6778

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 3

AP name                            : ap3

Radio ID                           : 1

SSID                               : 1

BSSID                              : 000f-e203-8889

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : Open system

Security mode                      : PRE-RSNA

AKM mode                           : Not configured

Cipher suite                       : N/A

User authentication mode           : Bypass

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : Inter-AC roam

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 5minutes 13seconds

FT status                          : Inactive

# Verify that the client has roamed from AC 1 to AC 2.

<AC2> display wlan mobility roam-in

Total entries: 1

MAC address     BSSID           VLAN ID  HA IP address

9cd3-6d9e-6778  000f-e203-8889  1        10.1.4.22
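The manual cross-check above can be scripted. The following is an added example, not part of the H3C guide: it parses the display outputs shown above (abridged copies are embedded), confirms that the roam-out entry on the HA (AC 1) and the roam-in entry on the FA (AC 2) describe the same roam over an Up tunnel, and reports mobility groups whose Authentication method field reads Not configured. The function names and finding strings are assumptions made for this example.

```python
import re

# Abridged copies of the outputs shown above (HA = AC 1, FA = AC 2).
AC1_GROUP = """\
Mobility group name: office
 Tunnel type: IPv4
 Source IPv4: 10.1.4.22
 Authentication method: Not configured
 Mobility group status: Enabled
 IP address                              State          Online time
 10.1.4.23                               Up             00hr 00min 12sec
"""
AC2_GROUP = """\
Mobility group name: office
 Tunnel type: IPv4
 Source IPv4: 10.1.4.23
 Authentication method: Not configured
 Mobility group status: Enabled
 IP address                              State          Online time
 10.1.4.22                               Up             00hr 00min 05sec
"""
AC1_ROAM_OUT = """\
Total entries: 1
MAC address     BSSID           VLAN ID  Online time       FA IP address
9cd3-6d9e-6778  000f-e203-8889  1        00hr 01min 59sec  10.1.4.23
"""
AC2_ROAM_IN = """\
Total entries: 1
MAC address     BSSID           VLAN ID  HA IP address
9cd3-6d9e-6778  000f-e203-8889  1        10.1.4.22
"""

MAC = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_group(text):
    """Parse 'display wlan mobility group' output (IPv4 tunnels only)."""
    group = {"members": {}}
    for line in text.splitlines():
        line = line.strip()
        if ":" in line:                       # "Field: value" lines
            key, _, value = line.partition(":")
            group[key.strip()] = value.strip()
        else:                                 # member rows: IP, state, time
            cols = line.split()
            if len(cols) >= 2 and IPV4.match(cols[0]):
                group["members"][cols[0]] = cols[1]
    return group


def parse_roam(text):
    """Parse roam-out or roam-in output; the last column is the peer AC."""
    entries = {}
    for line in text.splitlines():
        cols = line.split()
        if cols and MAC.match(cols[0]):
            entries[cols[0]] = {"bssid": cols[1], "vlan": cols[2],
                                "peer": cols[-1]}
    return entries


def check_inter_ac_roam(mac, ha_group, ha_roam_out, fa_group, fa_roam_in):
    """Return a list of findings; an empty list means nothing to report."""
    ha, fa = parse_group(ha_group), parse_group(fa_group)
    out = parse_roam(ha_roam_out).get(mac)
    inn = parse_roam(fa_roam_in).get(mac)
    findings = []
    if out is None:
        findings.append("HA: no roam-out entry for client")
    if inn is None:
        findings.append("FA: no roam-in entry for client")
    if out and inn:
        if (out["bssid"], out["vlan"]) != (inn["bssid"], inn["vlan"]):
            findings.append("BSSID/VLAN differ between roam-out and roam-in")
        if out["peer"] != fa.get("Source IPv4"):
            findings.append("HA: FA IP address is not the FA tunnel source")
        if inn["peer"] != ha.get("Source IPv4"):
            findings.append("FA: HA IP address is not the HA tunnel source")
    if out and ha["members"].get(out["peer"]) != "Up":
        findings.append("HA: tunnel to FA is not Up")
    if inn and fa["members"].get(inn["peer"]) != "Up":
        findings.append("FA: tunnel to HA is not Up")
    for role, group in (("HA", ha), ("FA", fa)):
        if group.get("Authentication method") == "Not configured":
            findings.append(role + ": mobility group authentication method "
                            "not configured")
    return findings


if __name__ == "__main__":
    for finding in check_inter_ac_roam("9cd3-6d9e-6778", AC1_GROUP,
                                       AC1_ROAM_OUT, AC2_GROUP, AC2_ROAM_IN):
        print(finding)
```

For the outputs in this example the roam entries are consistent, and the only findings are the two mobility groups that report no authentication method.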


Configuring WLAN load balancing

This chapter assumes that an AP has only one radio enabled.

Overview

WLAN load balancing dynamically balances client load across APs to ensure wireless service quality and adequate bandwidth for clients in high-density WLANs.

Implementation prerequisites

To implement WLAN load balancing among specific APs, the APs must be managed by the same AC, and the clients must be able to discover the APs. As shown in Figure 66, load balancing is enabled on AP 1, AP 2, and AP 3, which are managed by the same AC. AP 3 has reached its maximum load. When Client 5 tries to associate with AP 3, the AC rejects the association request and directs Client 5 to AP 1 or AP 2. However, if Client 5 can only discover AP 3, it continues to send association requests to AP 3. If the number of times that AP 3 rejects Client 5 reaches the specified maximum number of denials for association requests, AP 3 accepts Client 5's association request.

Figure 66 Implementation prerequisites

 

Work mechanism

The AC performs load balancing when the following conditions are met:

·     The load of an AP reaches the threshold.

·     The load gap between the AP and the AP that has the lightest load reaches the load gap threshold.

When the load and load gap for the AP reach their respective thresholds, the AP rejects the association request of a client. If the number of times that the AP rejects the client reaches the specified maximum number of denials for association requests, the AP accepts the client's association request.

Load balancing modes

The AC supports session-mode, traffic-mode, and bandwidth-mode load balancing. It performs load balancing of a specific mode when the following conditions are met:

·     The specified session/traffic/bandwidth threshold is reached.

·     The specified session/traffic/bandwidth gap threshold is reached.

Session-mode load balancing

As shown in Figure 67, Client 1 associates with AP 1, and Client 2 through Client 4 associate with AP 2. Assume that the session threshold and session gap threshold are set to 3 and 2, respectively. When Client 5 tries to associate with AP 2, AP 2 rejects the request because both the session threshold and session gap threshold are reached.

Figure 67 Session-mode load balancing

 

Traffic-mode load balancing

As shown in Figure 68, Client 1 associates with AP 1, and Client 2 associates with AP 2. When the traffic of AP 1 and the traffic gap between AP 1 and AP 2 reach their respective thresholds, AP 1 rejects the association request from Client 3.

Figure 68 Traffic-mode load balancing

 

Bandwidth-mode load balancing

As shown in Figure 69, Client 1 associates with AP 1, and Client 2 associates with AP 2. When the bandwidth of AP 1 and the bandwidth gap between AP 1 and AP 2 reach their respective thresholds, AP 1 rejects the association request from Client 3.

Figure 69 Bandwidth-mode load balancing

 

Load balancing types

The AC supports the following load balancing types:

·     Radio based—The AC determines the APs that will participate in load balancing based on the neighbor reports of the APs. The neighbor report of an AP records the MAC address and RSSI value of each client that is detected by the AP. The AC determines that an AP will participate in load balancing when either of the following conditions is met:

○     A client requests to associate with the AP and the AP detects that the RSSI of the client is lower than the RSSI threshold.

○     The AP detects that a client's RSSI has reached the RSSI threshold but the client does not request to associate with the AP.

·     Load balancing group based—You add the radios of desired APs to a load balancing group. The AC does not perform load balancing on radios that do not belong to the load balancing group.

Configuration task list

Tasks at a glance | Remarks
(Required.) Enabling WLAN load balancing | N/A
(Required.) Setting a load balancing mode | N/A
(Optional.) Configuring a load balancing group | If you do not create any load balancing groups, the AC performs radio-based load balancing.
(Optional.) Configuring load balancing parameters | N/A
(Optional.) Enabling SNMP notifications for WLAN load balancing | N/A

 

Configuring WLAN load balancing

Before you configure load balancing, make sure the fast association function is disabled. For more information about fast association, see "Configuring WLAN access."

Enabling WLAN load balancing

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable WLAN load balancing. | wlan load-balance enable | By default, WLAN load balancing is disabled.

 

Setting a load balancing mode

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set a load balancing mode. | Set session-mode load balancing: wlan load-balance mode session value [ gap gap-value ]; set traffic-mode load balancing: wlan load-balance mode traffic value [ gap gap-value ]; set bandwidth-mode load balancing: wlan load-balance mode bandwidth value [ gap gap-value ] | By default, session-mode load balancing is used.

 

Configuring a load balancing group

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create a load balancing group and enter its view. | wlan load-balance group group-id | By default, no load balancing group exists.
3. Add a radio of an AP to the load balancing group. | ap name ap-name radio radio-id | By default, no radio exists in the load balancing group.
4. (Optional.) Set a description for the load balancing group. | description text | By default, no description is set for the load balancing group.

 

Configuring load balancing parameters

The following parameters affect load balancing calculation:

·     Load balancing RSSI threshold—If an AP detects that the RSSI of a client is lower than the specified RSSI threshold, the AP performs either of the following operations:

○     If multiple APs can detect the client, the AP participates in load balancing only when the client requests to associate with the AP.

○     If only this AP can detect the client, the AP decreases the maximum number of denials to 1 so that the client has more chances to associate with the AP.

·     Maximum number of denials for association requests—If the number of times that an AP rejects a client reaches the specified maximum number of denials for association requests, the AP accepts the association request of the client.

To configure load balancing parameters:

 

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the RSSI threshold. | wlan load-balance rssi-threshold rssi-threshold | By default, the RSSI threshold is 25.
3. Set the maximum number of denials for association requests. | wlan load-balance access-denial access-denial | By default, the maximum number of denials is 10 for association requests.
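To make the interaction of the threshold, the gap threshold, and the two parameters above concrete, here is a small model of the session-mode decision. It is an added example, not H3C code. It assumes that "reaches" means greater than or equal to, that the load gap is measured against the lightest-loaded radio in the set, and that a client is accepted on the first request after the rejection count has reached the limit; the class and function names are made up for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SessionBalancer:
    sessions: dict              # radio name -> current number of sessions
    threshold: int = 3          # as in: wlan load-balance mode session 3 gap 2
    gap: int = 2
    max_denials: int = 10       # default stated in the table above
    rssi_threshold: int = 25    # default stated in the table above
    denied: dict = field(default_factory=dict)  # (client, radio) -> rejections

    def overloaded(self, radio):
        """Both conditions from 'Work mechanism' must hold (assumed >=)."""
        load = self.sessions[radio]
        lightest = min(self.sessions.values())
        return load >= self.threshold and load - lightest >= self.gap

    def denial_limit(self, radio, rssi_seen):
        """A weak client that only this radio detects gets a limit of 1."""
        weak = rssi_seen[radio] < self.rssi_threshold
        only_here = len(rssi_seen) == 1
        return 1 if (weak and only_here) else self.max_denials

    def request(self, client, radio, rssi_seen):
        """rssi_seen maps each radio that detects the client to its RSSI."""
        if radio not in rssi_seen:
            raise ValueError("target radio does not detect the client")
        key = (client, radio)
        if self.overloaded(radio):
            rejected = self.denied.get(key, 0)
            if rejected < self.denial_limit(radio, rssi_seen):
                self.denied[key] = rejected + 1
                return "reject"
        # Not overloaded, or the denial limit has been reached: admit.
        self.denied.pop(key, None)
        self.sessions[radio] += 1
        return "accept"


def figure67():
    """State before Client 5 arrives: 1 session on AP 1, 3 on AP 2."""
    return SessionBalancer(sessions={"ap1": 1, "ap2": 3})


def attempts_until_accepted(balancer, client, radio, rssi_seen, cap=50):
    """Number of association requests the client sends before admission."""
    for attempt in range(1, cap + 1):
        if balancer.request(client, radio, rssi_seen) == "accept":
            return attempt
    return None


if __name__ == "__main__":
    ac = figure67()
    both = {"ap1": 40, "ap2": 45}            # constructed RSSI values
    print(ac.request("client5", "ap2", both))  # steered away from AP 2
    print(ac.request("client5", "ap1", both))  # admitted on AP 1
    print(attempts_until_accepted(figure67(), "client6", "ap2", {"ap2": 40}))
    print(attempts_until_accepted(figure67(), "client7", "ap2", {"ap2": 20}))
```

The model shows that a rejection steers a client rather than blocking it: a client that keeps requesting the same radio is admitted once the denial limit is reached.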

 

Enabling SNMP notifications for WLAN load balancing

To report critical WLAN load balancing events to an NMS, enable SNMP notifications for WLAN load balancing. For WLAN load balancing event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

To enable SNMP notifications for WLAN load balancing:

 

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable SNMP notifications for WLAN load balancing. | snmp-agent trap enable wlan load-balance | By default, SNMP notifications for WLAN load balancing are disabled.

 

Displaying and maintaining WLAN load balancing

Execute the display command in any view.

 

Task | Command
Display load balancing group information. | display wlan load-balance group { group-id | all }

 

WLAN load balancing configuration examples (for radios)

Configuring session-mode load balancing

Network requirements

As shown in Figure 70, AP 1 and AP 2 are managed by the AC and the clients can discover the APs.

Configure the AC to perform session-mode load balancing on AP 1 and AP 2 when the following conditions are met:

·     The number of sessions on one AP reaches 3.

·     The session gap between the APs reaches 2.

Figure 70 Network diagram

 

Configuration procedure

# Create wireless service template 1, and set its SSID to session-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid session-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create the AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create the AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA536-WW

[AC-wlan-ap-ap2] serial-id 219801A1NQB117012945

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Set the load balancing mode to session mode, and set the session threshold and session gap threshold to 3 and 2, respectively.

[AC] wlan load-balance mode session 3 gap 2

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs session-mode load balancing for AP 1 and AP 2 when the following conditions are met:

·     The number of sessions on one AP reaches 3.

·     The session gap between the APs reaches 2. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)

Configuring traffic-mode load balancing

Network requirements

As shown in Figure 71, AP 1 and AP 2 are managed by the AC and the clients can discover the APs. The maximum bandwidth for each AP is 150 Mbps.

Configure the AC to perform traffic-mode load balancing on AP 1 and AP 2 when the following conditions are met:

·     The traffic of one AP reaches 30 Mbps (20% of the maximum bandwidth).

·     The traffic gap between the APs reaches 15 Mbps (10% of the maximum bandwidth).

Figure 71 Network diagram

 

Configuration procedure

# Create wireless service template 1, and set its SSID to traffic-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid traffic-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create the AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create the AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA536-WW

[AC-wlan-ap-ap2] serial-id 219801A1NQB117012945

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Set the load balancing mode to traffic mode, and set the traffic threshold and traffic gap threshold to 20% and 10%, respectively.

[AC] wlan load-balance mode traffic 20 gap 10

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs traffic-mode load balancing for AP 1 and AP 2 when the following conditions are met:

·     The traffic of one AP reaches 30 Mbps.

·     The traffic gap between the APs reaches 15 Mbps. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)

Configuring bandwidth-mode load balancing

Network requirements

As shown in Figure 72, AP 1 and AP 2 are managed by the AC and the clients can discover the APs.

Configure the AC to perform bandwidth-mode load balancing on AP 1 and AP 2 when the following conditions are met:

·     The bandwidth of one AP reaches 12 Mbps.

·     The bandwidth gap between the APs reaches 3 Mbps.

Figure 72 Network diagram

 

Configuration procedure

# Create wireless service template 1, and set its SSID to bandwidth-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid bandwidth-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create the AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create the AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA536-WW

[AC-wlan-ap-ap2] serial-id 219801A1NQB117012945

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Set the load balancing mode to bandwidth mode, and set the bandwidth threshold and bandwidth gap threshold to 12 Mbps and 3 Mbps, respectively.

[AC] wlan load-balance mode bandwidth 12 gap 3

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs bandwidth-mode load balancing for AP 1 and AP 2 when the following conditions are met:

·     The bandwidth of one AP reaches 12 Mbps.

·     The bandwidth gap between the APs reaches 3 Mbps. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)

WLAN load balancing configuration examples (for a load balancing group)

Configuring session-mode load balancing

Network requirements

As shown in Figure 73, AP 1, AP 2, and AP 3 are managed by the AC and the clients can discover the APs.

Configure the AC to perform session-mode load balancing on radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·     The number of sessions on one radio reaches 3.

·     The session gap between the radios reaches 2.

Figure 73 Network diagram

 

Configuration procedure

# Create wireless service template 1, and set its SSID to session-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid session-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create the AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create the AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA536-WW

[AC-wlan-ap-ap2] serial-id 219801A1NQB117012945

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Create the AP template ap3, and specify the model and serial ID.

[AC] wlan ap ap3 model WA536-WW

[AC-wlan-ap-ap3] serial-id 219801A1NQB117012938

# Bind service template 1 to radio 2 of AP 3.

[AC-wlan-ap-ap3] radio 2

[AC-wlan-ap-ap3-radio-2] service-template 1

[AC-wlan-ap-ap3-radio-2] radio enable

[AC-wlan-ap-ap3-radio-2] quit

[AC-wlan-ap-ap3] quit

# Set the load balancing mode to session mode, and set the session threshold and session gap threshold to 3 and 2, respectively.

[AC] wlan load-balance mode session 3 gap 2

# Create load balancing group 1.

[AC] wlan load-balance group 1

# Add radio 2 of AP 1 and radio 2 of AP 2 to load balancing group 1.

[AC-wlan-lb-group-1] ap name ap1 radio 2

[AC-wlan-lb-group-1] ap name ap2 radio 2

[AC-wlan-lb-group-1] quit

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs session-mode load balancing for radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·     The number of sessions on one radio reaches 3.

·     The session gap between the radios reaches 2. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)

Configuring traffic-mode load balancing

Network requirements

As shown in Figure 74, AP 1, AP 2, and AP 3 are managed by the AC and the clients can discover the APs. The maximum bandwidth for each AP is 150 Mbps.

Configure the AC to perform traffic-mode load balancing on radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·     The traffic of one radio reaches 30 Mbps (20% of the maximum bandwidth).

·     The traffic gap between the radios reaches 15 Mbps (10% of the maximum bandwidth).

Figure 74 Network diagram

 

Configuration procedure

# Create wireless service template 1, and set its SSID to traffic-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid traffic-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create the AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create the AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA536-WW

[AC-wlan-ap-ap2] serial-id 219801A1NQB117012945

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Create the AP template ap3, and specify the model and serial ID.

[AC] wlan ap ap3 model WA536-WW

[AC-wlan-ap-ap3] serial-id 219801A1NQB117012938

# Bind service template 1 to radio 2 of AP 3.

[AC-wlan-ap-ap3] radio 2

[AC-wlan-ap-ap3-radio-2] service-template 1

[AC-wlan-ap-ap3-radio-2] radio enable

[AC-wlan-ap-ap3-radio-2] quit

[AC-wlan-ap-ap3] quit

# Set the load balancing mode to traffic mode, and set the traffic threshold and traffic gap threshold to 20% and 10%, respectively.

[AC] wlan load-balance mode traffic 20 gap 10

# Create load balancing group 1.

[AC] wlan load-balance group 1

# Add radio 2 of AP 1 and radio 2 of AP 2 to load balancing group 1.

[AC-wlan-lb-group-1] ap name ap1 radio 2

[AC-wlan-lb-group-1] ap name ap2 radio 2

[AC-wlan-lb-group-1] quit

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs traffic-mode load balancing for radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·     The traffic of one radio reaches 30 Mbps.

·     The traffic gap between the radios reaches 15 Mbps. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)

Configuring bandwidth-mode load balancing

Network requirements

As shown in Figure 75, AP 1, AP 2, and AP 3 are managed by the AC and the clients can discover the APs.

Configure the AC to perform bandwidth-mode load balancing on radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·     The bandwidth of one radio reaches 12 Mbps.

·     The bandwidth gap between the radios reaches 3 Mbps.

Figure 75 Network diagram

 

Configuration procedure

# Create wireless service template 1, and set its SSID to bandwidth-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid bandwidth-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create the AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create the AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA536-WW

[AC-wlan-ap-ap2] serial-id 219801A1NQB117012945

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Create the AP template ap3, and specify the model and serial ID.

[AC] wlan ap ap3 model WA536-WW

[AC-wlan-ap-ap3] serial-id 219801A1NQB117012939

# Bind service template 1 to radio 2 of AP 3.

[AC-wlan-ap-ap3] radio 2

[AC-wlan-ap-ap3-radio-2] service-template 1

[AC-wlan-ap-ap3-radio-2] radio enable

[AC-wlan-ap-ap3-radio-2] quit

[AC-wlan-ap-ap3] quit

# Set the load balancing mode to bandwidth mode, and set the bandwidth threshold and bandwidth gap threshold to 12 Mbps and 3 Mbps, respectively.

[AC] wlan load-balance mode bandwidth 12 gap 3

# Create load balancing group 1.

[AC] wlan load-balance group 1

# Add radio 2 of AP 1 and radio 2 of AP 2 to load balancing group 1.

[AC-wlan-lb-group-1] ap name ap1 radio 2

[AC-wlan-lb-group-1] ap name ap2 radio 2

[AC-wlan-lb-group-1] quit

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs bandwidth-mode load balancing for radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·     The bandwidth of one radio reaches 12 Mbps.

·     The bandwidth gap between the radios reaches 3 Mbps. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)


Configuring WLAN radio resource measurement

Overview

WLAN radio resource measurement measures channel quality and radio performance. It enables clients and APs to learn the wireless environment and use wireless resources such as spectrum, power, and bandwidth more effectively.

WLAN radio resource measurement includes 802.11h measurement and 802.11k measurement.

802.11h measurement

802.11h measurement measures channels in the 5 GHz band. Table 32 lists the measurement types it supports.

Table 32 802.11h measurement

| Type | Subtype | Description |
| --- | --- | --- |
| Spectrum management measurement | Basic | Measures whether a client has detected any of the following: packets from other BSSs, OFDM preambles, radar signals, or unknown signals. |
| Spectrum management measurement | Clear Channel Assessment (CCA) | Measures the percentage of busy time for a channel to the total measurement period. |
| Spectrum management measurement | Receive Power Indication (RPI) | Measures the percentage of time for different RPI ranges to the total measurement period. |
| Transmit Power Control (TPC) measurement | | Measures the link redundancy and transmission power for clients. |

 

802.11h measurement operates in the following procedure:

1.     An AP sets the Spectrum Mgmt field to 1 in beacons, probe responses, association responses, or reassociation responses to notify the clients that they can send 802.11h measurement requests.

2.     Upon receiving a measurement request from a client, the AP performs the required measurement and sends a report to the client.

The AP can also send measurement requests periodically to clients and collect measurement reports from clients.

802.11k measurement

802.11k measurement measures channels in both the 2.4 GHz and 5 GHz bands. Table 33 lists the measurement types it supports.

Table 33 802.11k measurement

| Type | Subtype | Description |
| --- | --- | --- |
| Radio measurement | Beacon | Measures the Received Channel Power Indicator (RCPI) and Received Signal to Noise Indicator (RSNI) of beacons, measurement pilot packets, and probe responses. |
| Radio measurement | Frame | Measures the number of frames transmitted and the average RCPI for these frames. |
| Radio measurement | Station statistics | Measures the received and transmitted fragment counts, received and transmitted multicast frame counts, failed counts, retry counts, and ACK failure counts. |
| Radio measurement | Transmit stream | Measures the frame of a specific transmit stream. |
| Radio measurement | Channel load | Measures the channel usage. |
| Radio measurement | Location | Measures the relative locations of a requester and the requested. |
| Radio measurement | Noise histogram | Measures the distribution of noise in different decibel ranges. |
| Link measurement | | Measures RCPI, RSNI, and link redundancy for a requested link. |
| Neighbor measurement | | Measures the channel and BSSID of neighbor APs. |

 

802.11k measurement operates in the following procedure:

1.     An AP sets the Radio Measurement field to 1 in beacons, probe responses, association responses, or reassociation responses to notify the clients that they can send 802.11k measurement requests.

These frames also carry measurement capabilities of the AP to inform clients of measurement types that the AP supports.

The AP periodically sends Measurement Pilot frames to help clients quickly discover the AP. Measurement Pilot frames are sent more frequently than beacons and carry less information.

2.     Upon receiving a measurement request from a client, the AP performs the required measurement and sends a report to the client.

The AP can also send measurement requests periodically to clients and collect measurement reports from clients.

Configuration task list

Tasks at a glance

(Required.) Enabling radio resource measurement

(Optional.) Setting the measurement duration and interval

(Optional.) Setting the match mode for client radio resource measurement capabilities

 

Enabling radio resource measurement

Enabling radio resource measurement in radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name [ model model-name ]
3.     Enter radio view.
       Command: radio radio-id
4.     Enable radio resource measurement.
       Command: resource-measure enable
       Remarks: By default, the configuration in AP group view is used. You must enable radio resource measurement if you enable link, neighbor, or radio measurement.
5.     Enable spectrum management.
       Command: spectrum-management enable
       Remarks: By default, the configuration in AP group view is used. Spectrum or TPC measurement takes effect only after you enable spectrum management. For more information about this command, see WLAN Command Reference.
6.     Enable a measurement type.
       Command: measure { all | link | neighbor | radio | spectrum | tpc } { enable | disable }
       Remarks: By default, the configuration in AP group view is used. The spectrum and tpc keywords are available only on 5 GHz radios.

 

Enabling radio resource measurement in AP group radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group group-name
3.     Enter AP model view.
       Command: ap-model ap-model
4.     Enter AP group radio view.
       Command: radio radio-id
5.     Enable radio resource measurement.
       Command: resource-measure enable
       Remarks: By default, radio resource measurement is disabled. You must enable radio resource measurement if you enable link, neighbor, or radio measurement.
6.     Enable spectrum management.
       Command: spectrum-management enable
       Remarks: By default, spectrum management is disabled. Spectrum or TPC measurement takes effect only after you enable spectrum management. For more information about this command, see WLAN Command Reference.
7.     Enable a measurement type.
       Command: measure { all | link | neighbor | radio | spectrum | tpc } { enable | disable }
       Remarks: By default, measurement is disabled. The spectrum and tpc keywords are available only on 5 GHz radios.

 

Setting the measurement duration and interval

When radio resource measurement is enabled for an AP, the AP sends measurement requests that carry the measurement duration to clients at the specified interval.

Setting the measurement duration and interval in radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name [ model model-name ]
3.     Enter radio view.
       Command: radio radio-id
4.     Set the measurement duration.
       Command: measure-duration time
       Remarks: By default, the configuration in AP group view is used.
5.     Set the measurement interval.
       Command: measure-interval value
       Remarks: By default, the configuration in AP group view is used.

 

Setting the measurement duration and interval in AP group radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group group-name
3.     Enter AP model view.
       Command: ap-model ap-model
4.     Enter AP group radio view.
       Command: radio radio-id
5.     Set the measurement duration.
       Command: measure-duration time
       Remarks: By default, the measurement duration is 500 TUs.
6.     Set the measurement interval.
       Command: measure-interval value
       Remarks: By default, the measurement interval is 30 seconds.

 

Setting the match mode for client radio resource measurement capabilities

This feature allows a client to associate with an AP based on the predefined match criteria. Radio resource measurement capability refers to the radio resource measurement types supported by the AP and client. The device supports the following match modes for client radio resource measurement capabilities:

·     All—A client is allowed to associate with an AP only when all its radio resource measurement capabilities match the AP's radio resource measurement capabilities.

·     None—Client radio resource measurement capabilities are not checked.

·     Partial—A client is allowed to associate with an AP as long as one of its radio resource measurement capabilities matches any of the AP's radio resource measurement capabilities.
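The Spectrum Mgmt and Radio Measurement flags from the measurement procedures above, and the three match modes, can be checked offline against frame bytes. The following Python sketch is an added example, not H3C code: bit positions follow the IEEE 802.11 Capability Information field and the RM Enabled Capabilities element (ID 70), the sample frames are constructed, and reading "all" as "every capability the client advertises is also advertised by the AP" is an assumption.

```python
import struct

# Capability Information fixed field (16 bits, little-endian) carried in
# beacons, probe responses and (re)association frames.
CAP_SPECTRUM_MGMT = 1 << 8       # "Spectrum Mgmt" flag used by 802.11h
CAP_RADIO_MEASUREMENT = 1 << 12  # "Radio Measurement" flag used by 802.11k

EID_SSID = 0
EID_RM_ENABLED_CAPABILITIES = 70  # 5-byte bitmap of supported 802.11k features

# Subset of the RM Enabled Capabilities bitmap: bit number -> label.
RM_BITS = {
    0: "link", 1: "neighbor-report", 4: "beacon-passive", 5: "beacon-active",
    6: "beacon-table", 8: "frame", 9: "channel-load", 10: "noise-histogram",
    11: "statistics", 14: "transmit-stream",
}


def ie(eid, payload):
    """Build one information element (ID, length, payload)."""
    return bytes([eid, len(payload)]) + payload


def parse_elements(buf):
    """Yield (element_id, payload); refuse an element that overruns the buffer."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated element header")
        eid, length = buf[i], buf[i + 1]
        end = i + 2 + length
        if end > len(buf):
            raise ValueError(f"element {eid} overruns frame body")
        yield eid, buf[i + 2:end]
        i = end


def rm_profile(cap_info, elements):
    """Return the measurement flags and RM capability set a station advertises."""
    (cap,) = struct.unpack("<H", cap_info)
    profile = {
        "spectrum_mgmt": bool(cap & CAP_SPECTRUM_MGMT),
        "radio_measurement": bool(cap & CAP_RADIO_MEASUREMENT),
        "rm_caps": set(),
    }
    for eid, payload in parse_elements(elements):
        if eid == EID_RM_ENABLED_CAPABILITIES and profile["radio_measurement"]:
            if len(payload) != 5:
                raise ValueError("RM Enabled Capabilities must be 5 bytes")
            bitmap = int.from_bytes(payload, "little")
            profile["rm_caps"] = {n for b, n in RM_BITS.items() if bitmap >> b & 1}
    return profile


def association_allowed(mode, ap_caps, client_caps):
    """Apply the all / none / partial match modes described above."""
    if mode == "none":
        return True                         # capabilities are not checked
    if mode == "partial":
        return bool(ap_caps & client_caps)  # at least one capability in common
    if mode == "all":
        # Assumption: a client that advertises nothing does not match.
        return bool(client_caps) and client_caps <= ap_caps
    raise ValueError(f"unknown match mode {mode!r}")


# Constructed sample frames (not captured traffic).
SSID = ie(EID_SSID, b"resource-measure")
AP = rm_profile(bytes.fromhex("0111"), SSID + ie(70, bytes.fromhex("7302000000")))
CLIENT_A = rm_profile(bytes.fromhex("0111"), SSID + ie(70, bytes.fromhex("1300000000")))
CLIENT_B = rm_profile(bytes.fromhex("0110"), SSID + ie(70, bytes.fromhex("0101000000")))
CLIENT_C = rm_profile(bytes.fromhex("0100"), SSID)  # no 802.11k support

if __name__ == "__main__":
    for name, sta in (("A", CLIENT_A), ("B", CLIENT_B), ("C", CLIENT_C)):
        verdicts = {m: association_allowed(m, AP["rm_caps"], sta["rm_caps"])
                    for m in ("all", "partial", "none")}
        print(name, sorted(sta["rm_caps"]), verdicts)
```
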

Setting the match mode for client radio resource measurement capabilities in radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name [ model model-name ]
3.     Enter radio view.
       Command: radio radio-id
4.     Set the match mode for client radio resource measurement capabilities.
       Command: rm-capability mode { all | none | partial }
       Remarks: By default, the configuration in AP group view is used.

 

Setting the match mode for client radio resource measurement capabilities in AP group radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group group-name
3.     Enter AP model view.
       Command: ap-model ap-model
4.     Enter AP group radio view.
       Command: radio radio-id
5.     Set the match mode for client radio resource measurement capabilities.
       Command: rm-capability mode { all | none | partial }
       Remarks: By default, an AP does not check the radio resource measurement capabilities of a client.

 

Displaying and maintaining WLAN radio resource measurement

Execute display commands in any view.

 

Task: Display client measurement reports.
Command: display wlan measure-report ap ap-name radio radio-id [ client mac-address mac-address ]

 

Radio resource measurement configuration examples

Network requirements

As shown in Figure 76, configure radio resource measurement to meet the following requirements:

·     The client can come online only when all its radio resource measurement capabilities match the AP's.

·     The client can perform all types of measurements.

Figure 76 Network diagram

 

Configuration procedures

# Create service template 1.

<AC> system-view

[AC] wlan service-template 1

# Set the SSID to resource-measure, and enable service template 1.

[AC-wlan-st-1] ssid resource-measure

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create the manual AP ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Enter radio view of radio 1.

[AC-wlan-ap-ap1] radio 1

# Enable spectrum management.

[AC-wlan-ap-ap1-radio-1] spectrum-management enable

# Enable radio resource measurement.

[AC-wlan-ap-ap1-radio-1] resource-measure enable

# Enable all measurement features.

[AC-wlan-ap-ap1-radio-1] measure all enable

# Set the match mode for client radio resource measurement capabilities to All.

[AC-wlan-ap-ap1-radio-1] rm-capability mode all

# Bind the service template to radio 1, and enable the radio.

[AC-wlan-ap-ap1-radio-1] service-template 1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Verify that the client has come online.

[AC] display wlan client

Total number of clients: 1

 

MAC address    Username            AP name               R IP address      VLAN

00ee-bd44-557f N/A                 ap1                   1 1.1.1.1         1

# Display measurement reports from the client.

[AC] display wlan measure-report ap ap1 radio 1

Total number of clients: 1

 

Client MAC address                              : 00ee-bd44-557f

Link measurement:

  Link margin                                   : 2 dBm

  RCPI                                          : -85 dBm

  RSNI                                          : 53 dBm

Noise histogram:

  Antenna ID                                    : 3

  ANPI                                          : -56 dBm

  IPI0 to IPI10 density                         : 5 12 16 13 8 5 5 15 17 1 3

Spectrum measurement:

  Transmit power                                : 20 dBm

  BSS                                           : Detected

  OFDM preamble                                 : Detected

  Radar                                         : Detected

  Unidentified signal                           : Undetected

  CCA busy fraction                             : 60

  RPI0 to RPI7 density                          : 3 7 11 19 15 23 15 7

Frame report entry:

  BSSID                                         : a072-2351-e253

  PHY type                                      : fhss

  Average RCPI                                  : -10 dBm

  Last RSNI                                     : 2 dBm

  Last RCPI                                     : -20 dBm

  Frames                                        : 1

Dot11BSSAverageAccessDelay group:

  Average access delay                          : 32 ms

  BestEffort average access delay               : 1 ms

  Background average access delay               : 1 ms

  Video average access delay                    : 1 ms

  Voice average access delay                    : 1 ms

  Clients                                       : 32

  Channel utilization rate                      : 11

Transmit stream:

  Traffic ID                                    : 0

  Sent MSDUs                                    : 60

  Discarded MSDUs                               : 5

  Failed MSDUs                                  : 3

  MSDUs resent multiple times                   : 3

  Lost QoS CF-Polls                             : 2

  Average queue delay                           : 2 ms

  Average transmit delay                        : 1 ms

  Bin0 range                                    : 0 to 10 ms

  Bin0 to Bin5                                  : 5 10 10 5 10 10


Configuring channel scanning

Overview

Channel scanning enables APs to scan channels and capture wireless packets. The AC analyzes the captured wireless packets to obtain wireless service information, including interferences, error bit rate, and wireless signal strength. Channel scanning provides data for WLAN RRM and WIPS, and enhances wireless service quality.

Basic concepts

·     Scanning period—In this period, an AP only scans a channel and does not provide wireless services.

·     Service period—In this period, an AP works in either of the following ways:

○     The AP only provides wireless services and does not scan channels.

○     The AP scans its working channel and provides wireless services simultaneously for a time period that is the same as the scanning period. After that, the AP only provides wireless services.

Work mechanism

An AP scans each channel on the channel scanning list in turn, regardless of whether the AP provides wireless services, and scans each channel for one scanning period. If the AP does not provide wireless services, it runs scanning periods consecutively. If the AP provides wireless services, it alternates between service periods and scanning periods.

For example, Figure 77 shows the channel scanning mechanism for an AP when the AP works on channel 6 and the channel scanning list contains channels 1, 6, and 11.

Figure 77 Channel scanning mechanism

 

Configuring channel scanning

Setting the scanning period

Make sure the scanning period is not greater than the maximum service period.

Setting the scanning period in radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name [ model model-name ]
3.     Enter radio view.
       Command: radio radio-id
4.     Set the scanning period.
       Command: scan scan-time scan-time
       Remarks: By default, a radio uses the configuration in AP group radio view.

 

Setting the scanning period in AP group radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group group-name
3.     Enter AP model view.
       Command: ap-model ap-model
4.     Enter radio view.
       Command: radio radio-id
5.     Set the scanning period.
       Command: scan scan-time scan-time
       Remarks: By default, the scanning period is 100 milliseconds.

 

Setting the maximum service period

To ensure both scanning and service quality, you can set the maximum service period. When the maximum service period is reached, the AP starts a scanning period regardless of whether it has traffic to forward. To give priority to wireless service quality, you can configure the AP to not limit the service period. In that case, the AP does not start a scanning period unless the service idle timeout expires.

Setting the maximum service period in radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name [ model model-name ]
3.     Enter radio view.
       Command: radio radio-id
4.     Set the maximum service period.
       Command: scan max-service-time { max-service-time | no-limit }
       Remarks: By default, a radio uses the configuration in AP group radio view.

 

Setting the maximum service period in AP group radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group group-name
3.     Enter AP model view.
       Command: ap-model ap-model
4.     Enter radio view.
       Command: radio radio-id
5.     Set the maximum service period.
       Command: scan max-service-time { max-service-time | no-limit }
       Remarks: By default, the maximum service period is 5000 milliseconds.

 

Setting the service idle timeout

During a service period, an AP does not begin a new scanning period until the current service period exceeds the scanning period even if the specified service idle timeout expires.

Setting the service idle timeout in radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name [ model model-name ]
3.     Enter radio view.
       Command: radio radio-id
4.     Set the service idle timeout.
       Command: scan idle-time idle-time
       Remarks: By default, a radio uses the configuration in AP group radio view. The service idle timeout cannot be greater than the maximum service period.

 

Setting the service idle timeout timer in AP group radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group group-name
3.     Enter AP model view.
       Command: ap-model ap-model
4.     Enter radio view.
       Command: radio radio-id
5.     Set the service idle timeout timer.
       Command: scan idle-time idle-time
       Remarks: By default, the service idle timeout timer is 100 milliseconds.

 

Configuring the channel scanning blacklist or whitelist

Perform this task for an AP to not scan channels in the blacklist or to scan only channels in the whitelist. You cannot configure both the channel scanning blacklist and whitelist for the same AP.

Configuring the channel scanning blacklist or whitelist in radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name [ model model-name ]
3.     Enter radio view.
       Command: radio radio-id
4.     Add the specified channels to the channel scanning blacklist.
       Command: scan channel blacklist channel-list
       Remarks: By default, a radio uses the configuration in AP group radio view.
5.     Add the specified channels to the channel scanning whitelist.
       Command: scan channel whitelist channel-list
       Remarks: By default, a radio uses the configuration in AP group radio view.

 

Configuring the channel scanning blacklist or whitelist in AP group radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group group-name
3.     Enter AP model view.
       Command: ap-model ap-model
4.     Enter radio view.
       Command: radio radio-id
5.     Add the specified channels to the channel scanning blacklist.
       Command: scan channel blacklist channel-list
       Remarks: By default, no channel scanning blacklist exists.
6.     Add the specified channels to the channel scanning whitelist.
       Command: scan channel whitelist channel-list
       Remarks: By default, no channel scanning whitelist exists.

 

Scanning all channels

This feature is restricted to Hong Kong and Macao.

 

IMPORTANT:

This feature is applicable only to dual-band radios.

 

Perform this task to enable an AP to alternately scan 2.4 GHz channels and 5 GHz channels at the specified interval.

Scanning all channels in radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name [ model model-name ]
3.     Enter radio view.
       Command: radio radio-id
4.     Enable the radio to scan all channels.
       Command: scan mode all [ interval interval-value ]
       Remarks: By default, a radio uses the configuration in AP group radio view.

 

Scanning all channels in AP group radio view

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group group-name
3.     Enter AP model view.
       Command: ap-model ap-model
4.     Enter radio view.
       Command: radio radio-id
5.     Enable the radio to scan all channels.
       Command: scan mode all [ interval interval-value ]
       Remarks: By default, a radio does not scan all channels.

 

Channel scanning configuration examples

Relative forwarding preferred configuration example

Network requirements

As shown in Figure 78, configure channel scanning and set the maximum service period for AP 1 to ensure both channel scanning and wireless service quality.

Figure 78 Network diagram

 

Configuration procedure

# Create a manual AP and specify the model and serial ID.

<AC> system-view

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Enter radio view of radio 1.

[AC-wlan-ap-ap1] radio 1

# Set the scanning period to 200 milliseconds.

[AC-wlan-ap-ap1-radio-1] scan scan-time 200

# Set the maximum service period to 5000 milliseconds.

[AC-wlan-ap-ap1-radio-1] scan max-service-time 5000

# Set the service idle timeout to 100 milliseconds.

[AC-wlan-ap-ap1-radio-1] scan idle-time 100

Absolute forwarding preferred configuration example

Network requirements

As shown in Figure 79, configure channel scanning and do not limit the service period for AP 1 to ensure wireless service quality.

Figure 79 Network diagram

 

Configuration procedure

# Create a manual AP and specify the model and serial ID.

<AC> system-view

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Enter radio view of radio 1.

[AC-wlan-ap-ap1] radio 1

# Set the scanning period to 100 milliseconds.

[AC-wlan-ap-ap1-radio-1] scan scan-time 100

# Configure the radio to not limit the service period.

[AC-wlan-ap-ap1-radio-1] scan max-service-time no-limit

# Set the service idle timeout to 100 milliseconds.

[AC-wlan-ap-ap1-radio-1] scan idle-time 100
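The timing and list constraints stated in this chapter (scanning period and service idle timeout not greater than the maximum service period, blacklist and whitelist not both configured) can be checked before a configuration is pushed. The following Python audit is an added example, not an H3C tool: it assumes unset values fall back to the AP group radio view defaults given above, the `ap9` transcript and its channel-list syntax are constructed, and the `no-limit` note follows from channel scanning feeding RRM and WIPS.

```python
import re

# Defaults stated for AP group radio view in this chapter (milliseconds).
DEFAULTS = {"scan-time": 100, "max-service-time": 5000, "idle-time": 100}
PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>\S.*)$")


def collect(transcript):
    """Return {view: settings} for every 'scan ...' command in a CLI transcript."""
    views = {}
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        words = m.group("cmd").split()
        if len(words) < 3 or words[0] != "scan":
            continue
        cfg = views.setdefault(m.group("view"), {})
        key = words[1]
        if key in ("scan-time", "idle-time"):
            cfg[key] = int(words[2])
        elif key == "max-service-time":
            cfg[key] = None if words[2] == "no-limit" else int(words[2])
        elif key == "channel" and words[2] in ("blacklist", "whitelist"):
            cfg.setdefault(words[2], []).extend(words[3:])
    return views


def audit(transcript):
    """Return (view, severity, message) tuples for rule violations."""
    findings = []
    for view, cfg in collect(transcript).items():
        eff = {**DEFAULTS, **cfg}
        limit = eff["max-service-time"]  # None means no-limit
        if limit is None:
            findings.append((view, "note",
                             "no-limit: scanning starts only after the service idle "
                             "timeout, so a busy radio supplies less data to RRM and WIPS"))
        else:
            for key in ("scan-time", "idle-time"):
                if eff[key] > limit:
                    findings.append((view, "error",
                                     f"{key} {eff[key]} ms exceeds max-service-time {limit} ms"))
        if "blacklist" in cfg and "whitelist" in cfg:
            findings.append((view, "error",
                             "channel blacklist and whitelist are both configured"))
    return findings


# The two configuration examples from this chapter.
RELATIVE = """
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] scan scan-time 200
[AC-wlan-ap-ap1-radio-1] scan max-service-time 5000
[AC-wlan-ap-ap1-radio-1] scan idle-time 100
"""
ABSOLUTE = """
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] scan scan-time 100
[AC-wlan-ap-ap1-radio-1] scan max-service-time no-limit
[AC-wlan-ap-ap1-radio-1] scan idle-time 100
"""
# Constructed transcript that breaks two rules (hypothetical AP name ap9).
BROKEN = """
[AC-wlan-ap-ap9-radio-1] scan scan-time 6000
[AC-wlan-ap-ap9-radio-1] scan idle-time 100
[AC-wlan-ap-ap9-radio-1] scan channel blacklist 1 6
[AC-wlan-ap-ap9-radio-1] scan channel whitelist 11
"""

if __name__ == "__main__":
    for label, text in (("relative", RELATIVE), ("absolute", ABSOLUTE), ("broken", BROKEN)):
        print(label, audit(text))
```
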


Configuring band navigation

Overview

Band navigation enables an AP to prefer directing dual-band (2.4 GHz and 5 GHz) clients to its 5 GHz radio because the 2.4 GHz band is often congested. This can load balance the radios and improve network performance.

As shown in Figure 80, band navigation is enabled in the WLAN. Client 1 is associated with the 5 GHz radio and Client 2 is associated with the 2.4 GHz radio. When the dual-band client Client 3 requests to associate with the 2.4 GHz radio, the AP rejects Client 3 and directs it to the 5 GHz radio.

Figure 80 Band navigation

 

Configuration task list

Tasks at a glance

Configuring band navigation:

·     (Required.) Enabling band navigation globally

·     (Required.) Enabling band navigation for an AP

·     (Optional.) Configuring load balancing for band navigation

·     (Optional.) Configuring band navigation parameters

 

Configuration prerequisites

Make sure fast association is disabled for the wireless service. For more information about fast association, see "Configuring WLAN access."

Make sure both the 5 GHz and 2.4 GHz radios are enabled and the radios are bound to the same service template.

Configuring band navigation

Do not enable band navigation in a WLAN when most clients in the WLAN support only the 2.4 GHz band or in a WLAN that is sensitive to traffic delay.

Enabling band navigation globally

1.     Enter system view.
       Command: system-view
2.     Enable band navigation globally.
       Command: wlan band-navigation enable
       Remarks: By default, band navigation is disabled globally.

 

Enabling band navigation for an AP

Band navigation takes effect on an AP only when you enable band navigation both globally and for the AP.

Enabling band navigation for an AP

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name [ model model-name ]
3.     Enable band navigation for the AP.
       Command: band-navigation enable
       Remarks: By default, the AP uses the configuration in AP group view.

 

Enabling band navigation for an AP group

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group group-name
3.     Enable band navigation for the AP group.
       Command: band-navigation enable
       Remarks: By default, band navigation is enabled.

 

Configuring load balancing for band navigation

An AP rejects the 5 GHz association request of a client when the following conditions are met:

·     The number of clients on the 5 GHz radio reaches the specified threshold.

·     The client number gap between the 5 GHz radio and the radio that has the fewest clients reaches the specified threshold.

To enable load balancing for band navigation:

 

1.     Enter system view.
       Command: system-view
2.     Configure load balancing for band navigation.
       Command: wlan band-navigation balance session session [ gap gap ]
       Remarks: By default, load balancing is disabled for band navigation.

 

Configuring band navigation parameters

The following parameters affect band navigation:

·     Maximum number of denials for 5 GHz association requests—If the number of times that a 5 GHz radio rejects a client reaches the specified maximum number, the radio accepts the association request of the client.

·     Band navigation RSSI threshold—A client might be detected by multiple radios. A 5 GHz radio rejects the association request of a client if the client's RSSI is lower than the band navigation RSSI threshold.

·     Client information aging time—When an AP receives an association request from a client, the AP records the client's information and starts the client information aging timer. If the AP does not receive any probe requests or association requests from the client before the aging timer expires, the AP deletes the client's information.

Configure appropriate client information aging time to ensure both client association and system resource efficiency.

To configure band navigation parameters:

 

1.     Enter system view.
       Command: system-view
2.     Set the maximum number of denials for 5 GHz association requests.
       Command: wlan band-navigation balance access-denial access-denial
       Remarks: By default, the AP does not reject 5 GHz association requests.
3.     Set the band navigation RSSI threshold.
       Command: wlan band-navigation rssi-threshold rssi-threshold
       Remarks: By default, the band navigation RSSI threshold is 15.
4.     Set the client information aging time.
       Command: wlan band-navigation aging-time aging-time
       Remarks: By default, the client information aging time is 180 seconds.

 

Band navigation configuration examples

Network requirements

As shown in Figure 81, both the 5 GHz radio and the 2.4 GHz radio are enabled on the AP. Configure band navigation and load balancing for band navigation to load balance the radios.

Figure 81 Network diagram

 

Configuration procedure

# Create service template 1 and set its SSID to band-navigation.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid band-navigation

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create the AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Enter radio view of radio 1, and configure radio 1 to operate in 802.11n (5 GHz) mode.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] type dot11an

# Bind service template 1 to radio 1 of AP 1, and enable radio 1.

[AC-wlan-ap-ap1-radio-1] service-template 1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

# Enter radio view of radio 2, and configure radio 2 to operate in 802.11n (2.4 GHz) mode.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] type dot11gn

# Bind service template 1 to radio 2 of AP 1, and enable radio 2.

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Enable band navigation globally.

[AC] wlan band-navigation enable

# Enable band navigation for AP 1.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] band-navigation enable

[AC-wlan-ap-ap1] quit

# Enable load balancing for band navigation, and set the client number threshold and client number gap threshold to 5 and 2, respectively.

[AC] wlan band-navigation balance session 5 gap 2

# Set the maximum number of denials for 5 GHz association requests to 3.

[AC] wlan band-navigation balance access-denial 3

# Set the band navigation RSSI threshold to 30.

[AC] wlan band-navigation rssi-threshold 30

# Set the client information aging time to 160 seconds.

[AC] wlan band-navigation aging-time 160

Verifying the configuration

1.     Verify that a dual-band client is associated with the 5 GHz radio when it requests to associate with the AP. (Details not shown.)

2.     Verify that a dual-band client is associated with the 2.4 GHz radio when the following conditions are met:

○     The number of clients on the 5 GHz radio reaches 5.

○     The client number gap between the 5 GHz radio and the 2.4 GHz radio reaches 2. (Details not shown.)
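How the session and gap thresholds, the denial limit, the RSSI threshold, and the aging time interact is easier to see in a small model. The following Python class is an added example, not the AC's implementation: it uses the values from the configuration above, and the order in which the rules are evaluated, the `dual_band` flag, and the client names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class BandNav:
    session: int = 5          # wlan band-navigation balance session 5 gap 2
    gap: int = 2
    access_denial: int = 3    # wlan band-navigation balance access-denial 3
    rssi_threshold: int = 30  # wlan band-navigation rssi-threshold 30
    aging_time: int = 160     # wlan band-navigation aging-time 160 (seconds)
    counts: dict = field(default_factory=lambda: {"5g": 0, "2.4g": 0})
    clients: dict = field(default_factory=dict)  # name -> {"denials", "seen"}

    def _five_ghz_blocked(self, rssi):
        """True when the 5 GHz radio should turn this client away."""
        loaded = (self.counts["5g"] >= self.session and
                  self.counts["5g"] - min(self.counts.values()) >= self.gap)
        return loaded or rssi < self.rssi_threshold

    def request(self, client, band, rssi, now, dual_band=True):
        """Return 'accept' or 'reject' for one association request."""
        # Drop client records that were silent for longer than the aging time.
        self.clients = {c: rec for c, rec in self.clients.items()
                        if now - rec["seen"] <= self.aging_time}
        rec = self.clients.setdefault(client, {"denials": 0, "seen": now})
        rec["seen"] = now
        blocked = self._five_ghz_blocked(rssi)
        if band == "5g":
            # Reject until the denial limit is reached, then let the client in.
            if blocked and rec["denials"] < self.access_denial:
                rec["denials"] += 1
                return "reject"
        elif dual_band and not blocked:
            return "reject"  # steer the dual-band client to the 5 GHz radio
        self.counts[band] += 1
        return "accept"


def steering_demo():
    """Dual-band client with good RSSI on an empty AP: 2.4 GHz try, then 5 GHz."""
    nav = BandNav()
    return [nav.request("client3", "2.4g", 40, now=0),
            nav.request("client3", "5g", 40, now=1)]


def balance_demo():
    """5 GHz radio already at 5 clients with a gap of 2 to the 2.4 GHz radio."""
    nav = BandNav(counts={"5g": 5, "2.4g": 3})
    return [nav.request("client9", "5g", 40, now=0),
            nav.request("client9", "2.4g", 40, now=1)]


def weak_rssi_demo():
    """Client below the RSSI threshold keeps retrying the 5 GHz radio."""
    nav = BandNav()
    return [nav.request("weak", "5g", 20, now=t) for t in range(4)]


if __name__ == "__main__":
    print(steering_demo(), balance_demo(), weak_rssi_demo())
```
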


Configuring dual-link backup

Overview

Dual-link backup enables two ACs to back up each other. This reduces risks of service interruption caused by single-AC failures.

With dual-link backup enabled, an AP establishes a master CAPWAP tunnel with the master AC and a backup CAPWAP tunnel with the backup AC. The master and backup ACs cannot detect each other's link state in real time. When the backup AC takes over traffic forwarding upon master AC failure, temporary communication interruption occurs. When the failed master AC recovers, the master CAPWAP tunnel preemption feature determines the master CAPWAP tunnel based on the AP connection priority.

Dual-link backup is applicable to networks that are insensitive to service continuity.

Figure 82 Network diagram for dual-link backup

 

Dual-link backup configuration task list

Tasks at a glance

(Required.) Setting AP connection priority and specifying a backup AC

(Optional.) Configuring master CAPWAP tunnel preemption

 

Configuration prerequisites

Configure auto APs or manual APs on both ACs. The manual AP configuration must be identical on the two ACs. For more information, see "Managing APs."

Setting AP connection priority and specifying a backup AC

After an AP establishes a CAPWAP tunnel with the master AC, the AP will establish a backup CAPWAP tunnel with the specified backup AC.

As a best practice, set a higher AP connection priority for the master AC to ensure that APs can associate with the master AC first.

Specifying a backup AC for an AP

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name
3.     Set the AP connection priority.
       Command: priority priority
       Remarks: By default, an AP uses the configuration in AP group view.
4.     Specify a backup AC.
       Command: backup-ac { ip ipv4-address | ipv6 ipv6-address }
       Remarks: By default, an AP uses the configuration in AP group view.

 

Specifying a backup AC for an AP group

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group groupname
3.     Set the AP connection priority.
       Command: priority priority
       Remarks: By default, the AP connection priority is 4.
4.     Specify a backup AC.
       Command: backup-ac { ip ipv4-address | ipv6 ipv6-address }
       Remarks: By default, no backup AC is specified.

 

Configuring master CAPWAP tunnel preemption

This feature enables a backup CAPWAP tunnel to become a master tunnel if the backup AC has higher AP connection priority than the master AC.

Configuring master CAPWAP tunnel preemption for an AP

1.     Enter system view.
       Command: system-view
2.     Enter AP view.
       Command: wlan ap ap-name
3.     Configure master CAPWAP tunnel preemption.
       Command: wlan tunnel-preempt { disable | enable }
       Remarks: By default, an AP uses the configuration in AP group view.

 

Configuring master CAPWAP tunnel preemption for an AP group

1.     Enter system view.
       Command: system-view
2.     Enter AP group view.
       Command: wlan ap-group groupname
3.     Configure master CAPWAP tunnel preemption.
       Command: wlan tunnel-preempt { disable | enable }
       Remarks: By default, an AP uses the configuration in global configuration view.

 

Configuring master CAPWAP tunnel preemption globally

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter global configuration view. | wlan global-configuration | N/A |
| 3. Configure master CAPWAP tunnel preemption. | wlan tunnel-preempt { disable \| enable } | By default, master CAPWAP tunnel preemption is disabled. |

Dual-link backup configuration example

Network requirements

As shown in Figure 83, configure AC 1 to act as the master AC and AC 2 as the backup AC. When AC 1 fails and AC 2 takes over, the AP can communicate through AC 2. Configure the master CAPWAP tunnel preemption feature on both ACs so that the AP reconnects to AC 1 when AC 1 recovers.

Figure 83 Network diagram

 

Configuration procedure

1.     Configure AC 1:

# Create VLAN-interface 1 and assign an IP address to it.

<AC1> system-view

[AC1] interface vlan-interface 1

[AC1-Vlan-interface1] ip address 10.1.1.1 24

[AC1-Vlan-interface1] quit

# Create an AP named ap1, and specify the AP model and serial ID. Set the AP connection priority to 7.

[AC1] wlan ap ap1 model WA536-WW

[AC1-wlan-ap-ap1] serial-id 219801A1NQB117012935

[AC1-wlan-ap-ap1] priority 7

# Specify an IPv4 backup AC.

[AC1-wlan-ap-ap1] backup-ac ip 11.1.1.1

# Enable master CAPWAP tunnel preemption.

[AC1-wlan-ap-ap1] wlan tunnel-preempt enable

[AC1-wlan-ap-ap1] quit

2.     Configure AC 2:

# Create VLAN-interface 1 and assign an IP address to it.

<AC2> system-view

[AC2] interface Vlan-interface 1

[AC2-Vlan-interface1] ip address 11.1.1.1 24

[AC2-Vlan-interface1] quit

# Create an AP named ap1, and specify the AP model and serial ID. Set the AP connection priority to 5.

[AC2] wlan ap ap1 model WA536-WW

[AC2-wlan-ap-ap1] serial-id 219801A1NQB117012935

[AC2-wlan-ap-ap1] priority 5

# Specify an IPv4 backup AC.

[AC2-wlan-ap-ap1] backup-ac ip 10.1.1.1

# Enable master CAPWAP tunnel preemption.

[AC2-wlan-ap-ap1] wlan tunnel-preempt enable

[AC2-wlan-ap-ap1] quit

Verifying the configuration

# Get the AP online on AC 1. (Details not shown.)

# Shut down VLAN-interface 1 on AC 1 and wait no longer than 3 minutes, during which service interruption occurs. (Details not shown.)

# Verify that the AP comes online on AC 2 and the AP state is R/M on AC 2. (Details not shown.)

# Bring up VLAN-interface 1 on AC 1. (Details not shown.)

# Verify that the AP comes online on AC 1 again and the AP state is R/M on AC 1 and R/B on AC 2. (Details not shown.)
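The dual-link example depends on the two ACs mirroring each other. The following added example (not part of the H3C guide) cross-checks the two command transcripts before deployment. It assumes that the VLAN-interface address is the address the peer names in backup-ac, and that a larger priority value means higher priority, as in the example (7 on the master, 5 on the backup). The function names are hypothetical.

```python
import re

# Constructed input: the command lines of the example above, one transcript per AC.
AC1_SESSION = """\
<AC1> system-view
[AC1] interface vlan-interface 1
[AC1-Vlan-interface1] ip address 10.1.1.1 24
[AC1-Vlan-interface1] quit
[AC1] wlan ap ap1 model WA536-WW
[AC1-wlan-ap-ap1] serial-id 219801A1NQB117012935
[AC1-wlan-ap-ap1] priority 7
[AC1-wlan-ap-ap1] backup-ac ip 11.1.1.1
[AC1-wlan-ap-ap1] wlan tunnel-preempt enable
"""
AC2_SESSION = """\
<AC2> system-view
[AC2] interface Vlan-interface 1
[AC2-Vlan-interface1] ip address 11.1.1.1 24
[AC2-Vlan-interface1] quit
[AC2] wlan ap ap1 model WA536-WW
[AC2-wlan-ap-ap1] serial-id 219801A1NQB117012935
[AC2-wlan-ap-ap1] priority 5
[AC2-wlan-ap-ap1] backup-ac ip 10.1.1.1
[AC2-wlan-ap-ap1] wlan tunnel-preempt enable
"""

# A prompt is <name> in user view or [name-view] in any other view.
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*(.*)$")


def parse_session(text):
    """Collect the dual-link settings one AC was given in a CLI transcript."""
    cfg = {"ip": None, "serial": None, "priority": None,
           "backup": None, "preempt": False}
    for line in text.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue
        w = m.group(1).split()
        if w[:2] == ["ip", "address"] and len(w) >= 3:
            cfg["ip"] = w[2]
        elif w[:1] == ["serial-id"] and len(w) >= 2:
            cfg["serial"] = w[1]
        elif w[:1] == ["priority"] and len(w) >= 2:
            cfg["priority"] = int(w[1])
        elif w[:1] == ["backup-ac"] and len(w) >= 3:
            cfg["backup"] = w[2]  # address that follows "ip" or "ipv6"
        elif w[:2] == ["wlan", "tunnel-preempt"] and len(w) >= 3:
            cfg["preempt"] = (w[2] == "enable")
    return cfg


def check_dual_link(master, backup):
    """Return a list of inconsistencies between the master and backup AC settings."""
    findings = []
    if master["serial"] != backup["serial"]:
        findings.append("serial IDs differ: the ACs do not describe the same AP")
    if master["backup"] != backup["ip"]:
        findings.append("master's backup-ac does not point at the backup AC")
    if backup["backup"] != master["ip"]:
        findings.append("backup's backup-ac does not point at the master AC")
    mp, bp = master["priority"], backup["priority"]
    if mp is None or bp is None:
        findings.append("priority is not set in AP view on both ACs")
    elif mp <= bp:
        findings.append(
            f"master priority {mp} is not higher than backup priority {bp}")
    # The example enables preemption on both ACs so the AP returns to AC 1.
    if not (master["preempt"] and backup["preempt"]):
        findings.append("tunnel preemption is not enabled on both ACs")
    return findings


if __name__ == "__main__":
    problems = check_dual_link(parse_session(AC1_SESSION),
                               parse_session(AC2_SESSION))
    print(problems or "dual-link settings are consistent")
```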


Configuring AP load balancing

Overview

AP load balancing (LB) enables multiple ACs to form an IRF fabric to ensure centralized AP management and avoid wireless service interruption in case of AC failures.

AC roles

An AC has the following roles:

 

| Role | Description |
|---|---|
| Master AC | Master in an IRF fabric. A master AC manages the entire IRF fabric; load balances APs among active ACs according to an LB algorithm; and maintains an AP LB table that records the CAPWAP tunnel establishment relationships between APs and active ACs, and synchronizes the table among all ACs in the fabric. |
| Subordinate AC | Subordinate in an IRF fabric. A subordinate AC processes services, forwards packets, and acts as a backup for the master AC. When the master AC fails, the system automatically elects a new master AC from the subordinate ACs in the IRF fabric. |
| Active AC | An AC that can establish CAPWAP tunnels with APs and load balance APs with other active ACs. The master AC is always an active AC. It selects a specific number of active ACs from the subordinate ACs. |
| Non-active AC | An AC that cannot establish CAPWAP tunnels with APs. Non-active ACs can only be subordinate ACs. When an active AC fails, a non-active AC will be elected as an active AC. |
| Directly connected AC | An AC that receives the first packet from an AP when the AP launches a CAPWAP tunnel establishment process. |

AP load balancing

After multiple ACs form an IRF fabric, the IRF fabric appears as one AC to APs. When the IRF fabric receives a CAPWAP tunnel establishment request, the master AC uses an LB algorithm to select an AC from the active ACs for tunnel establishment. Figure 84 shows the LB algorithm.

Figure 84 AP LB algorithm

 

As shown in Figure 85, AC 1, AC 2, and AC 3 form an IRF fabric. AC 1 is the master AC and also an active AC. AC 2 is an active AC and also a directly connected AC to AP 1. AC 3 is a non-active AC. AP 1 establishes a CAPWAP tunnel with the IRF fabric by using the following process:

1.     The AP sends a discovery request.

2.     Upon receiving the discovery request, AC 2 notifies AC 1.

3.     AC 1 determines whether a CAPWAP tunnel can be established with the AP, and then uses the LB algorithm to select an active AC for CAPWAP tunnel establishment (AC 1 in this example).

4.     AC 1 records the CAPWAP tunnel establishment relationship between the AP and AC 1 in the AP LB table and synchronizes the table to all ACs in the IRF fabric.

5.     After receiving the AP LB table, AC 2 sends a discovery response to the AP.

6.     After receiving the discovery response, the AP sends a join request to the IRF fabric.

7.     The AC that receives the join request examines the AP LB table and learns that it is AC 1 that will establish a CAPWAP tunnel with the AP. Then, the AC forwards the join request to AC 1.

8.     After receiving the join request, AC 1 sends a join response to the AP.

Figure 85 AP load balancing

 

Feature and hardware compatibility

| Hardware series | Model | AP load balancing compatibility |
|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | No |
| WX3800H series | WX3820H, WX3840H | Yes |
| WX5800H | WX5860H | Yes |

Configuration prerequisites

Before configuring AP load balancing, set up an IRF fabric for the target ACs. For information about IRF, see Virtual Technologies Configuration Guide.

Setting the number of active ACs

After you set the number of active ACs, the master AC will select an active AC among the non-active ACs according to the order in which they are saved to the AC information table. An AC has higher priority if its information is saved earlier.

When an active AC fails, the master AC randomly selects a new active AC from non-active ACs.

To set the number of active ACs:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the number of active ACs. | wlan ap-backup active count number | By default, the number of active ACs is 1. Only the master AC can act as an active AC to establish CAPWAP tunnels with APs. |

Setting the threshold and gap threshold for AP load balancing

The threshold and gap threshold are used in the LB algorithm to implement AP load balancing among active ACs in an IRF fabric. For information about the LB algorithm, see "AP load balancing."

To set the threshold and gap threshold for AP load balancing:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the threshold and gap threshold for AP load balancing. | wlan ap-backup load-balance threshold threshold-value gap gap-value | The following default settings apply: the AP load-balancing threshold is the maximum number of APs supported by the current AC, and the gap threshold is a quarter of APs associated with the directly connected AC. |

Displaying and maintaining AP load balancing

Execute display commands in any view.

 

| Task | Command |
|---|---|
| Display AP LB status for all IRF member ACs. | display wlan ap backup multislot |

AP load balancing configuration example

Network requirements

As shown in Figure 86, AC 1 and AC 2 form an IRF fabric. To implement central management of APs, configure both ACs as active ACs.

Figure 86 Network diagram

 

Configuration procedure

# Set up an IRF fabric. (Details not shown.)

For more information, see Virtual Technologies Configuration Guide.

# Set the number of active ACs to 2.

<AC> system-view

[AC] wlan ap-backup active count 2

Verifying the configuration

# Verify that both ACs can establish CAPWAP tunnels with APs and back up AP information for each other.

<AC> display wlan ap backup multislot

Borad Status

 

Total number of slots: 2

 Slot ID              State

 1                      active-only

 2                      active-only

 


Configuring WLAN uplink detection

Overview

When the uplink of an AC fails, clients cannot access external networks through the APs that are connected to the AC. WLAN uplink detection associates the uplink state of an AC with the radio state of the connected APs. When the uplink fails, the AC disables the radios of the APs. When the uplink recovers, the AC enables the radios of the APs. The association ensures that clients can associate with APs connected to another AC when the uplink of an AC fails.

This feature works together with a detection module and the Track module. The state of the associated track entry determines the radio state as follows:

·     When the track entry is in Positive state, the AC enables the radios of the connected APs.

·     When the track entry is in Negative state, the AC disables the radios of the connected APs.

·     When the track entry is in Invalid state, the AC does not change the radio state of the connected APs.

For more information about the track module, see High Availability Configuration Guide.

Associating a track entry with the WLAN uplink detection feature

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure a detection module to detect the uplink state, and associate a track entry with the detection module. | For information about Track association with detection modules, see High Availability Configuration Guide. | N/A |
| 3. Associate the track entry with the WLAN uplink detection feature. | wlan uplink track track-entry-number | By default, WLAN uplink detection is not associated with any track entry. |

WLAN uplink detection configuration example

Network requirements

As shown in Figure 87, use an NQA operation to test the accessibility of each AC's uplink. Configure WLAN uplink detection on each AC, so that when the uplink of an AC fails, clients can associate with the AP connected to another AC that operates correctly.

Figure 87 Network diagram

 

Configuration procedure

1.     Configure AC 1:

# Create an ICMP echo operation.

<AC1> system-view

[AC1] nqa entry admin test

[AC1-nqa-admin-test] type icmp-echo

# Specify 10.1.1.1 as the destination IP address of ICMP echo requests.

[AC1-nqa-admin-test-icmp-echo] destination ip 10.1.1.1

# Create reaction entry 1. If the number of consecutive probe failures reaches 5, collaboration is triggered.

[AC1-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only

[AC1-nqa-admin-test-icmp-echo] quit

# Start the ICMP echo operation.

[AC1] nqa schedule admin test start-time now lifetime forever

# Configure track entry 1, and associate it with reaction entry 1 of the NQA operation (with administrator admin, and operation tag test).

[AC1] track 1 nqa entry admin test reaction 1

# Associate track entry 1 with WLAN uplink detection.

[AC1] wlan uplink track 1

[AC1] quit

2.     Configure AC 2:

# Create an ICMP echo operation.

<AC2> system-view

[AC2] nqa entry admin test

[AC2-nqa-admin-test] type icmp-echo

# Specify 11.1.1.1 as the destination IP address of ICMP echo requests.

[AC2-nqa-admin-test-icmp-echo] destination ip 11.1.1.1

# Create reaction entry 1. If the number of consecutive probe failures reaches 5, collaboration is triggered.

[AC2-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only

[AC2-nqa-admin-test-icmp-echo] quit

# Start the ICMP echo operation.

[AC2] nqa schedule admin test start-time now lifetime forever

# Configure track entry 1, and associate it with reaction entry 1 of the NQA operation (with administrator admin, and operation tag test).

[AC2] track 1 nqa entry admin test reaction 1

# Associate track entry 1 with WLAN uplink detection.

[AC2] wlan uplink track 1

[AC2] quit

Verifying the configuration

This example uses AC 1 to verify the configuration.

1.     Verify that the radio of AP 1 is in Up state when the state of track entry 1 is Positive:

# Display information about track entry 1.

<AC1> display track 1

Track ID: 1

  State: Positive

  Duration: 0 days 1 hours 5 minutes 48 seconds

  Notification delay: Positive 0, Negative 0 (in seconds)

  Tracked object:

    NQA entry: admin test

    Reaction: 1

# Display detailed information about AP ap1.

<AC1> display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Online time                   : 0 days 2 hours 25 minutes 12 seconds

System up time                : 0 days 1 hours 22 minutes 12 seconds

Model                         : WA536-WW

Region code                   : US

Region code lock              : Disable

Serial ID                     : 219801A1NQB117012935

MAC address                   : 83D5-AB43-67FF

IP address                    : 1.1.1.2

H/W version                   : Ver.C

S/W version                   : V700R001B62D001

Boot version                  : 1.01

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Statistics report interval    : 50 seconds

Jumbo frame value             : Disabled

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : DHCP

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

LED mode                      : Normal

Radio 1:

    Basic BSSID               : N/A

    Admin state               : Up

    Radio type                : 802.11n(5GHz)

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 64(auto)

    Max power                 : 13 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Supported             : 9, 18, 36, 48, 54 Mbps

        Multicast             : 24 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : 0 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

Radio 2:

    Basic BSSID               : N/A

    Admin state               : Up

    Radio type                : 802.11b

    Antenna type              : internal

    Channel                   : 5(auto)

    Max power                 : 20 dBm

    Preamble type             : Short

    Operational rate:

        Mandatory             : 1, 2 Mbps

        Multicast             : Auto

        Supported             : 5.5, 11 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : 0 dBm

2.     Verify that the radio of AP 1 is in Down state when the state of track entry 1 is Negative:

# Display information about track entry 1.

<AC1> display track 1

Track ID: 1

  State: Negative

  Duration: 0 days 2 hours 5 minutes 48 seconds

  Notification delay: Positive 0, Negative 0 (in seconds)

  Tracked object:

    NQA entry: admin test

    Reaction: 1

# Display detailed information about AP ap1.

<AC1> display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Online time                   : 0 days 3 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA536-WW

Region code                   : US

Region code lock              : Disable

Serial ID                     : 219801A1NQB117012935

MAC address                   : 83D5-AB43-67FF

IP address                    : 1.1.1.2

H/W version                   : Ver.C

S/W version                   : V700R001B62D001

Boot version                  : 1.01

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Statistics report interval    : 50 seconds

Jumbo frame value             : Disabled

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : DHCP

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

LED mode                      : Normal

Radio 1:

    Basic BSSID               : N/A

    Admin state               : Down

    Radio type                : 802.11n(5GHz)

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 64(auto)

    Max power                 : 13 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Supported             : 9, 18, 36, 48, 54 Mbps

        Multicast             : 24 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : 0 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

Radio 2:

    Basic BSSID               : N/A

    Admin state               : Down

    Radio type                : 802.11b

    Antenna type              : internal

    Channel                   : 5(auto)

    Max power                 : 20 dBm

    Preamble type             : Short

    Operational rate:

        Mandatory             : 1, 2 Mbps

        Multicast             : Auto

        Supported             : 5.5, 11 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : 0 dBm
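The verification above compares two command outputs by eye. The following added example (not part of the H3C guide) automates that comparison for the Positive, Negative, and Invalid track states described in the overview. The sample outputs are constructed, shortened copies of the display track and display wlan ap name ap1 verbose output shown above, and the function names are hypothetical.

```python
import re

# Constructed samples: trimmed to the fields the check reads.
TRACK = """\
Track ID: 1
  State: {state}
  Notification delay: Positive 0, Negative 0 (in seconds)
  Tracked object:
    NQA entry: admin test
    Reaction: 1
"""
AP_VERBOSE = """\
AP name                       : ap1
State                         : Run
Tunnel encryption             : Disabled
Radio 1:
    Basic BSSID               : N/A
    Admin state               : {r1}
    Radio type                : 802.11n(5GHz)
Radio 2:
    Basic BSSID               : N/A
    Admin state               : {r2}
    Radio type                : 802.11b
"""

# Radio admin state the overview specifies for each track entry state.
EXPECTED = {"Positive": "Up", "Negative": "Down"}


def track_state(track_output):
    """Return the State field of 'display track' output, or None."""
    m = re.search(r"^[ \t]*State[ \t]*:[ \t]*(\w+)", track_output, re.MULTILINE)
    return m.group(1) if m else None


def radio_admin_states(ap_output):
    """Map radio ID -> Admin state from 'display wlan ap ... verbose' output."""
    states, radio = {}, None
    for raw in ap_output.splitlines():
        line = raw.strip()
        m = re.match(r"^Radio\s+(\d+)\s*:\s*$", line)
        if m:
            radio = int(m.group(1))  # start of a per-radio section
            continue
        m = re.match(r"^Admin state\s*:\s*(\w+)", line)
        if m and radio is not None:
            states[radio] = m.group(1)
    return states


def check_uplink_detection(track_output, ap_output):
    """Return findings where radio state disagrees with the track entry state."""
    state = track_state(track_output)
    if state == "Invalid":
        return []  # the AC does not change the radio state in this case
    want = EXPECTED.get(state)
    if want is None:
        return [f"unrecognized track state: {state!r}"]
    radios = radio_admin_states(ap_output)
    if not radios:
        return ["no radio sections found in the AP output"]
    # A radio that an administrator disabled manually is also reported here
    # when the track entry is Positive; review such findings by hand.
    return [
        f"radio {rid}: admin state {got}, expected {want} "
        f"while track entry is {state}"
        for rid, got in sorted(radios.items()) if got != want
    ]


if __name__ == "__main__":
    print(check_uplink_detection(TRACK.format(state="Negative"),
                                 AP_VERBOSE.format(r1="Down", r2="Up")))
```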

 

 

 


Configuring 802.11r

This chapter describes how to configure 802.11r.

802.11r overview

802.11r fast BSS transition (FT) minimizes the delay when a client roams from one BSS to another BSS within the same ESS. During 802.11r FT, a client needs to exchange messages with the target AP. FT provides the following message exchange methods:

·     Over-the-air—The client communicates directly with the target AP for pre-roaming authentication.

·     Over-the-DS—The client communicates with the target AP through the current AP for pre-roaming authentication.

802.11r operating mechanism

Intra-AC roaming through over-the-air FT

As shown in Figure 88, the client is associated with AP 1. Intra-AC roaming through over-the-air FT uses the following procedure:

1.     The client sends an FT authentication request to AP 2.

2.     AP 2 sends an FT authentication response to the client.

3.     The client sends a reassociation request to AP 2.

4.     AP 2 sends a reassociation response to the client.

5.     The client roams to AP 2.

Figure 88 Intra-AC roaming through over-the-air FT

 

Inter-AC roaming through over-the-air FT

As shown in Figure 89, the client is associated with AP 1. Inter-AC roaming through over-the-air FT uses the following procedure:

1.     After the client comes online, AC 1 sends roaming information for the client to AC 2. Roaming information includes the PMK and the client VLAN.

2.     The client sends an FT authentication request to AP 2.

3.     AP 2 sends an FT authentication response to the client.

4.     The client sends a reassociation request to AP 2.

5.     AP 2 sends a reassociation response to the client.

6.     The client roams to AP 2.

Figure 89 Inter-AC roaming through over-the-air FT

 

Intra-AC roaming through over-the-DS FT

As shown in Figure 90, the client is associated with AP 1. Intra-AC roaming through over-the-DS FT uses the following procedure:

1.     After the client comes online, the AC creates a roaming entry and saves it for the client.

2.     The client sends an FT authentication request to AP 1.

3.     AP 1 sends an FT authentication response to the client.

4.     The client sends a reassociation request to AP 2.

5.     AP 2 sends a reassociation response to the client.

6.     The client roams to AP 2.

Figure 90 Intra-AC roaming through over-the-DS FT

 

Protocols and standards

802.11r IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements

Configuring 802.11r

Follow these restrictions and guidelines when you configure 802.11r:

·     To enable a client that does not support FT to access the WLAN, create two service templates using the same SSID, with one enabled with FT and the other not.

·     To prevent a client from coming online every time the periodic reauthentication timer expires, do not enable FT and periodic reauthentication for the same service template. For more information about periodic reauthentication, see "Configuring WLAN authentication."

·     PTK updates are not supported for clients that have been associated with a WLAN through FT. For more information about PTK updates, see "Configuring WLAN security."

To configure 802.11r:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter service template view. | wlan service-template service-template-name | N/A |
| 3. Enable FT. | ft enable | By default, FT is disabled. |
| 4. (Optional.) Set the FT method. | ft method { over-the-air \| over-the-ds } | By default, the FT method is over-the-air. |
| 5. (Optional.) Set the reassociation timeout timer. | ft reassociation-timeout timeout | By default, the reassociation timeout timer is 20 seconds. The roaming process is terminated if a client does not send any reassociation requests before the timeout timer expires. |

802.11r configuration examples

Over-the-DS FT and PSK authentication configuration example

Network requirements

As shown in Figure 91, configure intra-AC roaming through over-the-DS FT to enable the client to roam between AP 1 and AP 2. Configure PSK as the authentication and key management mode.

Figure 91 Network diagram

 

Configuration procedures

# Create the service template acstname.

<AC> system-view

[AC] wlan service-template acstname

# Set the SSID to service.

[AC-wlan-st-acstname] ssid service

# Set the authentication and key management mode to PSK, and configure the simple string 12345678 as the PSK.

[AC-wlan-st-acstname] akm mode psk

[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678

# Set the CCMP cipher suite and enable the RSN IE in the beacon and probe responses.

[AC-wlan-st-acstname] cipher-suite ccmp

[AC-wlan-st-acstname] security-ie rsn

# Enable FT.

[AC-wlan-st-acstname] ft enable

# Set the reassociation timeout timer to 50 seconds.

[AC-wlan-st-acstname] ft reassociation-timeout 50

# Set the FT method to over-the-DS.

[AC-wlan-st-acstname] ft method over-the-ds

# Enable the service template.

[AC-wlan-st-acstname] service-template enable

[AC-wlan-st-acstname] quit

# Create AP 1, and bind the service template acstname to radio 2 of the AP.

[AC] wlan ap 1

[AC-wlan-ap-1] radio 2

[AC-wlan-ap-1-radio-2] service-template acstname

[AC-wlan-ap-1-radio-2] radio enable

[AC-wlan-ap-1-radio-2] quit

[AC-wlan-ap-1] quit

# Create AP 2, and bind the service template acstname to radio 2 of the AP.

[AC] wlan ap 2

[AC-wlan-ap-2] radio 2

[AC-wlan-ap-2-radio-2] service-template acstname

[AC-wlan-ap-2-radio-2] radio enable

[AC-wlan-ap-2-radio-2] quit

[AC-wlan-ap-2] quit

Verifying the configuration

# Verify that the service template is correctly configured.

[AC] display wlan service-template acstname verbose

Service template name        : acstname

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : Not configured

Frame format                 : Dot3

Seamless-roam                : Disabled

Seamless-roam RSSI threshold : 50

Seamless-roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : PSK

Security IE                  : RSN

Cipher suite                 : CCMP

TKIP countermeasure time     : 0 sec

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Disabled

User authentication mode     : Bypass

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users             : 4096

Max MAC-auth users           : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : SHA1

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forward policy               : Not configured

Forwarder                    : AC

FT Status                    : Enable

FT Method                    : over-the-ds

FT Reassociation Deadline    : 50 sec

QoS trust                    : Port

QoS priority                 : 0

# Verify that the roaming status is N/A and the FT status is Active.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                       : fc25-3f03-8361

IPv4 address                      : 10.1.1.114

IPv6 address                      : N/A

Username                          : N/A

AID                               : 1

AP ID                             : 1

AP name                           : 1

Radio ID                          : 2

SSID                              : service

BSSID                             : 000f-e266-7788

VLAN ID                           : 1

Power save mode                   : Active

Wireless mode                     : 802.11gn

Channel bandwidth                 : 20MHz

SM power save                     : Enabled

SM power save mode                : Static

Short GI for 20MHz                : Not supported

Short GI for 40MHz                : Not supported

STBC RX capability                : Supported

STBC TX capability                : Not supported

Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7

QoS mode                          : WMM

Listen interval                   : 20

RSSI                              : 0

Rx/Tx rate                        : 65/65

Authentication method             : Open system

Security mode                     : RSN

AKM mode                          : PSK

Encryption cipher                 : CCMP

User authentication mode          : Bypass

Authorization ACL ID              : N/A

Authorization user profile        : N/A

Roam status                       : N/A

Key derivation                    : SHA256

PMF status                        : N/A

Forward policy                    : N/A

Online time                       : 0hr 0min 41sec

FT status                         : Active

# Move the client into the coverage area of AP 2. (Details not shown.)

# Verify that the authentication method is FT and the roaming status is Intra-AC roam.

[AC] display wlan client verbose

Total number of clients: 1

 

 MAC address                       : fc25-3f03-8361

 IPv4 address                      : 10.1.1.114

 IPv6 address                      : N/A

 Username                          : N/A

 AID                               : 1

 AP ID                             : 2

 AP name                           : 2

 Radio ID                          : 2

 SSID                              : service

 BSSID                             : 000f-e211-2233

 VLAN ID                           : 1

 Power save mode                   : Active

 Wireless mode                     : 802.11gn

 Channel bandwidth                 : 20MHz

 SM power save                     : Enabled

 SM power save mode                : Static

 Short GI for 20MHz                : Not supported

 Short GI for 40MHz                : Not supported

 STBC RX capability                : Supported

 STBC TX capability                : Not supported

 Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7

 QoS mode                          : WMM

 Listen interval                   : 20

 RSSI                              : 0

 Rx/Tx rate                        : 0/0

 Authentication method             : FT

 Security mode                     : RSN

 AKM mode                          : PSK

 Encryption cipher                 : CCMP

 User authentication mode          : Bypass

 Authorization ACL ID              : N/A

 Authorization user profile        : N/A

 Roam status                       : Intra-AC roam

 Key derivation                    : SHA256

 PMF status                        : N/A

 Forward policy                    : N/A

 Online time                       : 0hr 0min 27sec

 FT status                         : Active

Over-the-air FT and PSK authentication configuration example

Network requirements

As shown in Figure 91, configure intra-AC roaming through over-the-air FT to enable the client to roam between AP 1 and AP 2. Configure PSK as the authentication and key management mode.

Configuration procedures

# Create the service template acstname.

<AC> system-view

[AC] wlan service-template acstname

# Set the SSID to service.

[AC-wlan-st-acstname] ssid service

# Set the authentication and key management mode to PSK, and configure the simple string 12345678 as the PSK.

[AC-wlan-st-acstname] akm mode psk

[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678

# Set the cipher suite to CCMP, and enable the RSN IE in beacons and probe responses.

[AC-wlan-st-acstname] cipher-suite ccmp

[AC-wlan-st-acstname] security-ie rsn

# Enable FT.

[AC-wlan-st-acstname] ft enable

# Set the reassociation timeout to 50 seconds.

[AC-wlan-st-acstname] ft reassociation-timeout 50

# Enable the service template.

[AC-wlan-st-acstname] service-template enable

[AC-wlan-st-acstname] quit

# Create AP 1, and bind the service template acstname to radio 2 of the AP.

[AC] wlan ap 1

[AC-wlan-ap-1] radio 2

[AC-wlan-ap-1-radio-2] service-template acstname

[AC-wlan-ap-1-radio-2] radio enable

[AC-wlan-ap-1-radio-2] quit

[AC-wlan-ap-1] quit

# Create AP 2, and bind the service template acstname to radio 2 of the AP.

[AC] wlan ap 2

[AC-wlan-ap-2] radio 2

[AC-wlan-ap-2-radio-2] service-template acstname

[AC-wlan-ap-2-radio-2] radio enable

[AC-wlan-ap-2-radio-2] quit

[AC-wlan-ap-2] quit

Verifying the configuration

# Verify the following information:

·     RSN IE is enabled.

·     The AKM mode is PSK.

·     The cipher suite is CCMP.

·     The FT status is Active.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                       : fc25-3f03-8361

IPv4 address                      : 10.1.1.114

IPv6 address                      : N/A

Username                          : N/A

AID                               : 1

AP ID                             : 1

AP name                           : 1

Radio ID                          : 2

SSID                              : service

BSSID                             : 000f-e266-7788

VLAN ID                           : 1

Power save mode                   : Active

Wireless mode                     : 802.11gn

Channel bandwidth                 : 20MHz

SM power save                     : Enabled

SM power save mode                : Static

Short GI for 20MHz                : Not supported

Short GI for 40MHz                : Not supported

STBC RX capability                : Supported

STBC TX capability                : Not supported

Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7

QoS mode                          : WMM

Listen interval                   : 20

RSSI                              : 0

Rx/Tx rate                        : 65/65

Authentication method             : Open system

Security mode                     : RSN

AKM mode                          : PSK

Encryption cipher                 : CCMP

User authentication mode          : Bypass

Authorization ACL ID              : N/A

Authorization user profile        : N/A

Roam status                       : N/A

Key derivation                    : SHA256

PMF status                        : N/A

Forward policy                    : N/A

Online time                       : 0hr 0min 41sec

FT status                         : Active

# Move the client to the coverage of AP 2. (Details not shown.)

# Verify that the authentication method is FT and the roaming status is Intra-AC roam.

[AC] display wlan client verbose

Total number of clients: 1

 

 MAC address                       : fc25-3f03-8361

 IPv4 address                      : 10.1.1.114

 IPv6 address                      : N/A

 Username                          : N/A

 AID                               : 1

 AP ID                             : 2

 AP name                           : 2

 Radio ID                          : 2

 SSID                              : service

 BSSID                             : 000f-e211-2233

 VLAN ID                           : 1

 Power save mode                   : Active

 Wireless mode                     : 802.11gn

 Channel bandwidth                 : 20MHz

 SM power save                     : Enabled

 SM power save mode                : Static

 Short GI for 20MHz                : Not supported

 Short GI for 40MHz                : Not supported

 STBC RX capability                : Supported

 STBC TX capability                : Not supported

 Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7

 QoS mode                          : WMM

 Listen interval                   : 20

 RSSI                              : 0

 Rx/Tx rate                        : 0/0

 Authentication method             : FT

 Security mode                     : RSN

 AKM mode                          : PSK

 Encryption cipher                 : CCMP

 User authentication mode          : Bypass

 Authorization ACL ID              : N/A

 Authorization user profile        : N/A

 Roam status                       : Intra-AC roam

 Key derivation                    : SHA256

 PMF status                        : N/A

 Forward policy                    : N/A

 Online time                       : 0hr 0min 27sec

 FT status                         : Active

Over-the-DS FT and 802.1X authentication configuration example

Network requirements

As shown in Figure 91, configure intra-AC roaming through over-the-DS FT to enable the client to roam between AP 1 and AP 2. Configure 802.1X as the authentication and key management mode.

Configuration procedures

# Create the service template acstname.

<AC> system-view

[AC] wlan service-template acstname

# Set the SSID to service.

[AC-wlan-st-acstname] ssid service

# Set the AKM mode to 802.1X.

[AC-wlan-st-acstname] akm mode dot1x

# Set the cipher suite to CCMP, and enable the RSN IE in beacons and probe responses.

[AC-wlan-st-acstname] cipher-suite ccmp

[AC-wlan-st-acstname] security-ie rsn

# Set the authentication mode to 802.1X for clients.

[AC-wlan-st-acstname] client-security authentication-mode dot1x

[AC-wlan-st-acstname] dot1x domain imc

# Enable FT.

[AC-wlan-st-acstname] ft enable

# Set the FT method to over-the-DS.

[AC-wlan-st-acstname] ft method over-the-ds

# Enable the service template.

[AC-wlan-st-acstname] service-template enable

[AC-wlan-st-acstname] quit

# Set the 802.1X authentication mode to EAP.

[AC] dot1x authentication-method eap

# Create the RADIUS scheme imcc.

[AC] radius scheme imcc

# Set the IP address of the primary authentication and accounting servers to 10.1.1.3.

[AC-radius-imcc] primary authentication 10.1.1.3

[AC-radius-imcc] primary accounting 10.1.1.3

# Set the shared key for the AC to exchange packets with the authentication and accounting servers to 12345678.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Configure the AC to remove the ISP domain name from usernames sent to the RADIUS server.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

# Create the ISP domain imc, and configure the domain to use the RADIUS scheme imcc for authentication, authorization, and accounting.

[AC] domain imc

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

# Create AP 1, and bind the service template acstname to radio 2 of the AP.

[AC] wlan ap 1

[AC-wlan-ap-1] radio 2

[AC-wlan-ap-1-radio-2] service-template acstname

[AC-wlan-ap-1-radio-2] radio enable

[AC-wlan-ap-1-radio-2] quit

[AC-wlan-ap-1] quit

# Create AP 2, and bind the service template acstname to radio 2 of the AP.

[AC] wlan ap 2

[AC-wlan-ap-2] radio 2

[AC-wlan-ap-2-radio-2] service-template acstname

[AC-wlan-ap-2-radio-2] radio enable

[AC-wlan-ap-2-radio-2] quit

[AC-wlan-ap-2] quit
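The PSK and the RADIUS shared keys in the procedures above are all entered with the `simple` keyword, so a saved CLI transcript exposes them to review. The following Python audit is an added example, not H3C tooling: it extracts those secrets per view and reports weak or reused values without echoing them. The transcript is constructed from the commands above, and the 16-character minimum is an assumed local policy.

```python
import re

# Constructed transcript: the secret-bearing commands from the PSK and 802.1X
# procedures above, combined as they would appear on one AC.
TRANSCRIPT = """\
<AC> system-view
[AC] wlan service-template acstname
[AC-wlan-st-acstname] akm mode psk
[AC-wlan-st-acstname] preshared-key pass-phrase simple 12345678
[AC-wlan-st-acstname] quit
[AC] radius scheme imcc
[AC-radius-imcc] primary authentication 10.1.1.3
[AC-radius-imcc] key authentication simple 12345678
[AC-radius-imcc] key accounting simple 12345678
[AC-radius-imcc] quit
"""

MIN_LEN = 16  # assumed local policy, not an H3C or 802.11 requirement

# "<AC> cmd" (user view) or "[AC-some-view] cmd" (any other view).
PROMPT = re.compile(r"^\s*[\[<]([^\]>]+)[\]>]\s*(.*)$")

# Only keys entered with the `simple` keyword are readable in a transcript.
SECRET_COMMANDS = (
    (re.compile(r"^preshared-key\s+pass-phrase\s+simple\s+(\S+)$"),
     "WLAN PSK passphrase"),
    (re.compile(r"^key\s+authentication\s+simple\s+(\S+)$"),
     "RADIUS authentication key"),
    (re.compile(r"^key\s+accounting\s+simple\s+(\S+)$"),
     "RADIUS accounting key"),
)


def extract_secrets(transcript):
    """Return (view, purpose, secret) for every secret-setting command."""
    found = []
    for line in transcript.splitlines():
        prompt = PROMPT.match(line)
        if not prompt:
            continue
        view, command = prompt.group(1), prompt.group(2).strip()
        for pattern, purpose in SECRET_COMMANDS:
            hit = pattern.match(command)
            if hit:
                found.append((view, purpose, hit.group(1)))
    return found


def char_class(ch):
    """Classify one character as digits, lowercase, uppercase or symbols."""
    if ch.isdigit():
        return "digits"
    if ch.islower():
        return "lowercase"
    if ch.isupper():
        return "uppercase"
    return "symbols"


def weaknesses(secret, min_len=MIN_LEN):
    """Return the reasons a secret is easy to guess (empty list if none)."""
    issues = []
    if len(secret) < min_len:
        issues.append(f"shorter than {min_len} characters")
    classes = {char_class(c) for c in secret}
    if len(classes) == 1:
        issues.append(f"single character class ({next(iter(classes))})")
    # All neighbouring characters differ by the same step of 0, +1 or -1.
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    if steps in ({0}, {1}, {-1}):
        issues.append("repeated or sequential characters")
    return issues


def audit(transcript):
    """Return findings as strings; secret values are never echoed."""
    findings = []
    views_by_secret = {}
    for view, purpose, secret in extract_secrets(transcript):
        views_by_secret.setdefault(secret, set()).add(view)
        for issue in weaknesses(secret):
            findings.append(f"{view}: {purpose}: {issue}")
    # A PSK is known to every client, so it must not double as a RADIUS key.
    for views in views_by_secret.values():
        if len(views) > 1:
            findings.append("same secret reused across views: "
                            + ", ".join(sorted(views)))
    return findings


if __name__ == "__main__":
    for finding in audit(TRANSCRIPT):
        print(finding)
```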

Verifying the configuration

# Verify that the service template is correctly configured.

[AC] display wlan service-template acstname verbose

Service template name        : stname

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : Not configured

Frame format                 : Dot3

Seamless-roam                : Disabled

Seamless-roam RSSI threshold : 50

Seamless-roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : 802.1X

Security IE                  : RSN

Cipher suite                 : CCMP

TKIP countermeasure time     : 0 sec

PTK lifetime                 : 43200 sec

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Disabled

User authentication mode     : 802.1X

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : imc

MAC-auth domain              : Not configured

Max 802.1X users             : 4096

Max MAC-auth users           : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : SHA1

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forward policy               : Not configured

Forwarder                    : AC

FT Status                    : Enable

FT Method                    : over-the-ds

FT Reassociation Deadline    : 20 sec

QoS trust                    : Port

QoS priority                 : 0

# Verify that the roaming status is N/A and the FT status is Active.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                       : fc25-3f03-8361

IPv4 address                      : 10.1.1.114

IPv6 address                      : N/A

Username                          : w2

AID                               : 1

AP ID                             : 1

AP name                           : 1

Radio ID                          : 2

SSID                              : service

BSSID                             : 000f-e266-7788

VLAN ID                           : 1

Power save mode                   : Active

Wireless mode                     : 802.11gn

Channel bandwidth                 : 20MHz

SM power save                     : Enabled

SM power save mode                : Static

Short GI for 20MHz                : Not supported

Short GI for 40MHz                : Not supported

STBC RX capability                : Supported

STBC TX capability                : Not supported

Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7

QoS mode                          : WMM

Listen interval                   : 20

RSSI                              : 0

Rx/Tx rate                        : 0/0

Authentication method             : Open system

Security mode                     : RSN

AKM mode                          : 802.1X

Encryption cipher                 : CCMP

User authentication mode          : 802.1X

Authorization ACL ID              : N/A

Authorization user profile        : N/A

Roam status                       : N/A

Key derivation                    : SHA256

PMF status                        : N/A

Forward policy                    : N/A

Online time                       : 0hr 0min 7sec

FT status                         : Active

# Move the client to the coverage of AP 2. (Details not shown.)

# Verify that the authentication method is FT and the roaming status is Intra-AC roam.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                       : fc25-3f03-8361

IPv4 address                      : 10.1.1.114

IPv6 address                      : N/A

Username                          : w2

AID                               : 1

AP ID                             : 2

AP name                           : 2

Radio ID                          : 2

SSID                              : service

BSSID                             : 000f-e211-2233

VLAN ID                           : 1

Power save mode                   : Active

Wireless mode                     : 802.11gn

Channel bandwidth                 : 20MHz

SM power save                     : Enabled

SM power save mode                : Static

Short GI for 20MHz                : Not supported

Short GI for 40MHz                : Not supported

STBC RX capability                : Supported

STBC TX capability                : Not supported

Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7

QoS mode                          : WMM

Listen interval                   : 20

RSSI                              : 0

Rx/Tx rate                        : 0/0

Authentication method             : FT

Security mode                     : RSN

AKM mode                          : 802.1X

Encryption cipher                 : CCMP

User authentication mode          : 802.1X

Authorization ACL ID              : N/A

Authorization user profile        : N/A

Roam status                       : Intra-AC roam

Key derivation                    : SHA256

PMF status                        : N/A

Forward policy                    : N/A

Online time                       : 0hr 0min 7sec

FT status                         : Active

Over-the-air FT and 802.1X authentication configuration example

Network requirements

As shown in Figure 91, configure intra-AC roaming through over-the-air FT to enable the client to roam between AP 1 and AP 2. Configure 802.1X as the authentication and key management mode.

Configuration procedures

# Create the service template acstname.

<AC> system-view

[AC] wlan service-template acstname

# Set the SSID to service.

[AC-wlan-st-acstname] ssid service

# Set the AKM mode to 802.1X.

[AC-wlan-st-acstname] akm mode dot1x

# Set the cipher suite to CCMP, and enable the RSN IE in beacons and probe responses.

[AC-wlan-st-acstname] cipher-suite ccmp

[AC-wlan-st-acstname] security-ie rsn

# Set the authentication mode to 802.1X for clients.

[AC-wlan-st-acstname] client-security authentication-mode dot1x

[AC-wlan-st-acstname] dot1x domain imc

# Enable FT.

[AC-wlan-st-acstname] ft enable

# Enable the service template.

[AC-wlan-st-acstname] service-template enable

[AC-wlan-st-acstname] quit

# Set the 802.1X authentication mode to EAP.

[AC] dot1x authentication-method eap

# Create the RADIUS scheme imcc.

[AC] radius scheme imcc

# Set the IP address of the primary authentication and accounting servers to 10.1.1.3.

[AC-radius-imcc] primary authentication 10.1.1.3

[AC-radius-imcc] primary accounting 10.1.1.3

# Set the shared key for the AC to exchange packets with the authentication and accounting servers to 12345678.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Configure the AC to remove the ISP domain name from usernames sent to the RADIUS server.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

# Create the ISP domain imc, and configure the domain to use the RADIUS scheme imcc for authentication, authorization, and accounting.

[AC] domain imc

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

# Create AP 1, and bind the service template acstname to radio 2 of the AP.

[AC] wlan ap 1

[AC-wlan-ap-1] radio 2

[AC-wlan-ap-1-radio-2] service-template acstname

[AC-wlan-ap-1-radio-2] radio enable

[AC-wlan-ap-1-radio-2] quit

[AC-wlan-ap-1] quit

# Create AP 2, and bind the service template acstname to radio 2 of the AP.

[AC] wlan ap 2

[AC-wlan-ap-2] radio 2

[AC-wlan-ap-2-radio-2] service-template acstname

[AC-wlan-ap-2-radio-2] radio enable

[AC-wlan-ap-2-radio-2] quit

[AC-wlan-ap-2] quit

Verifying the configuration

# Verify the following information:

·     RSN IE is enabled.

·     The AKM mode is 802.1X.

·     The cipher suite is CCMP.

·     The FT status is Active.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                       : fc25-3f03-8361

IPv4 address                      : 10.1.1.114

IPv6 address                      : N/A

Username                          : w2

AID                               : 1

AP ID                             : 1

AP name                           : 1

Radio ID                          : 2

SSID                              : service

BSSID                             : 000f-e266-7788

VLAN ID                           : 1

Power save mode                   : Active

Wireless mode                     : 802.11gn

Channel bandwidth                 : 20MHz

SM power save                     : Enabled

SM power save mode                : Static

Short GI for 20MHz                : Not supported

Short GI for 40MHz                : Not supported

STBC RX capability                : Supported

STBC TX capability                : Not supported

Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7

QoS mode                          : WMM

Listen interval                   : 20

RSSI                              : 0

Rx/Tx rate                        : 0/0

Authentication method             : Open system

Security mode                     : RSN

AKM mode                          : 802.1X

Encryption cipher                 : CCMP

User authentication mode          : 802.1X

Authorization ACL ID              : N/A

Authorization user profile        : N/A

Roam status                       : N/A

Key derivation                    : SHA256

PMF status                        : N/A

Forward policy                    : N/A

Online time                       : 0hr 0min 19sec

FT status                         : Active

# Move the client to the coverage of AP 2. (Details not shown.)

# Verify that the authentication method is FT and the roaming status is Intra-AC roam.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                       : fc25-3f03-8361

IPv4 address                      : 10.1.1.114

IPv6 address                      : N/A

Username                          : w2

AID                               : 1

AP ID                             : 2

AP name                           : 2

Radio ID                          : 2

SSID                              : service

BSSID                             : 000f-e211-2233

VLAN ID                           : 1

Power save mode                   : Active

Wireless mode                     : 802.11gn

Channel bandwidth                 : 20MHz

SM power save                     : Enabled

SM power save mode                : Static

Short GI for 20MHz                : Not supported

Short GI for 40MHz                : Not supported

STBC RX capability                : Supported

STBC TX capability                : Not supported

Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7

QoS mode                          : WMM

Listen interval                   : 20

RSSI                              : 0

Rx/Tx rate                        : 0/0

Authentication method             : FT

Security mode                     : RSN

AKM mode                          : 802.1X

Encryption cipher                 : CCMP

User authentication mode          : 802.1X

Authorization ACL ID              : N/A

Authorization user profile        : N/A

Roam status                       : Intra-AC roam

Key derivation                    : SHA256

PMF status                        : N/A

Forward policy                    : N/A

Online time                       : 0hr 0min 7sec

FT status                         : Active
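The roam checks used in the verification steps above, as an added Python example (not H3C tooling): it parses two `display wlan client verbose` captures and reports every field that does not match what the guide expects before and after the roam. The captures are constructed excerpts of the outputs above, and the requirement that SSID, security mode, AKM mode, cipher, and key derivation stay unchanged across the roam is an added check that the guide does not list.

```python
import re

MAC = "fc25-3f03-8361"

# Constructed excerpts of the pre-roam and post-roam outputs shown above.
BEFORE = """\
Total number of clients: 1

MAC address                       : fc25-3f03-8361
AP ID                             : 1
SSID                              : service
BSSID                             : 000f-e266-7788
Authentication method             : Open system
Security mode                     : RSN
AKM mode                          : 802.1X
Encryption cipher                 : CCMP
Roam status                       : N/A
Key derivation                    : SHA256
FT status                         : Active
"""

AFTER = """\
Total number of clients: 1

MAC address                       : fc25-3f03-8361
AP ID                             : 2
SSID                              : service
BSSID                             : 000f-e211-2233
Authentication method             : FT
Security mode                     : RSN
AKM mode                          : 802.1X
Encryption cipher                 : CCMP
Roam status                       : Intra-AC roam
Key derivation                    : SHA256
FT status                         : Active
"""

# "Field name   : value"; the field name ends at the first colon.
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

# Values the guide tells you to verify before and after the roam.
EXPECT_BEFORE = {"Security mode": "RSN", "Encryption cipher": "CCMP",
                 "Roam status": "N/A", "FT status": "Active"}
EXPECT_AFTER = {"Authentication method": "FT",
                "Roam status": "Intra-AC roam", "FT status": "Active"}
# Added check: the security parameters must survive the roam unchanged.
UNCHANGED = ("SSID", "Security mode", "AKM mode", "Encryption cipher",
             "Key derivation")


def parse_clients(text):
    """Return {mac: {field: value}} from `display wlan client verbose`."""
    clients, current = {}, None
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "Total number of clients":
            continue
        if key == "MAC address":  # first field of each client record
            current = clients.setdefault(value, {})
        if current is not None:
            current[key] = value
    return clients


def check_ft_roam(before, after, mac):
    """Return a list of findings; an empty list means the roam checks pass."""
    b = parse_clients(before).get(mac)
    a = parse_clients(after).get(mac)
    if b is None or a is None:
        return [f"client {mac} not present in both captures"]
    findings = []
    for label, record, expected in (("before", b, EXPECT_BEFORE),
                                    ("after", a, EXPECT_AFTER)):
        for field, want in expected.items():
            got = record.get(field)
            if got != want:
                findings.append(
                    f"{label} roam: {field} is {got!r}, expected {want!r}")
    if b.get("BSSID") == a.get("BSSID"):
        findings.append("BSSID did not change, so the client did not roam")
    for field in UNCHANGED:
        if b.get(field) != a.get(field):
            findings.append(f"{field} changed across the roam: "
                            f"{b.get(field)!r} -> {a.get(field)!r}")
    return findings


if __name__ == "__main__":
    print(check_ft_roam(BEFORE, AFTER, MAC) or "FT roam verified")
```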

 

 

 


Configuring wireless location

Overview

Wireless location tracks 802.11 devices for medical monitoring, asset management, and logistics management.

Wireless location system

As shown in Figure 92, a wireless location system contains 802.11 devices, information receivers (802.11 APs), and a location server. 802.11 devices include Tags (small wireless devices that can only send 802.11 packets periodically) and MUs (all 802.11 devices except Tags).

Figure 92 Wireless location system

 

Wireless location mechanism

Wireless location operates as follows:

1.     The 802.11 device sends a wireless packet.

2.     Upon receiving the wireless packet, the APs encapsulate the collected location information (including RSSI and timestamp) in location packets, and then send the packets to the location server.

3.     The location server calculates the location of the 802.11 device.

A location server needs location information from a minimum of three APs to locate an 802.11 device.
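Why a minimum of three APs is needed, as an added Python example: each RSSI report constrains the device to a circle around one AP, and only three non-collinear circles intersect in a single point. This is not H3C's location-server algorithm; the log-distance path-loss model, its two parameters, the AP coordinates, and the one-second timestamp window are assumptions made for illustration.

```python
import math

RSSI_AT_1M = -40.0    # assumed RSSI in dBm at 1 m from the device
PATH_LOSS_EXP = 2.5   # assumed indoor path-loss exponent


def rssi_to_distance(rssi_dbm):
    """Invert the log-distance path-loss model to get metres from dBm."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))


def distance_to_rssi(distance_m):
    """Forward model, used here only to construct the sample reports."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXP * math.log10(distance_m)


def locate(reports, window_s=1.0):
    """Estimate (x, y) from reports of (ap_x, ap_y, rssi_dbm, timestamp_s).

    Only reports within window_s of the newest timestamp are used, so that
    all of them describe the same transmission of a possibly moving device.
    """
    newest = max((r[3] for r in reports), default=0.0)
    fresh = [r for r in reports if newest - r[3] <= window_s]
    if len(fresh) < 3:
        raise ValueError("need reports from at least three APs")

    # Circle i: (x - xi)^2 + (y - yi)^2 = di^2. Subtracting circle 0 from
    # circle i removes the squared unknowns and leaves a linear equation
    #   2(xi - x0) x + 2(yi - y0) y = d0^2 - di^2 + xi^2 - x0^2 + yi^2 - y0^2
    x0, y0, rssi0, _ = fresh[0]
    d0 = rssi_to_distance(rssi0)
    s_aa = s_ab = s_bb = t_a = t_b = 0.0
    for xi, yi, rssi, _ in fresh[1:]:
        di = rssi_to_distance(rssi)
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = d0**2 - di**2 + xi**2 - x0**2 + yi**2 - y0**2
        s_aa += a * a
        s_ab += a * b
        s_bb += b * b
        t_a += a * c
        t_b += b * c

    # Solve the 2x2 least-squares normal equations with Cramer's rule.
    det = s_aa * s_bb - s_ab**2
    if abs(det) < 1e-9:
        raise ValueError("APs are collinear; the position is ambiguous")
    return ((t_a * s_bb - t_b * s_ab) / det,
            (s_aa * t_b - s_ab * t_a) / det)


# Constructed sample: three APs hear one packet from a device at (4, 3).
TRUE_POSITION = (4.0, 3.0)
AP_POSITIONS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
SAMPLE_REPORTS = [
    (x, y, distance_to_rssi(math.dist((x, y), TRUE_POSITION)), 100.0)
    for x, y in AP_POSITIONS
]

if __name__ == "__main__":
    print(locate(SAMPLE_REPORTS))
```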

Configuration task list

Tasks at a glance

(Required.) Enabling RF fingerprinting

(Required.) Enabling radio-based location

(Required.) Specifying an IPv4 address and a port number for the location server

(Required.) Specifying a port to listen for messages from the location server

(Required.) Specifying a multicast MAC address for Tags

(Required.) Specifying the type of devices to locate

(Optional.) Configuring raw frame reporting

(Optional.) Configuring MU information reporting

(Optional.) Specifying the location packet format

(Optional.) Specifying the report mode for location packets

(Optional.) Configuring packet dilution

(Optional.) Enabling ignoring beacon frames

(Optional.) Enabling ignoring AP frames

(Optional.) Configuring RSSI-based packet filtering

(Optional.) Configuring client packet rate limiting

(Optional.) Configuring location packet rate limiting

(Optional.) Configuring wireless location keepalive

(Optional.) Enabling SNMP notifications for wireless location

 

Configuring WLAN location

Enabling RF fingerprinting

For an AP to send location packets to the location server, you must enable both RF fingerprinting and radio-based location.

Enabling RF fingerprinting in AP view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Enable RF fingerprinting. | rfid-tracking fingerprint enable | By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view. |

 

Enabling RF fingerprinting in AP group view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Enable RF fingerprinting. | rfid-tracking fingerprint enable | By default, an AP uses the configuration in global configuration view. |

 

Enabling RF fingerprinting in global configuration view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter global configuration view. | wlan global-configuration | N/A |
| 3. Enable RF fingerprinting. | rfid-tracking fingerprint enable | By default, RF fingerprinting is disabled. |

 

Enabling radio-based location

For an AP to send location packets to the location server, you must enable both RF fingerprinting and radio-based location.

Enabling radio-based location in radio view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Enter radio view. | radio radio-id | N/A |
| 4. Enable radio-based location. | rfid-tracking radio enable | By default, an AP uses the configuration in AP group radio view. |

 

Enabling radio-based location in AP group radio view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Enter AP model view. | ap-model ap-model | N/A |
| 4. Enter radio view. | radio radio-id | N/A |
| 5. Enable radio-based location. | rfid-tracking radio enable | By default, radio-based location is disabled. |

 

Specifying an IPv4 address and a port number for the location server

APs send location packets to the IPv4 address and port number that you specify for the location server.

Specifying an IPv4 address and a port number for the location server in AP view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Specify an IPv4 address and a port number for the location server. | rfid-tracking fingerprint engine-address engine-address engine-port engine-port | By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view. |

 

Specifying an IPv4 address and a port number for the location server in AP group view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Specify an IPv4 address and a port number for the location server. | rfid-tracking fingerprint engine-address engine-address engine-port engine-port | By default, an AP uses the configuration in global configuration view. |

 

Specifying an IPv4 address and a port number for the location server in global configuration view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter global configuration view. | wlan global-configuration | N/A |
| 3. Specify an IPv4 address and a port number for the location server. | rfid-tracking fingerprint engine-address engine-address engine-port engine-port | By default, no IPv4 address and port number are specified for the location server. |

 

Specifying a port to listen for messages from the location server

Perform this task to specify the port on which an AP listens for messages from the location server.

Specifying a port to listen for messages from the location server in AP view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Specify a port to listen for messages from the location server. | rfid-tracking fingerprint vendor-port vendor-port-number | By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view. |

 

Specifying a port to listen for messages from the location server in AP group view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Specify a port to listen for messages from the location server. | rfid-tracking fingerprint vendor-port vendor-port-number | By default, an AP uses the configuration in global configuration view. |

 

Specifying a port to listen for messages from the location server in global configuration view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter global configuration view. | wlan global-configuration | N/A |
| 3. Specify a port to listen for messages from the location server. | rfid-tracking fingerprint vendor-port vendor-port-number | By default, the listening port is 1144. |

 

Specifying a multicast MAC address for Tags

If you do not specify a multicast MAC address for Tags, an AP determines that all received 802.11 packets are from MUs.

Specifying a multicast MAC address for Tags in AP view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Specify a multicast MAC address for Tags. | rfid-tracking fingerprint tag-multicast-address mac-address | By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view. |

 

Specifying a multicast MAC address for Tags in AP group view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Specify a multicast MAC address for Tags. | rfid-tracking fingerprint tag-multicast-address mac-address | By default, an AP uses the configuration in global configuration view. |

 

Specifying a multicast MAC address for Tags in global configuration view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter global configuration view. | wlan global-configuration | N/A |
| 3. Specify a multicast MAC address for Tags. | rfid-tracking fingerprint tag-multicast-address mac-address | By default, no multicast MAC address is specified for Tags. |

 

Specifying the type of devices to locate

This feature enables an AP to send location information about only the specified type of devices to the location server.

Specifying the type of devices to locate in radio view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Enter radio view. | radio radio-id | N/A |
| 4. Specify the type of devices to locate. | rfid-tracking mode { mu \| tag } * | By default, an AP uses the configuration in AP group radio view. |

 

Specifying the type of devices to locate in AP group radio view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Enter AP model view. | ap-model ap-model | N/A |
| 4. Enter radio view. | radio radio-id | N/A |
| 5. Specify the type of devices to locate. | rfid-tracking mode { mu \| tag } * | By default, the type of devices to locate is not specified. |

 

Configuring raw frame reporting

This feature enables an AP to encapsulate both the raw frames and the location information obtained from the frames in location packets.

Configuring raw frame reporting in AP view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Configure raw frame reporting. | rfid-tracking fingerprint raw-frame-report { disable \| enable } | By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view. |

 

Configuring raw frame reporting in AP group view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Configure raw frame reporting. | rfid-tracking fingerprint raw-frame-report { disable \| enable } | By default, an AP uses the configuration in global configuration view. |

 

Configuring raw frame reporting in global configuration view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter global configuration view. | wlan global-configuration | N/A |
| 3. Configure raw frame reporting. | rfid-tracking fingerprint raw-frame-report { disable \| enable } | By default, raw frame reporting is disabled. |

 

Configuring MU information reporting

This feature enables an AP to encapsulate MU information, including the IP address and the transmit rate of an MU, in location packets.

Configuring MU information reporting in AP view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
| 3. Configure MU information reporting. | rfid-tracking fingerprint mu-report { disable \| enable } | By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view. |

 

Configuring MU information reporting in AP group view

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Configure MU information reporting. | rfid-tracking fingerprint mu-report { disable \| enable } | By default, an AP uses the configuration in global configuration view. |

 

Configuring MU information reporting in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Configure MU information reporting.

rfid-tracking fingerprint mu-report { disable | enable }

By default, MU information reporting is disabled.
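The Remarks above give a fixed precedence: AP view, then AP group view, then global configuration view, then the built-in default. The following added example (not H3C code) replays a configuration script and lists the APs that end up sending raw frames or MU information to the location server. The AP-to-group map, the AP and group names, and the sample script are constructed for illustration.

```python
"""Audit which APs will export raw frames or MU information (added example)."""

# Built-in defaults from this page: both features are disabled.
DEFAULTS = {"raw-frame-report": "disable", "mu-report": "disable"}
PREFIX = ["rfid-tracking", "fingerprint"]


def parse_script(lines):
    """Replay CLI lines, tracking the current view, and record each setting.

    Returns {(view_kind, name): {feature: "enable" | "disable"}} where
    view_kind is "ap", "group" or "global" (name is None for global).
    """
    settings, stack = {}, []  # stack[-1] is the view the next command runs in
    for raw in lines:
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if words == ["quit"]:
            if stack:
                stack.pop()
        elif words[:2] == ["wlan", "ap"] and len(words) >= 3:
            stack = [("ap", words[2])]
        elif words[:2] == ["wlan", "ap-group"] and len(words) == 3:
            stack = [("group", words[2])]
        elif words == ["wlan", "global-configuration"]:
            stack = [("global", None)]
        elif words[0] == "radio" and stack and stack[-1][0] == "ap":
            stack.append(("radio", words[-1]))  # radio view holds no such setting
        elif (stack and stack[-1][0] != "radio" and words[:2] == PREFIX
              and len(words) == 4 and words[2] in DEFAULTS
              and words[3] in ("enable", "disable")):
            settings[stack[-1]][words[2]] = words[3]
        if stack and stack[-1][0] != "radio":
            settings.setdefault(stack[-1], {})  # remember every view entered
    return settings


def effective(ap, feature, settings, group_of):
    """Return (value, source): AP view > AP group view > global view > default."""
    for scope in (("ap", ap), ("group", group_of.get(ap)), ("global", None)):
        value = settings.get(scope, {}).get(feature)
        if value is not None:
            return value, scope[0]
    return DEFAULTS[feature], "default"


def audit(settings, group_of):
    """List (ap, feature, source) for every AP that ends up exporting data."""
    findings = []
    for kind, ap in settings:
        if kind != "ap":
            continue
        for feature in DEFAULTS:
            value, source = effective(ap, feature, settings, group_of)
            if value == "enable":
                findings.append((ap, feature, source))
    return findings


# Constructed sample: group membership is an assumption supplied by the caller.
GROUP_OF = {"ap1": "lobby", "ap2": "lobby"}
SAMPLE_SCRIPT = """
system-view
wlan global-configuration
rfid-tracking fingerprint mu-report enable
quit
wlan ap-group lobby
rfid-tracking fingerprint mu-report disable
rfid-tracking fingerprint raw-frame-report enable
quit
wlan ap ap1 model WA536-WW
rfid-tracking fingerprint raw-frame-report disable
quit
wlan ap ap2 model WA536-WW
radio 1
rfid-tracking radio enable
quit
quit
wlan ap ap3 model WA536-WW
quit
"""

if __name__ == "__main__":
    parsed = parse_script(SAMPLE_SCRIPT.splitlines())
    for ap, feature, source in audit(parsed, GROUP_OF):
        print(f"{ap}: {feature} is enabled (inherited from: {source})")
```

An AP with no line of its own can still export client data through its group or the global view, which is why the audit reports the source of each effective setting.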

 

Specifying the location packet format

RF fingerprinting supports the following location packet formats:

·     CUPID-hybrid—An AP encapsulates only clients' MAC addresses and RSSIs in location packets.

·     General—This format is applicable to most scenarios. Most third-party location servers support only the general format.

·     Lightweight—An AP encapsulates location information for several clients in one lightweight location packet to save bandwidth. This format is applicable to traffic-sensitive scenarios.

Specifying the location packet format in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Specify the location packet format.

rfid-tracking fingerprint report-format { cupid-hybrid | general | light-weight }

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

 

Specifying the location packet format in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Specify the location packet format.

rfid-tracking fingerprint report-format { cupid-hybrid | general | light-weight }

By default, an AP uses the configuration in global configuration view.

 

Specifying the location packet format in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Specify the location packet format.

rfid-tracking fingerprint report-format { cupid-hybrid | general | light-weight }

By default, an AP sends location packets in general format.

 

Specifying the report mode for location packets

Both the AC (centralized report) and APs (local report) can report location packets to the location server. In centralized report mode, APs need to send location packets to the AC first.

Specifying the report mode for location packets in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Specify the report mode for location packets.

rfid-tracking fingerprint report-mode { central | local }

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

 

Specifying the report mode for location packets in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Specify the report mode for location packets.

rfid-tracking fingerprint report-mode { central | local }

By default, an AP uses the configuration in global configuration view.

 

Specifying the report mode for location packets in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Specify the report mode for location packets.

rfid-tracking fingerprint report-mode { central | local }

By default, the local report mode is used.

 

Configuring packet dilution

This feature takes effect only on MU clients.

If the dilution factor is 10 and the timeout timer is 5 seconds, the AP sends a location packet every time it receives 10 wireless packets, excluding management and broadcast packets, from an MU. If the AP does not receive 10 packets from an MU client before the timeout timer expires, it sends the most recent wireless packet to the location server.
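The following added example (not H3C code) replays a constructed frame trace through the dilution rule above, with a factor of 10 and a timeout of 5 seconds, to show when location packets are sent and which frame each one reports. The MAC addresses, the trace, and the timer start point (the first counted frame after an MU's previous location packet) are assumptions.

```python
"""Packet dilution as described above, replayed over a constructed frame trace."""

EXCLUDED = {"management", "broadcast"}  # frame kinds that dilution does not count


def dilute(frames, factor, timeout_ms):
    """Return the location packets an AP would send for `frames`.

    frames: iterable of (time_ms, mu_mac, kind), in time order.
    Result: sorted list of (send_time_ms, mu_mac, reported_frame_time_ms, reason).
    Assumption (not stated on the page): the timeout timer for an MU starts at
    the first counted frame after that MU's previous location packet.
    """
    state = {}    # mu_mac -> [counted frames, timer start, time of newest frame]
    reports = []

    def expire(now):
        # Flush every MU whose timer ran out: report its most recent frame.
        for mac, (_count, start, newest) in list(state.items()):
            if now - start >= timeout_ms:
                reports.append((start + timeout_ms, mac, newest, "timeout"))
                del state[mac]

    for t, mac, kind in frames:
        expire(t)
        if kind in EXCLUDED:
            continue                      # not counted, does not become "most recent"
        entry = state.setdefault(mac, [0, t, t])
        entry[0] += 1
        entry[2] = t
        if entry[0] == factor:            # every factor-th frame triggers a report
            reports.append((t, mac, t, "factor"))
            del state[mac]
    expire(float("inf"))                  # trace ended: let remaining timers fire
    return sorted(reports)


# Constructed sample input (locally administered MAC addresses).
MU_A, MU_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"


def sample_trace():
    frames = [(t, MU_A, "data") for t in range(0, 1000, 100)]       # 10 frames
    frames += [(t, MU_B, "data") for t in (1000, 2000, 3000)]       # 3 frames, then silence
    frames += [(1500, MU_A, "management"), (3500, MU_B, "broadcast")]
    frames += [(t, MU_A, "data") for t in range(7000, 8200, 100)]   # 12 frames
    return sorted(frames)


if __name__ == "__main__":
    trace = sample_trace()
    sent = dilute(trace, factor=10, timeout_ms=5000)
    for send_time, mac, frame_time, reason in sent:
        print(f"t={send_time:>5} ms  {mac}  reports frame@{frame_time} ms  ({reason})")
    print(f"{len(trace)} frames received, {len(sent)} location packets sent")
```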

Configuring packet dilution in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enable packet dilution.

rfid-tracking dilution enable

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

4.     Set the dilution factor and dilution timeout timer.

rfid-tracking dilution factor factor timeout timeout

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

 

Configuring packet dilution in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enable packet dilution.

rfid-tracking dilution enable

By default, an AP uses the configuration in global configuration view.

4.     Set the dilution factor and dilution timeout timer.

rfid-tracking dilution factor factor timeout timeout

By default, an AP uses the configuration in global configuration view.

 

Configuring packet dilution in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Enable packet dilution.

rfid-tracking dilution enable

By default, packet dilution is disabled.

4.     Set the dilution factor and dilution timeout timer.

rfid-tracking dilution factor factor timeout timeout

By default, the dilution factor and dilution timeout timer are not configured.

 

Enabling ignoring beacon frames

This feature stops an AP from reporting the location information in beacon frames to the location server, which prevents traffic floods caused by location packets.

Enabling ignoring beacon frames in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enable the AP to ignore beacon frames.

rfid-tracking ignore beacon enable

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

 

Enabling ignoring beacon frames in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enable APs in the AP group to ignore beacon frames.

rfid-tracking ignore beacon enable

By default, an AP uses the configuration in global configuration view.

 

Enabling ignoring beacon frames in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Enable APs to ignore beacon frames.

rfid-tracking ignore beacon enable

By default, beacon frames are not ignored.

 

Enabling ignoring AP frames

AP frames are frames that an AP receives from other APs. Configure this feature if you do not need to locate or monitor APs.

Enabling ignoring AP frames in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enable the AP to ignore AP frames.

rfid-tracking ignore ap-frame enable

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

 

Enabling ignoring AP frames in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enable APs in the AP group to ignore AP frames.

rfid-tracking ignore ap-frame enable

By default, an AP uses the configuration in global configuration view.

 

Enabling ignoring AP frames in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Enable APs to ignore AP frames.

rfid-tracking ignore ap-frame enable

By default, AP frames are not ignored.

 

Configuring RSSI-based packet filtering

When RSSI-based packet filtering is enabled, an AP does not report location information in packets with an RSSI lower than the RSSI threshold. This feature prevents an AP from locating clients that are far away from it.

Configuring RSSI-based packet filtering in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enable RSSI-based packet filtering.

rfid-tracking rssi enable

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

4.     Set the RSSI threshold.

rfid-tracking rssi threshold rssi-threshold

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

 

Configuring RSSI-based packet filtering in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enable RSSI-based packet filtering.

rfid-tracking rssi enable

By default, an AP uses the configuration in global configuration view.

4.     Set the RSSI threshold.

rfid-tracking rssi threshold rssi-threshold

By default, an AP uses the configuration in global configuration view.

 

Configuring RSSI-based packet filtering in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Enable RSSI-based packet filtering.

rfid-tracking rssi enable

By default, RSSI-based packet filtering is disabled.

4.     Set the RSSI threshold.

rfid-tracking rssi threshold rssi-threshold

By default, the RSSI threshold is 5 (–123 dBm).

 

Configuring client packet rate limiting

If packet dilution is enabled, this feature limits the rate for diluted packets.

With this feature, an AP does not report location information from excessive client packets when both the CIR and CBS are exceeded. This practice ensures that the location information for each client can be sent to the location server and prevents client packets from flooding the AP.

Configuring client packet rate limiting in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enable client packet rate limiting.

rfid-tracking client rate-limit enable

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

4.     Set the CIR and CBS for client packets.

rfid-tracking client rate-limit cir cir [ cbs cbs ]

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

 

Configuring client packet rate limiting in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enable client packet rate limiting.

rfid-tracking client rate-limit enable

By default, an AP uses the configuration in global configuration view.

4.     Set the CIR and CBS for client packets.

rfid-tracking client rate-limit cir cir [ cbs cbs ]

By default, an AP uses the configuration in global configuration view.

 

Configuring client packet rate limiting in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Enable client packet rate limiting.

rfid-tracking client rate-limit enable

By default, client packet rate limiting is disabled.

4.     Set the CIR and CBS for client packets.

rfid-tracking client rate-limit cir cir [ cbs cbs ]

By default, the CIR and CBS for client packets are 0.

 

Configuring location packet rate limiting

This feature enables an AP to discard excessive location packets when both the CIR and CBS are exceeded. This practice prevents location packets from flooding the location server.

Configuring location packet rate limiting in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enable location packet rate limiting.

rfid-tracking rate-limit enable

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

4.     Set the CIR and CBS for location packets.

rfid-tracking rate-limit cir cir [ cbs cbs ]

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

 

Configuring location packet rate limiting in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enable location packet rate limiting.

rfid-tracking rate-limit enable

By default, an AP uses the configuration in global configuration view.

4.     Set the CIR and CBS for location packets.

rfid-tracking rate-limit cir cir [ cbs cbs ]

By default, an AP uses the configuration in global configuration view.

 

Configuring location packet rate limiting in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Enable location packet rate limiting.

rfid-tracking rate-limit enable

By default, location packet rate limiting is disabled.

4.     Set the CIR and CBS for location packets.

rfid-tracking rate-limit cir cir [ cbs cbs ]

By default, the CIR and CBS for location packets are 0.

 

Configuring wireless location keepalive

This feature enables an AP to send Hello packets to the location server at an interval of 15 seconds. If the location server does not receive any packets from an AP within 30 seconds, the location server determines that the AP is offline.

Disable this feature to avoid bandwidth waste if the location server cannot process Hello packets.

Configuring wireless location keepalive in AP view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Configure wireless location keepalive.

rfid-tracking keepalive { disable | enable }

By default, an AP uses the configuration in AP group view. If no setting is configured in AP group view, the AP uses the configuration in global configuration view.

 

Configuring wireless location keepalive in AP group view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Configure wireless location keepalive.

rfid-tracking keepalive { disable | enable }

By default, an AP uses the configuration in global configuration view.

 

Configuring wireless location keepalive in global configuration view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter global configuration view.

wlan global-configuration

N/A

3.     Configure wireless location keepalive.

rfid-tracking keepalive { disable | enable }

By default, wireless location keepalive is disabled.

 

Enabling SNMP notifications for wireless location

Perform this task for the device to report critical wireless location events to an NMS. For wireless location notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

To enable SNMP notifications for wireless location:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable SNMP notifications for wireless location.

snmp-agent trap enable wlan location-aware

By default, SNMP notifications for wireless location are disabled.

 

Displaying and maintaining wireless location

Execute display commands in any view.

 

Task

Command

Display radio information for WLAN location.

display wlan rfid-tracking radio [ ap apname ]

 

Wireless location configuration example

Network requirements

As shown in Figure 93, configure RF fingerprinting for AP 1, AP 2, and AP 3 to locate the MUs.

Figure 93 Network diagram

 

Configuration procedure

1.     Configure AP 1:

# Create manual AP ap1, and specify the AP model and serial ID.

<AC> system-view

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

# Enable RF fingerprinting.

[AC-wlan-ap-ap1] rfid-tracking fingerprint enable

# Specify an IPv4 address and a port number for the location server.

[AC-wlan-ap-ap1] rfid-tracking fingerprint engine-address 192.168.10.10 engine-port 1145

# Specify a port to listen for messages from the location server.

[AC-wlan-ap-ap1] rfid-tracking fingerprint vendor-port 3000

# Enable radio-based location.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] rfid-tracking radio enable

# Specify the type of devices to locate as MU.

[AC-wlan-ap-ap1-radio-1] rfid-tracking mode mu

# Enable radio 1 of AP 1.

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

[AC] quit

2.     Configure AP 2 and AP 3 in the same way AP 1 is configured.

Verifying the configuration

# Verify that RF fingerprinting is enabled and the type of devices to locate is MU for each AP.

<AC> display wlan rfid-tracking radio

                                 Wireless Locating

--------------------------------------------------------------------------------

 AP                                 Radio   Type                               

--------------------------------------------------------------------------------

 ap1                                1       MU                                  

 ap2                                1       MU                                  

 ap3                                1       MU                                  

--------------------------------------------------------------------------------

# Verify that you can view location information for the MUs by maps, forms, or reports provided by the graphics software. (Details not shown.)

 


Configuring Hotspot 2.0

Overview

Hotspot 2.0, developed by Wi-Fi Alliance, provides automatic network discovery, automated authentication, and seamless roaming for wireless clients.

Hotspot 2.0 has two versions. Version 2 is fully compatible with version 1.

Hotspot 2.0 operating mechanism

Hotspot 2.0 operates as follows:

1.     A client performs wireless scanning to discover Hotspot 2.0 networks.

2.     The client exchanges Generic Advertisement Service (GAS) frames with APs to get Hotspot 2.0 information and select an optimal BSS.

3.     The client performs online signup. This step is required only for version 2 of Hotspot 2.0.

Scanning

Active scanning

A wireless client periodically scans surrounding wireless networks by sending probe requests. It obtains network information from probe responses.

As shown in Figure 94, the client periodically sends a probe request on each of its supported channels to scan wireless networks. APs that receive the probe request send a probe response that carries the available wireless network information.

Figure 94 Active scanning

 

Passive scanning

As shown in Figure 95, the clients periodically listen for beacon frames sent by APs on their supported channels to get information about surrounding wireless networks. Passive scanning is used when clients want to save power.

Figure 95 Passive scanning

 

GAS frame exchange

After discovering Hotspot 2.0 networks by active or passive scanning, a client exchanges GAS frames with APs to get APs' Hotspot 2.0 information. Based on the obtained Hotspot 2.0 information and local configuration, the client selects an optimal BSS.

As shown in Figure 96, a client exchanges GAS frames with an AP by using the following process:

1.     The client sends a GAS initial request.

2.     Upon receiving the request, the AP encapsulates Hotspot 2.0 information in a GAS initial response and examines the length of the response.

○     If the length does not exceed the limit, the AP sends the GAS initial response to the client. The GAS frame exchange is complete and the client can send an authentication request.

○     If the length exceeds the limit, the AP fragments the response and sends the first fragment in a GAS initial response to the client. The response notifies the client to request Hotspot 2.0 information after a comeback delay.

3.     The client sends a GAS comeback request to the AP after a comeback delay.

4.     The AP sends a GAS comeback response that carries the second fragment to the client.

5.     If the length of the response exceeds the limit, the client and the AP repeat steps 3 and 4 until all fragments are sent to the client.

Figure 96 GAS frame exchange
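The exchange above, with both the AP and the client side, as an added example that is not H3C code. The length limit of 256 bytes, the sample Hotspot 2.0 information, and the client address are constructed; the dialog token used to match a comeback request to its query is a field of IEEE 802.11 GAS frames that this page does not mention.

```python
"""GAS frame exchange with fragmentation, AP and client sides (added example)."""


class AccessPoint:
    def __init__(self, hotspot_info, max_len, comeback_delay_tu):
        self.info = hotspot_info
        self.max_len = max_len          # response length limit (constructed value)
        self.delay = comeback_delay_tu
        self.pending = {}               # (client, dialog token) -> fragments left

    def initial_request(self, client, token):
        """Step 2: answer in one frame if it fits, otherwise send fragment 1."""
        frags = [self.info[i:i + self.max_len]
                 for i in range(0, len(self.info), self.max_len)] or [b""]
        rest = frags[1:]
        if rest:
            self.pending[(client, token)] = rest
        return {"frame": "GAS initial response", "token": token, "data": frags[0],
                "more": bool(rest), "comeback_delay_tu": self.delay if rest else 0}

    def comeback_request(self, client, token):
        """Step 4: hand out the next fragment of an outstanding query."""
        rest = self.pending.get((client, token))
        if rest is None:                # no outstanding query: return nothing
            return {"frame": "GAS comeback response", "token": token,
                    "data": b"", "more": False, "ok": False}
        data = rest.pop(0)
        if not rest:
            del self.pending[(client, token)]   # last fragment sent: free the state
        return {"frame": "GAS comeback response", "token": token,
                "data": data, "more": bool(rest), "ok": True}


def fetch_hotspot_info(ap, client, token):
    """Client side. Returns (reassembled info, frame log, TUs spent waiting)."""
    log, waited_tu = ["GAS initial request"], 0
    resp = ap.initial_request(client, token)
    log.append(resp["frame"])
    info, delay = resp["data"], resp["comeback_delay_tu"]
    while resp["more"]:
        waited_tu += delay              # honour the comeback delay before asking
        log.append("GAS comeback request")
        resp = ap.comeback_request(client, token)
        log.append(resp["frame"])
        if not resp["ok"]:
            raise RuntimeError("AP has no outstanding query for this token")
        info += resp["data"]
    return info, log, waited_tu


# Constructed sample: 700 bytes of Hotspot 2.0 information, 256-byte limit.
SAMPLE_INFO = (bytes(range(256)) * 3)[:700]
CLIENT = "02:00:00:00:00:0c"

if __name__ == "__main__":
    ap = AccessPoint(SAMPLE_INFO, max_len=256, comeback_delay_tu=1)
    info, log, waited = fetch_hotspot_info(ap, CLIENT, token=7)
    print("\n".join(log))
    print(f"{len(info)} bytes reassembled after waiting {waited} TU")
```

The AP keeps per-client state only while fragments are outstanding and drops it with the last fragment, so the amount of state it holds is bounded by the number of unfinished queries.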

 

Online signup

After GAS frame exchange, a client connects to the Online Sign Up (OSU) server through the OSU AP to sign up online. A signed-up client gets a credential and can automatically access a Hotspot 2.0 network without being re-authenticated. A client can associate with an OSU AP by using the following methods:

·     Open OSU—No authentication.

·     OSEN OSU—Layer 2 authentication.

As shown in Figure 97, online signup operates as follows:

1.     The client obtains the OSU server list from the AP by exchanging GAS frames with the AP and selects an OSU server.

2.     The client associates with the OSU AP through open OSU or OSEN OSU.

3.     The OSU server sends a credential and authentication information to the client or updates the expired credential for the client.

4.     Using the newly provisioned credential, the client disassociates from the OSU AP and associates with the AP that provides Hotspot 2.0 services.

Figure 97 Online signup

 

Protocols and standards

·     IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment 9: Interworking with External Networks

·     Wi-Fi Alliance Technical Committee Hotspot 2.0 Technical Task Group Hotspot 2.0 (Release 2) Technical Specification Version 3.04

Configuration task list

Tasks at a glance

Remarks

(Required.) Configuring a Hotspot 2.0 policy

N/A

(Optional.) Configuring 3GPP information

N/A

(Optional.) Setting an HESSID

Required for version 2 of Hotspot 2.0.

(Optional.) Setting the access network type

N/A

(Optional.) Specifying a network authentication type

N/A

(Optional.) Setting the domain name

Required for version 2 of Hotspot 2.0.

(Optional.) Specifying an OI

Required for version 2 of Hotspot 2.0.

(Optional.) Configuring IP address availability

N/A

(Optional.) Specifying an authentication type for an NAI realm

N/A

(Optional.) Setting service provider information

N/A

(Optional.) Setting the port status for an IP protocol

N/A

(Optional.) Setting WAN link status parameters

N/A

(Optional.) Disabling the DGAF feature

N/A

(Optional.) Managing GAS frames

N/A

(Optional.) Configuring AP venue information

N/A

(Required.) Configuring an OSU server

Required only for version 2 of Hotspot 2.0.

(Required.) Setting an SSID for online signup services

Required only for version 2 of Hotspot 2.0.

(Required.) Managing OSU server icons

Required only for version 2 of Hotspot 2.0.

(Required.) Binding an OSU server to a Hotspot 2.0 policy

Required only for version 2 of Hotspot 2.0.

 

Configuring a Hotspot 2.0 policy

A Hotspot 2.0 policy defines a set of Hotspot 2.0 parameters.

To configure a Hotspot 2.0 policy:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a Hotspot 2.0 policy and enter its view.

wlan hotspot-policy policy-number

By default, no Hotspot 2.0 policy exists.

3.     Specify a name for the Hotspot 2.0 policy.

policy-name name

By default, no name is specified for a Hotspot 2.0 policy.

 

Configuring 3GPP information

The 3rd Generation Partnership Project (3GPP) information contains a country code and a network code. The country code identifies a country, and the network code identifies a service provider in the country.

To configure 3GPP information:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Configure 3GPP information.

3gpp-info country-code mobile-country-code network-code mobile-network-code

By default, no country code and network code are configured.

 

Setting an HESSID

A homogeneous ESS identifier (HESSID) and the SSID for the extended service set (ESS) together uniquely identify a WLAN. Set the HESSID to the same value as a BSSID in the ESS.

To set an HESSID:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Set an HESSID.

hessid hessid

By default, no HESSID is set.

 

Setting the access network type

You can set the following access network types:

·     0—Private network.

·     1—Private network with guest access.

·     2—Chargeable public network.

·     3—Free public network.

·     4—Personal device network.

·     5—Emergency services only network.

·     14—Test or experimental.

·     15—Wildcard.

To set the access network type:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Set the access network type.

network-type network-type [ access-internet ]

By default, no access network type is set.

 

Specifying a network authentication type

You can specify the following network authentication types:

·     0—Acceptance of terms and conditions.

·     1—On-line enrollment.

·     2—HTTP/HTTPS redirection.

·     3—DNS redirection.

To specify a network authentication type:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Specify a network authentication type.

authentication-type { 0 [ redirect-url redirect-url ] | 1 | 2 redirect-url redirect-url | 3 }

By default, no network authentication type is specified.

 

Setting the domain name

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Set the domain name.

domain-name domain-name

By default, the domain name is not set.

 

Specifying an OI

An organization identifier (OI) identifies a roaming consortium. If a client has the certificate for a roaming consortium, the client can roam to all wireless services provided by the roaming consortium.

To specify an OI:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Specify an OI.

roam-oi oi [ in-beacon ]

By default, no OI is specified.

 

Configuring IP address availability

Perform this task to configure IP address availability. IP address availability specifies the version and type of IP addresses that an AP assigns to associated clients.

·     IPv4 address availability.

○     0—Address type not available.

○     1—Public IPv4 address available.

○     2—Port-restricted IPv4 address available.

○     3—Single NATed private IPv4 address available.

○     4—Double NATed private IPv4 address available.

○     5—Port-restricted IPv4 address and single NATed IPv4 address available.

○     6—Port-restricted IPv4 address and double NATed IPv4 address available.

○     7—Availability of the address type is not known.

·     IPv6 address availability.

○     0—Address type not available.

○     1—Address type available.

○     2—Availability of the address type not known.

To configure IP address availability:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Configure IP address availability.

ip-type ipv4 ipv4-type ipv6 ipv6-type

By default, the availability is 1 for an IPv4 address and 2 for an IPv6 address.

 

Specifying an authentication type for an NAI realm

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Create an NAI realm and specify an authentication type for the NAI realm.

nai-realm realm-name eap-method eap-method-id auth-method auth-method-id authentication authentication

By default, no NAI realm is created.

 

Setting service provider information

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Set service provider information.

operator-name operator-name lang-code lang-code

By default, no service provider information is set.

 

Setting the port status for an IP protocol

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Set the port status for an IP protocol.

ip-protocol { esp | icmp | tcp | udp } port-number port-number { closed | open | unknown }

By default, no port status is set for an IP protocol.

 

Setting WAN link status parameters

This feature enables Hotspot 2.0 to advertise the uplink and downlink speeds of the WAN and its link status, such as closed, testing, and enabled.

To set WAN link status parameters:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Set WAN link status parameters.

wan-metrics { link-down | link-test | link-up } [ asymmetric downlink-speed downlink-speed uplink-speed uplink-speed | symmetric link-speed link-speed ]

By default, no WAN link status parameters are set.

 

Disabling the DGAF feature

The Downstream Group-Addressed Forwarding (DGAF) feature enables an AP to forward all downstream wireless broadcast ARP packets and wireless multicast packets. To prevent spoofing attacks that use downstream multicasts, you can disable the DGAF feature for the AP.

To avoid packet loss, enable proxy ARP and multicast optimization before disabling DGAF. For more information about proxy ARP, see Layer 3—IP Services Configuration Guide.

To disable the DGAF feature:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Disable the DGAF feature.

undo dgaf enable

By default, the DGAF feature is enabled.

Before disabling DGAF, make sure all service templates bound to the Hotspot 2.0 policy are disabled.

 

Managing GAS frames

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Set the comeback delay.

comeback-delay value

By default, the comeback delay is 1 TU (1024 milliseconds).

The comeback delay prevents clients from frequently sending GAS comeback requests.

4.     Set the maximum number of GAS initial requests that clients can send within the specified interval.

gas-limit number number interval interval

By default, the number of GAS initial requests that clients can send is not limited.

This command can ease the AC's burden.

 

Binding a Hotspot 2.0 policy to a service template

Before you bind a Hotspot 2.0 policy to a service template, make sure the following settings are configured for the service template:

·     802.1X authentication and key management mode.

·     RSN IE.

·     AES-CCMP cipher suite.

To bind a Hotspot 2.0 policy to a service template:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter service template view.

wlan service-template service-template-name

N/A

3.     Bind a Hotspot 2.0 policy to the service template.

hotspot-policy policy-number

By default, no Hotspot 2.0 policy is bound to a service template.
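The prerequisite check described above can be run against a saved AC configuration. The following Python script is an added example, not H3C code. It assumes the configuration text shows each view header at column 0 with its commands indented beneath it and views separated by "#"; the sample configuration, including the templates guest and lab, is constructed.

```python
import re

# Constructed sample in the assumed layout: view header at column 0,
# commands of that view indented, views separated by "#".
SAMPLE_CONFIG = """\
#
wlan hotspot-policy 1
 domain-name h3c.com
 hessid 1232-ff23-0123
#
wlan service-template service1
 ssid service
 hotspot-policy 1
 akm mode dot1x
 cipher-suite ccmp
 security-ie rsn
 client-security authentication-mode dot1x
 dot1x domain imc
 service-template enable
#
wlan service-template guest
 ssid guest
 hotspot-policy 1
 cipher-suite ccmp
 service-template enable
#
wlan service-template lab
 ssid lab
 hotspot-policy 7
 akm mode dot1x
 cipher-suite ccmp
 security-ie rsn
#
"""

# Settings the guide requires on a service template before a Hotspot 2.0
# policy is bound to it, using the commands shown in this guide.
PREREQUISITES = {
    "802.1X AKM mode": re.compile(r"^akm mode dot1x$"),
    "RSN IE": re.compile(r"^security-ie rsn$"),
    "AES-CCMP cipher suite": re.compile(r"^cipher-suite ccmp$"),
}


def parse_sections(text):
    """Return {view header: [commands]} for every column-0 view header."""
    sections = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            current = None          # separator ends the current view
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(stripped)
        else:
            current = stripped
            sections.setdefault(current, [])
    return sections


def audit_hotspot_bindings(text):
    """Return {template name: [problems]} for templates that bind a policy."""
    sections = parse_sections(text)
    policies = set()
    for header in sections:
        m = re.fullmatch(r"wlan hotspot-policy (\d+)", header)
        if m:
            policies.add(m.group(1))

    findings = {}
    for header, cmds in sections.items():
        m = re.fullmatch(r"wlan service-template (\S+)", header)
        if not m:
            continue
        bound = [c.split()[1] for c in cmds
                 if re.fullmatch(r"hotspot-policy \d+", c)]
        if not bound:
            continue                # template does not use Hotspot 2.0
        problems = [f"missing {name}"
                    for name, rx in PREREQUISITES.items()
                    if not any(rx.match(c) for c in cmds)]
        for number in bound:
            if number not in policies:
                problems.append(f"Hotspot 2.0 policy {number} is not defined")
        if problems:
            findings[m.group(1)] = problems
    return findings


if __name__ == "__main__":
    for template, problems in audit_hotspot_bindings(SAMPLE_CONFIG).items():
        print(f"{template}: {'; '.join(problems)}")
```
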

 

Configuring AP venue information

AP venue information indicates the location of APs and helps clients connect to an optimal AP.

To configure AP venue information:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Specify the venue group and venue type for the AP.

venue group venue-group-number type venue-type-number

By default, no venue group and venue type are specified for an AP.

4.     Set a venue name for the AP.

venue name venue-name lang-code lang-code

By default, no venue name is set for an AP.

 

Configuring an OSU server

This task is required only for version 2 of Hotspot 2.0.

To configure an OSU server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an OSU server and enter its view, or enter the view of an existing OSU server.

wlan osu-provider osu-provider-number

By default, no OSU server exists.

3.     Set a name for the OSU server.

friendly-name friendly-name lang-code lang-code

By default, no name is set for an OSU server.

4.     Specify the URI of the OSU server.

uri uri

By default, no URI is specified for an OSU server.

5.     Specify a protocol for clients to communicate with the OSU server.

method method-id

By default, no method is specified for clients to communicate with an OSU server.

6.     Specify an icon for the OSU server.

icon-file filename lang-code lang-code icon-type icon-type

By default, no icon is specified for an OSU server.

Before specifying an icon for an OSU server, make sure directory icon has been created by using the mkdir command in the root directory where the version files are saved. Then use FTP or TFTP to download icon files to the directory.

7.     (Optional.) Configure a description for the OSU server.

description description lang-code lang-code

By default, no description is configured for an OSU server.

8.     (Optional.) Configure a Network Access Identifier (NAI) for the OSU server.

nai nai

By default, no NAI is configured for an OSU server.

 

Setting an SSID for online signup services

This task is required only for version 2 of Hotspot 2.0.

Hotspot 2.0 provides different SSIDs for online signup services and wireless services.

Make sure the configured SSID for online signup services is the same as the SSID for the online signup service template.

To set an SSID for online signup services:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Set an SSID for online signup services.

osu-ssid ssid-name

By default, no SSID is set for online signup services.

 

Managing OSU server icons

This task is required only for version 2 of Hotspot 2.0.

Perform this task to load all icon files specified for an OSU server so that icon file changes take effect, or to unload the icon files to invalidate them.

To manage an OSU server icon:

 

Step

Command

1.     Enter system view.

system-view

2.     Manage OSU server icon files.

·     Load OSU server icon files:
wlan hotspot osu-icon upload

·     Unload OSU server icon files:
wlan hotspot osu-icon unload

 

Binding an OSU server to a Hotspot 2.0 policy

This task is required only for version 2 of Hotspot 2.0.

A Hotspot 2.0 policy can be bound to a maximum of 32 OSU servers.

Make sure all configuration required for an OSU server has been completed before binding the OSU server to a Hotspot 2.0 policy.

To bind an OSU server to a Hotspot 2.0 policy:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter Hotspot 2.0 policy view.

wlan hotspot-policy policy-number

N/A

3.     Bind an OSU server to the Hotspot 2.0 policy.

osu-provider osu-provider-number

By default, no OSU server is bound to a Hotspot 2.0 policy.

 

Displaying and maintaining Hotspot 2.0

Execute display commands in any view.

 

Task

Command

Display service template information.

display wlan service-template [ service-template-name ] [ verbose ]

Display all the loaded OSU server icon files.

display wlan hotspot uploaded-osu-icon

 

Hotspot 2.0 configuration examples

iPhone application

Network requirements

As shown in Figure 98, configure Hotspot 2.0 to enable the phone to switch from the cellular network to the wireless network.

Figure 98 Network diagram

 

Configuration restrictions and guidelines

Make sure you have installed certificates and created a user account on the RADIUS server, so that client authentication, authorization, and accounting can operate correctly.

For more information about AAA, see Security Configuration Guide.

Configuration procedures

Configuring the AC

1.     Configure a Hotspot 2.0 policy:

# Create the Hotspot 2.0 policy 1.

<AC> system-view

[AC] wlan hotspot-policy 1

# Configure EAP-TLS authentication.

[AC-wlan-hs-1] nai-realm h3c.com eap-method 6 auth-method 2 authentication 4

# Set the domain name to h3c.com.

[AC-wlan-hs-1] domain-name h3c.com

# Set the HESSID to 1232-ff23-0123.

[AC-wlan-hs-1] hessid 1232-ff23-0123

[AC-wlan-hs-1] quit

2.     Configure 802.1X authentication and the RADIUS scheme:

# Configure the 802.1X authentication method as EAP.

[AC] dot1x authentication-method eap

# Create RADIUS scheme imcc.

[AC] radius scheme imcc

# Set the IP address and the port number of the primary authentication server to 10.18.1.88 and 1812, respectively.

[AC-radius-imcc] primary authentication 10.18.1.88 1812

# Set the IP address and the port number of the primary accounting server to 10.18.1.88 and 1813, respectively.

[AC-radius-imcc] primary accounting 10.18.1.88 1813

# Set the shared key for the AC to exchange packets with the authentication and accounting servers to 12345678.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Configure the AC to remove the domain name in the username sent to the RADIUS servers.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

3.     Create the domain imc and configure the domain to use the RADIUS scheme imcc for authentication, authorization, and accounting.

[AC] domain imc

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

Configuring the AP

# Create the service template service1.

<AC> system-view

[AC] wlan service-template service1

# Set the SSID to service.

[AC-wlan-st-service1] ssid service

# Bind the Hotspot 2.0 policy 1 to the service template.

[AC-wlan-st-service1] hotspot-policy 1

# Enable the RSN IE in beacons and probe responses.

[AC-wlan-st-service1] security-ie rsn

# Enable the AES-CCMP cipher suite.

[AC-wlan-st-service1] cipher-suite ccmp

# Set the authentication and key management mode to 802.1X.

[AC-wlan-st-service1] akm mode dot1x

# Set the authentication mode for WLAN clients to 802.1X.

[AC-wlan-st-service1] client-security authentication-mode dot1x

# Specify the domain imc as the authentication domain.

[AC-wlan-st-service1] dot1x domain imc

# Enable the service template.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

# Create the AP ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

# Bind the service template service1 to radio 2 of the AP.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] service-template service1

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

Configuring the RADIUS server (IMCv7)

This example was created on IMC PLAT 7.1 and IMC UAM 7.1.

To configure the IMC server:

1.     Log in to the IMC platform.

2.     Click the User tab.

3.     Add an access device:

a.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

b.     On the access device configuration page, click Add.

c.     On the Add Access Device page, configure the following parameters:

-     Set the shared key to 12345678.

-     Select or manually add the device with the IP address 10.18.1.1 (IP address of the AC).

-     Use the default settings for other parameters.

d.     Click OK.

Figure 99 Adding an access device


 

4.     Add an access policy:

a.     From the navigation tree, select User Access Policy > Access Policy.

b.     On the access policy configuration page, click Add.

c.     On the Add Access Policy page, configure the following parameters:

-     Set the access policy name to 802.1X_policy.

-     Select EAP-PEAP Authentication from the Certificate Type list, and from the Certificate Sub-Type list, select the certificate sub-type, which must be the same as the authentication method for the client.

-     Use the default settings for other parameters.

Figure 100 Adding an access policy

 

5.     Add an access service:

a.     From the navigation tree, select User Access Policy > Access Service.

b.     On the access service configuration page, click Add.

c.     On the Add Access Service page, configure the service name as 802.1X_ser, and use the 802.1X policy you have created as the default access policy.

d.     Use the default settings for other parameters.

Figure 101 Adding an access service

 

6.     Add an access user:

a.     From the navigation tree, select Access User > All Access Users.

b.     On the access user configuration page, click Add.

c.     On the Add Access User page, click Add User.

d.     On the Add User window, configure the following parameters:

-     Set the username to admin.

-     Set the account name to admin.

-     Select the 802.1X user 802.1X_ser you have configured in the Access Service area.

Figure 102 Adding an access user

 

Configuring the phone

This example was created using an iPhone 5S.

To configure the phone:

1.     Install the Apple Configurator App on the MacBook Air and connect iPhone 5S to the laptop.

Figure 103 Apple Configurator App

 

2.     Open the Apple Configurator App and select Supervise from the top menu. Then click + under the Profiles list and select Create New Profile.

Figure 104 Creating a new profile

3.     Click General on the left navigation tree, and enter h3c.com in the Name field. Other parameters are optional.

Figure 105 General settings

 

4.     Click Wi-Fi on the left navigation tree and click Configure from the menu. Then select Passpoint from the Network Type list.

Figure 106 Enabling passpoint

 

5.     On the page that appears, perform the following tasks:

·     In the Accepted EAP Types area, select PEAP.

·     Enter admin and 12345678 in the Username area and Password area, respectively.

·     Select None from the Identity Certificate list.

·     Enter admin in the Outer Identity area.

Figure 107 Configuring EAP-PEAP authentication

 

·     Enter h3c.com in the Provider Display Name field and enter the domain name that you have configured in the hotspot policy on the AC.

Figure 108 Configuring the domain name

 

·     Leave Roaming Consortium OIs, NAI Realm Names, and MCC/MNC blank, or enter the values you have configured in the hotspot policy on the AC. Then click Save.

Figure 109 Configuring other options

 

6.     Click Prepare and then click Install Profiles on the Settings tab.

Figure 110 Installing profiles

 

7.     Click Next.

Figure 111 Installing profiles

 

8.     Select the profile h3c.com and click Next.

Figure 112 Selecting the created profile

 

9.     Click Install.

Figure 113 Installing the profile

 

After the installation is complete, the Apple Configurator page displays Install Succeeded and all configuration will be deployed to iPhone 5S. When the phone finds the service it needs, it automatically joins the WLAN.

Figure 114 Installation complete

 

Verifying the configuration

# Verify that the phone can automatically connect to the WLAN service.

[AC] display wlan client verbose

Total number of clients: 1                                                     

                                                                               

 MAC address                       : 6021-c05d-19e0                             

 IPv4 address                      : 105.0.0.5                                 

 IPv6 address                      : N/A                                       

 Username                          : dongxixi                                   

 AID                               : 1                                         

 AP ID                             : 2                                         

 AP name                           : ap1                                       

 Radio ID                          : 2                                         

 SSID                              : dongxixi                                  

 BSSID                             : 70f9-6dd7-cfd0                            

 VLAN ID                           : 1                                         

 Sleep count                       : 0                                         

 Wireless mode                     : 802.11gn                                  

 Channel bandwidth                 : 20MHz                                     

 SM power save                     : Enabled                                   

 SM power save mode                : Static                                    

 Short GI for 20MHz                : Supported                                 

 Short GI for 40MHz                : Not supported                             

 STBC RX capability                : Not supported                             

 STBC TX capability                : Not supported                             

 LDPC RX capability                : Not supported                             

 Block Ack                         : TID 0  In                                 

 Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7                    

 Supported rates                   : 1, 2, 5.5, 6, 9, 11,                      

                                     12, 18, 24, 36, 48, 54 Mbps               

 QoS mode                          : WMM                                       

 Listen interval                   : 10                                        

 RSSI                              : 49                                        

 Rx/Tx rate                        : 1/72.2 Mbps                                

 Authentication method             : Open system                               

 Security mode                     : RSN                                       

 AKM mode                          : 802.1X                                     

 Cipher suite                      : CCMP                                      

 User authentication mode          : 802.1X                                    

 Authorization ACL ID              : N/A                                        

 Authorization user profile        : N/A                                       

 Roam status                       : N/A                                       

 Key derivation                    : SHA1                                      

 PMF status                        : N/A                                       

 Forwarding policy name            : N/A                                       

 Online time                       : 0days 0hours 0minutes 36seconds           

 FT status                         : Inactive            

Samsung application

Network requirements

As shown in Figure 115, configure Hotspot 2.0 to enable the phone to switch from the cellular network to the wireless network.

Figure 115 Network diagram

 

Configuration restrictions and guidelines

When you configure Hotspot 2.0, follow these restrictions and guidelines:

·     Make sure you have installed certificates and created a user account on the RADIUS server, so that client authentication, authorization, and accounting can operate correctly.

·     Make sure you have configured 802.1X and installed the certificate on the phone.

·     For more information about AAA, see Security Configuration Guide.

Configuration procedures

Configuring the AC

1.     Configure the Hotspot 2.0 policy:

# Create the Hotspot 2.0 policy 1.

<AC> system-view

[AC] wlan hotspot-policy 1

# Configure EAP-TLS authentication.

[AC-wlan-hs-1] nai-realm abc.com eap-method 6 auth-method 2 authentication 4

# Set the domain name to domain.abc.com.

[AC-wlan-hs-1] domain-name domain.abc.com

# Set the HESSID to 1232-ff23-0123, the MAC address of the AP.

[AC-wlan-hs-1] hessid 1232-ff23-0123

[AC-wlan-hs-1] quit

2.     Configure 802.1X authentication and the RADIUS scheme:

# Configure the 802.1X authentication method as EAP.

[AC] dot1x authentication-method eap

# Create the RADIUS scheme imcc.

[AC] radius scheme imcc

# Set the IP address and the port number of the primary authentication server to 10.18.1.88 and 1812, respectively.

[AC-radius-imcc] primary authentication 10.18.1.88 1812

# Set the IP address and the port number of the primary accounting server to 10.18.1.88 and 1813, respectively.

[AC-radius-imcc] primary accounting 10.18.1.88 1813

# Set the shared key for the AC to exchange packets with the authentication and accounting servers to 12345678.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Configure the AC to remove the domain name in the username sent to the RADIUS servers.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

3.     Create the domain imc and configure the domain to use the RADIUS scheme imcc for authentication, authorization, and accounting.

[AC] domain imc

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

Configuring the AP

# Create the service template service1.

<AC> system-view

[AC] wlan service-template service1

# Set the SSID to service.

[AC-wlan-st-service1] ssid service

# Bind the Hotspot 2.0 policy 1 to the service template.

[AC-wlan-st-service1] hotspot-policy 1

# Enable the RSN IE in beacons and probe responses.

[AC-wlan-st-service1] security-ie rsn

# Enable the AES-CCMP cipher suite.

[AC-wlan-st-service1] cipher-suite ccmp

# Set the authentication and key management mode to 802.1X.

[AC-wlan-st-service1] akm mode dot1x

# Set the authentication mode for WLAN clients to 802.1X.

[AC-wlan-st-service1] client-security authentication-mode dot1x

# Specify the domain imc as the authentication domain.

[AC-wlan-st-service1] dot1x domain imc

# Enable the service template.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

# Create the AP ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

# Bind the service template service1 to radio 2 of the AP.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] service-template service1

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

Configuring the RADIUS server (IMCv7)

This example was created on IMC PLAT 7.1 and IMC UAM 7.1.

To configure the IMC server:

1.     Log in to the IMC platform.

2.     Click the User tab.

3.     Add an access device:

a.     From the navigation tree, select User Access Policy > Access Device Management > Access Device.

b.     On the access device configuration page, click Add.

c.     On the Add Access Device page, configure the following parameters:

-     Set the shared key to 12345678.

-     Select or manually add the device with the IP address 10.18.1.1 (IP address of the AC).

-     Use the default settings for other parameters.

d.     Click OK.

Figure 116 Adding an access device


 

4.     Add an access policy:

a.     From the navigation tree, select User Access Policy > Access Policy.

b.     On the access policy configuration page, click Add.

c.     On the Add Access Policy page, configure the following parameters:

-     Set the access policy name to 802.1X_policy.

-     Select EAP-PEAP Authentication from the Certificate Type list, and from the Certificate Sub-Type list, select the certificate sub-type, which must be the same as the authentication method for the client.

-     Use the default settings for other parameters.

Figure 117 Adding an access policy

 

5.     Add an access service:

a.     From the navigation tree, select User Access Policy > Access Service.

b.     On the access service configuration page, click Add.

c.     On the Add Access Service page, configure the service name as 802.1X_ser, and use the 802.1X policy you have created as the default access policy.

d.     Use the default settings for other parameters.

Figure 118 Adding an access service

 

6.     Add an access user:

a.     From the navigation tree, select Access User > All Access Users.

b.     On the access user configuration page, click Add.

c.     On the Add Access User page, click Add User.

d.     On the Add User window, configure the following parameters:

-     Set the username to admin.

-     Set the account name to admin.

-     Select the 802.1X user 802.1X_ser you have configured in the Access Service area.

Figure 119 Adding an access user

 

Configuring the phone

IMPORTANT:

·     Configure the same realm name and domain for both the phone and the Hotspot 2.0 policy on the AC.

·     Configure the same username and password for both the phone and the RADIUS server.

·     Configure the same authentication type for the phone, the Hotspot 2.0 policy on the AC, and the RADIUS server.

 

This example was created using Samsung S4.

To configure the phone:

1.     Use a text editor to edit the Hotspot 2.0 configuration file and save it with the name cred.conf on a PC or on the phone.

cred={

realm="abc.com"

username="admin"

password="12345678"

domain="domain.abc.com"

eap=PEAP

phase2="auth=MSCHAPV2"

}

2.     Save the configuration file in the root directory of the phone:

·     If you edit the configuration file on a PC, use either of the following methods to import the configuration file to the phone and save it in the root directory:

-     Connect the phone to a PC by using a USB cable, and save the file cred.conf in the phone.

-     Send an email to the phone with the file cred.conf attached and save the file in the phone.

·     If you edit the file on the phone by using a text editor, save it in the root directory of the phone.

3.     Turn on WLAN on the phone.

Figure 120 Turning on WLAN

 

4.     Click Advanced.

Figure 121 Configuring advanced WLAN settings

 

5.     On the Advanced page, enable Passpoint.

Figure 122 Enabling Passpoint

 

Verifying the configuration

# Verify that the phone can automatically connect to the WLAN service.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                        : 000f-e265-6400

IPv4 address                       : 10.1.1.114

IPv6 address                       : 2001::1234:5678:0102:0304

Username                           : admin

AP ID                              : 1

AP name                            : ap1

Radio ID                           : 1

SSID                               : service

BSSID                              : 0026-3e08-1150

VLAN ID                            : 1

Power save mode                    : Active

Wireless mode                      : 802.11gn

Channel bandwidth                  : 20MHz

SM power save                      : Disabled

Short GI for 20MHz                 : Not supported

Short GI for 40MHz                 : Supported

Support MCS set                    : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10

Block Ack (TID 0)                  : In

QoS mode                           : N/A

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11 Mbps

Authentication method              : Open system

Hotspot 2.0 configuration examples (for version 2)

Network requirements

As shown in Figure 123, configure Hotspot 2.0 to enable the phone to switch from the cellular network to the wireless network.

Figure 123 Network diagram

 

Configuration restrictions and guidelines

When you configure Hotspot 2.0, follow these restrictions and guidelines:

·     For more information about AAA, see Security Configuration Guide.

·     Before uploading the OSU server icon, make sure the icon file is in the root directory where the version files are saved. You can use FTP or TFTP to transmit the icon file.

Configuration procedures

1.     Configure the OSU server:

# Create OSU server 1.

<AC> system-view

[AC] wlan osu-provider 1

# Set the name for the OSU server to osu_test.

[AC-wlan-osu-1] friendly-name osu_test lang-code eng

# Specify a URI for the OSU server.

[AC-wlan-osu-1] uri https://192.168.1.23:8088/service

# Set the protocol for clients to communicate with the OSU server to SOAP-XML SPP.

[AC-wlan-osu-1] method 1

# Specify an icon for the OSU server.

[AC-wlan-osu-1] icon-file test.png lang-code eng icon-type png

# Configure a description for the OSU server.

[AC-wlan-osu-1] description "The OSU provider." lang-code eng

# Configure the NAI.

[AC-wlan-osu-1] nai example.com

[AC-wlan-osu-1] quit

2.     Configure a Hotspot 2.0 policy:

# Create Hotspot 2.0 policy 1.

[AC] wlan hotspot-policy 1

# Specify the authentication type for NAI realm example.com.

[AC-wlan-hs-1] nai-realm example.com eap-method 5 auth-method 2 authentication 4

# Set the access network type to Wildcard.

[AC-wlan-hs-1] network-type 15

# Set the OI to 80F62E and add the OI to beacons.

[AC-wlan-hs-1] roam-oi 80F62E in-beacon

# Set the domain name to domain.com.

[AC-wlan-hs-1] domain-name domain.com

# Set the availability to 1 for both IPv4 addresses and IPv6 addresses.

[AC-wlan-hs-1] ip-type ipv4 1 ipv6 1

# Set the SSID for online signup services to osu-ssid.

[AC-wlan-hs-1] osu-ssid osu-ssid

# Bind OSU server 1 to Hotspot 2.0 policy 1.

[AC-wlan-hs-1] osu-provider 1

[AC-wlan-hs-1] quit

# Upload the specified OSU server icons if a specified icon file changes.

[AC] wlan hotspot osu-icon upload

3.     Configure a service template for online signup services:

# Create service template osu.

[AC] wlan service-template osu

# Set the SSID to osu-ssid.

[AC-wlan-st-osu] ssid osu-ssid

# Enable the service template.

[AC-wlan-st-osu] service-template enable

[AC-wlan-st-osu] quit

4.     Configure 802.1X authentication and the RADIUS server:

# Configure the 802.1X authentication method as EAP.

[AC] dot1x authentication-method eap

# Create RADIUS scheme imcc.

[AC] radius scheme imcc

# Set the IP address and the port number of the primary authentication server to 192.168.1.23 and 1812, respectively.

[AC-radius-imcc] primary authentication 192.168.1.23 1812

# Set the IP address and the port number of the primary accounting server to 192.168.1.23 and 1813, respectively.

[AC-radius-imcc] primary accounting 192.168.1.23 1813

# Set the shared key for the AC to exchange packets with the authentication and accounting server to 12345678.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Configure the AC to remove the domain name in the username sent to the RADIUS servers.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

5.     Configure ISP domain:

# Create domain imc and configure the domain to use RADIUS scheme imcc for authentication, authorization, and accounting.

[AC] domain imc

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

6.     Configure a service template for wireless services:

# Create service template stname.

[AC] wlan service-template stname

# Set the SSID to service.

[AC-wlan-st-stname] ssid service

# Bind Hotspot 2.0 policy 1 to the service template.

[AC-wlan-st-stname] hotspot-policy 1

# Enable the RSN IE in beacons and probe responses.

[AC-wlan-st-stname] security-ie rsn

# Enable the AES-CCMP cipher suite.

[AC-wlan-st-stname] cipher-suite ccmp

# Set the authentication and key management mode to 802.1X.

[AC-wlan-st-stname] akm mode dot1x

# Set the authentication mode for WLAN clients to 802.1X.

[AC-wlan-st-stname] client-security authentication-mode dot1x

# Specify the domain imc as the authentication domain.

[AC-wlan-st-stname] dot1x domain imc

# Enable the service template.

[AC-wlan-st-stname] service-template enable

[AC-wlan-st-stname] quit

7.     Configure the AP:

# Create AP ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Set a venue name for the AP.

[AC-wlan-ap-ap1] venue name "H3C lab" lang-code eng

# Bind service templates stname and osu to radio 2 of the AP.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] service-template stname

[AC-wlan-ap-ap1-radio-2] service-template osu

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Verify that the OSU server icon has been loaded.

[AC] display wlan hotspot uploaded-osu-icon

Total number of icons: 1

Icon name                                                       Icon type

--------------------------------------------------------------------------------

test.png                                                        png

# Verify that the phone can automatically connect to the WLAN service.

[AC] display wlan client verbose

Total number of clients: 1

 

 MAC address                       : d022-bee8-a267

 IPv4 address                      : 192.168.1.52

 IPv6 address                      : N/A

 Username                          : abcd

 AID                               : 2

 AP ID                             : 1

 AP name                           : ap1

 Radio ID                          : 2

 SSID                              : service

 BSSID                             : 5866-ba74-e790

 VLAN ID                           : 1

 Sleep count                       : 37

 Wireless mode                     : 802.11gn

 Channel bandwidth                 : 20MHz

 SM power save                     : Disabled

 Short GI for 20MHz                : Supported

 Short GI for 40MHz                : Not supported

 STBC RX capability                : Supported

 STBC TX capability                : Not supported

 LDPC RX capability                : Not supported

 Block Ack                         : TID 0  Both

                                     TID 2  Out

 Supported HT MCS set              : 0, 1, 2, 3, 4, 5, 6, 7

 Supported rates                   : 1, 2, 5.5, 6, 9, 11,

                                     12, 18, 24, 36, 48, 54 Mbps

 QoS mode                          : WMM

 Listen interval                   : 10

 RSSI                              : 45

 Rx/Tx rate                        : 72.2/72.2 Mbps

 Authentication method             : Open system

 Security mode                     : RSN

 AKM mode                          : 802.1X

 Cipher suite                      : CCMP

 User authentication mode          : 802.1X

 Authorization ACL ID              : N/A

 Authorization user profile        : N/A

 Roam status                       : N/A

 Key derivation                    : SHA1

 PMF status                        : N/A

 Forwarding policy name            : N/A

 Online time                       : 0days 0hours 1minutes 29seconds

 FT status                         : Inactive


Configuring WLAN RRM

Overview

WLAN Radio Resource Management (RRM) provides an intelligent and scalable radio management solution. RRM enables the AC to monitor its associated radios and perform radio resource monitoring, dynamic frequency selection (DFS), and transmit power control (TPC). This allows a WLAN to adapt to environment changes and maintain the optimal radio resource condition.

Dynamic frequency selection

Two adjacent radios on the same channel might cause signal collision, and other radio sources such as radar signals and microwave ovens might interfere with the operation of radios. DFS can solve these problems.

With DFS, the AC selects an optimal channel for each radio in real time to avoid co-channel interference and interference from other radio sources.

The following factors will trigger DFS:

·     Error code rate—Physical layer error code rate and CRC error rate. CRC error rate shows the proportion of packets with CRC errors among all 802.11 packets.

·     Interference rate—Proportion of interference packets among all data packets. Interference packets are packets destined for other radios.

·     Retransmission count—Data retransmissions caused by failure to receive ACK messages.

·     Radar signal—Radar signals detected on the current channel. In this case, the AC selects a new channel and immediately notifies the radio to change its working channel.

The AC uses the following procedure to perform DFS for a radio:

1.     Detects the current channel and selects an optimal channel when the CRC error threshold, the interference threshold, or the system-defined retransmission threshold is reached on the current channel.

2.     Compares the quality between the current channel and the optimal channel. The radio does not use the optimal channel until the quality gap between the two channels exceeds the tolerance level.

Figure 124 shows a DFS example. When the quality of the channels for BSS 1, BSS 3, and BSS 5 reaches a DFS threshold, the AC selects an optimal channel for each of them. This ensures wireless service quality.

Figure 124 Dynamic frequency selection

 

Transmit power control

TPC enables the AC to dynamically control access point transmit power based on real-time WLAN conditions. It can achieve desired RF coverage while avoiding channel interference between radios.

The AC maintains a neighbor report for each radio on its associated APs to record information about other radios detected by this radio. The AC can manage only radios associated with the AC.

The AC uses the following procedure to perform TPC for a radio:

1.     Determines whether the number of manageable radios detected by this radio reaches the adjacency factor.

If the number does not reach the adjacency factor, the radio uses the maximum transmit power.

If the number reaches the adjacency factor, the AC goes to step 2.

2.     Ranks the radio's RSSIs stored in neighbor reports of other radios in descending order.

3.     Compares the RSSI specified by the adjacency factor with the power adjustment threshold and takes one of the following actions:

○     Decreases the radio's transmit power when the RSSI rises above the threshold.

○     Increases the radio's transmit power when the RSSI drops below the threshold.

As shown in Figure 125, each AP has only one radio enabled. Before AP 4 joins, the radios use the maximum transmit power because the number of manageable radios detected by each radio has not reached adjacency factor 3. After AP 4 joins, the AC uses TPC to adjust the transmit powers for all radios because the number of manageable radios detected by each radio has reached adjacency factor 3.

Figure 125 Transmit power control
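The three-step TPC decision above, replayed on the four-AP scenario of Figure 125, as an added example (not H3C code). The RSSI values, the radio names, the "foreign" radio, and the "hold" outcomes for cases the guide does not describe are assumptions; the adjacency factor 3 and threshold 65 are the defaults this guide gives.

```python
# Added illustration of the TPC procedure described in this guide; not H3C code.
ADJACENCY_FACTOR = 3   # default adjacency factor given in this guide
POWER_THRESHOLD = 65   # default power adjustment threshold given in this guide

# Constructed neighbor reports: REPORTS[r][n] is the RSSI at which radio r
# detects radio n. Top-level keys are radios associated with the AC
# (manageable). "foreign" has no report of its own because the AC does not
# manage it, so it must never count toward the adjacency factor.
REPORTS_AFTER_AP4 = {
    "ap1": {"ap2": 72, "ap3": 70, "ap4": 68, "foreign": 80},
    "ap2": {"ap1": 74, "ap3": 66, "ap4": 60},
    "ap3": {"ap1": 71, "ap2": 64, "ap4": 58},
    "ap4": {"ap1": 69, "ap2": 61, "ap3": 57},
}


def drop_radio(reports, name):
    """Return the reports as they would look without radio `name`."""
    return {r: {n: v for n, v in seen.items() if n != name}
            for r, seen in reports.items() if r != name}


def tpc_decision(radio, reports, adjacency_factor=ADJACENCY_FACTOR,
                 threshold=POWER_THRESHOLD):
    """Return (action, reference_rssi) for one radio."""
    managed = set(reports)

    # Step 1: count only manageable radios detected by this radio.
    detected = [n for n in reports[radio] if n in managed and n != radio]
    if len(detected) < adjacency_factor:
        return ("max-power", None)

    # Step 2: rank this radio's RSSIs as stored in the neighbor reports
    # of the other radios, in descending order.
    heard = sorted((seen[radio] for other, seen in reports.items()
                    if other != radio and radio in seen), reverse=True)
    if len(heard) < adjacency_factor:
        # Assumption: the guide does not cover asymmetric detection,
        # so this example leaves the power unchanged.
        return ("hold", None)

    # Step 3: compare the RSSI at the rank given by the adjacency factor
    # with the power adjustment threshold.
    reference = heard[adjacency_factor - 1]
    if reference > threshold:
        return ("decrease", reference)
    if reference < threshold:
        return ("increase", reference)
    return ("hold", reference)  # assumption: equal to threshold, no change


def tpc_plan(reports, **kwargs):
    """Decision for every manageable radio."""
    return {radio: tpc_decision(radio, reports, **kwargs) for radio in reports}


if __name__ == "__main__":
    print("before AP 4:", tpc_plan(drop_radio(REPORTS_AFTER_AP4, "ap4")))
    print("after AP 4: ", tpc_plan(REPORTS_AFTER_AP4))
```

Before AP 4 joins, ap1 detects three radios but only two are manageable, so it stays at maximum power; the unmanaged radio cannot push the count to the adjacency factor.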

 

Spectrum management

Spectrum management is 802.11h compliant. It is used on 5 GHz WLANs to ensure that clients meet the regulatory requirements for operation in the 5 GHz band. It enables an AP to notify its associated clients of the allowed maximum transmit power. The AP can deny the association request from a client if the power and channel of the client do not meet the regulatory requirements.

Configuration restrictions and guidelines

The priorities for the configuration in AP view, AP group view, and global configuration view are in descending order.

WLAN RRM configuration task list

Tasks at a glance

Configuring DFS:

·     (Optional.) Configuring DFS trigger parameters

·     (Required.) Choose one of the following tasks:

○     Configuring periodic auto-DFS

○     Configuring scheduled auto-DFS

○     Configuring on-demand DFS

·     (Optional.) Configuring an RRM holddown group

Configuring TPC:

·     (Optional.) Setting the TPC mode

·     (Optional.) Configuring TPC trigger parameters

·     (Optional.) Setting the minimum transmit power

·     (Required.) Choose either of the following tasks:

○     Configuring periodic auto-TPC

○     Configuring on-demand TPC

·     (Optional.) Configuring an RRM holddown group

Configuring spectrum management:

·     (Required.) Enabling spectrum management

·     (Optional.) Setting the power constraint mode

·     (Optional.) Setting the channel switch mode

·     (Optional.) Setting the transmit power capability match mode

·     (Optional.) Setting the channel capability match mode

(Optional.) Configuring a radio baseline

(Optional.) Enabling radio scanning

(Optional.) Enabling SNMP notifications for WLAN RRM

 

Configuring DFS

The AC supports the following DFS methods:

·     Periodic auto-DFS—The AC automatically performs DFS for a radio at the channel calibration interval.

·     Scheduled auto-DFS—The AC performs DFS at the specified time in a time range. Use this method when interference is severe to avoid affecting ongoing wireless services.

·     On-demand DFS—The AC waits for a channel calibration interval and then performs DFS for all radios. You must perform this task every time you want the AC to perform DFS for radios.

Configuration restrictions and guidelines

For DFS to work, configure the AC to automatically select a channel for a radio and not lock the channel by using the channel auto unlock command. For more information about the channel { channel-number | auto { lock | unlock } } command, see WLAN Command Reference.

Configuring DFS trigger parameters

IMPORTANT:

As a best practice for accurate channel adjustment, configure the same DFS trigger parameters for all radios enabled with DFS.

 

Configuring DFS trigger parameters in RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

Specify the AP model when you create an AP.

3.     Enter radio view.

radio radio-id

N/A

4.     Enter RRM view.

rrm

N/A

5.     Set the CRC error threshold.

crc-error-threshold percent

By default, the configuration in AP group RRM view is used.

6.     Set the interference threshold.

interference-threshold percent

By default, the configuration in AP group RRM view is used.

7.     Set the tolerance level.

tolerance-level percent

By default, the configuration in AP group RRM view is used.

 

Configuring DFS trigger parameters in AP group RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enter RRM view.

rrm

N/A

6.     Set the CRC error threshold.

crc-error-threshold percent

By default, the CRC error threshold is 20.

7.     Set the interference threshold.

interference-threshold percent

By default, the interference threshold is 50.

8.     Set the tolerance level.

tolerance-level percent

By default, the tolerance level is 20.

 

Configuring periodic auto-DFS

Configuring periodic auto-DFS in RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Set the channel calibration interval.

wlan rrm calibration-channel interval minutes

By default, the channel calibration interval is 8 minutes.

3.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enter RRM view.

rrm

N/A

6.     Enable auto-DFS.

calibrate-channel self-decisive enable

By default, the configuration in AP group RRM view is used.

7.     Set the auto-DFS mode to periodic.

calibrate-channel mode periodic

By default, the configuration in AP group RRM view is used.

 

Configuring periodic auto-DFS in AP group RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Set the channel calibration interval.

wlan rrm calibration-channel interval minutes

By default, the channel calibration interval is 8 minutes.

3.     Enter AP group view.

wlan ap-group group-name

N/A

4.     Enter AP model view.

ap-model ap-model

N/A

5.     Enter radio view.

radio radio-id

N/A

6.     Enter RRM view.

rrm

N/A

7.     Enable auto-DFS.

calibrate-channel self-decisive enable

By default, auto-DFS is disabled.

8.     Set the auto-DFS mode to periodic.

calibrate-channel mode periodic

By default, the auto-DFS mode is periodic.

 

Configuring scheduled auto-DFS

To configure scheduled auto-DFS, you must create a time range during which the AC collects statistics to generate channel reports and neighbor reports.

Configuring scheduled auto-DFS in RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a time range.

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

By default, no time range exists.

3.     Create a job and enter its view.

scheduler job job-name

By default, no job exists.

4.     Assign commands to the job.

command 1 system-view

command 2 wlan ap ap-name [ model model-name ]

command 3 radio radio-id

command 4 rrm

command 5 calibrate-channel pronto

By default, no command is assigned to a job.

5.     Return to system view.

quit

N/A

6.     Create a schedule and enter its view.

scheduler schedule schedule-name

By default, no schedule exists.

7.     Assign a job to the schedule.

job job-name

By default, no job is assigned to a schedule.

8.     Assign a user role to the schedule.

user-role role-name

By default, the user role of the schedule creator is assigned to the schedule.

9.     Specify an execution date and time for the schedule.

time at time date

Execute one of the three commands.

By default, no execution time is specified for a schedule.

10.     Specify one or more execution days and the execution time for the schedule.

time once at time [ month-date month-day | week-day week-day&<1-7> ]

11.     Specify the delay time for executing the schedule.

time once delay time

12.     Return to system view.

quit

N/A

13.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

14.     Enter radio view.

radio radio-id

N/A

15.     Enter RRM view.

rrm

N/A

16.     Enable auto-DFS.

calibrate-channel self-decisive enable

By default, the configuration in AP group RRM view is used.

17.     Set the auto-DFS mode to scheduled.

calibrate-channel mode scheduled

By default, the configuration in AP group RRM view is used.

18.     Specify a time range for channel monitoring.

calibrate-channel monitoring time-range time-range-name

By default, the configuration in AP group RRM view is used.

 

Configuring scheduled auto-DFS in AP group RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a time range.

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

By default, no time range exists.

3.     Create a job and enter its view.

scheduler job job-name

By default, no job exists.

4.     Assign commands to the job.

command 1 system-view

command 2 wlan ap-group group-name

command 3 ap-model ap-model

command 4 radio radio-id

command 5 rrm

command 6 calibrate-channel pronto

By default, no command is assigned to a job.

5.     Return to system view.

quit

N/A

6.     Create a schedule and enter its view.

scheduler schedule schedule-name

By default, no schedule exists.

7.     Assign a job to the schedule.

job job-name

By default, no job is assigned to a schedule.

8.     Assign a user role to the schedule.

user-role role-name

By default, the user role of the schedule creator is assigned to the schedule.

9.     Specify an execution date and time for the schedule.

time at time date

Execute one of the three commands.

By default, no execution time is specified for a schedule.

10.     Specify one or more execution days and the execution time for the schedule.

time once at time [ month-date month-day | week-day week-day&<1-7> ]

11.     Specify the delay time for executing the schedule.

time once delay time

12.     Return to system view.

quit

N/A

13.     Enter AP group view.

wlan ap-group group-name

N/A

14.     Enter AP model view.

ap-model ap-model

N/A

15.     Enter radio view.

radio radio-id

N/A

16.     Enter RRM view.

rrm

N/A

17.     Enable auto-DFS.

calibrate-channel self-decisive enable

By default, auto-DFS is disabled.

18.     Set the auto-DFS mode to scheduled.

calibrate-channel mode scheduled

By default, the auto-DFS mode is periodic.

19.     Specify a time range for channel monitoring.

calibrate-channel monitoring time-range time-range-name

By default, no time range is specified for channel monitoring.

 

Configuring on-demand DFS

IMPORTANT:

This feature consumes system resources. Use it with caution.

 

To configure on-demand DFS:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable on-demand DFS for radios of all APs.

wlan calibrate-channel pronto ap all

N/A

3.     (Optional.) Set the channel calibration interval.

wlan rrm calibration-channel interval minutes

By default, the channel calibration interval is 8 minutes.

 

Configuring an RRM holddown group

To prevent frequent channel adjustments from affecting wireless services, you can add radios to an RRM holddown group. Each time the channel of a radio in the RRM holddown group changes, the system starts a channel holddown timer for the radio. The channel for the radio does not change until the channel holddown timer expires.

If you execute on-demand DFS, the system performs DFS when the calibration interval expires regardless of whether the channel holddown timer expires.
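How the DFS triggers, the tolerance level, and the channel holddown timer combine into one channel-change decision, as an added example (not H3C code). The 0-100 channel quality score, the retransmission threshold value, and the sample statistics are assumptions; the CRC error threshold 20, interference threshold 50, tolerance level 20, and holddown time 720 are the defaults this guide gives. Radar detection is left out.

```python
# Added illustration of the DFS procedure described in this guide; not H3C code.
from dataclasses import dataclass


@dataclass
class DfsParams:
    crc_error_threshold: float = 20.0     # percent, default in this guide
    interference_threshold: float = 50.0  # percent, default in this guide
    tolerance_level: float = 20.0         # percent, default in this guide
    holddown_minutes: int = 720           # default channel holddown time
    # System-defined on the AC; the guide gives no value. Constructed here.
    retransmission_threshold: int = 100


@dataclass
class RadioState:
    channel: int
    crc_error_rate: float        # percent of 802.11 packets with CRC errors
    interference_rate: float     # percent of packets destined for other radios
    retransmissions: int
    quality: float               # assumed 0-100 score, higher is better
    in_holddown_group: bool = False
    minutes_since_channel_change: int = 0


def dfs_triggers(state, params):
    """Names of the thresholds reached on the current channel (step 1)."""
    hit = []
    if state.crc_error_rate >= params.crc_error_threshold:
        hit.append("crc-error")
    if state.interference_rate >= params.interference_threshold:
        hit.append("interference")
    if state.retransmissions >= params.retransmission_threshold:
        hit.append("retransmission")
    return hit


def dfs_decision(state, candidate_quality, params=None, on_demand=False):
    """Return (action, channel, reason).

    candidate_quality maps channel number -> assumed quality score.
    """
    params = params or DfsParams()
    hit = dfs_triggers(state, params)
    if not hit:
        return ("stay", state.channel, "no-trigger")

    # Holddown: a radio in an RRM holddown group keeps its channel until
    # the timer expires, unless on-demand DFS was executed.
    if (state.in_holddown_group and not on_demand
            and state.minutes_since_channel_change < params.holddown_minutes):
        return ("stay", state.channel, "holddown")

    if not candidate_quality:
        return ("stay", state.channel, "no-candidate")

    # Step 2: switch only if the quality gap exceeds the tolerance level.
    best = max(candidate_quality, key=candidate_quality.get)
    gap = candidate_quality[best] - state.quality
    if gap <= params.tolerance_level:
        return ("stay", state.channel, "within-tolerance")
    return ("switch", best, "+".join(hit))


if __name__ == "__main__":
    noisy = RadioState(149, crc_error_rate=25, interference_rate=30,
                       retransmissions=5, quality=55)
    print(dfs_decision(noisy, {153: 70}))
    print(dfs_decision(noisy, {153: 70, 157: 80}))
```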

To configure an RRM holddown group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an RRM holddown group and enter its view.

wlan rrm-calibration-group group-id

By default, no RRM holddown group exists.

3.     (Optional.) Set a description for the RRM holddown group.

description text

By default, no description is set for the RRM holddown group.

4.     Add a radio to the RRM holddown group.

ap ap-name radio radio-id

By default, no radio exists in the RRM holddown group.

5.     (Optional.) Set the channel holddown time.

channel holddown-time minutes

By default, the channel holddown time is 720 minutes.

 

Configuring TPC

The AC supports the following TPC methods:

·     Periodic auto-TPC—The AC automatically performs TPC for a radio at the power calibration interval.

·     On-demand TPC—The AC waits for a power calibration interval and then performs TPC for all radios. You must perform this task every time you want the AC to perform TPC for radios.

Configuration restrictions and guidelines

Make sure the power lock feature is disabled before configuring TPC. For more information about power lock, see "Configuring radio management."

Setting the TPC mode

The AC supports the density, coverage, and custom TPC modes. To avoid interference among APs, use the density mode. To increase signal coverage performance, use the coverage mode. If these two modes cannot meet your network requirements, use the custom mode to customize power adjustment settings.

In either density or coverage mode, power adjustment settings are defined by the system and cannot be changed.

Setting the TPC mode in RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Enter RRM view.

rrm

N/A

5.     Set the TPC mode.

calibrate-power mode { coverage | custom | density }

By default, the configuration in AP group RRM view is used.

 

Setting the TPC mode in AP group RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enter RRM view.

rrm

N/A

6.     Set the TPC mode.

calibrate-power mode { coverage | custom | density }

By default, the TPC mode is custom.

 

Configuring TPC trigger parameters

IMPORTANT:

As a best practice for accurate power adjustment, configure the same TPC trigger parameters for all radios enabled with TPC.

 

The adjacency factor and power adjustment threshold determine TPC for a radio. The adjacency factor defines the quantity of manageable detected radios that trigger TPC and the ranking of the RSSI used for comparison with the power adjustment threshold. Set an appropriate adjacency factor as needed.

Configuring TPC trigger parameters in RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Enter RRM view.

rrm

N/A

5.     Set the adjacency factor.

adjacency-factor neighbor

By default, the configuration in AP group RRM view is used.

6.     Set the power adjustment threshold.

calibrate-power threshold value

By default, the configuration in AP group RRM view is used.

 

Configuring TPC trigger parameters in AP group RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enter RRM view.

rrm

N/A

6.     Set the adjacency factor.

adjacency-factor neighbor

By default, the adjacency factor is 3.

7.     Set the power adjustment threshold.

calibrate-power threshold value

By default, the power adjustment threshold is 65 dBm.

 

Setting the minimum transmit power

This feature ensures that a radio can still be detected after TPC is performed.

Setting the minimum transmit power in RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Enter RRM view.

rrm

N/A

5.     Set the minimum transmit power.

calibrate-power min tx-power

By default, the configuration in AP group RRM view is used.

 

Setting the minimum transmit power in AP group RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enter RRM view.

rrm

N/A

6.     Set the minimum transmit power.

calibrate-power min tx-power

By default, the minimum transmit power is 1 dBm.

 

Configuring periodic auto-TPC

Configuring periodic auto-TPC in RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Set the power calibration interval.

wlan rrm calibration-power interval minutes

By default, the power calibration interval is 8 minutes.

3.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enter RRM view.

rrm

N/A

6.     Enable periodic auto-TPC.

calibrate-power self-decisive enable

By default, the configuration in AP group RRM view is used.

 

Configuring periodic auto-TPC in AP group RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Set the power calibration interval.

wlan rrm calibration-power interval minutes

By default, the power calibration interval is 8 minutes.

3.     Enter AP group view.

wlan ap-group group-name

N/A

4.     Enter AP model view.

ap-model ap-model

N/A

5.     Enter radio view.

radio radio-id

N/A

6.     Enter RRM view.

rrm

N/A

7.     Enable periodic auto-TPC.

calibrate-power self-decisive enable

By default, periodic auto-TPC is disabled.

 

Configuring on-demand TPC

IMPORTANT:

This feature consumes system resources. Use it with caution.

 

To configure on-demand TPC:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable on-demand TPC for radios of all APs.

wlan calibrate-power pronto ap all

N/A

3.     (Optional.) Set the power calibration interval.

wlan rrm calibration-power interval minutes

By default, the power calibration interval is 8 minutes.

 

Configuring an RRM holddown group

To prevent frequent power adjustments from affecting wireless services, you can add radios to an RRM holddown group. Each time the power of a radio in the RRM holddown group changes, the system starts a power holddown timer for the radio. The power for the radio does not change until the power holddown timer expires.

If you execute on-demand DFS, the system performs DFS when the calibration interval expires regardless of whether the power holddown timer expires.

To configure an RRM holddown group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an RRM holddown group and enter its view.

wlan rrm-calibration-group group-id

By default, no RRM holddown group exists.

3.     (Optional.) Set a description for the RRM holddown group.

description text

By default, no description is set for the RRM holddown group.

4.     Add a radio to the RRM holddown group.

ap ap-name radio radio-id

By default, no radio exists in the RRM holddown group.

5.     (Optional.) Set the power holddown time.

power holddown-time minutes

By default, the power holddown time is 60 minutes.

 

Configuring spectrum management

Enabling spectrum management

This feature is available only on 5 GHz radios.

Enabling spectrum management in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Enable spectrum management.

spectrum-management enable

By default, the configuration in AP group radio view is used.

 

Enabling spectrum management in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

N/A

3.     Specify an AP model.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enable spectrum management.

spectrum-management enable

By default, spectrum management is disabled.

 

Setting the power constraint mode

This feature is available only on 5 GHz radios.

This feature enables a radio to restrict the transmit power of its associated clients to avoid interference to other wireless devices. Upon receiving a beacon frame or probe response that contains the power constraint value from the radio, a client uses its new local maximum transmit power to transmit traffic. The new local maximum transmit power is the maximum transmit power level specified for the channel minus the power constraint value.

You can set the following power constraint modes for a radio:

·     Manual—You specify a power constraint value.

·     Auto—The radio automatically calculates the power constraint value.

Setting the power constraint mode in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Set the power constraint mode.

power-constraint mode { auto [ anpi-interval anpi-interval-value ] | manual power-constraint }

By default, the configuration in AP group radio view is used.

Power constraint takes effect only when you enable spectrum management or radio resource measurement. For more information about radio resource management, see "Configuring WLAN radio resource management."

 

Setting the power constraint mode in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

N/A

3.     Specify an AP model.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the power constraint mode.

power-constraint mode { auto [ anpi-interval anpi-interval-value ] | manual power-constraint }

By default, the power constraint mode is auto.

Power constraint takes effect only when you enable spectrum management or radio resource measurement. For more information about radio resource management, see "Configuring WLAN radio resource management."

 

Setting the channel switch mode

This feature enables a radio to send a channel switch announcement to the associated clients when the radio is changing to a new channel. The announcement contains the new channel number and information about whether the clients can continue sending frames.

Setting the channel switch mode in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Set the channel switch mode.

channel-switch mode { continuous | suspend }

By default, the configuration in AP group radio view is used.

 

Setting the channel switch mode in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

N/A

3.     Specify an AP model.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the channel switch mode.

channel-switch mode { continuous | suspend }

By default, the channel switch mode is suspend. Online clients stop sending frames during channel switch.

 

Setting the transmit power capability match mode

This feature allows clients to associate with a radio based on the predefined match criteria. Transmit power capability refers to the minimum and maximum powers with which a client and a radio can transmit frames in the current channel. The device supports the following client power capability match modes:

·     All—A client is allowed to associate with a radio only when each of its transmit power capabilities matches each of the radio's transmit power capabilities.

·     None—Client transmit power capabilities are not checked.

·     Partial—A client is allowed to associate with a radio as long as one of its transmit power capabilities matches any transmit power capabilities of the radio.

Setting the transmit power capability match mode in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Set the transmit power capability match mode.

power-capability mode { all | none | partial }

By default, the configuration in AP group radio view is used.

The transmit power capability match mode takes effect only when you enable spectrum management or radio resource measurement. For more information about radio resource management, see "Configuring WLAN radio resource management."

 

Setting the transmit power capability match mode in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

N/A

3.     Specify an AP model.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the power capability match mode.

power-capability mode { all | none | partial }

By default, client transmit power capabilities are not checked.

The transmit power capability match mode takes effect only when you enable spectrum management or radio resource measurement. For more information about radio resource management, see "Configuring WLAN radio resource management."

 

Setting the channel capability match mode

This feature is available only on 5 GHz radios.

This feature allows clients to associate with a radio based on the predefined match criteria. Channel capability refers to the channels a client and a radio each support. The device provides the following client channel capability match modes:

·     All—A client is allowed to associate with a radio only when each of its supported channels matches each of the radio's supported channels.

·     None—Client channel capabilities are not checked.

·     Partial—A client is allowed to associate with a radio as long as one of its supported channels matches any supported channels of the radio.

Setting the client channel capability match mode in radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Set the client channel capability match mode.

power-capability mode { all | none | partial }

By default, the configuration in AP group radio view is used.

 

Setting the client channel capability match mode in AP group radio view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an AP group and enter AP group view.

wlan ap-group group-name

N/A

3.     Specify an AP model.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Set the channel capability match mode.

power-capability mode { all | none | partial }

By default, client channel capabilities are not checked.

 

Configuring a radio baseline

A radio baseline saves the working channel, transmit rate, and other radio attributes for radios. You can create a radio baseline by saving the current radio settings and apply the baseline to use these settings as needed.

A radio baseline is saved in a .csv file in the file system on the AC.

A radio baseline cannot be applied to a radio when one of the following conditions is met:

·     The radio is down.

·     No service template is bound to the radio or the bound service template is disabled.

·     The channel in the baseline is illegal.

·     The radio uses a manually specified channel.

·     The working channel or the transmit power of the radio is locked.

·     The channel or power holddown timer for the radio has not expired.

·     The channel in the baseline does not match the specified channel gap.

·     The transmit power in the baseline is lower than the specified minimum transmit power for the radio.

·     The transmit power in the baseline is higher than the specified maximum transmit power for the radio.

·     The radio mode, location identifier, or bandwidth in the baseline does not match the radio mode, location identifier, or bandwidth of the radio.

To configure a radio baseline:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a radio baseline by saving the current radio settings.

wlan rrm baseline save name baseline-name { ap ap-name radio radio-id | ap-group group-name ap-model ap-model radio radio-id | global }

N/A

3.     Apply the baseline.

wlan rrm baseline apply name baseline-name

N/A

4.     (Optional.) Delete a radio baseline.

wlan rrm baseline remove name baseline-name

N/A

 

Enabling radio scanning

This feature enables APs to scan the WLAN environment and report collected statistics to the AC at the specified interval. The AC uses the statistics to generate channel reports and neighbor reports.

To view the channel reports and neighbor reports, use the display wlan rrm-status ap command.

If you have configured periodic auto-DFS, scheduled auto-DFS, or periodic auto-TPC, you do not need to enable this feature.

Enabling radio scanning in RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter radio view.

radio radio-id

N/A

4.     Enter RRM view.

rrm

N/A

5.     Enable radio scanning.

scan-only enable

By default, the configuration in AP group RRM view is used.

 

Enabling radio scanning in AP group RRM view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter radio view.

radio radio-id

N/A

5.     Enter RRM view.

rrm

N/A

6.     Enable radio scanning.

scan-only enable

By default, radio scanning is disabled.

 

Enabling SNMP notifications for WLAN RRM

To report critical WLAN RRM events to an NMS, enable SNMP notifications for WLAN RRM. For WLAN RRM event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

To enable SNMP notifications for WLAN RRM:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable SNMP notifications for WLAN RRM.

snmp-agent trap enable wlan rrm

By default, SNMP notifications are disabled for WLAN RRM.

 

Displaying and maintaining WLAN RRM

Execute display commands in any view.

 

Task

Command

Display radio baseline information.

display wlan rrm baseline { all | name baseline-name } [ verbose ]

Display the most recent application result of a radio baseline.

display wlan rrm baseline apply-result

Display the channel and power adjustment history.

display wlan rrm-history ap { all | name ap-name }

Display WLAN RRM information.

display wlan rrm-status ap { all | name ap-name }

Display RRM holddown group information.

display wlan rrm-calibration-group { all | group-id }

 

WLAN RRM configuration examples

Periodic auto-DFS configuration example

Network requirements

As shown in Figure 126, configure periodic auto-DFS to adjust channels for radios of the APs when a channel adjustment trigger condition is met. Add radio 1 of AP 1 to an RRM holddown group to avoid frequent channel adjustments.

Figure 126 Network diagram

 

Configuration procedure

# Establish a CAPWAP tunnel between the AC and each AP. For more information, see "Managing APs." (Details not shown.)

# Enable auto-DFS for AP ap1 and set the auto-DFS mode to periodic.

<AC> system-view

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] rrm

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel self-decisive enable

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel mode periodic

# Configure DFS trigger parameters.

[AC-wlan-ap-ap1-radio-1-rrm] crc-error-threshold 20

[AC-wlan-ap-ap1-radio-1-rrm] interference-threshold 50

[AC-wlan-ap-ap1-radio-1-rrm] tolerance-level 20

[AC-wlan-ap-ap1-radio-1-rrm] quit

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

# Create RRM holddown group 10.

[AC] wlan rrm-calibration-group 10

# Add radio 1 of AP ap1 to RRM holddown group 10.

[AC-wlan-rc-group-10] ap name ap1 radio 1

# Set the channel holddown time to 600 minutes.

[AC-wlan-rc-group-10] channel holddown-time 600

# Configure auto-DFS for AP 2 and AP 3 in the same way auto-DFS is configured for AP 1. (Details not shown.)

Verifying the configuration

# Execute the display wlan rrm-status ap all command. Verify that the working channels for radios of the APs change when a channel adjustment trigger condition is met and the calibration interval is reached. (Details not shown.)

# Use the display wlan rrm-history ap all command to view the channel adjustment reason. (Details not shown.)

# Verify that the channel for radio 1 on AP 1 remains unchanged within 600 minutes after the first DFS. (Details not shown.)

Scheduled auto-DFS configuration example

Network requirements

As shown in Figure 127, configure scheduled auto-DFS to adjust channels for radios of the APs when a channel adjustment trigger condition is met.

Figure 127 Network diagram

 

Configuration procedure

# Establish a CAPWAP tunnel between the AC and each AP. For more information, see "Managing APs." (Details not shown.)

# Create a time range.

<AC> system-view

[AC] time-range time1 from 15:20 2016/04/17 to 18:20 2016/04/17

# Create a job and assign commands to the job.

[AC] scheduler job calibratechannel

[AC-job-calibratechannel] command 1 system-view

[AC-job-calibratechannel] command 2 wlan ap ap1

[AC-job-calibratechannel] command 3 radio 1

[AC-job-calibratechannel] command 4 rrm

[AC-job-calibratechannel] command 5 calibrate-channel pronto

[AC-job-calibratechannel] quit

# Create a schedule and assign the job to the schedule.

[AC] scheduler schedule schedule1

[AC-schedule-schedule1] job calibratechannel

# Specify an execution date and time for the schedule.

[AC-schedule-schedule1] time at 20:20 2016/04/17

[AC-schedule-schedule1] quit

# Enable auto-DFS for AP ap1 and set the auto-DFS mode to scheduled.

[AC] wlan ap ap1

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] rrm

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel self-decisive enable

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel mode scheduled

# Configure AP ap1 to perform channel monitoring during time range time1.

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel monitoring time-range time1

# Configure auto-DFS attributes.

[AC-wlan-ap-ap1-radio-1-rrm] crc-error-threshold 10

[AC-wlan-ap-ap1-radio-1-rrm] interference-threshold 40

[AC-wlan-ap-ap1-radio-1-rrm] tolerance-level 15

[AC-wlan-ap-ap1-radio-1-rrm] quit

# Configure auto-DFS for AP 2 and AP 3 in the same way auto-DFS is configured for AP 1. (Details not shown.)

Verifying the configuration

# Execute the display wlan rrm-status ap all command. Verify that the working channels for radios of the APs change when a channel adjustment trigger condition is met and the calibration interval is reached. (Details not shown.)

# Use the display wlan rrm-history ap all command to view the channel adjustment reason. (Details not shown.)

Periodic auto-TPC configuration example

Network requirements

As shown in Figure 128, configure periodic auto-TPC and set the adjacency factor to 3 to enable the AC to perform periodic auto-TPC when AP 4 joins. Add radio 1 of AP 1 to an RRM holddown group to avoid frequent power adjustments.

Figure 128 Network diagram

 

Configuration procedure

# Establish a CAPWAP tunnel between the AC and each AP. For more information, see "Managing APs." (Details not shown.)

# Enable periodic auto-TPC for AP ap1.

<AC> system-view

[AC] wlan ap ap1 model WA536-WW

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] rrm

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-power self-decisive enable

# Configure TPC trigger parameters.

[AC-wlan-ap-ap1-radio-1-rrm] adjacency-factor 3

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-power threshold 80

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-power min 1

[AC-wlan-ap-ap1-radio-1-rrm] quit

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

# Create RRM holddown group 10.

[AC] wlan rrm-calibration-group 10

# Add radio 1 of AP ap1 to RRM holddown group 10.

[AC-wlan-rc-group-10] ap name ap1 radio 1

# Set the power holddown time to 100 minutes.

[AC-wlan-rc-group-10] power holddown-time 100

# Configure periodic auto-TPC for AP 2, AP 3, and AP 4 in the same way periodic auto-TPC is configured for AP 1. (Details not shown.)

Verifying the configuration

# Assume that the radio of AP 4 is the power-detecting radio. This step uses the name of an AP to refer to its radio. Use the display wlan rrm-status ap all command to verify the following information:

·     AP 1 increases its transmit power when AP 4 detects that the power of AP 1 is lower than the power adjustment threshold.

·     AP 1 decreases its transmit power when AP 4 detects that the power of AP 1 is higher than the power adjustment threshold.

·     The adjusted power of AP 1 is not lower than the minimum transmit power (1 dBm in this example).

# Verify that the power of radio 1 on AP 1 remains unchanged within 100 minutes after the first TPC.

Spectrum management configuration example

Network requirements

As shown in Figure 129, configure spectrum management to restrict the transmit power of the client and allow the client to continue sending frames during channel switch.

Figure 129 Network diagram

 

Configuration procedure

# Enable spectrum management.

<AC> system-view

[AC] wlan ap officeap model WA536-WW

[AC-wlan-ap-officeap] radio 1

[AC-wlan-ap-officeap-radio-1] spectrum-management enable

# Set the channel capability match mode to all.

[AC-wlan-ap-officeap-radio-1] channel-capability mode all

# Set the transmit power capability match mode to all.

[AC-wlan-ap-officeap-radio-1] power-capability mode all

# Set the power constraint mode to manual and set the power constraint value to 5 dBm.

[AC-wlan-ap-officeap-radio-1] power-constraint mode manual 5

# Set the channel switch mode to continuous.

[AC-wlan-ap-officeap-radio-1] channel-switch mode continuous

Verifying the configuration

# Execute the display wlan client command to verify that the client can successfully associate with the radio. (Details not shown.)


Configuring IoT APs

An Internet of Things (IoT) AP is an AP that can communicate with IoT modules installed on the AP or connected to the AP through network cables.

An IoT AP manages IoT modules and communicates with an IoT server on behalf of the modules. The modules connect things to the Internet for intelligent identification, locating, tracking, monitoring, and management of the things.

You can apply IoT APs in different fields of the IoT by connecting them to the following IoT modules:

·     RFID modules—Medical. For example, the IoT APs can provide the following medical services through identifying RFID devices:

○     Infant protection through identifying mother and infant tags.

○     Patients' body temperature monitoring through identifying temperature tags.

·     BLE modules—Managing iBeacon devices or acting as iBeacon devices. The iBeacon technology is an Apple-developed BLE technology. This technology enables an iBeacon device to broadcast a unique identifier to nearby application software. After receiving the identifier, the application software takes actions according to the identifier to fulfill software functions.

Feature and hardware compatibility

This feature is restricted to Hong Kong and Macao.

Support for IoT capability depends on the AP model.

Configuration task list

Tasks at a glance

(Required.) Specifying a serial number for a module

(Required.) Enabling a module

(Required.) Specifying the supported module type

(Optional.) Setting the transmit power level for a module

(Optional.) Upgrading the firmware of a module

(Optional.) Restoring the factory settings for a module

(Optional.) Restarting a module

(Optional.) Configuring iBeacon transmission for a BLE module

 

Specifying a serial number for a module

You must specify a serial number for a module when the module connects to an IoT AP through network cables. The module can come online on the AP only when the specified serial number is the same as the actual serial number of the module. A module installed on an IoT AP can come online directly, regardless of whether the configured serial number is the same as the module's serial number.

Configuration restrictions and guidelines

Deleting the serial number or specifying a different serial number than the actual serial number of an online module logs off the module if the module connects to an IoT AP through network cables.

Configuration procedure

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

The AP must be an IoT AP.

3.     Enter module view.

module module-id

N/A

4.     Specify a serial number for the module.

serial-number serial-number

By default, no serial number is specified for a module.

 

Enabling a module

Enabling a module for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

The AP must be an IoT AP.

3.     Enter module view.

module module-id

N/A

4.     Enable the module.

module enable

By default, an AP uses the configuration in AP group's module view.

 

Enabling a module for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

The AP model must represent an IoT AP.

4.     Enter module view.

module module-id

N/A

5.     Enable the module.

module enable

By default, a module is disabled.

 

Specifying the supported module type

For a module to operate correctly, make sure the specified module type is the same as the actual module type of the module.

The following module types are available:

·     BLE—H3C-developed modules that support the Bluetooth protocol.

·     IoT—IoT modules that are developed by third-party vendors.

Specifying the supported module type for an AP

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

The AP must be an IoT AP.

3.     Enter module view.

module module-id

N/A

4.     Specify the supported module type.

type { ble | iot }

By default, an AP uses the configuration in AP group's module view.

 

Specifying the supported module type for an AP group

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

The AP model must represent an IoT AP.

4.     Enter module view.

module module-id

N/A

5.     Specify the supported module type.

type { ble | iot }

By default, no supported module type is specified.

 

Setting the transmit power level for a module

A module has the following levels of transmit power:

·     Level 1 (4 dBm).

·     Level 2 (–1 dBm).

·     Level 3 (–5 dBm).

·     Level 4 (–9 dBm).

Setting the transmit power level for a module in module view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter module view.

module module-id

N/A

4.     Set the transmit power level for the module.

tx-power power

By default, a module uses the configuration in AP group's module view.

 

Setting the transmit power level for a module in AP group's module view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter module view.

module module-id

N/A

5.     Set the transmit power level for the module.

tx-power power

By default, the transmit power level is 1, which indicates a transmit power of 4 dBm.

 

Upgrading the firmware of a module

You can use either of the following methods to upgrade the firmware of a module:

·     Manual upgrade—Use the specified image file to manually upgrade the module's firmware.

·     Automatic upgrade—Configure the automatic firmware upgrade feature to enable the module to immediately upgrade its firmware if its firmware version is different from the version stored in the AP's image file. After you enable this feature for a module, this feature takes effect every time the connected IoT AP restarts.

If you want the module's firmware version to be consistent with the version stored in the AP's image file, use automatic upgrade. In other cases, use manual upgrade.

Configuring automatic module firmware upgrade

Configuring automatic module firmware upgrade in module view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter module view.

module module-id

N/A

4.     Configure automatic module firmware upgrade.

module firmware-upgrade { disable | enable }

By default, a module uses the configuration in AP group's module view.

 

Configuring automatic module firmware upgrade in AP group's module view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter module view.

module module-id

N/A

5.     Configure automatic module firmware upgrade.

module firmware-upgrade { disable | enable }

By default, automatic module firmware upgrade is disabled for a BLE module.

 

Manually upgrading the firmware of a module

When you perform a manual firmware upgrade for a module, follow these restrictions and guidelines:

·     Save the module's image file to the AC's local folder.

·     Make sure the automatic firmware upgrade feature is disabled for the module. Automatic firmware upgrade performs a version consistency check every time the connected IoT AP restarts and upgrades the module's firmware to the version stored in the AP's image file as necessary.

To manually upgrade the firmware of a module:

 

Step

Command

1.     Enter system view.

system-view

2.     Manually upgrade the firmware of a module.

wlan execute module firmware-upgrade { ap ap-name | ap-group group-name ap-model ap-model } module module-id firmware-path filepath

 

Restoring the factory settings for a module

Step

Command

1.     Enter system view.

system-view

2.     Restore the factory settings for a module.

wlan execute module restore-factory ap ap-name module module-id

 

Restarting a module

Step

Command

1.     Enter system view.

system-view

2.     Restart a module.

wlan execute module reset ap ap-name module module-id

 

Configuring iBeacon transmission for a BLE module

This feature enables a BLE module to periodically broadcast iBeacon advertisements. An iBeacon advertisement contains a UUID, a Major ID, a Minor ID, and measured power. Application software that receives the iBeacon advertisement will take specific actions according to the advertisement information to fulfill software functions.

Configuring iBeacon transmission for a BLE module in module view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.     Enter module view.

module module-id

N/A

4.     Configure iBeacon transmission for a BLE module.

rfid-tracking ble advertisement { disable | enable }

By default, a module uses the configuration in AP group's module view.

5.     Configure the advertisement information.

rfid-tracking ble advertisement { major-id major-id | measured-power | minor-id minor-id | uuid uuid }

By default, a module uses the configuration in AP group's module view.

6.     Set the interval for the BLE module to broadcast iBeacon advertisements.

rfid-tracking ble advertisement interval interval

By default, a module uses the configuration in AP group's module view.

 

Configuring iBeacon transmission for a BLE module in AP group's module view

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter AP group view.

wlan ap-group group-name

N/A

3.     Enter AP model view.

ap-model ap-model

N/A

4.     Enter module view.

module module-id

N/A

5.     Configure iBeacon transmission for a BLE module.

rfid-tracking ble advertisement { disable | enable }

By default, iBeacon transmission is disabled for a BLE module.

6.     Configure the advertisement information.

rfid-tracking ble advertisement { major-id major-id | measured-power | minor-id minor-id | uuid uuid }

By default, the UUID is 0, Major ID is 1, Minor ID is 1, and measured power is -58 dBm in an iBeacon advertisement.

7.     Set the interval for the BLE module to broadcast iBeacon advertisements.

rfid-tracking ble advertisement interval interval

By default, a BLE module broadcasts iBeacon advertisements every 100 centiseconds (1 second).
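The following added example (not H3C code) decodes a received BLE advertising payload as an iBeacon frame and compares its UUID, Major ID, Minor ID, and measured power with the values configured on the AC. It assumes the publicly known iBeacon byte layout; the payloads are constructed from the default values listed above, and all function names are hypothetical.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional
from uuid import UUID

APPLE_COMPANY_ID = 0x004C   # Bluetooth company identifier carried in iBeacon frames
IBEACON_SUBTYPE = 0x02
IBEACON_LENGTH = 0x15       # 21 bytes: UUID (16) + Major (2) + Minor (2) + power (1)
AD_MANUFACTURER = 0xFF      # "manufacturer specific data" AD type


@dataclass(frozen=True)
class IBeacon:
    uuid: UUID
    major: int
    minor: int
    measured_power: int     # dBm, signed


def build_ibeacon(beacon: IBeacon) -> bytes:
    """Encode the manufacturer-specific AD structure (used only to make sample data)."""
    body = struct.pack("<HBB", APPLE_COMPANY_ID, IBEACON_SUBTYPE, IBEACON_LENGTH)
    body += beacon.uuid.bytes
    body += struct.pack(">HHb", beacon.major, beacon.minor, beacon.measured_power)
    return bytes([len(body) + 1, AD_MANUFACTURER]) + body


def parse_ibeacon(adv: bytes) -> Optional[IBeacon]:
    """Walk the length/type/value AD structures and return the iBeacon, if any."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break                               # padding after the last structure
        field = adv[i + 1:i + 1 + length]
        if len(field) < length:
            return None                         # truncated payload: reject it
        i += 1 + length
        ad_type, data = field[0], field[1:]
        if ad_type != AD_MANUFACTURER or len(data) != 25:
            continue
        company, subtype, dlen = struct.unpack_from("<HBB", data, 0)
        if (company, subtype, dlen) != (APPLE_COMPANY_ID, IBEACON_SUBTYPE, IBEACON_LENGTH):
            continue
        major, minor, power = struct.unpack_from(">HHb", data, 20)
        return IBeacon(UUID(bytes=data[4:20]), major, minor, power)
    return None


def audit(adv: bytes, expected: IBeacon) -> List[str]:
    """List every field that differs from the configured advertisement."""
    seen = parse_ibeacon(adv)
    if seen is None:
        return ["not an iBeacon advertisement"]
    findings = []
    for name in ("uuid", "major", "minor", "measured_power"):
        want, got = getattr(expected, name), getattr(seen, name)
        if want != got:
            findings.append(f"{name}: expected {want}, saw {got}")
    return findings


# Constructed sample payloads: a flags AD structure followed by the iBeacon frame.
FLAGS = bytes.fromhex("020106")
CONFIGURED = IBeacon(UUID(int=0), 1, 1, -58)    # the guide's default values
ADV_MATCH = FLAGS + build_ibeacon(CONFIGURED)
ADV_OTHER = FLAGS + build_ibeacon(IBeacon(UUID(int=0), 1, 7, -40))

if __name__ == "__main__":
    for label, adv in (("match", ADV_MATCH), ("other", ADV_OTHER)):
        print(label, adv.hex(), audit(adv, CONFIGURED) or "matches configuration")
```

iBeacon frames carry no authentication, so a payload that matches the configured values identifies the advertised identifier, not the transmitter.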

 

Displaying and maintaining IoT APs

Execute display commands in any view.

 

Task

Command

Display firmware upgrade information for modules.

display wlan module firmware-upgrade history { all | ap ap-name module module-id }

Display module information for an AP.

display wlan module-information ap ap-name module module-id

 


Configuring CM tunnels

This feature is restricted to Hong Kong and Macao.

Overview

A cloud management tunnel (CM tunnel) is a management tunnel established between a local device and the H3C Oasis server. It enables you to manage the local device from the H3C Oasis server without accessing the network where the device resides.

CM tunnel establishment

This section uses an AC and the H3C Oasis server as an example. The CM tunnel is established as follows:

1.     The AC sends a registration request to the H3C Oasis server.

2.     The H3C Oasis server sends a registration success packet to the AC.

The H3C Oasis server sends a registration success packet to the AC only if the serial number of the AC has been added to the H3C Oasis server.

 

 

NOTE:

If the serial number of the AC has not been added to the H3C Oasis server, the H3C Oasis server sends a registration failure packet to the AC. After receiving the registration failure packet, the AC starts the re-establishment timer and requests to re-establish the CM tunnel when the timer expires.

 

3.     The AC sends a CM tunnel request to the H3C Oasis server.

4.     The H3C Oasis server sends a CM tunnel response to the AC.

5.     The AC uses the CM tunnel interface to establish a CM tunnel with the H3C Oasis server.

Figure 130 CM tunnel establishment

 

Configuring a CM tunnel

For a successful CM tunnel establishment, add the serial number of the device to be managed to the H3C Oasis server.

To configure a CM tunnel:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure the domain name of the H3C Oasis server.

cmtunnel server domain domain-name

By default, the domain name of the H3C Oasis server is not configured.

 

Displaying and maintaining CM tunnels

Execute display commands in any view.

 

Task

Command

Display CM tunnel state information.

display cmtunnel state

 

CM tunnel configuration example

Network requirements

As shown in Figure 131, configure the AC to establish a CM tunnel with the H3C Oasis server.

Figure 131 Network diagram

 

Configuration procedure

1.     Configure IP addresses for interfaces as shown in Figure 131, and configure a routing protocol to make sure the devices can reach each other. (Details not shown.)

2.     Log in to the H3C Oasis server to add the serial number of the AC to the server. (Details not shown.)

3.     Configure the domain name of the H3C Oasis server as lvzhou.h3c.com.

<AC> system-view

[AC] cmtunnel server domain lvzhou.h3c.com

 

 

NOTE:

The DNS service is provided by the ISP DNS server.

 

Verifying the configuration

# Verify that the AC and the H3C Oasis server have established a CM tunnel.

[AC] display cmtunnel state

Server address     : 10.1.1.1

Server name        : lvzhou.h3c.com

Local port         : 80

Connection state   : Established

Device state       : Request_success


Configuring cloud connections

This feature is restricted to Hong Kong and Macao.

Overview

A cloud connection is a management tunnel established between a local device and the H3C Oasis server. It enables you to manage the local device from the H3C Oasis server without accessing the network where the device resides.

The service modules on the local device can establish multiple subconnections with the microservices on the H3C Oasis server. These subconnections are independent from each other and provide separate communication channels for different services. This mechanism avoids interference among different services.

Cloud connection establishment

This section uses an AC and the H3C Oasis server as an example. The cloud connection is established as follows:

1.     The AC sends an authentication request to the H3C Oasis server.

2.     The H3C Oasis server sends an authentication success packet to the AC.

The AC passes the authentication only if the serial number of the AC has been added to the H3C Oasis server. If the authentication fails, the H3C Oasis server sends an authentication failure packet to the AC.

3.     The AC sends a registration request to the H3C Oasis server.

4.     The H3C Oasis server sends a registration response to the AC.

The registration response contains the uniform resource locator (URL) used to establish a cloud connection.

5.     The AC uses the URL to send a handshake request (changing the protocol from HTTP to WebSocket) to the H3C Oasis server.

6.     The H3C Oasis server sends a handshake response to the AC to finish establishing the cloud connection.

 

 

NOTE:

After the cloud connection is established, the AC automatically obtains the subconnection URLs and establishes subconnections with the H3C Oasis server based on the service needs.

 

Figure 132 Establishing a cloud connection

 

Configuring a cloud connection

For a successful cloud connection establishment, add the serial number of the device to be managed to the H3C Oasis server.

To configure a cloud connection:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure the domain name of the H3C Oasis server.

cloud-management server domain domain-name

By default, the domain name of the H3C Oasis server is not configured.

3.     Set the keepalive interval.

cloud-management keepalive interval

By default, the keepalive interval is 180 seconds.

If the local device does not receive a response from the H3C Oasis server within three keepalive intervals, the device sends a registration request to re-establish the cloud connection.

4.     Specify the TCP port number used to establish cloud connections.

cloud-management server port port-number

By default, the TCP port number used to establish cloud connections is 443.

 

Displaying and maintaining cloud connections

Execute display commands in any view.

 

Task

Command

Display cloud connection state information.

display cloud-management state

 

Cloud connection configuration example

Network requirements

As shown in Figure 133, configure the AC to establish a cloud connection with the H3C Oasis server.

Figure 133 Network diagram

 

Configuration procedure

1.     Configure IP addresses for interfaces as shown in Figure 133, and configure a routing protocol to make sure the devices can reach each other. (Details not shown.)

2.     Log in to the H3C Oasis server to add the serial number of the AC to the server. (Details not shown.)

3.     Configure the domain name of the H3C Oasis server as lvzhouv3.h3c.com.

<AC> system-view

[AC] cloud-management server domain lvzhouv3.h3c.com

 

 

NOTE:

The DNS service is provided by the ISP DNS server.

 

Verifying the configuration

# Verify that the AC and the H3C Oasis server have established a cloud connection.

[AC] display cloud-management state

Cloud connection state                          : Established

Device state                                    : Request_success

Cloud server address                            : 10.1.1.1

Cloud server domain name                        : lvzhouv3.h3c.com

Local port                                      : 443

Connected at                                    : Wed Jan 27 14:18:40 2016

Duration                                        : 00d 00h 02m 01s

Process state                                   : DNS not parsed

Failure reason                                  : DNS parse failed

Last down reason                                : socket connection error (Details:N/A)

Last down at                                    : Wed Jan 27 13:18:40 2016

Last report failure reason                       : SSL sending failure (Details:ssl msg = ssl error read ,system msg = No such file or directory)

Last report failure at                          : Wed Jan 27 13:18:40 2016

Dropped packets after reaching buffer limit     : 0

Total dropped packets                           : 1

Last report incomplete reason                   : N/A

Last report incomplete at                       : N/A

Buffer full count                               : 0
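The output above can be checked automatically. The following added example (not H3C code) parses the display cloud-management state output shown in this section and reports the fields an operator should review. The function names are hypothetical, and treating Local port as the configured TCP port is an assumption based on the sample.

```python
from datetime import datetime
from typing import Dict, List, Optional

# The sample output from this section, embedded so the example runs offline.
SAMPLE_OUTPUT = """\
Cloud connection state                          : Established
Device state                                    : Request_success
Cloud server address                            : 10.1.1.1
Cloud server domain name                        : lvzhouv3.h3c.com
Local port                                      : 443
Connected at                                    : Wed Jan 27 14:18:40 2016
Duration                                        : 00d 00h 02m 01s
Process state                                   : DNS not parsed
Failure reason                                  : DNS parse failed
Last down reason                                : socket connection error (Details:N/A)
Last down at                                    : Wed Jan 27 13:18:40 2016
Last report failure reason                       : SSL sending failure (Details:ssl msg = ssl error read ,system msg = No such file or directory)
Last report failure at                          : Wed Jan 27 13:18:40 2016
Dropped packets after reaching buffer limit     : 0
Total dropped packets                           : 1
Last report incomplete reason                   : N/A
Last report incomplete at                       : N/A
Buffer full count                               : 0
"""

FAILURE_FIELDS = ("Failure reason", "Last down reason", "Last report failure reason")
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_state(text: str) -> Dict[str, str]:
    """Split each 'name : value' line at the first colon (values may contain colons)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_time(value: str) -> Optional[datetime]:
    try:
        return datetime.strptime(value, TIME_FORMAT)
    except ValueError:
        return None                      # "N/A" or an unexpected format


def review_state(fields: Dict[str, str], expected_domain: str,
                 expected_port: int = 443) -> List[str]:
    """Return findings; an empty list means nothing needs attention."""
    findings = []
    if fields.get("Cloud connection state") != "Established":
        findings.append("connection state: %s" % fields.get("Cloud connection state"))
    if fields.get("Device state") != "Request_success":
        findings.append("device state: %s" % fields.get("Device state"))
    if fields.get("Cloud server domain name") != expected_domain:
        findings.append("server domain mismatch: %s" % fields.get("Cloud server domain name"))
    # Assumption: Local port shows the TCP port configured for cloud connections.
    if fields.get("Local port") != str(expected_port):
        findings.append("port mismatch: %s" % fields.get("Local port"))
    for name in FAILURE_FIELDS:
        value = fields.get(name, "N/A")
        if value != "N/A":
            findings.append("recorded failure [%s]: %s" % (name, value))
    dropped = fields.get("Total dropped packets", "0")
    if dropped.isdigit() and int(dropped) > 0:
        findings.append("dropped packets: %s" % dropped)
    up = parse_time(fields.get("Connected at", ""))
    down = parse_time(fields.get("Last down at", ""))
    if up and down and up > down:
        findings.append("previous outage: %d s" % (up - down).total_seconds())
    return findings


if __name__ == "__main__":
    for finding in review_state(parse_state(SAMPLE_OUTPUT), "lvzhouv3.h3c.com"):
        print(finding)
```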

 


Configuring WLAN IP snooping

Overview

WLAN IP snooping enables an AP to learn clients' IP addresses through snooping ARP, DHCP, and HTTP packets and generate snooping entries that record IP addresses, MAC addresses, and learning method. The entries will be used by IP Source Guard to determine whether to forward client packets. For more information about IP Source Guard, see Security Configuration Guide.

Client IPv4 address learning

An AP learns client IPv4 addresses by using the following methods:

·     Snooping DHCPv4 packets exchanged between client and server.

For more information about DHCP, see Layer 3—IP Services Configuration Guides.

·     Snooping ARP packets sent by clients.

For more information about ARP, see Layer 3—IP Services Configuration Guides.

·     Snooping HTTP requests redirected to the portal server.

For more information about portal authentication, see Security Configuration Guides.

The priorities for learning IP addresses through snooping DHCPv4 packets, ARP packets, and HTTP requests are in descending order.

Client IPv6 address learning

An AP learns client IPv6 addresses by using the following methods:

·     Snooping DHCPv6 packets exchanged between client and server.

For more information about DHCPv6, see Layer 3—IP Services Configuration Guides.

·     Snooping ND packets, including Router Advertisement (RA) packets, Neighbor Solicitation (NS) packets, and Neighbor Advertisement (NA) packets sent by clients.

For more information about ND, see Layer 3—IP Services Configuration Guides.

·     Snooping HTTP requests redirected to the portal server.

For more information about portal authentication, see Security Configuration Guides.

The priorities for learning IPv6 addresses through snooping DHCPv6 packets, ND packets, and HTTP requests are in descending order.
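The following added example (a simplified model, not H3C code) shows how the learning priorities and the per-method switches decide which client addresses a source check will accept. It assumes that a lower-priority method never overwrites an entry learned by a higher-priority one, that one address is kept per MAC address and IP version, and that forwarding requires an exact MAC-to-IP match. All names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Tuple

# Learning methods in the descending priority order the guide gives:
# DHCPv4/DHCPv6 first, then ARP (IPv4) or ND (IPv6), then redirected HTTP requests.
PRIORITY = {"dhcp": 3, "arp": 2, "nd": 2, "http": 1}


@dataclass(frozen=True)
class Entry:
    ip: str
    mac: str
    method: str


class SnoopingTable:
    """Snooping entries (IP address, MAC address, learning method) for one service template."""

    def __init__(self, arp_learning: bool = True, nd_learning: bool = True,
                 http_learning: bool = False):
        # Defaults follow the guide: ARP and ND snooping on, HTTP snooping off.
        self.enabled = {"dhcp": True, "arp": arp_learning,
                        "nd": nd_learning, "http": http_learning}
        self.entries: Dict[Tuple[str, int], Entry] = {}

    def learn(self, mac: str, ip: str, method: str) -> bool:
        """Record an address seen in a snooped packet; return True if the table changed."""
        if method not in PRIORITY:
            raise ValueError("unknown learning method: %s" % method)
        if not self.enabled[method]:
            return False
        addr = ip_address(ip)
        if (method == "arp" and addr.version != 4) or (method == "nd" and addr.version != 6):
            return False
        key = (mac.lower(), addr.version)
        current = self.entries.get(key)
        if current is not None and PRIORITY[current.method] > PRIORITY[method]:
            return False                 # assumption: keep the higher-priority entry
        self.entries[key] = Entry(str(addr), mac.lower(), method)
        return True

    def permit(self, mac: str, src_ip: str) -> bool:
        """Simplified source check: forward only if the source IP is bound to this MAC."""
        addr = ip_address(src_ip)
        entry = self.entries.get((mac.lower(), addr.version))
        return entry is not None and entry.ip == str(addr)


def demo() -> Dict[str, bool]:
    """Constructed scenario: one DHCP client, one client with a static address."""
    dhcp_client, static_client = "00:11:22:00:00:01", "00:11:22:00:00:02"
    default = SnoopingTable()
    default.learn(dhcp_client, "10.0.0.5", "dhcp")
    default.learn(dhcp_client, "10.0.0.9", "arp")       # ignored: DHCP entry wins
    default.learn(static_client, "10.0.0.20", "arp")    # learned: no DHCP entry exists
    strict = SnoopingTable(arp_learning=False)          # undo ... arp-learning enable
    strict.learn(static_client, "10.0.0.20", "arp")
    return {
        "dhcp_address": default.permit(dhcp_client, "10.0.0.5"),
        "arp_claim_over_dhcp": default.permit(dhcp_client, "10.0.0.9"),
        "static_with_arp_learning": default.permit(static_client, "10.0.0.20"),
        "static_without_arp_learning": strict.permit(static_client, "10.0.0.20"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-28s %s" % (name, "forward" if allowed else "drop"))
```

With ARP snooping disabled, only DHCP-assigned IPv4 addresses produce entries, so clients with static addresses have no entry for the source check to match.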

WLAN IP snooping configuration task list

Tasks at a glance

(Optional.) Disabling snooping ARP packets

(Optional.) Disabling snooping ND packets

(Optional.) Disabling SNMP from getting client IPv6 addresses learned from ND packets

(Optional.) Enabling snooping HTTP requests redirected to the portal server

 

Disabling snooping ARP packets

About ARP packet snooping

By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to disable client IPv4 address learning from ARP packets.

Procedure

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a service template and enter its view. | wlan service-template service-template-name | N/A |
| 3. Disable snooping ARP packets. | undo client ipv4-snooping arp-learning enable | By default, snooping ARP packets is enabled. |

Disabling snooping ND packets

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a service template and enter its view. | wlan service-template service-template-name | N/A |
| 3. Disable snooping ND packets. | undo client ipv6-snooping nd-learning enable | By default, snooping ND packets is enabled. |

Disabling SNMP from getting client IPv6 addresses learned from ND packets

Perform this task so that SNMP obtains only the client IPv6 addresses learned from DHCPv6 packets.

To disable SNMP from getting client IPv6 addresses learned from ND packets:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a service template and enter its view. | wlan service-template service-template-name | N/A |
| 3. Disable SNMP from getting client IPv6 addresses learned from ND packets. | undo client ipv6-snooping snmp-nd-report enable | By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets. |

Enabling snooping HTTP requests redirected to the portal server

The AC can use this method to learn IP addresses of portal-authenticated clients.

To enable snooping HTTP requests redirected to the portal server:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a service template and enter its view. | wlan service-template service-template-name | N/A |
| 3. Enable snooping HTTP requests redirected to the portal server. | client ip-snooping http-learning enable | By default, snooping HTTP requests is disabled. |

WLAN IP snooping configuration example

Network requirements

As shown in Figure 134, configure the AP to learn the client's IPv6 address only from DHCPv6 packets.

Figure 134 Network diagram

 

Configuration procedure

# Configure wireless services. (Details not shown.)

For more information, see "Managing APs" and "Configuring WLAN access."

# Disable snooping ND packets.

<AC> system-view

[AC] wlan service-template service

[AC-wlan-st-service] undo client ipv6-snooping nd-learning enable
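A configuration audit for the learning options above, added here as an example (not H3C code): it applies this page's defaults to each service template in a saved configuration and flags templates that learn client addresses from anything other than DHCP. The configuration layout, the sample text, the DHCP-only policy, the finding codes, and the function names are assumptions.

```python
"""Audit WLAN IP snooping learning sources per service template."""
import re

# Commands and defaults as documented on this page.
# key -> (command text, enabled by default?)
FEATURES = {
    "arp": ("client ipv4-snooping arp-learning enable", True),
    "nd": ("client ipv6-snooping nd-learning enable", True),
    "snmp_nd": ("client ipv6-snooping snmp-nd-report enable", True),
    "http": ("client ip-snooping http-learning enable", False),
}

# Constructed sample. The layout (unindented section header, indented
# body, "#" separator lines) is an assumption about the saved config.
SAMPLE_CONFIG = """\
#
wlan service-template guest
 ssid guest-wifi
 client ip-snooping http-learning enable
 service-template enable
#
wlan service-template staff
 ssid staff-wifi
 undo client ipv4-snooping arp-learning enable
 undo client ipv6-snooping nd-learning enable
 service-template enable
#
wlan service-template lab
 ssid lab-wifi
 undo client ipv6-snooping snmp-nd-report enable
#
"""

HEADER = re.compile(r"^wlan service-template (\S+)\s*$")


def parse_templates(config_text):
    """Return {template name: {feature: bool}} with page defaults applied."""
    templates = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None              # separator ends the section
            continue
        if not raw[0].isspace():        # a new top-level section starts
            match = HEADER.match(raw)
            current = None
            if match:
                defaults = {key: on for key, (_, on) in FEATURES.items()}
                current = templates.setdefault(match.group(1), defaults)
            continue
        if current is None:             # body of some unrelated section
            continue
        line = raw.strip()
        for key, (command, _) in FEATURES.items():
            if line == command:
                current[key] = True
            elif line == "undo " + command:
                current[key] = False
    return templates


def learning_sources(state):
    """Active sources per address family, highest priority first.

    DHCP learning is treated as always on (assumption: the page gives
    no command that disables it).
    """
    ipv4 = ["DHCPv4"]
    ipv6 = ["DHCPv6"]
    if state["arp"]:
        ipv4.append("ARP")
    if state["nd"]:
        ipv6.append("ND")
    if state["http"]:
        ipv4.append("HTTP")
        ipv6.append("HTTP")
    return {"ipv4": ipv4, "ipv6": ipv6}


def audit(config_text):
    """Return (template, finding code) pairs for a DHCP-only policy."""
    findings = []
    for name, state in sorted(parse_templates(config_text).items()):
        if state["arp"]:
            findings.append((name, "ARP_LEARNING"))
        if state["nd"]:
            findings.append((name, "ND_LEARNING"))
        if state["http"]:
            findings.append((name, "HTTP_LEARNING"))
        # ND-learned addresses reach SNMP only if ND learning is on at all.
        if state["nd"] and state["snmp_nd"]:
            findings.append((name, "SNMP_ND_REPORT"))
    return findings


if __name__ == "__main__":
    for name, state in sorted(parse_templates(SAMPLE_CONFIG).items()):
        print(name, learning_sources(state))
    for name, code in audit(SAMPLE_CONFIG):
        print("FINDING", name, code)
```

A template with no findings, such as staff in the sample, builds its snooping entries from DHCP exchanges only.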

 


Configuring WLAN fast forwarding

Overview

WLAN fast forwarding enhances forwarding performance. When fast forwarding is enabled, the AC performs concurrent forwarding by using the multi-core CPU and the 5-tuple table. The AC learns the source IP, source port, destination IP, destination port, and protocol during forwarding and uses high-speed buffer technology to save the information in the 5-tuple table.

Feature and hardware compatibility

| Hardware series | Model | Fast forwarding compatibility |
|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | No |
| WX3800H series | WX3820H, WX3840H | Yes |
| WX5800H series | WX5860H | Yes |

Configuring WLAN fast forwarding

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable WLAN fast forwarding. | wlan fast-forwarding enable | By default, WLAN fast forwarding is enabled. |

Displaying and maintaining WLAN fast forwarding

Execute display commands in any view.

 

| Task | Command |
|---|---|
| Display WLAN fast forwarding status. | display wlan fast-forwarding status |


Configuring WLAN probe

Overview

WLAN probe enables APs to monitor the WLAN and collect information about wireless devices in the WLAN. Then, the APs send the collected information to the specified server for further analysis.

WLAN probe system

As shown in Figure 135, a WLAN probe system contains the following devices:

·     Sensors—APs enabled with WLAN probe. They scan the channels, collect wireless device information, and report the information to the server.

·     AC—Manages sensors and reports information received from sensors to the server.

·     Server—Analyzes the information received from sensors and the AC.

Figure 135 WLAN probe system

 

Work mechanism

A WLAN probe system operates as follows:

1.     Wireless devices send 802.11 packets.

2.     Sensors collect wireless device information, such as MAC address, device type, RSSI, and time stamp from the packets.

3.     Sensors send collected device information to the AC or server.

4.     The server analyzes the received information.

WLAN probe configuration task list

Tasks at a glance

(Required.) Enabling WLAN probe

(Required.) Specifying a server to receive wireless device information

(Optional.) Configuring sensors to report wireless device information to the AC

(Optional.) Enabling real-time reporting of wireless device information to the UDP server

(Optional.) Setting the coordinates for a sensor

(Optional.) Configuring wireless device filtering

(Optional.) Setting device entry timers

 

Enabling WLAN probe

To enable WLAN probe in radio view:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name | N/A |
| 3. Enter radio view. | radio radio-id | N/A |
| 4. Enable WLAN probe. | client-proximity-sensor enable | By default, a radio uses the configuration in AP group radio view. |

To enable WLAN probe in AP group radio view:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP group view. | wlan ap-group group-name | N/A |
| 3. Enter AP model view. | ap-model ap-model | N/A |
| 4. Enter radio view. | radio radio-id | N/A |
| 5. Enable WLAN probe. | client-proximity-sensor enable | By default, WLAN probe is disabled. |

Specifying a server to receive wireless device information

About specifying a server to receive wireless device information

Perform this task to specify the server to which a sensor or the AC reports wireless device information.

Restrictions and guidelines

For the AC to report device information to the server, you must enable sensors to report information about detected devices to the AC.

Procedure

To specify an HTTPS server:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify an HTTPS server to receive wireless device information. | client-proximity-sensor server string [ window-time window-time-value \| partner partner-value ] * | By default, no HTTPS server is specified. |

To specify a UDP server for the AC:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify a UDP server to receive wireless device information. | client-proximity-sensor udp-server ip-address port port-number [ interval interval \| preshared-key [ cipher \| simple ] key-string ] * | By default, no UDP server is specified. |

To specify a UDP server for a sensor:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name | N/A |
| 3. Specify a UDP server to receive wireless device information. | client-proximity-sensor ap-udp-server ip-address port port-number [ interval interval \| preshared-key [ cipher \| simple ] key-string ] * | By default, no UDP server is specified. |

Configuring sensors to report wireless device information to the AC

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable sensors to report information about detected devices to the AC. | client-proximity-sensor report-ac enable | By default, sensors do not report information about detected devices to the AC. |
| 3. (Optional.) Set the interval at which sensors report information about detected devices to the AC. | client-proximity-sensor report-ac-interval interval | By default, sensors report information about detected devices to the AC every 3000 milliseconds. |

Enabling real-time reporting of wireless device information to the UDP server

About real-time reporting of wireless device information to the UDP server

After you enable this feature, the device information is reported to the UDP server in real time, rather than at the specified intervals.

Procedure

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable real-time reporting of wireless device information to the UDP server. | client-proximity-sensor rt-report enable | By default, real-time reporting of wireless device information to the UDP server is disabled. |

Setting the coordinates for a sensor

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter AP view. | wlan ap ap-name | N/A |
| 3. Set the longitude and latitude of the sensor. | client-proximity-sensor coordinates longitude longitude-value latitude latitude-value | By default, the longitude and latitude are not set. |

Configuring wireless device filtering

About wireless device filtering

Perform this task to control whether information about the specified wireless devices is reported.

Procedure

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure the MAC address filtering list. | client-proximity-sensor filter-list list | By default, the MAC address filtering list is not configured. |
| 3. Set the RSSI threshold for clients or APs. | client-proximity-sensor rssi-threshold { ap ap-rssi-value \| client client-rssi-value } | By default, the RSSI thresholds for clients and APs are not set. |
| 4. Set the RSSI difference threshold for wireless device information reporting. | client-proximity-sensor rssi-change-threshold threshold-value | By default, the RSSI difference threshold is 100. |
| 5. Enable reporting of information about Apple terminals that use a random MAC address. | client-proximity-sensor random-mac-report enable | By default, information about Apple terminals that use a random MAC address is not reported. |
| 6. Enable reporting of AP information to the UDP server. | client-proximity-sensor report-ap enable | By default, the information about APs is not reported to the UDP server. |

Setting device entry timers

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the AP entry timers. | client-proximity-sensor ap-timer inactive inactive-value aging aging-value | By default, the inactive time and aging time for AP entries are 300 seconds and 600 seconds, respectively. |
| 3. Set the client entry timers. | client-proximity-sensor client-timer inactive inactive-value aging aging-value | By default, the inactive time and aging time for client entries are 300 seconds and 600 seconds, respectively. |

Displaying and maintaining WLAN probe

Execute display commands in any view and reset commands in user view.

 

| Task | Command |
|---|---|
| Display information about wireless devices detected by sensors. | display client-proximity-sensor device [ ap \| client \| mac-address mac-address ] [ verbose ] |
| Display information about sensors. | display client-proximity-sensor sensor |
| Display information received from sensors. | display client-proximity-sensor statistics receive |
| Clear wireless device information. | reset client-proximity-sensor device { ap \| client \| mac-address mac-address \| all } |
| Clear information received from sensors. | reset client-proximity-sensor statistics |

WLAN probe configuration examples

WLAN probe configuration example

Network requirements

As shown in Figure 136, AP 1 and AP 2 provide wireless services for clients through SSID abc.

Enable WLAN probe on the sensor, and configure the AC to report the received wireless device information to the server.

Figure 136 Network diagram

 

Configuration procedure

# Configure wireless service settings on the AC. (Details not shown.)

For more information, see "Configuring WLAN access."

# Create AP Sensor, and enable WLAN probe for the AP.

<AC> system-view

[AC] wlan ap Sensor model WA536-WW

[AC-wlan-ap-Sensor] serial-id 219801A1NQB117012935

[AC-wlan-ap-Sensor] radio 1

[AC-wlan-ap-Sensor-radio-1] radio enable

[AC-wlan-ap-Sensor-radio-1] client-proximity-sensor enable

[AC-wlan-ap-Sensor-radio-1] quit

[AC-wlan-ap-Sensor] radio 2

[AC-wlan-ap-Sensor-radio-2] radio enable

[AC-wlan-ap-Sensor-radio-2] client-proximity-sensor enable

[AC-wlan-ap-Sensor-radio-2] quit

[AC-wlan-ap-Sensor] quit

# Configure the sensor to report wireless device information to the AC.

[AC] client-proximity-sensor report-ac enable

# Configure the AC to report wireless device information to the UDP server with IP address 192.168.1.123 and port number 1234, and set the report interval to 20 seconds.

[AC] client-proximity-sensor udp-server 192.168.1.123 port 1234 interval 20

Verifying the configuration

# Display wireless device information detected by the sensor.

[AC] display client-proximity-sensor device

Total 3 detected devices

 

MAC address    Type      Duration    Sensors Channel Status

0021-632F-E9E5 Client    00h 10m 46s 1       11      Active

0021-6330-148B Client    00h 10m 46s 1       6       Active

0212-34B8-A8E0 Client    00h 10m 46s 1       1       Active

# On the management console of the server, view the wireless device information received from the AC. (Details not shown.)


Configuring WLAN process maintenance

Overview

WLAN process maintenance enables the system to monitor and collect the CPU usage, memory usage, and thread status of WLAN processes for administrators to troubleshoot the WLAN. It provides the following features:

·     Memory usage monitoring—Records the memory usage of each monitored process every five minutes and performs a calculation every 2 hours. The system determines that a memory leak has occurred and outputs a log entry when the memory usage of a process exceeds the threshold and has shown an upward trend over the past seven days.

·     CPU usage monitoring—Periodically records the CPU usage of each monitored process and performs a calculation. If the calculated usage exceeds 5%, the system outputs a log entry.

·     Thread state monitoring—Sends a message to the thread of each monitored process every 30 seconds. If the system fails to receive any response within a specific period, it determines that the thread is in defunct state and outputs a log entry.

Enabling WLAN process maintenance

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable WLAN process maintenance. | maintain enable | By default, WLAN process maintenance is enabled. |

Setting the inactive timeout

About the inactive timeout

When WLAN process maintenance is enabled, the system periodically sends a message to each monitored process to examine the process state. If the system fails to receive any response from a process when the inactive timeout expires, the system determines that the process is in defunct state.

Restrictions and guidelines

The new inactive timeout takes effect the first time the system sends a message after the command is executed.

You can set the inactive timeout only for the apmgr, stamgr, and portal processes.

The feature takes effect only when WLAN process maintenance is enabled.

Procedure

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the inactive timeout for a process. | maintain process process-name inactive-time value | By default, the inactive timeout is 10 minutes. |

Setting the memory usage threshold

About the memory usage threshold

The system outputs a log entry when the memory usage of the specified process exceeds the threshold.

Restrictions and guidelines

This feature takes effect only when WLAN process maintenance is enabled.

You can set the threshold only for the apmgr, stamgr, and portal processes.

Procedure

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the memory usage threshold. | maintain process process-name memory-threshold value | By default, the memory usage threshold is 300 MB. |

Displaying and maintaining WLAN process maintenance

 

Execute display commands in any view.

 

| Task | Command |
|---|---|
| Display the CPU usage history of WLAN processes. | display maintain cpu-usage history process process-name [ days-ago days ] [ start-time value ] [ interval interval ] |
| Display memory usage history of WLAN processes. | display maintain memory-usage history process process-name [ days-ago days ] [ start-time value ] [ interval interval ] |




BLE iBeacon transmission, 409

iBeacon transmission (AP group module view), 410

iBeacon transmission (module view), 410

broadcast

WLAN access AP broadcast probe request response, 112

broadcast disassociation/deauthentication attack

broadcast disassociation/deauthentication attack detection, 197

BSS

WLAN access SSID setting, 106

BSSID

Hotspot 2.0 HESSID set, 351

BYOD

WLAN authentication access control, 168

C

CAC

WLAN QoS WMM CAC admission policies, 230

CAPWAP

AC discovery, 1

AP management, 1, 4, 25

AP preprovisioned settings auto assignment, 21

protocols and standards, 4

tunnel, 1

tunnel configuration, 11

tunnel establishment, 2

tunnel establishment (DHCP), 25

tunnel establishment (DHCPv6), 31

tunnel establishment (DNS), 36

tunnel establishment configuration, 5

WLAN 802.11r configuration, 310

WLAN access configuration, 100, 105, 124

WLAN dual-link backup mode configuration, 296

WLAN high availability dual-link backup, 294

WLAN radio resource measurement, 277

CAPWAP tunnel

WLAN master CAPWAP tunnel preemption configuration, 295

CAPWAP tunnel configuration, 11

CAPWAP tunnel establishment configuration, 5

CCMP

WLAN security cipher suite, 138

WLAN security RSNA mechanism (cipher suite), 134

channel

radio, 49

radio channel selection blacklist/whitelist, 64

WLAN RRM channel capability match mode, 397

WLAN RRM DFS configuration, 384

WLAN RRM holddown group, 389, 393

WLAN RRM on-demand DFS configuration, 389

WLAN RRM periodic auto-DFS configuration, 385

WLAN RRM scheduled auto-DFS configuration, 386

channel scanning

maximum service period setting, 285

scanning period setting, 285

service idle timeout setting, 286

WLAN absolute forwarding preferred configuration, 288

WLAN configuration, 284

WLAN configuration (on an AC), 288

WLAN relative forwarding preferred configuration, 288

channel scanning blacklist or whitelist configuration, 286

cipher

WLAN security cipher suite, 138

WLAN security RSNA mechanism (cipher suite), 134

WLAN security TKIP MIC failure hold time, 140

WLAN security WEP key, 140

Cipher suite

CCMP, 134

TKIP, 134

Clear to Send. Use CTS

clearing

AP management information, 25

client

802.1X authentication client timer, 171

802.1X authentication initiation, 161

802.1X authentication process, 161

classification, 202

radio client-AP association max set, 71

wireless location MU information reporting, 334

wireless location raw frame reporting, 333

WLAN access client association, 102

WLAN access client data frame encapsulation format, 109

WLAN client access control, 102

WLAN client access control (AP group-based), 102

WLAN client access control (blacklist-based), 104

WLAN client access control (SSID-based), 103

WLAN client access control (whitelist-based), 104

clients with the 40 MHz bandwidth mode disabled

detection on clients with the 40 MHz bandwidth mode disabled, 197

cloud

cloud connection configuration, 415, 416, 417

cloud connection establishment, 415

CM tunnel configuration, 412, 413, 413

CM tunnel establishment, 412

collision avoidance mode (radio), 73

configuration file

WLAN access configuration file on AP, 120

configuring

802.11b client access, 71

802.11b client access (in AP group radio view), 72

802.11b client access (in AP radio view), 72

access for only 802.11ac clients (in AP group radio view), 88

access for only 802.11ac clients (in AP radio view), 88

access for only 802.11n and 802.11ac clients, 82

access for only 802.11n and 802.11ac clients (in AP group radio view), 83

access for only 802.11n and 802.11ac clients (in AP radio view), 82

alarm-ignored device list, 210

AP AC rediscovery (AP group view), 8

AP AC rediscovery (AP view), 7

AP AC rediscovery (global configuration view), 8

AP AC request retransmission, 13

AP AC request retransmission (in AP group view), 14

AP AC request retransmission (in AP view), 13

AP group, 46

AP preprovisioned settings auto assignment, 21

AP preprovisioned settings auto load (for AP group), 22

AP preprovisioned settings auto load (for AP), 21

AP software version upgrade (in AP group view), 9

AP software version upgrade (in AP view), 9

AP software version upgrade (in global configuration view), 9

auto AP, 41

bandwidth guaranteeing, 236

bandwidth guaranteeing, 243

CAPWAP tunnel, 11

CAPWAP tunnel establishment, 5

CAPWAP tunnel latency detection, 11

channel scanning blacklist or whitelist, 286

client rate limiting, 237, 245

client rate limiting (client-type-based), 238

client rate limiting (radio-based), 237

client rate limiting (service-template-based), 237

clients to prefer authorization VLAN after roaming, 107

cloud connection, 415, 416, 417

CM tunnel, 412, 413, 413

default power level (in AP group's AP model view), 16

default power level (in AP view), 16

detection filtering, 216

detection on other attacks, 207

device classification and countermeasures, 218

dynamic WEP mechanism, 154

Hotspot 2.0, 346, 349, 358, 377

Hotspot 2.0 (iPhone application), 358

Hotspot 2.0 (Samsung application), 369

Hotspot 2.0 3GPP information, 350

Hotspot 2.0 AP venue information, 355

Hotspot 2.0 IP address availability, 352

Hotspot 2.0 policy, 350

iBeacon transmission (AP group module view), 410

iBeacon transmission (module view), 410

inter-AC roaming, 255

intra-AC roaming, 252

IoT AP, 405, 405

IoT AP automatic module firmware upgrade (AP group module view), 408

IoT AP automatic module firmware upgrade (module view), 408

IP snooping, 419

IPv6 preference for AC rediscovery, 7

MAC authentication user account format, 172

malformed packet and flood attack detection, 220

management frame protection, 140, 151

module firmware manual upgrade, 409

OSU server, 356

packet trust type, 235

port priority, 235

preprovisioned setting auto loading, 21

PSK authentication and bypass authentication, 144

radio, 59

radio 802.11ac, 86

radio 802.11ac smart antenna (in AP group radio view), 91

radio 802.11ac smart antenna (in AP radio view), 91

radio 802.11g protection (in AP group radio view), 75

radio 802.11g protection (in AP radio view), 75

radio 802.11n, 77, 96

radio 802.11n energy saving (in AP group radio view), 85

radio 802.11n energy saving (in AP radio view), 85

radio 802.11n LDPC (in AP group radio view), 80

radio 802.11n LDPC (in AP radio view), 80

radio 802.11n protection (in AP group radio view), 86

radio 802.11n protection (in AP radio view), 86

radio 802.11n short GI (in AP group radio view), 79

radio 802.11n short GI (in AP radio view), 79

radio 802.11n STBC (in AP group radio view), 80

radio 802.11n STBC (in AP radio view), 80

radio ANI (in AP group radio view), 72

radio ANI (in AP radio view), 72

radio basics, 62, 92

radio channel selection blacklist/whitelist (in AP group radio view), 64

radio channel selection blacklist/whitelist (in AP radio view), 64

radio management, 49, 92

radio power lock (in AP group radio view), 67

radio power lock (in AP radio view), 66

remote AP, 14

remote AP (in AP group view), 15

remote AP (in AP view), 15

shared key authentication, 142

signature-based user-defined attack detection, 225

smart antenna, 91

SVP mapping, 235, 241

traffic differentiation, 242

TxBF, 90

TxBF (in AP group radio view), 90

TxBF (in AP radio view), 90

user-defined attack detection based on signatures, 209

WIPS, 194, 218

WIPS attack detection, 204

WIPS attack detection policy, 211

WIPS countermeasure policy, 213

WIPS countermeasures, 213

WIPS device classification, 211

WIPS device entry attack detection, 206

WIPS flood attack detection, 204

WIPS malformed packet detection, 205

wireless device filtering, 426

wireless device information report to the AC, 425

wireless location, 328, 328, 329, 343

wireless location client packet rate limit (in AP group view), 340

wireless location client packet rate limit (in AP view), 340

wireless location client packet rate limit (in global configuration view), 341

wireless location keepalive (in AP group view), 342

wireless location keepalive (in AP group view), 342

wireless location keepalive (in global configuration view), 343

wireless location MU information reporting (in AP group view), 334

wireless location MU information reporting (in AP view), 334

wireless location MU information reporting (in global configuration view), 335

wireless location packet dilution (in AP group view), 337

wireless location packet dilution (in AP view), 337

wireless location packet dilution (in global configuration view), 337

wireless location packet rate limiting (in AP group view), 341

wireless location packet rate limiting (in AP view), 341

wireless location packet rate limiting (in global configuration view), 342

wireless location raw frame reporting (in AP group view), 334

wireless location raw frame reporting (in AP view), 333

wireless location raw frame reporting (in global configuration view), 334

wireless location RSSI-based packet filtering (in AP group view), 339

wireless location RSSI-based packet filtering (in AP view), 339

wireless location RSSI-based packet filtering (in global configuration view), 340

WLAN 802.11r, 310

WLAN 802.1X CHAP local authentication, 181

WLAN 802.1X EAP-PEAP authentication, 183

WLAN 802.1X online user handshake, 176

WLAN absolute forwarding preferred, 288

WLAN access, 100, 105, 124

WLAN access AP service template inheritance, 114

WLAN access blacklist (dynamic)(on AC), 119

WLAN access blacklist (static)(on AC), 126

WLAN access client keepalive (AP group view), 114

WLAN access client keepalive (AP view), 113

WLAN access forwarding policy, 116

WLAN access policy-based forwarding, 116

WLAN access service template, 106

WLAN access service template description, 106

WLAN access uplink client rate limit, 121

WLAN access whitelist, 126

WLAN authentication, 169, 169, 181

WLAN authentication accounting-start trigger, 179

WLAN authentication accounting-update trigger, 180

WLAN authentication intrusion protection, 176

WLAN authentication parameters, 173

WLAN authentication parameters (global), 170

WLAN Auth-Fail VLAN, 175

WLAN band navigation, 290, 290, 290, 292

WLAN band navigation load balancing, 291

WLAN band navigation parameters, 291

WLAN bandwidth-mode load balancing, 268, 273

WLAN channel scanning, 284, 284

WLAN channel scanning (on an AC), 288

WLAN dual-link backup mode, 296

WLAN fast forwarding, 422, 422

WLAN high availability dual-link backup, 294

WLAN high availability master CAPWAP tunnel preemption (for AP group), 296

WLAN high availability master CAPWAP tunnel preemption (for AP), 295

WLAN high availability master CAPWAP tunnel preemption (globally), 296

WLAN high availability uplink detection track entry association, 303

WLAN IP snooping, 419, 421

WLAN load balancing, 260, 263, 263

WLAN load balancing (for a load balancing group), 270

WLAN load balancing (for radios), 265

WLAN load balancing group, 264

WLAN load balancing parameters, 264

WLAN MAC authentication (RADIUS-based), 188

WLAN probe, 423, 423, 427, 427

WLAN process maintenance, 430

WLAN QoS, 229, 239

WLAN QoS CAC, 240

WLAN QoS WMM, 239

WLAN radio resource measurement, 276, 277

WLAN relative forwarding preferred, 288

WLAN resource measurement, 281

WLAN roaming, 247, 252

WLAN RRM, 381, 384, 399

WLAN RRM DFS, 384, 399

WLAN RRM DFS trigger parameter (in AP group RRM view), 385

WLAN RRM DFS trigger parameter (in AP RRM view), 385

WLAN RRM holddown group, 389, 393

WLAN RRM on-demand DFS, 389

WLAN RRM on-demand TPC, 393

WLAN RRM periodic auto-DFS (in AP group RRM view), 386

WLAN RRM periodic auto-DFS (in AP RRM view), 385

WLAN RRM periodic auto-TPC, 402

WLAN RRM periodic auto-TPC (in AP group RRM view), 392

WLAN RRM periodic auto-TPC (in AP RRM view), 392

WLAN RRM radio baseline, 397

WLAN RRM scheduled auto-DFS, 401

WLAN RRM scheduled auto-DFS (in AP group RRM view), 387

WLAN RRM scheduled auto-DFS (in AP RRM view), 386

WLAN RRM spectrum management, 393, 403

WLAN RRM spectrum management power constraint mode, 394

WLAN RRM TPC, 389

WLAN RRM TPC trigger parameters (in AP group RRM view), 391

WLAN RRM TPC trigger parameters (in AP RRM view), 391

WLAN security, 128, 136, 142

WLAN security 802.1X AKM, 148

WLAN security AKM mode, 137

WLAN security GTK update, 139

WLAN security private PSK+MAC authentication, 157

WLAN security PSK+MAC authentication, 146

WLAN session-mode load balancing, 265, 270

WLAN traffic-mode load balancing, 267, 272

WLAN uplink detection, 303, 303

WMM, 231

connecting

AP AC connection priority, 6

connection

WLAN high availability AP connection priority, 295

Connection Admission Control. Use CAC

Control and Provisioning of Wireless Access Points. Use CAPWAP

controlling

WLAN RRM on-demand TPC, 393

WLAN RRM periodic auto-TPC, 392

WLAN RRM TPC, 382

WLAN RRM TPC configuration, 389

WLAN RRM TPC mode configuration, 390

countermeasure policy

WIPS, 213, 215

countermeasures

WIPS, 213

WLAN, 203

country code

Hotspot 2.0 3GPP information configuration, 350

creating

AP (manual), 5

AP group, 18

WLAN mobility group, 249

D

delimiter (802.1X domain name), 170

Delivery Traffic Indication Map. Use DTIM

deploying

configuration file to AP (in AP group AP model view), 121

configuration file to AP (in AP view), 120

WLAN access configuration file on AP, 120

detecting

clients with NAT configured, 217

service anomaly, 23

WIPS configuration, 194, 218

wireless attack detection, 194

device

802.11r configuration, 313

802.1X authentication initiation, 161

802.1X authentication process, 161

AP creation (manual), 5

AP group configuration, 46

AP management, 1, 4, 25

auto AP configuration, 41

CAPWAP tunnel establishment (DHCP), 25

CAPWAP tunnel establishment (DHCPv6), 31

CAPWAP tunnel establishment (DNS), 36

inter-AC roaming, 255

intra-AC roaming, 252

IP snooping client IPv4 address learning, 419

IP snooping client IPv6 address learning, 419

IP snooping configuration, 419

MAC authentication, 165

MAC authentication (RADIUS-based), 188

mobility group, 251

mobility group member, 250

over-the-air FT and 802.1X authentication, 324

over-the-air FT and PSK authentication, 317

over-the-DS FT and 802.1X authentication, 320

over-the-DS FT and PSK authentication, 313

radio 802.11n configuration, 96

radio basic configuration, 62, 92

radio management configuration, 49, 59, 92

radio resource measurement, 278

WIPS configuration, 194, 218

wireless location configuration, 328, 328

wireless location device type, 333

wireless location monitored port, 331

WLAN 802.1X CHAP local authentication configuration, 181

WLAN 802.1X EAP-PEAP authentication configuration, 183

WLAN authentication 802.1X authentication failures, 174

WLAN authentication configuration, 169

WLAN authentication MAC authentication failures, 174

WLAN authentication parameter configuration (global), 170

WLAN authentication parameters, 173

WLAN authentication server authorization information, 175

WLAN Hotspot 2.0 configuration, 377

WLAN resource measurement, 281

WLAN roaming, 252

device classification

WIPS, 211

device entry attack

device entry attack detection, 199

device entry attack detection

WIPS, 206

DFS

WLAN RRM, 381

WLAN RRM configuration, 384

WLAN RRM DFS trigger parameter, 385

WLAN RRM on-demand DFS configuration, 389

WLAN RRM periodic auto-DFS configuration, 385, 399

WLAN RRM scheduled auto-DFS configuration, 386, 401

DGAF

Hotspot 2.0 DGAF feature disable, 354

DHCP

CAPWAP tunnel establishment (DHCP), 25

diluting

wireless location packet dilution, 337

disabling

AP USB interfaces (in AP group's AP model view), 17

AP USB interfaces (in AP view), 17

Hotspot 2.0 DGAF feature, 354

radio (in AP group radio view), 61

radio (in AP radio view), 61

radio (in system view), 61

WLAN access AP broadcast probe request response (in AP group view), 112

WLAN access AP broadcast probe request response (in AP view), 112

WLAN IP snooping ARP packets, 420

WLAN IP snooping ND packets, 420

discovering

AC unicast discovery request response enable, 7

CAPWAP AC discovery, 1

discovery

AP AC rediscovery, 3, 7

IPv6 preference for AC rediscovery, 7

displaying

AP management, 24

AP management information, 24

cloud connection, 416

CM tunnel, 413

Hotspot 2.0, 357

IoT APs, 410

radio management, 92

WIPS, 217

wireless location, 343

WLAN access, 123

WLAN authentication, 181

WLAN fast forwarding, 422

WLAN high availability AP load balancing, 301

WLAN load balancing, 265

WLAN probe, 427

WLAN process maintenance, 431

WLAN QoS WMM, 238

WLAN radio resource measurement, 281

WLAN roaming, 252

WLAN RRM, 399

WLAN security, 141

distance

radio transmission distance max set, 69

DNS

CAPWAP tunnel establishment (DHCPv6), 31

CAPWAP tunnel establishment (DNS), 36

domain

802.1X supported domain name delimiters, 170

802.1X WLAN service template authentication domain, 177

Hotspot 2.0 domain name, 352

MAC authentication (global), 172

MAC authentication (service-specific), 179

Downstream Group-Addressed Forwarding. Use DGAF

DTIM

radio DTIM interval set, 70

dual-link

WLAN high availability AP connection priority, 295

WLAN high availability backup AC, 295

WLAN high availability dual-link backup, 294, 294

dynamic

frequency selection. See DFS

E

EAP

802.1X EAP mode, 173

802.1X EAP relay enable, 170

802.1X EAP termination enable, 170

802.1X relay authentication, 161

802.1X relay termination, 163

echo

AP AC rediscovery, 3, 7

EDCA

WLAN QoS WMM EDCA parameters, 229

enabling

802.1X EAP relay, 170

802.1X EAP termination, 170

802.1X periodic online user reauthentication, 178

AC unicast discovery request response enable, 7

AP USB interfaces (in AP group's AP model view), 17

AP USB interfaces (in AP view), 17

dynamic WEP mechanism, 141

fast learning of client association entries, 216

IoT AP module (for AP group), 406

IoT AP module (for AP), 406

mobility group, 251

radio (in AP group radio view), 61

radio (in AP radio view), 61

radio (in system view), 61

radio resource measurement, 278

real-time reporting of wireless device information to the UDP server, 425

service anomaly detection, 23

SNMP notifications, 22, 141

unassociated client detection, 216

wireless location (RF fingerprinting)(in AP group view), 329

wireless location (RF fingerprinting)(in AP view), 329

wireless location (RF fingerprinting)(in global configuration view), 330

wireless location AP frame ignore (in AP group view), 339

wireless location AP frame ignore (in AP view), 338

wireless location AP frame ignore (in global configuration view), 339

wireless location beacon frame ignore (in AP group view), 338

wireless location beacon frame ignore (in AP view), 338

wireless location beacon frame ignore (in global configuration view), 338

wireless radio-based location (in AP group view), 330

wireless radio-based location (in AP view), 330

WLAN access client association at AC,AP, 108

WLAN access client traffic forwarding, 109

WLAN access service template, 110

WLAN access service template quick association, 109

WLAN access SNMP notification, 122

WLAN access specific-format client log generation, 122

WLAN authentication authorization-fail-offline, 175

WLAN band navigation for AP, 291

WLAN band navigation globally, 291

WLAN IP snooping HTTP request redirected to portal server, 420

WLAN IPS, 203

WLAN load balancing, 263

WLAN load balancing SNMP notifications, 265

WLAN location SNMP notification, 343

WLAN mobility group tunnel isolation, 251

WLAN probe, 424

WLAN process maintenance, 430

WLAN roaming SNMP notifications, 251

WLAN RRM radio scanning (in AP group RRM view), 398

WLAN RRM radio scanning (in RRM view), 398

WLAN RRM SNMP notification, 399

WLAN RRM spectrum management, 393

WLAN RRM spectrum management (in AP group radio view), 394

WLAN RRM spectrum management (in AP radio view), 393

WMM, 231

enabling spectrum management

WLAN RRM spectrum management configuration, 393

encapsulating

Hotspot 2.0 GAS frame exchange, 347

wireless location location packet format, 335

wireless location report mode for location packet, 336

WLAN access client data frame encapsulation format, 109

energy

radio 802.11n energy saving configuration, 85

Enhanced Distributed Channel Access. Use EDCA

error

WLAN RRM DFS error code rate, 381

establishing

CAPWAP tunnel, 2

CAPWAP tunnel (DHCP), 25

CAPWAP tunnel (DHCPv6), 31

CAPWAP tunnel (DNS), 36

F

fat AP

scanning all channels, 287

file

AP file management, 17

WLAN access configuration file on AP, 120

file system

AP file management, 17

filtering

wireless location RSSI-based packet filtering, 339

firmware

802.11r, 312

IoT AP automatic module firmware upgrade, 408

fit AP

WLAN IP snooping configuration, 421

flood

flood attack detection, 194

flood attack detection

WIPS, 204

format

MAC authentication user account, 172

WLAN access client data frame encapsulation format, 109

forwarding

WLAN access client traffic forwarder, 108

WLAN access client traffic forwarding, 109

WLAN access forwarding policy, 116

WLAN access forwarding policy application to service template, 117

WLAN access policy-based forwarding, 116

WLAN access user profile forwarding policy, 117

fragment

maximum CAPWAP fragment size, 12

fragmenting

radio fragmentation threshold, 75

frame

Hotspot 2.0 GAS frame exchange, 347

Hotspot 2.0 GAS frame management, 354

Hotspot 2.0 online signup, 348

radio beacon frame interval set, 70

wireless location AP frame ignore, 338

WLAN access client data frame encapsulation format, 109

G

gain

radio antenna gain set, 65

GAS

Hotspot 2.0 GAS frame exchange, 347

Hotspot 2.0 GAS frame management, 354

Generic Advertisement Service. Use GAS

global

AP firmware version upgrade (in global configuration view), 9

group

AP group configuration, 18

WLAN client access control (AP group-based), 102

WLAN mobility group creation, 249

WLAN mobility group tunnel isolation enable, 251

GTK

WLAN security GTK update, 139

guard interval (GI)

radio 802.11n short GI configuration, 79

H

handshaking

WLAN 802.1X online user handshake, 176

HESSID

Hotspot 2.0, 351

high availability

WLAN AP connection priority, 295

WLAN AP load balancing, 298, 298, 301

WLAN AP load balancing display, 301

WLAN backup AC, 295

WLAN dual link backup, 294, 294

WLAN master CAPWAP tunnel preemption configuration, 295

homogeneous ESS identifier. Use HESSID

honeypot AP

honeypot AP detection, 198

Hotspot 2.0

3GPP information configuration, 350

access network type, 351

AP venue information, 355

binding OSU server to a Hotspot 2.0 policy, 357

configuration, 346, 349, 358

configuration (iPhone application), 358

configuration (Samsung application), 369

configuration restrictions (iPhone application), 358

configuration restrictions (Samsung application), 369

DGAF feature disable, 354

display, 357

domain name, 352

GAS frame exchange, 347

GAS frame management, 354

HESSID set, 351

IP address availability, 352

IP protocol port status, 353

NAI realm authentication type, 353

network authentication type, 351

online signup, 348

operation, 346

organization identifier (OI), 352

OSU server, 356

OSU server icons, 357

policy configuration, 350

policy+service template bind, 355

protocols and standards, 349

service provider information, 353

SSID for online signup services, 356

WAN link status parameters, 354

hotspot attack

hotspot attack detection, 198

HT-greenfield AP

HT-greenfield AP detection, 198

I

IACTP

inter-AC roaming, 255

intra-AC roaming, 252

WLAN roaming, 252

WLAN roaming configuration, 247

identifier

Hotspot 2.0 organization identifier (OI), 352

ignoring

wireless location AP frame ignore, 338

WLAN authentication 802.1X authentication failures, 174

WLAN authentication MAC authentication failures, 174

WLAN authentication server authorization information, 175

index

radio 802.11n MCS index set, 81

radio MCS, 51

radio VHT-MCS, 54

information

WLAN security information element, 137

information center

WLAN access specific-format client log generation, 122

initiating

802.1X authentication, 161

Inter-AC Tunneling Protocol. See IACTP

interface

AP USB interfaces, 16

interference

radio ANI configuration, 72

WLAN RRM DFS, 381

Internet

of Things. Use IoT

interval

AP statistics report interval, 14

radio beacon frame interval set, 70

radio DTIM interval set, 70

intrusion protection

WLAN authentication, 166

WLAN authentication service-stop mode, 176

WLAN authentication temporary-block mode, 176

WLAN authentication temporary-service-stop mode, 176

IoT AP

automatic module firmware upgrade, 408

BLE iBeacon transmission, 409

configuration, 405

module enable, 406

module enable (for AP group), 406

module enable (for AP), 406

module factory setting restore, 409

module firmware manual upgrade, 409

module firmware upgrade, 408

module restart, 409

module transmit power level, 407

supported module type, 406

supported module type (for AP group), 407

supported module type (for AP), 407

IP

Hotspot 2.0 IP protocol port status, 353

IP addressing

Hotspot 2.0 IP address availability, 352

wireless location server IPv4 address+port number, 330

IP snooping

client IPv4 address learning, 419

client IPv6 address learning, 419

configuration, 419

iPhone

Hotspot 2.0 configuration (iPhone application), 358

IPS

WLAN, 194, 218

IPv4

wireless location server IPv4 address+port number, 330

WLAN radio resource measurement configuration, 276

WLAN roaming configuration, 247

IPv6

WLAN radio resource measurement configuration, 276

WLAN roaming configuration, 247

ISP

Hotspot 2.0 service provider information, 353

K

KDF

WLAN security KDF set, 138

keepalive

AP control tunnel keepalive time, 11

AP data tunnel keepalive time, 12

wireless location keepalive, 342

WLAN client keepalive configuration, 113

key

WLAN security 802.1X AKM configuration, 148

WLAN security GTK update, 139

WLAN security KDF set, 138

WLAN security private PSK+MAC authentication configuration, 157

WLAN security PSK set, 138

WLAN security PSK+MAC authentication configuration, 146

WLAN security PTK lifetime, 139

WLAN security RSNA mechanism (key management), 129

WLAN security RSNA mechanism (key management-EAPOL-Key packet), 130

WLAN security RSNA mechanism (key management-key updates), 133

WLAN security RSNA mechanism (key management-PTK, GTK), 130

WLAN security RSNA mechanism (key management-RSN key negotiation), 133

WLAN security RSNA mechanism (key management-WPA key negotiation), 132

WLAN security shared key authentication, 128

WLAN security WEP key, 140

L

LDPC

radio 802.11n LDPC configuration, 79

lighting mode

LED lighting mode set, 24

limiting

wireless location client packet rate limit, 340

wireless location packet rate limiting, 341

link

Hotspot 2.0 WAN link status parameters, 354

WLAN high availability dual-link backup, 294, 294

load

WLAN high availability AP load balancing, 298, 298, 301

load balancing

WLAN band navigation, 291

WLAN bandwidth-mode configuration, 268, 273

WLAN bandwidth-mode load balancing, 261

WLAN configuration, 260

WLAN configuration (for a load balancing group), 270

WLAN configuration (for radios), 265

WLAN high availability AP load balancing, 298, 298, 301

WLAN load balancing group based load balancing, 262

WLAN radio based load balancing, 262

WLAN session-mode configuration, 265, 270

WLAN session-mode load balancing, 261

WLAN traffic-mode configuration, 267, 272

WLAN traffic-mode load balancing, 261

load balancing group

WLAN load balancing group based load balancing, 262

local

MAC authentication, 165

WLAN 802.1X CHAP local authentication configuration, 181

locating

wireless location client packet rate limit, 340

wireless location configuration, 328, 328

wireless location device type, 333

wireless location keepalive, 342

wireless location location packet format, 335

wireless location packet rate limiting, 341

wireless location report mode for location packet, 336

locking

radio power lock configuration, 66

Low-Density Parity Check. Use LDPC

M

MAC

Protocol Data Unit. Use MPDU

Service Data Unit. Use MSDU

WLAN authentication configuration, 169, 169, 181

MAC addressing

MAC authentication (RADIUS-based), 188

wireless location multicast MAC address for Tag, 332

MAC authentication

domain specification (global), 172

domain specification (service-specific), 179

local authentication, 165

RADIUS-based, 165, 188

server timeout timer, 173

user account format, 172

user account policies, 164

WLAN authentication, 164

WLAN authentication accounting-start trigger, 179

WLAN authentication accounting-update trigger, 180

WLAN authentication authenticator, 174

WLAN authentication mode, 165, 173

WLAN security private PSK+MAC authentication configuration, 157

WLAN security PSK+MAC authentication configuration, 146

WLAN service template clients max, 178

maintaining

AP management, 24

IoT APs, 410

WIPS, 217

WLAN access, 123

WLAN authentication, 181

WLAN load balancing, 265

WLAN probe, 427

WLAN QoS WMM, 238

WLAN radio resource measurement, 281

WLAN roaming, 252

maintenance

WLAN process maintenance, 430, 430

malformed packet

malformed packet detection, 195

malformed packet detection

WIPS, 205

managing

AP, 1, 4, 25

AP files, 17

auto AP, 5

Hotspot 2.0 GAS frames, 354

OSU server icons, 357

WLAN RRM radio baseline, 397

WLAN RRM spectrum, 383

mapping

radio MCS, 51

radio VHT-MCS, 54

maximum number of hardware retransmissions

setting, 76

MCS

radio, 51

radio 802.11n MCS index set, 81

radio VHT-MCS, 54

measurement

on-demand channel usage measurement, 76

mechanism

WLAN Inter-AC, 247

WLAN Inter-peer-group, 247

WLAN Intra-AC, 247

WLAN Intra-peer-group, 247

memory

memory usage threshold, 431

method

AP configuration method, 3

MIC

WLAN security TKIP MIC failure hold time, 140

MIMO

radio 802.11n MIMO mode, 84

MITM attack

MITM attack detection, 198

mobile service, 1, 49, 169, 310, See also wireless

802.11r configuration, 313

AP AC connection priority, 6

AP AC rediscovery, 3, 7

AP control tunnel keepalive time, 11

AP data tunnel keepalive time, 12

AP group configuration, 46

AP management, 1, 4, 25

AP USB interfaces, 16

authentication mode for IACTP control messages, 249

auto AP configuration, 41

bandwidth guaranteeing, 243

CAPWAP tunnel establishment (DHCP), 25

CAPWAP tunnel establishment (DHCPv6), 31

CAPWAP tunnel establishment (DNS), 36

client rate limiting, 245

dynamic WEP mechanism configuration, 154

inter-AC roaming, 255

intra-AC roaming, 252

IoT AP configuration, 405

IP address type for IACTP tunnels, 250

IP snooping client IPv4 address learning, 419

IP snooping client IPv6 address learning, 419

IP snooping configuration, 419

IPv6 preference for AC rediscovery, 7

management frame protection configuration, 151

mobility group, 251

mobility group member, 250

over-the-air FT and 802.1X authentication, 324

over-the-air FT and PSK authentication, 317

over-the-DS FT and 802.1X authentication, 320

over-the-DS FT and PSK authentication, 313

PSK authentication and bypass authentication configuration, 144

radio management configuration, 49, 59, 92

shared key authentication configuration, 142

source IP address for establishing IACTP tunnels, 250

SVP mapping, 241

traffic differentiation, 242

WLAN 802.11r configuration, 310

WLAN absolute forwarding preferred configuration, 288

WLAN access blacklist configuration (static)(on AC), 126

WLAN access configuration, 100, 105, 124

WLAN access whitelist configuration, 126

WLAN authentication configuration, 169, 169, 181

WLAN authentication overview, 160

WLAN bandwidth-mode load balancing configuration, 268, 273

WLAN channel scanning configuration, 284

WLAN channel scanning configuration (on an AC), 288

WLAN dual-link backup mode configuration, 296

WLAN fast forwarding configuration, 422

WLAN Hotspot 2.0 configuration, 377

WLAN IP snooping configuration, 419, 421

WLAN load balancing configuration, 260

WLAN load balancing configuration (for a load balancing group), 270

WLAN load balancing configuration (for radios), 265

WLAN mobility group creation, 249

WLAN probe configuration, 423, 423, 427, 427

WLAN process maintenance, 430

WLAN QoS CAC configuration, 240

WLAN QoS configuration, 229, 239

WLAN QoS WMM configuration, 239

WLAN radio resource measurement, 277

WLAN radio resource measurement configuration, 276

WLAN relative forwarding preferred configuration, 288

WLAN roaming, 252

WLAN roaming configuration, 247

WLAN RRM configuration, 381, 384, 399

WLAN RRM periodic auto-DFS configuration, 399

WLAN RRM periodic auto-TPC configuration, 402

WLAN RRM scheduled auto-DFS configuration, 401

WLAN security 802.1X AKM configuration, 148

WLAN security configuration, 128, 136, 142

WLAN security private PSK+MAC authentication configuration, 157

WLAN security PSK+MAC authentication configuration, 146

WLAN session-mode load balancing configuration, 265, 270

WLAN traffic-mode load balancing configuration, 267, 272

WLAN uplink detection configuration, 303

mode

radio 802.11a, 49

radio 802.11ac, 49

radio 802.11ac bandwidth mode set, 88

radio 802.11b, 49

radio 802.11g, 49

radio 802.11n, 49

radio 802.11n bandwidth mode set, 83

radio 802.11n MIMO, 84

radio AP collision avoidance CTS-to-self, 73

radio AP collision avoidance RTS/CTS, 73

WLAN authentication, 165, 173

WLAN authentication intrusion protection service-stop mode, 176

WLAN authentication intrusion protection temporary-block mode, 176

WLAN authentication intrusion protection temporary-service-stop mode, 176

WLAN bandwidth-mode load balancing, 261

WLAN bandwidth-mode load balancing configuration, 268, 273

WLAN RRM channel capability match mode, 397

WLAN RRM channel switch mode set, 395

WLAN RRM transmit power capability match mode, 396

WLAN security AKM configuration, 137

WLAN security GTK update offline-triggered, 139

WLAN security GTK update packet-based, 139

WLAN security GTK update time-based, 139

WLAN session-mode load balancing, 261

WLAN session-mode load balancing configuration, 265, 270

WLAN traffic-mode load balancing, 261

WLAN traffic-mode load balancing configuration, 267, 272

Modulation and Coding Scheme. Use MCS

module

AP IoT module serial number, 405

BLE iBeacon transmission, 409

iBeacon transmission (AP group module view), 410

iBeacon transmission (module view), 410

IoT AP automatic module firmware upgrade, 408

IoT AP configuration, 405

IoT AP enable, 406

IoT AP enable (for AP group), 406

IoT AP enable (for AP), 406

IoT AP module factory setting restore, 409

IoT AP module firmware upgrade, 408

IoT AP module restart, 409

IoT AP module transmit power level, 407

IoT AP supported module type, 406

IoT AP supported module type (for AP group), 407

IoT AP supported module type (for AP), 407

module firmware manual upgrade, 409

MPDU

aggregation, 50, See also A-MPDU

radio 802.11n A-MPDU aggregation method, 78

radio aggregation, 50

MSDU

aggregation, 50, See also A-MSDU

radio 802.11n A-MSDU aggregation method, 78

radio aggregation, 50

multicast

radio 802.11ac NSS set, 86

Multiple-Input and Multiple-Output. Use MIMO

N

NAI

Hotspot 2.0 NAI realm authentication type, 353

naming

Hotspot 2.0 domain name, 352

NAS

WLAN access NAS-ID, 114

network

802.1X authentication, 161

802.1X authentication process, 161

802.1X authentication request attempts max, 171

802.1X authentication server timer, 171

802.1X EAP relay authentication, 161

802.1X EAP relay enable, 170

802.1X EAP termination, 163

802.1X EAP termination enable, 170

802.1X periodic online user reauthentication, 178

802.1X WLAN service template clients max, 177

AC unicast discovery request response enable, 7

active AC number set, 300

AP AC connection priority, 6

AP AC rediscovery, 3, 7

AP control tunnel keepalive time, 11

AP data tunnel keepalive time, 12

AP file management, 17

AP group configuration, 18, 46

AP group creation, 18

AP preprovisioned settings assignment, 20

AP preprovisioned settings auto assignment, 21

AP USB interfaces, 16

APDB, 3

APDB hardware-software version mapping, 10

authentication mode for IACTP control messages, 249

auto AP configuration, 41

auto AP management, 5

binding OSU server to a Hotspot 2.0 policy, 357

CAPWAP tunnel establishment (DHCP), 25

CAPWAP tunnel establishment (DHCPv6), 31

CAPWAP tunnel establishment (DNS), 36

CAPWAP tunnel latency detection, 11

cloud connection configuration, 416

CM tunnel configuration, 413

configuring AP provision, 19

configuring network settings for AP, 19

configuring network settings for AP group, 20

continuous mode enabling, 77

default power level configuration, 15

detecting clients with NAT configured, 217

dynamic WEP mechanism, 141

enabling fast learning of client association entries, 216

European channel gap for auto channel selection, 63

Hotspot 2.0 3GPP information configuration, 350

Hotspot 2.0 access network type, 351

Hotspot 2.0 AP venue information, 355

Hotspot 2.0 configuration (iPhone application), 358

Hotspot 2.0 configuration (Samsung application), 369

Hotspot 2.0 DGAF feature disable, 354

Hotspot 2.0 domain name, 352

Hotspot 2.0 GAS frame exchange, 347

Hotspot 2.0 GAS frame management, 354

Hotspot 2.0 HESSID set, 351

Hotspot 2.0 IP address availability, 352

Hotspot 2.0 IP protocol port status, 353

Hotspot 2.0 NAI realm authentication type, 353

Hotspot 2.0 network authentication type, 351

Hotspot 2.0 organization identifier (OI), 352

Hotspot 2.0 policy configuration, 350

Hotspot 2.0 policy+service template bind, 355

Hotspot 2.0 service provider information, 353

Hotspot 2.0 WAN link status parameters, 354

inter-AC roaming, 255

intra-AC roaming, 252

IoT AP automatic module firmware upgrade, 408

IoT AP module enable, 406

IoT AP module factory setting restore, 409

IoT AP module firmware upgrade, 408

IoT AP module restart, 409

IoT AP module transmit power level, 407

IoT AP supported module type, 406

IP address type for IACTP tunnels, 250

IPv6 preference for AC rediscovery, 7

load balancing threshold+gap threshold, 301

MAC authentication (RADIUS-based), 188

MAC authentication domain (global), 172

MAC authentication domain (service-specific), 179

MAC authentication methods, 165

MAC authentication server timeout timer, 173

MAC authentication user account format, 172

MAC authentication WLAN service template clients max, 178

management frame protection, 140

match mode for client radio resource measurement capabilities, 280

maximum CAPWAP fragment size, 12

memory usage threshold, 431

on-demand channel usage measurement, 76

OSU server, 356

OSU server icons management, 357

preferred AP image file location, 10

preprovisioned setting auto loading configure, 21

process maximum inactive timeout, 430

radio 802.11ac bandwidth mode set, 88

radio 802.11ac configuration, 86

radio 802.11ac NSS set, 86

radio 802.11g protection configuration, 74

radio 802.11n A-MPDU aggregation method, 78

radio 802.11n A-MSDU aggregation method, 78

radio 802.11n bandwidth mode set, 83

radio 802.11n configuration, 77, 96

radio 802.11n energy saving configuration, 85

radio 802.11n LDPC configuration, 79

radio 802.11n MCS index set, 81

radio 802.11n MIMO mode, 84

radio 802.11n protection configuration, 85

radio 802.11n short GI configuration, 79

radio 802.11n STBC configuration, 80

radio ANI configuration, 72

radio antenna gain set, 65

radio antenna type set, 64

radio AP collision avoidance mode, 73

radio basic configuration, 62, 92

radio beacon frame interval set, 70

radio channel selection blacklist/whitelist, 64

radio client-AP association max set, 71

radio disable, 61

radio DTIM interval set, 70

radio enable, 61

radio fragmentation threshold, 75

radio MCS, 51

radio power lock configuration, 66

radio preamble type set, 68

radio resource measurement duration and interval, 279

radio RTS threshold set, 74

radio transmission distance max set, 69

radio transmission rate set, 67

radio transmit power, 50

radio transmit power max set, 66

radio VHT-MCS, 54

radio working channel specify, 62

remote AP configuration, 14

renaming manual AP, 17

saving network settings, 21

service anomaly detection, 23

SNMP gets ND-learned client IPv6 address disable, 420

SNMP notifications, 141

source IP address for establishing IACTP tunnels, 250

SSID for online signup services, 356

WIPS, 203

wireless location AP frame ignore, 338

wireless location beacon frame ignore, 338

wireless location client packet rate limit, 340

wireless location configuration, 329

wireless location device type, 333

wireless location enable (RF fingerprinting), 329

wireless location keepalive, 342

wireless location location packet format, 335

wireless location monitored port, 331

wireless location MU information reporting, 334

wireless location multicast MAC address for Tag, 332

wireless location operation, 328

wireless location packet dilution, 337

wireless location packet rate limiting, 341

wireless location raw frame reporting, 333

wireless location report mode for location packet, 336

wireless location RSSI-based packet filtering, 339

wireless location server IPv4 address+port number, 330

wireless location system, 328

wireless radio-based location enable, 330

WLAN 802.11r overview, 310

WLAN 802.1X CHAP local authentication configuration, 181

WLAN 802.1X EAP-PEAP authentication configuration, 183

WLAN 802.1X online user handshake, 176

WLAN access blacklist configuration (static)(on AC), 126

WLAN access SNMP notification, 122

WLAN access specific-format client log generation, 122

WLAN access Web server, 122

WLAN access whitelist configuration, 126

WLAN AP reset, 17

WLAN authentication accounting-start trigger, 179

WLAN authentication accounting-update trigger, 180

WLAN authentication application scenarios, 160

WLAN authentication authenticator, 174

WLAN authentication intrusion protection, 176

WLAN authentication mode, 165, 173

WLAN authentication parameter configuration (global), 170

WLAN authentication parameters, 173

WLAN authentication security authorization-fail-offline, 175

WLAN authentication VLAN authorization, 166

WLAN Auth-Fail VLAN, 167, 175

WLAN band navigation, 290, 292

WLAN fast forwarding configuring, 422

WLAN high availability AP connection priority, 295

WLAN high availability AP load balancing, 298, 301

WLAN high availability backup AC, 295

WLAN high availability dual-link backup, 294, 294

WLAN high availability master CAPWAP tunnel preemption configuration, 295

WLAN high availability uplink detection association with track entry, 303

WLAN IP snooping ARP packet snooping disable, 420

WLAN IP snooping HTTP request redirected to portal server, 420

WLAN IP snooping ND packet snooping disable, 420

WLAN location SNMP notification, 343

WLAN mobility group creation, 249

WLAN mobility group tunnel isolation enable, 251

WLAN process maintenance, 430

WLAN RRM channel capability match mode, 397

WLAN RRM channel switch mode set, 395

WLAN RRM holddown group, 389, 393

WLAN RRM on-demand TPC, 393

WLAN RRM periodic auto-DFS configuration, 399

WLAN RRM periodic auto-TPC, 392

WLAN RRM periodic auto-TPC configuration, 402

WLAN RRM radio baseline, 397

WLAN RRM radio scanning enable, 398

WLAN RRM scheduled auto-DFS configuration, 401

WLAN RRM SNMP notification enable, 399

WLAN RRM spectrum management, 383

WLAN RRM spectrum management power constraint mode, 394

WLAN RRM TPC, 382

WLAN RRM TPC configuration, 389

WLAN RRM TPC min transmit power, 391

WLAN RRM TPC mode configuration, 390

WLAN RRM TPC trigger parameters, 390

WLAN RRM transmit power capability match mode, 396

WLAN security AKM mode configuration, 137

WLAN security cipher suite, 138

WLAN security dynamic WEP mechanism, 135

WLAN security GTK update, 139

WLAN security information element, 137

WLAN security KDF set, 138

WLAN security management frame protection, 134

WLAN security open system authentication, 128

WLAN security PSK set, 138

WLAN security PTK lifetime, 139

WLAN security RSNA mechanism, 129

WLAN security RSNA mechanism (authentication), 129

WLAN security RSNA mechanism (cipher suite), 134

WLAN security RSNA mechanism (key management), 129

WLAN security shared key authentication, 128

WLAN security TKIP MIC failure hold time, 140

WLAN security WEP key, 140

WLAN VLAN manipulation, 166

network management

802.11r configuration, 313

802.11r operation, 310

AP management, 1, 4, 25

bandwidth guaranteeing, 243

CCMP, 134

client rate limiting, 245

cloud connection configuration, 415, 417

CM tunnel configuration, 412, 413

dynamic WEP mechanism, 154

Hotspot 2.0 configuration, 346, 349, 358

Hotspot 2.0 operation, 346

IoT AP configuration, 405, 405

IP snooping client IPv4 address learning, 419

IP snooping client IPv6 address learning, 419

IP snooping configuration, 419

management frame protection configuration, 151

over-the-air FT and 802.1X authentication, 324

over-the-air FT and PSK authentication, 317

over-the-DS FT and 802.1X authentication, 320

over-the-DS FT and PSK authentication, 313

Pre-RSNA mechanism, 128

PSK authentication and bypass authentication configuration, 144

radio management configuration, 49, 59, 92

shared key authentication configuration, 142

SVP mapping, 241

TCP MSS, 13

TKIP, 134

traffic differentiation, 242

WIPS configuration, 194, 218

wireless location configuration, 328, 328

WLAN 802.11h measurement, 276

WLAN 802.11k measurement, 276

WLAN 802.11r configuration, 310

WLAN absolute forwarding preferred configuration, 288

WLAN access configuration, 100, 105, 124

WLAN authentication configuration, 169, 169, 181

WLAN bandwidth-mode load balancing configuration, 268, 273

WLAN channel scanning configuration, 284

WLAN channel scanning configuration (on an AC), 288

WLAN dual-link backup mode configuration, 296

WLAN fast forwarding configuration, 422

WLAN Hotspot 2.0 configuration, 377

WLAN IP snooping configuration, 419, 421

WLAN load balancing configuration, 260

WLAN load balancing configuration (for a load balancing group), 270

WLAN load balancing configuration (for radios), 265

WLAN probe configuration, 423, 423, 427, 427

WLAN process maintenance, 430

WLAN QoS CAC configuration, 240

WLAN QoS configuration, 229, 239

WLAN QoS WMM configuration, 239

WLAN radio resource measurement, 277

WLAN radio resource measurement configuration, 276

WLAN relative forwarding preferred configuration, 288

WLAN resource measurement, 281

WLAN roaming, 252

WLAN roaming configuration, 247

WLAN RRM configuration, 381, 384, 399

WLAN security 802.1X AKM configuration, 148

WLAN security configuration, 128, 136, 142

WLAN security private PSK+MAC authentication configuration, 157

WLAN security PSK+MAC authentication configuration, 146

WLAN session-mode load balancing configuration, 265, 270

WLAN traffic-mode load balancing configuration, 267, 272

WLAN uplink detection configuration, 303

noise

radio ANI configuration, 72

notifying

WLAN access SNMP notification, 122

WLAN access Web server, 122

WLAN location SNMP notification, 343

WLAN RRM SNMP notification enable, 399

NQA

WLAN uplink detection configuration, 303

NSS

radio 802.11ac NSS set, 86

O

OFDM

radio 802.11n short GI configuration, 79

offline

WLAN authentication authorization-fail-offline, 175

WLAN security GTK update (offline-triggered), 139

Omerta attack

Omerta attack detection, 197

online

802.1X periodic online user reauthentication, 178

WLAN 802.1X online user handshake, 176

Online Sign Up. See OSU

open system authentication, 128

OUI

WLAN authentication configuration, 169, 169, 181

WLAN authentication set, 170

OUI authentication

WLAN authentication, 165

P

packet

802.11r configuration, 313

AP group configuration, 46

AP management, 1, 4, 25

auto AP configuration, 41

CAPWAP tunnel establishment (DHCP), 25

CAPWAP tunnel establishment (DHCPv6), 31

CAPWAP tunnel establishment (DNS), 36

inter-AC roaming, 255

intra-AC roaming, 252

over-the-air FT and 802.1X authentication, 324

over-the-air FT and PSK authentication, 317

over-the-DS FT and 802.1X authentication, 320

over-the-DS FT and PSK authentication, 313

radio preamble type set, 68

SVP mapping, 241

traffic differentiation, 242

wireless location beacon frame ignore, 338

wireless location client packet rate limit, 340

wireless location keepalive, 342

wireless location packet dilution, 337

wireless location packet rate limiting, 341

wireless location RSSI-based packet filtering, 339

WLAN 802.11r configuration, 310

WLAN access configuration, 100, 105, 124

WLAN dual-link backup mode configuration, 296

WLAN QoS CAC configuration, 240

WLAN QoS configuration, 229, 239

WLAN QoS WMM configuration, 239

WLAN radio resource measurement, 277

WLAN resource measurement, 281

WLAN roaming, 252

WLAN security GTK update (packet-based), 139

parameter

Hotspot 2.0 WAN link status parameters, 354

WLAN authentication parameter configuration (global), 170

WLAN authentication parameters, 173

WLAN band navigation parameters, 291

WLAN QoS WMM EDCA parameters, 229

WLAN RRM DFS trigger parameter, 385

WLAN RRM TPC trigger parameters, 390

parity

radio 802.11n LDPC configuration, 79

passive

WLAN access scanning process, 101, 346

policy

Hotspot 2.0 access network type, 351

Hotspot 2.0 DGAF feature disable, 354

Hotspot 2.0 domain name, 352

Hotspot 2.0 GAS frame management, 354

Hotspot 2.0 HESSID set, 351

Hotspot 2.0 IP address availability, 352

Hotspot 2.0 IP protocol port status, 353

Hotspot 2.0 NAI realm authentication type, 353

Hotspot 2.0 network authentication type, 351

Hotspot 2.0 organization identifier (OI), 352

Hotspot 2.0 policy configuration, 350

Hotspot 2.0 policy+service template bind, 355

Hotspot 2.0 service provider information, 353

Hotspot 2.0 WAN link status parameters, 354

MAC authentication user account policies, 164

WLAN access forwarding policy, 116

WLAN access forwarding policy application to service template, 117

WLAN access policy-based forwarding, 116

WLAN access user profile forwarding policy, 117

WLAN QoS WMM ACK policy, 230

WLAN QoS WMM CAC admission policies, 230

port

Hotspot 2.0 IP protocol port status, 353

wireless location monitored port, 331

wireless location server IPv4 address+port number, 330

power

European channel gap for auto channel selection, 63

IoT AP module transmit power level, 407

radio 802.11n energy saving configuration, 85

radio power lock configuration, 66

radio transmit power, 50

radio transmit power max set, 66

WLAN QoS WMM U-APSD power-save mechanism, 230

WLAN RRM channel capability match mode, 397

WLAN RRM channel switch mode set, 395

WLAN RRM holddown group, 389, 393

WLAN RRM on-demand TPC, 393

WLAN RRM periodic auto-TPC, 392

WLAN RRM spectrum management power constraint mode, 394

WLAN RRM TPC, 382

WLAN RRM TPC configuration, 389

WLAN RRM TPC min transmit power, 391

WLAN RRM TPC mode configuration, 390

WLAN RRM TPC trigger parameters, 390

WLAN RRM transmit power capability match mode, 396

power level

default power level configuration, 15

power save attack

power save attack detection, 197

prerequisites

WLAN high availability dual-link backup configuration, 294

WLAN load balancing, 260

priority

AP AC connection priority, 6

WLAN high availability AP connection priority, 295

probe

coordinates for sensor, 426

real-time reporting of wireless device information to the UDP server, 425

setting device entry timers, 427

wireless device filtering, 426

WLAN probe configuration, 423, 423, 427, 427

WLAN probe enabling, 424

WLAN probe server specifying, 424

WLAN probe system, 423

WLAN probe wireless device information report to the AC, 425

WLAN probe work mechanism, 423

procedure

adding mobility group member, 250

adding WLAN access client to blacklist (static)(on AC), 119

adding WLAN access client to whitelist, 118

allowing access for only 802.11ac clients, 88

applying WIPS attack detection policy, 209, 212

applying WIPS countermeasure policy, 215

applying WLAN access forwarding policy to service template, 117

applying WLAN access user profile forwarding policy, 117

associating WLAN high availability uplink detection with track entry, 303

binding OSU server to a Hotspot 2.0 policy, 357

binding WLAN access service template > radio (in AP group radio view), 110

binding WLAN access service template > radio (in AP radio view), 110

clearing AP management information, 25

configuration default power level (in AP group's AP model view), 16

configuration default power level (in AP view), 16

configuration remote AP (in AP group view), 15

configuration remote AP (in AP view), 15

configuring 802.11b client access, 71

configuring 802.11b client access (in AP group radio view), 72

configuring 802.11b client access (in AP radio view), 72

configuring 802.11r, 312, 313

configuring access for only 802.11ac clients (in AP group radio view), 88

configuring access for only 802.11ac clients (in AP radio view), 88

configuring access for only 802.11n and 802.11ac clients, 82

configuring access for only 802.11n and 802.11ac clients (in AP group radio view), 83

configuring access for only 802.11n and 802.11ac clients (in AP radio view), 82

configuring alarm-ignored device list, 210

configuring AP AC rediscovery (AP group view), 8

configuring AP AC rediscovery (AP view), 7

configuring AP AC rediscovery (global configuration view), 8

configuring AP AC request retransmission (in AP group view), 14

configuring AP AC request retransmission (in AP view), 13

configuring AP group, 18, 46

configuring AP preprovisioned settings auto assignment, 21

configuring AP preprovisioned settings auto load (for AP group), 22

configuring AP preprovisioned settings auto load (for AP), 21

configuring AP provision, 19

configuring AP software version upgrade (in AP group view), 9

configuring AP software version upgrade (in AP view), 9

configuring AP software version upgrade (in global configuration view), 9

configuring auto AP, 41

configuring bandwidth guaranteeing, 236

configuring bandwidth guaranteeing, 243

configuring CAPWAP tunnel establishment (DHCP), 25

configuring CAPWAP tunnel establishment (DHCPv6), 31

configuring CAPWAP tunnel establishment (DNS), 36

configuring CAPWAP tunnel latency detection, 11

configuring channel scanning blacklist or whitelist configuration, 286

configuring client rate limiting, 237, 245

configuring client rate limiting (client-type-based), 238

configuring client rate limiting (radio-based), 237

configuring client rate limiting (service-template-based), 237

configuring clients to prefer authorization VLAN after roaming, 107

configuring cloud connection, 416

configuring CM tunnel, 413

configuring detection on other attacks, 207

configuring device classification and countermeasures, 218

configuring dynamic WEP mechanism, 154

configuring Hotspot 2.0, 349

configuring Hotspot 2.0 (iPhone application), 358

configuring Hotspot 2.0 (Samsung application), 369

configuring Hotspot 2.0 3GPP information, 350

configuring Hotspot 2.0 AP venue information, 355

configuring Hotspot 2.0 IP address availability, 352

configuring Hotspot 2.0 policy, 350

configuring iBeacon transmission (AP group module view), 410

configuring iBeacon transmission (module view), 410

configuring inter-AC roaming, 255

configuring intra-AC roaming, 252

configuring IoT AP, 405

configuring IoT AP automatic module firmware upgrade (AP group module view), 408

configuring IoT AP automatic module firmware upgrade (module view), 408

configuring IPv6 preference for AC rediscovery, 7

configuring MAC authentication (RADIUS-based), 188

configuring MAC authentication user account format, 172

configuring malformed packet and flood attack detection, 220

configuring management frame protection, 140

configuring management frame protection authentication, 151

configuring network settings for AP, 19

configuring network settings for AP group, 20

configuring OSU server, 356

configuring over-the-air FT and 802.1X authentication, 324

configuring over-the-air FT and PSK authentication, 317

configuring over-the-DS FT and 802.1X authentication, 320

configuring over-the-DS FT and PSK authentication, 313

configuring packet trust type, 235

configuring port priority, 235

configuring preprovisioned setting auto loading, 21

configuring PSK authentication and bypass authentication, 144

configuring radio 802.11ac, 86

configuring radio 802.11ac smart antenna (in AP group radio view), 91

configuring radio 802.11ac smart antenna (in AP radio view), 91

configuring radio 802.11g protection (in AP group radio view), 75

configuring radio 802.11g protection (in AP radio view), 75

configuring radio 802.11n, 77, 96

configuring radio 802.11n energy saving (in AP group radio view), 85

configuring radio 802.11n energy saving (in AP radio view), 85

configuring radio 802.11n LDPC (in AP group radio view), 80

configuring radio 802.11n LDPC (in AP radio view), 80

configuring radio 802.11n protection (in AP group radio view), 86

configuring radio 802.11n protection (in AP radio view), 86

configuring radio 802.11n short GI (in AP group radio view), 79

configuring radio 802.11n short GI (in AP radio view), 79

configuring radio 802.11n STBC (in AP group radio view), 80

configuring radio 802.11n STBC (in AP radio view), 80

configuring radio ANI (in AP group radio view), 72

configuring radio ANI (in AP radio view), 72

configuring radio basics, 62, 92

configuring radio channel selection blacklist/whitelist (in AP group radio view), 64

configuring radio channel selection blacklist/whitelist (in AP radio view), 64

configuring radio management, 59

configuring radio power lock (in AP group radio view), 67

configuring radio power lock (in AP radio view), 66

configuring shared key authentication, 142

configuring signature-based user-defined attack detection, 225

configuring smart antenna, 91

configuring SVP mapping, 235, 241

configuring the WLAN dual-link backup mode, 296

configuring traffic differentiation, 242

configuring TxBF, 90

configuring TxBF (in AP group radio view), 90

configuring TxBF (in AP radio view), 90

configuring uplink client rate limit, 121

configuring uplink detection, 303

configuring user-defined attack detection based on signatures, 209

configuring WIPS attack detection, 204

configuring WIPS attack detection policy, 211

configuring WIPS countermeasure policy, 213

configuring WIPS countermeasures, 213

configuring WIPS detection filtering, 216

configuring WIPS device classification, 211

configuring WIPS device entry attack detection, 206

configuring WIPS flood attack detection, 204

configuring WIPS malformed packet detection, 205

configuring wireless device filtering, 426

configuring wireless location, 328, 343

configuring wireless location client packet rate limit (in AP group view), 340

configuring wireless location client packet rate limit (in AP view), 340

configuring wireless location client packet rate limit (in global configuration view), 341

configuring wireless location keepalive (in AP group view), 342, 342

configuring wireless location keepalive (in global configuration view), 343

configuring wireless location MU information reporting (in AP group view), 334

configuring wireless location MU information reporting (in AP view), 334

configuring wireless location MU information reporting (in global configuration view), 335

configuring wireless location packet dilution (in AP group view), 337

configuring wireless location packet dilution (in AP view), 337

configuring wireless location packet dilution (in global configuration view), 337

configuring wireless location packet rate limiting (in AP group view), 341

configuring wireless location packet rate limiting (in AP view), 341

configuring wireless location packet rate limiting (in global configuration view), 342

configuring wireless location raw frame reporting (in AP group view), 334

configuring wireless location raw frame reporting (in AP view), 333

configuring wireless location raw frame reporting (in global configuration view), 334

configuring wireless location RSSI-based packet filtering (in AP group view), 339

configuring wireless location RSSI-based packet filtering (in AP view), 339

configuring wireless location RSSI-based packet filtering (in global configuration view), 340

configuring WLAN 802.1X CHAP local authentication, 181

configuring WLAN 802.1X EAP-PEAP authentication, 183

configuring WLAN 802.1X online user handshake, 176

configuring WLAN absolute forwarding preferred, 288

configuring WLAN access, 105, 124

configuring WLAN access AP service template inheritance, 114

configuring WLAN access blacklist (dynamic)(on AC), 119

configuring WLAN access blacklist configuration (static)(on AC), 126

configuring WLAN access client keepalive (AP group view), 114

configuring WLAN access client keepalive (AP view), 113

configuring WLAN access forwarding policy, 116

configuring WLAN access policy-based forwarding, 116

configuring WLAN access service template, 106

configuring WLAN access service template description, 106

configuring WLAN access whitelist, 126

configuring WLAN authentication, 169

configuring WLAN authentication accounting-start trigger, 179

configuring WLAN authentication accounting-update trigger, 180

configuring WLAN authentication intrusion protection, 176

configuring WLAN authentication parameters, 173

configuring WLAN authentication parameters (global), 170

configuring WLAN Auth-Fail VLAN, 175

configuring WLAN band navigation, 290, 290, 290, 292

configuring WLAN band navigation load balancing, 291

configuring WLAN band navigation parameters, 291

configuring WLAN bandwidth-mode load balancing, 268, 273

configuring WLAN channel scanning (on an AC), 288

configuring WLAN fast forwarding, 422

configuring WLAN high availability AP load balancing, 301

configuring WLAN high availability dual-link backup, 294

configuring WLAN high availability master CAPWAP tunnel preemption (for AP group), 296

configuring WLAN high availability master CAPWAP tunnel preemption (for AP), 295

configuring WLAN high availability master CAPWAP tunnel preemption (globally), 296

configuring WLAN Hotspot 2.0, 377

configuring WLAN IP snooping, 419, 421

configuring WLAN load balancing (for a load balancing group), 270

configuring WLAN load balancing (for radios), 265

configuring WLAN load balancing group, 264

configuring WLAN load balancing parameters, 264

configuring WLAN probe, 423, 427

configuring WLAN QoS, 239

configuring WLAN QoS CAC, 240

configuring WLAN QoS WMM, 239

configuring WLAN radio resource measurement, 277

configuring WLAN relative forwarding preferred, 288

configuring WLAN resource measurement, 281

configuring WLAN roaming, 252

configuring WLAN RRM, 384, 399

configuring WLAN RRM DFS, 384

configuring WLAN RRM DFS trigger parameters (in AP group RRM view), 385

configuring WLAN RRM DFS trigger parameters (in AP RRM view), 385

configuring WLAN RRM holddown group, 389, 393

configuring WLAN RRM on-demand DFS, 389

configuring WLAN RRM on-demand TPC, 393

configuring WLAN RRM periodic auto-DFS, 399

configuring WLAN RRM periodic auto-DFS (in AP group RRM view), 386

configuring WLAN RRM periodic auto-DFS (in AP RRM view), 385

configuring WLAN RRM periodic auto-TPC, 402

configuring WLAN RRM periodic auto-TPC (in AP group RRM view), 392

configuring WLAN RRM periodic auto-TPC (in AP RRM view), 392

configuring WLAN RRM radio baseline, 397

configuring WLAN RRM scheduled auto-DFS, 401

configuring WLAN RRM scheduled auto-DFS (in AP group RRM view), 387

configuring WLAN RRM scheduled auto-DFS (in AP RRM view), 386

configuring WLAN RRM spectrum management, 393, 403

configuring WLAN RRM spectrum management power constraint mode, 394

configuring WLAN RRM TPC, 389

configuring WLAN RRM TPC trigger parameters (in AP group RRM view), 391

configuring WLAN RRM TPC trigger parameters (in AP RRM view), 391

configuring WLAN security, 136, 142

configuring WLAN security 802.1X AKM, 148

configuring WLAN security AKM mode, 137

configuring WLAN security GTK update, 139

configuring WLAN security private PSK+MAC authentication, 157

configuring WLAN security PSK+MAC authentication, 146

configuring WLAN session-mode load balancing, 265, 270

configuring WLAN traffic-mode load balancing, 267, 272

configuring WMM, 231

creating AP (manual), 5

creating AP group, 18

creating WLAN mobility group, 249

deploying configuration file to AP (in AP group AP model view), 121

deploying configuration file to AP (in AP view), 120

deploying WLAN access configuration file on AP, 120

detecting clients with NAT configured, 217

disabling all radios (in system view), 61

disabling AP USB interfaces (in AP group's AP model view), 17

disabling AP USB interfaces (in AP view), 17

disabling ARP packet snooping, 420

disabling Hotspot 2.0 DGAF feature, 354

disabling ND packet snooping, 420

disabling radio (in AP group radio view), 61

disabling radio (in AP radio view), 61

disabling SNMP gets ND-learned client IPv6 address, 420

disabling WLAN access AP broadcast probe request response (in AP group view), 112

disabling WLAN access AP broadcast probe request response (in AP view), 112

displaying AP management, 24

displaying AP management information, 24

displaying cloud connection, 416

displaying CM tunnel, 413

displaying Hotspot 2.0, 357

displaying IoT APs, 410

displaying radio management, 92

displaying WIPS, 217

displaying wireless location, 343

displaying WLAN access, 123

displaying WLAN authentication, 181

displaying WLAN fast forwarding, 422

displaying WLAN high availability AP load balancing, 301

displaying WLAN load balancing, 265

displaying WLAN probe, 427

displaying WLAN process maintenance, 431

displaying WLAN QoS WMM, 238

displaying WLAN radio resource measurement, 281

displaying WLAN roaming, 252

displaying WLAN RRM, 399

displaying WLAN security, 141

enabling 802.1X EAP relay, 170

enabling 802.1X EAP termination, 170

enabling 802.1X periodic online user reauthentication, 178

enabling AC unicast discovery request response, 7

enabling all radios (in system view), 61

enabling AP USB interfaces (in AP group's AP model view), 17

enabling AP USB interfaces (in AP view), 17

enabling dynamic WEP mechanism, 141

enabling fast learning of client association entries, 216

enabling IoT AP module (for AP group), 406

enabling IoT AP module (for AP), 406

enabling mobility group, 251

enabling radio (in AP group radio view), 61

enabling radio (in AP radio view), 61

enabling radio resource measurement, 278

enabling service anomaly detection, 23

enabling SNMP notifications, 22, 141

enabling snooping HTTP request redirected to portal server, 420

enabling unassociated client detection, 216

enabling WIPS, 203

enabling wireless location (RF fingerprinting)(in AP group view), 329

enabling wireless location (RF fingerprinting)(in AP view), 329

enabling wireless location (RF fingerprinting)(in global configuration view), 330

enabling wireless location AP frame ignore (in AP group view), 339

enabling wireless location AP frame ignore (in AP view), 338

enabling wireless location AP frame ignore (in global configuration view), 339

enabling wireless location beacon frame ignore (in AP group view), 338

enabling wireless location beacon frame ignore (in AP view), 338

enabling wireless location beacon frame ignore (in global configuration view), 338

enabling wireless radio-based location (in AP group view), 330

enabling wireless radio-based location (in AP view), 330

enabling WLAN access client association at AC,AP, 108

enabling WLAN access client traffic forwarder, 109

enabling WLAN access service template, 110

enabling WLAN access service template quick association, 109

enabling WLAN access SNMP notification, 122

enabling WLAN access specific-format client log generation, 122

enabling WLAN authentication authorization-fail-offline, 175

enabling WLAN band navigation for AP, 291

enabling WLAN band navigation globally, 291

enabling WLAN load balancing SNMP notifications, 265

enabling WLAN location SNMP notification, 343

enabling WLAN mobility group tunnel isolation, 251

enabling WLAN probe, 424

enabling WLAN process maintenance, 430

enabling WLAN roaming SNMP notifications, 251

enabling WLAN RRM radio scanning (in AP group RRM view), 398

enabling WLAN RRM radio scanning (in RRM view), 398

enabling WLAN RRM SNMP notification, 399

enabling WLAN RRM spectrum management, 393

enabling WLAN RRM spectrum management (in AP group radio view), 394

enabling WLAN RRM spectrum management (in AP radio view), 393

enabling WMM, 231

establishing CAPWAP tunnel, 2

ignoring WLAN authentication 802.1X authentication failures, 174

ignoring WLAN authentication MAC authentication failures, 174

ignoring WLAN authentication server authorization information, 175

loading APDB user script, 22

maintaining AP management, 24

maintaining IoT APs, 410

maintaining WIPS, 217

maintaining WLAN access, 123

maintaining WLAN authentication, 181

maintaining WLAN load balancing, 265

maintaining WLAN probe, 427

maintaining WLAN QoS WMM, 238

maintaining WLAN radio resource measurement, 281

maintaining WLAN roaming, 252

managing AP, 4

managing AP files, 17

managing auto AP, 5

managing Hotspot 2.0 GAS frames, 354

managing Hotspot 2.0 policy+service template bind, 355

managing OSU server icons, 357

renaming manual AP, 17

reporting real-time wireless device information to the UDP server, 425

reporting wireless device information to the AC, 425

resetting AP, 17

restarting IoT AP module, 409

restoring IoT AP module factory setting, 409

saving network settings, 21

scanning all channels, 287

setting 802.1X authentication request attempts max, 171

setting 802.1X authentication timers, 171

setting 802.1X concurrent WLAN service template clients max, 177

setting AP AC connection priority (in AP view), 6

setting AP control tunnel keepalive time (for AP in AP group view), 12

setting AP control tunnel keepalive time (for AP in AP view), 11

setting AP data tunnel keepalive time (for AP in AP group view), 12

setting AP data tunnel keepalive time (for AP in AP view), 12

setting AP statistics report interval (in AP group view), 14

setting AP statistics report interval (in AP view), 14

setting authentication mode for IACTP control messages, 249

setting channel scanning maximum service period, 285

setting channel scanning period, 285

setting channel scanning service idle timeout, 286

setting coordinates for sensor, 426

setting device entry timers, 427

setting EDCA parameters, 232

setting EDCA parameters of AC-BE or AC-BK queues for clients, 233

setting EDCA parameters of AC-VI or AC-VO queues for clients, 234

setting Hotspot 2.0 access network type, 351

setting Hotspot 2.0 domain name, 352

setting Hotspot 2.0 HESSID, 351

setting Hotspot 2.0 IP protocol port status, 353

setting Hotspot 2.0 service provider information, 353

setting Hotspot 2.0 WAN link status parameters, 354

setting IoT AP module transmit power level (AP group module view), 408

setting IoT AP module transmit power level (module view), 407

setting LED lighting mode, 24

setting load balancing threshold+gap threshold, 301

setting MAC authentication concurrent WLAN service template clients max, 178

setting MAC authentication server timeout timer, 173

setting match mode for client radio resource measurement capabilities, 280

setting maximum CAPWAP fragment size (in AP view), 12

setting maximum CAPWAP fragment size (in group AP view), 13

setting maximum number of hardware retransmissions, 76

setting maximum number of hardware retransmissions (in AP group radio view), 76

setting maximum number of hardware retransmissions (in AP radio view), 76

setting memory usage threshold, 431

setting radio 802.11ac bandwidth mode (in AP group radio view), 89

setting radio 802.11ac bandwidth mode (in AP radio view), 89

setting radio 802.11ac NSS (in AP group radio view), 87

setting radio 802.11ac NSS (in AP radio view), 87

setting radio 802.11n bandwidth mode (in AP group radio view), 84

setting radio 802.11n bandwidth mode (in AP radio view), 83

setting radio 802.11n MCS index (in AP group radio view), 82

setting radio 802.11n MCS index (in AP radio view), 81

setting radio antenna gain (in AP group radio view), 65

setting radio antenna gain (in AP radio view), 65

setting radio antenna type (in AP group radio view), 65

setting radio antenna type (in AP radio view), 64

setting radio beacon frame interval (in AP group radio view), 70

setting radio beacon frame interval (in AP radio view), 70

setting radio client-AP association max (in AP group radio view), 71

setting radio client-AP association max (in AP radio view), 71

setting radio DTIM interval set (in AP group radio view), 71

setting radio DTIM interval set (in AP radio view), 70

setting radio fragmentation threshold (in AP group radio view), 75

setting radio fragmentation threshold (in AP radio view), 75

setting radio preamble type (in AP group radio view), 69

setting radio preamble type (in AP radio view), 68

setting radio resource measurement duration and interval, 279

setting radio RTS threshold (in AP group radio view), 74

setting radio RTS threshold (in AP radio view), 74

setting radio transmission distance max (in AP group radio view), 69

setting radio transmission distance max (in AP radio view), 69

setting radio transmission rate (in AP group radio view), 67

setting radio transmission rate (in AP radio view), 67

setting radio transmit power max (in AP group radio view), 66

setting radio transmit power max (in AP radio view), 66

setting SSID for online signup services, 356

setting TCP MSS, 13

setting WIPS wireless device information report interval, 215

setting WLAN access AP traffic processing, 116

setting WLAN access client data frame encapsulation format, 109

setting WLAN access client idle timeout (in AP group view), 113

setting WLAN access client idle timeout (in AP view), 113

setting WLAN access idle period before client reauthentication, 120

setting WLAN access NAS ID (global), 116

setting WLAN access NAS-ID (AP group view), 115

setting WLAN access NAS-ID (AP view), 115

setting WLAN access SSID, 106

setting WLAN authentication mode, 173

setting WLAN authentication OUI, 170

setting WLAN client cache aging time, 108

setting WLAN load balancing mode, 263

setting WLAN RRM channel capability match mode (on AC in AP group radio view), 397

setting WLAN RRM channel capability match mode (on AC in AP radio view), 397

setting WLAN RRM channel switch mode (in AP group radio view), 395

setting WLAN RRM channel switch mode (in AP radio view), 395

setting WLAN RRM power constraint mode (in AP group radio view), 395

setting WLAN RRM power constraint mode (in AP radio view), 394

setting WLAN RRM TPC min transmit power (in AP group RRM view), 392

setting WLAN RRM TPC min transmit power (in AP RRM view), 391

setting WLAN RRM TPC mode, 390

setting WLAN RRM TPC mode (in AP group RRM view), 390

setting WLAN RRM TPC mode (in AP RRM view), 390

setting WLAN RRM transmit power capability match mode (in AP group radio view), 396

setting WLAN RRM transmit power capability match mode (in AP radio view), 396

setting WLAN security cipher suite, 138

setting WLAN security information element, 137

setting WLAN security KDF, 138

setting WLAN security PSK, 138

setting WLAN security PTK lifetime, 139

setting WLAN security TKIP MIC failure hold time, 140

setting WLAN security WEP key, 140

specifying 802.1X EAP mode, 173

specifying 802.1X supported domain name delimiters, 170

specifying 802.1X WLAN service template authentication domain, 177

specifying AP IoT module serial number, 405

specifying APDB hardware-software version mapping, 10

specifying Hotspot 2.0 NAI realm authentication type, 353

specifying Hotspot 2.0 network authentication type, 351

specifying Hotspot 2.0 organization identifier (OI), 352

specifying IoT AP supported module type (for AP group), 407

specifying IoT AP supported module type (for AP), 407

specifying IP address type for IACTP tunnels, 250

specifying MAC authentication domain (global), 172

specifying MAC authentication domain (service-specific), 179

specifying preferred AP image file location, 10

specifying process maximum inactive timeout, 430

specifying radio 802.11n A-MPDU aggregation method (in AP group radio view), 78

specifying radio 802.11n A-MPDU aggregation method (in AP radio view), 78

specifying radio 802.11n A-MSDU aggregation method (in AP group radio view), 78

specifying radio 802.11n A-MSDU aggregation method (in AP radio view), 78

specifying radio 802.11n MIMO mode (in AP group radio view), 84

specifying radio 802.11n MIMO mode (in AP radio view), 84

specifying radio AP collision avoidance mode (in AP group radio view), 73

specifying radio AP collision avoidance mode (in AP radio view), 73

specifying radio mode (in AP group radio view), 62

specifying radio mode (in AP radio view), 62

specifying radio working channel (in AP group radio view), 63

specifying radio working channel (in AP radio view), 63

specifying source IP address for establishing IACTP tunnels, 250

specifying wireless location device type (in AP group view), 333

specifying wireless location device type (in AP view), 333

specifying wireless location location packet format (in AP group view), 335

specifying wireless location location packet format (in AP view), 335

specifying wireless location location packet format (in global configuration view), 336

specifying wireless location monitored port (in AP group view), 332

specifying wireless location monitored port (in AP view), 331

specifying wireless location monitored port (in global configuration view), 332

specifying wireless location multicast MAC address for Tag (in AP group view), 332

specifying wireless location multicast MAC address for Tag (in AP view), 332

specifying wireless location multicast MAC address for Tag (in global configuration view), 332

specifying wireless location report mode for location packet (in AP group view), 336

specifying wireless location report mode for location packet (in AP view), 336

specifying wireless location report mode for location packet (in global configuration view), 336

specifying wireless location server IPv4 address+port number (in AP group view), 331

specifying wireless location server IPv4 address+port number (in AP view), 331

specifying wireless location server IPv4 address+port number (in global configuration view), 331

specifying WLAN access client traffic forwarder, 108

specifying WLAN access global region code, 112

specifying WLAN access permitted AP group client access, 118

specifying WLAN access permitted SSID client access, 118

specifying WLAN access region code (in AP group view), 111

specifying WLAN access region code (in AP view), 111

specifying WLAN access VLAN allocation method for clients, 107

specifying WLAN access Web server, 122

specifying WLAN authentication authenticator, 174

specifying WLAN high availability AP connection priority, 295

specifying WLAN high availability backup AC, 295

specifying WLAN high availability backup AC (for AP group), 295

specifying WLAN high availability backup AC (for AP), 295

specifying WLAN probe server, 424

WLAN RRM radio scanning enable, 398

proceduring

configuring module firmware manual upgrade, 409

setting active AC number, 300

process

802.1X authentication, 161

authenticating with 802.1X EAP relay, 161

authenticating with 802.1X EAP termination, 163

process maximum inactive timeout, 430

WLAN process maintenance, 430

prohibited channel

prohibited channel detection, 197

protecting

radio 802.11n protection configuration, 85

protocol

802.1X EAP mode, 173

protocols and standards

802.11r, 312

CAPWAP, 4

Hotspot 2.0, 349

Hotspot 2.0 IP protocol port status, 353

WLAN QoS, 231

WLAN QoS WMM, 229

WLAN QoS WMM SVP, 231

provision

AP preprovisioned settings assignment, 20

PSK

WLAN security PSK set, 138

WLAN security RSNA mechanism, 129

WLAN security RSNA mechanism (authentication), 129

WLAN security RSNA mechanism (key management), 129

WLAN security shared key authentication, 128

PTK

WLAN security PTK lifetime, 139

Q

QoS

configuring WMM, 231

enabling WMM, 231

WLAN bandwidth guaranteeing, 243

WLAN client rate limiting, 245

WLAN QoS bandwidth guaranteeing, 231

WLAN QoS CAC configuration, 240

WLAN QoS client rate limiting, 231

WLAN QoS configuration, 229, 239

WLAN QoS WMM configuration, 239

WLAN SVP mapping, 241

WLAN traffic differentiation, 242

R

radio

802.11ac bandwidth mode set, 88

802.11ac configuration, 86

802.11ac NSS set, 86

802.11b client access configuring, 71

802.11g protection configuration, 74

802.11h measurement, 276

802.11k measurement, 276

802.11n A-MPDU aggregation method, 78

802.11n A-MSDU aggregation method, 78

802.11n bandwidth mode set, 83

802.11n configuration, 77, 96

802.11n energy saving configuration, 85

802.11n LDPC configuration, 79

802.11n MCS index set, 81

802.11n MIMO mode, 84

802.11n protection configuration, 85

802.11n short GI configuration, 79

802.11n STBC configuration, 80

allowing access for only 802.11ac clients, 88

ANI configuration, 72

antenna gain set, 65

antenna type set, 64

AP collision avoidance mode, 73

basic configuration, 62, 92

beacon frame interval set, 70

channel, 49

channel selection blacklist/whitelist, 64

client-AP association max set, 71

configuring access for only 802.11n and 802.11ac clients, 82

continuous mode enabling, 77

disable, 61

DTIM interval set, 70

enable, 61

European channel gap for auto channel selection, 63

fragmentation threshold, 75

management configuration, 49, 59, 92

management display, 92

maximum number of hardware retransmissions setting, 76

MCS, 51

mode, 49

mode specify, 62

MPDU aggregation, 50

MSDU aggregation, 50

on-demand channel usage measurement, 76

power lock configuration, 66

preamble type set, 68

radio resource measurement, 278

radio-based location enable, 330

resource management. See WLAN RRM

RTS threshold set, 74

smart antenna configuration, 91

transmission distance max set, 69

transmission rate, 50

transmission rate set, 67

transmit power, 50

transmit power max set, 66

TxBF configuring, 90

VHT-MCS, 54

WLAN access AP broadcast probe request response, 112

WLAN access AP service template inheritance, 114

WLAN access AP traffic processing, 116

WLAN access blacklist (dynamic)(on AC), 119

WLAN access client add to blacklist (static)(on AC), 119

WLAN access client add to whitelist, 118

WLAN access client idle timeout, 113

WLAN access idle period before client reauthentication, 120

WLAN access NAS-ID, 114

WLAN access permitted AP group client access, 118

WLAN access permitted SSID client access, 118

WLAN access service template bind > radio, 110

WLAN band navigation, 290, 292

WLAN client keepalive configuration, 113

WLAN radio based load balancing, 262

WLAN radio resource measurement configuration, 276

WLAN roaming configuration, 247

working channel specify, 62

Radio resource measurement, 276

RADIUS

802.1X EAP relay enable, 170

802.1X EAP termination enable, 170

MAC authentication, 165

MAC authentication (RADIUS-based), 188

WLAN access NAS-ID, 114

rate

radio transmission, 50

radio transmission rate set, 67

rate limiting

wireless location client packet rate limit, 340

wireless location packet rate limiting, 341

WLAN QoS client rate limiting, 231

region

WLAN access region code, 111

renaming

manual AP, 17

reporting

AP statistics report interval, 14

wireless location MU information reporting, 334

wireless location raw frame reporting, 333

Request to Send. Use RTS

requesting

AP AC request retransmission, 13

resetting

AP, 17

restarting

IoT AP module, 409

restoring

IoT AP module factory setting, 409

restrictions

AP group configuration, 18

APDB user script load, 22

Hotspot 2.0 configuration (iPhone application), 358

Hotspot 2.0 configuration (Samsung application), 369

WLAN roaming configuration, 248

retransmitting

AP AC request retransmission, 13

RF fingerprinting

configuration, 329

enable, 329

RFID

wireless location configuration, 328

roaming

Hotspot 2.0 configuration, 346, 349, 358

Hotspot 2.0 configuration (iPhone application), 358

Hotspot 2.0 configuration (Samsung application), 369

mobility group, 251

mobility group member, 250

WLAN configuration restrictions, 248

WLAN mobility group creation, 249

WLAN mobility group tunnel isolation enable, 251

WLAN roaming, 252

WLAN roaming configuration, 247

role

WLAN IRF member role, 298

RSNA

CCMP, 134

TKIP, 134

RSSI

wireless location RSSI-based packet filtering, 339

RTS

radio RTS threshold set, 74

S

Samsung

Hotspot 2.0 configuration (Samsung application), 369

saving

radio 802.11n energy saving configuration, 85

scanning

all channels, 287

WIPS configuration, 194, 218

WLAN access scanning process, 100, 346

scanning all channels, 287

scripting

APDB user script load, 22

security

802.1X authentication, 161

802.1X authentication process, 161

802.1X authentication request attempts max, 171

802.1X authentication server timer, 171

802.1X EAP relay enable, 170

802.1X EAP termination enable, 170

802.1X periodic online user reauthentication, 178

802.1X supported domain name delimiters, 170

802.1X WLAN service template authentication domain, 177

802.1X WLAN service template clients max, 177

dynamic WEP mechanism, 141

dynamic WEP mechanism configuration, 154

MAC authentication (RADIUS-based), 188

MAC authentication domain (global), 172

MAC authentication domain (service-specific), 179

MAC authentication methods, 165

MAC authentication server timeout timer, 173

MAC authentication user account format, 172

MAC authentication user account policies, 164

MAC authentication WLAN service template clients max, 178

management frame protection, 140

SNMP notifications, 141

WIPS, 203

WIPS configuration, 194, 218

WLAN 802.1X CHAP local authentication configuration, 181

WLAN 802.1X EAP-PEAP authentication configuration, 183

WLAN 802.1X online user handshake, 176

WLAN access blacklist configuration (static)(on AC), 126

WLAN access whitelist configuration, 126

WLAN authentication accounting-start trigger, 179

WLAN authentication accounting-update trigger, 180

WLAN authentication intrusion protection, 176

WLAN authentication overview, 160

WLAN authentication parameter configuration (global), 170

WLAN authentication parameters, 173

WLAN authentication VLAN authorization, 166

WLAN Auth-Fail VLAN, 167, 175

WLAN client access control, 102

WLAN client access control (AP group-based), 102

WLAN client access control (blacklist-based), 104

WLAN client access control (SSID-based), 103

WLAN client access control (whitelist-based), 104

WLAN dynamic WEP mechanism, 135

WLAN management frame protection configuration, 151

WLAN security 802.1X AKM configuration, 148

WLAN security AKM mode configuration, 137

WLAN security cipher suite, 138

WLAN security configuration, 128, 136, 142

WLAN security GTK update, 139

WLAN security information element, 137

WLAN security KDF set, 138

WLAN security management frame protection, 134

WLAN security open system authentication, 128

WLAN security private PSK+MAC authentication configuration, 157

WLAN security PSK set, 138

WLAN security PSK+MAC authentication configuration, 146

WLAN security PTK lifetime, 139

WLAN security RSNA mechanism, 129

WLAN security RSNA mechanism (authentication), 129

WLAN security RSNA mechanism (cipher suite), 134

WLAN security RSNA mechanism (key management), 129

WLAN security shared key authentication, 128

WLAN security TKIP MIC failure hold time, 140

WLAN security WEP key, 140

sensor

enabling fast learning of client association entries, 216

server

802.1X authentication server timer, 171

MAC authentication server timeout timer, 173

WLAN authentication authorization information, 175

service

service anomaly detection, 23

service template

WLAN Auth-Fail VLAN, 175

session

WLAN session-mode load balancing, 261

WLAN session-mode load balancing configuration, 265, 270

setting

AP AC connection priority (in AP view), 6

AP control tunnel keepalive time, 11

EDCA parameters, 232

EDCA parameters of AC-BE or AC-BK queues for clients, 233

EDCA parameters of AC-VI or AC-VO queues for clients, 234

Hotspot 2.0 access network type, 351

Hotspot 2.0 domain name, 352

Hotspot 2.0 HESSID, 351

Hotspot 2.0 IP protocol port status, 353

Hotspot 2.0 service provider information, 353

Hotspot 2.0 WAN link status parameters, 354

load balancing threshold+gap threshold, 301

MAC authentication server timeout timer, 173

match mode for client radio resource measurement capabilities, 280

maximum number of hardware retransmissions, 76

maximum number of hardware retransmissions (in AP group radio view), 76

maximum number of hardware retransmissions (in AP radio view), 76

memory usage threshold, 431

radio antenna type (in AP group radio view), 65

radio antenna type (in AP radio view), 64

radio fragmentation threshold (in AP group radio view), 75

radio fragmentation threshold (in AP radio view), 75

radio preamble type (in AP group radio view), 69

radio preamble type (in AP radio view), 68

radio transmission rate (in AP group radio view), 67

radio transmission rate (in AP radio view), 67

WLAN access AP traffic processing, 116

WLAN access client idle timeout (in AP group view), 113

WLAN access client idle timeout (in AP view), 113

WLAN authentication mode, 173

WLAN RRM channel capability match mode (on AC in AP group radio view), 397

WLAN RRM channel capability match mode (on AC in AP radio view), 397

WLAN RRM channel switch mode (in AP group radio view), 395

WLAN RRM channel switch mode (in AP radio view), 395

WLAN RRM power constraint mode (in AP group radio view), 395

WLAN RRM power constraint mode (in AP radio view), 394

WLAN RRM transmit power capability match mode (in AP group radio view), 396

WLAN RRM transmit power capability match mode (in AP radio view), 396

WLAN security cipher suite, 138

WLAN security KDF, 138

WLAN security PSK, 138

WLAN security PTK lifetime, 139

WLAN security TKIP MIC failure hold time, 140

Setting

active AC number, 300

setting

802.1X authentication request attempts max, 171

802.1X authentication timers, 171

802.1X WLAN service template clients max, 177

AP control tunnel keepalive time (for AP in AP group view), 12

AP control tunnel keepalive time (for AP in AP view), 11

AP data tunnel keepalive time, 12

AP data tunnel keepalive time (for AP in AP group view), 12

AP data tunnel keepalive time (for AP in AP view), 12

AP statistics report interval, 14

AP statistics report interval (in AP group view), 14

AP statistics report interval (in AP view), 14

authentication mode for IACTP control messages, 249

coordinates for sensor, 426

device entry timers, 427

IoT AP module transmit power level (AP group module view), 408

IoT AP module transmit power level (module view), 407

LED lighting mode, 24

MAC authentication WLAN service template clients max, 178

maximum CAPWAP fragment frame size (in AP group view), 13

maximum CAPWAP fragment frame size (in AP view), 12

radio 802.11ac bandwidth mode (in AP group radio view), 89

radio 802.11ac bandwidth mode (in AP radio view), 89

radio 802.11ac NSS (in AP group radio view), 87

radio 802.11ac NSS (in AP radio view), 87

radio 802.11n bandwidth mode (in AP group radio view), 84

radio 802.11n bandwidth mode (in AP radio view), 83

radio 802.11n MCS index (in AP group radio view), 82

radio 802.11n MCS index (in AP radio view), 81

radio antenna gain (in AP group radio view), 65

radio antenna gain (in AP radio view), 65

radio beacon frame interval (in AP group radio view), 70

radio beacon frame interval (in AP radio view), 70

radio client-AP association max (in AP group radio view), 71

radio client-AP association max (in AP radio view), 71

radio DTIM interval set (in AP group radio view), 71

radio DTIM interval set (in AP radio view), 70

radio resource measurement duration and interval, 279

radio RTS threshold (in AP group radio view), 74

radio RTS threshold (in AP radio view), 74

radio transmission distance max (in AP group radio view), 69

radio transmission distance max (in AP radio view), 69

radio transmit power max (in AP group radio view), 66

radio transmit power max (in AP radio view), 66

SSID for online signup services, 356

TCP MSS, 13

WIPS wireless device information report interval, 215

WLAN access client data frame encapsulation format, 109

WLAN access idle period before client reauthentication, 120

WLAN access NAS ID (global), 116

WLAN access NAS-ID (AP group view), 115

WLAN access NAS-ID (AP view), 115

WLAN access SSID, 106

WLAN authentication OUI, 170

WLAN channel scanning maximum service period, 285

WLAN channel scanning period, 285

WLAN channel scanning service idle timeout, 286

WLAN client cache aging time, 108

WLAN load balancing mode, 263

WLAN RRM TPC min transmit power (in AP group RRM view), 392

WLAN RRM TPC min transmit power (in AP RRM view), 391

WLAN RRM TPC mode, 390

WLAN RRM TPC mode (in AP group RRM view), 390

WLAN RRM TPC mode (in AP RRM view), 390

WLAN security information element, 137

WLAN security WEP key, 140

shared key authentication, 128

signature

user-defined attack detection based on signatures, 199

SNMP

WLAN access SNMP notification, 122

WLAN location SNMP notification, 343

WLAN RRM SNMP notification enable, 399

soft AP

soft AP detection, 197

software

802.11r, 312

AP software version upgrade, 9, 9

Space-Time Block Coding. Use STBC

specifying

802.1X EAP mode, 173

802.1X supported domain name delimiters, 170

802.1X WLAN service template authentication domain, 177

AP IoT module serial number, 405

APDB hardware-software version mapping, 10

Hotspot 2.0 NAI realm authentication type, 353

Hotspot 2.0 network authentication type, 351

Hotspot 2.0 organization identifier (OI), 352

IoT AP supported module type (for AP group), 407

IoT AP supported module type (for AP), 407

IP address type for IACTP tunnels, 250

MAC authentication domain (global), 172

MAC authentication domain (service-specific), 179

preferred AP image file location, 10

process maximum inactive timeout, 430, 430

radio 802.11n A-MPDU aggregation method (in AP group radio view), 78

radio 802.11n A-MPDU aggregation method (in AP radio view), 78

radio 802.11n A-MSDU aggregation method (in AP group radio view), 78

radio 802.11n A-MSDU aggregation method (in AP radio view), 78

radio 802.11n MIMO mode (in AP group radio view), 84

radio 802.11n MIMO mode (in AP radio view), 84

radio AP collision avoidance mode (in AP group radio view), 73

radio AP collision avoidance mode (in AP radio view), 73

radio mode (in AP group radio view), 62

radio mode (in AP radio view), 62

radio working channel (in AP group radio view), 63

radio working channel (in AP radio view), 63

source IP address for establishing IACTP tunnels, 250

wireless location device type (in AP group view), 333

wireless location device type (in AP view), 333

wireless location location packet format (in AP group view), 335

wireless location location packet format (in AP view), 335

wireless location location packet format (in global configuration view), 336

wireless location monitored port (in AP group view), 332

wireless location monitored port (in AP view), 331

wireless location monitored port (in global configuration view), 332

wireless location multicast MAC address for Tag (in AP group view), 332

wireless location multicast MAC address for Tag (in AP view), 332

wireless location multicast MAC address for Tag (in global configuration view), 332

wireless location report mode for location packet (in AP group view), 336

wireless location report mode for location packet (in AP view), 336

wireless location report mode for location packet (in global configuration view), 336

wireless location server IPv4 address+port number (in AP group view), 331

wireless location server IPv4 address+port number (in AP view), 331

wireless location server IPv4 address+port number (in global configuration view), 331

WLAN access client traffic forwarder, 108

WLAN access global region code, 112

WLAN access permitted AP group client access, 118

WLAN access permitted SSID client access, 118

WLAN access region code (in AP group view), 111

WLAN access region code (in AP view), 111

WLAN access VLAN allocation method for clients, 107

WLAN access Web server, 122

WLAN authentication authenticator, 174

WLAN high availability AP connection priority, 295

WLAN high availability backup AC, 295

WLAN high availability backup AC (for AP group), 295

WLAN high availability backup AC (for AP), 295

WLAN probe server, 424

SpectraLink Voice Priority. Use SVP

spectrum

WLAN RRM spectrum management, 383

WLAN RRM spectrum management configuration, 393, 403

spectrum management

WLAN RRM configuration, 393

WLAN RRM spectrum management configuration, 403

SSID

Hotspot 2.0 HESSID set, 351

SSID for online signup services, 356

WLAN access permitted SSID client access, 118

WLAN access SSID setting, 106

WLAN client access control (SSID-based), 103

statistics

AP statistics report interval, 14

STBC

radio 802.11n STBC configuration, 80

SVP

WLAN QoS WMM ACK policy, 230

WLAN QoS WMM SVP, 231

synchronizing

radio preamble type set, 68

system administration

AP file management, 17

T

TCP

WLAN dual-link backup mode configuration, 296

template

Hotspot 2.0 policy+service template bind, 355

WLAN access AP service template inheritance, 114

WLAN access client association at AC,AP, 108

WLAN access client data frame encapsulation format, 109

WLAN access client traffic forwarder, 108

WLAN access forwarding policy application to service template, 117

WLAN access service template bind > radio, 110

WLAN access service template configuration, 106

WLAN access service template description configuration, 106

WLAN access service template enable, 110

WLAN access service template enable quick association, 109

threshold

load balancing threshold+gap threshold, 301

on-demand channel usage measurement, 76

radio fragmentation threshold, 75

time

WLAN security GTK update (time-based), 139

WLAN security TKIP MIC failure hold time, 140

timeout

802.1X authentication, 171

MAC authentication server timeout, 173

WLAN access client idle timeout, 113

timer

802.1X authentication, 171

MAC authentication server timeout, 173

timestamp

wireless location location packet format, 335

wireless location report mode for location packet, 336

TKIP

WLAN security cipher suite, 138

WLAN security RSNA mechanism (cipher suite), 134

WLAN security TKIP MIC failure hold time, 140

topology

inter-AC roaming through over-the-air FT, 311

intra-AC roaming through over-the-air FT, 310

intra-AC roaming through over-the-DS FT, 311

WLAN Inter-AC, 248

WLAN Intra-AC, 247

TPC

WLAN RRM periodic auto-TPC configuration, 402

track entry

WLAN uplink detection configuration, 303

traffic

bandwidth guaranteeing, 243

client rate limiting, 245

SVP mapping, 241

traffic differentiation, 242

WLAN access AP traffic processing, 116

WLAN access client traffic forwarder, 108

WLAN access client traffic forwarding, 109

WLAN QoS CAC configuration, 240

WLAN QoS configuration, 229, 239

WLAN QoS WMM configuration, 239

WLAN traffic-mode load balancing, 261

WLAN traffic-mode load balancing configuration, 267, 272

Transmit Beamforming, 90

transmit power control. See TPC

transmitting

AP AC request retransmission, 13

continuous mode enabling, 77

radio transmission distance max set, 69

radio transmission rate set, 67

radio transmit power max set, 66

WLAN RRM DFS retransmission, 381

WLAN RRM on-demand TPC, 393

WLAN RRM periodic auto-TPC, 392

WLAN RRM spectrum management power constraint mode, 394

WLAN RRM TPC, 382

WLAN RRM TPC configuration, 389

WLAN RRM TPC min transmit power, 391

WLAN RRM TPC mode configuration, 390

WLAN RRM TPC trigger parameters, 390

trapping

WLAN access SNMP notification, 122

WLAN access Web server, 122

WLAN location SNMP notification, 343

WLAN RRM SNMP notification enable, 399

triggering

WLAN authentication accounting-start trigger, 179

WLAN authentication accounting-update trigger, 180

WLAN RRM DFS trigger parameter, 385

WLAN RRM TPC trigger parameters, 390

WLAN security GTK update (offline-triggered), 139

tunnel

TCP MSS, 13

WLAN mobility group tunnel isolation, 251

tunneling

802.11r configuration, 313

AP group configuration, 46

AP management, 1, 4, 25

auto AP configuration, 41

CAPWAP, 1

CAPWAP tunnel configuration, 11

CAPWAP tunnel establishment, 2

CAPWAP tunnel establishment (DHCP), 25

CAPWAP tunnel establishment (DHCPv6), 31

CAPWAP tunnel establishment (DNS), 36

CAPWAP tunnel establishment configuration, 5

cloud connection configuration, 415, 417

cloud connection establishment, 415

CM tunnel configuration, 412, 413

CM tunnel establishment, 412

inter-AC roaming, 255

intra-AC roaming, 252

over-the-air FT and 802.1X authentication, 324

over-the-air FT and PSK authentication, 317

over-the-DS FT and 802.1X authentication, 320

over-the-DS FT and PSK authentication, 313

WLAN access configuration, 100, 105, 124

WLAN dual-link backup mode configuration, 296

WLAN high availability dual-link backup, 294

WLAN radio resource measurement configuration, 276

WLAN resource measurement, 281

WLAN roaming, 252

WLAN roaming configuration, 247

TxBF

configuring, 90

type

WLAN load balancing group based load balancing, 262

WLAN radio based load balancing, 262

U

U-APSD

WLAN QoS WMM U-APSD power-save mechanism, 230

UDP

AP group configuration, 46

AP management, 1, 4, 25

auto AP configuration, 41

CAPWAP tunnel establishment (DHCP), 25

CAPWAP tunnel establishment (DHCPv6), 31

CAPWAP tunnel establishment (DNS), 36

inter-AC roaming, 255

intra-AC roaming, 252

WLAN access configuration, 100, 105, 124

WLAN resource measurement, 281

WLAN roaming, 252

unencrypted device

unencrypted device detection, 197

unicast

AC unicast discovery request response enable, 7

radio 802.11ac NSS set, 86

Unscheduled Automatic Power-Save Delivery. Use U-APSD

upgrading

AP software version upgrade, 9, 9

IoT AP automatic module firmware upgrade, 408

module firmware manual upgrade, 409

uplink

WLAN high availability uplink detection association with track entry, 303

USB

AP USB interfaces, 16

user

802.1X periodic online user reauthentication, 178

user account

MAC authentication user account format, 172

MAC authentication user account policies, 164

user profile

WLAN access user profile forwarding policy, 117

WLAN user profile assignment, 168

V

venue

Hotspot 2.0 AP venue information, 355

version

802.11r, 312

AP software version upgrade, 9, 9

Very High Throughput Modulation and Coding Scheme. See VHT-MCS

VHT-MCS

radio, 54

radio 802.11ac NSS set, 86

VLAN

configuring clients to prefer authorization VLAN after roaming, 107

WLAN access VLAN allocation method for clients, 107

WLAN authentication VLAN authorization, 166

WLAN Auth-Fail VLAN, 167, 175

WLAN VLAN manipulation, 166

W

WAN

Hotspot 2.0 WAN link status parameters, 354

weak IV

weak IV detection, 196

WEP

WLAN security cipher suite, 138

WLAN security RSNA mechanism (cipher suite), 134

WLAN security WEP key, 140

whitelisting

radio channel selection blacklist/whitelist, 64

WLAN access client add to whitelist, 118

WLAN access whitelist configuration, 126

WLAN client access control (whitelist-based), 104

Wi-Fi Multimedia. Use WMM

Windows bridge

Windows bridge detection, 197

WIPS

alarm-ignored device list, 210

attack detection configuration, 204

attack detection policy applying, 209, 212

attack detection policy configuring, 211

configuration, 203

countermeasure policy applying, 215

countermeasure policy configuring, 213

countermeasures configuration, 213

detection filtering configuration, 216

detection on other attacks, 207

device classification and countermeasures configuration, 218

device classification configuration, 211

device entry attack detection configuration, 206

flood attack detection configuration, 204

malformed packet and flood attack detection, 220

malformed packet detection configuration, 205

signature-based user-defined attack detection, 225

unassociated client detection enabling, 216

user-defined attack detection based on signatures, 209

wireless device information report interval configuration, 215

wireless

intrusion prevention system, 194, 218

wireless location, 343

wireless attack detection

AP flood attack detection, 199

AP impersonation attack detection, 198

association/reassociation DoS attack detection, 198

broadcast disassociation/deauthentication attack detection, 197

detection on clients with the 40 MHz bandwidth mode disabled, 197

device entry attack detection, 199

flood attack detection, 194

honeypot AP detection, 198

hotspot attack detection, 198

HT-greenfield AP detection, 198

malformed packet detection, 195

MITM attack detection, 198

Omerta attack detection, 197

power save attack detection, 197

prohibited channel detection, 197

soft AP detection, 197

unencrypted device detection, 197

user-defined attack detection based on signatures, 199

weak IV detection, 196

Windows bridge detection, 197

wireless bridge detection, 198

wireless bridge

wireless bridge detection, 198

wireless device

classification, 199

wireless device classification

AP classification, 199

client classification, 202

wireless location

AP frame ignore, 338

client packet rate limit, 340

configuration, 328, 328, 329

device type, 333

display, 343

enable (RF fingerprinting), 329

how it works, 328

ignore beacon frame, 338

keepalive, 342

location packet format, 335

location system, 328

monitored port, 331

MU information reporting, 334

multicast MAC address for Tag, 332

packet dilution, 337

packet rate limiting, 341

radio-based location enable, 330

raw frame reporting, 333

report mode for location packet, 336

RSSI-based packet filtering, 339

server IPv4 address+port number, 330

wireless service, 1, 49, 169, 310, See also mobile

802.11r configuration, 313

AP group configuration, 46

AP management, 1, 4, 25

auto AP configuration, 41

CAPWAP tunnel establishment (DHCP), 25

CAPWAP tunnel establishment (DHCPv6), 31

CAPWAP tunnel establishment (DNS), 36

Hotspot 2.0 configuration, 346, 349, 358

Hotspot 2.0 configuration (iPhone application), 358

Hotspot 2.0 configuration (Samsung application), 369

inter-AC roaming, 255

intra-AC roaming, 252

IP snooping client IPv4 address learning, 419

IP snooping client IPv6 address learning, 419

IP snooping configuration, 419

over-the-air FT and 802.1X authentication, 324

over-the-air FT and PSK authentication, 317

over-the-DS FT and 802.1X authentication, 320

over-the-DS FT and PSK authentication, 313

radio 802.11ac configuration, 86

radio 802.11ac NSS set, 86

radio 802.11n configuration, 77

radio management configuration, 49, 59, 92

WLAN 802.11r configuration, 310

WLAN access AP broadcast probe request response, 112

WLAN access AP service template inheritance, 114

WLAN access AP traffic processing, 116

WLAN access blacklist (dynamic)(on AC), 119

WLAN access client add to blacklist (static)(on AC), 119

WLAN access client add to whitelist, 118

WLAN access client idle timeout, 113

WLAN access configuration, 100, 105, 124

WLAN access idle period before client reauthentication, 120

WLAN access NAS-ID, 114

WLAN access permitted AP group client access, 118

WLAN access permitted SSID client access, 118

WLAN access region code, 111

WLAN access service template, 110

WLAN access service template bind > radio, 110

WLAN access service template configuration, 106

WLAN access service template description configuration, 106

WLAN access service template quick association, 109

WLAN authentication configuration, 169, 169, 181

WLAN authentication overview, 160

WLAN client keepalive configuration, 113

WLAN dual-link backup mode configuration, 296

WLAN Hotspot 2.0 configuration, 377

WLAN IP snooping configuration, 419, 421

WLAN radio resource measurement, 277

WLAN resource measurement, 281

WLAN roaming, 252

WLAN uplink detection configuration, 303, 303

WLAN

802.11h measurement, 276

802.11k measurement, 276

802.11r, 312

802.11r configuration, 313

802.11r protocols and standards, 312

802.1X EAP mode, 173

absolute forwarding preferred configuration, 288

AC unicast discovery request response enable, 7

access AP broadcast probe request response, 112

access AP service template inheritance, 114

access AP traffic processing, 116

access blacklist (dynamic)(on AC), 119

access blacklist configuration (static)(on AC), 126

access client add to blacklist (static)(on AC), 119

access client add to whitelist, 118

access client association, 102

access client association at AC,AP, 108

access client data frame encapsulation format, 109

access client idle timeout, 113

access client keepalive configuration, 113

access client traffic forwarder, 108

access client traffic forwarding, 109

access configuration, 100, 105, 124

access configuration file on AP, 120

access configuration whitelist, 126

access display, 123

access forwarding policy, 116

access forwarding policy application to service template, 117

access maintain, 123

access NAS-ID, 114

access permitted AP group client access, 118

access permitted SSID client access, 118

access policy-based forwarding, 116

access region code, 111

access scanning process, 100, 346

access service template bind > radio, 110

access service template configuration, 106

access service template enable, 110

access service template enable quick association, 109

access SNMP notification, 122

access specific-format client log generation, 122

access SSID setting, 106

access user profile forwarding policy, 117

access Web server, 122

allowing access for only 802.11ac clients, 88

AP AC connection priority, 6

AP AC rediscovery, 3, 7

AP AC request retransmission, 13

AP control tunnel keepalive time, 11

AP data tunnel keepalive time, 12

AP group configuration, 18, 46

AP group creation, 18

AP IoT module serial number, 405

AP management, 1, 4, 25

AP management display, 24

AP management information clear, 25

AP management information display, 24

AP management maintain, 24

AP preprovisioned settings assignment, 20

AP preprovisioned settings auto assignment, 21

AP reset, 17

AP software version upgrade, 9, 9

AP statistics report interval, 14

AP USB interfaces, 16

APDB, 3

APDB hardware-software version mapping, 10

APDB user script load, 22

authentication accounting-start trigger, 179

authentication accounting-update trigger, 180

authentication mode for IACTP control messages, 249

authentication OUI set, 170

Auth-Fail VLAN, 167

Auth-Fail VLAN configuration, 175

auto AP configuration, 41

auto AP management, 5

band navigation, 290, 290, 290, 292

band navigation AP enable, 291

band navigation global enable, 291

band navigation load balancing, 291

band navigation parameters, 291

bandwidth guaranteeing, 243

bandwidth-mode load balancing configuration, 268, 273

binding OSU server to a Hotspot 2.0 policy, 357

BLE iBeacon transmission, 409

BYOD access control, 168

CAPWAP protocols and standards, 4

CAPWAP tunnel, 1

CAPWAP tunnel configuration, 11

CAPWAP tunnel establishment, 2

CAPWAP tunnel establishment (DHCP), 25

CAPWAP tunnel establishment (DHCPv6), 31

CAPWAP tunnel establishment (DNS), 36

CAPWAP tunnel establishment configuration, 5

CAPWAP tunnel latency detection, 11

CCMP, 134

channel scanning blacklist or whitelist configuration, 286

channel scanning configuration, 284, 284

channel scanning configuration (on an AC), 288

channel scanning maximum service period setting, 285

channel scanning period setting, 285

channel scanning service idle timeout setting, 286

client access control, 102

client access control (AP group-based), 102

client access control (blacklist-based), 104

client access control (SSID-based), 103

client access control (whitelist-based), 104

client cache aging time, 108

client rate limiting, 245

cloud connection configuration, 415, 416, 417

cloud connection display, 416

cloud connection establishment, 415

cloud management (CM) tunnel configuration, 412, 413, 413

cloud management (CM) tunnel display, 413

cloud management (CM) tunnel establishment, 412

configuring 802.11b client access, 71

configuring access for only 802.11n and 802.11ac clients, 82

configuring AP provision, 19

configuring clients to prefer authorization VLAN after roaming, 107

configuring network settings for AP, 19

configuring network settings for AP group, 20

continuous mode enabling, 77

coordinates for sensor, 426

countermeasures, 203

default power level configuration, 15

detecting clients with NAT configured, 217

displaying load balancing, 265

displaying QoS WMM, 238

displaying WIPS, 217

dynamic WEP mechanism, 135, 141, 154

enabling fast learning of client association entries, 216

European channel gap for auto channel selection, 63

fast forwarding configuration, 422

fast forwarding configuring, 422

fast forwarding display, 422

high availability AP connection priority, 295

high availability AP load balancing, 298, 298, 301

high availability AP load balancing display, 301

high availability backup AC, 295

high availability dual-link backup, 294, 294

high availability dual-link backup configuration prerequisites, 294

high availability master CAPWAP tunnel preemption configuration, 295

high availability uplink detection association with track entry, 303

Hotspot 2.0 3GPP information configuration, 350

Hotspot 2.0 access network type, 351

Hotspot 2.0 AP venue information, 355

Hotspot 2.0 configuration, 346, 349, 358, 377

Hotspot 2.0 configuration (iPhone application), 358

Hotspot 2.0 configuration (Samsung application), 369

Hotspot 2.0 DGAF feature disable, 354

Hotspot 2.0 display, 357

Hotspot 2.0 domain name, 352

Hotspot 2.0 GAS frame exchange, 347

Hotspot 2.0 GAS frame management, 354

Hotspot 2.0 HESSID set, 351

Hotspot 2.0 IP address availability, 352

Hotspot 2.0 IP protocol port status, 353

Hotspot 2.0 NAI realm authentication type, 353

Hotspot 2.0 network authentication type, 351

Hotspot 2.0 online signup, 348

Hotspot 2.0 organization identifier (OI), 352

Hotspot 2.0 policy configuration, 350

Hotspot 2.0 policy+service template bind, 355

Hotspot 2.0 protocols and standards, 349

Hotspot 2.0 service provider information, 353

Hotspot 2.0 WAN link status parameters, 354

idle period before client reauthentication, 120

ignoring 802.1X authentication failures, 174

ignoring MAC authentication failures, 174

inter-AC roaming, 255

intra-AC roaming, 252

IoT AP automatic module firmware upgrade, 408

IoT AP configuration, 405, 405

IoT AP display, 410

IoT AP maintain, 410

IoT AP module enable, 406

IoT AP module factory setting restore, 409

IoT AP module firmware upgrade, 408

IoT AP module restart, 409

IoT AP module transmit power level, 407

IoT AP supported module type, 406

IP address type for IACTP tunnels, 250

IP snooping ARP packet snooping disable, 420

IP snooping client IPv4 address learning, 419

IP snooping client IPv6 address learning, 419

IP snooping configuration, 419, 421

IP snooping HTTP request redirected to portal server, 420

IP snooping ND packet snooping disable, 420

IPv6 preference for AC rediscovery, 7

load balancing configuration, 260, 263, 263

load balancing configuration (for a load balancing group), 270

load balancing configuration (for radios), 265

load balancing enabling, 263

load balancing group configuration, 264

load balancing mode setting, 263

load balancing modes, 261

load balancing parameters configuration, 264

load balancing SNMP notifications enabling, 265

load balancing types, 262

location SNMP notification, 343

maintaining load balancing, 265

maintaining QoS WMM, 238

maintaining WIPS, 217

management frame protection. Use Management frame protection

management frame protection configuration, 151

match mode for client radio resource measurement capabilities, 280

maximum CAPWAP fragment size, 12

maximum number of hardware retransmissions setting, 76

memory usage threshold, 431

mobility group creation, 249

mobility group tunnel isolation enable, 251

module firmware manual upgrade, 409

on-demand channel usage measurement, 76

open system authentication, 128

OSU server, 356

OSU server icons, 357

over-the-air FT and 802.1X authentication, 324

over-the-air FT and PSK authentication, 317

over-the-DS FT and 802.1X authentication, 320

over-the-DS FT and PSK authentication, 313

preferred AP image file location, 10

preprovisioned setting auto loading configure, 21

Pre-RSNA mechanism, 128

probe configuration, 423, 423, 427, 427

probe display, 427

probe maintain, 427

process maximum inactive timeout, 430

PSK authentication and bypass authentication configuration, 144

QoS bandwidth guaranteeing, 231

QoS CAC configuration, 240

QoS client rate limiting, 231

QoS configuration, 229, 239

QoS protocols and standards, 231

QoS terminology, 229

QoS WMM ACK policy, 230

QoS WMM CAC admission policies, 230

QoS WMM configuration, 239

QoS WMM EDCA parameters, 229

QoS WMM protocol, 229

QoS WMM SVP, 231

QoS WMM U-APSD power-save mechanism, 230

radio 802.11ac bandwidth mode set, 88

radio 802.11ac configuration, 86

radio 802.11ac NSS set, 86

radio 802.11g protection configuration, 74

radio 802.11n A-MPDU aggregation method, 78

radio 802.11n A-MSDU aggregation method, 78

radio 802.11n bandwidth mode set, 83

radio 802.11n configuration, 77, 96

radio 802.11n energy saving configuration, 85

radio 802.11n LDPC configuration, 79

radio 802.11n MCS index set, 81

radio 802.11n MIMO mode, 84

radio 802.11n protection configuration, 85

radio 802.11n short GI configuration, 79

radio 802.11n STBC configuration, 80

radio ANI configuration, 72

radio antenna gain set, 65

radio antenna type set, 64

radio AP collision avoidance mode, 73

radio basic configuration, 62, 92

radio beacon frame interval set, 70

radio channel, 49

radio channel selection blacklist/whitelist, 64

radio client-AP association max set, 71

radio disable, 61

radio DTIM interval set, 70

radio enable, 61

radio fragmentation threshold, 75

radio management configuration, 49, 59, 92

radio management display, 92

radio MCS, 51

radio mode, 49

radio mode specify, 62

radio MPDU aggregation, 50

radio MSDU aggregation, 50

radio power lock configuration, 66

radio preamble type set, 68

radio resource measurement configuration, 276

radio resource measurement duration and interval, 279

radio RTS threshold set, 74

radio transmission distance max set, 69

radio transmission rate, 50

radio transmission rate set, 67

radio transmit power, 50

radio transmit power max set, 66

radio VHT-MCS, 54

radio working channel specify, 62

real-time reporting of wireless device information to the UDP server, 425

relative forwarding preferred configuration, 288

remote AP configuration, 14

renaming manual AP, 17

roaming configuration, 247

roaming configuration restrictions, 248

roaming mechanism, 247

roaming SNMP notifications enabling, 251

roaming terminology, 247

RRM channel capability match mode, 397

RRM channel switch mode set, 395

RRM configuration, 381, 384, 399

RRM DFS, 381

RRM DFS configuration, 384

RRM DFS trigger parameter, 385

RRM display, 399

RRM holddown group, 389, 393

RRM on-demand DFS configuration, 389

RRM on-demand TPC configuration, 393

RRM periodic auto-DFS configuration, 385, 399

RRM periodic auto-TPC configuration, 392, 402

RRM radio baseline, 397

RRM radio scanning enable, 398

RRM scheduled auto-DFS configuration, 386, 401

RRM SNMP notification enable, 399

RRM spectrum management, 383

RRM spectrum management configuration, 393, 393, 403

RRM spectrum management power constraint mode, 394

RRM TPC, 382

RRM TPC configuration, 389

RRM TPC min transmit power, 391

RRM TPC mode configuration, 390

RRM TPC trigger parameter configuration, 390

RRM transmit power capability match mode, 396

RSNA mechanism, 129

RSNA mechanism (authentication), 129

RSNA mechanism (cipher suite), 134

RSNA mechanism (key management), 129

saving network settings, 21

scanning all channels, 287

security 802.1X AKM configuration, 148

security AKM mode configuration, 137

security cipher suite, 138

security configuration, 128, 136, 142

security display, 141

security GTK update, 139

security information element, 137

security KDF set, 138

security private PSK+MAC authentication configuration, 157

security PSK set, 138

security PSK+MAC authentication configuration, 146

security PTK lifetime, 139

security TKIP MIC failure hold time, 140

security WEP key, 140

service anomaly detection, 23

session-mode load balancing configuration, 265, 270

setting device entry timers, 427

shared key authentication, 128

shared key authentication configuration, 142

smart antenna configuration, 91

SNMP gets ND-learned client IPv6 address disable, 420

SNMP notification enable, 22

SNMP notifications, 141

source IP address for establishing IACTP tunnels, 250

SSID for online signup services, 356

SVP mapping, 241

TCP MSS, 13

TKIP, 134

traffic differentiation, 242

traffic-mode load balancing configuration, 267, 272

TxBF configuring, 90

uplink client rate limit configuring, 121

user profile assignment, 168

VLAN allocation method for clients, 107

VLAN manipulation, 166

WIPS, 203

WIPS configuration, 194, 203, 218

wireless attack detection, 194

wireless device classification, 199

wireless device filtering, 426

wireless device information report to the AC, 425

wireless location AP frame ignore, 338

wireless location beacon frame ignore, 338

wireless location client packet rate limit, 340

wireless location configuration, 328, 328, 329, 343

wireless location device type, 333

wireless location display, 343

wireless location enable (RF fingerprinting), 329

wireless location keepalive, 342

wireless location location packet format, 335

wireless location MU information reporting, 334

wireless location multicast MAC address for Tag, 332

wireless location packet dilution, 337

wireless location packet rate limiting, 341

wireless location raw frame reporting, 333

wireless location report mode for location packet, 336

wireless location RSSI-based packet filtering, 339

wireless location server IPv4 address+port number, 330

wireless radio-based location enable, 330

WLAN authentication configuration, 169, 169, 181

WLAN authentication overview, 160

WLAN authentication parameters, 173

WLAN IP snooping configuration, 419

WLAN probe enabling, 424

WLAN probe server specifying, 424

WLAN probe system, 423

WLAN probe work mechanism, 423

WLAN process maintenance, 430, 430

WLAN process maintenance display, 431

WLAN resource measurement, 281

WLAN roaming, 252

WLAN roaming display, 252

WLAN roaming maintain, 252

WLAN 802.11r

overview, 310

WLAN authentication

802.1X, 160

802.1X CHAP local authentication configuration, 181

802.1X EAP-PEAP authentication configuration, 183

802.1X periodic online user reauthentication, 178

802.1X WLAN service template authentication domain, 177

802.1X WLAN service template clients max, 177

802.1X-supported domain name delimiters, 170

ACL assignment, 168

application scenarios, 160

authentication modes, 165

authenticator specifying, 174

authorization-fail-offline, 175

BYOD access control, 168

configuration, 169, 169, 181

display, 181

feature cooperation, 168

intrusion protection, 166, 176

MAC authentication, 164

MAC authentication WLAN service template clients max, 178

maintain, 181

mode set, 173

OUI authentication, 165

overview, 160

parameter configuration (global), 170

parameters, 173

server authorization information, 175

VLAN authorization, 166

WLAN CAPWAP tunnel

AC role, 298

WLAN IP snooping

configuration, 419, 421

enable snooping HTTP request redirected to portal server, 420

SNMP gets ND-learned client IPv6 address disable, 420

snooping ARP packets disable, 420

snooping ND packets disable, 420

WLAN IRF

AC role, 298

WLAN load balancing

work mechanism, 260

WLAN QoS

configuring bandwidth guaranteeing, 236

configuring client rate limiting, 237

configuring client rate limiting (client-type-based), 238

configuring client rate limiting (radio-based), 237

configuring client rate limiting (service-template-based), 237

configuring packet trust type, 235

configuring port priority, 235

configuring SVP mapping, 235

configuring WMM, 231

enabling WMM, 231

setting EDCA parameters, 232

setting EDCA parameters of AC-BE or AC-BK queues for clients, 233

setting EDCA parameters of AC-VI or AC-VO queues for clients, 234

WLAN roaming

configuring 802.11r, 310

WLAN security

802.1X authentication, 160

intrusion protection, 166

MAC authentication, 164

OUI authentication, 165

WMM

ACK policy, 230

CAC admission policies, 230

displaying, 238

EDCA parameters, 229

maintaining, 238

protocol, 229

SVP, 231

SVP mapping, 241

traffic differentiation, 242

U-APSD power-save mechanism, 230

WLAN QoS CAC configuration, 240

WLAN QoS configuration, 229, 239

WLAN QoS WMM configuration, 239

work mechanism

WLAN load balancing, 260

 
