02-WLAN Command Reference

H3C Access Controllers Command References (E3703P61 R2509P61 R3709P61 R2609P61 R3509P61)-6W102, 02-WLAN Command Reference
03-WLAN Security Commands

WLAN security configuration commands

authentication-method

Use authentication-method to enable an 802.11 authentication method. You can enable open system authentication, shared key authentication, or both.

Use undo authentication-method to disable the authentication method.

Syntax

authentication-method { open-system | shared-key }

undo authentication-method { open-system | shared-key }

Default

The open system authentication method is enabled.

Views

Service template view

Default command level

2: System level

Parameters

open-system: Enables open system authentication.

shared-key: Enables shared key authentication.

Examples

# Enable open system authentication.

<Sysname> system-view

[Sysname] wlan service-template 1 clear

[Sysname-wlan-st-1] authentication-method open-system

# Enable shared key authentication.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] authentication-method shared-key

cipher-suite

Use cipher-suite to select the cipher suite used in the encryption of frames.

Use undo cipher-suite to disable the selected cipher suite.

Syntax

cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }*

undo cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }*

Default

No cipher suite is selected.

Views

Service template view

Default command level

2: System level

Parameters

ccmp: Enables the AES-CCMP cipher suite.

tkip: Enables the TKIP cipher suite.

wep40: Enables the WEP-40 cipher suite.

wep104: Enables the WEP-104 cipher suite.

wep128: Enables the WEP-128 cipher suite.

Examples

# Enable the TKIP cipher suite.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] cipher-suite tkip

dot1x supplicant eap-method

Use dot1x supplicant eap-method to specify an 802.1X client EAP authentication method.

Use undo dot1x supplicant eap-method to restore the default.

Syntax

dot1x supplicant eap-method { md5 | peap-gtc | peap-mschapv2 | ttls-gtc | ttls-mschapv2 }

undo dot1x supplicant eap-method

Default

MD5 authentication is used as the 802.1X client EAP authentication method.

Views

AP provision view

Default command level

2: System level

Parameters

md5: Specifies the MD5 EAP authentication method.

peap-gtc: Specifies the PEAP-GTC EAP authentication method.

peap-mschapv2: Specifies the PEAP-MSCHAPv2 EAP authentication method.

ttls-gtc: Specifies the TTLS-GTC EAP authentication method.

ttls-mschapv2: Specifies the TTLS-MSCHAPv2 EAP authentication method.

Examples

# Specify MD5 as the 802.1X client EAP authentication method for AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1 model WA3628i-AGN

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant eap-method md5

dot1x supplicant enable

Use dot1x supplicant enable to enable the 802.1X client feature.

Use undo dot1x supplicant enable to restore the default.

Syntax

dot1x supplicant enable

undo dot1x supplicant enable

Default

The 802.1X client feature is disabled.

Views

AP provision view

Default command level

2: System level

Examples

# Enable the 802.1X client feature for AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1 model WA3628i-AGN

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant enable

dot1x supplicant password

Use dot1x supplicant password to set the 802.1X client authentication password.

Use undo dot1x supplicant password to restore the default.

Syntax

dot1x supplicant password { cipher | simple } password

undo dot1x supplicant password

Default

No 802.1X client authentication password is set for an AP.

Views

AP provision view

Default command level

2: System level

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form.

password: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 127 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.

Examples

# Set the 802.1X client password to 123456 in plaintext form for AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1 model WA3628i-AGN

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant password simple 123456

dot1x supplicant username

Use dot1x supplicant username to configure an 802.1X client username.

Use undo dot1x supplicant username to restore the default.

Syntax

dot1x supplicant username username

undo dot1x supplicant username

Default

No 802.1X client username exists.

Views

AP provision view

Default command level

2: System level

Parameters

username: Specifies the 802.1X client username, a case-sensitive string of 1 to 253 characters.

Examples

# Configure the 802.1X client username as aaa for AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1 model WA3628i-AGN

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant username aaa

gtk-rekey client-offline enable

Use gtk-rekey client-offline enable to refresh the GTK whenever a client goes offline, so that a departed client no longer holds a valid group key. This function takes effect only when GTK rekey is enabled with the gtk-rekey enable command.

Use undo gtk-rekey client-offline to disable this feature.

Syntax

gtk-rekey client-offline enable

undo gtk-rekey client-offline

Default

The GTK is not refreshed when a client goes off-line.

Views

Service template view

Default command level

2: System level

Examples

# Enable GTK rekeying when a client goes off-line.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] gtk-rekey client-offline enable

gtk-rekey enable

Use gtk-rekey enable to enable GTK rekey.

Use undo gtk-rekey enable to disable GTK rekey.

Syntax

gtk-rekey enable

undo gtk-rekey enable

Default

GTK rekey is enabled.

Views

Service template view

Default command level

2: System level

Examples

# Disable GTK rekey.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] undo gtk-rekey enable

gtk-rekey method

Use gtk-rekey method to select a mechanism for rekeying the GTK. If option time-based is selected, the GTK will be refreshed after a specified period of time. If option packet-based is selected, the GTK will be refreshed after a specified number of packets are transmitted.

Use undo gtk-rekey method to restore the default.

Syntax

gtk-rekey method { packet-based [ packet ] | time-based [ time ] }

undo gtk-rekey method

Default

The GTK rekeying method is time-based, and the interval is 86400 seconds.

Views

Service template view

Default command level

2: System level

Parameters

packet-based: Indicates the GTK will be refreshed after a specified number of packets are transmitted.

packet: Number of multicast packets that are transmitted before the GTK is refreshed. The value is in the range of 5000 to 4294967295 and defaults to 10000000.

time-based: Indicates the GTK will be refreshed based on time.

time: Time after which the GTK is refreshed. The value is in the range of 180 to 604800 seconds and defaults to 86400 seconds.

Usage guidelines

The method configured most recently overwrites the previous method. For example, if you configure the packet-based method and then configure the time-based method, the time-based method is enabled.

Examples

# Enable packet-based GTK rekeying and the packet number is 60000.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] gtk-rekey method packet-based 60000

key-derivation

Use key-derivation to specify a key derivation type.

Use undo key-derivation to restore the default.

Syntax

key-derivation { sha1 | sha1-and-sha256 | sha256 }

undo key-derivation

Default

The key derivation type is sha1.

Views

Service template view

Default command level

2: System level

Parameters

sha1: Specifies the HMAC-SHA1 hash algorithm.

sha1-and-sha256: Specifies the HMAC-SHA1 and the HMAC-SHA256 hash algorithms.

sha256: Specifies the HMAC-SHA256 hash algorithm.

Usage guidelines

A key derivation type takes effect only when the authentication type is PSK or 802.1X.

If the management frame protection status is mandatory, H3C recommends that you specify the key derivation type as sha256.

Examples

# Specify the key derivation type as sha1-and-sha256.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] key-derivation sha1-and-sha256

pmf

Use pmf to configure management frame protection.

Use undo pmf to disable management frame protection.

Syntax

pmf { mandatory | optional }

undo pmf

Default

Management frame protection is disabled.

Views

Service template view

Default command level

2: System level

Parameters

mandatory: Allows only clients supporting PMF to associate with the AP.

optional: Allows all clients to associate with the AP.

Examples

# Enable mandatory PMF so that only clients that support PMF can associate with the AP.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] pmf mandatory

pmf association-comeback

Use pmf association-comeback to configure the association comeback time.

Use undo pmf association-comeback to restore the default.

Syntax

pmf association-comeback value

undo pmf association-comeback

Default

The association comeback time is 1 second.

Views

Service template view

Default command level

2: System level

Parameters

value: Specifies the association comeback time in the range of 1 to 20 seconds. Within the association comeback time, the AP does not respond to any association or reassociation requests from the client.

Examples

# Configure the association comeback time as 2 seconds.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] pmf association-comeback 2

Related commands

·     pmf

·     pmf saquery retry

·     pmf saquery timeout

pmf saquery retry

Use pmf saquery retry to configure the maximum number of times the AP retransmits an SA Query request.

Use undo pmf saquery retry to restore the default.

Syntax

pmf saquery retry value

undo pmf saquery retry

Default

The AP retransmits an SA Query request up to 4 times.

Views

Service template view

Default command level

2: System level

Parameters

value: Specifies the maximum number of SA Query request retransmissions, in the range of 1 to 16.

Examples

# Configure the AP to retransmit SA Query requests up to 3 times.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] pmf saquery retry 3

Related commands

·     pmf

·     pmf association-comeback

·     pmf saquery timeout

pmf saquery timeout

Use pmf saquery timeout to configure the timeout time for SA Query responses.

Use undo pmf saquery timeout to restore the default.

Syntax

pmf saquery timeout value

undo pmf saquery timeout

Default

The timeout time for SA Query responses is 200 milliseconds.

Views

Service template view

Default command level

2: System level

Parameters

value: Specifies the timeout time for SA Query responses, in the range of 100 to 500 milliseconds. If the AP does not receive any SA Query responses from the client within the timeout time, the AP resends the SA Query request.

Examples

# Configure the timeout time for SA Query responses as 300 milliseconds.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] pmf saquery timeout 300

Related commands

·     pmf

·     pmf saquery retry

·     pmf association-comeback
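The three PMF timers above work together: when an AP holding a protected association receives a new (necessarily unprotected) association request for the same client, it rejects the request with the association comeback time and probes the existing association with SA Query requests, retrying up to pmf saquery retry times at pmf saquery timeout intervals. The simulation below is an added example, not H3C code; it models that AP-side procedure as described in IEEE 802.11w with a simulated clock (no frames are sent), and includes the sanity check a reviewer would apply: the comeback time must outlast the worst-case SA Query procedure (retry x timeout), otherwise a genuine client can be told to come back before the AP has decided whether its old association is still alive.

```python
"""SA Query procedure driven by pmf saquery retry, pmf saquery timeout and
pmf association-comeback. Added example, not H3C code; AP-side behaviour
follows IEEE 802.11w, timings are simulated with a counter."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PmfConfig:
    saquery_retry: int = 4          # pmf saquery retry value (1-16), default 4
    saquery_timeout_ms: int = 200   # pmf saquery timeout value (100-500 ms), default 200
    comeback_s: int = 1             # pmf association-comeback value (1-20 s), default 1

    def validate(self) -> None:
        """Enforce the documented ranges before simulating anything."""
        if not 1 <= self.saquery_retry <= 16:
            raise ValueError("pmf saquery retry must be 1-16")
        if not 100 <= self.saquery_timeout_ms <= 500:
            raise ValueError("pmf saquery timeout must be 100-500 ms")
        if not 1 <= self.comeback_s <= 20:
            raise ValueError("pmf association-comeback must be 1-20 s")

    def saquery_worst_case_ms(self) -> int:
        """Time until the AP gives up on a silent client: every retry waits the full timeout."""
        return self.saquery_retry * self.saquery_timeout_ms

    def comeback_covers_saquery(self) -> bool:
        """True if the comeback time is long enough to cover the whole SA Query procedure."""
        return self.comeback_s * 1000 >= self.saquery_worst_case_ms()


def run_sa_query(cfg: PmfConfig, client_responds_on: Optional[int]) -> dict:
    """Probe an existing PMF association.

    client_responds_on: 1-based attempt on which the genuine client returns a
    protected SA Query Response, or None if it never does (it really is gone)."""
    cfg.validate()
    log, elapsed = [], 0
    for attempt in range(1, cfg.saquery_retry + 1):
        log.append(f"t={elapsed}ms AP -> client: SA Query Request #{attempt}")
        if client_responds_on is not None and attempt >= client_responds_on:
            log.append(f"t={elapsed}ms client -> AP: SA Query Response (protected)")
            return {"alive": True, "requests_sent": attempt, "elapsed_ms": elapsed, "log": log}
        elapsed += cfg.saquery_timeout_ms
        log.append(f"t={elapsed}ms no response within timeout")
    return {"alive": False, "requests_sent": cfg.saquery_retry, "elapsed_ms": elapsed, "log": log}


def handle_assoc_request(cfg: PmfConfig, has_pmf_association: bool,
                         client_responds_on: Optional[int]) -> dict:
    """AP decision for an association request from a MAC that may already be associated."""
    if not has_pmf_association:
        return {"action": "accept", "comeback_s": 0}
    # An unprotected request cannot be trusted over a live protected association:
    # reject it with a comeback time and let SA Query decide what to do with the old one.
    probe = run_sa_query(cfg, client_responds_on)
    return {
        "action": "reject-comeback",
        "comeback_s": cfg.comeback_s,
        # A protected response means the real client is still there and the request
        # was spoofed or stale; silence means the old association is torn down and the
        # client may associate again once the comeback time has passed.
        "old_association": "kept" if probe["alive"] else "dropped",
        "probe": probe,
    }


if __name__ == "__main__":
    cfg = PmfConfig()
    print("worst case SA Query:", cfg.saquery_worst_case_ms(), "ms;",
          "comeback covers it:", cfg.comeback_covers_saquery())
    for line in handle_assoc_request(cfg, True, None)["probe"]["log"]:
        print(line)
```

With the defaults the worst case is 4 x 200 ms = 800 ms, inside the 1 s comeback time. Raising pmf saquery retry or pmf saquery timeout without raising pmf association-comeback breaks that relationship; the comeback_covers_saquery check flags it.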

ptk-lifetime

Use ptk-lifetime to configure the PTK lifetime.

Use undo ptk-lifetime to restore the default.

Syntax

ptk-lifetime time

undo ptk-lifetime

Default

The PTK lifetime is 43200 seconds.

Views

Service template view

Default command level

2: System level

Parameters

time: Specifies the PTK lifetime in the range of 180 to 604800 seconds.

Examples

# Specify the PTK lifetime as 86400 seconds.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] ptk-lifetime 86400

security-ie

Use security-ie to enable the WPA-IE, RSN-IE, or both in beacon and probe responses.

Use undo security-ie to disable the WPA-IE or RSN-IE in beacon and probe responses.

Syntax

security-ie { rsn | wpa }

undo security-ie { rsn | wpa }

Default

Both WPA-IE and RSN-IE are disabled.

Views

Service template view

Default command level

2: System level

Parameters

rsn: Enables the RSN information element in beacon and probe response frames. The RSN IE advertises the RSN capabilities of APs.

wpa: Enables the WPA Information element in beacon and probe response frames. The WPA IE advertises the WPA capabilities of APs.

Examples

# Enable the WPA-IE in beacon and probe responses.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] security-ie wpa

tkip-cm-time

Use tkip-cm-time to set the TKIP countermeasure time.

Use undo tkip-cm-time to restore the default.

Syntax

tkip-cm-time time

undo tkip-cm-time

Default

The TKIP countermeasure time is 0 seconds. No countermeasures are taken.

Views

Service template view

Default command level

2: System level

Parameters

time: TKIP countermeasure time in seconds. The value is in the range of 0 to 3600 seconds.

Usage guidelines

After TKIP countermeasures are enabled, if more than two MIC failures occur within a certain time, the AP disassociates all TKIP clients and rejects new TKIP associations until the specified TKIP countermeasure time expires.

Examples

# Set the TKIP countermeasure time to 90 seconds.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] tkip-cm-time 90

wep default-key

Use wep default-key to configure the WEP default key.

Use undo wep default-key to delete the configured WEP default key.

Syntax

wep default-key key-index { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key

undo wep default-key key-index

Default

The WEP default key index number is 1.

Views

Service template view

Default command level

2: System level

Parameters

key-index: The key index values can be:

1: Configures the 1st WEP default key.

2: Configures the 2nd WEP default key.

3: Configures the 3rd WEP default key.

4: Configures the 4th WEP default key.

wep40: Indicates the WEP40 key option.

wep104: Indicates the WEP104 key option.

wep128: Indicates the WEP128 key option.

pass-phrase: Inputs a character-string pre-shared key.

raw-key: Inputs a hexadecimal-string pre-shared key.

cipher: Sets a ciphertext key.

simple: Sets a plaintext key.

key: Specifies the key string. The length of a ciphertext key is in the range of 24 to 88 characters. If neither cipher nor simple is specified, you set a plaintext key string. The length of a plaintext key depends on the key options selected:

·     For wep40 pass-phrase, the key length is 5 alphanumeric characters.

·     For wep104 pass-phrase, the key length is 13 alphanumeric characters.

·     For wep128 pass-phrase, the key length is 16 alphanumeric characters.

·     For wep40 raw-key, the key length is a 10-digit hexadecimal number.

·     For wep104 raw-key, the key length is a 26-digit hexadecimal number.

·     For wep128 raw-key, the key length is a 32-digit hexadecimal number.

Usage guidelines

When a security IE (WPA or RSN) is enabled with the security-ie command, WEP default key 1 cannot be configured, because key index 1 (802.11 key ID 0) is reserved for the pairwise key under WPA and RSN.

For security purposes, all keys, including keys configured in plain text, are saved in cipher text.

Examples

# Specify the first WEP default key as a simple text key 12345.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] wep default-key 1 wep40 pass-phrase simple 12345

wep key-id

Use wep key-id to specify the default WEP key used in the encryption and decryption of broadcast and multicast frames. There are four static keys in WEP. The key index can be 1, 2, 3, or 4. The key corresponding to the specified key index will be used for encrypting and decrypting broadcast and multicast frames.

Use undo wep key-id to restore the default.

Syntax

wep key-id { 1 | 2 | 3 | 4 }

undo wep key-id

Default

The key index number is the one configured with the wep default-key command.

Views

Service template view

Default command level

2: System level

Parameters

1: Specifies key index 1.

2: Specifies key index 2.

3: Specifies key index 3.

4: Specifies key index 4.

Examples

# Specify the index of the key for broadcast/multicast encryption and decryption as 2.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] wep key-id 2

Related commands

wep default-key

wep mode

Use wep mode to enable WEP encryption.

Use undo wep mode to restore the default.

Syntax

wep mode dynamic

undo wep mode

Default

Static WEP encryption is enabled.

Views

Service template view

Default command level

2: System level

Parameters

dynamic: Enables dynamic WEP encryption.

Usage guidelines

Dynamic WEP encryption must be used together with 802.1X authentication, and the WEP key ID cannot be configured as 4.

The device automatically uses WEP-104 encryption when dynamic WEP encryption is configured. To change the encryption method, use the cipher-suite command.

When dynamic WEP encryption is configured, the WEP key used to encrypt unicast frames is derived per client from the 802.1X authentication between the client and the authentication server. If a WEP default key is configured, it is used to encrypt multicast frames. If no WEP default key is configured, the device randomly generates a multicast WEP key.

Examples

# Specify the WEP encryption mode as dynamic.

<Sysname> system-view

[Sysname] wlan service-template 1 crypto

[Sysname-wlan-st-1] wep mode dynamic

Related commands

·     wep key-id

·     cipher-suite
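Most of the commands in this section exist for legacy clients, and a saved configuration is where their weak settings are usually found. The lint below is an added example, not H3C code: it runs over a constructed configuration fragment assembled from the commands in this section (the template numbers, SSIDs, keys, username and AP model in it are made up for the example) and reports the caveats a reviewer would raise: WEP cipher suites and shared-key authentication (WEP is broken, and the shared-key challenge/response leaks keystream), TKIP (deprecated), EAP-MD5 for the AP supplicant (no server authentication, no key material), passwords entered with simple, PMF not configured, sha1 key derivation together with mandatory PMF (against the recommendation under key-derivation), GTK rekey disabled, the rule that WEP default key 1 is not allowed once a security IE is configured, and the documented WEP key lengths.

```python
"""Lint for the WLAN security commands of this section, run over a saved
service-template / AP provision configuration. Added example, not H3C code;
SAMPLE_CONFIG is constructed for the example."""
import re

SAMPLE_CONFIG = """\
#
wlan service-template 1 crypto
 ssid corp-legacy
 authentication-method shared-key
 cipher-suite wep104
 wep default-key 1 wep104 pass-phrase simple abcdefghijklm
 security-ie wpa
 undo gtk-rekey enable
#
wlan service-template 2 crypto
 ssid corp
 cipher-suite ccmp
 security-ie rsn
 pmf mandatory
 key-derivation sha1
#
wlan ap ap1 model WA3628i-AGN
 provision
  dot1x supplicant enable
  dot1x supplicant eap-method md5
  dot1x supplicant username aaa
  dot1x supplicant password simple 123456
#
"""

# Plaintext key lengths documented for wep default-key: pass-phrase in
# characters, raw-key in hex digits.
WEP_KEY_LEN = {
    ("wep40", "pass-phrase"): 5, ("wep104", "pass-phrase"): 13, ("wep128", "pass-phrase"): 16,
    ("wep40", "raw-key"): 10, ("wep104", "raw-key"): 26, ("wep128", "raw-key"): 32,
}


def parse_blocks(text):
    """Split a Comware-style config into top-level blocks: an unindented line
    followed by its indented lines (nested views such as provision are flattened)."""
    blocks, cur = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if not raw[0].isspace():
            cur = {"scope": raw.strip(), "lines": []}
            blocks.append(cur)
        elif cur is not None:
            cur["lines"].append(raw.strip())
    return blocks


def check_wep_default_key(tokens):
    """Validate 'wep default-key <idx> <wep40|wep104|wep128> <pass-phrase|raw-key> [cipher|simple] <key>'
    against the documented key lengths. Returns (key index, ok, requirement)."""
    idx, opt, form = tokens[2], tokens[3], tokens[4]
    if tokens[5] in ("cipher", "simple"):
        kind, key = tokens[5], tokens[6]
    else:
        kind, key = "simple", tokens[5]  # neither keyword given: plaintext key
    if kind == "cipher":
        return idx, 24 <= len(key) <= 88, "ciphertext key length must be 24 to 88 characters"
    want = WEP_KEY_LEN[(opt, form)]
    unit = "characters" if form == "pass-phrase" else "hex digits"
    ok = len(key) == want and (form == "pass-phrase" or re.fullmatch(r"[0-9A-Fa-f]+", key) is not None)
    return idx, ok, f"{opt} {form} key must be {want} {unit}"


def lint_block(block):
    scope, findings = block["scope"], []
    add = lambda level, msg: findings.append((level, scope, msg))
    pmf, kd, gtk_rekey, security_ie, wep_key_indexes = None, "sha1", True, False, set()
    for line in block["lines"]:
        t = line.split()
        if line == "authentication-method shared-key":
            add("high", "shared-key authentication: the WEP challenge/response leaks keystream; use open-system")
        elif t[0] == "cipher-suite":
            for suite in t[1:]:
                if suite.startswith("wep"):
                    add("high", f"cipher-suite {suite}: WEP is broken, use ccmp")
                elif suite == "tkip":
                    add("medium", "cipher-suite tkip: deprecated, use ccmp")
        elif t[:2] == ["wep", "default-key"]:
            idx, ok, why = check_wep_default_key(t)
            wep_key_indexes.add(idx)
            if not ok:
                add("error", f"wep default-key {idx}: {why}")
        elif t[0] == "security-ie":
            security_ie = True
        elif t[0] == "pmf" and len(t) == 2:
            pmf = t[1]
        elif t[0] == "key-derivation":
            kd = t[1]
        elif line == "undo gtk-rekey enable":
            gtk_rekey = False
        elif line == "dot1x supplicant eap-method md5":
            add("high", "EAP-MD5 supplicant: no server authentication, no key material; use peap-mschapv2 or ttls-mschapv2")
        elif t[:3] == ["dot1x", "supplicant", "password"] and len(t) > 3 and t[3] == "simple":
            add("medium", "802.1X supplicant password given in plaintext; use the cipher form in stored configs")
    if scope.startswith("wlan service-template") and scope.endswith("crypto"):
        if security_ie and "1" in wep_key_indexes:
            add("error", "wep default-key 1 is not allowed when security-ie is configured")
        if pmf is None:
            add("medium", "pmf not configured: deauthentication/disassociation frames are unprotected")
        elif pmf == "mandatory" and kd == "sha1":
            add("low", "pmf mandatory with key-derivation sha1; sha256 is recommended")
        if not gtk_rekey:
            add("medium", "GTK rekey disabled: the group key never rotates")
    return findings


def lint_config(text):
    """All findings as (level, scope, message) tuples, in configuration order."""
    return [f for block in parse_blocks(text) for f in lint_block(block)]


if __name__ == "__main__":
    for level, scope, msg in lint_config(SAMPLE_CONFIG):
        print(f"[{level}] {scope}: {msg}")
```

Run it against the output of display current-configuration before pushing a template to production; every rule above maps to one command in this section, so a finding points straight at the line to change.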
