02-WLAN Command Reference

H3C Access Controllers Command References (E3703P61 R2509P61 R3709P61 R2609P61 R3509P61)-6W102
06-WLAN IDS Commands

WLAN IDS configuration commands

WLAN IDS rogue detection configuration commands

countermeasures enable

Use countermeasures enable to enable countermeasures against rogue devices present in the attack list.

Use undo countermeasures enable to restore the default.

Syntax

countermeasures enable

undo countermeasures enable

Default

No countermeasures are enabled.

Views

WLAN IDS view

Default command level

2: System level

Examples

# Enable countermeasures.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] countermeasures enable

countermeasures mode

Use countermeasures mode to set the countermeasures mode.

Use undo countermeasures mode to restore the default.

Syntax

countermeasures mode { all | { rogue | adhoc | config }* }

undo countermeasures mode

Default

The countermeasures mode is config.

Views

WLAN IDS view

Default command level

2: System level

Parameters

all: Takes countermeasures against all rogue devices present in the attack list.

rogue: Takes countermeasures against all rogue APs and clients.

adhoc: Takes countermeasures against all rogue ad hoc devices.

config: Takes countermeasures against statically configured rogue devices.

Usage guidelines

Wireless bridge devices are classified as rogues. Countermeasures are not taken against rogue wireless bridges.

Examples

# Set the countermeasures mode to rogue.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] countermeasures mode rogue

countermeasures on-service interval

Use countermeasures on-service interval to configure the interval at which the AP takes countermeasures against rogue devices and the maximum number of devices against which the AP can take countermeasures.

Use undo countermeasures on-service to restore the default.

Syntax

countermeasures on-service interval interval [ max-device max-device ]

undo countermeasures on-service

Views

WLAN IDS view

Default command level

2: System level

Parameters

interval: Specifies the interval at which the AP takes countermeasures against rogue devices, in the range of 100 to 5000 milliseconds. By default, the value is 5000 milliseconds.

max-device: Specifies the maximum number of devices against which the AP can take countermeasures, in the range of 1 to 256. By default, the value is 256.

Examples

# Configure the interval at which the AP takes countermeasures against rogue devices as 1000 milliseconds and the maximum number of devices against which the AP can take countermeasures as 5.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] countermeasures on-service interval 1000 max-device 5

device aging-duration

Use device aging-duration to set the age time for entries in the detected device table.

Use undo device aging-duration to restore the default.

Syntax

device aging-duration duration

undo device aging-duration

Default

The age time is 600 seconds.

Views

WLAN IDS view

Default command level

2: System level

Parameters

duration: Specifies the age time, in the range of 300 to 1800 seconds.

Usage guidelines

If an entry is not detected within the interval, it is deleted from the detected device table. If the deleted entry is that of a rogue, it is added to the rogue history table.

Examples

# Specify the age time for device entries as 1200 seconds.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] device aging-duration 1200

device attack mac-address

Use device attack mac-address to add an entry to the static attack list.

Use undo device attack mac-address to remove the specified entry or all entries from the static attack list.

Syntax

device attack mac-address mac-address

undo device attack mac-address [ mac-address ]

Views

WLAN IDS view

Default command level

2: System level

Parameters

mac-address: MAC address of an AP or client.

Usage guidelines

The maximum number of entries in the static attack list is 64.

Examples

# Add a MAC address to, and then remove it from, the static attack list.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] device attack mac-address aabb-cc00-0001

[Sysname-wlan-ids] undo device attack mac-address aabb-cc00-0001

# Remove all entries from the static attack list.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] undo device attack mac-address

device permit

Use device permit to add an entry to the permitted MAC address list, permitted SSID list, or permitted vendor list.

Use undo device permit to remove a specified entry, or, if no entry is specified, all entries from the permitted MAC address list, permitted SSID list, or permitted vendor list.

Syntax

device permit { mac-address mac-address | ssid ssid | vendor oui }

undo device permit { mac-address [ mac-address ] | ssid [ ssid ] | vendor [ oui ] }

Views

WLAN IDS view

Default command level

2: System level

Parameters

mac-address: MAC address of an AP or client, such as a known device that is to be ignored during RF scans. The maximum number of entries in the permitted MAC address list is 256.

ssid: SSID to be added to the permitted SSID list, a case-sensitive string of 1 to 32 characters. The maximum number of entries in the permitted SSID list is 256.

oui: OUI of an AP, a string of six hexadecimal digits. The maximum number of entries in the permitted vendor list is 64.

Examples

# Add a MAC address to the MAC address list and then remove it from the list.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] device permit mac-address aabb-cccc-dddd

[Sysname-wlan-ids] undo device permit mac-address aabb-cccc-dddd
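The value ranges and list capacities given so far (interval, max-device, aging duration, the static attack list and the three permitted lists) can be checked before a configuration is pushed to the AC. The following linter is an added example, not H3C code; the function names and the sample configuration are constructed for illustration, and flagging a MAC address that sits in both the attack list and the permitted list is a review aid only, since the reference does not say which list takes precedence.

```python
import re

# Limits taken from the parameter descriptions and usage guidelines above.
INTERVAL_MS = (100, 5000)      # countermeasures on-service interval
MAX_DEVICE = (1, 256)          # countermeasures on-service ... max-device
AGING_S = (300, 1800)          # device aging-duration
LIST_CAPS = {"attack": 64, "permit-mac": 256, "permit-ssid": 256, "permit-vendor": 64}
MODES = {"rogue", "adhoc", "config"}
MAC_RE = re.compile(r"[0-9A-Fa-f]{4}(-[0-9A-Fa-f]{4}){2}")
OUI_RE = re.compile(r"[0-9A-Fa-f]{6}")


def _in_range(text, bounds):
    return text.isdigit() and bounds[0] <= int(text) <= bounds[1]


def lint_wlan_ids(lines):
    """Check WLAN IDS view commands; return [(line_no, message), ...]."""
    findings = []
    lists = {name: set() for name in LIST_CAPS}

    def remember(name, value, n):
        lists[name].add(value)
        if len(lists[name]) == LIST_CAPS[name] + 1:   # report the overflow once
            findings.append((n, f"{name} list exceeds {LIST_CAPS[name]} entries"))

    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        tok = line.split()
        if not tok or tok[0] in ("#", "undo"):
            continue
        if tok[:3] == ["countermeasures", "on-service", "interval"]:
            if len(tok) < 4 or not _in_range(tok[3], INTERVAL_MS):
                findings.append((n, "interval must be 100-5000 ms"))
            if len(tok) > 4 and not (len(tok) == 6 and tok[4] == "max-device"
                                     and _in_range(tok[5], MAX_DEVICE)):
                findings.append((n, "max-device must be 1-256"))
        elif tok[:2] == ["countermeasures", "mode"]:
            modes = tok[2:]
            subset = bool(modes) and set(modes) <= MODES and len(set(modes)) == len(modes)
            if modes != ["all"] and not subset:
                findings.append((n, "mode must be 'all' or a subset of rogue/adhoc/config"))
        elif tok[:2] == ["device", "aging-duration"]:
            if len(tok) != 3 or not _in_range(tok[2], AGING_S):
                findings.append((n, "aging-duration must be 300-1800 s"))
        elif tok[:3] == ["device", "attack", "mac-address"]:
            if len(tok) == 4 and MAC_RE.fullmatch(tok[3]):
                remember("attack", tok[3].lower(), n)
            else:
                findings.append((n, "attack entry needs one H-H-H MAC address"))
        elif tok[:2] == ["device", "permit"] and len(tok) >= 3:
            value = line.split(None, 3)[3] if len(tok) > 3 else ""
            if tok[2] == "mac-address" and MAC_RE.fullmatch(value):
                remember("permit-mac", value.lower(), n)
            elif tok[2] == "ssid" and 1 <= len(value) <= 32:
                remember("permit-ssid", value, n)      # SSIDs are case-sensitive
            elif tok[2] == "vendor" and OUI_RE.fullmatch(value):
                remember("permit-vendor", value.lower(), n)
            else:
                findings.append((n, f"invalid device permit {tok[2]} value"))
    # The reference does not say which list wins, so an overlap is flagged for review.
    for mac in sorted(lists["attack"] & lists["permit-mac"]):
        findings.append((0, f"{mac} is in both the static attack list and the permitted list"))
    return findings


# Constructed sample configuration (not from the page).
SAMPLE = [
    "countermeasures enable",
    "countermeasures mode rogue adhoc",
    "countermeasures on-service interval 50 max-device 5",   # interval too small
    "device aging-duration 1200",
    "device attack mac-address aabb-cc00-0001",
    "device permit mac-address AABB-CC00-0001",               # also in attack list
    "device permit vendor 000fe2",
    "device permit ssid " + "x" * 33,                         # SSID too long
    "countermeasures mode all rogue",                         # 'all' excludes others
]

if __name__ == "__main__":
    for line_no, message in lint_wlan_ids(SAMPLE):
        print(line_no or "-", message)
```

Findings with line number 0 are cross-list findings rather than per-line ones.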

device-detection enable

Use device-detection enable to set the AP to operate in hybrid mode.

Use undo device-detection enable to restore the default.

Syntax

device-detection enable

undo device-detection enable

Default

The AP operates in normal mode and only provides WLAN data services. For an AP in monitor mode, this command is invisible.

Views

AP template view, AP group view

Default command level

2: System level

Usage guidelines

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

If an AP is operating in hybrid mode, configure a service template for the AP.

Executed in AP template view, this command applies to the specified AP.

Executed in AP group view, this command applies to all APs in an AP group.

Examples

# Set an AP to operate in hybrid mode.

<Sysname> system-view

[Sysname] wlan ap 2 model WA3628i-AGN

[Sysname-wlan-ap2] device-detection enable

# Set all APs in AP group office to operate in hybrid mode.

<Sysname> system-view

[Sysname] wlan ap-group office

[Sysname-ap-group-office] device-detection enable

display wlan ids attack-list

Use display wlan ids attack-list to display attack list information in the order of MAC address.

Syntax

display wlan ids attack-list { config | all | ap ap-name } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

config: Displays the static attack list.

all: Displays the dynamic attack list established based on the rules for detection of rogue devices, for all APs. If the number of entries for an AP exceeds 256, only the first 256 entries will be sent and present in the attack list of that AP.

ap ap-name: Displays dynamic attack list information about the specified AP. Its name is a string of characters. If the number of entries for the AP exceeds 256, only the first 256 entries will be sent and present in the attack list of the AP.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display dynamic attack list information for all APs.

<Sysname> display wlan ids attack-list all

 Total Number of Entries: 2

 Flags: a = adhoc, w = ap, c = client

 #AP = number of active APs detecting, Ch = channel number

                               Attack List - All

--------------------------------------------------------------------------

 MAC Address    type #AP  Ch  Last Detected Time  SSID

--------------------------------------------------------------------------

 0009-5b94-2fb0 --c  1    1   2012-05-16/14:16:05 -

 001b-1109-a32b --c  1    5   2012-05-16/14:16:17 -

--------------------------------------------------------------------------

Table 1 Command output

| Field | Description |
|---|---|
| MAC address | MAC address of the device that is to be attacked by the monitor AP. |
| Flags | Type of the device, which can be ad hoc, AP, or client. |
| #AP | Number of active APs that detect the device. If WIDS is enabled on multiple APs, these APs may detect the same device. |
| Ch | Channel in which the device was last detected. |
| Last Detected Time | Time at which the entry was last detected. |
| SSID | Service set identifier for the ESS of the entry. |

 

# Display attack list information for AP 6.

<Sysname> display wlan ids attack-list ap ap6

 Total Number of Entries: 22

 Flags: a = adhoc, w = ap, c = client

 #AP = number of active APs detecting, Ch = channel number

                                Attack List - AP

--------------------------------------------------------------------------

 MAC Address    type #AP  Ch  Last Detected       SSID

--------------------------------------------------------------------------

 000b-6b8f-fc6a --c  1    11  2012-01-22/15:33:21 -

 000f-e000-0052 -w-  1    10  2012-01-22/15:33:58 "xxxx-xxxx-xxxx"

 000f-e200-0000 -w-  1    9   2012-01-22/15:33:59 "6103_kaifang"

 000f-e200-0001 -w-  1    9   2012-01-22/15:33:59 "6103_youxian"

 000f-e200-0002 -w-  1    9   2012-01-22/15:33:59 "6103_zhengshu"

 000f-e200-0003 -w-  1    9   2012-01-22/15:33:59 "6103_zhengshu+WPA2"

 000f-e200-00a2 --c  1    9   2012-01-22/15:33:29 -

 000f-e25d-f4b0 -w-  1    9   2012-01-22/15:33:58 "6103_kaifang"

 000f-e25d-f4b1 -w-  1    9   2012-01-22/15:33:59 "6103_youxian"

 000f-e25d-f4b2 -w-  1    9   2012-01-22/15:33:59 "6103_zhengshu"

 000f-e25d-f4b3 -w-  1    9   2012-01-22/15:33:59 "6103_zhengshu+WPA2"

 000f-e26c-2250 -w-  1    11  2012-01-22/15:33:59 "bjwifidata"

 000f-e26c-2251 -w-  1    11  2012-01-22/15:33:58 "bjwifivoice"

 000f-e26c-2252 -w-  1    11  2012-01-22/15:33:58 "voice"

 000f-e26c-28d0 -w-  1    11  2012-01-22/15:33:58 "wyg3000"

 000f-e278-8020 -w-  1    6   2012-01-22/15:33:58 "test11"

 000f-e278-8181 -w-  1    7   2012-01-22/15:33:59 "nsw-wep"

 000f-e27b-3f80 -w-  1    6   2012-01-22/15:33:38 "ytj-a"

 000f-e27b-4230 -w-  1    4   2012-01-22/15:33:58 "test2"

 0011-9548-4007 --c  1    7   2012-01-22/15:33:49 -

 0019-5bcf-cce3 --c  1    5   2012-01-22/15:33:25 -

 001a-9228-2d3e --c  1    11  2012-01-22/15:33:53 -

--------------------------------------------------------------------------

See Table 1 for related information.

display wlan ids detected

Use display wlan ids detected to display detected devices in the WLAN in the order of MAC address or SSID.

Syntax

display wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Displays all devices detected (rogues and friends) in the WLAN.

rogue: Displays rogue devices detected (AP or clients) in the WLAN.

ap: Displays all rogue APs detected in the WLAN.

client: Displays all rogue clients detected in the WLAN.

adhoc: Displays clients that belong to adhoc networks detected in the WLAN.

ssid: Displays all SSIDs detected in the WLAN.

mac-address mac-address: Displays information about an AP or client.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about all detected devices.

<Sysname> display wlan ids detected all

 Total Number of Entries : 18

 Flags: r = rogue, p = permit, a = adhoc, w = ap, b = wireless-bridge,

        c = client

 #AP = number of active APs detecting, Ch = channel number

                          Detected Device(s) List

--------------------------------------------------------------------------

 MAC Address    Vendor        Type  #AP  Ch  Last Detected       SSID

--------------------------------------------------------------------------

 000f-e281-1322 XEROX CORP... -p-w- 1    4   2012-05-16/10:49:15 "cyh-psk2"

 000f-e281-1323 XEROX CORP... -p-w- 1    4   2012-05-16/10:49:05 "cyh-ccmp"

 000f-e281-1460 XEROX CORP... -p-w- 1    6   2012-05-16/10:49:26 "fl"

 000f-e281-1461 XEROX CORP... -p-w- 1    6   2012-05-16/10:49:26 "fg2"

 0012-f0cc-4789 XEROX CORP... -p--c 1    1   2012-05-16/10:49:11 -

 0013-f702-dbd2 XEROX CORP... -p--c 1    7   2012-05-16/10:46:58 -

 0016-6f99-fbf6 XEROX CORP... -p--c 1    11  2012-05-16/10:49:02 -

 0016-6f99-fc21 XEROX CORP... -p--c 1    6   2012-05-16/10:49:25 -

 0017-9a00-7986 XEROX CORP... -p--c 1    8   2012-05-16/10:48:04 -

 0017-9a00-79bd XEROX CORP... -p--c 1    7   2012-05-16/10:47:18 -

 0017-9a00-7b47 XEROX CORP... r---c 1    10  2012-05-16/10:48:49 -

 0017-9a00-7cb8 XEROX CORP... -p--c 1    1   2012-05-16/10:49:20 -

 0019-5bcf-ccfd XEROX CORP... -p--c 1    11  2012-05-16/10:49:24 -

 001b-111d-b46f XEROX CORP... -p--c 1    6   2012-05-16/10:48:56 -

 001c-f017-41dc XEROX CORP... -p--c 1    6   2012-05-16/10:48:00 -

 001c-f017-41dd XEROX CORP... -p--c 1    6   2012-05-16/10:49:19 -

 001d-0f32-4305 XEROX CORP... -p--c 1    1   2012-05-16/10:48:33 -

 0810-741a-1b4c XEROX CORP... -p--c 1    11  2012-05-16/10:49:04 -

--------------------------------------------------------------------------

Table 2 Command output

| Field | Description |
|---|---|
| MAC Address | MAC address of the device detected. |
| Vendor | Vendor of the detected device. |
| Flags | Whether the device detected is an AP, wireless bridge, ad hoc, or client, and whether it is permitted or a rogue. |
| #AP | Number of active APs that detect the device. If WIDS is enabled on multiple APs, these APs may detect the same device. |
| Ch | Channel in which the device was last detected. |
| Last Detected | Time at which the entry was last detected. |
| SSID | Service set identifier for the ESS of the entry. |
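For monitoring, the detected device list can be parsed into records so that rogue entries are pulled out and a truncated capture is noticed. The parser below is an added example, not H3C code; the sample text is abridged from the example output above with the entry count adjusted, and the function names are illustrative. Flags are decoded by letter rather than by column position because the legend names six flags while the Type field has five characters.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Flag letters from the legend printed by "display wlan ids detected all".
FLAG_NAMES = {"r": "rogue", "p": "permit", "a": "adhoc", "w": "ap",
              "b": "wireless-bridge", "c": "client"}

# The vendor column may contain spaces ("XEROX CORP..."), so the row is
# anchored on the MAC address on the left and the 5-character Type field.
ROW = re.compile(r'''^\s*
    (?P<mac>[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+
    (?P<vendor>.+?)\s+
    (?P<flags>[-rpawbc]{5})\s+
    (?P<n_ap>\d+)\s+(?P<ch>\d+)\s+
    (?P<seen>\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+
    (?P<ssid>".*"|-)\s*$''', re.VERBOSE)
TOTAL = re.compile(r"Total Number of Entries\s*:\s*(\d+)")


@dataclass
class Device:
    mac: str
    vendor: str
    flags: frozenset
    n_ap: int
    channel: int
    last_detected: datetime
    ssid: Optional[str]


def parse_detected(text):
    """Parse the list; raise ValueError if rows do not match the declared total."""
    declared, devices = None, []
    for line in text.splitlines():
        m = TOTAL.search(line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROW.match(line)
        if not m:
            continue                      # legend, header and separator lines
        flags = frozenset(FLAG_NAMES[c] for c in m["flags"] if c != "-")
        ssid = None if m["ssid"] == "-" else m["ssid"][1:-1]
        devices.append(Device(m["mac"].lower(), m["vendor"], flags,
                              int(m["n_ap"]), int(m["ch"]),
                              datetime.strptime(m["seen"], "%Y-%m-%d/%H:%M:%S"),
                              ssid))
    if declared is not None and declared != len(devices):
        raise ValueError(f"expected {declared} entries, parsed {len(devices)}")
    return devices


def rogues(devices):
    """Rogue entries, most recently detected first."""
    found = [d for d in devices if "rogue" in d.flags]
    return sorted(found, key=lambda d: d.last_detected, reverse=True)


# Abridged from the example output above; the entry count is adjusted to 4.
SAMPLE = '''\
 Total Number of Entries : 4
 Flags: r = rogue, p = permit, a = adhoc, w = ap, b = wireless-bridge,
        c = client
 #AP = number of active APs detecting, Ch = channel number
                          Detected Device(s) List
--------------------------------------------------------------------------
 MAC Address    Vendor        Type  #AP  Ch  Last Detected       SSID
--------------------------------------------------------------------------
 000f-e281-1322 XEROX CORP... -p-w- 1    4   2012-05-16/10:49:15 "cyh-psk2"
 0012-f0cc-4789 XEROX CORP... -p--c 1    1   2012-05-16/10:49:11 -
 0017-9a00-7b47 XEROX CORP... r---c 1    10  2012-05-16/10:48:49 -
 0810-741a-1b4c XEROX CORP... -p--c 1    11  2012-05-16/10:49:04 -
--------------------------------------------------------------------------
'''

if __name__ == "__main__":
    for d in rogues(parse_detected(SAMPLE)):
        print(d.mac, sorted(d.flags), "ch", d.channel, d.last_detected)
```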

 

# Display information about detected rogue APs.

<Sysname> display wlan ids detected rogue ap

Total Number of Entries : 6                                              

#AP = number of active APs detecting, Ch = channel number

                           Detected Rogue AP(s) List                     

--------------------------------------------------------------------------

 MAC Address    Vendor     #AP Ch  Last Detected Time   SSID   

--------------------------------------------------------------------------

 000B-8580-738F Aires...  1   10  2012-03-16/12:44:11  "Diamond"

 000F-E212-1230 Hangz...  1   5   2012-03-16/12:44:11  "1"     

 000F-E234-0200 Hangz...  1   11  2012-03-16/12:44:11  "VClear"

 000F-E2AA-CC04 Hangz...  1   12  2012-03-16/12:44:11  "baba"  

 000F-E2BB-CCD0 Hangz...  1   1   2012-03-16/12:44:11  "Rogue AP Team B..."

 000F-E2F2-2230 Hangz...  1   7   2012-03-16/12:44:11  "int-RT"

--------------------------------------------------------------------------

See Table 2 for the command output description.

# Display information about the detected rogue clients.

<Sysname> display wlan ids detected rogue client

Total Number of Entries : 1

#AP = number of active APs detecting, Ch = channel number

                         Detected Rogue Client(s) List

--------------------------------------------------------------------------

 MAC Address    Vendor        #AP  Ch  Last Detected       SSID

--------------------------------------------------------------------------

 0017-9a00-7b47 XEROX CORP... 1    9   2012-05-16/10:49:30 -

--------------------------------------------------------------------------

See Table 2 for the command output description.

# Display information about all the detected adhoc devices.

<Sysname> display wlan ids detected adhoc

Total Number of Entries : 4

#AP = number of active APs, Ch = channel number

                           Detected Adhoc(s) List

----------------------------------------------------------------------

 MAC Address    Vendor   #AP Ch  Last Detected Time SSID

----------------------------------------------------------------------

 000F-E212-1230 Hangz... 1   5   2012-03-16/12:44:11 -

 000F-E234-0200 Hangz... 1   11  2012-03-16/12:44:11 -

 000F-E2AA-CC04 Hangz... 1   12  2012-03-16/12:44:11 -

 000F-E2BB-CCD0 Hangz... 1   1   2012-03-16/12:44:11 -...

----------------------------------------------------------------------

See Table 2 for the command output description.

# Display information about all detected SSIDs.

<Sysname> display wlan ids detected ssid

 Total Number of Entries : 7                                             

 #Device = number of devices using SSID                              

                             Detected SSID List                       

--------------------------------------------------------------------------

 SSID                             #Device Last Detected Time             

--------------------------------------------------------------------------

 "Crywep"                           1     2012-03-16/12:44:37            

 "H3COMTEST11"                      1     2012-03-16/12:44:37

 "autowep"                          2     2012-03-16/12:44:37            

 "baba"                             2     2012-03-16/12:44:37            

 "s1"                               1     2012-03-16/12:44:37            

 "s2"                               1     2012-03-16/12:44:37            

 "s4crypto"                         1     2012-03-16/12:43:48           

--------------------------------------------------------------------------

See Table 2 for the command output description.

# Display the detailed information about a device detected.

<Sysname> display wlan ids detected mac-address 000F-E2BB-CCD0

                            Detected Device Profile

--------------------------------------------------------------------------

 MAC Address                         : 000F-E2BB-CCD0

 BSSID                               : 000F-E2BB-CCD0

 Type                                : Rogue-AP

 SSID                                : "H3C"

 Vendor                              : New H3C Tech. Co., Ltd

 Number of APs detected it           : 2

 Channel                             : 11

 Maximum RSSI Detected               : 47

 Beacon Interval                     : 100

 First Detected(yyyy-mm-dd/hh:mm:ss) : 2012-03-16/11:32:54

 Reported AP 1

   MAC Address                       : 000F-E210-2000

   AP Name                           : ap1

   Radio Type                        : 11g

   RSSI                              : 75

   Last Detected(yyyy-mm-dd/hh:mm:ss): 2012-03-16/12:43:37

 Reported AP 2:

   MAC Address                       : 000F-E210-2001

   AP Name                           : ap12

   Radio Type                        : 11g

   RSSI                              : 75

   Last Detected(yyyy-mm-dd/hh:mm:ss): 2012-03-16/12:44:37                    

--------------------------------------------------------------------------

Table 3 Command output

| Field | Description |
|---|---|
| MAC Address | MAC address of the device detected. |
| BSSID | Basic service set identifier of the detected device. |
| Type | Whether the device detected is an AP, wireless bridge, ad hoc device, or client, and whether it is permitted or a rogue. |
| SSID | Service set identifier for the ESS of the entry. |
| Vendor | Vendor for the detected device. |
| Number of APs detected it | Number of active APs that detected the device. If WIDS is enabled on multiple APs, these APs may detect the same device. In this example output, the value 2 indicates that two APs detected the device with the MAC address 000F-E2BB-CCD0 and consider it a rogue device. |
| Channel | Channel in which the device was last detected. |
| RSSI | Maximum detected RSSI of the device. |
| Beacon Interval | Beacon interval for the detected AP. |
| First Detected | Time at which the entry was first detected. |
| Mac Address | MAC address of the AP that detected the device. |
| AP name | Name of the AP. |
| Radio type | Radio type of the AP. |
| RSSI | Maximum detected RSSI of the device. |
| Last Detected (yyyy-mm-dd/hh:mm:ss) | Time at which the rogue AP was detected. |

 

display wlan ids permitted

Use display wlan ids permitted to display the list of permitted MAC addresses, permitted SSIDs, or permitted vendor OUIs.

Syntax

display wlan ids permitted { mac-address | ssid | vendor } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

mac-address: Displays the permitted MAC address list.

ssid: Displays the permitted SSID list.

vendor: Displays the permitted vendor OUI list.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the permitted MAC-address list.

<Sysname> display wlan ids permitted mac-address

Total Number of Entries: 4  

Flags: a = adhoc, w = ap, b = wireless-bridge, c = client                   

                                  Permitted Mac Address(s)

--------------------------------------------------------------------------

 MAC Address    Detected Type                                               

--------------------------------------------------------------------------

 0000-0000-0001 Yes      a--                                                

 0000-1111-1111 Yes      -b-                                            

 0000-1111-1234 No       -                                               

 0000-1111-5634 Yes      --c                                                 

--------------------------------------------------------------------------

Table 4 Command output

| Field | Description |
|---|---|
| MAC address | MAC address of the device permitted. |
| Detected | Whether the device is detected or not. |
| Type | Type of the device, which can be adhoc, wireless bridge, AP, or client. |

 

# Display information about the permitted SSID list.

<Sysname> display wlan ids permitted ssid

Total Number of Entries: 5                                                    

                               Permitted SSID(s)                               

--------------------------------------------------------------------------

 SSID                               Detected      

--------------------------------------------------------------------------

 "s1"                              Yes                                             

 "s2"                              Yes                                            

 "s3"                              Yes                                            

 "s4"                              Yes                                            

 "s5"                              No                                            

--------------------------------------------------------------------------

Table 5 Command output

| Field | Description |
|---|---|
| SSID | Service set identifier for the ESS. |
| Detected | Whether the device has been detected or not. |

 

# Display information about the permitted OUI list.

<Sysname> display wlan ids permitted vendor

Total Number of Entries: 3

                              Permitted Vendor(s)

--------------------------------------------------------------------------------

 OUI      Vendor Name

--------------------------------------------------------------------------------

          New H3C Tech. Co., Ltd.

          Netgear Inc.

          Cisco Systems, Inc.

--------------------------------------------------------------------------------

Table 6 Command output

| Field | Description |
|---|---|
| OUI | OUI (organizationally unique identifier) of the AP. |
| Vendor | Vendor of the device. |

 

display wlan ids rogue-history

Use display wlan ids rogue-history to display all expired rogue devices, that is, rogue devices that were deleted from the list of detected rogue devices because they were not detected within the device aging duration.

Syntax

display wlan ids rogue-history [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about all expired rogue devices.

<Sysname> display wlan ids rogue-history

 Total Number of Entries: 6

 Flags: a = adhoc, w = ap, b = wireless-bridge, c = client

 Ch = channel number

                              Rogue History List

--------------------------------------------------------------------------

MAC Address    Vendor   Type   Ch  Last Detected       SSID

--------------------------------------------------------------------------

 00E0-9855-1D9A AboCo... -w-   11  2012-03-16/11:38:22 "ATNet"

 000F-E2CC-0005 Hangz... -b-   4   2012-03-16/11:37:06  -

 000F-E2CC-0004 Hangz... --c   4   2012-03-16/11:36:20  -

 000F-E2CC-DD00 Hangz... -w-   2   2012-03-16/11:36:17  "AKHIL"

 000F-E2CC-0003 Hangz... --c   4   2012-03-16/11:35:34  -

 0013-4651-23E7 D-Lin... -w-   6   2012-03-16/11:35:10  "home"

--------------------------------------------------------------------------

Table 7 Command output

| Field | Description |
|---|---|
| MAC Address | MAC address of the device. |
| Vendor | Vendor for the device. |
| Flags | Type of the device, which can be ad hoc, wireless bridge, AP, or client. |
| Ch | Channel in which the device was last detected. |
| Last Time Heard | Time at which the entry was last detected. |
| SSID | Service set identifier for the ESS of the entry. |

 

wlan ids

Use wlan ids to enter WLAN IDS view.

Syntax

wlan ids

Views

System view

Default command level

2: System level

Usage guidelines

This view enables you to configure WLAN IDS parameters, such as scan parameters and device lists.

Examples

# Enter WLAN IDS view.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids]

work-mode monitor

Use work-mode monitor to configure the AP to operate in monitor mode to scan for rogue devices.

Use undo work-mode to restore the default.

Syntax

work-mode monitor

undo work-mode

Default

The AP operates in normal mode to provide WLAN data services.

Views

AP template view, AP group view

Default command level

2: System level

Parameters

monitor: Configures the AP to operate in monitor mode.

Usage guidelines

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

Executed in AP template view, this command applies to the specified AP.

Executed in AP group view, this command applies to all APs in an AP group.

If the AP operates in monitor mode, it can only operate as a monitor AP. It cannot operate as an access AP, and cannot provide WLAN services.

The maximum number of APs that can operate in monitor mode is the maximum number of APs that the AC supports. Make sure the total number of APs configured to operate in monitor mode in AP template view and in AP group view does not exceed the maximum number of monitor-mode APs that the AC supports. For example, suppose the AC supports a maximum of 32 APs in monitor mode and you have configured 30 APs to operate in monitor mode. If an AP group contains 5 APs and you execute the work-mode monitor command in AP group view, only the two APs with the smallest IDs can operate in monitor mode.

Before you change the operating mode of an AP from hybrid to monitor, execute the undo device-detection enable command.

Examples

# Set the monitor operation mode for the AP.

<Sysname> system-view

[Sysname] wlan ap ap2 model WA3628i-AGN

[Sysname-wlan-ap-ap2] work-mode monitor

# Configure all APs in AP group office to operate in monitor mode.

<Sysname> system-view

[Sysname] wlan ap-group office

[Sysname-ap-group-office] work-mode monitor

reset wlan ids detected

Use reset wlan ids detected to clear information about a specified device or all devices detected in the WLAN.

Syntax

reset wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address }

Views

User view

Default command level

1: Monitor level

Parameters

all: Clears information about all devices detected in the WLAN.

rogue: Clears information about detected rogue devices (AP or clients) in the WLAN.

ap: Clears information about rogue APs detected in the WLAN.

client: Clears information about rogue clients detected in the WLAN.

adhoc: Clears information about ad hoc devices detected in the WLAN.

ssid: Clears information about SSIDs detected in the WLAN.

mac-address mac-address: Clears information about the device (AP or client) detected in the WLAN.

Examples

# Clear information about all devices (permitted and non-permitted) detected in the WLAN.

<Sysname> reset wlan ids detected all

reset wlan ids rogue-history

Use reset wlan ids rogue-history to delete all entries from the rogue history table.

Syntax

reset wlan ids rogue-history

Views

User view

Default command level

1: Monitor level

Examples

# Delete all entries from the rogue history table.

<Sysname> reset wlan ids rogue-history

WLAN IDS attack detection configuration commands

attack-detection enable

Use attack-detection enable to enable the WIDS-IPS detection of various DoS attacks.

Use undo attack-detection enable to restore the default.

Syntax

attack-detection enable { all | flood | spoof | weak-iv }

undo attack-detection enable

Default

No WIDS-IPS detection is enabled.

Views

WLAN IDS view

Default command level

2: System level

Parameters

all: Enables detection of all kinds of attacks.

flood: Enables detection of flood attacks.

spoof: Enables detection of spoof attacks.

weak-iv: Enables weak-IV detection.

Examples

# Enable spoof attack detection.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] attack-detection enable spoof

display wlan ids history

Use display wlan ids history to display the history of attacks detected in the WLAN system. It supports a maximum of 512 entries.

Syntax

display wlan ids history [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display attack history.

<Sysname> display wlan ids history

 Total Number of Entries: 5

  Flags:

   act = Action Frame             asr = Association Request

   aur = Authentication Request   daf = Deauthentication Frame

   dar = Disassociation Request   ndf = Null Data Frame

   pbr = Probe Request            rar = Reassociation Request

   saf = Spoofed Disassociation Frame

   sdf = Spoofed Deauthentication Frame    

   wiv = Weak IV Detected

   AT - Attack Type, Ch - Channel Number, AR - Average RSSI

                              WIDS History Table

--------------------------------------------------------------------------

 MAC Address      AT    Ch    AR    Detected Time          AP

--------------------------------------------------------------------------

 0027-E699-CA71   asr   8     44    2010-06-12/19:47:54    ap12

 0015-E9A4-D7F4   wiv   8     45    2010-06-12/19:45:28    ap48

 0027-E699-CA71   asr   8     20    2010-06-12/19:18:17    ap12

 003d-B5A6-539F   pbr   8     43    2010-06-12/19:10:48    ap56

 0015-E9A4-D7F4   wiv   8     50    2010-06-12/19:01:28    ap48

--------------------------------------------------------------------------

Table 8 Command output

| Field | Description |
|---|---|
| MAC-Address/BSSID | In case of spoof attacks, this field provides the BSSID which was spoofed. In case of other attacks, this field provides the MAC address of the device which initiated the attack. |
| AT | Type of attack. |
| Ch | Channel in which the attack was detected. |
| AR | Average RSSI of the attack frames. |
| Detected time | Time at which this attack was detected. |
| AP | Name of the AP that detected this attack. |
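An added example (not part of the H3C documentation): a Python parser for the display wlan ids history table above that groups entries by MAC address and attack type for triage. Per Table 8, the MAC column of saf/sdf rows holds the spoofed BSSID rather than the sender, so those rows are kept out of the source list; the last sample row and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# Rows 1-5 are the page's sample output; the last (sdf) row is constructed.
SAMPLE = """\
 MAC Address      AT    Ch    AR    Detected Time          AP
--------------------------------------------------------------------------
 0027-E699-CA71   asr   8     44    2010-06-12/19:47:54    ap12
 0015-E9A4-D7F4   wiv   8     45    2010-06-12/19:45:28    ap48
 0027-E699-CA71   asr   8     20    2010-06-12/19:18:17    ap12
 003d-B5A6-539F   pbr   8     43    2010-06-12/19:10:48    ap56
 0015-E9A4-D7F4   wiv   8     50    2010-06-12/19:01:28    ap48
 0200-0000-0001   sdf   6     38    2010-06-12/18:59:02    ap12
"""

SPOOF_TYPES = {"saf", "sdf"}  # Table 8: for these the MAC column is the spoofed BSSID

ROW = re.compile(
    r"^\s*([0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+([a-z]{3})\s+(\d+)\s+(-?\d+)"
    r"\s+(\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+(\S+)\s*$")

def parse_history(text):
    """Return one dict per table row; legend, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, at, ch, ar, when, ap = m.groups()
            rows.append({"mac": mac.lower(), "at": at, "ch": int(ch), "ar": int(ar),
                         "time": datetime.strptime(when, "%Y-%m-%d/%H:%M:%S"), "ap": ap})
    return rows

def summarize(rows):
    """Group by (MAC, attack type): count, first/last seen, reporting APs, MAC role."""
    out = {}
    for r in rows:
        s = out.setdefault((r["mac"], r["at"]), {
            "count": 0, "first": r["time"], "last": r["time"], "aps": set(),
            "mac_is": "spoofed-bssid" if r["at"] in SPOOF_TYPES else "source"})
        s["count"] += 1
        s["first"] = min(s["first"], r["time"])
        s["last"] = max(s["last"], r["time"])
        s["aps"].add(r["ap"])
    return out

def source_macs(summary):
    """MACs that initiated an attack; spoofed BSSIDs (the victims) are excluded."""
    return sorted({mac for (mac, _), s in summary.items() if s["mac_is"] == "source"})
```

MAC addresses are lowercased on parse because the device prints them in mixed case, as the sample rows show.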

 

display wlan ids statistics

Use display wlan ids statistics to display the count of attacks detected.

Syntax

display wlan ids statistics [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display WLAN IDS statistics.

<Sysname> display wlan ids statistics

 Current attack tracking since: 2010-06-21/12:46:33                      

----------------------------------------------------------------------

 Type                                            Current       Total      

----------------------------------------------------------------------

 Probe Request Frame Flood Attack                2             7         

 Authentication Request Frame Flood Attack       0             0          

 Deauthentication Frame Flood Attack             0             0         

 Association Request Frame Flood Attack          1             1         

 Disassociation Request Frame Flood Attack       4             8         

 Reassociation Request Frame Flood Attack        0             0          

 Action Frame Flood Attack                       0             0          

 Null Data Frame Flood Attack                    0             0          

 Weak IVs Detected                               12            21        

 Spoofed Deauthentication Frame Attack           0             0         

 Spoofed Disassociation Frame Attack             0             2         

----------------------------------------------------------------------

Table 9 Command output

| Field | Description |
|---|---|
| Current | Provides the count of attacks detected since the time specified by the current attack tracking time (specified in the "Current attack tracking since:" field). The current attack tracking time starts at system startup and is refreshed every hour thereafter. |
| Total | Provides the total count of the attacks detected since the system startup. |
| Probe Request Frame Flood Attack | Number of probe request frame flood attacks detected. |
| Authentication Request Frame Flood Attack | Number of authentication request frame flood attacks detected. |
| Deauthentication Frame Flood Attack | Number of deauthentication frame flood attacks detected. |
| Association Request Frame Flood Attack | Number of association request frame flood attacks detected. |
| Disassociation Request Frame Flood Attack | Number of disassociation request frame flood attacks detected. |
| Reassociation Request Frame Flood Attack | Number of reassociation request frame flood attacks detected. |
| Action Frame Flood Attack | Number of action frame flood attacks detected. |
| Null Data Frame Flood Attack | Number of null data frame flood attacks detected. |
| Weak IVs Detected | Number of weak IVs detected. |
| Spoofed Deauthentication Frame Attack | Number of spoofed deauthentication frame attacks detected. |
| Spoofed Disassociation Frame Attack | Number of spoofed disassociation frame attacks detected. |

reset wlan ids history

Use reset wlan ids history to clear the history information of attacks detected in the WLAN.

Syntax

reset wlan ids history

Views

User view

Default command level

1: Monitor level

Usage guidelines

After this command is executed, all the history information regarding attacks will be cleared, and the history table will be empty.

Examples

# Clear all history information of attacks.

<Sysname> reset wlan ids history

reset wlan ids statistics

Use reset wlan ids statistics to clear the statistics of attacks detected in the WLAN system.

Syntax

reset wlan ids statistics

Views

User view

Default command level

1: Monitor level

Usage guidelines

This command clears both the "current" and "total" of all attack types in the WLAN IDS statistics table.

Examples

# Clear WLAN IDS statistics.

<Sysname> reset wlan ids statistics

Blacklist and whitelist configuration commands

display wlan blacklist

Use display wlan blacklist to display the static or dynamic blacklist entries.

Syntax

display wlan blacklist { static | dynamic } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

static: Displays static blacklist entries.

dynamic: Displays dynamic blacklist entries.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about the static blacklist.

<Sysname> display wlan blacklist static

Total Number of Entries: 3

                               Static Blacklist

--------------------------------------------------------------------------

 MAC-Address

--------------------------------------------------------------------------

 0014-6c8a-43ff

 0016-6F9D-61F3

 0019-5B79-F04A

--------------------------------------------------------------------------

Table 10 Command output

| Field | Description |
|---|---|
| MAC-Address | MAC addresses of clients. |

# Display information about the dynamic blacklist.

<Sysname> display wlan blacklist dynamic

Total Number of Entries: 3

                               Dynamic Blacklist

-------------------------------------------------------------------------------

 MAC-Address    APID Lifetime(s) Blacklisted For (hh:mm:ss)   Reason

-------------------------------------------------------------------------------

 000f-e2cc-0001 1    60          00:02:11                     Assoc-Flood

 000f-e2cc-0002 2    60          00:01:17                     Deauth-Flood

 000f-e2cc-0003 3    60          00:02:08                     Auth-Flood

Table 11 Command output

| Field | Description |
|---|---|
| MAC-Address | MAC address of the device inserted into the dynamic blacklist. |
| APID | AP ID of the corresponding entry in the dynamic blacklist. |
| Lifetime(s) | Lifetime of the corresponding entry in seconds. |
| Blacklisted For (hh:mm:ss) | Time elapsed since the entry was last updated. |
| Reason | Reason why the entry was added into the dynamic blacklist. |

display wlan whitelist

Use display wlan whitelist to display the configured whitelist.

Syntax

display wlan whitelist [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the whitelist.

<Sysname> display wlan whitelist

Total Number of Entries: 3

                               Whitelist

--------------------------------------------------------------------------

 MAC-Address

--------------------------------------------------------------------------

 000e-35b2-000e

 0019-5b8e-b709

 001c-f0bf-9c92

 0000-0000-00EE

 0400-0000-0000

 0400-0000-00EE

--------------------------------------------------------------------------

Table 12 Command output

| Field | Description |
|---|---|
| MAC-Address | MAC addresses of clients in the whitelist. |

dynamic-blacklist enable

Use dynamic-blacklist enable to enable the dynamic blacklist feature.

Use undo dynamic-blacklist enable to disable the dynamic blacklist feature.

Syntax

dynamic-blacklist enable

undo dynamic-blacklist enable

Default

The dynamic blacklist feature is disabled.

Views

WLAN IDS view

Default command level

2: System level

Parameters

enable: Enables the dynamic blacklist feature.

Usage guidelines

With this feature, a WLAN device, upon detecting flood attacks from a device, adds the device to the dynamic blacklist, and denies any packets from this device until the dynamic blacklist entry ages out.

The maximum number of entries in the dynamic blacklists depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# Enable the dynamic blacklist feature.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] dynamic-blacklist enable

dynamic-blacklist lifetime

Use dynamic-blacklist lifetime to set the lifetime for dynamic blacklist entries.

Use undo dynamic-blacklist lifetime to restore the default.

Syntax

dynamic-blacklist lifetime lifetime

undo dynamic-blacklist lifetime

Default

The lifetime is 300 seconds.

Views

WLAN IDS view

Default command level

2: System level

Parameters

lifetime: Interval, in the range of 60 to 3600 seconds.

Usage guidelines

If a dynamic blacklist entry is not detected within the lifetime, the entry is removed from the dynamic blacklist.

Examples

# Specify a lifetime of 1200 seconds for dynamic blacklist entries.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] dynamic-blacklist lifetime 1200

reset wlan dynamic-blacklist

Use reset wlan dynamic-blacklist to remove a specified entry or all entries from the dynamic blacklist.

Syntax

reset wlan dynamic-blacklist { mac-address mac-address | all }

Views

User view

Default command level

1: Monitor level

Parameters

mac-address mac-address: Removes an entry with the specified MAC address from the dynamic blacklist.

all: Removes all entries from the dynamic blacklist.

Usage guidelines

The maximum number of entries in the dynamic blacklist is 128.

Examples

# Remove a client with MAC address 001d-0f31-87d from the dynamic blacklist.

<Sysname> reset wlan dynamic-blacklist mac-address 001d-0f31-87d

static-blacklist mac-address

Use static-blacklist mac-address to add a client with a specified MAC address to the static blacklist.

Use undo static-blacklist to remove the client with the specified MAC address or all clients from the static blacklist.

Syntax

static-blacklist mac-address mac-address

undo static-blacklist { mac-address mac-address | all }

Views

WLAN IDS view

Default command level

2: System level

Parameters

mac-address: Specifies the MAC address of the client to add to or delete from the static blacklist.

all: Deletes all entries from the static blacklist.

Default

No static blacklist exists.

Usage guidelines

Clients in the static blacklist cannot get associated with the AP.

The maximum number of entries in the static blacklist depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# Add the client with MAC address 0014-6c8a-43ff to the static blacklist.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] static-blacklist mac-address 0014-6c8a-43ff

whitelist mac-address

Use whitelist mac-address to add a client with a specified MAC address to the whitelist.

Use undo whitelist to remove the client with the specified MAC address or all clients from the whitelist.

Syntax

whitelist mac-address mac-address

undo whitelist { mac-address mac-address | all }

Views

WLAN IDS view

Default command level

2: System level

Parameters

mac-address: Specifies the MAC address of the client to add to or delete from the whitelist.

all: Deletes all entries from the whitelist.

Default

No whitelist exists.

Usage guidelines

Clients in the whitelist can be associated with the AP.

The maximum number of entries in the whitelist varies with device models (see About the H3C Access Controllers Command References).

Examples

# Add the client with MAC address 001c-f0bf-9c92 to the whitelist.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] whitelist mac-address 001c-f0bf-9c92
