Login
- Table of Contents
-
- 02-WLAN
- 00-Preface
- 01-AP management commands
- 02-Radio management commands
- 03-WLAN access commands
- 04-WLAN security commands
- 05-WLAN authentication commands
- 06-WIPS commands
- 07-WLAN QoS commands
- 08-WLAN roaming commands
- 09-WLAN load balancing commands
- 10-WLAN radio resource measurement commands
- 11-Channel scanning commands
- 12-Band navigation commands
- 13-WLAN high availability commands
- 14-802.11r commands
- 15-Wireless location commands
- 16-Hotspot 2.0 commands
- 17-WLAN RRM commands
- 18-WT commands
- 19-IoT AP commands
- 20-CM tunnel commands
- 21-Cloud connection commands
- 22-WLAN IP snooping commands
- 23-WLAN fast forwarding commands
- 24-WLAN forwarding commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 05-WLAN authentication commands | 92.09 KB |
client-security authentication fail-vlan
client-security authentication-location
client-security authentication-mode
client-security authorization-fail offline
client-security ignore-authentication
client-security ignore-authorization
client-security intrusion-protection action
client-security intrusion-protection enable
client-security intrusion-protection timer temporary-block
client-security intrusion-protection timer temporary-service-stop
display wlan client-security block-mac
WLAN authentication commands
This chapter describes WLAN-specific authentication commands. For more information about 802.1X and MAC authentication commands, see Security Command Reference.
client-security authentication fail-vlan
Use client-security authentication fail-vlan to configure an Auth-Fail VLAN for a service template.
Use undo client-security authentication fail-vlan to restore the default.
Syntax
client-security authentication fail-vlan vlan-id
undo client-security authentication fail-vlan
Default
No Auth-Fail VLAN is configured for a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
vlan-id: Specifies the ID of the Auth-Fail VLAN, in the range of 1 to 4094. Make sure the VLAN has been created.
Usage guidelines
A WLAN Auth-Fail VLAN accommodates clients that have failed WLAN authentication because of the failure to comply with the organization security strategy. For example, the VLAN accommodates clients that have entered wrong passwords. The Auth-Fail VLAN does not accommodate WLAN clients that have failed authentication for authentication timeouts or network connection problems.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Configure VLAN 10 as the Auth-Fail VLAN on service template 1.
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] client-security authentication fail-vlan 10
client-security authentication-location
Use client-security authentication-location to specify the authenticator for WLAN clients.
Use undo client-security authentication-location to restore the default.
Syntax
client-security authentication-location { ac | ap }
undo client-security authentication-location
Default
The AC acts as the authenticator to authenticate WLAN clients.
Views
Service template view
Predefined user roles
network-admin
Parameters
ac: Specifies the AC as the authenticator.
ap: Specifies the AP as the authenticator.
Usage guidelines
You cannot specify the AP as the authenticator if the AC is configured to forward client data traffic (by using the client forwarding-location command). For information about the client forwarding-location command, see "WLAN access commands."
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Configure the AC as the authenticator for WLAN clients on service template s1.
[Sysname] wlan service-template s1
[Sysname-wlan-st-s1] client-security authentication-location ac
Related commands
client forwarding-location
client-security authentication-mode
Use client-security authentication-mode to set the authentication mode for WLAN clients.
Use undo client-security authentication-mode to restore the default.
Syntax
undo client-security authentication-mode
Default
The WLAN authentication mode is Bypass. The device does not perform authentication for WLAN clients.
Views
Service template view
Predefined user roles
network-admin
Parameters
dot1x: Performs 802.1X authentication only.
dot1x-then-mac: Performs 802.1X authentication first, and then MAC authentication. If the client passes 802.1X authentication, MAC authentication is not performed.
mac: Performs MAC authentication only.
mac-then-dot1x: Performs MAC authentication first, and then 802.1X authentication. If the client passes MAC authentication, 802.1X authentication is not performed.
oui-then-dot1x: Performs OUI authentication first, and then 802.1X authentication. If the client passes OUI authentication, 802.1X authentication is not performed.
Usage guidelines
A service template allows access of multiple authenticated clients in any authentication mode. To set the maximum number of 802.1X clients, use the dot1x max-user command. To set the maximum number of MAC authentication clients, use the mac-authentication max-user command.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Set the authentication mode to mac for WLAN clients on service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security authentication-mode mac
client-security authorization-fail offline
Use client-security authorization-fail offline to enable the authorization-fail-offline feature.
Use undo client-security authorization-fail offline to disable the authorization-fail-offline feature.
Syntax
client-security authorization-fail offline
undo client-security authorization-fail offline
Default
The authorization-fail-offline feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
The authorization-fail-offline feature logs off WLAN clients that fail ACL or user profile authorization.
A WLAN client fails ACL or user profile authorization in the following situations:
· The device or server fails to authorize the specified ACL or user profile to the client.
· The authorized ACL or user profile does not exist.
If this feature is disabled, the device does not log off WLAN clients that fail ACL or user profile authorization. However, the device outputs logs to report the failure.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the authorization-fail-offline feature for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security authorization-fail offline
client-security ignore-authentication
Use client-security ignore-authentication to configure the device to ignore the 802.1X or MAC authentication failures.
Use undo client-security ignore-authentication to restore the default.
Syntax
client-security ignore-authentication
undo client-security ignore-authentication
Default
The device does not ignore the authentication failures for wireless clients that perform 802.1X authentication or perform RADIUS-based MAC authentication.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This command applies to the following clients:
· Clients that perform 802.1X authentication.
This command enables the device to ignore the 802.1X authentication failures and allow clients that have failed 802.1X authentication to come online.
· Clients that perform both RADIUS-based MAC authentication and portal authentication.
Typically, a client must pass MAC authentication and portal authentication in turn to access network resources. The client provides username and password each time portal authentication is performed.
This command simplifies the authentication process for a client as follows:
¡ If the RADIUS server already records the client's MAC authentication information, the client passes MAC authentication. The device allows the client to access network resources without performing portal authentication.
¡ If the RADIUS server does not record the client's MAC authentication information, the client fails MAC authentication. The device ignores the MAC authentication failures and performs portal authentication for the client. If the client passes portal authentication, it can access network resources. The MAC address of the portal authenticated client will be recorded as MAC authentication information on the RADIUS server. At the next authentication attempt, the client will pass MAC authentication and access network resources without performing portal authentication.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
For RSN + 802.1X clients to roam to a new AP, do not use this command.
Examples
# Configure the device to ignore 802.1X or MAC authentication failures on service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security ignore-authentication
client-security ignore-authorization
Use client-security ignore-authorization to configure the device to ignore the authorization information received from the authentication server (a RADIUS server or the local device).
Use undo client-security ignore-authorization to restore the default.
Syntax
client-security ignore-authorization
undo client-security ignore-authorization
Default
The device uses the authorization information from the server.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
After a client passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the device to use these authorization attributes for clients, configure this command to ignore the authorization information from the server.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Configure the device to ignore the authorization information from the authentication server for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security ignore-authorization
client-security intrusion-protection action
Use client-security intrusion-protection action to configure the intrusion protection action that the device takes when intrusion protection detects illegal frames.
Use undo client-security intrusion-protection action to restore the default.
Syntax
undo client-security intrusion-protection action
Default
The intrusion protection action is temporary-block.
Views
Service template view
Predefined user roles
network-admin
Parameters
service-stop: Stops the BSS where an illegal frame is received until the BSS is enabled manually on the radio interface.
temporary-block: Adds the source MAC address of an illegal frame to the blocked MAC address list for a period. To set the period, use the client-security intrusion-protection timer temporary-block command.
temporary-service-stop: Stops the BSS where an illegal frame is received for a period. To set the period, use the client-security intrusion-protection timer temporary-service-stop command.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
For this command to take effect, you must also use the client-security intrusion-protection enable command to enable the intrusion protection feature.
Examples
# Configure the device to stop the BSS where intrusion protection detects illegal frames for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
[Sysname-wlan-st-service1] client-security intrusion-protection action service-stop
Related commands
· client-security intrusion-protection enable
· client-security intrusion-protection timer temporary-block
· client-security intrusion-protection timer temporary-service-stop
client-security intrusion-protection enable
Use client-security intrusion-protection enable to enable the intrusion protection feature.
Use undo client-security intrusion-protection enable to disable the intrusion protection feature.
Syntax
client-security intrusion-protection enable
undo client-security intrusion-protection enable
Default
The intrusion protection feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
When the device receives an association request from an illegal client, the device takes the predefined protection action on the BSS where the request is received. A client is illegal if its MAC address fails WLAN authentication. To set the protection action, use the client-security intrusion-protection action command.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the intrusion protection feature for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
Related commands
client-security intrusion-protection action
client-security intrusion-protection timer temporary-block
Use client-security intrusion-protection timer temporary-block to set the period during which a MAC address is blocked by intrusion protection.
Use undo client-security intrusion-protection timer temporary-block to restore the default.
Syntax
client-security intrusion-protection timer temporary-block time
undo client-security intrusion-protection timer temporary-block
Default
An illegal MAC address is blocked for 180 seconds.
Views
Service template view
Predefined user roles
network-admin
Parameters
time: Sets the period during which a MAC address is blocked. The value range is 60 to 300 seconds.
Usage guidelines
This command takes effect only when the intrusion protection action is temporary-block.
If you change the blocking period after the service template is enabled, the new setting takes effect on the subsequent detected illegal packets.
Examples
# Configure service template service1 to block illegal MAC addresses for 120 seconds.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
[Sysname-wlan-st-service1] client-security intrusion-protection action temporary-block
[Sysname-wlan-st-service1] client-security intrusion-protection timer temporary-block 120
Related commands
· client-security intrusion-protection action
· client-security intrusion-protection enable
client-security intrusion-protection timer temporary-service-stop
Use client-security intrusion-protection timer temporary-service-stop to set the BSS silence period for intrusion protection.
Use undo client-security intrusion-protection timer temporary-service-stop to restore the default.
Syntax
client-security intrusion-protection timer temporary-service-stop time
undo client-security intrusion-protection timer temporary-service-stop
Default
The BSS silence period is 20 seconds.
Views
Service template view
Predefined user roles
network-admin
Parameters
time: Sets the period during which a BSS is disabled. The value range is 10 to 300 seconds.
Usage guidelines
This command takes effect only when the intrusion protection action is temporary-service-stop.
If you change the BSS silence period after the service template is enabled, the new setting takes effect on the subsequent detected illegal packets.
Examples
# Set the BSS silence period to 30 seconds for intrusion protection on service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
[Sysname-wlan-st-service1] client-security intrusion-protection action temporary-service-stop
[Sysname-wlan-st-service1] client-security intrusion-protection timer temporary-service-stop 30
Related commands
· client-security intrusion-protection action
· client-security intrusion-protection enable
display wlan client-security block-mac
Use display wlan client-security block-mac to display blocked MAC address information for WLAN clients.
Syntax
display wlan client-security block-mac [ ap ap-name [ radio radio-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and minus signs (-). If you do not specify this option, the command displays information about all blocked MAC addresses.
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify this option, the command displays blocked MAC address information for all radios on the specified AP.
Usage guidelines
A MAC address that fails authentication is added to the blocked MAC address list when the intrusion protection action is temporary-block.
Examples
# Display information about all blocked MAC addresses.
<Sysname> display wlan client-security block-mac
MAC address AP ID RADIO ID BSSID
0002-0002-0002 1 1 00ab-0de1-0001
000d-88f8-0577 1 1 0ef1-0001-02c1
Total entries: 2
Table 1 Command output
|
Field |
Description |
|
MAC address |
Blocked MAC address, in the format of H-H-H. |
|
AP ID |
AP ID of the blocked MAC address. |
|
RADIO ID |
Radio ID of the blocked MAC address. |
|
BSSID |
BSS ID of the blocked MAC address, in the format of H-H-H. |
|
Number of blocked MAC addresses. |
Related commands:
· client-security intrusion-protection action
· client-security intrusion-protection timer temporary-block
dot1x domain
Use dot1x domain to specify an authentication domain for 802.1X clients on a service template.
Use undo dot1x domain to restore the default.
Syntax
Default
No authentication domain is specified for 802.1X clients on a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
802.1X chooses an authentication domain for WLAN clients in the following order:
1. Authentication domain specified on the service template.
2. Domain specified by username.
3. Default authentication domain.
Examples
# Specify domain my-domain as the authentication domain for 802.1X clients on service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x domain my-domain
dot1x eap
Use dot1x eap to specify an EAP mode for 802.1X authentication.
Use undo dot1x eap to restore the default.
Syntax
dot1x eap { extended | standard }
undo dot1x eap
Default
The EAP mode is standard.
Views
Service template view
Predefined user roles
network-admin
Parameters
extended: Specifies the extended EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the proprietary EAP protocol.
standard: Specifies the standard EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the standard EAP protocol.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
When you configure this command, specify the extended keyword for iNode clients and the standard keyword for other clients.
This command is required only when an IMC server is used as the RADIUS server.
Examples
# Set the EAP mode for 802.1X authentication to extended on service template 1.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] dot1x eap extended
dot1x handshake enable
Use dot1x handshake enable to enable the 802.1X online user handshake feature.
Use undo dot1x handshake enable to disable the 802.1X online user handshake feature.
Syntax
Default
The 802.1X online user handshake feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
The online user handshake feature checks the connection status of online 802.1X clients by periodically sending handshake messages to the clients. The device sets a client to the offline state if it does not receive responses from the client after making the maximum handshake attempts within the handshake timer. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the online user handshake feature for 802.1X clients on service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x handshake enable
Related commands
· dot1x handshake secure enable
· dot1x retry (Security Command Reference)
· dot1x timer handshake-period (Security Command Reference)
dot1x handshake secure enable
Use dot1x handshake secure enable to enable the 802.1X online user handshake security feature.
Use undo dot1x handshake secure enable to disable the 802.1X online user handshake security feature.
Syntax
undo dot1x handshake secure enable
Default
The online user handshake security feature is disabled for 802.1X clients.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
For the online user handshake security feature to take effect, you must enable online user handshake.
The online user handshake security feature protects only authenticated online 802.1X clients.
Examples
# Enable the online user handshake security feature for 802.1X clients on service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x handshake enable
[Sysname-wlan-st-service1] dot1x handshake secure enable
Related commands
dot1x max-user
Use dot1x max-user to set the maximum number of concurrent 802.1X clients on a service template.
Use undo dot1x max-user to restore the default.
Syntax
Default
A maximum of 4096 concurrent 802.1X clients are allowed on a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
count: Sets the maximum number of concurrent 802.1X clients. The value range is 1 to 4096.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
When the maximum number is reached, the service template denies subsequent 802.1X clients.
Examples
# Set the maximum number of concurrent 802.1X clients to 32 on service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x max-user 500
dot1x re-authenticate enable
Use dot1x re-authenticate enable to enable the 802.1X periodic online user reauthentication feature on a service template.
Use undo dot1x re-authenticate enable to disable the feature on a service template.
Syntax
undo dot1x re-authenticate enable
Default
The 802.1X periodic online user reauthentication feature is disabled on a service template.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Periodic reauthentication enables the device to periodically authenticate online 802.1X clients on a service template. This feature checks the connection status of online clients and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile.
You can use the dot1x timer reauth-period command to configure the interval for reauthentication.
The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) together can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).
· If the termination action is Default (logoff), periodic online user reauthentication on the template takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.
· If the termination action is Radius-request, the periodic online user reauthentication configuration on the template does not take effect. The device reauthenticates the online 802.1X clients after the session timeout timer expires.
Examples
# Enable the 802.1X periodic online user reauthentication feature on service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x re-authenticate enable
Related commands
dot1x timer (Security Command Reference)
mac-authentication domain
Use mac-authentication domain to specify an authentication domain for MAC authentication clients on a service template.
Use undo mac-authentication domain to restore the default.
Syntax
mac-authentication domain domain-name
undo mac-authentication domain
Default
No authentication domain is specified for MAC authentication clients on a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
MAC authentication chooses an authentication domain for WLAN clients in the following order:
1. Authentication domain specified on the service template.
2. Global authentication domain specified in system view.
3. Default authentication domain.
Examples
# Specify the domain my-domain as the authentication domain for MAC authentication clients on service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] mac-authentication domain my-domain
mac-authentication max-user
Use mac-authentication max-user to set the maximum number of concurrent MAC authentication clients on a service template.
Use undo mac-authentication max-user to restore the default.
Syntax
mac-authentication max-user count
undo mac-authentication max-user
Default
A maximum of 4096 concurrent MAC authentication clients are allowed on a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
count: Sets the maximum number of concurrent MAC authentication clients. The value range for this argument is 1 to 4096.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
When the maximum number is reached, the service template denies subsequent MAC authentication clients.
Examples
# Configure service template service1 to support a maximum of 32 concurrent MAC authentication clients.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] mac-authentication max-user 32
port-security oui
Use port-security oui to configure an OUI value for OUI authentication.
Use undo port-security oui to delete the OUI value with the specified OUI index.
Syntax
port-security oui index index-value mac-address oui-value
undo port-security oui index index-value
Default
No OUI values are configured.
Views
System view
Predefined user roles
network-admin
Parameters
index-value: Sets the OUI index in the range of 1 to 16.
oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.
Usage guidelines
You can configure a maximum of 16 OUI values.
An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command when you configure a device to allow packets from certain wireless devices to initiate authentication. For example, when a company allows only IP phones of vendor A in the Intranet, use this command to specify the OUI of vendor A.
The OUI values configured by using this command apply only when the authentication mode is oui-or-dot1x. A port in oui-or-dot1x mode permits frames from one 802.1X authenticated user and one user whose MAC address contains a specific OUI.
Examples
# Configure an OUI value of 000d2a, and set the index to 4.
<Sysname> system-view
[Sysname] port-security oui index 4 mac-address 000d-2a10-003
