- 02-WLAN Configuration Guide
03-WLAN Security Configuration
Enabling an authentication method
Configuring the GTK rekey method
Specifying a key derivation type
Configuring management frame protection
Configuring the 802.1X client feature for an AP
Displaying and maintaining WLAN security
WLAN security configuration examples
PSK authentication configuration example
MAC and PSK authentication configuration example
802.1X authentication configuration example
Dynamic WEP encryption-802.1X authentication configuration example
Supported combinations for ciphers
Configuring WLAN security
Overview
This chapter describes WLAN security configuration.
Authentication modes
To secure wireless links, wireless clients must be authenticated before accessing the AP. The 802.11 standard defines two link-level authentication mechanisms: open system authentication and shared key authentication.
· Open system authentication
Open system authentication is the default authentication algorithm and the simplest one available. It is a null authentication algorithm: any client that requests authentication with it is authenticated. The process has two steps. In the first step, the wireless client sends an authentication request. In the second step, the AP decides whether the client passes (with open system it always does) and returns the result to the client. Open system authentication provides no security by itself. It is nevertheless the required setting for RSN and WPA (see "Enabling an authentication method"), because the real authentication happens afterwards, in the 802.1X exchange or the PSK 4-way handshake.
Figure 1 Open system authentication process
· Shared key authentication
Figure 2 shows a shared key authentication process. The two parties must have the same shared WEP key configured.
Shared key authentication uses the following process:
a. The client sends an authentication request to the AP.
b. The AP generates a random challenge and sends it to the client.
c. The client encrypts the challenge with the shared key and sends the encrypted challenge to the AP.
d. The AP decrypts the received frame with the shared key and compares the result with the challenge it sent. If they are identical, the client passes the authentication. If not, the authentication fails.
Shared key authentication is weaker than it looks. An eavesdropper who captures steps b and c holds a plaintext and the corresponding RC4 ciphertext for that IV; XORing the two yields the keystream, which is enough to answer a later challenge without knowing the key. The mechanism exists only for legacy WEP clients; prefer open system authentication with RSN.
Figure 2 Shared key authentication process
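The shared key exchange above, and the reason it should not be relied on, as an added Python example that is not part of this guide. It models both sides of the four-frame exchange over simplified WEP framing (clear 3-byte IV, RC4 over challenge plus CRC-32 ICV), then shows an eavesdropper recovering the keystream from one observed exchange and passing its own authentication with it. The WEP key, the IV and the client MAC addresses are constructed for the demonstration; the class and function names are this example's own, not commands or APIs of the device.

```python
import os
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, transmitted little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: clear 3-byte IV, then RC4(IV || key) over plaintext || ICV."""
    return iv + rc4(iv + wep_key, plaintext + icv(plaintext))


def wep_decrypt(wep_key: bytes, body: bytes):
    """Returns the plaintext, or None when the ICV does not verify."""
    clear = rc4(body[:3] + wep_key, body[3:])
    data = clear[:-4]
    return data if clear[-4:] == icv(data) else None


class SharedKeyAuthenticator:
    """AP side of the four-frame shared key exchange (frames 2 and 4)."""

    def __init__(self, wep_key: bytes):
        self.wep_key = wep_key
        self.pending = {}  # client MAC -> outstanding 128-byte challenge

    def frame2_challenge(self, client: bytes) -> bytes:
        challenge = os.urandom(128)
        self.pending[client] = challenge
        return challenge

    def frame4_result(self, client: bytes, frame3_body: bytes) -> bool:
        challenge = self.pending.pop(client, None)
        return challenge is not None and wep_decrypt(self.wep_key, frame3_body) == challenge


def frame3_with_key(wep_key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """What a legitimate client sends: the challenge WEP-encrypted under the shared key."""
    return wep_encrypt(wep_key, iv, challenge)


def keystream_from_exchange(challenge: bytes, frame3_body: bytes):
    """Eavesdropper: frame 2 is the plaintext of frame 3, and the ICV of a known plaintext is
    known too, so XOR gives 132 bytes of keystream for the IV that frame 3 carries in clear."""
    known = challenge + icv(challenge)
    return frame3_body[:3], bytes(a ^ b for a, b in zip(known, frame3_body[3:]))


def frame3_without_key(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Attacker answers a fresh challenge by reusing the captured IV and keystream."""
    known = challenge + icv(challenge)
    return iv + bytes(a ^ b for a, b in zip(known, keystream))


def demo() -> dict:
    wep_key = bytes.fromhex("0123456789abcdef0123456789")  # constructed WEP104 key
    ap = SharedKeyAuthenticator(wep_key)
    victim, attacker = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    # Legitimate exchange, passively captured by the attacker.
    c1 = ap.frame2_challenge(victim)
    f3 = frame3_with_key(wep_key, b"\x01\x02\x03", c1)
    victim_ok = ap.frame4_result(victim, f3)
    # Attacker derives the keystream for IV 01:02:03 and authenticates without the key.
    iv, ks = keystream_from_exchange(c1, f3)
    c2 = ap.frame2_challenge(attacker)
    attacker_ok = ap.frame4_result(attacker, frame3_without_key(iv, ks, c2))
    return {"victim_ok": victim_ok, "attacker_ok": attacker_ok, "keystream_bytes": len(ks)}
```

The AP accepts any IV in frame 3, which is why one captured exchange is enough; the same keystream also decrypts the first 132 bytes of any data frame sent under that IV.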
WLAN data security
WLAN networks are more susceptible than wired networks to attacks because all WLAN devices share the same medium and every device can receive data from any other sending device. Plain-text data is transmitted over the WLAN if there is no security service.
To secure data transmission, 802.11 protocols provide encryption methods to ensure that devices without the correct key cannot read encrypted data.
· WEP encryption
Wired Equivalent Privacy (WEP) was designed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses the RC4 stream cipher for confidentiality. WEP encryption is either static or dynamic, depending on how the WEP key is generated.
¡ Static WEP encryption
With static WEP encryption, all clients using the same SSID share one encryption key. If that key is recovered or lost, an attacker can decrypt all traffic they capture. In addition, periodic manual key updates place a heavy management burden on administrators.
¡ Dynamic WEP encryption
With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol, so each client is assigned a different unicast WEP key. The keys can be updated periodically to further improve unicast frame transmission security.
Although WEP raises the bar against casual interception and session hijacking, it is cryptographically broken: the way RC4 is keyed (a short, reused 24-bit IV prepended to a static key) lets an attacker recover a static key from captured traffic in minutes, and dynamic keying only limits the damage. Use WEP only where legacy clients leave no alternative, and prefer AES-CCMP.
· TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has several advantages over WEP and provides better protection for the WLAN:
¡ TKIP uses longer IVs. It runs RC4 with a 128-bit key and increases the IV length from 24 bits to 48 bits, with per-packet key mixing so that the RC4 key differs for every frame.
¡ TKIP uses dynamic key negotiation instead of static key configuration. It replaces the single static key with a base key generated by an authentication server (or derived from the PSK) and per-session keys derived from it, which cannot be recovered the way a static WEP key can.
¡ TKIP provides a message integrity code (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with and the system may be under attack. If two packets fail the MIC within a specified period, the AP takes countermeasures, for example by refusing TKIP service for a period to stop the attack.
TKIP was an interim fix for WEP-era hardware. It is deprecated in current 802.11 revisions and is not permitted with 802.11n or later data rates; use it only for legacy clients that cannot do AES-CCMP.
· AES-CCMP encryption
Counter mode with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES block cipher. CCM combines counter (CTR) mode for confidentiality with CBC-MAC for authentication and integrity. CCM protects the integrity of both the MAC Protocol Data Unit (MPDU) Data field and selected portions of the IEEE 802.11 MPDU header. The AES block cipher in CCMP uses a 128-bit key and a 128-bit block size. Like TKIP, CCMP uses dynamic key negotiation and management, so each wireless client negotiates its own key suite, which can be updated periodically. During encryption, CCMP uses a 48-bit packet number (PN) that is incremented for every MPDU, so no nonce is reused under one key and the receiver can reject replayed frames. AES-CCMP is the cipher suite to use wherever the clients support it.
Client access authentication
· PSK authentication
To implement pre-shared key (PSK) authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass the PSK authentication.
· 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls devices at the port level. A device that is connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.
· MAC address authentication
MAC address authentication does not require any client software. The MAC address of a client is compared against a predefined list of allowed MAC addresses. If a match is found, the client passes the authentication and can access the WLAN. If no match is found, the authentication fails and access is denied. The user is not required to enter a username or password. This type of authentication is suited to small networks with fixed clients. Because a MAC address is sent in the clear in every frame and can be set freely on most adapters, MAC address authentication on its own does not stop a determined attacker; combine it with PSK or 802.1X (see "Configuring PSK and MAC address authentication").
MAC address authentication can be done locally or through a RADIUS server.
¡ Local MAC address authentication—A list of usernames and passwords (the MAC addresses of allowed clients) is created on the wireless access device and the clients are authenticated by the wireless access device. Only clients whose MAC addresses are included in the list can pass the authentication and access the WLAN.
¡ MAC address authentication through RADIUS server—The wireless access device serves as the RADIUS client and sends the MAC address of each requesting client to the RADIUS server. If the client passes the authentication on the RADIUS server, the client can access the WLAN within the authorization assigned by the RADIUS server. In this authentication mode, if different domains are defined, authentication information of different SSIDs are sent to different RADIUS servers based on their domains.
For more information about access authentication, see Security Configuration Guide.
Protocols and standards
· IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements, 2004
· Wi-Fi Protected Access—Enhanced Security Implementation Based On IEEE P802.11i Standard, August 2004
· Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—802.11, 1999
· IEEE Standard for Local and metropolitan area networks: Port-Based Network Access Control, IEEE 802.1X-2004
· IEEE 802.11i, IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements
Configuring WLAN security
To configure WLAN security in a service template, map the service template to a radio policy, and add radios to the radio policy. The SSID name, advertisement setting (beaconing), and encryption settings are configured in the service template. You can configure an SSID to support any combination of WPA, RSN, and Pre-RSN clients.
Configuration task list
Task | Remarks
---|---
Enabling an authentication method | Required.
Configuring the PTK lifetime | Optional.
Configuring the GTK rekey method | Optional.
Configuring security IE | Required.
Configuring cipher suite | Required.
Configuring port security | Required.
Specifying a key derivation type | Optional.
Configuring management frame protection | Optional.
Configuring the 802.1X client feature for an AP | Optional.
Enabling an authentication method
You can enable open system or shared key authentication or both.
To enable an authentication method:
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
3. Enable the authentication method.
   Command: authentication-method { open-system | shared-key }
   Remarks: Optional. By default, open system authentication is used. Shared key authentication can be used only with WEP encryption, and only if you configure the authentication-method shared-key command. For RSN and WPA, the authentication method must be open system authentication.
Configuring the PTK lifetime
A pairwise transient key (PTK) is derived during the 4-way handshake from the pairwise master key (PMK), a random value generated by the AP (ANonce), a random value generated by the client (SNonce), the AP's MAC address, and the client's MAC address. The PTK is split into the key confirmation key (KCK) that protects the handshake messages, the key encryption key (KEK) that wraps the GTK, and the temporal key (TK) that encrypts data frames. When the PTK lifetime expires, the key is renegotiated.
To configure the PTK lifetime:
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
3. Configure the PTK lifetime.
   Command: ptk-lifetime time
   Remarks: Optional. By default, the PTK lifetime is 43200 seconds (12 hours).
Configuring the GTK rekey method
During the authentication process between an AP and a client, the AC generates a group temporal key (GTK) and delivers it to the client through the 4-way handshake or the group key handshake. The client uses the GTK to decrypt broadcast and multicast frames. In a Robust Security Network (RSN), the GTK is delivered through either the 4-way handshake or the group key handshake; with Wi-Fi Protected Access (WPA), only through the group key handshake. All clients on the same service template share the GTK, so a client that leaves still holds a valid group key until the next rekey; rekeying when a client goes offline (gtk-rekey client-offline enable) closes that window.
The following GTK rekey methods can be configured:
· Time-based GTK rekey—After the specified interval elapses, GTK rekey occurs.
· Packet-based GTK rekey—After the specified number of packets is sent, GTK rekey occurs.
By default, time-based GTK rekey is adopted, and the rekey interval is 86400 seconds.
Configuring a new GTK rekey method overwrites the previous GTK rekey method. For example, if time-based GTK rekey is configured after packet-based GTK rekey is configured, time-based GTK rekey takes effect.
You can also configure the device to start GTK rekey when a client goes offline.
Configuring GTK rekey based on time
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
3. Enable GTK rekey.
   Command: gtk-rekey enable
   Remarks: By default, GTK rekey is enabled.
4. Configure the GTK rekey interval.
   Command: gtk-rekey method time-based [ time ]
   Remarks: By default, the interval is 86400 seconds (24 hours).
5. Configure the device to start GTK rekey when a client goes offline.
   Command: gtk-rekey client-offline enable
   Remarks: Optional. By default, the device does not start GTK rekey when a client goes offline. This command takes effect only when you execute the gtk-rekey enable command.
Configuring GTK rekey based on packet
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
3. Enable GTK rekey.
   Command: gtk-rekey enable
   Remarks: By default, GTK rekey is enabled.
4. Configure GTK rekey based on packet.
   Command: gtk-rekey method packet-based [ packet ]
   Remarks: The default packet number is 10000000.
5. Configure the device to start GTK rekey when a client goes offline.
   Command: gtk-rekey client-offline enable
   Remarks: Optional. By default, the device does not start GTK rekey when a client goes offline. This command takes effect only when you execute the gtk-rekey enable command.
Configuring security IE
WPA ensures greater protection than WEP. WPA operates in either WPA-PSK (or Personal) mode or WPA-802.1X (or Enterprise) mode. In Personal mode, a pre-shared key or pass-phrase is used for authentication. In Enterprise mode, 802.1X and RADIUS servers and the EAP are used for authentication.
Configuring WPA security IE
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
3. Enable the WPA-IE in beacons and probe responses.
   Command: security-ie wpa
   Remarks: By default, WPA-IE is disabled.
Configuring RSN security IE
An RSN is a security network that only allows the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of beacon frames. It provides greater protection than WEP and WPA.
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
3. Enable the RSN-IE in beacons and probe responses.
   Command: security-ie rsn
   Remarks: By default, RSN-IE is disabled.
Configuring cipher suite
A cipher suite defines how data frames are encrypted and decrypted. The following cipher suites are supported:
· WEP40/WEP104/WEP128
· TKIP
· AES-CCMP
Configuring WEP cipher suite
1. Configure static WEP encryption:
The WEP encryption mechanism requires that the authenticator and clients on a WLAN have the same key configured. WEP adopts the RC4 algorithm (a stream encryption algorithm), supporting WEP40, WEP104 and WEP128 keys.
You can use WEP with either open system or shared key authentication mode:
¡ In open system authentication mode, the WEP key is used for encryption only and not for authentication. A client can access the network without having the same key as the authenticator. However, if the receiver has a different key from the sender, it discards the packets received from the sender.
¡ In shared key authentication mode, the WEP key is used for both encryption and authentication. If the key of a client is different from that of the authenticator, the client cannot pass the authentication and the access of the client is denied.
To configure static WEP encryption:
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
3. Enable the WEP cipher suite.
   Command: cipher-suite { wep40 | wep104 | wep128 }
   Remarks: By default, no cipher suite is selected.
4. Configure the WEP default key.
   Command: wep default-key { 1 | 2 | 3 | 4 } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
   Remarks: By default, the WEP default key index number is 1.
5. Specify a key index number.
   Command: wep key-id { 1 | 2 | 3 | 4 }
   Remarks: Optional. By default, the key index number is the one configured with the wep default-key command.
2. Configure dynamic WEP encryption:
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
3. Enable dynamic WEP encryption.
   Command: wep mode dynamic
   Remarks: By default, static WEP encryption is used. Dynamic WEP encryption must be used together with 802.1X authentication.
4. Enable the WEP cipher suite.
   Command: cipher-suite { wep40 | wep104 | wep128 }
   Remarks: Optional. With dynamic WEP encryption configured, the device automatically uses the WEP104 cipher suite. To change the encryption method, use the cipher-suite command.
5. Configure the WEP default key.
   Command: wep default-key { 1 | 2 | 3 | 4 } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
   Remarks: Optional. By default, no WEP default key is configured. If a WEP default key is configured, it is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.
6. Specify a key index number.
   Command: wep key-id { 1 | 2 | 3 }
   Remarks: Optional. By default, the key index number is the one configured with the wep default-key command. For dynamic WEP encryption, the WEP key ID cannot be 4.
Configuring TKIP cipher suite
The message integrity check (MIC), computed with the Michael algorithm, is used to detect modification of data. When a MIC error occurs, the device considers the data to have been modified and the system to be under attack. Upon detecting the attack, TKIP is suspended for the countermeasure interval and no new TKIP associations can be established during that time. An attacker who can trigger MIC failures can therefore also use the countermeasures as a denial of service, so keep the interval short.
Clients that use the TKIP cipher suite cannot negotiate 802.11n operation when they associate with an AP that supports 802.11n, because 802.11n does not allow TKIP for HT rates.
To configure TKIP cipher suite:
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
3. Enable the TKIP cipher suite.
   Command: cipher-suite tkip
   Remarks: By default, no cipher suite is selected.
4. Configure the TKIP countermeasure interval.
   Command: tkip-cm-time time
   Remarks: Optional. The default countermeasure interval is 0 seconds, which means no countermeasures are taken.
Configuring AES-CCMP cipher suite
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
3. Enable the CCMP cipher suite.
   Command: cipher-suite ccmp
   Remarks: By default, no cipher suite is selected.
Configuring port security
The authentication type configuration includes the following options:
· PSK
· 802.1X
· MAC
· PSK and MAC
This document describes only common port security modes. For more information about other port security modes, see Security Configuration Guide.
Before configuring port security, create the wireless port and enable port security.
Configuring PSK authentication
1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
3. Enable 802.11 key negotiation.
   Command: port-security tx-key-type 11key
   Remarks: By default, 802.11 key negotiation is not enabled.
4. Configure the pre-shared key.
   Command: port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key
   Remarks: By default, no pre-shared key is configured.
5. Enable the PSK port security mode.
   Command: port-security port-mode psk
Configuring 802.1X authentication
1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
3. Enable 802.11 key negotiation.
   Command: port-security tx-key-type 11key
   Remarks: By default, 802.11 key negotiation is not enabled.
4. Enable the 802.1X port security mode.
   Command: port-security port-mode { userlogin-secure | userlogin-secure-ext }
Configuring MAC address authentication
802.11i does not support MAC address authentication.
To configure MAC address authentication:
1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
3. Enable the MAC port security mode.
   Command: port-security port-mode mac-authentication
Configuring PSK and MAC address authentication
For more information about port security configuration commands, see Security Configuration Guide.
To configure PSK and MAC address authentication:
1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
3. Enable 802.11 key negotiation.
   Command: port-security tx-key-type 11key
   Remarks: By default, 802.11 key negotiation is not enabled.
4. Enable the PSK and MAC port security mode.
   Command: port-security port-mode mac-and-psk
5. Configure the pre-shared key.
   Command: port-security preshared-key { pass-phrase | raw-key } key
   Remarks: The key is a string of 8 to 63 characters (pass-phrase) or a 64-digit hexadecimal number (raw-key).
Specifying a key derivation type
A key derivation type takes effect only when the authentication type is PSK or 802.1X.
To specify a key derivation type:
1. Enter system view.
   Command: system-view
2. Create a service template and enter its view.
   Command: wlan service-template service-template-number crypto
   Remarks: You cannot modify the type of a service template that already exists.
3. Specify a key derivation type.
   Command: key-derivation { sha1 | sha1-and-sha256 | sha256 }
   Remarks: Optional. By default, the key derivation type is sha1.
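The derivation that the key derivation type selects, together with the PSK and PTK material described under "PSK authentication" and "Configuring the PTK lifetime", as an added Python example that is not part of this guide. It derives the PMK from a pass-phrase or a raw key in the two forms the port-security preshared-key command accepts, expands the PTK with either the SHA-1 PRF (key-derivation sha1) or the SHA-256 KDF (key-derivation sha256), and checks the MIC on a constructed message 2 of the 4-way handshake for the SHA-1 case. The MAC addresses, nonces and EAPOL-Key frame are constructed; the function names are this example's own. The last part of demo() shows why the passphrase strength matters: one captured message 2 is enough to test passphrase guesses offline.

```python
import hashlib
import hmac


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """pass-phrase form: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 256-bit PSK (used as the PMK)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def psk_from_raw_key(hex64: str) -> bytes:
    """raw-key form: the 64 hex digits are the 256-bit PMK itself."""
    key = bytes.fromhex(hex64)
    if len(key) != 32:
        raise ValueError("raw key must be 64 hex digits")
    return key


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n (key derivation type sha1): HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def kdf_sha256(key: bytes, label: bytes, context: bytes, nbytes: int) -> bytes:
    """802.11 KDF-Hash-Length (key derivation type sha256): HMAC-SHA256(key, i || label || context || Length),
    i = 1, 2, ... and Length in bits, both encoded as 16-bit little-endian."""
    out, length = b"", (nbytes * 8).to_bytes(2, "little")
    for i in range(1, (nbytes + 31) // 32 + 1):
        out += hmac.new(key, i.to_bytes(2, "little") + label + context + length, hashlib.sha256).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               key_derivation: str = "sha1") -> bytes:
    """PTK from the 4-way handshake inputs; 48 bytes for CCMP: KCK(16) || KEK(16) || TK(16)."""
    context = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    if key_derivation == "sha1":
        return prf_sha1(pmk, label, context, 48)
    if key_derivation == "sha256":
        return kdf_sha256(pmk, label, context, 48)
    raise ValueError(key_derivation)


# EAPOL-Key frame: 4-byte EAPOL header, then descriptor type(1) key info(2) key length(2)
# replay counter(8) nonce(32) IV(16) RSC(8) reserved(8) MIC(16) key data length(2) key data.
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8


def build_eapol_key_msg2(snonce: bytes, key_data: bytes) -> bytes:
    """Constructed message 2 (RSN descriptor, key info 0x010a: descriptor version 2 = HMAC-SHA1-128 MIC,
    pairwise, MIC present) with the MIC field zeroed."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16)
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def eapol_mic_sha1(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 over the whole EAPOL frame with the MIC field zeroed (key derivation sha1).
    The sha256 derivation type pairs with an AES-128-CMAC MIC, which the standard library lacks."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_msg2(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_mic_sha1(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_msg2(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], eapol_mic_sha1(kck, frame))


def demo() -> dict:
    aa, spa = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")  # constructed BSSID / client MAC
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                 # constructed; real nonces are random
    pmk = psk_from_passphrase("12345678", "psktest")  # passphrase and SSID of the PSK configuration example
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    kck, kek, tk = ptk[:16], ptk[16:32], ptk[32:48]
    msg2 = sign_msg2(kck, build_eapol_key_msg2(snonce, b"\x30\x14" + bytes(20)))  # constructed RSN IE
    # Offline guess: with msg2 plus the nonces and MACs from the capture, each candidate passphrase
    # costs one PBKDF2 and one HMAC and needs no further contact with the AP.
    candidates = ["password", "letmein1", "12345678"]
    cracked = next((c for c in candidates if verify_msg2(
        derive_ptk(psk_from_passphrase(c, "psktest"), aa, spa, anonce, snonce)[:16], msg2)), None)
    return {"pmk": pmk.hex(), "tk": tk.hex(), "msg2_valid": verify_msg2(kck, msg2), "cracked": cracked}
```

Because the PMK is fixed per SSID and passphrase, every client on a PSK service template can also derive every other client's PTK once it has seen that client's handshake; PSK authentication identifies the network, not the user, which is the reason the guide offers 802.1X for anything larger than a small fixed population.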
Configuring management frame protection
Perform this task to enable an AP to protect management frames, including deauthentication frames, disassociation frames, and some robust action frames. Without it, anyone within radio range can send a forged deauthentication frame and disconnect a client.
For unicast management frames, management frame protection encrypts them with the PTK in the same way as data frames, which provides confidentiality, integrity, and replay protection.
For multicast and broadcast management frames, this feature uses the Broadcast Integrity Protocol (BIP), which provides integrity and replay protection but no confidentiality. BIP appends a Management MIC IE (MME) to the end of each group-addressed management frame.
NOTE: You can configure management frame protection only on a service template whose authentication type is PSK or 802.1X, whose cipher suite is AES-CCMP, and whose security IE is RSN.
Configuring management frame protection
1. Enter system view.
   Command: system-view
2. Create a service template and enter its view.
   Command: wlan service-template service-template-number crypto
   Remarks: You cannot modify the type of a service template that already exists.
3. Enable management frame protection.
   Command: pmf { mandatory | optional }
   Remarks: By default, management frame protection is disabled. If you select mandatory, specify the key derivation type as sha256 as a best practice.
Configuring auto SA Query
If management frame protection is enabled, the AP uses SA Query to secure connections with clients.
SA Query includes active SA Query and passive SA Query.
· Active SA Query
If the AP receives a spoofed association or reassociation request for a client that is already associated, this mechanism prevents the AP from tearing down the existing association on the strength of that request.
As shown in Figure 3, active SA Query operates as follows:
a. The AP receives an association or reassociation request for a client that already has a protected association.
b. The AP responds that the request is temporarily rejected and that the client can associate later. The response carries an association comeback time, specified by the pmf association-comeback command.
c. The AP sends an SA Query request to the client over the existing protected association.
- If the AP receives an SA Query response within the timeout time, it determines that the client is online.
- If the AP receives no SA Query response within the timeout time, it resends the request. If a response arrives within the retransmission time, it determines that the client is online.
If the client is online, the AP does not respond to any association or reassociation request from that client's MAC address within the association comeback time.
- If the AP receives no SA Query response within the retransmission time, it determines that the client is offline and allows the client to reassociate.
· Passive SA Query
If a client receives an unprotected disassociation or deauthentication frame with reason code 6 or 7, this mechanism prevents the client from being knocked offline by a forged frame.
As shown in Figure 4, passive SA Query operates as follows:
a. The client triggers the SA Query mechanism upon receiving an unprotected disassociation or deauthentication frame.
b. The client sends an SA Query request to the AP.
c. The AP responds with an SA Query response.
d. Because it receives the SA Query response, the client determines that the AP still considers it associated and does not go offline.
To configure active SA Query:
1. Enter system view.
   Command: system-view
2. Create a service template and enter its view.
   Command: wlan service-template service-template-number crypto
   Remarks: You cannot modify the type of a service template that already exists.
3. Configure the timeout time for SA Query responses.
   Command: pmf saquery timeout value
   Remarks: Optional. By default, the timeout time for SA Query responses is 200 milliseconds.
4. Configure the retransmission count for SA Query requests.
   Command: pmf saquery retry value
   Remarks: Optional. By default, the AP retransmits an SA Query request 4 times.
5. Configure the association comeback time.
   Command: pmf association-comeback value
   Remarks: Optional. By default, the association comeback time is 1 second.
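The active SA Query exchange above, as an added Python model that is not part of this guide. It simulates the AP side with the default timers from the table (200 ms timeout, 4 retransmissions, 1 s comeback) and a caller-supplied clock, and walks through the two outcomes the text describes: the real client answers and the forged request is ignored, or nobody answers and the stale association is released. The class, function and client names are this example's own, and reading pmf saquery retry as the number of retransmissions after the first request is this example's assumption.

```python
class PmfAccessPoint:
    """AP-side active SA Query. Time is a float in seconds supplied by the caller,
    so the exchange can be replayed deterministically."""

    def __init__(self, saquery_timeout=0.200, saquery_retry=4, association_comeback=1.0):
        self.saquery_timeout = saquery_timeout            # pmf saquery timeout (200 ms)
        self.saquery_retry = saquery_retry                # pmf saquery retry (assumed: retransmissions after request 1)
        self.association_comeback = association_comeback  # pmf association-comeback (1 s)
        self.associated = set()       # clients with a protected association
        self.pending = {}             # client -> [transaction id, sent at, retries left]
        self.comeback_until = {}      # client -> end of its comeback window
        self.sent = []                # (time, client, transaction id) for every SA Query request
        self._next_id = 1

    def _send_saquery(self, client, now, retries_left):
        self.pending[client] = [self._next_id, now, retries_left]
        self.sent.append((now, client, self._next_id))
        self._next_id += 1

    def tick(self, now):
        """Retransmit unanswered SA Query requests; declare a client offline once the retries are used up."""
        for client in list(self.pending):
            _, sent_at, retries_left = self.pending[client]
            while now - sent_at >= self.saquery_timeout:
                if retries_left == 0:
                    del self.pending[client]
                    self.associated.discard(client)          # stale association removed ...
                    self.comeback_until.pop(client, None)    # ... and the next request is accepted
                    break
                sent_at += self.saquery_timeout
                retries_left -= 1
                self._send_saquery(client, sent_at, retries_left)

    def on_assoc_request(self, client, now):
        """Steps a and b: returns 'accept', 'comeback' (temporary rejection) or 'ignore'."""
        self.tick(now)
        if client not in self.associated:
            self.associated.add(client)
            return "accept"
        if now < self.comeback_until.get(client, 0.0):
            return "ignore"   # SA Query in progress, or client already proven online
        # Existing protected association: reject with a comeback time, then probe the real client (step c).
        self.comeback_until[client] = now + self.association_comeback
        self._send_saquery(client, now, self.saquery_retry)
        return "comeback"

    def on_saquery_response(self, client, transaction_id, now):
        """A protected SA Query response with the outstanding transaction id proves the client is online."""
        state = self.pending.get(client)
        if state and state[0] == transaction_id:
            del self.pending[client]
            return True
        return False


def scenario_spoofed_reassociation():
    """An attacker forges reassociation requests for a client that is still online."""
    ap, sta = PmfAccessPoint(), "00:11:22:33:44:bb"   # constructed client MAC
    r_first = ap.on_assoc_request(sta, 0.0)            # genuine association: accept
    r_spoof = ap.on_assoc_request(sta, 10.0)           # forged request: comeback, SA Query sent to the real client
    tid = ap.pending[sta][0]
    alive = ap.on_saquery_response(sta, tid, 10.05)    # the real client answers within 200 ms
    r_again = ap.on_assoc_request(sta, 10.5)           # inside the 1 s comeback window: ignored
    return r_first, r_spoof, alive, r_again, sta in ap.associated


def scenario_client_gone():
    """The client vanished without a disassociation and later reconnects: the queries time out
    and the AP lets the new request through."""
    ap, sta = PmfAccessPoint(), "00:11:22:33:44:bb"
    ap.on_assoc_request(sta, 0.0)
    r1 = ap.on_assoc_request(sta, 10.0)   # comeback; request 1 sent
    r2 = ap.on_assoc_request(sta, 10.5)   # requests 2 and 3 have gone unanswered by now: ignore
    r3 = ap.on_assoc_request(sta, 11.1)   # 5 requests unanswered over 1.0 s: offline, so accept
    return r1, r2, r3, len(ap.sent)
```

With the defaults, the last retransmission expires 1.0 s after the first request, the same length as the comeback window, so a forged request can delay a genuine reconnection by at most one comeback period while never displacing a client that is still answering.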
Configuring the 802.1X client feature for an AP
To prevent rogue APs from associating with the AC, enable 802.1X authentication on the access device of APs and configure the APs to act as 802.1X clients. After the configuration, only APs that passed 802.1X authentication can associate with the AC.
Make sure the AP has already established a tunnel with the AC before the configuration.
After the configuration, perform the following tasks to make the settings take effect:
· Save the settings to the configuration file of the AP. For more information, see "Configuring AP provision (for an AC only)."
· Enable 802.1X authentication on the access device of the AP.
· Restart the AP.
To configure the 802.1X client feature for an AP:
1. Enter system view.
   Command: system-view
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: You must specify the model name when you create an AP.
3. Enter AP provision view.
   Command: provision
   Remarks: Entering AP provision view also enables the AP provision function, and the device automatically adds the vlan untagged 1 command for the AP. An auto AP cannot be configured with the AP provision function.
4. Specify the 802.1X client username.
   Command: dot1x supplicant username username
   Remarks: By default, no 802.1X client username is specified for an AP.
5. Set the 802.1X client authentication password.
   Command: dot1x supplicant password { simple | cipher } password
   Remarks: By default, no 802.1X client authentication password is set for an AP.
6. Set the 802.1X client authentication method.
   Command: dot1x supplicant eap-method { md5 | peap-gtc | peap-mschapv2 | ttls-gtc | ttls-mschapv2 }
   Remarks: Optional. By default, MD5 is used. EAP-MD5 provides no server authentication and its challenge/response can be attacked offline by anyone on the wired path, so prefer one of the TLS-tunnelled methods (peap-mschapv2, peap-gtc, ttls-mschapv2, or ttls-gtc) when the RADIUS server supports it.
7. Enable the 802.1X client feature for the AP.
   Command: dot1x supplicant enable
   Remarks: By default, the 802.1X client feature is disabled.
Displaying and maintaining WLAN security
For more information about related display commands, see Security Command Reference.
All of the following display commands are available in any view.
· Display WLAN service template information:
  display wlan service-template [ service-template-number ] [ | { begin | exclude | include } regular-expression ]
· Display client information:
  display wlan client { ap ap-name [ radio radio-number ] | mac-address mac-address | service-template service-template-number } [ verbose ] [ | { begin | exclude | include } regular-expression ]
· Display MAC address authentication information:
  display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
· Display the MAC address information of port security:
  display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]
· Display the PSK user information of port security:
  display port-security preshared-key user [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
· Display the configuration, running state, and statistics of port security:
  display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
· Display 802.1X session information or statistics:
  display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
WLAN security configuration examples
PSK authentication configuration example
Network requirements
As shown in Figure 5, an AC is connected to an AP through a Layer 2 switch, and they are in the same network. Configure PSK authentication with the pre-shared key 12345678 on the AC and the client. (12345678 is used only to keep the example short. In production, use a long random passphrase, because a WPA2-PSK passphrase can be guessed offline from a single captured 4-way handshake.)
Configuration procedure
1. Make sure the AC and the AP can reach each other at Layer 2. (Details not shown.)
2. Make sure the wireless client supports RSN (WPA2) with AES-CCMP and PSK authentication. (Details not shown.)
3. Configure the AC:
# Configure port security.
<AC> system-view
[AC] port-security enable
# Configure WLAN port security, configure the authentication mode as PSK, and the pre-shared key as 12345678.
[AC] interface wlan-ess 10
[AC-WLAN-ESS10] port-security port-mode psk
[AC-WLAN-ESS10] port-security preshared-key pass-phrase 12345678
[AC-WLAN-ESS10] port-security tx-key-type 11key
[AC-WLAN-ESS10] quit
# Create service template 10 of crypto type, configure its SSID as psktest, and bind WLAN-ESS10 to service template 10.
[AC] wlan service-template 10 crypto
[AC-wlan-st-10] ssid psktest
[AC-wlan-st-10] bind WLAN-ESS 10
[AC-wlan-st-10] security-ie rsn
[AC-wlan-st-10] cipher-suite ccmp
[AC-wlan-st-10] authentication-method open-system
[AC-wlan-st-10] service-template enable
[AC-wlan-st-10] quit
# Create an AP template named ap1 with model WA3628i-AGN, and configure the serial ID of the AP as 210235A29G007C000020.
[AC] wlan ap ap1 model WA3628i-AGN
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Bind service template 10 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 10
[AC-wlan-ap-ap1-radio-1] radio enable
NOTE: For more information about the port security commands in this section, see Security Command Reference.
4. Verify the configuration:
¡ Configure the same PSK key on the client. After that, the client can associate with the AP and access the WLAN.
¡ Use the display wlan client service-template 10 verbose command and the display port-security preshared-key user command to view the online clients.
MAC and PSK authentication configuration example
Network requirements
Perform MAC and PSK authentication on the client.
Figure 6 Network diagram
Configuring the AC
# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure WLAN port security, using MAC-and-PSK authentication.
[AC] interface wlan-ess 2
[AC-WLAN-ESS2] port-security port-mode mac-and-psk
[AC-WLAN-ESS2] port-security tx-key-type 11key
[AC-WLAN-ESS2] port-security preshared-key pass-phrase 12345678
[AC-WLAN-ESS2] quit
# Create service template 2 of crypto type, configure its SSID as mactest, and bind WLAN-ESS2 to service template 2.
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid mactest
[AC-wlan-st-2] bind wlan-ess 2
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] cipher-suite ccmp
[AC-wlan-st-2] security-ie rsn
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create an AP template named ap1 with model WA3628i-AGN, and configure the serial ID of the AP as 210235A29G007C000020.
[AC] wlan ap ap1 model WA3628i-AGN
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Bind service template 2 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 2
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as 10.18.1.88.
[AC-radius-rad] primary authentication 10.18.1.88
[AC-radius-rad] primary accounting 10.18.1.88
# Configure the shared key for RADIUS authentication/accounting packets as 12345678.
[AC-radius-rad] key authentication 12345678
[AC-radius-rad] key accounting 12345678
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain cams by referencing RADIUS scheme rad.
[AC] domain cams
[AC-isp-cams] authentication lan-access radius-scheme rad
[AC-isp-cams] authorization lan-access radius-scheme rad
[AC-isp-cams] accounting lan-access radius-scheme rad
[AC-isp-cams] quit
# Configure the MAC address authentication domain by referencing AAA domain cams.
[AC] mac-authentication domain cams
# Configure the MAC authentication username format: use the MAC address without hyphens as both the username and the password (this must match the account format on the RADIUS server).
[AC] mac-authentication user-name-format mac-address without-hyphen
Configuring the RADIUS server on IMC 3.6
This section uses IMC PLAT 3.20-R2606 and IMC UAM 3.60-E6206.
1. Add the AC to the IMC Platform as an access device:
a. Log in to IMC, click the Service tab, and select Access Service > Access Device from the navigation tree.
The Access Device page appears.
b. Click Add.
c. The Add Access Device page appears, as shown in Figure 7.
d. In the Access Configuration area, enter 12345678 in the Shared Key field, 1812 in the Authentication Port field, and 1813 in the Accounting Port field, select LAN Access Service from the Service Type list and H3C from the Access Device Type list, and select or manually add an access device with the IP address 10.18.1.1, and click OK.
Figure 7 Adding an access device
2. Add service:
a. Click the Service tab, and then select Access Service > Service Configuration from the navigation tree.
The Service Configuration page appears.
b. Click Add.
The Add Service Configuration page appears, as shown in Figure 8.
c. Set the service name to mac, keep the default values for other parameters, and click Apply.
3. Add an account:
a. Click the User tab, and then select Access User View > All Access Users from the navigation tree.
The All Access Users page appears.
b. Click Add.
The Add Access User page appears, as shown in Figure 9.
c. Enter the username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click OK.
Figure 9 Adding an access user account
Configuring the RADIUS server on IMC 5.0
This section uses IMC PLAT 5.0 (E0101H03) and IMC UAM 5.0 SP1 (E0101P03).
1. Add the AC to the IMC Platform as an access device:
a. Log in to IMC, click the Service tab, and then select User Access Manager > Access Device Management > Access Device from the navigation tree.
The Access Device page appears.
b. Click Add.
The Add Access Device page appears, as shown in Figure 10.
c. In the Access Configuration area, enter 12345678 as the Shared Key, keep the default values for other parameters, and select or manually add the access device with the IP address 10.18.1.1, and click OK.
Figure 10 Adding an access device
2. Add a service:
a. Click the Service tab and then select User Access Manager > Service Configuration from the navigation tree.
The Service Configuration page appears.
b. Click Add.
The Add Service Configuration page appears, as shown in Figure 11.
c. Set the service name to mac, keep the default values for other parameters, and click OK.
3. Add an account:
a. Click the User tab, and then select Access User View > All Access Users from the navigation tree.
The All Access User page appears.
b. Click Add.
The Add Access User page appears, as shown in Figure 12.
c. In the Access Information area, enter username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click OK.
Figure 12 Adding an access user account
Verifying the configuration
· After the client passes the MAC address authentication, the client can associate with the AP and access the WLAN.
· You can use the display wlan client verbose command, the display connection command, and the display mac-authentication command to view the online clients.
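The procedure above ends in a RADIUS Access-Request from the AC (10.18.1.1) to the server (10.18.1.88) that carries the client MAC address, without hyphens, as both User-Name and User-Password. The following Python script is an added example, not part of the H3C document or of IMC: it builds such a packet per RFC 2865 and RFC 3579 with the page's shared key 12345678, and shows the two checks the server applies, recovering the PAP password and verifying the Message-Authenticator. The client MAC 00-14-6C-8A-43-FF matches the IMC account 00146c8a43ff; the exact attribute set (Service-Type, Calling-Station-Id) and the Request Authenticator value are assumptions. The 802.1X example that follows carries EAP inside RADIUS EAP-Message attributes instead, which this script does not cover.

```python
import hashlib
import hmac
import os
import struct

# Values from the MAC-and-PSK example; the client MAC is the IMC account 00146c8a43ff.
SHARED_SECRET = b"12345678"       # 'key authentication 12345678' on the AC, Shared Key in IMC
NAS_IP = "10.18.1.1"              # the AC, registered in IMC as the access device
CLIENT_MAC = "00-14-6C-8A-43-FF"  # constructed client address

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_CALLING_STATION_ID, ATTR_MESSAGE_AUTHENTICATOR = 6, 31, 80


def mac_username(mac: str, hyphen: bool = False) -> str:
    """Username (and password) the AC sends for MAC authentication.

    'mac-authentication user-name-format mac-address without-hyphen' gives 00146c8a43ff;
    the with-hyphen form gives 00-14-6c-8a-43-ff. The RADIUS account must use the same form.
    """
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if hyphen else digits


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16n, XOR each block with MD5(secret || previous block).

    Keyed obfuscation, not encryption: whoever knows or guesses the shared secret recovers
    the password from a capture, which is why 12345678 is only an example value.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as the server applies it before checking the account."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: type, total length, value (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(mac: str, secret: bytes, nas_ip: str, identifier: int = 1,
                         authenticator: bytes = None) -> bytes:
    """Access-Request the AC would send to the server (10.18.1.88 in the example) for one MAC user."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    username = mac_username(mac).encode("ascii")
    attrs = (
        attribute(ATTR_USER_NAME, username)
        + attribute(ATTR_USER_PASSWORD, pap_hide(username, secret, authenticator))
        + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", 2))  # 2 = Framed-User
        + attribute(ATTR_CALLING_STATION_ID, mac_username(mac, hyphen=True).encode("ascii"))
        + attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled below
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    # RFC 3579 3.2: HMAC-MD5(secret) over the whole packet with the Message-Authenticator zeroed
    msg_auth = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + msg_auth


def parse_attributes(packet: bytes) -> list:
    """Walk the TLVs after the 20-byte header, rejecting lengths that run past the packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length field")
    pos, result = 20, []
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        result.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return result


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: a request whose HMAC does not verify should be silently dropped."""
    pos = 20
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False


if __name__ == "__main__":
    pkt = build_access_request(CLIENT_MAC, SHARED_SECRET, NAS_IP)
    print("Access-Request (%d bytes): %s" % (len(pkt), pkt.hex()))
    print("Message-Authenticator valid:", verify_message_authenticator(pkt, SHARED_SECRET))
```

Two practical consequences follow from the code: the shared key configured on the AC and in IMC must match byte for byte or every User-Password decodes to garbage and every Message-Authenticator fails, and a MAC account created in one username format (with or without hyphens) will never match a request sent in the other.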
802.1X authentication configuration example
Network requirements
As shown in Figure 13, perform 802.1X authentication on the client.
Configuring the AC
# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure the 802.1X authentication mode as EAP.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as 10.18.1.88.
[AC-radius-rad] primary authentication 10.18.1.88
[AC-radius-rad] primary accounting 10.18.1.88
# Configure the shared key for RADIUS authentication/accounting packets as 12345678.
[AC-radius-rad] key authentication 12345678
[AC-radius-rad] key accounting 12345678
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain cams by referencing RADIUS scheme rad.
[AC] domain cams
[AC-isp-cams] authentication lan-access radius-scheme rad
[AC-isp-cams] authorization lan-access radius-scheme rad
[AC-isp-cams] accounting lan-access radius-scheme rad
[AC-isp-cams] quit
# Specify a mandatory 802.1X authentication domain on the interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain cams
# Set the port mode for WLAN-ESS 1 to userlogin-secure-ext, and enable 802.11 key negotiation.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as dot1x, and configure both the TKIP and CCMP cipher suites with both the WPA and RSN IEs, so that WPA (TKIP) and WPA2 (CCMP) clients can associate.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite tkip
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] security-ie wpa
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model WA3628i-AGN, and configure the serial ID of the AP as 210235A29G007C000020.
[AC] wlan ap ap1 model WA3628i-AGN
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
Configuring the RADIUS server on IMC 3.6
This section uses IMC PLAT 3.20-R2606 and IMC UAM 3.60-E6206.
1. Add the AC to the IMC Platform as an access device:
a. Log in to IMC, click the Service tab, and select Access Service > Access Device from the navigation tree.
The Access Device page appears.
b. Click Add.
c. The Add Access Device page appears, as shown in Figure 14.
d. In the Access Configuration area, enter 12345678 in the Shared Key field, 1812 in the Authentication Port field, and 1813 in the Accounting Port field, select LAN Access Service from the Service Type list and H3C from the Access Device Type list, and select or manually add an access device with the IP address 10.18.1.1, and click OK.
Figure 14 Adding an access device
2. Add service:
a. Click the Service tab, and select Access Service > Service Configuration from the navigation tree.
The Service Configuration page appears.
b. Click Add.
c. The Add Service Configuration page appears, as shown in Figure 15.
d. Set the service name to dot1x, select EAP-PEAP as the certificate type, and select MS-CHAPV2 as the certificate sub-type.
e. Click Apply.
3. Add an account:
a. Click the User tab, and select Access User View > All Access Users from the navigation tree.
The All Access Users page appears.
b. Click Add.
c. The Add Access User page appears, as shown in Figure 16.
d. Enter the username user, set the account name to user and the password to dot1x, select the service dot1x, and click Apply.
Figure 16 Adding an access user account
Configuring the RADIUS server on IMC 5.0
This section uses IMC PLAT 5.0 (E0101H03) and IMC UAM 5.0 SP1 (E0101P03).
1. Add the AC to the IMC Platform as an access device:
a. Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree.
The Access Device page appears.
b. Click Add.
The Add Access Device page appears, as shown in Figure 17.
c. In the Access Configuration area, enter 12345678 as the Shared Key, keep the default values for other parameters, and select or manually add the access device with the IP address 10.18.1.1, and click OK.
Figure 17 Adding an access device
2. Add a service:
a. Click the Service tab and select User Access Manager > Service Configuration from the navigation tree.
The Service Configuration page appears.
b. Click Add.
The Add Service Configuration page appears, as shown in Figure 18.
c. Set the service name as dot1x and click OK.
3. Add an account:
a. Click the User tab, and select Access User View > All Access Users from the navigation tree.
The All Access User page appears.
b. Click Add.
The Add Access User page appears, as shown in Figure 19.
c. In the Access Information area, enter username user, set the account name as user and password as dot1x, select the service dot1x, and click OK.
Figure 19 Adding an access user account
Verifying the configuration
1. The client can pass 802.1X authentication and associate with the AP.
2. You can use the display wlan client verbose command, the display connection command, and the display dot1x command to view the online clients.
Dynamic WEP encryption-802.1X authentication configuration example
Network requirements
As shown in Figure 20, perform 802.1X authentication with dynamic WEP encryption. Dynamic WEP distributes a per-session WEP key through 802.1X, but frames are still protected by WEP (RC4), so use this mode only for legacy clients that cannot support TKIP or CCMP.
Configuration procedure
1. Configure the AC:
# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure the 802.1X authentication mode as EAP.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication and accounting servers as 10.18.1.88.
[AC-radius-rad] primary authentication 10.18.1.88
[AC-radius-rad] primary accounting 10.18.1.88
# Configure the shared key for RADIUS authentication/accounting as 12345678.
[AC-radius-rad] key authentication 12345678
[AC-radius-rad] key accounting 12345678
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain bbb by referencing RADIUS scheme rad.
[AC] domain bbb
[AC-isp-bbb] authentication lan-access radius-scheme rad
[AC-isp-bbb] authorization lan-access radius-scheme rad
[AC-isp-bbb] accounting lan-access radius-scheme rad
[AC-isp-bbb] quit
# Specify a mandatory 802.1X authentication domain on the interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain bbb
# Set the port mode for WLAN-ESS 1 to userlogin-secure-ext.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as dot1x, and configure dynamic WEP encryption.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] wep mode dynamic
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, specify its model as WA3628i-AGN, and set its serial ID to 210235A29G007C000020.
[AC] wlan ap ap1 model WA3628i-AGN
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
2. Configure the RADIUS server (IMCv3):
See "Configuring the RADIUS server on IMC 3.6."
3. Configure the RADIUS server (IMCv5):
See "Configuring the RADIUS server on IMC 5.0."
4. Configure the wireless card:
a. Double-click the wireless network icon at the bottom right corner of your desktop.
The Wireless Network Connection Status window appears.
b. Click the Properties button on the General tab.
The Wireless Network Connection Properties window appears.
c. On the Wireless Networks tab, select the wireless network with the SSID dot1x.
Verifying the configuration
· After you enter the username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.
· You can use the display wlan client verbose command, the display connection command, and the display dot1x command to view online client information.
Supported combinations for ciphers
This section introduces the combinations that can be used during the cipher suite configuration.
RSN
For RSN, the WLAN-WSEC module supports only CCMP and TKIP as pairwise (unicast) ciphers; WEP cipher suites can be used only as group (broadcast) ciphers. The following table lists the cipher suite combinations that WLAN-WSEC supports for RSN (WEP40, WEP104 and WEP128 are mutually exclusive). Pairing CCMP unicast with a WEP or TKIP group cipher protects broadcast and multicast traffic only at the weaker level and is needed only for legacy clients; use CCMP for both where the client population allows.
Unicast cipher | Broadcast cipher | Authentication method | Security type |
---|---|---|---|
CCMP | WEP40 | PSK | RSN |
CCMP | WEP104 | PSK | RSN |
CCMP | WEP128 | PSK | RSN |
CCMP | TKIP | PSK | RSN |
CCMP | CCMP | PSK | RSN |
TKIP | WEP40 | PSK | RSN |
TKIP | WEP104 | PSK | RSN |
TKIP | WEP128 | PSK | RSN |
TKIP | TKIP | PSK | RSN |
CCMP | WEP40 | 802.1X | RSN |
CCMP | WEP104 | 802.1X | RSN |
CCMP | WEP128 | 802.1X | RSN |
CCMP | TKIP | 802.1X | RSN |
CCMP | CCMP | 802.1X | RSN |
TKIP | WEP40 | 802.1X | RSN |
TKIP | WEP104 | 802.1X | RSN |
TKIP | WEP128 | 802.1X | RSN |
TKIP | TKIP | 802.1X | RSN |
WPA
For WPA, the WLAN-WSEC module supports CCMP and TKIP as pairwise (unicast) ciphers; WEP cipher suites can be used only as group (broadcast) ciphers. The following table lists the cipher suite combinations that WLAN-WSEC supports for WPA (WEP40, WEP104 and WEP128 are mutually exclusive).
Unicast cipher | Broadcast cipher | Authentication method | Security type |
---|---|---|---|
CCMP | WEP40 | PSK | WPA |
CCMP | WEP104 | PSK | WPA |
CCMP | WEP128 | PSK | WPA |
CCMP | TKIP | PSK | WPA |
CCMP | CCMP | PSK | WPA |
TKIP | WEP40 | PSK | WPA |
TKIP | WEP104 | PSK | WPA |
TKIP | WEP128 | PSK | WPA |
TKIP | TKIP | PSK | WPA |
CCMP | WEP40 | 802.1X | WPA |
CCMP | WEP104 | 802.1X | WPA |
CCMP | WEP128 | 802.1X | WPA |
CCMP | TKIP | 802.1X | WPA |
CCMP | CCMP | 802.1X | WPA |
TKIP | WEP40 | 802.1X | WPA |
TKIP | WEP104 | 802.1X | WPA |
TKIP | WEP128 | 802.1X | WPA |
TKIP | TKIP | 802.1X | WPA |
Pre-RSN
For pre-RSN stations, the WLAN-WSEC module supports only WEP cipher suites, with the same static key used for unicast and broadcast traffic (WEP40, WEP104 and WEP128 are mutually exclusive). No RSN or WPA security IE is advertised in this mode.
Unicast cipher | Broadcast cipher | Authentication method | Security type |
---|---|---|---|
WEP40 | WEP40 | Open system | None |
WEP104 | WEP104 | Open system | None |
WEP128 | WEP128 | Open system | None |
WEP40 | WEP40 | Shared key | None |
WEP104 | WEP104 | Shared key | None |
WEP128 | WEP128 | Shared key | None |