03-WLAN Security Commands
authentication-method
Use authentication-method to enable an 802.11 authentication method. You can enable open system authentication, shared key authentication, or both. Shared key authentication depends on a static WEP key, and its challenge/response exchange exposes RC4 keystream to anyone listening, so open system authentication combined with a WPA or WPA2 cipher suite is the secure choice.
Use undo authentication-method to disable the selected authentication method.
Syntax
authentication-method { open-system | shared-key }
undo authentication-method { open-system | shared-key }
Default
The open system authentication method is enabled.
Views
Service template view
Default command level
2: System level
Parameters
open-system: Enables open system authentication.
shared-key: Enables shared key authentication.
Examples
# Enable open system authentication.
<Sysname> system-view
[Sysname] wlan service-template 1 clear
[Sysname-wlan-st-1] authentication-method open-system
# Enable shared key authentication.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] authentication-method shared-key
cipher-suite
Use cipher-suite to select the cipher suites used to encrypt frames. WEP-40, WEP-104, WEP-128, and TKIP are legacy suites kept only for old clients; deploy CCMP alone unless such clients must be supported.
Use undo cipher-suite to disable the selected cipher suite.
Syntax
cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }*
undo cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }*
Default
No cipher suite is selected.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
ccmp: Enables the AES-CCMP cipher suite.
tkip: Enables the TKIP cipher suite.
wep40: Enables the WEP-40 cipher suite.
wep104: Enables the WEP-104 cipher suite.
wep128: Enables the WEP-128 cipher suite.
Examples
# Enable the TKIP cipher suite.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] cipher-suite tkip
gtk-rekey client-offline enable
Use gtk-rekey client-offline enable to refresh the GTK whenever a client goes offline, so that a departed client cannot keep decrypting broadcast and multicast traffic with the old group key. This function takes effect only when GTK rekey is enabled with the gtk-rekey enable command.
Use undo gtk-rekey client-offline to disable this feature.
Syntax
gtk-rekey client-offline enable
undo gtk-rekey client-offline
Default
The GTK is not refreshed when a client goes offline.
Views
Service template view (crypto type)
Default command level
2: System level
Examples
# Enable GTK rekeying when a client goes offline.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] gtk-rekey client-offline enable
gtk-rekey enable
Use gtk-rekey enable to enable GTK rekey.
Use undo gtk-rekey enable to disable GTK rekey.
Syntax
gtk-rekey enable
undo gtk-rekey enable
Default
GTK rekey is enabled.
Views
Service template view (crypto type)
Default command level
2: System level
Examples
# Disable GTK rekey.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] undo gtk-rekey enable
gtk-rekey method
Use gtk-rekey method to select a mechanism for re-keying the GTK. If option time-based is selected, the GTK will be refreshed after a specified period of time. If option packet-based is selected, the GTK will be refreshed after a specified number of packets are transmitted.
Use undo gtk-rekey method to restore the default.
Syntax
gtk-rekey method { packet-based [ packet ] | time-based [ time ] }
undo gtk-rekey method
Default
The GTK rekeying method is time-based, and the interval is 86400 seconds.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
packet-based: Indicates the GTK will be refreshed after a specified number of packets are transmitted.
packet: Number of packets (including multicasts and broadcasts) that are transmitted before the GTK is refreshed. The value is in the range of 5000 to 4294967295 and defaults to 10000000.
time-based: Indicates the GTK will be refreshed based on time.
time: Time after which the GTK is refreshed. The value is in the range of 180 to 604800 seconds and defaults to 86400 seconds.
Usage guidelines
The method configured later overwrites the previous one. For example, if you configure the packet-based method and then configure the time-based method, the time-based method is enabled.
Examples
# Enable packet-based GTK rekeying with a threshold of 60000 packets.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] gtk-rekey method packet-based 60000
key-derivation
Use key-derivation to set the key derivation function (KDF).
Use undo key-derivation to restore the default.
Syntax
key-derivation { sha1 | sha1-and-sha256 | sha256 }
undo key-derivation
Default
The KDF is the HMAC-SHA1 algorithm.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
sha1: Specifies the HMAC-SHA1 algorithm as the KDF.
sha256: Specifies the HMAC-SHA256 algorithm as the KDF.
sha1-and-sha256: Specifies the HMAC-SHA1 algorithm and the HMAC-SHA256 algorithm as the KDFs.
Usage guidelines
KDFs take effect only for a network that uses the PSK or 802.1X authentication mode.
The HMAC-SHA256 algorithm is used if you set the mandatory management frame protection mode.
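As an added illustration (not code from the original page or from the vendor), the two KDFs this command selects, implemented in Python from the IEEE 802.11 definitions: PRF-384 over HMAC-SHA1 for the default, and KDF-Hash-Length over HMAC-SHA256 for the SHA256 AKM suites that management frame protection requires. The PSK-to-PMK step is PBKDF2-HMAC-SHA1 as specified in 802.11; the addresses and nonces in the demo are constructed values, not captured ones.

```python
import hashlib
import hmac
import struct


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK of a PSK network: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output (IEEE 802.11)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n with HMAC-SHA1: HMAC(K, label || 0x00 || data || i) for i = 0, 1, ...
    This is what key-derivation sha1 (the default) selects."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kdf_sha256(key: bytes, label: bytes, context: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 KDF-Hash-Length with HMAC-SHA256: HMAC(K, i || label || context || Length),
    i and Length (in bits) as 16-bit little-endian, i starting at 1.
    This is what key-derivation sha256 selects and what pmf mandatory forces."""
    out, i = b"", 1
    while len(out) < nbytes:
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", nbytes * 8)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               kdf: str = "sha1") -> dict:
    """PTK for a CCMP pairwise cipher: KCK (16) || KEK (16) || TK (16) = 384 bits.
    Min/Max ordering makes the result independent of which side is the AP."""
    label = b"Pairwise key expansion"
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    if kdf == "sha1":
        ptk = prf_sha1(pmk, label, data, 48)
    elif kdf == "sha256":
        ptk = kdf_sha256(pmk, label, data, 48)
    else:
        raise ValueError("kdf must be sha1 or sha256")
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    # Constructed addresses and nonces; in a real handshake they come from the EAPOL-Key frames.
    pmk = wpa_psk("password", "IEEE")
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    for kdf in ("sha1", "sha256"):
        print(kdf, derive_ptk(pmk, aa, spa, anonce, snonce, kdf)["tk"].hex())
```

With sha1-and-sha256 the AP advertises both AKM suites in its RSN IE and each client picks one, so the same PMK yields a different PTK depending on the client's choice; the two outputs above are unrelated, which is the point of the selection.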
Examples
# Configure both the HMAC-SHA1 and the HMAC-SHA256 algorithm as KDFs, so that clients supporting either can connect.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] key-derivation sha1-and-sha256
pmf
Use pmf to enable management frame protection.
Use undo pmf to restore the default.
Syntax
pmf { mandatory | optional }
undo pmf
Default
Management frame protection is disabled.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
mandatory: Specifies the mandatory mode. Only clients that support management frame protection can access the WLAN.
optional: Specifies the optional mode. All clients can access the WLAN.
Usage guidelines
Management frame protection must be used with the PSK or 802.1X authentication mode, the CCMP cipher suite, and the RSN security information element.
Examples
# Enable management frame protection in mandatory mode.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] pmf mandatory
pmf association-comeback
Use pmf association-comeback to set the association comeback time.
Use undo pmf association-comeback to restore the default.
Syntax
pmf association-comeback value
undo pmf association-comeback
Default
The association comeback time is 1 second.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
value: Specifies the association comeback time in the range of 1 to 20 seconds.
Examples
# Set the association comeback time to 2 seconds.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] pmf association-comeback 2
Related commands
· pmf
· pmf saquery retry
· pmf saquery timeout
pmf saquery retry
Use pmf saquery retry to set the maximum number of retransmission attempts for SA query requests.
Use undo pmf saquery retry to restore the default.
Syntax
pmf saquery retry value
undo pmf saquery retry
Default
The maximum number of retransmission attempts for SA query requests is 4.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
value: Specifies the maximum retransmission attempts for SA query requests, in the range of 1 to 16.
Examples
# Set the maximum number of retransmission attempts for SA query requests to 3.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] pmf saquery retry 3
Related commands
· pmf
· pmf association-comeback
· pmf saquery timeout
pmf saquery timeout
Use pmf saquery timeout to set the interval for sending SA query requests.
Use undo pmf saquery timeout to restore the default.
Syntax
pmf saquery timeout value
undo pmf saquery timeout
Default
The interval for sending SA query requests is 200 milliseconds.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
value: Specifies the interval for the AP to send SA query requests, in the range of 100 to 500 milliseconds.
Examples
# Set the interval for sending SA query requests to 300 milliseconds.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] pmf saquery timeout 300
Related commands
· pmf
· pmf association-comeback
· pmf saquery retry
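The three pmf tunables (association comeback time, SA query retry count, SA query interval) only make sense together, so here is an added toy model of the exchange they govern, written in Python for this page and not taken from the vendor's software. When an unprotected association request arrives for a MAC address that already has a protected session, the AP answers with status code 30 and the association comeback time, then sends SA Query requests every saquery-timeout interval up to saquery-retry times; a CCMP-protected response keeps the existing session, silence drops it. Time is driven by a simple millisecond loop, and the client MAC address is constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

STATUS_SUCCESS = 0
STATUS_ASSOC_REJECTED_TEMPORARILY = 30  # 802.11 status sent with a Timeout Interval IE (comeback)


@dataclass
class PmfAp:
    """Toy model of an AP enforcing management frame protection with this page's tunables."""
    comeback_s: int = 1             # pmf association-comeback
    saquery_retry: int = 4          # pmf saquery retry
    saquery_timeout_ms: int = 200   # pmf saquery timeout
    associated: set = field(default_factory=set)
    queries: dict = field(default_factory=dict)  # sta -> {"sent", "next_at_ms", "tids"}

    def assoc_request(self, sta: str, now_ms: int) -> dict:
        """Handle an Association Request (always unprotected, so never trusted by itself)."""
        if sta in self.associated:
            # The MAC already holds a protected session: a forged request must not tear it
            # down. Reject temporarily and ask the real client to prove it is still there.
            self.queries.setdefault(sta, {"sent": 0, "next_at_ms": now_ms, "tids": set()})
            return {"status": STATUS_ASSOC_REJECTED_TEMPORARILY, "comeback_s": self.comeback_s}
        self.associated.add(sta)
        return {"status": STATUS_SUCCESS}

    def tick(self, now_ms: int) -> list:
        """Drive the SA Query procedure. Returns (sta, transaction_id) requests to transmit."""
        to_send = []
        for sta, q in list(self.queries.items()):
            if now_ms < q["next_at_ms"]:
                continue
            if q["sent"] >= self.saquery_retry:
                # Retry budget spent with no protected answer: the client is really gone.
                self.associated.discard(sta)
                del self.queries[sta]
                continue
            tid = secrets.token_bytes(2)
            q["tids"].add(tid)
            q["sent"] += 1
            q["next_at_ms"] = now_ms + self.saquery_timeout_ms
            to_send.append((sta, tid))
        return to_send

    def saquery_response(self, sta: str, tid: bytes, protected: bool) -> bool:
        """Only a CCMP-protected response carrying a known transaction id proves PTK possession."""
        q = self.queries.get(sta)
        if q is None or not protected or tid not in q["tids"]:
            return False
        del self.queries[sta]   # genuine client answered: keep the original association
        return True


def comeback_covers_saquery(ap: PmfAp) -> bool:
    """A client that silently lost its state must wait for the SA Query to finish before it can
    re-associate; a comeback time shorter than retry * timeout makes it come back too early."""
    return ap.comeback_s * 1000 >= ap.saquery_retry * ap.saquery_timeout_ms


def forged_assoc_scenario(client_alive: bool, ap: Optional[PmfAp] = None) -> dict:
    """Constructed exchange: a forged Association Request arrives for an associated client."""
    ap = ap or PmfAp()
    sta = "aa:bb:cc:dd:ee:01"                 # constructed client MAC
    ap.assoc_request(sta, 0)                  # genuine client; 4-way handshake assumed done
    first = ap.assoc_request(sta, 5000)       # attacker spoofs the client's MAC
    dropped_at = None
    for t in range(5000, 5000 + ap.comeback_s * 1000 + 1, 100):
        for who, tid in ap.tick(t):
            if client_alive:
                ap.saquery_response(who, tid, protected=True)
        if sta not in ap.associated and dropped_at is None:
            dropped_at = t
    retry = ap.assoc_request(sta, 5000 + ap.comeback_s * 1000)  # attacker returns after comeback
    return {"first_status": first["status"], "dropped_at_ms": dropped_at, "retry_status": retry["status"]}


if __name__ == "__main__":
    print("client alive:", forged_assoc_scenario(True))
    print("client gone: ", forged_assoc_scenario(False))
```

With the defaults the SA Query completes after 4 x 200 ms = 800 ms, inside the 1 s comeback time. If the real client is alive, the forged request is rejected again when it comes back; if the client is gone, the attacker reaches the association stage but still has to complete the 4-way handshake, which it cannot do without the PMK.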
ptk-lifetime
Use ptk-lifetime to configure the PTK lifetime.
Use undo ptk-lifetime to restore the default.
Syntax
ptk-lifetime time
undo ptk-lifetime
Default
The PTK lifetime is 43200 seconds.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
time: Time, in the range of 180 to 604800 seconds.
Examples
# Specify the PTK lifetime as 86400 seconds.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] ptk-lifetime 86400
security-ie
Use security-ie to enable the WPA-IE, RSN-IE, or both in the beacon and probe responses.
Use undo security-ie to disable the WPA-IE or RSN-IE in the beacon and probe responses.
Syntax
security-ie { rsn | wpa }
undo security-ie { rsn | wpa }
Default
Both WPA-IE and RSN-IE are disabled.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
rsn: Enables the RSN information element in the beacon and probe response frames sent by the AP. The RSN IE advertises the RSN capabilities of the AP.
wpa: Enables the WPA Information element in the beacon and probe response frames sent by the AP. The WPA IE advertises the WPA capabilities of the AP.
Examples
# Enable the WPA-IE in the beacon and probe responses.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] security-ie wpa
tkip-cm-time
Use tkip-cm-time to set the TKIP countermeasure time.
Use undo tkip-cm-time to restore the default.
Syntax
tkip-cm-time time
undo tkip-cm-time
Default
The TKIP countermeasure time is 0 seconds, and no countermeasures are taken.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
time: TKIP countermeasure time in seconds. The value is in the range of 0 to 3600 seconds.
Usage guidelines
After TKIP countermeasures are enabled, if a second MIC failure is detected within 60 seconds of the first (the window defined by IEEE 802.11 for TKIP), the AP disassociates all TKIP clients of the service template, and new associations are accepted only after the configured TKIP countermeasure time expires. Because two forged frames are enough to trigger this, a long countermeasure time hands an attacker a cheap denial of service; keep the value short.
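An added Python model of the countermeasure logic described above, written for this page rather than taken from the vendor; the 60-second failure window is the IEEE 802.11 value and is assumed here, since the command only exposes the countermeasure time.

```python
from dataclasses import dataclass, field
from typing import Optional

# IEEE 802.11 TKIP countermeasures trigger on a second MIC failure within 60 s of the first.
# Assumption: the device uses this standard window; the page only exposes tkip-cm-time.
MIC_FAILURE_WINDOW_S = 60.0


@dataclass
class TkipCountermeasures:
    cm_time_s: float                          # tkip-cm-time; 0 disables countermeasures
    associated: set = field(default_factory=set)
    first_failure_at: Optional[float] = None
    blocked_until_s: float = 0.0

    def associate(self, sta: str, now_s: float) -> bool:
        """A TKIP client asks to associate; refused while countermeasures are active."""
        if now_s < self.blocked_until_s:
            return False
        self.associated.add(sta)
        return True

    def mic_failure(self, sta: str, now_s: float) -> bool:
        """A Michael MIC failure was detected locally or reported by `sta` in an
        EAPOL-Key MIC failure report. Returns True when countermeasures fire."""
        if self.cm_time_s == 0:
            return False                      # countermeasures disabled: log only
        if self.first_failure_at is not None and now_s - self.first_failure_at <= MIC_FAILURE_WINDOW_S:
            self.associated.clear()           # disassociate every TKIP client
            self.blocked_until_s = now_s + self.cm_time_s
            self.first_failure_at = None
            return True
        self.first_failure_at = now_s         # first failure opens the window
        return False


if __name__ == "__main__":
    # Constructed timeline: two clients, two forged frames 20 s apart, tkip-cm-time 90.
    cm = TkipCountermeasures(cm_time_s=90)
    cm.associate("sta1", 0), cm.associate("sta2", 0)
    print("first failure triggers:", cm.mic_failure("sta1", 10))
    print("second failure triggers:", cm.mic_failure("sta2", 30), "associated:", cm.associated)
    print("re-associate at 50 s:", cm.associate("sta1", 50), "at 121 s:", cm.associate("sta1", 121))
```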
Examples
# Set the TKIP countermeasure time to 90 seconds.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] tkip-cm-time 90
wep default-key
Use wep default-key to configure the WEP default key.
Use undo wep default-key to delete the configured WEP default key.
Syntax
wep default-key key-index { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
undo wep default-key key-index
Default
The WEP default key index number is 1.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
key-index: The key index values can be:
1: Configures the 1st WEP default key.
2: Configures the 2nd WEP default key.
3: Configures the 3rd WEP default key.
4: Configures the 4th WEP default key.
wep40: Indicates the WEP40 key option.
wep104: Indicates the WEP104 key option.
wep128: Indicates the WEP128 key option.
pass-phrase: Inputs a character-string pre-shared key.
raw-key: Inputs a hexadecimal-string pre-shared key.
cipher: Sets a ciphertext key.
simple: Sets a plaintext key.
key: Specifies the key string. The length of a ciphertext key is in the range of 24 to 88 characters. If neither cipher nor simple is specified, you set a plaintext key string. The length of a plaintext key depends on the key options selected:
· For wep40 pass-phrase, the key length is 5 alphanumeric characters.
· For wep104 pass-phrase, the key length is 13 alphanumeric characters.
· For wep128 pass-phrase, the key length is 16 alphanumeric characters.
· For wep40 raw-key, the key length is a 10-digit hexadecimal number.
· For wep104 raw-key, the key length is a 26-digit hexadecimal number.
· For wep128 raw-key, the key length is a 32-digit hexadecimal number.
Usage guidelines
When a security IE (RSN-IE or WPA-IE) is enabled with the security-ie command, WEP default key index 1 cannot be configured.
For security, all keys, including keys entered in plain text, are saved in the configuration in cipher text.
Examples
# Specify the first WEP default key as a simple text key 12345.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] wep default-key 1 wep40 pass-phrase simple 12345
wep key-id
Use wep key-id to specify the default WEP key used in the encryption and decryption of broadcast and multicast frames. There are 4 static keys in WEP. The key index can be 1, 2, 3, or 4. The key corresponding to the specified key index will be used for encrypting and decrypting broadcast and multicast frames.
Use undo wep key-id to restore the default.
Syntax
wep key-id { 1 | 2 | 3 | 4 }
undo wep key-id
Default
The key index number is 1.
Views
Service template view (crypto type)
Default command level
2: System level
Parameters
· 1: Key index 1.
· 2: Key index 2.
· 3: Key index 3.
· 4: Key index 4.
Examples
# Specify the index of the key for broadcast/multicast encryption and decryption as 2.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] wep key-id 2
wep mode
Use wep mode to enable dynamic WEP encryption.
Use undo wep mode to restore the default.
Syntax
wep mode dynamic
undo wep mode
Default
Static WEP encryption is enabled.
Views
Service template view
Default command level
2: System level
Parameters
dynamic: Enables dynamic WEP encryption.
Usage guidelines
· Dynamic WEP encryption must be used together with 802.1X authentication, and the WEP key ID cannot be configured as 4.
· With dynamic WEP encryption configured, the device automatically uses the WEP-104 encryption method. To change the encryption method, use the cipher-suite command.
· With dynamic WEP encryption configured, the WEP key used to encrypt unicast frames is derived per client from the 802.1X authentication exchange between the client and the authentication server. If a WEP default key is configured, it is used to encrypt multicast frames; otherwise, the device randomly generates a multicast WEP key.
Examples
# Specify the WEP encryption mode as dynamic.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] wep mode dynamic
Related commands
· cipher-suite
· wep key-id
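Several commands on this page constrain each other: the PMF prerequisites (CCMP plus RSN-IE), the SHA256 KDF that pmf mandatory forces, the WEP key-1 restriction when a security IE is enabled, the dynamic-WEP key-ID rule, the numeric ranges, and the WEP key lengths. As an added example that is not part of the original page or of the vendor's software, the following Python linter parses candidate service-template text and reports violations of those rules together with the legacy choices (shared-key authentication, WEP, TKIP) a reviewer would flag before the template is pushed. The sample configuration is constructed; the command lines follow the syntax on this page, while the one-space indentation and the `#` view separators are assumed conventions of the configuration format.

```python
import re

# Limits and lengths as stated on this page; WEP and TKIP are legacy suites
RANGES = {"gtk_packet": (5000, 4294967295), "gtk_time": (180, 604800),
          "ptk-lifetime": (180, 604800), "tkip-cm-time": (0, 3600)}
WEP_KEY_LEN = {("wep40", "pass-phrase"): 5, ("wep104", "pass-phrase"): 13, ("wep128", "pass-phrase"): 16,
               ("wep40", "raw-key"): 10, ("wep104", "raw-key"): 26, ("wep128", "raw-key"): 32}
WEAK_SUITES = {"wep40", "wep104", "wep128", "tkip"}


def parse_templates(config: str) -> dict:
    """Split configuration text into {template_id: {"type": "clear"|"crypto", "cmds": [...]}}."""
    templates, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^wlan service-template (\d+) (clear|crypto)$", raw)
        if m:
            current = m.group(1)
            templates[current] = {"type": m.group(2), "cmds": []}
        elif current is not None and raw.startswith(" "):
            templates[current]["cmds"].append(raw.strip())
        else:
            current = None  # "#" or any unindented line leaves the service template view
    return templates


def _range_finding(name: str, value: int, cmd: str) -> list:
    lo, hi = RANGES[name]
    return [] if lo <= value <= hi else [f"{cmd}: value outside {lo}-{hi}"]


def audit_template(tpl: dict) -> list:
    findings, suites, ies, wep_keys = [], set(), set(), {}
    pmf = kdf = wep_mode = key_id = None
    for cmd in tpl["cmds"]:
        w = cmd.split()
        if w[:2] == ["authentication-method", "shared-key"]:
            findings.append("shared-key authentication leaks RC4 keystream in its challenge/response; use open-system")
        elif w[0] == "cipher-suite":
            suites.update(w[1:])
        elif w[0] == "security-ie":
            ies.add(w[1])
        elif w[0] == "pmf" and len(w) == 2:
            pmf = w[1]
        elif w[0] == "key-derivation":
            kdf = w[1]
        elif w[:2] == ["gtk-rekey", "method"] and len(w) == 4:
            findings += _range_finding("gtk_packet" if w[2] == "packet-based" else "gtk_time", int(w[3]), cmd)
        elif w[0] in RANGES:  # ptk-lifetime, tkip-cm-time
            findings += _range_finding(w[0], int(w[1]), cmd)
        elif w[:2] == ["wep", "default-key"]:
            # wep default-key <index> <wepNN> <pass-phrase|raw-key> [cipher|simple] <key>
            idx, option, fmt, key = w[2], w[3], w[4], w[-1]
            wep_keys[idx] = option
            if w[5] != "cipher":  # only a plaintext key can be length-checked here
                if len(key) != WEP_KEY_LEN[(option, fmt)]:
                    findings.append(f"{cmd}: {option} {fmt} key must be {WEP_KEY_LEN[(option, fmt)]} characters")
                if fmt == "raw-key" and not re.fullmatch(r"[0-9A-Fa-f]+", key):
                    findings.append(f"{cmd}: raw-key must be hexadecimal")
        elif w[:2] == ["wep", "mode"]:
            wep_mode = w[2]
        elif w[:2] == ["wep", "key-id"]:
            key_id = w[2]
    # Rules that span several commands
    if suites & WEAK_SUITES:
        findings.append(f"legacy cipher suite(s) {sorted(suites & WEAK_SUITES)}: WEP and TKIP are broken, use ccmp only")
    if pmf and ("ccmp" not in suites or "rsn" not in ies):
        findings.append("pmf requires cipher-suite ccmp and security-ie rsn")
    if pmf == "mandatory" and kdf == "sha1":
        findings.append("pmf mandatory always uses HMAC-SHA256; key-derivation sha1 will not take effect")
    if ies and "1" in wep_keys:
        findings.append("wep default-key 1 cannot be configured together with security-ie")
    if wep_mode == "dynamic" and key_id == "4":
        findings.append("dynamic WEP: wep key-id cannot be 4")
    return findings


def audit(config: str) -> dict:
    return {tid: audit_template(tpl) for tid, tpl in parse_templates(config).items()}


# Constructed sample of three candidate templates (not taken from a real device)
SAMPLE_CONFIG = """\
#
wlan service-template 1 crypto
 authentication-method shared-key
 cipher-suite wep104
 wep default-key 1 wep104 pass-phrase simple abcdefghijklm
 security-ie wpa
#
wlan service-template 2 crypto
 cipher-suite ccmp
 security-ie rsn
 key-derivation sha256
 pmf mandatory
#
wlan service-template 3 crypto
 cipher-suite tkip
 security-ie wpa
 key-derivation sha1
 pmf mandatory
 gtk-rekey method packet-based 1000
#
"""
```

Running `audit(SAMPLE_CONFIG)` reports three findings for template 1 (shared-key authentication, a WEP suite, and key index 1 alongside a security IE), none for template 2, and four for template 3 (TKIP, missing CCMP/RSN for PMF, an ineffective sha1 KDF, and a packet threshold below 5000). The PSK or 802.1X authentication mode that PMF also requires is configured by commands outside this section, so the linter does not check it.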