03-WLAN Security Commands
authentication-method
Syntax
authentication-method { open-system | shared-key }
undo authentication-method { open-system | shared-key }
View
Service template view
Default level
2: System level
Parameters
open-system: Enables open system authentication.
shared-key: Enables shared key authentication.
Description
Use authentication-method to enable an 802.11 authentication method. You can enable open system authentication, shared key authentication or both.
Use undo authentication-method to disable the selected authentication method.
By default, the open system authentication method is enabled.
Examples
# Enable open system authentication.
<Sysname> system-view
[Sysname] wlan service-template 1 clear
[Sysname-wlan-st-1] authentication-method open-system
# Enable shared key authentication.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] authentication-method shared-key
cipher-suite
Syntax
cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }*
undo cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }*
View
Service template view
Default level
2: System level
Parameters
ccmp: Enables the CCMP cipher suite.
tkip: Enables the TKIP cipher suite.
wep40: Enables the WEP-40 cipher suite.
wep104: Enables the WEP-104 cipher suite.
wep128: Enables the WEP-128 cipher suite.
Description
Use cipher-suite to select the cipher suite used in the encryption of frames. The cipher suites supported are CCMP, TKIP, WEP40, WEP104, and WEP128.
Use undo cipher-suite to disable the selected cipher suite.
By default, no cipher suite is selected.
Examples
# Enable the TKIP cipher suite.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] cipher-suite tkip
gtk-rekey client-offline enable
Syntax
gtk-rekey client-offline enable
undo gtk-rekey client-offline
View
Service template view
Default level
2: System level
Parameters
None
Description
Use gtk-rekey client-offline enable to refresh the GTK whenever a client goes offline. This function takes effect only when GTK rekey is enabled with the gtk-rekey enable command.
Use undo gtk-rekey client-offline to disable this feature.
By default, the GTK is not refreshed when a client goes offline.
Examples
# Enable GTK rekeying when a client goes offline.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] gtk-rekey client-offline enable
gtk-rekey enable
Syntax
gtk-rekey enable
undo gtk-rekey enable
View
Service template view
Default level
2: System level
Parameters
None
Description
Use gtk-rekey enable to enable GTK rekey.
Use undo gtk-rekey enable to disable GTK rekey.
By default, GTK rekey is enabled.
Examples
# Disable GTK rekey.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] undo gtk-rekey enable
gtk-rekey method
Syntax
gtk-rekey method { packet-based [ packet ] | time-based [ time ] }
undo gtk-rekey method
View
Service template view
Default level
2: System level
Parameters
packet-based: Indicates the GTK is refreshed after a specified number of packets are transmitted.
packet: Number of packets (including multicasts and broadcasts) that are transmitted before the GTK is refreshed. The value is in the range of 5000 to 4294967295 and defaults to 10000000.
time-based: Indicates the GTK is refreshed based on time.
time: Time after which the GTK is refreshed. The value is in the range of 180 to 604800 seconds and defaults to 86400 seconds.
Description
Use gtk-rekey method to select a mechanism for re-keying the GTK. If option time-based is selected, the GTK is refreshed after a specified period of time. If option packet-based is selected, the GTK is refreshed after a specified number of packets are transmitted.
Use undo gtk-rekey method to restore the default.
By default, the GTK rekeying method is time-based, and the interval is 86400 seconds.
NOTE: The method configured later overwrites the previous one. For example, if you configure the packet-based method and then configure the time-based method, the time-based method is enabled.
Examples
# Enable packet-based GTK rekeying and set the packet number to 60000.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] gtk-rekey method packet-based 60000
ptk-lifetime
Syntax
ptk-lifetime time
undo ptk-lifetime
View
Service template view
Default level
2: System level
Parameters
time: Time in the range of 180 to 604800 seconds.
Description
Use ptk-lifetime to configure the PTK lifetime.
Use undo ptk-lifetime to restore the default.
By default, the PTK lifetime is 43200 seconds.
Examples
# Specify the PTK lifetime as 86400 seconds.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] ptk-lifetime 86400
security-ie
Syntax
security-ie { rsn | wpa }
undo security-ie { rsn | wpa }
View
Service template view
Default level
2: System level
Parameters
rsn: Enables the Robust Security Network (RSN) information element in the beacon and probe response frames sent by the AP. The RSN IE advertises the RSN capabilities of the AP.
wpa: Enables the Wi-Fi Protected Access (WPA) information element in the beacon and probe response frames sent by the AP. The WPA IE advertises the WPA capabilities of the AP.
Description
Use security-ie to enable the WPA IE, RSN IE or both in the beacon and probe responses.
Use undo security-ie to disable the WPA IE or RSN IE in the beacon and probe responses.
By default, both WPA IE and RSN IE are disabled.
Examples
# Enable the WPA IE in the beacon and probe responses.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] security-ie wpa
tkip-cm-time
Syntax
tkip-cm-time time
undo tkip-cm-time
View
Service template view
Default level
2: System level
Parameters
time: TKIP countermeasure time for MIC failure in seconds. The value is in the range of 0 to 3600 seconds.
Description
Use tkip-cm-time to set the TKIP countermeasure time.
Use undo tkip-cm-time to restore the default.
By default, the TKIP countermeasure time is 0 seconds, and no countermeasures are taken.
After countermeasures are enabled, if more than two MIC failures occur within a certain time, the TKIP associations are disassociated, and new associations can be established only after the specified TKIP countermeasure time expires.
Examples
# Set the TKIP countermeasure time to 90 seconds.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] tkip-cm-time 90
wep default-key
Syntax
wep default-key key-index { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
undo wep default-key key-index
View
Service template view
Default level
2: System level
Parameters
key-index: The key index values can be:
1: Configures the 1st WEP default key.
2: Configures the 2nd WEP default key.
3: Configures the 3rd WEP default key.
4: Configures the 4th WEP default key.
wep40: Indicates the WEP40 key option.
wep104: Indicates the WEP104 key option.
wep128: Indicates the WEP128 key option.
pass-phrase: Enables the pass-phrase option. Then a string of alphanumeric characters is used as the key. If WEP40 is selected, 5 alphanumeric characters must be entered as the pass-phrase. If WEP104 is selected, 13 alphanumeric characters must be entered as the pass-phrase. If WEP128 is selected, 16 alphanumeric characters must be entered as the pass-phrase. The length of a pass-phrase is fixed.
raw-key: Enables the raw-key option. The key is entered as a hexadecimal number: a 10-digit hexadecimal number for WEP40, a 26-digit hexadecimal number for WEP104, and a 32-digit hexadecimal number for WEP128. The length of the raw-key is fixed.
key: Key. The key lengths for different combinations are as follows:
· For wep40 pass-phrase, the key length is 5 alphanumeric characters.
· For wep104 pass-phrase, the key length is 13 alphanumeric characters.
· For wep128 pass-phrase, the key length is 16 alphanumeric characters.
· For wep40 raw-key, the key length is a 10-digit hexadecimal number.
· For wep104 raw-key, the key length is a 26-digit hexadecimal number.
· For wep128 raw-key, the key length is a 32-digit hexadecimal number.
cipher key: Specifies a cipher-text key, which is displayed in cipher text. The key is a case-sensitive string of 24 to 88 characters.
simple key: Specifies a simple-text key, which is displayed in simple text. The key is a case-sensitive string and the value range depends on the key option selected.
If the simple or cipher keyword is not specified, a simple-text key is set and the key is displayed in cipher text. The value range of the key is the same as the simple-text key.
Description
Use wep default-key to configure the WEP default key.
Use undo wep default-key to delete the configured WEP default key.
By default, the WEP default key index number is 1.
NOTE: When security IE is configured, WEP default key 1 is not allowed for configuration.
Examples
# Specify the first WEP default key as 12345, which is displayed in simple text.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] wep default-key 1 wep40 pass-phrase simple 12345
[Sysname-wlan-st-1] display this
#
wlan service-template 1 crypto
wep default-key 1 wep40 pass-phrase simple 12345
#
return
# Specify the first WEP default key as a cipher-text key, which is displayed in cipher text.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] wep default-key 1 wep40 pass-phrase cipher -_'PV5%9O`CQ=^Q`MAF4<1!!
[Sysname-wlan-st-1] display this
#
wlan service-template 1 crypto
wep default-key 1 wep40 pass-phrase cipher -_'PV5%9O`CQ=^Q`MAF4<1!!
#
return
# Specify the first WEP default key as 12345, which is displayed in cipher text.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] wep default-key 1 wep40 pass-phrase 12345
[Sysname-wlan-st-1] display this
#
wlan service-template 1 crypto
wep default-key 1 wep40 pass-phrase cipher -_'PV5%9O`CQ=^Q`MAF4<1!!
#
return
wep key-id
Syntax
wep key-id { 1 | 2 | 3 | 4 }
undo wep key-id
View
Service template view
Default level
2: System level
Parameters
· 1: Key index 1.
· 2: Key index 2.
· 3: Key index 3.
· 4: Key index 4.
Description
Use wep key-id to specify the default WEP key used in the encryption and decryption of broadcast and multicast frames. There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the specified key index is used for encrypting and decrypting broadcast and multicast frames.
Use undo wep key-id to restore the default.
By default, the key index number is 1.
Examples
# Specify the index of the key for broadcast/multicast encryption and decryption as 2.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] wep key-id 2
wep mode
Syntax
wep mode dynamic
undo wep mode
View
Service template view
Default level
2: System level
Parameters
dynamic: Enables dynamic WEP encryption.
Description
Use wep mode to enable WEP encryption.
Use undo wep mode to restore the default.
By default, static WEP encryption is enabled.
· Dynamic WEP encryption must be used together with 802.1X authentication, and the WEP key ID cannot be configured as 4.
· With dynamic WEP encryption configured, the device automatically uses the WEP 104 encryption method. To change the encryption method, use the cipher-suite command.
· With dynamic WEP encryption configured, the WEP key used to encrypt unicast frames is negotiated between client and server. If the WEP default key is configured, the WEP default key is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.
Related commands: wep key-id and cipher-suite.
Examples
# Specify the WEP encryption mode as dynamic.
<Sysname> system-view
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] wep mode dynamic
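The commands in this reference can be reviewed together when auditing a saved service template. The following Python sketch is an added example, not vendor code: it flags the deprecated WEP and TKIP cipher suites, shared key authentication, simple-text WEP keys, disabled GTK rekey and a missing RSN IE. The sample text is constructed, and the line layout of the display this output (including undo gtk-rekey enable appearing for the non-default state) is an assumption.

```python
# Constructed `display this` output for one service template (not from a real device).
SAMPLE = """\
#
wlan service-template 1 crypto
 authentication-method shared-key
 cipher-suite tkip
 cipher-suite wep40
 security-ie wpa
 undo gtk-rekey enable
 wep default-key 2 wep40 pass-phrase simple 12345
#
return
"""

def audit(config: str) -> list[str]:
    """Flag weak WLAN security settings in one service template's text."""
    findings, suites, ies = [], set(), set()
    tkip_cm = 0  # documented default: 0 seconds, no countermeasures
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] in ("#", "return"):
            continue
        if w[:2] == ["authentication-method", "shared-key"]:
            findings.append("shared-key authentication enabled")
        elif w[0] == "cipher-suite":
            suites.update(w[1:])          # one or several suites per line
        elif w[0] == "security-ie":
            ies.update(w[1:])
        elif w == ["undo", "gtk-rekey", "enable"]:
            findings.append("GTK rekey disabled")
        elif w[0] == "tkip-cm-time" and len(w) == 2 and w[1].isdigit():
            tkip_cm = int(w[1])
        elif w[:2] == ["wep", "default-key"] and len(w) == 7 and w[5] == "simple":
            findings.append(f"WEP default key {w[2]} stored in simple text")
    for s in sorted(suites & {"wep40", "wep104", "wep128"}):
        findings.append(f"WEP cipher suite enabled: {s}")
    if "tkip" in suites:
        findings.append("TKIP cipher suite enabled")
        if tkip_cm == 0:
            findings.append("TKIP in use with tkip-cm-time 0 (no countermeasures)")
    if "ccmp" not in suites:
        findings.append("CCMP cipher suite not enabled")
    if "rsn" not in ies:
        findings.append("RSN IE not advertised")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("FINDING:", f)
```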