Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 01-WLAN security commands | 109.00 KB |
Contents
enhanced-open transition-mode service-template
gtk-rekey client-offline enable
snmp-agent trap enable wlan usersec
wlan password-failure-limit enable
WLAN security commands
akm mode
Use akm mode to set an authentication and key management (AKM) mode.
Use undo akm mode to restore the default.
Syntax
akm mode { dot1x | private-psk | psk }
undo akm mode
Default
No AKM mode is set.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
dot1x: Specifies 802.1X as the AKM mode.
private-psk: Specifies private PSK as the AKM mode.
psk: Specifies PSK as the AKM mode.
Usage guidelines
You must set the AKM mode for 802.11i (RSNA) networks.
Each WLAN service template supports only one AKM mode. Set the AKM mode only when the WLAN service template is disabled.
Each of the following AKM modes must be used with a specific authentication mode:
· 802.1X AKM—802.1X authentication mode.
· Private PSK AKM—MAC authentication mode.
· PSK AKM—MAC or bypass authentication mode.
For more information about the authentication mode, see User Access and Authentication Configuration Guide.
Examples
# Set the PSK AKM mode.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] akm mode psk
cipher-suite
security-ie
cipher-suite
Use cipher-suite to specify the cipher suite used for frame encryption.
Use undo cipher-suite to remove the cipher suite configuration.
Syntax
cipher-suite { ccmp | gcmp | tkip | wep40 | wep104 | wep128 }
undo cipher-suite { ccmp | gcmp | tkip | wep40 | wep104 | wep128 }
Default
No cipher suite is specified.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
ccmp: Specifies the AES-CCMP cipher suite.
gcmp: Specifies the AES-GCMP cipher suite.
tkip: Specifies the TKIP cipher suite.
wep40: Specifies the WEP40 cipher suite.
wep104: Specifies the WEP104 cipher suite.
wep128: Specifies the WEP128 cipher suite.
Usage guidelines
You must set the cipher suite for 802.11i networks. Set a cipher suite only when the WLAN service template is disabled.
Set the TKIP, GCMP, or CCMP cipher suite when you configure the RSN IE or WPA IE.
The WEP cipher suite includes three types, WEP40, WEP104, and WEP128. Each WLAN service template supports only one type of WEP cipher suite. After you set a type of WEP cipher suite, you must create and apply a key of the same type.
As a best practice to avoid client association failures, do not set WEP40 or WEP104 together with CCMP, GCMP, or TKIP.
When WEP128 is configured, you cannot set the CCMP, GCMP, or TKIP cipher suite.
Examples
# Set the TKIP cipher suite for frame encryption.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] cipher-suite tkip
security-ie
wep key
wep key-id
enhanced-open enable
Use enhanced-open enable to enable enhanced open system authentication.
Use undo enhanced-open enable to disable enhanced open system authentication.
Syntax
enhanced-open enable
undo enhanced-open enable
Default
Enhanced open system authentication is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
Enhanced open system authentication uses Opportunistic Wireless Encryption (OWE) to negotiate keys for encrypting data packets of OWE-capable clients, providing open system authentication with enhanced security performance.
Before enabling this feature, make sure the WPA3 security mode, FT, management frame protection, security IE, cipher suite, and KDF, if any, are in their default settings.
After you enable this feature, the system performs the following operations:
· Specifies the security IE as RSN.
· Specifies the cipher suite as CCMP.
· Enables management frame protection.
· Specifies the HMAC-SHA256 and HMAC-384 algorithms as the KDFs.
Examples
# Enable enhanced open system authentication.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] enhanced-open enable
Related commands
enhanced-open transition-mode service-template
enhanced-open transition-mode service-template
Use enhanced-open transition-mode service-template to specify a recommended service template in transition mode.
Use undo enhanced-open transition-mode service-template to restore the default.
Syntax
enhanced-open transition-mode service-template service-template-name
undo enhanced-open transition-mode service-template
Default
No recommended service template is specified in transition mode.
Views
Service template view
Predefined user roles
network-admin
Parameters
service-template-name: Specifies the name of a service template, a case-insensitive string of 1 to 63 characters.
Usage guidelines
During the transition from open WLANs to enhanced open WLANs, WLANs of both types might exist to accommodate OWE-incapable and OWE-capable clients. In this case, if an OWE-capable client attempts to access an open WLAN or if an OWE-incapable client attempts to access an enhanced open WLAN, the corresponding AP will reject the access request.
This feature allows clients to fast access an appropriate WLAN that matches its capability.
Configure this feature in both an open service template and an enhanced open service template, and specify them as the recommended template of each other.
Bind a service template and its recommended service template to the same radio.
Enable SSID hidden for the enhanced open service template.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify service template service2 as the recommended template for service template service1 in transition mode.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] enhanced-open transition-mode service-template service2
Related commands
beacon ssid-hide (WLAN Access Command Reference)
enhanced-open enable
gtk-rekey client-offline enable
Use gtk-rekey client-offline enable to enable offline-triggered GTK update.
Use undo gtk-rekey client-offline to restore the default.
Syntax
gtk-rekey client-offline enable
undo gtk-rekey client-offline enable
Default
Offline-triggered GTK update is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Usage guidelines
Enable offline-triggered GTK update only when GTK update is enabled.
Examples
# Enable offline-triggered GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey client-offline enable
gtk-rekey enable
gtk-rekey enable
Use gtk-rekey enable to enable GTK update.
Use undo gtk-rekey enable to disable GTK update.
Syntax
gtk-rekey enable
undo gtk-rekey enable
Default
GTK update is enabled.
Views
WLAN service template view
Predefined user roles
network-admin
Examples
# Enable GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey enable
gtk-rekey method
Use gtk-rekey method to set a GTK update method.
Use undo gtk-rekey method to restore the default.
Syntax
gtk-rekey method { packet-based [ packet ] | time-based [ time ] }
undo gtk-rekey method
Default
The GTK is updated at an interval of 86400 seconds.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
packet-based packet: Specifies the number of packets (including multicasts and broadcasts) that are transmitted before the GTK is updated. The value range for the packet argument is 5000 to 4294967295 and the default is 10000000.
time-based time: Specifies the interval at which the GTK is updated. The value range for the time argument is 180 to 604800 seconds and the default is 86400 seconds.
Usage guidelines
Set the GTK update method only when GTK update is enabled.
The most recent configuration overwrites the previous one. For example, if you set the packet-based method and then set the time-based method, the time-based method takes effect.
If you set the GTK update method after the service template is enabled, the change takes effect when the following conditions exist:
· If you change the GTK update interval, the new interval takes effect when the old timer times out.
· If you change the packet number threshold, the new threshold takes effect immediately.
· If you change the GTK update method to packet-based, the new method takes effect when the timer is deleted and the packet number threshold is reached.
· If you change the GTK update method to time-based, the configuration takes effect immediately.
Examples
# Enable time-based GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey method time-based 3600
# Enable packet-based GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey method packet-based 600000
gtk-rekey enable
key-derivation
Use key-derivation to set the key derivation function (KDF).
Use undo key-derivation to restore the default.
Syntax
key-derivation { sha1 | sha1-and-sha256 | sha256 }
undo key-derivation
Default
The KDF is the HMAC-SHA1 algorithm.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
sha1: Specifies the HMAC-SHA1 algorithm as the KDF.
sha256: Specifies the HMAC-SHA256 algorithm as the KDF.
sha1-and-sha256: Specifies the HMAC-SHA1 algorithm and the HMAC-SHA256 algorithm as the KDFs.
Usage guidelines
KDFs take effect only for a network that uses the 802.11i mechanism.
The HMAC-SHA256 algorithm is recommended if mandatory management frame protection is enabled.
Make sure the service template is disabled before you execute this command.
Examples
# Configure the HMAC-SHA256 algorithm as the KDF.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] key-derivation sha256
Related commands
akm mode
cipher-suite
security-ie
pmf
Use pmf to enable management frame protection.
Use undo pmf to restore the default.
Syntax
pmf { mandatory | optional }
undo pmf
Default
Management frame protection is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
mandatory: Specifies the mandatory mode. Only clients that support management frame protection can access the WLAN.
optional: Specifies the optional mode. All clients can access the WLAN.
Usage guidelines
Management frame protection takes effect only for a network that uses the 802.11i mechanism and is configured with the CCMP cipher suite and RSN security information element.
Examples
# Enable management frame protection in optional mode.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf optional
Related commands
cipher-suite
security-ie
pmf association-comeback
Use pmf association-comeback to set the association comeback time.
Use undo pmf association-comeback to restore the default.
Syntax
pmf association-comeback time
undo pmf association-comeback
Default
The association comeback time is 1 second.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
time: Specifies the association comeback time in the range of 1 to 20 seconds.
Usage guidelines
If an AP rejects the current association or reassociation request from a client, it returns an association/reassociation response that carries the association comeback time. The AP starts to receive the association or reassociation request from the client when the association comeback time times out.
Examples
# Set the association comeback time to 2 seconds.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf association-comeback 2
pmf saquery retrycount
Use pmf saquery retrycount to maximum retransmission attempts for SA query requests.
Use undo pmf saquery retrycount to restore the default.
Syntax
pmf saquery retrycount count
undo pmf saquery retrycount
Default
The maximum retransmission attempt number is 4 for SA query requests.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
count: Specifies the maximum retransmission attempts for SA query requests, in the range of 1 to 16.
Usage guidelines
If an AP does not receive an acknowledgment for the SA query request after retransmission attempts reach the maximum number, the AP determines that the client is offline.
Examples
# Set the number of maximum retransmission attempt to 3 for SA query requests.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf saquery retrycount 3
Related commands
pmf
pmf saquery retrycount
pmf saquery retrytimeout
Use pmf saquery retrytimeout to set the interval for sending SA query requests.
Use undo pmf saquery retrytimeout to restore the default.
Syntax
pmf saquery retrytimeout timeout
undo pmf saquery retrytimeout
Default
The interval for sending SA query requests is 200 milliseconds.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
timeout: Specifies the interval for an AP to send SA query requests, in the range of 100 to 500 milliseconds.
Examples
# Set the interval for sending SA query requests to 300 milliseconds.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf saquery retrytimeout 300
Related commands
pmf
pmf saquery retrytimeout
preshared-key
Use preshared-key to set the PSK.
Use undo preshared-key to restore the default.
Syntax
preshared-key { pass-phrase | raw-key } { cipher | simple } string
undo preshared-key
Default
No PSK is set.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
pass-phrase: Sets a PSK, a character string.
raw-key: Sets a PSK, a hexadecimal number.
cipher: Sets a key in encrypted form.
simple: Sets a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies a key string. This argument is case sensitive. Key length varies by key type:
· pass-phrase—Its plaintext form is 8 to 63 characters. Its encrypted form is 8 to 117 characters.
· raw-key—Its plaintext form is 64 hexadecimal digits. Its encrypted form is 8 to 117 characters.
Usage guidelines
Set the PSK only when the WLAN service template is disabled and the AKM mode is PSK. If you set the PSK when the AKM mode is 802.1X, the WLAN service template can be enabled but the PSK configuration does not take effect.
You can set only one PSK for a WLAN service template.
Examples
# Configure simple character string 12345678 as the PSK.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] akm mode psk
[Sysname-wlan-st-security] preshared-key pass-phrase simple 12345678
Related commands
akm mode
ptk-lifetime
Use ptk-lifetime to set the PTK lifetime.
Use undo ptk-lifetime to restore the default.
Syntax
ptk-lifetime time
undo ptk-lifetime
Default
The PTK lifetime is 43200 seconds.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
time: Specifies the lifetime of the PSK, in the range of 180 to 604800 seconds.
Usage guidelines
If you configure the PTK lifetime when the service template is enabled, the configuration takes effect after the old timer times out.
Examples
# Set the PTK lifetime to 200 seconds.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] ptk-lifetime 200
ptk-rekey enable
Use ptk-rekey enable to enable PTK update.
Use undo ptk-rekey enable to disable PTK update.
Syntax
ptk-rekey enable
undo ptk-rekey enable
Default
PTK update is enabled.
Views
WLAN service template view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to update the PTK after the PTK lifetime expires.
Examples
# Enable PTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] ptk-rekey enable
Related commands
ptk-lifetime
security-ie
Use security-ie to enable the OSEN IE, RSN IE, or WPA IE in beacon and probe responses.
Use undo security-ie to disable the OSEN IE, RSN IE, or WPA IE in beacon and probe responses.
Syntax
security-ie { rsn | wpa }
undo security-ie { rsn | wpa }
Default
RSN IE and WPA IE are disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
rsn: Enables the RSN IE in the beacon and probe response frames sent by the AP. The RSN IE advertises the RSN capabilities of the AP.
wpa: Enables the WPA IE in the beacon and probe response frames sent by the AP. The WPA IE advertises the WPA capabilities of the AP.
Usage guidelines
You must set the security IE for 802.11i networks. Set a security IE only when the WLAN service template is disabled and the CCMP or TKIP cipher suite is configured.
Examples
# Enable the RSN IE in beacon and probe responses.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] security-ie rsn
akm mode
cipher-suite
snmp-agent trap enable wlan usersec
Use snmp-agent trap enable wlan usersec to enable SNMP notifications for WLAN security.
Use undo snmp-agent trap enable wlan usersec to disable SNMP notifications for WLAN security.
Syntax
snmp-agent trap enable wlan usersec
undo snmp-agent trap enable wlan usersec
Default
SNMP notifications are disabled for WLAN security.
Views
System view
Predefined user roles
network-admin
Usage guidelines
To report critical WLAN security events to an NMS, enable SNMP notifications for WLAN security. For WLAN security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Examples
# Enable SNMP notifications for WLAN security.
<Sysname> system-view
[Sysname] snmp-agent trap enable wlan usersec
tkip-cm-time
Use tkip-cm-time to set the TKIP MIC failure hold time.
Use undo tkip-cm-time to restore the default.
Syntax
tkip-cm-time time
undo tkip-cm-time
Default
The TKIP MIC failure hold time is 0 seconds. The AP does not take any countermeasures.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
time: Sets the TKIP MIC failure hold time in the range of 0 to 3600 seconds.
Usage guidelines
Set the TKIP MIC failure hold time only when the TKIP cipher suite is configured.
If you configure the MIC failure hold time when the service template is enabled, the configuration takes effect after the old timer times out.
If the AP detects two MIC failures within the MIC failure hold time, it disassociates all clients for 60 seconds.
Examples
# Set the TKIP MIC failure hold time to 180 seconds.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] tkip-cm-time 180
cipher-suite
wep key
Use wep key to set a WEP key.
Use undo wep key to delete the configured WEP key.
Syntax
wep key key-id { wep40 | wep104 | wep128 } { pass-phrase | raw-key } { cipher | simple } string
undo wep key key-id
Default
No WEP key is set.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
key-id: Sets the key ID in the range of 1 to 4.
wep40: Sets the WEP40 key.
wep104: Sets the WEP104 key.
wep128: Sets the WEP128 key.
pass-phrase: Sets a WEP key, a character string.
raw-key: Sets a WEP key, a hexadecimal number.
cipher: Sets a key in encrypted form.
simple: Sets a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
key: Specifies a key string. This argument is case sensitive. The cipher key length is in the range of 37 to 73 characters. The plaintext key length varies by key type:
· wep40 pass-phrase—Its plaintext form is 5 characters.
· wep104 pass-phrase—Its plaintext form is 13 characters.
· wep128 pass-phrase—Its plaintext form is 16 characters.
· wep40 raw-key—Its plaintext form is 10 hexadecimal digits.
· wep104 raw-key—Its plaintext form is 26 hexadecimal digits.
· wep128 raw-key—Its plaintext form is 32 hexadecimal digits.
Usage guidelines
Set a WEP key only when the WLAN service template is disabled and the cipher suite WEP is configured. You can set a maximum of four WEP keys.
Examples
# Configure the cipher suite WEP40 and configure plain text 12345 as WEP key 1.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] cipher-suite wep40
[Sysname-wlan-st-security] wep key 1 wep40 pass-phrase simple 12345
Related commands
cipher-suite
wep key-id
wep key-id
Use wep key-id to apply a WEP key.
Use undo wep key-id to restore the default.
Syntax
wep key-id { 1 | 2 | 3 | 4 }
undo wep key-id
Default
Key 1 is applied.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
1: Specifies the WEP key whose ID is 1.
2: Specifies the WEP key whose ID is 2.
3: Specifies the WEP key whose ID is 3.
4: Specifies the WEP key whose ID is 4.
Usage guidelines
Apply a WEP key only when the WLAN service template is disabled.
In the 802.11i mechanism, key 1 is the negotiated key. To apply a WEP key, specify a WEP key whose ID is not 1.
You can only apply an existing WEP key.
Examples
# Configure the cipher suite WEP40, configure plain text 12345 as WEP key 1, and apply WEP key 1.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] cipher-suite wep40
[Sysname-wlan-st-security] wep key 1 wep40 pass-phrase simple 12345
[Sysname-wlan-st-security] wep key-id 1
Related commands
wep key
wep mode dynamic
Use the wep mode dynamic command to enable the dynamic WEP mechanism.
Use the undo wep mode dynamic command to disable the dynamic WEP mechanism.
Syntax
wep mode dynamic
undo wep mode dynamic
Default
The dynamic WEP mechanism is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Usage guidelines
Enable the dynamic WEP mechanism only when the WLAN service template is disabled.
The dynamic WEP mechanism requires 802.1X authentication for user access authentication.
Do not apply WEP key 4 if the dynamic WEP mechanism is enabled.
Examples
# Enable the dynamic WEP mechanism.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] wep mode dynamic
Related commands
cipher-suite
client-security authentication-mode (See User Access and Authentication Command Reference)
wep key
wlan password-failure-limit enable
Use wlan password-failure-limit enable to enable password failure limit.
Use undo wlan password-failure-limit enable to disable password failure limit.
Syntax
wlan password-failure-limit enable [ detection-period detection-period ] [ failure-threshold failure-threshold ]
undo wlan password-failure-limit enable
Default
Password failure limit is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
detection-period detection-period: Specifies the detection period in the range of 5 to 600 seconds. The default value is 100.
failure-threshold failure-threshold: Specifies the failure threshold in the range of 1 to 100. The default value is 20.
Usage guidelines
This feature enables the system to add a client to the dynamic blacklist if the number of the client's password failures reach the failure threshold within the specified detection period. For more information about the dynamic blacklist, see WLAN Access Configuration Guide.
When you configure this feature, follow these restrictions and guidelines:
· This feature takes effect only when the AKM mode is PSK or private PSK.
· This feature takes effect only on clients coming online after the feature is enabled.
· The system restarts failure calculation if the STAMGR process restarts.
· This feature does not take effect on APs coming online from a subordinate AC in an IRF fabric.
Examples
# Enable password failure limit, set the detection period to 300 seconds, and set the failure threshold to 50.
<Sysname> system-view
[Sysname] wlan password-failure-limit enable detection-period 300 failure-threshold 50
wpa3
Use wpa3 to enable WPA3 and set the WPA3 security mode.
Use undo wpa3 to disable WPA3.
Syntax
wpa3 { enterprise | personal { mandatory | optional } }
undo wpa3
Default
WPA3 is disabled.
Views
Service template view
Predefined user roles
network-admin
Parameters
enterprise: Specifies WPA3-Enterprise.
personal: Specifies WPA3-SAE.
mandatory: Specifies the mandatory security mode. In this mode, clients that do not support WPA3 cannot access the WLAN.
optional: Specifies the optional security mode. In this mode, clients that do not support WPA3 can access the WLAN.
Usage guidelines
To use WPA3-Enterprise, set the cipher suite to GCMP, and the security IE to RSN.
To use WPA3-SAE, set the cipher suite to CCMP, and the security IE to RSN.
As a best practice, enable management frame protection if you specify a WPA3 security mode.
Examples
# Set the WPA3 security mode to personal.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] wpa3 personal mandatory
Related commands
cipher-suite
security-ie
