08-WLAN Security Command Reference

WLAN security commands

akm mode

Use akm mode to set an authentication and key management (AKM) mode.

Use undo akm mode to restore the default.

Syntax

akm mode { dot1x | private-psk | psk | anonymous-dot1x }

undo akm mode

Default

No AKM mode is set.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

dot1x: Specifies 802.1X as the AKM mode.

private-psk: Specifies private PSK as the AKM mode.

psk: Specifies PSK as the AKM mode.

anonymous-dot1x: Specifies WiFi alliance anonymous 802.1X as the AKM mode.

Usage guidelines

You must set the AKM mode for 802.11i (RSNA) networks.

Each WLAN service template supports only one AKM mode. Set the AKM mode only when the WLAN service template is disabled.

Set the WiFi alliance anonymous 802.1X AKM mode if the OSEN IE is used.

Each of the following AKM modes must be used with a specific authentication mode:

·     802.1X AKM—802.1X authentication mode.

·     Private PSK AKM—MAC authentication mode.

·     PSK AKM—MAC or bypass authentication mode.

·     WiFi alliance anonymous 802.1X AKM—802.1X authentication mode.

For more information about the authentication mode, see User Access and Authentication Configuration Guide.

Examples

# Set the PSK AKM mode.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] akm mode psk

Related commands

cipher-suite

security-ie

cipher-suite

Use cipher-suite to specify the cipher suite used for frame encryption.

Use undo cipher-suite to remove the cipher suite configuration.

Syntax

cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }

undo cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }

Default

No cipher suite is specified.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

ccmp: Specifies the AES-CCMP cipher suite.

tkip: Specifies the TKIP cipher suite.

wep40: Specifies the WEP40 cipher suite.

wep104: Specifies the WEP104 cipher suite.

wep128: Specifies the WEP128 cipher suite.

Usage guidelines

You must set the cipher suite for 802.11i networks. Set a cipher suite only when the WLAN service template is disabled.

Set the TKIP or CCMP cipher suite when you configure the RSN IE or WPA IE.

The WEP cipher suite includes three types, WEP40, WEP104, and WEP128. Each WLAN service template supports only one type of WEP cipher suite. After you set a type of WEP cipher suite, you must create and apply a key of the same type.

When WEP128 is configured, you cannot set the CCMP or TKIP cipher suite.

Examples

# Set the TKIP cipher suite for frame encryption.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] cipher-suite tkip

Related commands

security-ie

wep key

wep key-id

display wlan private-psk cloud-password

Use display wlan private-psk cloud-password to display private pre-shared key (PPSK) password information.

Syntax

display wlan private-psk cloud-password [ password-id ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

password-id: Specifies a password ID. If you do not specify this argument, the command displays information about all PPSK passwords.

verbose: Displays detailed information. If you do not specify this keyword, the command displays brief information about PPSK passwords.

Examples

# Display brief information about all PPSK passwords.

<Sysname> display wlan private-psk cloud-password

Total number: 2

PWD ID Username            Max clients  Used    Update time      Aging time(Min)

1111   zhangsan@3521buyd.. 2            1       2018/11/26 10:52 10080

1112   lisi                2            1       2018/11/26 10:59 10080

Table 1 Command output

Field            Description
Total number     Total number of PPSK passwords.
PWD ID           Password ID.
Max clients      Maximum number of clients that can use this password.
Used             Number of clients that have used this password for authentication.
Update time      UTC time at which the password information was updated.
Aging time(Min)  Password aging time in minutes. A value of 0 indicates that the password never expires.

# Display detailed information about a specific password.

<Sysname> display wlan private-psk cloud-password 1111 verbose

Site ID         : 23

Password ID     : 1111

Update time     : 2018/11/26 10:52

Expiration time : 2018/12/03 10:52

Aging time(min) : 10080

Username        : zhangsan@3521buydfgsygf

Max clients     : 2

Used            : 1

CAR:

  Average inbound  : 102400 bps

  Average outbound : 102400 bps

Password        : jfkeiksdfdnfksnfekdssdfelsmdfei4f5ds4

Table 2 Command output

Field             Description
Update time       UTC time at which the password information was updated.
Expiration time   UTC time at which the password will expire.
Aging time (min)  Password aging time in minutes. A value of 0 indicates that the password never expires.
Max clients       Maximum number of clients that can use this password.
Used              Number of clients that have used this password for authentication.
CAR               CAR of clients that come online by using this password.
Average inbound   Average downlink rate in bps.
Average outbound  Average uplink rate in bps.

display wlan private-psk cloud-password mac-binding

Use display wlan private-psk cloud-password mac-binding to display MAC-password bindings.

Syntax

display wlan private-psk cloud-password mac-binding [ password-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

password-id: Specifies a password ID. If you do not specify this argument, the command displays all MAC-password bindings.

Examples

# Display all MAC-password bindings.

<Sysname> display wlan private-psk cloud-password mac-binding

Total: 2

PWD ID       MAC address       Binding time      Expiration time

1111         D34A-A35C-28A3(+) 2018/11/26 11:22  2018/12/03 11:00

2222         A54E-368D-A433(*) 2018/11/26 11:30  2018/12/02 11:00

# Display the MAC-password binding of a specific password.

<Sysname> display wlan private-psk cloud-password mac-binding 1111

Total Number: 1

PWD ID       MAC address       Binding time      Expiration time

1111         D34A-A35C-28A3(+) 2018/11/26 11:22  2018/12/03 11:00

Table 3 Command output

Field            Description
Total            Total number of bound MAC addresses.
PWD ID           Password ID.
MAC address      Bound MAC address. An asterisk (*) indicates a MAC address bound at password creation. A plus sign (+) indicates a MAC address bound at client association.
Binding time     UTC time at which the MAC address was bound to the password.
Expiration time  UTC time at which the binding will expire.

gtk-rekey client-offline enable

Use gtk-rekey client-offline enable to enable offline-triggered GTK update.

Use undo gtk-rekey client-offline enable to restore the default.

Syntax

gtk-rekey client-offline enable

undo gtk-rekey client-offline enable

Default

Offline-triggered GTK update is disabled.

Views

WLAN service template view

Predefined user roles

network-admin

Usage guidelines

Enable offline-triggered GTK update only when GTK update is enabled.

Examples

# Enable offline-triggered GTK update.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] gtk-rekey client-offline enable

Related commands

gtk-rekey enable

gtk-rekey enable

Use gtk-rekey enable to enable GTK update.

Use undo gtk-rekey enable to disable GTK update.

Syntax

gtk-rekey enable

undo gtk-rekey enable

Default

GTK update is enabled.

Views

WLAN service template view

Predefined user roles

network-admin

Examples

# Enable GTK update.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] gtk-rekey enable

gtk-rekey method

Use gtk-rekey method to set a GTK update method.

Use undo gtk-rekey method to restore the default.

Syntax

gtk-rekey method { packet-based [ packet ] | time-based [ time ] }

undo gtk-rekey method

Default

The GTK is updated at an interval of 86400 seconds.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

packet-based packet: Specifies the number of packets (including multicasts and broadcasts) that are transmitted before the GTK is updated. The value range for the packet argument is 5000 to 4294967295 and the default is 10000000.

time-based time: Specifies the interval at which the GTK is updated. The value range for the time argument is 180 to 604800 seconds and the default is 86400 seconds.

Usage guidelines

Set the GTK update method only when GTK update is enabled.

The most recent configuration overwrites the previous one. For example, if you set the packet-based method and then set the time-based method, the time-based method takes effect.

If you set the GTK update method after the service template is enabled, the change takes effect when the following conditions exist:

·     If you change the GTK update interval, the new interval takes effect when the old timer times out.

·     If you change the packet number threshold, the new threshold takes effect immediately.

·     If you change the GTK update method to packet-based, the new method takes effect when the timer is deleted and the packet number threshold is reached.

·     If you change the GTK update method to time-based, the configuration takes effect immediately.

Examples

# Enable time-based GTK update.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] gtk-rekey method time-based 3600

# Enable packet-based GTK update.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] gtk-rekey method packet-based 600000

Related commands

gtk-rekey enable

key-derivation

Use key-derivation to set the key derivation function (KDF).

Use undo key-derivation to restore the default.

Syntax

key-derivation { sha1 | sha1-and-sha256 | sha256 }

undo key-derivation

Default

The KDF is the HMAC-SHA1 algorithm.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

sha1: Specifies the HMAC-SHA1 algorithm as the KDF.

sha256: Specifies the HMAC-SHA256 algorithm as the KDF.

sha1-and-sha256: Specifies the HMAC-SHA1 algorithm and the HMAC-SHA256 algorithm as the KDFs.

Usage guidelines

KDFs take effect only for a network that uses the 802.11i mechanism.

The HMAC-SHA256 algorithm is recommended if mandatory management frame protection is enabled.

Make sure the service template is disabled before you execute this command.

Examples

# Configure the HMAC-SHA256 algorithm as the KDF.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] key-derivation sha256

Related commands

akm mode

cipher-suite

security-ie

pmf

Use pmf to enable management frame protection.

Use undo pmf to restore the default.

Syntax

pmf { mandatory | optional }

undo pmf

Default

Management frame protection is disabled.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

mandatory: Specifies the mandatory mode. Only clients that support management frame protection can access the WLAN.

optional: Specifies the optional mode. All clients can access the WLAN.

Usage guidelines

Management frame protection takes effect only for a network that uses the 802.11i mechanism and is configured with the CCMP cipher suite and RSN security information element.

Examples

# Enable management frame protection in optional mode.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] pmf optional

Related commands

cipher-suite

security-ie

pmf association-comeback

Use pmf association-comeback to set the association comeback time.

Use undo pmf association-comeback to restore the default.

Syntax

pmf association-comeback time

undo pmf association-comeback

Default

The association comeback time is 1 second.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

time: Specifies the association comeback time in the range of 1 to 20 seconds.

Usage guidelines

If an AP rejects the current association or reassociation request from a client, it returns an association/reassociation response that carries the association comeback time. The AP starts accepting association or reassociation requests from the client again when the association comeback time expires.

Examples

# Set the association comeback time to 2 seconds.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] pmf association-comeback 2

pmf saquery retrycount

Use pmf saquery retrycount to set the maximum number of retransmission attempts for SA query requests.

Use undo pmf saquery retrycount to restore the default.

Syntax

pmf saquery retrycount count

undo pmf saquery retrycount

Default

The maximum number of retransmission attempts for SA query requests is 4.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

count: Specifies the maximum retransmission attempts for SA query requests, in the range of 1 to 16.

Usage guidelines

If an AP does not receive an acknowledgment for the SA query request after retransmission attempts reach the maximum number, the AP determines that the client is offline.

Examples

# Set the maximum number of retransmission attempts for SA query requests to 3.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] pmf saquery retrycount 3

Related commands

pmf

pmf saquery retrycount

pmf saquery retrytimeout

Use pmf saquery retrytimeout to set the interval for sending SA query requests.

Use undo pmf saquery retrytimeout to restore the default.

Syntax

pmf saquery retrytimeout timeout

undo pmf saquery retrytimeout

Default

The interval for sending SA query requests is 200 milliseconds.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

timeout: Specifies the interval for an AP to send SA query requests, in the range of 100 to 500 milliseconds.

Examples

# Set the interval for sending SA query requests to 300 milliseconds.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] pmf saquery retrytimeout 300

Related commands

pmf

pmf saquery retrytimeout

preshared-key

Use preshared-key to set the PSK.

Use undo preshared-key to restore the default.

Syntax

preshared-key { pass-phrase | raw-key } { cipher | simple } string

undo preshared-key

Default

No PSK is set.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

pass-phrase: Sets a PSK, a character string.

raw-key: Sets a PSK, a hexadecimal number.

cipher: Sets a key in encrypted form.

simple: Sets a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies a key string. This argument is case sensitive. Key length varies by key type:

·     pass-phrase—Its plaintext form is 8 to 63 characters. Its encrypted form is 8 to 117 characters.

·     raw-key—Its plaintext form is 64 hexadecimal digits. Its encrypted form is 8 to 117 characters.

Usage guidelines

Set the PSK only when the WLAN service template is disabled and the AKM mode is PSK. If you set the PSK when the AKM mode is 802.1X, the WLAN service template can be enabled but the PSK configuration does not take effect.

You can set only one PSK for a WLAN service template.

Examples

# Configure simple character string 12345678 as the PSK.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] akm mode psk

[Sysname-wlan-st-security] preshared-key pass-phrase simple 12345678

Related commands

akm mode
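
The two plaintext key types above carry the same kind of secret in different forms: a raw-key of 64 hexadecimal digits is a 256-bit key, and a pass-phrase is expanded to a key of that size by the standard IEEE 802.11i mapping, which mixes in the SSID. The following Python sketch is an added example, not H3C code; the function names are hypothetical, and the printable-ASCII check and the PBKDF2 parameters come from IEEE 802.11i rather than from this page.

```python
import hashlib
import re


def check_psk_argument(key_type, string):
    """Validate a plaintext preshared-key string against the lengths listed above."""
    if key_type == "pass-phrase":
        if not 8 <= len(string) <= 63:
            raise ValueError("pass-phrase must be 8 to 63 characters")
        # Assumption taken from IEEE 802.11i, not from this page: printable ASCII only.
        if not all(32 <= ord(ch) <= 126 for ch in string):
            raise ValueError("pass-phrase must be printable ASCII")
    elif key_type == "raw-key":
        if not re.fullmatch(r"[0-9A-Fa-f]{64}", string):
            raise ValueError("raw-key must be exactly 64 hexadecimal digits")
    else:
        raise ValueError("key type must be pass-phrase or raw-key")
    return True


def pmk_from_pass_phrase(pass_phrase, ssid):
    """IEEE 802.11i mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    check_psk_argument("pass-phrase", pass_phrase)
    return hashlib.pbkdf2_hmac(
        "sha1", pass_phrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def pmk_from_raw_key(raw_key):
    """A raw-key is already the 256-bit key, written as 64 hexadecimal digits."""
    check_psk_argument("raw-key", raw_key)
    return bytes.fromhex(raw_key)


if __name__ == "__main__":
    # Constructed inputs: the pass-phrase and SSIDs are sample values, not from a device.
    for ssid in ("IEEE", "lab-ssid"):
        key = pmk_from_pass_phrase("password", ssid)
        print(ssid, key.hex())
        # Feeding the derived key back as a raw-key yields the same 32 bytes.
        assert pmk_from_raw_key(key.hex()) == key
```

The same pass-phrase produces a different key on every SSID, while a raw-key is used unchanged whatever the SSID is.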

private-psk cloud enable

Use private-psk cloud enable to enable Oasis PPSK authentication.

Use undo private-psk cloud enable to disable Oasis PPSK authentication.

Syntax

private-psk cloud enable

undo private-psk cloud enable

Default

Oasis PPSK authentication is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This feature enables clients to use PPSKs configured on the Oasis platform for WLAN access.

With this feature enabled, clients must first pass bypass or MAC authentication, and then enter the PPSK password to access a WLAN. The device will generate binding entries between client MAC addresses and PPSK passwords at client association.

Make sure the service template has been disabled before you configure this feature.

Examples

# Enable Oasis PPSK authentication.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] private-psk cloud enable

Related commands

akm mode

client-security authentication-mode

private-psk fail-permit enable

Use private-psk fail-permit enable to enable PPSK fail-permit.

Use undo private-psk fail-permit enable to disable PPSK fail-permit.

Syntax

private-psk fail-permit enable

undo private-psk fail-permit enable

Default

PPSK fail-permit is enabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

With Oasis PPSK authentication enabled, clients and devices must connect to the Oasis platform for authentication. PPSK fail-permit allows clients to bypass the Oasis platform and access the WLAN when the Oasis platform is unavailable.

If the Oasis platform becomes unavailable, PPSK fail-permit provides the following functions:

·     Allows online clients to stay online until the MAC-password binding entries expire. When the MAC-password binding entries expire, the device logs all online clients.

·     Allows clients whose MAC-password binding entries have not expired to re-access the WLAN.

·     Allows clients that have a correct PPSK password but have never come online to access the WLAN.

Make sure the service template has been disabled before you configure this feature.

Examples

# Enable PPSK fail-permit.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] private-psk fail-permit enable

Related commands

private-psk cloud enable

ptk-lifetime

Use ptk-lifetime to set the PTK lifetime.

Use undo ptk-lifetime to restore the default.

Syntax

ptk-lifetime time

undo ptk-lifetime

Default

The PTK lifetime is 43200 seconds.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

time: Specifies the lifetime of the PTK, in the range of 180 to 604800 seconds.

Usage guidelines

If you configure the PTK lifetime when the service template is enabled, the configuration takes effect after the old timer times out.

Examples

# Set the PTK lifetime to 200 seconds.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] ptk-lifetime 200

ptk-rekey enable

Use ptk-rekey enable to enable PTK update.

Use undo ptk-rekey enable to disable PTK update.

Syntax

ptk-rekey enable

undo ptk-rekey enable

Default

PTK update is enabled.

Views

WLAN service template view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to update the PTK after the PTK lifetime expires.

Examples

# Enable PTK update.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] ptk-rekey enable

Related commands

ptk-lifetime

security-ie

Use security-ie to enable the OSEN IE, RSN IE, or WPA IE in beacon and probe responses.

Use undo security-ie to disable the OSEN IE, RSN IE, or WPA IE in beacon and probe responses.

Syntax

security-ie { osen | rsn | wpa }

undo security-ie { osen | rsn | wpa }

Default

OSEN IE, RSN IE, and WPA IE are disabled.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

osen: Enables the OSEN IE in the beacon and probe response frames sent by the AP. The OSEN IE advertises the OSEN capabilities of the AP.

rsn: Enables the RSN IE in the beacon and probe response frames sent by the AP. The RSN IE advertises the RSN capabilities of the AP.

wpa: Enables the WPA IE in the beacon and probe response frames sent by the AP. The WPA IE advertises the WPA capabilities of the AP.

Usage guidelines

You must set the security IE for 802.11i networks. Set a security IE only when the WLAN service template is disabled and the CCMP or TKIP cipher suite is configured.

Set the WiFi alliance anonymous 802.1X AKM mode if the OSEN IE is used.

Examples

# Enable the RSN IE in beacon and probe responses.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] security-ie rsn

Related commands

akm mode

cipher-suite
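
The usage guidelines for akm mode, cipher-suite, key-derivation, pmf, gtk-rekey, preshared-key, tkip-cm-time, and security-ie depend on each other, so a template can be accepted and still leave a setting without effect. The following Python sketch is an added example, not part of the H3C reference: it checks service templates against those guidelines, and it assumes the configuration is saved as one indented block per template. The template names, rule labels, and function names are hypothetical.

```python
import re

# Constructed sample laid out like a saved configuration ("#" between blocks).
# Template names and the key ciphertext are placeholders.
SAMPLE_CONFIG = """\
wlan service-template guest
 akm mode psk
 cipher-suite tkip
 security-ie wpa
 pmf mandatory
 preshared-key pass-phrase cipher PLACEHOLDER-CIPHERTEXT
#
wlan service-template staff
 akm mode dot1x
 cipher-suite ccmp
 security-ie rsn
 key-derivation sha256
 pmf mandatory
#
wlan service-template hotspot
 akm mode dot1x
 cipher-suite ccmp
 security-ie osen
 undo gtk-rekey enable
 gtk-rekey client-offline enable
#
"""


def parse_templates(text):
    """Return {template name: [command, ...]} for every service template block."""
    templates, current = {}, None
    for raw in text.splitlines():
        head = re.match(r"wlan service-template (\S+)\s*$", raw)
        if head:
            current = templates.setdefault(head.group(1), [])
        elif not raw.startswith(" "):   # "#", blank line, or another top-level command
            current = None
        elif current is not None:
            current.append(raw.strip())
    return templates


def values(cmds, prefix):
    """First keyword that follows `prefix` on each matching command line."""
    return {c[len(prefix):].split()[0] for c in cmds if c.startswith(prefix)}


def audit(cmds):
    """Check one template against the usage guidelines; return [(rule, message)]."""
    ciphers = values(cmds, "cipher-suite ")
    ies = values(cmds, "security-ie ")
    akm = next(iter(values(cmds, "akm mode ")), None)
    kdf = next(iter(values(cmds, "key-derivation ")), "sha1")  # default is HMAC-SHA1
    pmf = next((c.split()[1] for c in cmds
                if re.fullmatch(r"pmf (mandatory|optional)", c)), None)
    gtk_on = "undo gtk-rekey enable" not in cmds               # GTK update is on by default
    found = []
    if pmf and not ("ccmp" in ciphers and "rsn" in ies):
        found.append(("PMF-NO-EFFECT", "pmf needs cipher-suite ccmp and security-ie rsn"))
    if pmf == "mandatory" and "sha256" not in kdf:
        found.append(("KDF-SHA1", "key-derivation sha256 is recommended with pmf mandatory"))
    if "osen" in ies and akm != "anonymous-dot1x":
        found.append(("OSEN-AKM", "security-ie osen requires akm mode anonymous-dot1x"))
    if ies and not ciphers & {"ccmp", "tkip"}:
        found.append(("IE-NO-CIPHER", "security-ie requires cipher-suite ccmp or tkip"))
    if "wep128" in ciphers and ciphers & {"ccmp", "tkip"}:
        found.append(("WEP128-MIX", "wep128 cannot be combined with ccmp or tkip"))
    if values(cmds, "tkip-cm-time ") and "tkip" not in ciphers:
        found.append(("TKIP-CM", "tkip-cm-time applies only with cipher-suite tkip"))
    if values(cmds, "preshared-key ") and akm != "psk":
        found.append(("PSK-UNUSED", "preshared-key takes effect only with akm mode psk"))
    if not gtk_on and any(c.startswith("gtk-rekey ") for c in cmds):
        found.append(("GTK-DISABLED", "gtk-rekey settings need GTK update enabled"))
    # Not a rule from this page: WEP and TKIP are deprecated in IEEE 802.11.
    legacy = sorted(ciphers - {"ccmp"})
    if legacy:
        found.append(("LEGACY-CIPHER", "legacy cipher suite: " + ", ".join(legacy)))
    return found


if __name__ == "__main__":
    for name, cmds in parse_templates(SAMPLE_CONFIG).items():
        for rule, message in audit(cmds) or [("OK", "no findings")]:
            print(f"{name:8} {rule:14} {message}")
```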

snmp-agent trap enable wlan usersec

Use snmp-agent trap enable wlan usersec to enable SNMP notifications for WLAN security.

Use undo snmp-agent trap enable wlan usersec to disable SNMP notifications for WLAN security.

Syntax

snmp-agent trap enable wlan usersec

undo snmp-agent trap enable wlan usersec

Default

SNMP notifications are disabled for WLAN security.

Views

System view

Predefined user roles

network-admin

Usage guidelines

To report critical WLAN security events to an NMS, enable SNMP notifications for WLAN security. For WLAN security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable SNMP notifications for WLAN security.

<Sysname> system-view

[Sysname] snmp-agent trap enable wlan usersec

tkip-cm-time

Use tkip-cm-time to set the TKIP MIC failure hold time.

Use undo tkip-cm-time to restore the default.

Syntax

tkip-cm-time time

undo tkip-cm-time

Default

The TKIP MIC failure hold time is 0 seconds. The AP does not take any countermeasures.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

time: Sets the TKIP MIC failure hold time in the range of 0 to 3600 seconds.

Usage guidelines

Set the TKIP MIC failure hold time only when the TKIP cipher suite is configured.

If you configure the MIC failure hold time when the service template is enabled, the configuration takes effect after the old timer times out.

If the AP detects two MIC failures within the MIC failure hold time, it disassociates all clients for 60 seconds.

Examples

# Set the TKIP MIC failure hold time to 180 seconds.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] tkip-cm-time 180

Related commands

cipher-suite

wep key

Use wep key to set a WEP key.

Use undo wep key to delete the configured WEP key.

Syntax

wep key key-id { wep40 | wep104 | wep128 } { pass-phrase | raw-key } { cipher | simple } string

undo wep key key-id

Default

No WEP key is set.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

key-id: Sets the key ID in the range of 1 to 4.

wep40: Sets the WEP40 key.

wep104: Sets the WEP104 key.

wep128: Sets the WEP128 key.

pass-phrase: Sets a WEP key, a character string.

raw-key: Sets a WEP key, a hexadecimal number.

cipher: Sets a key in encrypted form.

simple: Sets a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies a key string. This argument is case sensitive. The cipher key length is in the range of 37 to 73 characters. The plaintext key length varies by key type:

·     wep40 pass-phrase—Its plaintext form is 5 characters.

·     wep104 pass-phrase—Its plaintext form is 13 characters.

·     wep128 pass-phrase—Its plaintext form is 16 characters.

·     wep40 raw-key—Its plaintext form is 10 hexadecimal digits.

·     wep104 raw-key—Its plaintext form is 26 hexadecimal digits.

·     wep128 raw-key—Its plaintext form is 32 hexadecimal digits.

Usage guidelines

Set a WEP key only when the WLAN service template is disabled and the cipher suite WEP is configured. You can set a maximum of four WEP keys.

Examples

# Configure the cipher suite WEP40 and configure plain text 12345 as WEP key 1.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] cipher-suite wep40

[Sysname-wlan-st-security] wep key 1 wep40 pass-phrase simple 12345

Related commands

cipher-suite

wep key-id

wep key-id

Use wep key-id to apply a WEP key.

Use undo wep key-id to restore the default.

Syntax

wep key-id { 1 | 2 | 3 | 4 }

undo wep key-id

Default

Key 1 is applied.

Views

WLAN service template view

Predefined user roles

network-admin

Parameters

1: Specifies the WEP key whose ID is 1.

2: Specifies the WEP key whose ID is 2.

3: Specifies the WEP key whose ID is 3.

4: Specifies the WEP key whose ID is 4.

Usage guidelines

Apply a WEP key only when the WLAN service template is disabled.

In the 802.11i mechanism, key 1 is the negotiated key. To apply a WEP key, specify a WEP key whose ID is not 1.

You can only apply an existing WEP key.

Examples

# Configure the cipher suite WEP40, configure plain text 12345 as WEP key 1, and apply WEP key 1.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] cipher-suite wep40

[Sysname-wlan-st-security] wep key 1 wep40 pass-phrase simple 12345

[Sysname-wlan-st-security] wep key-id 1

Related commands

wep key

wep mode dynamic

Use the wep mode dynamic command to enable the dynamic WEP mechanism.

Use the undo wep mode dynamic command to disable the dynamic WEP mechanism.

Syntax

wep mode dynamic

undo wep mode dynamic

Default

The dynamic WEP mechanism is disabled.

Views

WLAN service template view

Predefined user roles

network-admin

Usage guidelines

Enable the dynamic WEP mechanism only when the WLAN service template is disabled.

The dynamic WEP mechanism requires 802.1X authentication for user access authentication.

Do not apply WEP key 4 if the dynamic WEP mechanism is enabled.

Examples

# Enable the dynamic WEP mechanism.

<Sysname> system-view

[Sysname] wlan service-template security

[Sysname-wlan-st-security] wep mode dynamic

Related commands

cipher-suite

client-security authentication-mode (See User Access and Authentication Command Reference)

wep key

wep key-id

wlan password-failure-limit enable

Use wlan password-failure-limit enable to enable password failure limit.

Use undo wlan password-failure-limit enable to disable password failure limit.

Syntax

wlan password-failure-limit enable [ detection-period detection-period ] [ failure-threshold failure-threshold ]

undo wlan password-failure-limit enable

Default

Password failure limit is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

detection-period detection-period: Specifies the detection period in the range of 5 to 600 seconds. The default value is 100.

failure-threshold failure-threshold: Specifies the failure threshold in the range of 1 to 100. The default value is 20.

Usage guidelines

This feature enables the system to add a client to the dynamic blacklist if the number of the client's password failures reaches the failure threshold within the specified detection period. For more information about the dynamic blacklist, see WLAN Configuration Guide.

When you configure this feature, follow these restrictions and guidelines:

·     This feature takes effect only when the AKM mode is PSK or private PSK.

·     This feature takes effect only on clients coming online after the feature is enabled.

·     The system restarts failure calculation if the STAMGR process restarts.

·     This feature does not take effect on APs coming online from a subordinate AC in an IRF fabric.

Examples

# Enable password failure limit, set the detection period to 300 seconds, and set the failure threshold to 50.

<Sysname> system-view

[Sysname] wlan password-failure-limit enable detection-period 300 failure-threshold 50