Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 01-WLAN security commands | 118.79 KB |
Contents
display wlan private-psk cloud-password
display wlan private-psk cloud-password mac-binding
gtk-rekey client-offline enable
private-psk fail-permit enable
snmp-agent trap enable wlan usersec
wlan password-failure-limit enable
WLAN security commands
akm mode
Use akm mode to set an authentication and key management (AKM) mode.
Use undo akm mode to restore the default.
Syntax
akm mode { dot1x | private-psk | psk | anonymous-dot1x }
undo akm mode
Default
No AKM mode is set.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
dot1x: Specifies 802.1X as the AKM mode.
private-psk: Specifies private PSK as the AKM mode.
psk: Specifies PSK as the AKM mode.
anonymous-dot1x: Specifies WiFi alliance anonymous 802.1X as the AKM mode.
Usage guidelines
You must set the AKM mode for 802.11i (RSNA) networks.
Each WLAN service template supports only one AKM mode. Set the AKM mode only when the WLAN service template is disabled.
Set the WiFi alliance anonymous 802.1X AKM mode if the OSEN IE is used.
Each of the following AKM modes must be used with a specific authentication mode:
· 802.1X AKM—802.1X authentication mode.
· Private PSK AKM—MAC authentication mode.
· PSK AKM—MAC or bypass authentication mode.
· WiFi alliance anonymous 802.1X AKM—802.1X authentication mode.
For more information about the authentication mode, see User Access and Authentication Configuration Guide.
Examples
# Set the PSK AKM mode.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] akm mode psk
cipher-suite
security-ie
cipher-suite
Use cipher-suite to specify the cipher suite used for frame encryption.
Use undo cipher-suite to remove the cipher suite configuration.
Syntax
cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }
undo cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }
Default
No cipher suite is specified.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
ccmp: Specifies the AES-CCMP cipher suite.
tkip: Specifies the TKIP cipher suite.
wep40: Specifies the WEP40 cipher suite.
wep104: Specifies the WEP104 cipher suite.
wep128: Specifies the WEP128 cipher suite.
Usage guidelines
You must set the cipher suite for 802.11i networks. Set a cipher suite only when the WLAN service template is disabled.
Set the TKIP or CCMP cipher suite when you configure the RSN IE or WPA IE.
The WEP cipher suite includes three types, WEP40, WEP104, and WEP128. Each WLAN service template supports only one type of WEP cipher suite. After you set a type of WEP cipher suite, you must create and apply a key of the same type.
When WEP128 is configured, you cannot set the CCMP or TKIP cipher suite.
Examples
# Set the TKIP cipher suite for frame encryption.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] cipher-suite tkip
security-ie
wep key
wep key-id
display wlan private-psk cloud-password
Use display wlan private-psk cloud-password to display private pre-shared key (PPSK) password information.
Syntax
display wlan private-psk cloud-password [ password-id ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
password-id: Specifies a password ID. If you do not specify this argument, the command displays information about all PPSK passwords.
verbose: Displays detailed information. If you do not specify this keyword, the command displays brief information about PPSK passwords.
Examples
# Display brief information about all PPSK passwords.
<Sysname> display wlan private-psk cloud-password
Total number: 2
PWD ID Username Max clients Used Update time Aging time(Min)
1111 zhangsan@3521buyd.. 2 1 2018/11/26 10:52 10080
1112 lisi 2 1 2018/11/26 10:59 10080
Table 1 Command output
|
Field |
Description |
|
Total number |
Total number of PPSK passwords. |
|
PWD ID |
Password ID. |
|
Max clients |
Maximum number of clients that can use this password. |
|
Used |
Number of clients that have used this password for authentication. |
|
Update time |
UTC time at which the password information was updated. |
|
Aging time(Min) |
Password aging time in minutes. A value of 0 indicates that the password never expires. |
# Display detailed information about a specific password.
<Sysname> display wlan private-psk cloud-password 1111 verbose
Site ID : 23
Password ID : 1111
Update time : 2018/11/26 10:52
Expiration time : 2018/12/03 10:52
Aging time(min) : 10080
Username : zhangsan@3521buydfgsygf
Max clients : 2
Used : 1
CAR:
Average inbound : 102400 bps
Average outbound : 102400 bps
Password : jfkeiksdfdnfksnfekdssdfelsmdfei4f5ds4
Table 2 Command output
|
Field |
Description |
|
Update time |
UTC time at which the password information was updated. |
|
Expiration time |
UTC time at which the password will expire. |
|
Aging time (min) |
Password aging time in minutes. A value of 0 indicates that the password never expires. |
|
Max clients |
Maximum number of clients that can use this password. |
|
Used |
Number of clients that have used this password for authentication. |
|
CAR |
CAR of clients that come online by using this password. |
|
Average inbound |
Average downlink rate in bps. |
|
Average outbound |
Average uplink rate in bps. |
display wlan private-psk cloud-password mac-binding
Use display wlan private-psk cloud-password mac-binding to display MAC-password bindings.
Syntax
display wlan private-psk cloud-password mac-binding [ password-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
password-id: Specifies a password ID. If you do not specify this argument, the command displays all MAC-password bindings.
Examples
# Display all MAC-password bindings.
<Sysname> display wlan private-psk cloud-password mac-binding
Total: 2
PWD ID MAC address Binding time Expiration time
1111 D34A-A35C-28A3(+) 2018/11/26 11:22 2018/12/03 11:00
2222 A54E-368D-A433(*) 2018/11/26 11:30 2018/12/02 11:00
# Display the MAC-password binding of a specific password.
<Sysname> display wlan private-psk cloud-password mac-binding 1111
Total Number: 1
PWD ID MAC address Binding time Expiration time
1111 D34A-A35C-28A3(+) 2018/11/26 11:22 2018/12/03 11:00
Table 3 Command output
|
Field |
Description |
|
Total |
Total number of bound MC addresses. |
|
PwdID |
Password ID |
|
MAC address |
Bound MAC address. An asterisk (*) indicates a MAC address bound at password creation. A plus sign (+) indicates a MAC address bound at client association. |
|
Binding time |
UTC time at which the MAC address was bound to the password. |
|
Expiration time |
UTC time at which the binding will expire. |
gtk-rekey client-offline enable
Use gtk-rekey client-offline enable to enable offline-triggered GTK update.
Use undo gtk-rekey client-offline to restore the default.
Syntax
gtk-rekey client-offline enable
undo gtk-rekey client-offline enable
Default
Offline-triggered GTK update is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Usage guidelines
Enable offline-triggered GTK update only when GTK update is enabled.
Examples
# Enable offline-triggered GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey client-offline enable
gtk-rekey enable
gtk-rekey enable
Use gtk-rekey enable to enable GTK update.
Use undo gtk-rekey enable to disable GTK update.
Syntax
gtk-rekey enable
undo gtk-rekey enable
Default
GTK update is enabled.
Views
WLAN service template view
Predefined user roles
network-admin
Examples
# Enable GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey enable
gtk-rekey method
Use gtk-rekey method to set a GTK update method.
Use undo gtk-rekey method to restore the default.
Syntax
gtk-rekey method { packet-based [ packet ] | time-based [ time ] }
undo gtk-rekey method
Default
The GTK is updated at an interval of 86400 seconds.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
packet-based packet: Specifies the number of packets (including multicasts and broadcasts) that are transmitted before the GTK is updated. The value range for the packet argument is 5000 to 4294967295 and the default is 10000000.
time-based time: Specifies the interval at which the GTK is updated. The value range for the time argument is 180 to 604800 seconds and the default is 86400 seconds.
Usage guidelines
Set the GTK update method only when GTK update is enabled.
The most recent configuration overwrites the previous one. For example, if you set the packet-based method and then set the time-based method, the time-based method takes effect.
If you set the GTK update method after the service template is enabled, the change takes effect when the following conditions exist:
· If you change the GTK update interval, the new interval takes effect when the old timer times out.
· If you change the packet number threshold, the new threshold takes effect immediately.
· If you change the GTK update method to packet-based, the new method takes effect when the timer is deleted and the packet number threshold is reached.
· If you change the GTK update method to time-based, the configuration takes effect immediately.
Examples
# Enable time-based GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey method time-based 3600
# Enable packet-based GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey method packet-based 600000
gtk-rekey enable
key-derivation
Use key-derivation to set the key derivation function (KDF).
Use undo key-derivation to restore the default.
Syntax
key-derivation { sha1 | sha1-and-sha256 | sha256 }
undo key-derivation
Default
The KDF is the HMAC-SHA1 algorithm.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
sha1: Specifies the HMAC-SHA1 algorithm as the KDF.
sha256: Specifies the HMAC-SHA256 algorithm as the KDF.
sha1-and-sha256: Specifies the HMAC-SHA1 algorithm and the HMAC-SHA256 algorithm as the KDFs.
Usage guidelines
KDFs take effect only for a network that uses the 802.11i mechanism.
The HMAC-SHA256 algorithm is recommended if mandatory management frame protection is enabled.
Make sure the service template is disabled before you execute this command.
Examples
# Configure the HMAC-SHA256 algorithm as the KDF.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] key-derivation sha256
Related commands
akm mode
cipher-suite
security-ie
pmf
Use pmf to enable management frame protection.
Use undo pmf to restore the default.
Syntax
pmf { mandatory | optional }
undo pmf
Default
Management frame protection is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
mandatory: Specifies the mandatory mode. Only clients that support management frame protection can access the WLAN.
optional: Specifies the optional mode. All clients can access the WLAN.
Usage guidelines
Management frame protection takes effect only for a network that uses the 802.11i mechanism and is configured with the CCMP cipher suite and RSN security information element.
Examples
# Enable management frame protection in optional mode.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf optional
Related commands
cipher-suite
security-ie
pmf association-comeback
Use pmf association-comeback to set the association comeback time.
Use undo pmf association-comeback to restore the default.
Syntax
pmf association-comeback time
undo pmf association-comeback
Default
The association comeback time is 1 second.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
time: Specifies the association comeback time in the range of 1 to 20 seconds.
Usage guidelines
If an AP rejects the current association or reassociation request from a client, it returns an association/reassociation response that carries the association comeback time. The AP starts to receive the association or reassociation request from the client when the association comeback time times out.
Examples
# Set the association comeback time to 2 seconds.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf association-comeback 2
pmf saquery retrycount
Use pmf saquery retrycount to maximum retransmission attempts for SA query requests.
Use undo pmf saquery retrycount to restore the default.
Syntax
pmf saquery retrycount count
undo pmf saquery retrycount
Default
The maximum retransmission attempt number is 4 for SA query requests.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
count: Specifies the maximum retransmission attempts for SA query requests, in the range of 1 to 16.
Usage guidelines
If an AP does not receive an acknowledgment for the SA query request after retransmission attempts reach the maximum number, the AP determines that the client is offline.
Examples
# Set the number of maximum retransmission attempt to 3 for SA query requests.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf saquery retrycount 3
Related commands
pmf
pmf saquery retrycount
pmf saquery retrytimeout
Use pmf saquery retrytimeout to set the interval for sending SA query requests.
Use undo pmf saquery retrytimeout to restore the default.
Syntax
pmf saquery retrytimeout timeout
undo pmf saquery retrytimeout
Default
The interval for sending SA query requests is 200 milliseconds.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
timeout: Specifies the interval for an AP to send SA query requests, in the range of 100 to 500 milliseconds.
Examples
# Set the interval for sending SA query requests to 300 milliseconds.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf saquery retrytimeout 300
Related commands
pmf
pmf saquery retrytimeout
preshared-key
Use preshared-key to set the PSK.
Use undo preshared-key to restore the default.
Syntax
preshared-key { pass-phrase | raw-key } { cipher | simple } string
undo preshared-key
Default
No PSK is set.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
pass-phrase: Sets a PSK, a character string.
raw-key: Sets a PSK, a hexadecimal number.
cipher: Sets a key in encrypted form.
simple: Sets a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies a key string. This argument is case sensitive. Key length varies by key type:
· pass-phrase—Its plaintext form is 8 to 63 characters. Its encrypted form is 8 to 117 characters.
· raw-key—Its plaintext form is 64 hexadecimal digits. Its encrypted form is 8 to 117 characters.
Usage guidelines
Set the PSK only when the WLAN service template is disabled and the AKM mode is PSK. If you set the PSK when the AKM mode is 802.1X, the WLAN service template can be enabled but the PSK configuration does not take effect.
You can set only one PSK for a WLAN service template.
Examples
# Configure simple character string 12345678 as the PSK.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] akm mode psk
[Sysname-wlan-st-security] preshared-key pass-phrase simple 12345678
Related commands
akm mode
private-psk cloud enable
Use private-psk cloud enable to enable Oasis PPSK authentication.
Use undo private-psk cloud enable to disable Oasis PPSK authentication.
Syntax
private-psk cloud enable
undo private-psk cloud enable
Default
Oasis PPSK authentication is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This feature enables clients to use PPSKs configured on the Oasis platform for WLAN access.
With this feature enabled, clients must first pass bypass or MAC authentication, and then enter the PPSK password to access a WLAN. The device will generate binding entries between client MAC addresses and PPSK passwords at client association.
Make sure the service template has been disabled before you configure this feature.
Examples
# Enable Oasis PPSK authentication.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] private-psk cloud enable
Related commands
akm mode
client-security authentication-mode
private-psk fail-permit enable
Use private-psk fail-permit enable to enable PPSK fail-permit.
Use undo private-psk fail-permit enable to disable PPSK fail-permit.
Syntax
private-psk fail-permit enable
undo private-psk fail-permit enable
Default
PPSK fail-permit is enabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
With Oasis PPSK authentication enabled, clients and devices must connect to the Oasis platform for authentication. PPSK fail-permit allows clients to bypass the Oasis platform and access the WLAN when the Oasis platform is unavailable.
If the Oasis platform becomes unavailable, PPSK fail-permit provides the following functions:
· Allows online clients to stay online until the MAC-password binding entries expire. When the MAC-password binding entries expire, the device logs all online clients.
· Allows clients whose MAC-password binding entries have not expired to re-access the WLAN.
· Allows clients that have a correct PPSK password but have never come online to access the WLAN.
Make sure the service template has been disabled before you configure this feature.
Examples
# Enable PPSK fail-permit.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] private-psk fail-permit enable
Related commands
private-psk cloud enable
ptk-lifetime
Use ptk-lifetime to set the PTK lifetime.
Use undo ptk-lifetime to restore the default.
Syntax
ptk-lifetime time
undo ptk-lifetime
Default
The PTK lifetime is 43200 seconds.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
time: Specifies the lifetime of the PSK, in the range of 180 to 604800 seconds.
Usage guidelines
If you configure the PTK lifetime when the service template is enabled, the configuration takes effect after the old timer times out.
Examples
# Set the PTK lifetime to 200 seconds.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] ptk-lifetime 200
ptk-rekey enable
Use ptk-rekey enable to enable PTK update.
Use undo ptk-rekey enable to disable PTK update.
Syntax
ptk-rekey enable
undo ptk-rekey enable
Default
PTK update is enabled.
Views
WLAN service template view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to update the PTK after the PTK lifetime expires.
Examples
# Enable PTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] ptk-rekey enable
Related commands
ptk-lifetime
security-ie
Use security-ie to enable the OSEN IE, RSN IE, or WPA IE in beacon and probe responses.
Use undo security-ie to disable the OSEN IE, RSN IE, or WPA IE in beacon and probe responses.
Syntax
security-ie { osen | rsn | wpa }
undo security-ie { osen | rsn | wpa }
Default
OSEN IE, RSN IE, and WPA IE are disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
osen: Enables the OSEN IE in the beacon and probe response frames sent by the AP. The OSEN IE advertises the OSEN capabilities of the AP.
rsn: Enables the RSN IE in the beacon and probe response frames sent by the AP. The RSN IE advertises the RSN capabilities of the AP.
wpa: Enables the WPA IE in the beacon and probe response frames sent by the AP. The WPA IE advertises the WPA capabilities of the AP.
Usage guidelines
You must set the security IE for 802.11i networks. Set a security IE only when the WLAN service template is disabled and the CCMP or TKIP cipher suite is configured.
Set the WiFi alliance anonymous 802.1X AKM mode if the OSEN IE is used.
Examples
# Enable the RSN IE in beacon and probe responses.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] security-ie rsn
akm mode
cipher-suite
snmp-agent trap enable wlan usersec
Use snmp-agent trap enable wlan usersec to enable SNMP notifications for WLAN security.
Use undo snmp-agent trap enable wlan usersec to disable SNMP notifications for WLAN security.
Syntax
snmp-agent trap enable wlan usersec
undo snmp-agent trap enable wlan usersec
Default
SNMP notifications are disabled for WLAN security.
Views
System view
Predefined user roles
network-admin
Usage guidelines
To report critical WLAN security events to an NMS, enable SNMP notifications for WLAN security. For WLAN security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Examples
# Enable SNMP notifications for WLAN security.
<Sysname> system-view
[Sysname] snmp-agent trap enable wlan usersec
tkip-cm-time
Use tkip-cm-time to set the TKIP MIC failure hold time.
Use undo tkip-cm-time to restore the default.
Syntax
tkip-cm-time time
undo tkip-cm-time
Default
The TKIP MIC failure hold time is 0 seconds. The AP does not take any countermeasures.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
time: Sets the TKIP MIC failure hold time in the range of 0 to 3600 seconds.
Usage guidelines
Set the TKIP MIC failure hold time only when the TKIP cipher suite is configured.
If you configure the MIC failure hold time when the service template is enabled, the configuration takes effect after the old timer times out.
If the AP detects two MIC failures within the MIC failure hold time, it disassociates all clients for 60 seconds.
Examples
# Set the TKIP MIC failure hold time to 180 seconds.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] tkip-cm-time 180
cipher-suite
wep key
Use wep key to set a WEP key.
Use undo wep key to delete the configured WEP key.
Syntax
wep key key-id { wep40 | wep104 | wep128 } { pass-phrase | raw-key } { cipher | simple } string
undo wep key key-id
Default
No WEP key is set.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
key-id: Sets the key ID in the range of 1 to 4.
wep40: Sets the WEP40 key.
wep104: Sets the WEP104 key.
wep128: Sets the WEP128 key.
pass-phrase: Sets a WEP key, a character string.
raw-key: Sets a WEP key, a hexadecimal number.
cipher: Sets a key in encrypted form.
simple: Sets a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
key: Specifies a key string. This argument is case sensitive. The cipher key length is in the range of 37 to 73 characters. The plaintext key length varies by key type:
· wep40 pass-phrase—Its plaintext form is 5 characters.
· wep104 pass-phrase—Its plaintext form is 13 characters.
· wep128 pass-phrase—Its plaintext form is 16 characters.
· wep40 raw-key—Its plaintext form is 10 hexadecimal digits.
· wep104 raw-key—Its plaintext form is 26 hexadecimal digits.
· wep128 raw-key—Its plaintext form is 32 hexadecimal digits.
Usage guidelines
Set a WEP key only when the WLAN service template is disabled and the cipher suite WEP is configured. You can set a maximum of four WEP keys.
Examples
# Configure the cipher suite WEP40 and configure plain text 12345 as WEP key 1.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] cipher-suite wep40
[Sysname-wlan-st-security] wep key 1 wep40 pass-phrase simple 12345
Related commands
cipher-suite
wep key-id
wep key-id
Use wep key-id to apply a WEP key.
Use undo wep key-id to restore the default.
Syntax
wep key-id { 1 | 2 | 3 | 4 }
undo wep key-id
Default
Key 1 is applied.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
1: Specifies the WEP key whose ID is 1.
2: Specifies the WEP key whose ID is 2.
3: Specifies the WEP key whose ID is 3.
4: Specifies the WEP key whose ID is 4.
Usage guidelines
Apply a WEP key only when the WLAN service template is disabled.
In the 802.11i mechanism, key 1 is the negotiated key. To apply a WEP key, specify a WEP key whose ID is not 1.
You can only apply an existing WEP key.
Examples
# Configure the cipher suite WEP40, configure plain text 12345 as WEP key 1, and apply WEP key 1.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] cipher-suite wep40
[Sysname-wlan-st-security] wep key 1 wep40 pass-phrase simple 12345
[Sysname-wlan-st-security] wep key-id 1
Related commands
wep key
wep mode dynamic
Use the wep mode dynamic command to enable the dynamic WEP mechanism.
Use the undo wep mode dynamic command to disable the dynamic WEP mechanism.
Syntax
wep mode dynamic
undo wep mode dynamic
Default
The dynamic WEP mechanism is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Usage guidelines
Enable the dynamic WEP mechanism only when the WLAN service template is disabled.
The dynamic WEP mechanism requires 802.1X authentication for user access authentication.
Do not apply WEP key 4 if the dynamic WEP mechanism is enabled.
Examples
# Enable the dynamic WEP mechanism.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] wep mode dynamic
Related commands
cipher-suite
client-security authentication-mode (See User Access and Authentication Command Reference)
wep key
wlan password-failure-limit enable
Use wlan password-failure-limit enable to enable password failure limit.
Use undo wlan password-failure-limit enable to disable password failure limit.
Syntax
wlan password-failure-limit enable [ detection-period detection-period ] [ failure-threshold failure-threshold ]
undo wlan password-failure-limit enable
Default
Password failure limit is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
detection-period detection-period: Specifies the detection period in the range of 5 to 600 seconds. The default value is 100.
failure-threshold failure-threshold: Specifies the failure threshold in the range of 1 to 100. The default value is 20.
Usage guidelines
This feature enables the system to add a client to the dynamic blacklist if the number of the client's password failures reach the failure threshold within the specified detection period. For more information about the dynamic blacklist, see WLAN Configuration Guide.
When you configure this feature, follow these restrictions and guidelines:
· This feature takes effect only when the AKM mode is PSK or private PSK.
· This feature takes effect only on clients coming online after the feature is enabled.
· The system restarts failure calculation if the STAMGR process restarts.
· This feature does not take effect on APs coming online from a subordinate AC in an IRF fabric.
Examples
# Enable password failure limit, set the detection period to 300 seconds, and set the failure threshold to 50.
<Sysname> system-view
[Sysname] wlan password-failure-limit enable detection-period 300 failure-threshold 50
