08-WLAN Security Command Reference

H3C Access Controllers Command References (R5426P02)-6W104
05-WAPI commands

WAPI commands

The following compatibility matrices show the support of hardware platforms for WAPI:

Hardware series             Model                                               WAPI compatibility
WX2500H series              WX2508H-PWR-LTE, WX2510H, WX2540H, WX2560H          Yes
WX3000H series              WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L   Yes
WX3500H series              WX3508H, WX3510H, WX3520H, WX3540H                  Yes
WX5500E series              WX5510E, WX5540E                                    Yes
WX5500H series              WX5540H, WX5560H, WX5580H                           Yes
Access controller modules   LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0,               Yes
                            LSUM1WCMX20RT, LSUM1WCMX40RT

Hardware series             Model                                               WAPI compatibility
WX1800H series              WX1804H, WX1810H, WX1820H, WX1840H                  No
WX3800H series              WX3820H, WX3840H                                    No
WX5800H series              WX5860H                                             No

display wapi statistics

Use display wapi statistics to display WLAN Authentication and Privacy Infrastructure (WAPI) statistics.

Syntax

display wapi statistics [ ap ap-name [ radio radio-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The AP name can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command displays WAPI statistics for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays WAPI statistics for all radios of the specified AP.

Examples

# Display WAPI statistics for all APs.

<Sysname> display wapi statistics

 AP name: AP1      Radio ID: 2      SSID: wapi

   BSSID: 487a-da52-d4f0

   Signature errors: 0

   HMAC errors: 0

   Authentication failures: 0

   Discarded packets: 0

   Overtime errors: 27

   Format errors: 0

   Certificate verification failures: 3

   Unicast negotiation failures: 0

   Multicast negotiation failures: 0

   Received WAI packets: 18

      Authentication access requests: 8

      Certificate authentication responses: 2

      Unicast key negotiation responses: 2

      Multicast key responses: 6

      Correct packets: 18

      Wrong packets: 0

   Sent WAI packets: 28

      Authentication activation packets: 8

      Certificate authentication requests: 8

      Authentication access responses: 2

      Unicast key negotiation requests: 2

      Unicast key negotiation confirmation packets: 2

      Multicast key announcements: 6

Table 1 Command output

Field                                             Description
AP name                                           Name of the AP to which the client is associated.
Radio ID                                          ID of the radio to which the client is associated.
SSID                                              SSID to which the client is associated.
BSSID                                             Basic service set identifier.
Signature errors                                  Number of signature verification failures.
HMAC errors                                       Number of incorrect message authentication codes.
Authentication failures                           Number of WAI authentication failures.
Discarded packets                                 Number of discarded WAI packets.
Overtime errors                                   Number of WAI packet retransmissions.
Format errors                                     Number of WAI packets with format errors.
Certificate verification failures                 Number of certificate authentication failures.
Unicast negotiation failures                      Number of USK negotiation failures.
Multicast negotiation failures                    Number of MSK negotiation failures.
Received WAI packets                              Number of WAI packets received by the radio.
   Authentication access requests                 Number of access authentication requests received by the radio.
   Certificate authentication responses           Number of certificate authentication responses received by the radio.
   Unicast key negotiation responses              Number of USK negotiation responses received by the radio.
   Multicast key responses                        Number of MSK responses received by the radio.
   Correct packets                                Number of correct WAI packets received by the radio.
   Wrong packets                                  Number of WAI packets with errors received by the radio.
Sent WAI packets                                  Number of WAI packets sent by the radio.
   Authentication activation packets              Number of authentication activation messages sent by the radio.
   Certificate authentication requests            Number of certificate authentication requests sent by the radio.
   Authentication access responses                Number of access authentication responses sent by the radio.
   Unicast key negotiation requests               Number of USK negotiation requests sent by the radio.
   Unicast key negotiation confirmation packets   Number of USK negotiation acknowledgments sent by the radio.
   Multicast key announcements                    Number of MSK advertisements sent by the radio.
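The counters above are the ones worth watching from the controller: signature, HMAC and certificate failures point at tampered or mis-issued WAI traffic, and retransmissions against sent packets show a handshake that is not completing. The following parser and check are an added example for this page, not H3C code; the sample text is a constructed copy of the output shown above, and the 0.5 retransmission ratio is an assumed threshold.

```python
import re
from typing import Dict, List
# Constructed copy of the `display wapi statistics` output shown on this page.
SAMPLE = """\
 AP name: AP1      Radio ID: 2      SSID: wapi
   BSSID: 487a-da52-d4f0
   Signature errors: 0
   HMAC errors: 0
   Authentication failures: 0
   Discarded packets: 0
   Overtime errors: 27
   Format errors: 0
   Certificate verification failures: 3
   Unicast negotiation failures: 0
   Multicast negotiation failures: 0
   Received WAI packets: 18
      Authentication access requests: 8
      Certificate authentication responses: 2
      Unicast key negotiation responses: 2
      Multicast key responses: 6
      Correct packets: 18
      Wrong packets: 0
   Sent WAI packets: 28
      Authentication activation packets: 8
      Certificate authentication requests: 8
      Authentication access responses: 2
      Unicast key negotiation requests: 2
      Unicast key negotiation confirmation packets: 2
      Multicast key announcements: 6
"""
# One header line per radio, then indented "<name>: <count>" lines.
HEADER_RE = re.compile(r"^\s*AP name:\s*(\S+)\s+Radio ID:\s*(\d+)\s+SSID:\s*(\S+)")
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\d+)\s*$")
# Counters that point at integrity or authentication trouble when non-zero.
ERROR_COUNTERS = (
    "Signature errors", "HMAC errors", "Authentication failures", "Format errors",
    "Certificate verification failures", "Unicast negotiation failures",
    "Multicast negotiation failures", "Wrong packets",
)

def parse_statistics(text: str) -> List[Dict]:
    """Return one record per radio block: header fields plus integer counters."""
    records: List[Dict] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"ap": m.group(1), "radio": int(m.group(2)),
                            "ssid": m.group(3), "counters": {}})
            continue
        m = COUNTER_RE.match(line)
        if m and records:
            records[-1]["counters"][m.group(1).strip()] = int(m.group(2))
    return records

def findings(record: Dict, overtime_ratio: float = 0.5) -> List[str]:
    """Non-zero error counters, plus retransmissions above a share of sent WAI
    packets (the 0.5 threshold is an assumption, not from the reference)."""
    c = record["counters"]
    out = [f"{name}={c[name]}" for name in ERROR_COUNTERS if c.get(name, 0) > 0]
    sent = c.get("Sent WAI packets", 0)
    if sent and c.get("Overtime errors", 0) / sent > overtime_ratio:
        out.append(f"Overtime errors={c['Overtime errors']} vs Sent WAI packets={sent}")
    return out
```

Run against the page's sample, the check reports the three certificate verification failures and the 27 retransmissions out of 28 sent packets, while the zero-valued counters stay silent.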

 

Related commands

reset wapi statistics

display wapi user

Use display wapi user to display information about WAPI users.

Syntax

display wapi user [ ap ap-name [ radio radio-id ] | user-mac mac-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The AP name can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model.

user-mac mac-address: Specifies a WAPI user by its MAC address in the format of H-H-H.

Usage guidelines

If you do not specify any options, the command displays information about all WAPI users.

Examples

# Display information about all WAPI users.

<Sysname> display wapi user

Total number of users: 1

 

AP name                                   : ap1

Radio ID                                  : 2

SSID                                      : wapi

BSSID                                     : 487a-da52-d4f0

MAC address                               : 54dc-1d2d-fb20

VLAN                                      : 1

Authentication method                     : PSK

Current state                             : Online

    Authentication state                  : Idle

    Unicast key negotiation state         : Established

    Multicast key negotiation state       : Established

    Authorization state                   : Success

    Accounting state                      : Success

Uptime                                    : 01:18:26

Table 2 Command output

Field                             Description
AP name                           Name of the AP to which the client is associated.
Radio ID                          ID of the radio to which the client is associated.
SSID                              SSID to which the client is associated.
BSSID                             Basic service set identifier.
MAC address                       MAC address of the client.
VLAN                              ID of the VLAN to which the client belongs.
Authentication method             Authentication mode:
                                  ·     PSK—PSK authentication.
                                  ·     Certificate—Certificate authentication.
Current state                     Current state of the client:
                                  ·     Init—Initializing.
                                  ·     Auth—Authenticated.
                                  ·     USK—The client is in a USK negotiation process.
                                  ·     MSK—The client is in an MSK advertisement process.
                                  ·     Author—Authorized.
                                  ·     Online—Online.
                                  ·     Deactive—Offline.
Authentication state              Certificate authentication state:
                                  ·     Idle—Initializing.
                                  ·     Request—Access authentication request in progress.
                                  ·     Response—Certificate authentication response in progress.
                                  ·     Authenticated—Certificate authentication completed.
Unicast key negotiation state     USK negotiation state:
                                  ·     Idle—Initializing.
                                  ·     Negotiating—USK negotiation request in progress.
                                  ·     Established—USK negotiation completed.
Multicast key negotiation state   MSK negotiation state:
                                  ·     Idle—Initializing.
                                  ·     Negotiating—MSK advertisement in progress.
                                  ·     Established—MSK negotiation completed.
Authorization state               Authorization state:
                                  ·     Idle—Initializing.
                                  ·     Waiting—Waiting.
                                  ·     Success—Succeeded.
                                  ·     Fail—Failed.
                                  ·     Timeout—Timed out.
Accounting state                  Accounting state:
                                  ·     Idle—Initializing.
                                  ·     Waiting—Waiting.
                                  ·     Success—Succeeded.
                                  ·     Fail—Failed.
                                  ·     Timeout—Timed out.
Uptime                            Online duration of the client, in the hh:mm:ss format.

 

reset wapi statistics

Use reset wapi statistics to clear WAPI statistics.

Syntax

reset wapi statistics [ ap ap-name [ radio radio-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The AP name can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command clears WAPI statistics for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command clears WAPI statistics for all radios of the specified AP.

Examples

# Clear WAPI statistics for all APs.

<Sysname> reset wapi statistics

Related commands

display wapi statistics

wapi authentication-method

Use wapi authentication-method to specify an authentication mode for WAPI.

Use undo wapi authentication-method to restore the default.

Syntax

wapi authentication-method { certificate | certificate-or-psk | psk }

undo wapi authentication-method

Default

WAPI uses the certificate authentication mode.

Views

Service template view

Predefined user roles

network-admin

Parameters

certificate: Specifies the certificate authentication mode.

certificate-or-psk: Specifies the certificate or PSK authentication mode.

psk: Specifies the PSK authentication mode.

Examples

# Configure WAPI to use the certificate authentication mode.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi authentication-method certificate

# Configure WAPI to use the certificate or PSK authentication mode.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi authentication-method certificate-or-psk

# Configure WAPI to use the PSK authentication mode.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi authentication-method psk

Related commands

wapi psk

wapi authentication-server ip

Use wapi authentication-server ip to specify an AS by its IP address.

Use undo wapi authentication-server ip to restore the default.

Syntax

wapi authentication-server ip ip-address

undo wapi authentication-server ip

Default

No AS is specified.

Views

Service template view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the AS.

Usage guidelines

You can specify only one AS for a service template. If you execute this command multiple times for a service template, the most recent configuration takes effect.

Examples

# Specify AS 10.10.1.1 for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi authentication-server ip 10.10.1.1

wapi bk lifetime

Use wapi bk lifetime to set the BK lifetime.

Use undo wapi bk lifetime to restore the default.

Syntax

wapi bk lifetime time

undo wapi bk lifetime

Default

The BK lifetime is 43200 seconds.

Views

Service template view

Predefined user roles

network-admin

Parameters

time: Specifies the BK lifetime in the range of 180 to 604800 seconds.

Usage guidelines

WAPI updates the BK after the BK expires. WAPI can update the BK only when you enable BK update.

When both BK update and USK update are enabled, WAPI updates the USK every time the BK is updated, regardless of whether the USK has expired or not. The BK lifetime timer is reset after the USK is updated.

Examples

# Set the BK lifetime to 1000 seconds.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi bk lifetime 1000

Related commands

wapi bk-rekey enable

wapi usk lifetime

wapi usk-rekey enable

wapi bk-rekey enable

Use wapi bk-rekey enable to enable BK update.

Use undo wapi bk-rekey enable to disable BK update.

Syntax

wapi bk-rekey enable

undo wapi bk-rekey enable

Default

BK update is enabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

WAPI updates the BK after the BK expires. WAPI can update the BK only when you enable BK update.

Examples

# Enable BK update.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi bk-rekey enable

Related commands

wapi bk lifetime

wapi certificate domain

Use wapi certificate domain to specify a PKI domain and a certificate.

Use undo wapi certificate domain to restore the default.

Syntax

wapi certificate domain domain-name serial serial-number

undo wapi certificate domain

Default

No PKI domain or certificate is specified.

Views

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The argument cannot contain the special characters listed in Table 3.

Table 3 Special characters

Character name        Symbol
Tilde                 ~
Dot                   .
Asterisk              *
Left angle bracket    <
Backslash             \
Right angle bracket   >
Vertical bar          |
Quotation marks       "
Colon                 :
Apostrophe            '


serial serial-number: Specifies a certificate by its serial number, a case-sensitive string of 1 to 127 characters.

Usage guidelines

You can specify only one PKI domain and one certificate for a service template. If you execute this command multiple times for a service template, the most recent configuration takes effect.

Examples

# Specify PKI domain abc and certificate def for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi certificate domain abc serial def

wapi domain

Use wapi domain to specify an ISP domain to charge WAPI users.

Use undo wapi domain to restore the default.

Syntax

wapi domain domain-name

undo wapi domain

Default

No ISP domain is specified, and the system does not charge WAPI users.

Views

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

·     The name does not contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name is not d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.
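The reserved-name list above is every prefix of default and of if-unknown, which is why a name such as defa or if-unk is rejected while defaults or if-unknownx is not. The validator below is an added example for this page, not H3C code: it applies this command's ISP domain-name rules and, for comparison, the PKI domain-name rules of wapi certificate domain (Table 3). Comparing the reserved names case-insensitively follows from the names being case-insensitive and is an assumption about the device's behaviour.

```python
from typing import Optional

# Characters the reference forbids in a `wapi domain` ISP domain name.
ISP_FORBIDDEN = frozenset('/\\|":*?<>@')
# Reserved ISP domain names: every prefix of "default" and of "if-unknown"
# (d, de, def, ..., default, i, if, if-, ..., if-unknown), as listed on this page.
ISP_RESERVED = frozenset(
    {"default"[:i] for i in range(1, len("default") + 1)}
    | {"if-unknown"[:i] for i in range(1, len("if-unknown") + 1)}
)
# Characters Table 3 forbids in a `wapi certificate domain` PKI domain name.
PKI_FORBIDDEN = frozenset('~.*<>\\|":\'')


def _forbidden(name: str, charset: frozenset) -> str:
    """Sorted, space-separated list of characters from `charset` present in `name`."""
    return " ".join(sorted(ch for ch in set(name) if ch in charset))


def check_isp_domain(name: str) -> Optional[str]:
    """Return None if `name` is acceptable for `wapi domain`, else the reason."""
    if not 1 <= len(name) <= 255:
        return "length must be 1 to 255 characters"
    bad = _forbidden(name, ISP_FORBIDDEN)
    if bad:
        return "forbidden characters: " + bad
    # Names are case-insensitive, so the reserved check ignores case (assumption).
    if name.lower() in ISP_RESERVED:
        return f"'{name}' is a reserved name"
    return None


def check_pki_domain(name: str) -> Optional[str]:
    """Return None if `name` is acceptable for `wapi certificate domain`, else the reason."""
    if not 1 <= len(name) <= 31:
        return "length must be 1 to 31 characters"
    bad = _forbidden(name, PKI_FORBIDDEN)
    if bad:
        return "forbidden characters: " + bad
    return None
```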

Usage guidelines

Make sure the ISP domain specified in this command has been created using the domain command. For more information about the domain command, see AAA commands in User Access and Authentication Command Reference.

In the current software version, the authentication and authorization methods for an ISP domain do not take effect on WAPI users.

Examples

# Specify ISP domain abc for WAPI users.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi domain abc

wapi enable

Use wapi enable to enable WAPI.

Use undo wapi enable to disable WAPI.

Syntax

wapi enable

undo wapi enable

Default

WAPI is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

Before enabling WAPI for a service template, disable the service template.

Examples

# Enable WAPI for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi enable

wapi msk-rekey client-offline enable

Use wapi msk-rekey client-offline enable to configure WAPI to update the MSK every time a client goes offline.

Use undo wapi msk-rekey client-offline enable to disable this feature.

Syntax

wapi msk-rekey client-offline enable

undo wapi msk-rekey client-offline enable

Default

WAPI does not update the MSK when a client goes offline.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only when you enable MSK update.

Examples

# Configure WAPI to update the MSK every time a client goes offline.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi msk-rekey enable

[Sysname-wlan-st-service1] wapi msk-rekey client-offline enable

Related commands

wapi msk-rekey enable

wapi msk-rekey method

wapi msk-rekey enable

Use wapi msk-rekey enable to enable MSK update.

Use undo wapi msk-rekey enable to disable MSK update.

Syntax

wapi msk-rekey enable

undo wapi msk-rekey enable

Default

MSK update is enabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

WAPI updates the MSK after the MSK expires. WAPI can update the MSK only when you enable MSK update.

Examples

# Enable MSK update.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi msk-rekey enable

Related commands

wapi msk-rekey client-offline enable

wapi msk-rekey method

wapi msk-rekey method

Use wapi msk-rekey method to configure the MSK update mode.

Use undo wapi msk-rekey method to restore the default.

Syntax

wapi msk-rekey method { packet-based [ packet ] | time-based [ interval ] }

undo wapi msk-rekey method

Default

WAPI uses the time-based MSK update mode.

Views

Service template view

Predefined user roles

network-admin

Parameters

packet-based: Specifies the packet-based MSK update mode.

packet: Specifies the number of packets that triggers an MSK update. The value range for this argument is 5000 to 4294967295, and the default value is 10000. The system increments the counter for this argument by one for every 1000 packets.

time-based: Specifies the time-based MSK update mode.

interval: Specifies the MSK update interval in the range of 180 to 604800 seconds. The default value for this argument is 86400.

Usage guidelines

Make sure MSK update has been enabled before executing this command.

Packet-based MSK update and time-based MSK update are mutually exclusive. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure WAPI to update the MSK for every 20000000 packets.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi msk-rekey enable

[Sysname-wlan-st-service1] wapi msk-rekey method packet-based 20000

Related commands

wapi msk-rekey client-offline enable

wapi msk-rekey enable

wapi psk

Use wapi psk to specify a PSK.

Use undo wapi psk to restore the default.

Syntax

wapi psk { cipher | simple } { hex | string } key

undo wapi psk

Default

No PSK is specified.

Views

Service template view

Predefined user roles

network-admin

Parameters

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

hex: Specifies a hexadecimal key string.

string: Specifies a character key string.

key: Specifies the key. If you specify a character key string, the plaintext form is a case-sensitive string of 1 to 16 characters and the encrypted form is a case-sensitive string of 1 to 53 characters. If you specify a hexadecimal key string, the plaintext form is a case-insensitive string of 2 to 32 characters and the encrypted form is a case-sensitive string of 2 to 88 characters.

Usage guidelines

As a best practice, specify a key in the form of a character string that contains 8 or more digits in plain text.

Examples

# Specify character string 123456 in plaintext form as the PSK.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi psk simple string 123456

# Specify character string 123456 in encrypted form as the PSK.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi psk cipher string 123456

# Specify hexadecimal string 123456 in plaintext form as the PSK.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi psk simple hex 123456

# Specify hexadecimal string 123456 in encrypted form as the PSK.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi psk cipher hex 123456

Related commands

wapi authentication-method

wapi usk lifetime

Use wapi usk lifetime to set the USK lifetime.

Use undo wapi usk lifetime to restore the default.

Syntax

wapi usk lifetime time

undo wapi usk lifetime

Default

The USK lifetime is 86400 seconds.

Views

Service template view

Predefined user roles

network-admin

Parameters

time: Specifies the USK lifetime in the range of 180 to 604800 seconds.

Usage guidelines

WAPI updates the USK after the USK expires. WAPI can update the USK only when you enable USK update.

When both BK update and USK update are enabled, WAPI updates the USK every time the BK is updated, regardless of whether the USK has expired or not.

Examples

# Set the USK lifetime to 1000 seconds.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi usk lifetime 1000

Related commands

wapi usk-rekey enable

wapi usk-rekey enable

Use wapi usk-rekey enable to enable USK update.

Use undo wapi usk-rekey enable to disable USK update.

Syntax

wapi usk-rekey enable

undo wapi usk-rekey enable

Default

USK update is enabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

WAPI updates the USK after the USK expires. WAPI can update the USK only when you enable USK update.

Examples

# Enable USK update.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] wapi usk-rekey enable

Related commands

wapi usk lifetime