07-WLAN Security Command Reference

H3C Access Points Cloud Mode Command References(E2442 R2442)-6W100
02-WIPS commands

Contents

WIPS commands

access-scan

ap-channel-change

ap-classification rule

ap-flood

ap-impersonation

apply ap-classification rule

apply classification policy

apply countermeasure policy

apply detect policy

apply signature policy

apply signature rule

ap-rate-limit

ap-spoofing

ap-timer

association-table-overflow

authentication

block mac-address

classification policy

client-association fast-learn enable

client-online

client-rate-limit

client-spoofing

client-timer

countermeasure adhoc

countermeasure attack all

countermeasure attack deauth-broadcast

countermeasure attack disassoc-broadcast

countermeasure attack honeypot-ap

countermeasure attack hotspot-attack

countermeasure attack ht-40-mhz-intolerance

countermeasure attack malformed-packet

countermeasure attack man-in-the-middle

countermeasure attack omerta

countermeasure attack power-save

countermeasure attack soft-ap

countermeasure attack unencrypted-trust-client

countermeasure attack weak-iv

countermeasure attack windows-bridge

countermeasure enhance

countermeasure external-ap

countermeasure mac-address

countermeasure misassociation-client

countermeasure misconfigured-ap

countermeasure packet-sending-interval

countermeasure policy

countermeasure potential-authorized-ap

countermeasure potential-external-ap

countermeasure potential-rogue-ap

countermeasure rogue-ap

countermeasure unauthorized-client

countermeasure uncategorized-ap

countermeasure uncategorized-client

deauthentication-broadcast

deauth-spoofing

detect dissociate-client enable

detect policy

detect signature

disassociation-broadcast

discovered-ap

display wips sensor

display wips statistics

display wips virtual-security-domain countermeasure record

display wips virtual-security-domain device

display wlan nat-detect

export oui

flood association-request

flood authentication

flood beacon

flood block-ack

flood cts

flood deauthentication

flood disassociation

flood eap-failure

flood eapol-logoff

flood eapol-start

flood eap-success

flood null-data

flood probe-request

flood reassociation-request

flood rts

frame-type

honeypot-ap

hotspot-attack

hotspot ssid

ht-40mhz-intolerance

ht-greenfield

ignorelist

import hotspot

import oui

invalid-oui-classify illegal

mac-address

malformed duplicated-ie

malformed fata-jack

malformed illegal-ibss-ess

malformed invalid-address-combination

malformed invalid-assoc-req

malformed invalid-auth

malformed invalid-deauth-code

malformed invalid-disassoc-code

malformed invalid-ht-ie

malformed invalid-ie-length

malformed invalid-pkt-length

malformed large-duration

malformed null-probe-resp

malformed overflow-eapol-key

malformed overflow-ssid

malformed redundant-ie

man-in-the-middle

manual-classify mac-address

match all (AP classification rule view)

match all (signature view)

omerta

oui

pattern

permit-channel

power-save

prohibited-channel

random-mac-scan

report-interval

reset wips embedded-oui

reset wips statistics

reset wips virtual-security-domain

reset wips virtual-security-domain countermeasure record

reset wlan nat-detect

rssi

rssi-change-threshold

rssi-threshold

security

select sensor all

seq-number

signature policy

signature rule

soft-ap

ssid (AP classification rule view)

ssid (signature view)

ssid-length

trust mac-address

trust oui

trust ssid

unencrypted-authorized-ap

unencrypted-trust-client

up-duration

virtual-security-domain

weak-iv

windows-bridge

wips (radio view)

wips (system view)

wips virtual-security-domain

wireless-bridge

wlan nat-detect


WIPS commands

access-scan

Use access-scan enable to configure APs to perform WIPS scanning while providing access services.

Use undo access-scan enable to disable APs from performing WIPS scanning while providing access services.

Syntax

access-scan enable

undo access-scan enable

Default

APs do not perform WIPS scanning while they are providing access services.

Views

WIPS view

Predefined user roles

network-admin

Usage guidelines

This command enhances the WIPS detection and protection capabilities but decreases the access service capability.

Examples

# Configure APs to perform WIPS scanning while providing access services.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] access-scan enable

ap-channel-change

Use ap-channel-change to configure channel change detection.

Use undo ap-channel-change to disable channel change detection.

Syntax

ap-channel-change [ quiet quiet-value ]

undo ap-channel-change

Default

Channel change detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a channel change. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a channel change within the quiet time.

Examples

# Configure channel change detection.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-channel-change quiet 5

ap-classification rule

Use ap-classification rule to create an AP classification rule and enter its view, or enter the view of an existing AP classification rule.

Use undo ap-classification rule to remove an AP classification rule.

Syntax

ap-classification rule rule-id

undo ap-classification rule rule-id

Default

No AP classification rules exist.

Views

WIPS view

Predefined user roles

network-admin

Parameters

rule-id: Specifies an AP classification rule ID in the range of 1 to 65535.

Examples

# Create AP classification rule 1 and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

ap-flood

Use ap-flood to configure AP flood attack detection.

Use undo ap-flood to disable AP flood attack detection.

Syntax

ap-flood [ apnum apnum-value | exceed exceed-value | quiet quiet-value ] *

undo ap-flood

Default

AP flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

apnum apnum-value: Specifies the AP number threshold in the range of 10 to 200. The default AP number threshold is 80.

exceed exceed-value: Specifies the maximum number of excessive APs allowed. The value range for the exceed-value argument is 10 to 200 and the default value is 80. If the number of APs exceeds the sum of the AP number threshold and the maximum number of excessive APs allowed, WIPS triggers an AP flood attack alarm.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an AP flood attack within the quiet time.

Examples

# Enable AP flood attack detection, and set the apnum-value, exceed-value, and quiet-value arguments to 50, 50, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-flood apnum 50 exceed 50 quiet 100
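
The following Python model is an added illustration of the alarm rule described under Parameters; it is not H3C code. It shows that the alarm fires only above apnum + exceed (160 with the defaults) and how the quiet time suppresses repeat alarms. The sample AP counts are constructed, and the model assumes the quiet time starts when the alarm is raised and ends exactly quiet-value seconds later.

```python
# Added illustration: a model of the documented ap-flood alarm rule, not H3C code.
from dataclasses import dataclass


@dataclass
class ApFloodPolicy:
    apnum: int = 80    # documented default AP number threshold
    exceed: int = 80   # documented default maximum number of excessive APs
    quiet: int = 600   # documented default quiet time, in seconds

    def __post_init__(self):
        # Value ranges as documented for the ap-flood command.
        if not 10 <= self.apnum <= 200:
            raise ValueError("apnum must be in the range 10..200")
        if not 10 <= self.exceed <= 200:
            raise ValueError("exceed must be in the range 10..200")
        if not 5 <= self.quiet <= 604800:
            raise ValueError("quiet must be in the range 5..604800 seconds")

    @property
    def trigger_above(self) -> int:
        # The alarm is raised only when the AP count exceeds apnum + exceed.
        return self.apnum + self.exceed


def alarms(policy, samples):
    """Return (raised, suppressed) for time-ordered (seconds, ap_count) samples.

    raised is a list of (time, ap_count) at which an alarm is triggered;
    suppressed counts detections that fell inside a quiet time.
    Assumption: the quiet time runs from the alarm to alarm + quiet (exclusive).
    """
    raised, suppressed = [], 0
    quiet_until = None
    for t, count in samples:
        if count <= policy.trigger_above:
            continue                      # not an AP flood under this policy
        if quiet_until is not None and t < quiet_until:
            suppressed += 1               # detected, but no alarm in quiet time
            continue
        raised.append((t, count))
        quiet_until = t + policy.quiet
    return raised, suppressed


# Constructed sample: number of APs seen by WIPS, one reading every 60 seconds.
SAMPLES = [(0, 90), (60, 100), (120, 101), (180, 130),
           (240, 140), (300, 95), (360, 150)]

if __name__ == "__main__":
    # Policy from the example above: ap-flood apnum 50 exceed 50 quiet 100
    tuned = ApFloodPolicy(apnum=50, exceed=50, quiet=100)
    print(tuned.trigger_above, alarms(tuned, SAMPLES))
    # Default policy: the same traffic never exceeds 80 + 80 = 160 APs.
    print(ApFloodPolicy().trigger_above, alarms(ApFloodPolicy(), SAMPLES))
```
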

ap-impersonation

Use ap-impersonation to configure AP impersonation attack detection.

Use undo ap-impersonation to disable AP impersonation attack detection.

Syntax

ap-impersonation [ quiet quiet-value ]

undo ap-impersonation

Default

AP impersonation attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP impersonation attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an AP impersonation attack within the quiet time.

Examples

# Enable AP impersonation attack detection, and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-impersonation quiet 360

apply ap-classification rule

Use apply ap-classification rule to bind an AP classification rule to a classification policy.

Use undo apply ap-classification rule to cancel the configuration.

Syntax

apply ap-classification rule rule-id { authorized-ap | { { external-ap | misconfigured-ap | rogue-ap } [ severity-level level ] } }

undo apply ap-classification rule rule-id

Default

No AP classification rule is bound to a classification policy.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies an AP classification rule by its ID in the range of 1 to 65535.

authorized-ap: Specifies APs that match the AP classification rule as authorized APs.

external-ap: Specifies APs that match the AP classification rule as external APs.

misconfigured-ap: Specifies APs that match the AP classification rule as misconfigured APs.

rogue-ap: Specifies APs that match the AP classification rule as rogue APs.

level: Specifies a severity level for the AP that matches the AP classification rule, in the range of 1 to 100. The default severity level is 50.

Examples

# Bind AP classification rule 1 to classification policy home, specify APs that match AP classification rule 1 as rogue APs, and set the severity level to 80.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] apply ap-classification rule 1 rogue-ap severity-level 80

Related commands

ap-classification rule

apply classification policy

Use apply classification policy to apply a classification policy to a virtual security domain (VSD).

Use undo apply classification policy to remove a classification policy from a VSD.

Syntax

apply classification policy policy-name

undo apply classification policy policy-name

Default

No classification policy is applied to a VSD.

Views

VSD view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a classification policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Apply classification policy policy1 to VSD home.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] virtual-security-domain home

[Sysname-wips-vsd-home] apply classification policy policy1

apply countermeasure policy

Use apply countermeasure policy to apply a countermeasure policy to a VSD.

Use undo apply countermeasure policy to remove a countermeasure policy from a VSD.

Syntax

apply countermeasure policy policy-name

undo apply countermeasure policy policy-name

Default

No countermeasure policy is applied to a VSD.

Views

VSD view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a countermeasure policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Apply countermeasure policy policy2 to VSD home.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] virtual-security-domain home

[Sysname-wips-vsd-home] apply countermeasure policy policy2

apply detect policy

Use apply detect policy to apply an attack detection policy to a VSD.

Use undo apply detect policy to remove an attack detection policy from a VSD.

Syntax

apply detect policy policy-name

undo apply detect policy policy-name

Default

No attack detection policy is applied to a VSD.

Views

VSD view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack detection policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Apply attack detection policy policy2 to VSD home.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] virtual-security-domain home

[Sysname-wips-vsd-home] apply detect policy policy2

apply signature policy

Use apply signature policy to apply a signature policy to a VSD.

Use undo apply signature policy to remove a signature policy from a VSD.

Syntax

apply signature policy policy-name

undo apply signature policy policy-name

Default

No signature policy is applied to a VSD.

Views

VSD view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a signature policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Apply signature policy policy1 to VSD home.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] virtual-security-domain home

[Sysname-wips-vsd-home] apply signature policy policy1

apply signature rule

Use apply signature rule to bind a signature to a signature policy.

Use undo apply signature rule to unbind a signature from a signature policy.

Syntax

apply signature rule rule-id

undo apply signature rule rule-id

Default

No signature is bound to a signature policy.

Views

Signature policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a signature by its ID in the range of 1 to 128.

Examples

# Bind signature 1 to signature policy office.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature policy office

[Sysname-wips-sig-office] apply signature rule 1

ap-rate-limit

Use ap-rate-limit to rate limit AP entry learning.

Use undo ap-rate-limit to restore the default.

Syntax

ap-rate-limit [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo ap-rate-limit

Default

The statistics collection interval for learned AP entries is 60 seconds, the quiet time is 1200 seconds, and the AP entry threshold is 512.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for learned AP entries, in the range of 1 to 3600 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP entry attack. The value range for the quiet-value argument is 1200 to 3600 seconds. WIPS stops learning new entries and does not trigger an alarm even if it detects an AP entry attack within the quiet time.

threshold threshold-value: Specifies the number of AP entries that triggers an AP entry attack alarm. The value range for the threshold-value argument is 1 to 4096.

Examples

# Rate limit AP entry learning, and set the interval-value, quiet-value, and threshold-value arguments to 60, 1600, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-rate-limit interval 60 quiet 1600 threshold 100

Related commands

ap-timer

ap-spoofing

Use ap-spoofing to enable AP spoofing attack detection.

Use undo ap-spoofing to disable AP spoofing attack detection.

Syntax

ap-spoofing [ quiet quiet-value ]

undo ap-spoofing

Default

AP spoofing attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an AP spoofing attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an AP spoofing attack within the quiet time.

Examples

# Enable AP spoofing attack detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-spoofing quiet 360

ap-timer

Use ap-timer to set an AP entry timer.

Use undo ap-timer to restore the default.

Syntax

ap-timer inactive inactive-value aging aging-value

undo ap-timer

Default

The inactive time is 300 seconds, and the aging time is 600 seconds.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

inactive inactive-value: Specifies the inactive time in the range of 1 to 1200 seconds.

aging aging-value: Specifies the aging time for an AP entry, in the range of 1 to 86400 seconds.

Usage guidelines

When an AP does not receive or send frames within the specified inactive time, WIPS sets the AP to inactive state. When an AP does not receive or send frames within the specified aging time, WIPS deletes the entry.

The aging time must be equal to or greater than the inactive time. As a best practice, use the default inactive time and aging time.

The timing of AP entry state changes might be imprecise. The margin of error depends on the interval at which sensors report information about detected devices.

Examples

# Set the inactive time to 120 seconds and the aging time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ap-timer inactive 120 aging 360

Related commands

ap-rate-limit

report-interval

association-table-overflow

Use association-table-overflow to configure association/reassociation DoS attack detection.

Use undo association-table-overflow to disable association/reassociation DoS attack detection.

Syntax

association-table-overflow [ quiet quiet-value ]

undo association-table-overflow

Default

Association/reassociation DoS attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an association/reassociation DoS attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an association/reassociation DoS attack within the quiet time.

Examples

# Enable association/reassociation DoS attack detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] association-table-overflow quiet 100

authentication

Use authentication to configure an AP classification rule to match APs by authentication mode.

Use undo authentication to restore the default.

Syntax

authentication { equal | include } { 802.1x | none | other | psk }

undo authentication

Default

An AP classification rule does not match APs by authentication mode.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

equal: Matches authentication modes equal to the specified authentication mode.

include: Matches authentication modes that include the specified authentication mode.

802.1x: Specifies the 802.1X authentication mode.

none: Specifies no authentication.

other: Specifies an authentication mode other than 802.1X and PSK.

psk: Specifies the PSK authentication mode.

Examples

# Configure AP classification rule 1 to match APs that use the PSK authentication mode.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] authentication equal psk

block mac-address

Use block mac-address to add the MAC address of an AP or client to the static prohibited device list.

Use undo block mac-address to remove one or all MAC addresses from the static prohibited device list.

Syntax

block mac-address mac-address

undo block mac-address { mac-address | all }

Default

No MAC address is added to the static prohibited device list.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

mac-address: Specifies an AP or client by its MAC address, in the H-H-H format.

all: Specifies all MAC addresses.

Examples

# Add MAC address 78AC-C0AF-944F to the static prohibited device list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] block mac-address 78AC-C0AF-944F

classification policy

Use classification policy to create a classification policy and enter its view, or enter the view of an existing classification policy.

Use undo classification policy to remove a classification policy.

Syntax

classification policy policy-name

undo classification policy policy-name

Default

No classification policies exist.

Views

WIPS view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a classification policy name, a case-sensitive string of 1 to 63 characters.

Examples

# Create classification policy home and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home]

client-association fast-learn enable

Use client-association fast-learn enable to enable fast learning of client association entries.

Use undo client-association fast-learn enable to disable fast learning of client association entries.

Syntax

client-association fast-learn enable

undo client-association fast-learn enable

Default

Fast learning of client association entries is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Usage guidelines

Client association entries are entries saved on the AC after a client associates with an AP.

If this feature is not enabled, the sensor can learn the client association entries only after a client is associated with an AP successfully. After this feature is enabled, the sensor can learn the client association entries during the association process.

If the sensor learned the client association entries during the association process, the sensor will update the entries every time it detects an association request or response between the AP and the client.

This feature improves the association efficiency but reduces the association accuracy. As a best practice, enable this feature only when fast attack detection and countermeasures are required in the network.

Examples

# Enable fast learning of client association entries.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy 1

[Sysname-wips-dtc-1] client-association fast-learn enable

client-online

Use client-online to configure an AP classification rule to match APs by number of associated clients.

Use undo client-online to restore the default.

Syntax

client-online value1 [ to value2 ]

undo client-online

Default

An AP classification rule does not match APs by number of associated clients.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

value1 to value2: Specifies a value range for the number of associated clients for APs. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 128 for both the value1 and value2 arguments, and value2 must be greater than value1.

Examples

# Configure AP classification rule 1 to match APs with 20 to 40 associated clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] client-online 20 to 40

client-rate-limit

Use client-rate-limit to rate limit client entry learning.

Use undo client-rate-limit to restore the default.

Syntax

client-rate-limit [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo client-rate-limit

Default

The statistics collection interval for learned client entries is 60 seconds, the quiet time is 1200 seconds, and the client entry threshold is 1024.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for learned client entries, in the range of 1 to 3600 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a client entry attack. The value range for the quiet-value argument is 1200 to 3600 seconds. WIPS stops learning new entries and does not trigger an alarm even if it detects a client entry attack within the quiet time.

threshold threshold-value: Specifies the number of client entries that triggers a client entry attack alarm. The value range for the threshold-value argument is 1 to 4096.

Examples

# Rate limit client entry learning, and set the interval-value, quiet-value, and threshold-value arguments to 80, 1600, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] client-rate-limit interval 80 threshold 100 quiet 1600

Related commands

client-timer

client-spoofing

Use client-spoofing to enable client spoofing attack detection.

Use undo client-spoofing to disable client spoofing attack detection.

Syntax

client-spoofing [ quiet quiet-value ]

undo client-spoofing

Default

Client spoofing attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a client spoofing attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a client spoofing attack within the quiet time.

Examples

# Enable client spoofing attack detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] client-spoofing quiet 360

client-timer

Use client-timer to set a client entry timer.

Use undo client-timer to restore the default.

Syntax

client-timer inactive inactive-value aging aging-value

undo client-timer

Default

The inactive time is 300 seconds, and the aging time is 600 seconds.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

inactive inactive-value: Specifies the inactive time in the range of 1 to 1200 seconds.

aging aging-value: Specifies the aging time for a client entry, in the range of 1 to 86400 seconds.

Usage guidelines

When a client does not receive or send frames within the specified inactive time, WIPS sets the client to inactive state. When a client does not receive or send frames within the specified aging time, WIPS deletes the entry.

The aging time must be equal to or greater than the inactive time. As a best practice, use the default inactive time and aging time.

The timing of client entry state changes might be imprecise. The margin of error depends on the interval at which sensors report information about detected devices.

Examples

# Set the inactive time to 120 seconds, and set the aging time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] client-timer inactive 120 aging 360

Related commands

client-rate-limit

report-interval
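
The following Python linter is an added example, not H3C code. It checks attack detection policy lines against the value ranges documented above, including the narrower quiet range of ap-rate-limit and client-rate-limit (1200 to 3600 seconds) and the rule for ap-timer and client-timer that the aging time must not be less than the inactive time. The prompt-stripping pattern and the sample configuration are constructed for illustration.

```python
# Added example: offline range check for the detect-policy commands documented
# on this page. Not H3C code; the sample configuration is constructed.
import re

QUIET_STD = (5, 604800)     # quiet range of the attack detection commands
QUIET_RATE = (1200, 3600)   # quiet range of ap-rate-limit / client-rate-limit
RATE_LIMIT = {"interval": (1, 3600), "quiet": QUIET_RATE, "threshold": (1, 4096)}
TIMER = {"inactive": (1, 1200), "aging": (1, 86400)}

# command -> {keyword: (min, max)}, copied from the Parameters sections above
SPEC = {
    "ap-channel-change": {"quiet": QUIET_STD},
    "ap-flood": {"apnum": (10, 200), "exceed": (10, 200), "quiet": QUIET_STD},
    "ap-impersonation": {"quiet": QUIET_STD},
    "ap-spoofing": {"quiet": QUIET_STD},
    "association-table-overflow": {"quiet": QUIET_STD},
    "client-spoofing": {"quiet": QUIET_STD},
    "ap-rate-limit": RATE_LIMIT,
    "client-rate-limit": RATE_LIMIT,
    "ap-timer": TIMER,
    "client-timer": TIMER,
}
TIMERS = {"ap-timer", "client-timer"}

# Strips a leading CLI prompt such as "<Sysname>" or "[Sysname-wips-dtc-home]".
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")


def lint(config):
    """Return a list of (line_number, message) findings for a config text."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        tokens = PROMPT.sub("", raw).split()
        if not tokens or tokens[0] not in SPEC:
            continue  # blank lines, "#" comments, undo forms, other commands
        cmd, args = tokens[0], tokens[1:]
        ranges, values = SPEC[cmd], {}
        if len(args) % 2:
            findings.append((lineno, f"{cmd}: keyword without a value"))
            continue
        for key, val in zip(args[::2], args[1::2]):
            if key not in ranges:
                findings.append((lineno, f"{cmd}: unknown keyword {key}"))
            elif not (val.isascii() and val.isdigit()):
                findings.append((lineno, f"{cmd}: {key} {val} is not an integer"))
            else:
                lo, hi = ranges[key]
                values[key] = int(val)
                if not lo <= values[key] <= hi:
                    findings.append(
                        (lineno, f"{cmd}: {key} {val} outside {lo}..{hi}"))
        if cmd in TIMERS:
            # The timer syntax has no optional parts: both values are required.
            if set(values) != {"inactive", "aging"}:
                findings.append(
                    (lineno, f"{cmd}: inactive and aging are both required"))
            elif values["aging"] < values["inactive"]:
                findings.append(
                    (lineno, f"{cmd}: aging {values['aging']} is less than "
                             f"inactive {values['inactive']}"))
    return findings


# Constructed sample: three of these lines violate the documented constraints.
SAMPLE = """\
[Sysname-wips] detect policy home
[Sysname-wips-dtc-home] ap-flood apnum 50 exceed 50 quiet 100
[Sysname-wips-dtc-home] ap-rate-limit interval 60 quiet 600 threshold 100
[Sysname-wips-dtc-home] ap-timer inactive 400 aging 360
[Sysname-wips-dtc-home] client-timer inactive 120 aging 360
[Sysname-wips-dtc-home] client-spoofing quiet 3
"""

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```
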

countermeasure adhoc

Use countermeasure adhoc to enable WIPS to take countermeasures against Ad hoc devices.

Use undo countermeasure adhoc to restore the default.

Syntax

countermeasure adhoc

undo countermeasure adhoc

Default

WIPS does not take countermeasures against Ad hoc devices.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against Ad hoc devices.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure adhoc

countermeasure attack all

Use countermeasure attack all to enable WIPS to take countermeasures against all attackers.

Use undo countermeasure attack all to restore the default.

Syntax

countermeasure attack all

undo countermeasure attack all

Default

WIPS does not take countermeasures against all attackers.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against all attackers.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack all

countermeasure attack deauth-broadcast

Use countermeasure attack deauth-broadcast to enable WIPS to take countermeasures against devices that launch broadcast deauthentication attacks.

Use undo countermeasure attack deauth-broadcast to restore the default.

Syntax

countermeasure attack deauth-broadcast

undo countermeasure attack deauth-broadcast

Default

WIPS does not take countermeasures against devices that launch broadcast deauthentication attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch broadcast deauthentication attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack deauth-broadcast

countermeasure attack disassoc-broadcast

Use countermeasure attack disassoc-broadcast to enable WIPS to take countermeasures against devices that launch broadcast disassociation attacks.

Use undo countermeasure attack disassoc-broadcast to restore the default.

Syntax

countermeasure attack disassoc-broadcast

undo countermeasure attack disassoc-broadcast

Default

WIPS does not take countermeasures against devices that launch broadcast disassociation attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch broadcast disassociation attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack disassoc-broadcast

countermeasure attack honeypot-ap

Use countermeasure attack honeypot-ap to enable WIPS to take countermeasures against honeypot APs.

Use undo countermeasure attack honeypot-ap to restore the default.

Syntax

countermeasure attack honeypot-ap

undo countermeasure attack honeypot-ap

Default

WIPS does not take countermeasures against honeypot APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against honeypot APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack honeypot-ap

countermeasure attack hotspot-attack

Use countermeasure attack hotspot-attack to enable WIPS to take countermeasures against devices that launch hotspot attacks.

Use undo countermeasure attack hotspot-attack to restore the default.

Syntax

countermeasure attack hotspot-attack

undo countermeasure attack hotspot-attack

Default

WIPS does not take countermeasures against devices that launch hotspot attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch hotspot attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack hotspot-attack

countermeasure attack ht-40-mhz-intolerance

Use countermeasure attack ht-40-mhz-intolerance to enable WIPS to take countermeasures against devices with the 40 MHz bandwidth mode disabled.

Use undo countermeasure attack ht-40-mhz-intolerance to restore the default.

Syntax

countermeasure attack ht-40-mhz-intolerance

undo countermeasure attack ht-40-mhz-intolerance

Default

WIPS does not take countermeasures against devices with the 40 MHz bandwidth mode disabled.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices with the 40 MHz bandwidth mode disabled.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack ht-40-mhz-intolerance

countermeasure attack malformed-packet

Use countermeasure attack malformed-packet to enable WIPS to take countermeasures against devices that send malformed packets.

Use undo countermeasure attack malformed-packet to restore the default.

Syntax

countermeasure attack malformed-packet

undo countermeasure attack malformed-packet

Default

WIPS does not take countermeasures against devices that send malformed packets.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that send malformed packets.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack malformed-packet

countermeasure attack man-in-the-middle

Use countermeasure attack man-in-the-middle to enable WIPS to take countermeasures against devices that launch MITM attacks.

Use undo countermeasure attack man-in-the-middle to restore the default.

Syntax

countermeasure attack man-in-the-middle

undo countermeasure attack man-in-the-middle

Default

WIPS does not take countermeasures against devices that launch MITM attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch MITM attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack man-in-the-middle

countermeasure attack omerta

Use countermeasure attack omerta to enable WIPS to take countermeasures against devices that launch Omerta attacks.

Use undo countermeasure attack omerta to restore the default.

Syntax

countermeasure attack omerta

undo countermeasure attack omerta

Default

WIPS does not take countermeasures against devices that launch Omerta attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch Omerta attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack omerta

countermeasure attack power-save

Use countermeasure attack power-save to enable WIPS to take countermeasures against devices that launch power save attacks.

Use undo countermeasure attack power-save to restore the default.

Syntax

countermeasure attack power-save

undo countermeasure attack power-save

Default

WIPS does not take countermeasures against devices that launch power save attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch power save attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack power-save

countermeasure attack soft-ap

Use countermeasure attack soft-ap to enable WIPS to take countermeasures against soft APs.

Use undo countermeasure attack soft-ap to restore the default.

Syntax

countermeasure attack soft-ap

undo countermeasure attack soft-ap

Default

WIPS does not take countermeasures against soft APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against soft APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack soft-ap

countermeasure attack unencrypted-trust-client

Use countermeasure attack unencrypted-trust-client to enable WIPS to take countermeasures against unencrypted authorized clients.

Use undo countermeasure attack unencrypted-trust-client to restore the default.

Syntax

countermeasure attack unencrypted-trust-client

undo countermeasure attack unencrypted-trust-client

Default

WIPS does not take countermeasures against unencrypted authorized clients.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against unencrypted authorized clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack unencrypted-trust-client

countermeasure attack weak-iv

Use countermeasure attack weak-iv to enable WIPS to take countermeasures against devices that use weak IVs.

Use undo countermeasure attack weak-iv to restore the default.

Syntax

countermeasure attack weak-iv

undo countermeasure attack weak-iv

Default

WIPS does not take countermeasures against devices that use weak IVs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that use weak IVs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack weak-iv

countermeasure attack windows-bridge

Use countermeasure attack windows-bridge to enable WIPS to take countermeasures against devices that launch Windows bridge attacks.

Use undo countermeasure attack windows-bridge to restore the default.

Syntax

countermeasure attack windows-bridge

undo countermeasure attack windows-bridge

Default

WIPS does not take countermeasures against devices that launch Windows bridge attacks.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against devices that launch Windows bridge attacks.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure attack windows-bridge

countermeasure enhance

Use countermeasure enhance to enable the enhanced countermeasure mode.

Use undo countermeasure enhance to restore the default.

Syntax

countermeasure enhance

undo countermeasure enhance

Default

The enhanced countermeasure mode is not enabled.

Views

Countermeasure policy view

Predefined user roles

network-admin

Usage guidelines

Configure this command to prevent dual-band clients from roaming between the two radios sharing the same SSID on a rogue AP.

Examples

# Enable the enhanced countermeasure mode.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure enhance

countermeasure external-ap

Use countermeasure external-ap to enable WIPS to take countermeasures against external APs.

Use undo countermeasure external-ap to restore the default.

Syntax

countermeasure external-ap

undo countermeasure external-ap

Default

WIPS does not take countermeasures against external APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against external APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure external-ap

countermeasure mac-address

Use countermeasure mac-address to enable WIPS to take countermeasures against the device with the specified MAC address.

Use undo countermeasure mac-address to remove the configuration.

Syntax

countermeasure mac-address mac-address [ except-authorized-ap ]

undo countermeasure mac-address { mac-address | all }

Default

WIPS does not take countermeasures against detected devices.

Views

Countermeasure policy view

Predefined user roles

network-admin

Parameters

mac-address: Specifies an AP or a client by its MAC address in the H-H-H format.

except-authorized-ap: Configures WIPS to not take countermeasures against wireless clients that have associated with authorized APs.

all: Specifies all APs and clients.

Usage guidelines

You can configure this command multiple times to enable WIPS to take countermeasures against multiple devices.

Examples

# Enable WIPS to take countermeasures against the device with MAC address 2a11-1fa1-141f.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure mac-address 2a11-1fa1-141f

countermeasure misassociation-client

Use countermeasure misassociation-client to enable WIPS to take countermeasures against misassociated clients.

Use undo countermeasure misassociation-client to restore the default.

Syntax

countermeasure misassociation-client

undo countermeasure misassociation-client

Default

WIPS does not take countermeasures against misassociated clients.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against misassociated clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure misassociation-client

countermeasure misconfigured-ap

Use countermeasure misconfigured-ap to enable WIPS to take countermeasures against misconfigured APs.

Use undo countermeasure misconfigured-ap to restore the default.

Syntax

countermeasure misconfigured-ap

undo countermeasure misconfigured-ap

Default

WIPS does not take countermeasures against misconfigured APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against misconfigured APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure misconfigured-ap

countermeasure packet-sending-interval

Use countermeasure packet-sending-interval to specify the interval at which sensors send countermeasure packets.

Use undo countermeasure packet-sending-interval to restore the default.

Syntax

countermeasure packet-sending-interval interval

undo countermeasure packet-sending-interval

Default

The interval at which sensors send countermeasure packets is 30 milliseconds.

Views

Countermeasure policy view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval at which sensors send countermeasure packets. The value range is 1 to 100 milliseconds.

Usage guidelines

Configure this command to enable a sensor to send countermeasure packets in a channel if it has detected rogue devices in the channel. The sensor sends countermeasure packets in the channel only within scanning periods, and you can specify the interval at which sensors send countermeasure packets. For more information about channel scanning, see channel scanning configuration in Radio Resources Management Configuration Guide.

Examples

# Configure sensors to send countermeasure packets every 10 milliseconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure packet-sending-interval 10

countermeasure policy

Use countermeasure policy to create a countermeasure policy and enter its view, or enter the view of an existing countermeasure policy.

Use undo countermeasure policy to remove a countermeasure policy.

Syntax

countermeasure policy policy-name

undo countermeasure policy policy-name

Default

No countermeasure policies exist.

Views

WIPS view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a countermeasure policy by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Create countermeasure policy home and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home]

countermeasure potential-authorized-ap

Use countermeasure potential-authorized-ap to enable WIPS to take countermeasures against potential-authorized APs.

Use undo countermeasure potential-authorized-ap to restore the default.

Syntax

countermeasure potential-authorized-ap

undo countermeasure potential-authorized-ap

Default

WIPS does not take countermeasures against potential-authorized APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against potential-authorized APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure potential-authorized-ap

countermeasure potential-external-ap

Use countermeasure potential-external-ap to enable WIPS to take countermeasures against potential-external APs.

Use undo countermeasure potential-external-ap to restore the default.

Syntax

countermeasure potential-external-ap

undo countermeasure potential-external-ap

Default

WIPS does not take countermeasures against potential-external APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against potential-external APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure potential-external-ap

countermeasure potential-rogue-ap

Use countermeasure potential-rogue-ap to enable WIPS to take countermeasures against potential-rogue APs.

Use undo countermeasure potential-rogue-ap to restore the default.

Syntax

countermeasure potential-rogue-ap

undo countermeasure potential-rogue-ap

Default

WIPS does not take countermeasures against potential-rogue APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against potential-rogue APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure potential-rogue-ap

countermeasure rogue-ap

Use countermeasure rogue-ap to enable WIPS to take countermeasures against rogue APs.

Use undo countermeasure rogue-ap to restore the default.

Syntax

countermeasure rogue-ap

undo countermeasure rogue-ap

Default

WIPS does not take countermeasures against rogue APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against rogue APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure rogue-ap

countermeasure unauthorized-client

Use countermeasure unauthorized-client to enable WIPS to take countermeasures against unauthorized clients.

Use undo countermeasure unauthorized-client to restore the default.

Syntax

countermeasure unauthorized-client

undo countermeasure unauthorized-client

Default

WIPS does not take countermeasures against unauthorized clients.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against unauthorized clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure unauthorized-client

countermeasure uncategorized-ap

Use countermeasure uncategorized-ap to enable WIPS to take countermeasures against uncategorized APs.

Use undo countermeasure uncategorized-ap to restore the default.

Syntax

countermeasure uncategorized-ap

undo countermeasure uncategorized-ap

Default

WIPS does not take countermeasures against uncategorized APs.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against uncategorized APs.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure uncategorized-ap

countermeasure uncategorized-client

Use countermeasure uncategorized-client to enable WIPS to take countermeasures against uncategorized clients.

Use undo countermeasure uncategorized-client to restore the default.

Syntax

countermeasure uncategorized-client

undo countermeasure uncategorized-client

Default

WIPS does not take countermeasures against uncategorized clients.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to take countermeasures against uncategorized clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-cms-home] countermeasure uncategorized-client

deauthentication-broadcast

Use deauthentication-broadcast to configure broadcast deauthentication attack detection.

Use undo deauthentication-broadcast to disable broadcast deauthentication attack detection.

Syntax

deauthentication-broadcast [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo deauthentication-broadcast

Default

Broadcast deauthentication attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for broadcast deauthentication frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a broadcast deauthentication attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a broadcast deauthentication attack within the quiet time.

threshold threshold-value: Specifies the number of broadcast deauthentication frames that triggers a broadcast deauthentication attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable broadcast deauthentication attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100, 360, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] deauthentication-broadcast interval 100 threshold 100 quiet 360

deauth-spoofing

Use deauth-spoofing to configure spoof deauthentication frame detection.

Use undo deauth-spoofing to disable spoof deauthentication frame detection.

Syntax

deauth-spoofing [ quiet quiet ]

undo deauth-spoofing

Default

Spoof deauthentication frame detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet: Specifies the quiet time after WIPS triggers an alarm upon a spoof deauthentication frame. The value range for the quiet argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects spoof deauthentication frames within the quiet time.

Examples

# Enable spoof deauthentication frame detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] deauth-spoofing quiet 100

detect dissociate-client enable

Use detect dissociate-client enable to enable WIPS to detect unassociated clients.

Use undo detect dissociate-client enable to disable WIPS from detecting unassociated clients.

Syntax

detect dissociate-client enable

undo detect dissociate-client enable

Default

WIPS does not detect unassociated clients.

Views

Attack detection policy view

Predefined user roles

network-admin

Examples

# Enable WIPS to detect unassociated clients.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] detect dissociate-client enable

detect policy

Use detect policy to create an attack detection policy and enter its view, or enter the view of an existing attack detection policy.

Use undo detect policy to remove an attack detection policy.

Syntax

detect policy policy-name

undo detect policy policy-name

Default

No attack detection policies exist.

Views

WIPS view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack detection policy name, a case-sensitive string of 1 to 63 characters.

Examples

# Create attack detection policy home and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home]

detect signature

Use detect signature to enable signature-based attack detection.

Use undo detect signature to disable signature-based attack detection.

Syntax

detect signature [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo detect signature

Default

Signature-based attack detection is enabled.

Views

Signature policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for packets that match a signature. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an attack within the quiet time.

threshold threshold-value: Specifies the number of packets matching a signature that triggers a user-attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable WIPS to detect packets that match a signature, and set the interval-value, threshold-value, and quiet-value arguments to 60, 100, and 360, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature policy home

[Sysname-wips-sig-home] detect signature interval 60 threshold 100 quiet 360

disassociation-broadcast

Use disassociation-broadcast to configure broadcast disassociation attack detection.

Use undo disassociation-broadcast to disable broadcast disassociation attack detection.

Syntax

disassociation-broadcast [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo disassociation-broadcast

Default

Broadcast disassociation attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for broadcast disassociation frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a broadcast disassociation attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a broadcast disassociation attack within the quiet time.

threshold threshold-value: Specifies the number of broadcast disassociation frames that triggers a broadcast disassociation attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable broadcast disassociation attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100, 360, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] disassociation-broadcast interval 100 threshold 100 quiet 360
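
The interval, threshold, and quiet arguments of deauthentication-broadcast, detect signature, and disassociation-broadcast interact, so the following added example (not H3C code) models them over constructed frame timestamps to show how many alarms a sustained burst produces. The windowing behaviour, the function names, and the sample traffic are assumptions of this sketch; only the value ranges, defaults, and command keywords come from this reference.

```python
from dataclasses import dataclass

# Value ranges and defaults as listed for interval, quiet and threshold above.
RANGES = {
    "interval": (1, 3600),      # seconds
    "quiet": (5, 604800),       # seconds
    "threshold": (1, 100000),   # frames
}


@dataclass(frozen=True)
class DetectParams:
    interval: int = 60
    quiet: int = 600
    threshold: int = 50

    def __post_init__(self):
        # Reject values the CLI would refuse before they reach a device.
        for name, (low, high) in RANGES.items():
            value = getattr(self, name)
            if not isinstance(value, int) or not low <= value <= high:
                raise ValueError(f"{name}={value!r} is outside {low}-{high}")


def render_command(keyword, params):
    """Build the CLI line in the argument order the reference's examples use."""
    return (f"{keyword} interval {params.interval} "
            f"threshold {params.threshold} quiet {params.quiet}")


def simulate_alarms(frame_times, params):
    """Return the times (seconds) at which an alarm would be raised.

    Modelling assumptions (not stated in the reference):
      * statistics windows are back to back, starting at t=0;
      * the alarm fires when the count in the current window reaches
        the threshold;
      * the quiet time starts at the alarm, and frames seen during it are
        still counted but raise nothing.
    """
    alarms = []
    quiet_until = None
    window = None
    count = 0
    for t in sorted(frame_times):
        index = int(t // params.interval)
        if index != window:          # new statistics window: restart the count
            window, count = index, 0
        count += 1
        if count < params.threshold:
            continue
        if quiet_until is not None and t < quiet_until:
            continue                 # attack still visible, alarm suppressed
        alarms.append(t)
        quiet_until = t + params.quiet
    return alarms


def constructed_burst(rate_hz, duration_s):
    """Constructed sample: evenly spaced frame timestamps, not captured traffic."""
    return [i / rate_hz for i in range(int(rate_hz * duration_s))]


if __name__ == "__main__":
    tuned = DetectParams(interval=100, quiet=360, threshold=100)
    print(render_command("deauthentication-broadcast", tuned))
    print(simulate_alarms(constructed_burst(2, 900), tuned))
```

Under these assumptions a 15-minute burst at 2 frames per second yields three alarms with the example settings, so the quiet time, not the attack duration, determines how often the alarm repeats.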

discovered-ap

Use discovered-ap to configure an AP classification rule to match APs by number of sensors that detect the APs.

Use undo discovered-ap to restore the default.

Syntax

discovered-ap value1 [ to value2 ]

undo discovered-ap

Default

An AP classification rule does not match APs by number of sensors that detect the APs.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

value1 to value2: Specifies a value range for the number of sensors that detect an AP. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 1 to 128 for both the value1 and value2 arguments, and value2 must be greater than value1.

Examples

# Configure AP classification rule 1 to match APs that are detected by 10 to 128 sensors.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] discovered-ap 10 to 128

display wips sensor

Use display wips sensor to display information about all sensors.

Syntax

display wips sensor

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about all sensors.

<Sysname> display wips sensor

Total number of sensors: 1

Sensor ID    Sensor name                VSD name               Radio ID   Status

1            fatap                      aaa                    1          Active

Table 1 Command output

| Field | Description |
|---|---|
| VSD name | Name of the VSD to which the AP belongs. |
| Radio ID | ID of the radio enabled with WIPS. |
| Status | Status of the sensor. Active: the sensor is enabled with WIPS. Inactive: the sensor is not enabled with WIPS. |

display wips statistics

Use display wips statistics to display WLAN attack detection statistics collected from sensors.

Syntax

display wips statistics [ receive | virtual-security-domain vsd-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

receive: Displays attack detection statistics information for all VSDs.

virtual-security-domain vsd-name: Displays attack detection statistics information for the specified VSD.

Examples

# Display attack detection statistics information for all VSDs.

<Sysname> display wips statistics receive

Information from sensor 1

 Information about attack statistics:

   Detected association-request flood messages: 0

   Detected authentication flood messages: 0

   Detected beacon flood messages: 0

   Detected block-ack flood messages: 0

   Detected cts flood messages: 0

   Detected deauthentication flood messages: 0

   Detected disassociation flood messages: 0

   Detected eapol-start flood messages: 0

   Detected null-data flood messages: 0

   Detected probe-request flood messages: 0

   Detected reassociation-request flood messages: 0

   Detected rts flood messages: 0

   Detected eapol-logoff flood messages: 0

   Detected eap-failure flood messages: 0

   Detected eap-success flood messages: 0

   Detected duplicated-ie messages: 0

   Detected fata-jack messages: 0

   Detected illegal-ibss-ess messages: 0

   Detected invalid-address-combination messages: 0

   Detected invalid-assoc-req messages: 0

   Detected invalid-auth messages: 0

   Detected invalid-deauth-code messages: 0

   Detected invalid-disassoc-code messages: 0

   Detected invalid-ht-ie messages: 0

   Detected invalid-ie-length messages: 0

   Detected invalid-pkt-length messages: 0

   Detected large-duration messages: 0

   Detected null-probe-resp messages: 0

   Detected overflow-eapol-key messages: 0

   Detected overflow-ssid messages: 0

   Detected redundant-ie messages: 0

   Detected AP spoof AP messages: 0

   Detected AP spoof client messages: 0

   Detected AP spoof ad-hoc messages: 0

   Detected ad-hoc spoof AP messages: 0

   Detected client spoof AP messages: 0

   Detected weak IV messages: 0

   Detected excess AP messages: 0

   Detected excess client messages: 0

   Detected signature rule messages: 0

   Detected 40MHZ messages: 0

   Detected power save messages: 0

   Detected omerta messages: 0

   Detected windows bridge messages: 0

   Detected soft AP messages: 0

   Detected broadcast disassoc messages: 0

   Detected broadcast deauth messages: 0

   Detected AP impersonate messages: 0

   Detected HT greenfield messages: 0

   Detected association table overflow messages: 0

   Detected wireless bridge messages: 0

   Detected AP flood messages: 0

Table 2 Command output

| Field | Description |
|---|---|
| Information from sensor n | Information collected from sensor n, where n represents the ID of the sensor. |
| Detected association-request flood messages | Number of detected messages for association request flood attacks. |
| Detected authentication flood messages | Number of detected messages for authentication request flood attacks. |
| Detected beacon flood messages | Number of detected messages for beacon flood attacks. |
| Detected block-ack flood messages | Number of detected messages for Block Ack flood attacks. |
| Detected cts flood messages | Number of detected messages for CTS flood attacks. |
| Detected deauthentication flood messages | Number of detected messages for deauthentication flood attacks. |
| Detected disassociation flood messages | Number of detected messages for disassociation flood attacks. |
| Detected eapol-start flood messages | Number of detected messages for EAPOL-start flood attacks. |
| Detected null-data flood messages | Number of detected messages for null data flood attacks. |
| Detected probe-request flood messages | Number of detected messages for probe request flood attacks. |
| Detected reassociation-request flood messages | Number of detected messages for reassociation request flood attacks. |
| Detected rts flood messages | Number of detected messages for RTS flood attacks. |
| Detected eapol-logoff flood messages | Number of detected messages for EAPOL-logoff flood attacks. |
| Detected eap-failure flood messages | Number of detected messages for EAP-failure flood attacks. |
| Detected eap-success flood messages | Number of detected messages for EAP-success flood attacks. |
| Detected duplicated-ie messages | Number of detected messages for malformed packets with duplicated IE. |
| Detected fata-jack messages | Number of detected messages for FATA-Jack malformed packets. |
| Detected illegal-ibss-ess messages | Number of detected messages for malformed packets with abnormal IBSS and ESS setting. |
| Detected invalid-address-combination messages | Number of detected messages for malformed packets with invalid source address. |
| Detected invalid-assoc-req messages | Number of detected messages for malformed association request frames. |
| Detected invalid-auth messages | Number of detected messages for malformed authentication request frames. |
| Detected invalid-deauth-code messages | Number of detected messages for malformed packets with invalid deauthentication code. |
| Detected invalid-disassoc-code messages | Number of detected messages for malformed packets with invalid disassociation code. |
| Detected invalid-ht-ie messages | Number of detected messages for malformed packets with malformed HT IE. |
| Detected invalid-ie-length messages | Number of detected messages for malformed packets with invalid IE length. |
| Detected invalid-pkt-length messages | Number of detected messages for malformed packets with invalid packet length. |
| Detected large-duration messages | Number of detected messages for malformed packets with oversized duration. |
| Detected null-probe-resp messages | Number of detected messages for malformed probe response frames. |
| Detected overflow-eapol-key messages | Number of detected messages for malformed packets with oversized EAPOL key. |
| Detected overflow-ssid messages | Number of detected messages for malformed packets with oversized SSID. |
| Detected redundant-ie messages | Number of detected messages for malformed packets with redundant IE. |
| Detected AP spoof AP messages | Number of detected messages for AP spoofing (AP spoofs AP) attacks. |
| Detected AP spoof client messages | Number of detected messages for client spoofing (AP spoofs client) attacks. |
| Detected AP spoof ad-hoc messages | Number of detected messages for Ad hoc spoofing (AP spoofs Ad hoc) attacks. |
| Detected ad-hoc spoof AP messages | Number of detected messages for AP spoofing (Ad hoc spoofs AP) attacks. |
| Detected client spoof AP messages | Number of detected messages for AP spoofing (client spoofs AP) attacks. |
| Detected weak IV messages | Number of detected messages for weak IVs. |
| Detected excess AP messages | Number of detected messages for AP entry attacks. |
| Detected excess client messages | Number of detected messages for client entry attacks. |
| Detected 40MHZ messages | Number of detected messages for clients disabled with the 40 MHz bandwidth mode. |
| Detected power save messages | Number of detected messages for power saving attacks. |
| Detected omerta messages | Number of detected messages for Omerta attacks. |
| Detected windows bridge messages | Number of detected messages for Windows bridge. |
| Detected soft AP messages | Number of detected messages for soft APs. |
| Detected broadcast disassoc messages | Number of detected messages for broadcast disassociation attacks. |
| Detected broadcast deauth messages | Number of detected messages for broadcast deauthentication attacks. |
| Detected AP impersonate messages | Number of detected messages for AP impersonation attacks. |
| Detected HT greenfield messages | Number of detected messages in HT greenfield mode. |
| Detected association table overflow messages | Number of detected messages for association and reassociation DoS attacks. |
| Detected wireless bridge messages | Number of messages detected by wireless bridges. |
| Detected AP flood messages | Number of detected messages for AP flood attacks. |

Related commands

reset wips statistics

display wips virtual-security-domain countermeasure record

Use display wips virtual-security-domain countermeasure record to display information about countermeasures that WIPS has taken against rogue devices.

Syntax

display wips virtual-security-domain vsd-name countermeasure record

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Display information about countermeasures that WIPS has taken against rogue devices for VSD office.

<Sysname> display wips virtual-security-domain office countermeasure record

Total 3 times countermeasure, current 3 countermeasure record in virtual-security-domain office

 

Reason: Att - attack; Ass - associated; Black - blacklist;

        Class - classification; Manu - manual;

 

MAC address    Type   Reason   Countermeasure AP     Radio ID   Time

1000-0000-00e3 AP     Manu     fatap                  1          2016-05-03/09:32:01

1000-0000-00e4 AP     Manu     fatap                  1          2016-05-03/09:32:11

2000-0000-f282 Client Black    fatap                  1          2016-05-03/09:31:56

Table 3 Command output

Field

Description

Total 3 times countermeasure, current 3 countermeasure record in virtual-security-domain office

Number of successful countermeasures. This field can display up to 1024 countermeasure records.

MAC Address

MAC address of the wireless device against which WIPS has taken countermeasures.

Type

Type of the wireless device: AP or Client.

Reason

Reason why WIPS takes countermeasures against the wireless device:

·     Att—WIPS takes countermeasures against the device because it is an attacker.

·     Class—WIPS takes countermeasures against the device based on its device type.

·     Manu—WIPS takes countermeasures against the device based on its MAC address.

Countermeasure AP

Name of the sensor that takes countermeasures against the wireless device.

Radio ID

Radio ID of the sensor that takes countermeasures against the wireless device.

Time

Time when the AC notified the sensor to take countermeasures against the wireless device.

 

Related commands

reset wips virtual-security-domain countermeasure record

display wips virtual-security-domain device

Use display wips virtual-security-domain device to display information about wireless devices detected in a VSD.

Syntax

display wips virtual-security-domain vsd-name device [ ap [ ad-hoc | authorized | external | mesh | misconfigured | potential-authorized | potential-external | potential-rogue | rogue | uncategorized ] | client [ [ dissociative-client ] | [ authorized | misassociation | unauthorized | uncategorized ] ] | mac-address mac-address ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

device: Specifies wireless devices.

ap: Specifies APs.

ad-hoc: Specifies APs operating in Ad hoc mode.

authorized: Specifies authorized APs.

external: Specifies external APs.

mesh: Specifies MPs.

misconfigured: Specifies misconfigured APs.

potential-authorized: Specifies potential-authorized APs.

potential-rogue: Specifies potential-rogue APs.

potential-external: Specifies potential-external APs.

rogue: Specifies rogue APs.

uncategorized: Specifies uncategorized APs.

client: Specifies clients.

dissociative-client: Specifies unassociated clients.

authorized: Specifies authorized clients.

misassociation: Specifies misassociated clients.

unauthorized: Specifies unauthorized clients.

uncategorized: Specifies uncategorized clients.

mac-address mac-address: Specifies a wireless device by its MAC address in the H-H-H format.

verbose: Displays detailed device information.

Examples

# Display information about wireless devices detected in VSD office.

<Sysname> display wips virtual-security-domain office device

Total 3 detected devices in virtual-security-domain office

 

Class: Auth - authorization; Ext - external; Mis - mistake;

       Unauth - unauthorized; Uncate - uncategorized;

       (A) - associate; (C) - config; (P) - potential;

       Ad-hoc; Mesh

 

MAC address    Type   Class    Duration    Sensors Channel Status

1000-0000-0000 AP     Ext(P)   00h 10m 46s 1       11      Active

1000-0000-0001 AP     Ext(P)   00h 10m 46s 1       6       Active

1000-0000-0002 AP     Ext(P)   00h 10m 46s 1       1       Active

Table 4 Command output

Field

Description

Type

Wireless device type: AP, Client, or Mesh.

Class

Category of the wireless device.

Duration

Duration since the wireless device entered the current state.

Sensors

Number of sensors that have detected the wireless device.

Channel

Channel on which the wireless device was most recently detected.

Status

Status of the AP or client:

·     Active—The AP or client is active.

·     Inactive—The AP or client is inactive.

 

# Display detailed information about wireless devices detected in VSD a.

<Sysname> display wips virtual-security-domain a device verbose

Total 2 detected devices in virtual-security-domain a

 

 AP: 1000-0000-0000

   Mesh Neighbor: None

   Classification: Mis(C)

   Severity level: 0

   Classify way: Auto

   Status: Active

   Status duration: 00h 27m 57s

   Vendor: Not found

   SSID: service

   Radio type: 802.11g

   Countermeasuring: No

   Security: None

   Encryption method: None

   Authentication method: None

   Broadcast SSID: Yes

   QoS supported: No

   Ad-hoc: No

   Beacon interval: 100 TU

   Up duration: 00h 27m 57s

   Channel band-width supported: 20MHZ

   Hotspot AP: No

   Soft AP: No

   Honeypot AP: No

   Total number of reported sensors: 1

     Sensor 1:

       Sensor ID: 1

       Sensor name: fatap

       Radio ID: 1

       RSSI: 15

       Channel: 149

       First reported time: 2014-06-03/09:05:51

       Last reported time: 2014-06-03/09:05:51

   Total number of associated clients: 1

     01: 2000-0000-0000

Client: 2000-0000-0000

  Last reported associated AP: 1000-0000-0000

  Classification: Uncate

  Severity level: 0

  Classify way: Auto

  Dissociative status: No

  Status: Active

  Status duration: 00h 00m 02s

  Vendor: Not found

  Radio type: 802.11a

  40mhz intolerance: No

  Countermeasuring: No

  Man in the middle: No

  Total number of reported sensors: 1

     Sensor 1:

       Sensor ID: 1

       Sensor name: fatap

       Radio ID: 1

       RSSI: 50

       Channel: 149

       First reported time: 2014-06-03/14:52:56

       Last reported time: 2014-06-03/14:52:56

       Reported associated AP: 1000-0000-0000

Table 5 Command output

Field

Description

AP

MAC address of the AP.

Mesh Neighbor

MAC address of the mesh AP's neighbor.

Client

MAC address of the client.

Last reported associated AP

MAC address of the associated AP that the client most recently reported.

Classification

Category of the AP or client:

·     AP category:

¡     ad_hoc.

¡     authorized.

¡     rogue.

¡     misconfigured.

¡     external.

¡     potential-authorized.

¡     potential-rogue.

¡     potential-external.

¡     uncategorized.

·     Client category:

¡     authorized.

¡     unauthorized.

¡     misassociated.

¡     uncategorized.

Severity level

Severity level of the device.

Classify way

AP or client classification method:

·     Manual—Manual classification.

·     Invalid OUI—Added to the invalid OUI list.

·     Block List—Added to the prohibited device list.

·     Trust List—Added to the permitted device list.

·     User Define—User-defined classification.

·     Auto—Automatic classification.

Dissociative status

Whether the client is an unassociated client.

Status

Status of the AP or client:

·     Active—The AP or client is active.

·     Inactive—The AP or client is inactive.

Status duration

Duration since the wireless device entered the current state.

Vendor

OUI of the device. This field displays the device OUI if the OUI matches an imported OUI. This field displays Not found if no OUI is configured for the device or the OUI does not match any imported OUIs.

SSID

SSID of the wireless service provided by the AP.

Radio Type

Radio mode of the wireless device.

40MHz intolerance

Whether the client supports 40 MHz bandwidth mode.

Countermeasuring

Whether WIPS is taking countermeasures against the wireless device:

·     No.

·     Yes.

Man in the middle

Whether an MITM attack is detected.

Security

Security method:

·     None.

·     WEP.

·     WPA.

·     WPA2.

·     WAPI.

Encryption method

Data encryption method:

·     TKIP.

·     CCMP.

·     WEP.

·     WAPI-SMS4.

·     None.

Authentication method

Authentication method:

·     None.

·     PSK.

·     802.1X.

·     Others—Authentication methods except for PSK authentication and 802.1X authentication.

Broadcast SSID

Whether the AP broadcasts the SSID. This field displays nothing if the AP does not broadcast the SSID.

QoS supported

Whether the wireless device supports QoS.

Ad-hoc

Whether the wireless device is in Ad hoc mode.

Beacon interval

Beacon interval in TUs. One TU is equal to 1024 microseconds.

Channel band-width supported

Supported channel bandwidth mode:

·     20/40/80MHZ.

·     20/40MHZ.

·     20MHZ.

Hotspot AP

Whether the AP is a hotspot attack AP.

Soft AP

Whether the AP is a soft AP.

Honeypot AP

Whether the AP is a honeypot AP.

Sensor n

Sensor that detected the wireless device. n represents the ID assigned by the system.

Channel

Channel on which the sensor most recently detected the wireless device.

First reported time

Time when the sensor first detected the wireless device.

Last reported time

Time when the sensor most recently detected the wireless device.

n: H-H-H

MAC address of the client associated with the AP. n represents the number assigned by the system.

Reported associated AP

MAC address of the associated AP that the sensor reports.

 

Related commands

reset wips virtual-security-domain device
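The verbose output described in Table 5 can be turned into structured records for triage. The following is an added example, not H3C code: the function names and the triage criteria (an AP with Security: None or a Hotspot/Soft/Honeypot flag, a client with Man in the middle set) are assumptions of this example, and the sample text is abridged from the example output above.

```python
import re

MAC = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}", re.I)

# Abridged copy of the example output above (some fields omitted, values unchanged).
SAMPLE = """\
Total 2 detected devices in virtual-security-domain a

 AP: 1000-0000-0000
   Classification: Mis(C)
   Status: Active
   SSID: service
   Countermeasuring: No
   Security: None
   Hotspot AP: No
   Soft AP: No
   Honeypot AP: No
   Total number of reported sensors: 1
     Sensor 1:
       Sensor name: fatap
       Radio ID: 1
       RSSI: 15
       Channel: 149
       Last reported time: 2014-06-03/09:05:51
   Total number of associated clients: 1
     01: 2000-0000-0000
Client: 2000-0000-0000
  Last reported associated AP: 1000-0000-0000
  Classification: Uncate
  Countermeasuring: No
  Man in the middle: No
  Total number of reported sensors: 1
     Sensor 1:
       Sensor name: fatap
       RSSI: 50
       Channel: 149
       Reported associated AP: 1000-0000-0000
"""


def parse_device_verbose(text):
    """Parse `display wips virtual-security-domain <vsd> device verbose` output.

    Indentation is ignored on purpose: records are delimited by their keys
    ("AP"/"Client", "Sensor n", "nn: H-H-H"), so copied output still parses.
    """
    devices, device, target = [], None, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if not sep:
            continue                                   # banner, prompt or blank line
        if key in ("AP", "Client") and MAC.fullmatch(value):
            device = {"type": key, "mac": value.lower(),
                      "fields": {}, "sensors": [], "clients": []}
            devices.append(device)
            target = device["fields"]
        elif device is None:
            continue                                   # text before the first device
        elif re.fullmatch(r"Sensor \d+", key) and not value:
            target = {}                                # start of a per-sensor report
            device["sensors"].append(target)
        elif key == "Total number of associated clients":
            target = device["fields"]                  # sensor list has ended
            target[key] = value
        elif key.isdigit() and MAC.fullmatch(value):
            device["clients"].append(value.lower())    # "n: H-H-H" client entry
        else:
            target[key] = value
    return devices


def triage(devices):
    """Return {mac: [reasons]} using this example's assumed review criteria."""
    findings = {}
    for dev in devices:
        fields, reasons = dev["fields"], []
        if dev["type"] == "AP":
            if fields.get("Security") == "None":
                reasons.append("open SSID %r (Security: None)" % fields.get("SSID"))
            for flag in ("Hotspot AP", "Soft AP", "Honeypot AP"):
                if fields.get(flag) == "Yes":
                    reasons.append(flag)
        elif fields.get("Man in the middle") == "Yes":
            reasons.append("Man in the middle")
        if not reasons:
            continue
        if fields.get("Countermeasuring") == "No":
            reasons.append("no countermeasure active")
        if dev["clients"]:
            reasons.append("associated clients: " + ", ".join(dev["clients"]))
        findings[dev["mac"]] = reasons
    return findings


if __name__ == "__main__":
    for mac, reasons in triage(parse_device_verbose(SAMPLE)).items():
        print(mac, "->", "; ".join(reasons))
```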

display wlan nat-detect

Use display wlan nat-detect to display information about clients with NAT configured.

Syntax

display wlan nat-detect [ mac-address mac-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mac-address mac-address: Specifies a client by its MAC address. If you do not specify this option, the command displays information about all detected NAT-configured clients.

Examples

# Display information about all detected NAT-configured clients.

<Sysname> display wlan nat-detect

Total 1 detected clients with NAT configured

 

MAC address    Last report         First report         Duration

0a98-2044-0000 2020-08-24/11:05:23 2020-08-24/10:05:23  01h 15m 00s

Table 6 Command output

Field

Description

Total number detected clients with NAT configured

Number of detected NAT-configured clients.

MAC address

MAC address of the detected client.

Last report

Time when the client was most recently detected.

First report

Time when the client was detected for the first time.

Duration

Duration since the client was configured with NAT.

 

Related commands

reset wlan nat-detect

export oui

Use export oui to export all OUIs in the OUI library to an OUI configuration file.

Syntax

export oui file-name

Views

WIPS view

Predefined user roles

network-admin

Parameters

file-name: Specifies a configuration file by its name, a case-insensitive string of 1 to 255 characters. It cannot contain backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), quotation marks ("), left angle brackets (<), right angle brackets (>), or vertical bars (|).

Usage guidelines

This command exports all OUIs including embedded OUIs and imported OUIs.

The OUIs are exported in the following format:

000FE2     (base 16)        New H3C Technologies Co., Ltd..

Examples

# Export all OUIs in the OUI library to configuration file OUIInfo.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] export oui OUIInfo

Related commands

import oui

reset wips embedded-oui

flood association-request

Use flood association-request to configure association request flood attack detection.

Use undo flood association-request to disable association request flood attack detection.

Syntax

flood association-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood association-request

Default

Association request flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for association request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an association request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an association request flood attack within the quiet time.

threshold threshold-value: Specifies the number of association request frames that triggers an association request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable association request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood association-request interval 100 threshold 100 quiet 360

flood authentication

Use flood authentication to configure authentication request flood attack detection.

Use undo flood authentication to disable authentication request flood attack detection.

Syntax

flood authentication [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood authentication

Default

Authentication request flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for authentication request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an authentication request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an authentication request flood attack within the quiet time.

threshold threshold-value: Specifies the number of authentication request frames that triggers an authentication request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable authentication request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood authentication interval 100 threshold 100 quiet 360

flood beacon

Use flood beacon to configure beacon flood attack detection.

Use undo flood beacon to disable beacon flood attack detection.

Syntax

flood beacon [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood beacon

Default

Beacon flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for beacon frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a beacon flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a beacon flood attack within the quiet time.

threshold threshold-value: Specifies the number of beacon frames that triggers a beacon flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable beacon flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood beacon interval 100 threshold 100 quiet 360

flood block-ack

Use flood block-ack to configure Block Ack flood attack detection.

Use undo flood block-ack to disable Block Ack flood attack detection.

Syntax

flood block-ack [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood block-ack

Default

Block Ack flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for Block Ack frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a Block Ack flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a Block Ack flood attack within the quiet time.

threshold threshold-value: Specifies the number of Block Ack frames that triggers a Block Ack flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable Block Ack flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood block-ack interval 100 threshold 100 quiet 360

flood cts

Use flood cts to configure CTS flood attack detection.

Use undo flood cts to disable CTS flood attack detection.

Syntax

flood cts [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood cts

Default

CTS flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for CTS frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a CTS flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a CTS flood attack within the quiet time.

threshold threshold-value: Specifies the number of CTS frames that triggers a CTS flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable CTS flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood cts interval 100 threshold 100 quiet 360

flood deauthentication

Use flood deauthentication to configure deauthentication flood attack detection.

Use undo flood deauthentication to disable deauthentication flood attack detection.

Syntax

flood deauthentication [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood deauthentication

Default

Deauthentication flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for deauthentication frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a deauthentication flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a deauthentication flood attack within the quiet time.

threshold threshold-value: Specifies the number of deauthentication frames that triggers a deauthentication flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable deauthentication flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood deauthentication interval 100 threshold 100 quiet 360

flood disassociation

Use flood disassociation to configure disassociation flood attack detection.

Use undo flood disassociation to disable disassociation flood attack detection.

Syntax

flood disassociation [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood disassociation

Default

Disassociation flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for disassociation frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a disassociation flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a disassociation flood attack within the quiet time.

threshold threshold-value: Specifies the number of disassociation frames that triggers a disassociation flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable disassociation flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood disassociation interval 100 threshold 100 quiet 360

flood eap-failure

Use flood eap-failure to configure EAP-failure flood attack detection.

Use undo flood eap-failure to disable EAP-failure flood attack detection.

Syntax

flood eap-failure [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood eap-failure

Default

EAP-failure flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for EAP-failure frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAP-failure flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAP-failure flood attack within the quiet time.

threshold threshold-value: Specifies the number of EAP-failure frames that triggers an EAP-failure flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable EAP-failure flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood eap-failure interval 100 threshold 100 quiet 360

flood eapol-logoff

Use flood eapol-logoff to configure EAPOL-logoff flood attack detection.

Use undo flood eapol-logoff to disable EAPOL-logoff flood attack detection.

Syntax

flood eapol-logoff [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood eapol-logoff

Default

EAPOL-logoff flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for EAPOL-logoff frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAPOL-logoff flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAPOL-logoff flood attack within the quiet time.

threshold threshold-value: Specifies the number of EAPOL-logoff frames that triggers an EAPOL-logoff flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable EAPOL-logoff flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood eapol-logoff interval 100 threshold 100 quiet 360

flood eapol-start

Use flood eapol-start to configure EAPOL-start flood attack detection.

Use undo flood eapol-start to disable EAPOL-start flood attack detection.

Syntax

flood eapol-start [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood eapol-start

Default

EAPOL-start flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for EAPOL-start frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAPOL-start flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAPOL-start flood attack within the quiet time.

threshold threshold-value: Specifies the number of EAPOL-start frames that triggers an EAPOL-start flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable EAPOL-start flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood eapol-start interval 100 threshold 100 quiet 360

flood eap-success

Use flood eap-success to configure EAP-success flood attack detection.

Use undo flood eap-success to disable EAP-success flood attack detection.

Syntax

flood eap-success [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood eap-success

Default

EAP-success flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for EAP-success frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an EAP-success flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an EAP-success flood attack within the quiet time.

threshold threshold-value: Specifies the number of EAP-success frames that triggers an EAP-success flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable EAP-success flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood eap-success interval 100 threshold 100 quiet 360

flood null-data

Use flood null-data to configure null data flood attack detection.

Use undo flood null-data to disable null data flood attack detection.

Syntax

flood null-data [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood null-data

Default

Null data flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for null data frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a null data flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a null data flood attack within the quiet time.

threshold threshold-value: Specifies the number of null data frames that triggers a null data flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable null data flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood null-data interval 100 threshold 100 quiet 360

flood probe-request

Use flood probe-request to configure probe request flood attack detection.

Use undo flood probe-request to disable probe request flood attack detection.

Syntax

flood probe-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood probe-request

Default

Probe request flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for probe request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a probe request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a probe request flood attack within the quiet time.

threshold threshold-value: Specifies the number of probe request frames that triggers a probe request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable probe request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood probe-request interval 100 threshold 100 quiet 360

flood reassociation-request

Use flood reassociation-request to configure reassociation request flood attack detection.

Use undo flood reassociation-request to disable reassociation request flood attack detection.

Syntax

flood reassociation-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood reassociation-request

Default

Reassociation request flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for reassociation request frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a reassociation request flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a reassociation request flood attack within the quiet time.

threshold threshold-value: Specifies the number of reassociation request frames that triggers a reassociation request flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable reassociation request flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood reassociation-request interval 100 threshold 100 quiet 360

flood rts

Use flood rts to configure RTS flood attack detection.

Use undo flood rts to disable RTS flood attack detection.

Syntax

flood rts [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

undo flood rts

Default

RTS flood attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for RTS frames. The value range for the interval-value argument is 1 to 3600 seconds and the default statistics collection interval is 60 seconds.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an RTS flood attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an RTS flood attack within the quiet time.

threshold threshold-value: Specifies the number of RTS frames that triggers an RTS flood attack alarm. The value range for the threshold-value argument is 1 to 100000 and the default value is 50.

Examples

# Enable RTS flood attack detection and set the interval-value, quiet-value, and threshold-value arguments to 100 seconds, 360 seconds, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] flood rts interval 100 threshold 100 quiet 360
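The interval, threshold, and quiet arguments shared by the flood commands above interact as shown in this added Python model, which is not H3C code. It assumes fixed back-to-back counting windows, one counter per frame type, and an alarm when the count reaches the threshold; the class and function names are hypothetical and the timestamps are constructed sample input.

```python
class FloodDetector:
    """Model of `flood <frame-type> interval I threshold T quiet Q`."""

    def __init__(self, interval=60, threshold=50, quiet=600):
        # Defaults and value ranges are the ones stated in the command reference.
        if not 1 <= interval <= 3600:
            raise ValueError("interval must be 1 to 3600 seconds")
        if not 5 <= quiet <= 604800:
            raise ValueError("quiet must be 5 to 604800 seconds")
        if not 1 <= threshold <= 100000:
            raise ValueError("threshold must be 1 to 100000")
        self.interval, self.threshold, self.quiet = interval, threshold, quiet
        self.window_start = None   # start of the current counting window
        self.count = 0             # frames counted in the current window
        self.quiet_until = None    # alarms are withheld before this time
        self.alarms = []           # timestamps at which an alarm was raised
        self.suppressed = []       # threshold crossings hidden by the quiet time

    def observe(self, ts):
        """Count one frame seen at ts (seconds); return True if an alarm is raised."""
        # Assumption: a new window starts once the interval has elapsed.
        if self.window_start is None or ts - self.window_start >= self.interval:
            self.window_start, self.count = ts, 0
        self.count += 1
        if self.count != self.threshold:
            return False           # only the crossing itself is evaluated
        if self.quiet_until is not None and ts < self.quiet_until:
            self.suppressed.append(ts)
            return False           # detected, but inside the quiet time
        self.alarms.append(ts)
        self.quiet_until = ts + self.quiet
        return True


def burst(start, frames=150, per_second=10):
    """Constructed sample input: timestamps of one burst of frames."""
    return [start + i // per_second for i in range(frames)]


def replay(detector, timestamps):
    """Feed timestamps to the detector; return (alarms, suppressed)."""
    for ts in timestamps:
        detector.observe(ts)
    return detector.alarms, detector.suppressed


if __name__ == "__main__":
    # Same values as the CLI examples: interval 100 threshold 100 quiet 360.
    det = FloodDetector(interval=100, threshold=100, quiet=360)
    alarms, hidden = replay(det, burst(0) + burst(200) + burst(400))
    print("alarms at", alarms, "suppressed at", hidden)
```

In the replay, the burst starting at 200 seconds crosses the threshold but raises no alarm because it falls inside the 360-second quiet time.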

frame-type

Use frame-type to configure a subsignature to match frame types.

Use undo frame-type to restore the default.

Syntax

frame-type { control | data | management [ frame-subtype { association-request | association-response | authentication | beacon | deauthentication | disassociation | probe-request } ] }

undo frame-type

Default

No subsignature is configured to match frame types.

Views

Signature view

Predefined user roles

network-admin

Parameters

control: Matches control frames.

data: Matches data frames.

management: Matches management frames.

frame-subtype: Specifies a frame subtype.

association-request: Matches association request frames.

association-response: Matches association response frames.

authentication: Matches authentication frames.

beacon: Matches beacon frames.

deauthentication: Matches deauthentication frames.

disassociation: Matches disassociation frames.

probe-request: Matches probe request frames.

Examples

# Configure a subsignature to match data frames for signature 1.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] frame-type data

Related commands

match all (signature rule view)

mac-address

pattern

seq-number

ssid (signature rule view)

ssid-length

honeypot-ap

Use honeypot-ap to configure honeypot AP detection.

Use undo honeypot-ap to disable honeypot AP detection.

Syntax

honeypot-ap [ similarity similarity-value | quiet quiet-value ] *

undo honeypot-ap

Default

Honeypot AP detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

similarity similarity-value: Specifies the similarity threshold that triggers a honeypot AP alarm, as a percentage in the range of 70 to 100. The default value is 80%. An AP is determined to be a honeypot AP if the similarity between the SSID of the AP and the SSID of a legitimate AP reaches the threshold.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a honeypot AP. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a honeypot AP within the quiet time.

Examples

# Enable honeypot AP detection, and set the similarity threshold and quiet time to 90% and 10 seconds, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] honeypot-ap similarity 90 quiet 10

hotspot-attack

Use hotspot-attack to configure hotspot attack detection.

Use undo hotspot-attack to disable hotspot attack detection.

Syntax

hotspot-attack [ quiet quiet-value ]

undo hotspot-attack

Default

Hotspot attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a hotspot attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a hotspot attack within the quiet time.

Examples

# Enable hotspot attack detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] hotspot-attack quiet 100

Related commands

import hotspot

hotspot ssid

Use hotspot ssid to specify an SSID as a hotspot SSID.

Use undo hotspot ssid to remove one or all specified hotspot SSIDs.

Syntax

hotspot ssid ssid-name

undo hotspot ssid { ssid-name | all }

Default

No SSIDs are specified as hotspot SSIDs, and the device only has built-in hotspot SSIDs.

Views

WIPS view

Predefined user roles

network-admin

Parameters

ssid-name: Specifies an SSID by its name, a case-sensitive string of 1 to 32 characters.

all: Specifies all SSIDs.

Usage guidelines

By default, the device has built-in hotspot SSIDs. You cannot delete the built-in hotspot SSIDs. To specify an SSID as a hotspot SSID, you can take either of the following actions:

·     Edit the SSID settings in the configuration file and then execute the import hotspot command to import the modified configuration file to the device. You can use this method to specify multiple SSIDs as hotspot SSIDs.

·     Execute the hotspot ssid command to specify an SSID as a hotspot SSID.

With hotspot SSIDs specified and hotspot attack detection enabled, the device can detect all devices broadcasting the hotspot SSIDs in the environment and mark the unlicensed devices as hotspot APs. To ensure WLAN security, you can take countermeasures against the hotspot APs.

Examples

# Specify SSID cmcc as a hotspot SSID.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] hotspot ssid cmcc

Related commands

import hotspot

ht-40mhz-intolerance

Use ht-40mhz-intolerance to configure detection on clients with the 40 MHz bandwidth mode disabled.

Use undo ht-40mhz-intolerance to disable detection on clients with the 40 MHz bandwidth mode disabled.

Syntax

ht-40mhz-intolerance [ quiet quiet-value ]

undo ht-40mhz-intolerance

Default

Detection on clients with the 40 MHz bandwidth mode disabled is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a client with the 40 MHz bandwidth mode disabled. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a client with the 40 MHz bandwidth mode disabled within the quiet time.

Examples

# Enable detection on clients with the 40 MHz bandwidth mode disabled and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ht-40mhz-intolerance quiet 100

ht-greenfield

Use ht-greenfield to configure HT-greenfield AP detection.

Use undo ht-greenfield to disable HT-greenfield AP detection.

Syntax

ht-greenfield [ quiet quiet-value ]

undo ht-greenfield

Default

HT-greenfield AP detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting an HT-greenfield AP. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an HT-greenfield AP within the quiet time.

Examples

# Enable HT-greenfield AP detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] ht-greenfield quiet 100

ignorelist

Use ignorelist to add a MAC address to the alarm-ignored device list.

Use undo ignorelist to remove a specific or all MAC addresses from the alarm-ignored device list.

Syntax

ignorelist mac-address mac-address

undo ignorelist mac-address { mac-address | all }

Default

No MAC address is added to the alarm-ignored device list.

Views

WIPS view

Predefined user roles

network-admin

Parameters

mac-address: Specifies a MAC address in the H-H-H format.

all: Specifies all MAC addresses in the alarm-ignored device list.

Usage guidelines

For wireless devices in the alarm-ignored device list, WIPS does not generate any alarms.

Examples

# Add MAC address 2a11-1fa1-1311 to the alarm-ignored device list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ignorelist mac-address 2a11-1fa1-1311

import hotspot

Use import hotspot to import hotspots from a configuration file.

Use undo import hotspot to remove the configuration.

Syntax

import hotspot file-name

undo import hotspot

Default

A device has built-in hotspot SSIDs and no configuration file containing hotspot information exists.

Views

WIPS view

Predefined user roles

network-admin

Parameters

file-name: Specifies a configuration file by its name, a case-insensitive string of 1 to 255 characters. It cannot contain backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), quotation marks ("), left angle brackets (<), right angle brackets (>), or vertical bars (|).

Usage guidelines

You can import hotspots from only one configuration file.

Examples

# Import hotspots from configuration file hotspot_cfg.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] import hotspot hotspot_cfg

Related commands

hotspot-attack

import oui

Use import oui to import OUIs from a configuration file.

Use undo import oui to restore the default.

Syntax

import oui file-name

undo import oui

Default

No OUIs are imported.

Views

WIPS view

Predefined user roles

network-admin

Parameters

file-name: Specifies a configuration file by its name, a case-insensitive string of 1 to 255 characters. It cannot contain backslashes (\), slashes (/), colons (:), asterisks (*), question marks (?), quotation marks ("), left angle brackets (<), right angle brackets (>), or vertical bars (|).

Usage guidelines

You can download the configuration file from the IEEE website.

You can import OUIs from only one configuration file.

Examples

# Import OUIs from configuration file oui_import_cfg.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] import oui oui_import_cfg

Related commands

export oui

reset wips embedded-oui

invalid-oui-classify illegal

Use invalid-oui-classify illegal to configure WIPS to classify devices with invalid OUIs as rogue devices.

Use undo invalid-oui-classify to restore the default.

Syntax

invalid-oui-classify illegal

undo invalid-oui-classify

Default

WIPS does not classify devices with invalid OUIs as rogue devices.

Views

Classification policy view

Predefined user roles

network-admin

Examples

# Configure WIPS to classify devices with invalid OUIs as rogue devices.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] invalid-oui-classify illegal

Related commands

import oui

mac-address

Use mac-address to configure a subsignature to match frames by MAC address.

Use undo mac-address to restore the default.

Syntax

mac-address { bssid | destination | source } mac-address

undo mac-address

Default

No subsignature is configured to match frames by MAC address.

Views

Signature view

Predefined user roles

network-admin

Parameters

bssid: Matches a BSSID.

destination: Matches a destination MAC address.

source: Matches a source MAC address.

mac-address: Specifies a MAC address in the H-H-H format.

Examples

# Configure a subsignature to match frames with source MAC address 000f-e201-0101 for signature 1.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] mac-address source 000f-e201-0101

Related commands

frame-type

match all (signature rule view)

pattern

seq-number

ssid (signature rule view)

ssid-length

malformed duplicated-ie

Use malformed duplicated-ie to enable duplicated IE detection.

Use undo malformed duplicated-ie to disable duplicated IE detection.

Syntax

malformed duplicated-ie [ quiet quiet-value ]

undo malformed duplicated-ie

Default

Duplicated IE detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a duplicated IE. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a duplicated IE within the quiet time.

Usage guidelines

This feature is applicable to all management frames. WIPS determines that a packet is malformed if the packet has a duplicated IE. This feature does not take effect on frames with vendor-defined IEs.

Examples

# Enable duplicated IE detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed duplicated-ie quiet 360

malformed fata-jack

Use malformed fata-jack to enable FATA-Jack detection.

Use undo malformed fata-jack to disable FATA-Jack detection.

Syntax

malformed fata-jack [ quiet quiet-value ]

undo malformed fata-jack

Default

FATA-Jack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a FATA-Jack malformed packet. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a FATA-Jack malformed packet within the quiet time.

Usage guidelines

This feature is applicable to authentication frames. WIPS determines that an authentication frame is malformed if the value of the authentication algorithm number is 2.

Examples

# Enable FATA-Jack detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed fata-jack quiet 360

malformed illegal-ibss-ess

Use malformed illegal-ibss-ess to enable abnormal IBSS or ESS setting detection.

Use undo malformed illegal-ibss-ess to disable abnormal IBSS or ESS setting detection.

Syntax

malformed illegal-ibss-ess [ quiet quiet-value ]

undo malformed illegal-ibss-ess

Default

Abnormal IBSS or ESS setting detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an abnormal IBSS and ESS setting. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an abnormal IBSS and ESS setting within the quiet time.

Usage guidelines

This feature is applicable to beacon frames and probe response frames. WIPS determines that a frame is malformed if both the IBSS and ESS are set to 1 in the frame.

Examples

# Enable abnormal IBSS or ESS setting detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed illegal-ibss-ess quiet 360

malformed invalid-address-combination

Use malformed invalid-address-combination to enable invalid source address detection.

Use undo malformed invalid-address-combination to disable invalid source address detection.

Syntax

malformed invalid-address-combination [ quiet quiet-value ]

undo malformed invalid-address-combination

Default

Invalid source address detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid source address. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid source address within the quiet time.

Usage guidelines

This feature is applicable to all management frames. WIPS determines that a frame is malformed when the following conditions are met:

·     The TO DS of the frame is 1, indicating that the frame is sent to the AP by a client.

·     The source MAC address of the frame is a multicast or broadcast address.

Examples

# Enable invalid source address detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-address-combination quiet 360

malformed invalid-assoc-req

Use malformed invalid-assoc-req to enable malformed association request frame detection.

Use undo malformed invalid-assoc-req to disable malformed association request frame detection.

Syntax

malformed invalid-assoc-req [ quiet quiet-value ]

undo malformed invalid-assoc-req

Default

Malformed association request frame detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed association request frame. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed association request frame within the quiet time.

Usage guidelines

This feature is applicable to association request frames. WIPS determines that a frame is malformed if the SSID length in the frame is 0.

Examples

# Enable malformed association request frame detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-assoc-req quiet 360

malformed invalid-auth

Use malformed invalid-auth to enable malformed authentication request frame detection.

Use undo malformed invalid-auth to disable malformed authentication request frame detection.

Syntax

malformed invalid-auth [ quiet quiet-value ]

undo malformed invalid-auth

Default

Malformed authentication request frame detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed authentication request frame. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed authentication request frame within the quiet time.

Usage guidelines

This feature is applicable to authentication request frames. WIPS determines that a frame is malformed when the following conditions are met:

·     The authentication algorithm number does not conform to the 802.11 protocol and is larger than 3.

·     The authentication transaction sequence number, indicating the authentication process between the client and the AP, is 1 and the status code is not 0.

·     The authentication transaction sequence number is larger than 4.

Examples

# Enable malformed authentication request frame detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-auth quiet 360

malformed invalid-deauth-code

Use malformed invalid-deauth-code to enable invalid deauthentication code detection.

Use undo malformed invalid-deauth-code to disable invalid deauthentication code detection.

Syntax

malformed invalid-deauth-code [ quiet quiet-value ]

undo malformed invalid-deauth-code

Default

Invalid deauthentication code detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid deauthentication code. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid deauthentication code within the quiet time.

Usage guidelines

This feature is applicable to deauthentication frames. WIPS determines that a frame is malformed if the reason code in the frame is 0 or in the range of 67 to 65535.

Examples

# Enable invalid deauthentication code detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-deauth-code quiet 360

malformed invalid-disassoc-code

Use malformed invalid-disassoc-code to enable invalid disassociation code detection.

Use undo malformed invalid-disassoc-code to disable invalid disassociation code detection.

Syntax

malformed invalid-disassoc-code [ quiet quiet-value ]

undo malformed invalid-disassoc-code

Default

Invalid disassociation code detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid disassociation code. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid disassociation code within the quiet time.

Usage guidelines

This feature is applicable to disassociation frames. WIPS determines that a frame is malformed if the reason code in the frame is 0 or in the range of 67 to 65535.

Examples

# Enable invalid disassociation code detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-disassoc-code quiet 360
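The fixed-field rules documented for malformed fata-jack, illegal-ibss-ess, invalid-address-combination, invalid-auth, invalid-deauth-code, and invalid-disassoc-code can be expressed as the following added Python check, which is not H3C code. It assumes the three invalid-auth conditions are alternatives (a transaction sequence number cannot be both 1 and larger than 4) and that invalid-address-combination needs both of its conditions; the function names are hypothetical and the frames are constructed in memory.

```python
import struct

MGMT = 0                                   # 802.11 frame type: management
PROBE_RESP, BEACON, DISASSOC, AUTH, DEAUTH = 5, 8, 10, 11, 12
HDR_LEN = 24                               # FC, duration, 3 addresses, seq-ctl


def build_mgmt(subtype, body, to_ds=False, sa=b"\x02\x00\x00\x00\x00\x01"):
    """Constructed sample input: a management frame with the given body."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x01 if to_ds else 0x00])
    da = bssid = b"\x02\x00\x00\x00\x00\xaa"
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


def check_fixed_fields(frame):
    """Return the names of the malformed-frame rules that the frame matches."""
    hits = []
    if len(frame) < HDR_LEN or (frame[0] >> 2) & 0x3 != MGMT:
        return hits                        # not a complete management header
    subtype = frame[0] >> 4
    to_ds = bool(frame[1] & 0x01)
    sa = frame[10:16]                      # address 2 is the source address
    body = frame[HDR_LEN:]

    # TO DS set (client to AP) with a group (multicast/broadcast) source MAC.
    if to_ds and sa[0] & 0x01:
        hits.append("invalid-address-combination")

    if subtype == AUTH and len(body) >= 6:
        alg, seq, status = struct.unpack_from("<HHH", body)
        if alg == 2:
            hits.append("fata-jack")
        if alg > 3 or (seq == 1 and status != 0) or seq > 4:
            hits.append("invalid-auth")

    if subtype in (DEAUTH, DISASSOC) and len(body) >= 2:
        (reason,) = struct.unpack_from("<H", body)
        if reason == 0 or reason >= 67:    # 67 to 65535 in a 16-bit field
            name = "invalid-deauth-code" if subtype == DEAUTH else "invalid-disassoc-code"
            hits.append(name)

    if subtype in (BEACON, PROBE_RESP) and len(body) >= 12:
        # Capability information follows the timestamp (8) and beacon interval (2).
        (cap,) = struct.unpack_from("<H", body, 10)
        if cap & 0x0001 and cap & 0x0002:  # ESS and IBSS both set
            hits.append("illegal-ibss-ess")
    return hits


def auth_body(alg, seq, status):
    return struct.pack("<HHH", alg, seq, status)


if __name__ == "__main__":
    samples = {
        "open-system auth": build_mgmt(AUTH, auth_body(0, 1, 0)),
        "auth algorithm 2": build_mgmt(AUTH, auth_body(2, 1, 0)),
        "deauth reason 0": build_mgmt(DEAUTH, struct.pack("<H", 0)),
        "beacon ESS+IBSS": build_mgmt(BEACON, b"\x00" * 10 + struct.pack("<H", 3)),
    }
    for label, frame in samples.items():
        print(label, "->", check_fixed_fields(frame))
```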

malformed invalid-ht-ie

Use malformed invalid-ht-ie to enable malformed HT IE detection.

Use undo malformed invalid-ht-ie to disable malformed HT IE detection.

Syntax

malformed invalid-ht-ie [ quiet quiet-value ]

undo malformed invalid-ht-ie

Default

Malformed HT IE detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed HT IE. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed HT IE within the quiet time.

Usage guidelines

This feature is applicable to beacon, probe response, association response, and reassociation response frames. WIPS determines that a frame is malformed when the following conditions are met:

·     The SM power save value of the HT capabilities IE is 2.

·     The secondary channel offset value of the HT operation IE is 2.

Examples

# Enable malformed HT IE detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-ht-ie quiet 360

malformed invalid-ie-length

Use malformed invalid-ie-length to enable invalid IE length detection.

Use undo malformed invalid-ie-length to disable invalid IE length detection.

Syntax

malformed invalid-ie-length [ quiet quiet-value ]

undo malformed invalid-ie-length

Default

Invalid IE length detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid IE length. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid IE length within the quiet time.

Usage guidelines

This feature is applicable to all management frames. WIPS determines that a frame is malformed if the length of an IE in the frame does not conform to the 802.11 protocol.

Examples

# Enable invalid IE length detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-ie-length quiet 360

malformed invalid-pkt-length

Use malformed invalid-pkt-length to enable invalid packet length detection.

Use undo malformed invalid-pkt-length to disable invalid packet length detection.

Syntax

malformed invalid-pkt-length [ quiet quiet-value ]

undo malformed invalid-pkt-length

Default

Invalid packet length detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an invalid packet length. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an invalid packet length within the quiet time.

Usage guidelines

This feature is applicable to all management frames. WIPS determines that a frame is malformed if the remaining length of the IE is not zero after the packet payload is resolved.

Examples

# Enable invalid packet length detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed invalid-pkt-length quiet 360

malformed large-duration

Use malformed large-duration to enable oversized duration detection.

Use undo malformed large-duration to disable oversized duration detection.

Syntax

malformed large-duration [ quiet quiet-value | threshold value ]

undo malformed large-duration

Default

Oversized duration detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an oversized duration. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an oversized duration within the quiet time.

threshold value: Specifies the duration size that triggers WIPS to determine an oversized duration and trigger an alarm. The value range for the value argument is 1 to 32767 and the default value is 5000.

Usage guidelines

This feature is applicable to unicast management frames, unicast data frames, RTS, CTS, and ACK frames. WIPS determines that a frame is malformed if the duration value in the frame is larger than the specified threshold.

Examples

# Enable oversized duration detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed large-duration quiet 360

malformed null-probe-resp

Use malformed null-probe-resp to enable malformed probe response frame detection.

Use undo malformed null-probe-resp to disable malformed probe response frame detection.

Syntax

malformed null-probe-resp [ quiet quiet-value ]

undo malformed null-probe-resp

Default

Malformed probe response frame detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a malformed probe response frame. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a malformed probe response frame within the quiet time.

Usage guidelines

This feature is applicable to probe response frames. WIPS determines that a frame is malformed if the frame is not a mesh frame and its SSID length is 0.

Examples

# Enable malformed probe response frame detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed null-probe-resp quiet 360

malformed overflow-eapol-key

Use malformed overflow-eapol-key to enable oversized EAPOL key detection.

Use undo malformed overflow-eapol-key to disable oversized EAPOL key detection.

Syntax

malformed overflow-eapol-key [ quiet quiet-value ]

undo malformed overflow-eapol-key

Default

Oversized EAPOL key detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an oversized EAPOL key. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an oversized EAPOL key within the quiet time.

Usage guidelines

This feature is applicable to EAPOL-Key frames. WIPS determines that a frame is malformed if the TO DS is 1 and the key length is larger than 0 in the frame. A malicious EAPOL-Key frame might result in DoS attacks.

Examples

# Enable oversized EAPOL key detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed overflow-eapol-key quiet 360

malformed overflow-ssid

Use malformed overflow-ssid to enable oversized SSID detection.

Use undo malformed overflow-ssid to disable oversized SSID detection.

Syntax

malformed overflow-ssid [ quiet quiet-value ]

undo malformed overflow-ssid

Default

Oversized SSID detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an oversized SSID. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an oversized SSID within the quiet time.

Usage guidelines

This feature is applicable to beacon, probe request, probe response, and association request frames. WIPS determines that a frame is malformed if the SSID length in the frame is larger than 32, which does not conform to the 802.11 protocol.

Examples

# Enable oversized SSID detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed overflow-ssid quiet 360
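The two SSID-length rules above (null-probe-resp: a non-mesh probe response whose SSID length is 0; overflow-ssid: an SSID length larger than 32) and the quiet-time behavior can be reproduced offline with the following Python example. It is added here and is not H3C code. It assumes frames start at a 24-byte 802.11 MAC header (no radiotap, no FCS), treats a frame carrying a Mesh ID element (ID 114) as a mesh frame, and applies the quiet time per detector; the page specifies none of these.

```python
"""Added example: SSID-length checks and quiet-time suppression as described on this page."""

MAC_HDR_LEN = 24                       # assumption: 3-address header, no radiotap, no FCS
# Management subtype -> bytes of fixed fields that precede the tagged IEs
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}  # assoc-req, probe-req, probe-resp, beacon
PROBE_RESP = 5
IE_SSID, IE_MESH_ID = 0, 114           # assumption: Mesh ID element marks a mesh frame
MAX_SSID_LEN = 32


def parse_ies(body):
    """Yield (element_id, declared_length, value); value is short if the frame is truncated."""
    i = 0
    while i + 2 <= len(body):
        eid, declared = body[i], body[i + 1]
        yield eid, declared, body[i + 2:i + 2 + declared]
        i += 2 + declared


def check_frame(frame):
    """Return the set of detector names (as used on this page) that the frame trips."""
    if len(frame) < MAC_HDR_LEN:
        return set()
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return set()                    # not one of the management frames the rules cover
    ies = list(parse_ies(frame[MAC_HDR_LEN + FIXED_LEN[subtype]:]))
    ssid_lens = [declared for eid, declared, _ in ies if eid == IE_SSID]
    if not ssid_lens:
        return set()
    is_mesh = any(eid == IE_MESH_ID for eid, _, _ in ies)
    hits = set()
    # The declared length octet is tested, so a truncated oversized SSID still counts.
    if ssid_lens[0] > MAX_SSID_LEN:
        hits.add("overflow-ssid")
    if subtype == PROBE_RESP and ssid_lens[0] == 0 and not is_mesh:
        hits.add("null-probe-resp")
    return hits


class QuietGate:
    """Suppress repeat alarms for `quiet` seconds after an alarm (5 to 604800, default 600)."""

    def __init__(self, quiet=600):
        if not 5 <= quiet <= 604800:
            raise ValueError("quiet time must be 5 to 604800 seconds")
        self.quiet = quiet
        self.last_alarm = {}            # assumption: one timer per detector

    def allow(self, detector, now):
        last = self.last_alarm.get(detector)
        if last is not None and now - last < self.quiet:
            return False                # detected, but inside the quiet time
        self.last_alarm[detector] = now
        return True


def alarms(capture, quiet=600):
    """capture: iterable of (timestamp_seconds, frame_bytes). Returns alarms actually raised."""
    gate, raised = QuietGate(quiet), []
    for ts, frame in capture:
        for detector in sorted(check_frame(frame)):
            if gate.allow(detector, ts):
                raised.append((ts, detector))
    return raised


def build_frame(subtype, ies):
    """Construct a minimal management frame for testing (zeroed addresses and fixed fields)."""
    frame = bytes([subtype << 4, 0]) + bytes(22) + bytes(FIXED_LEN[subtype])
    for eid, value in ies:
        frame += bytes([eid, len(value)]) + value
    return frame


# Constructed sample capture: timestamps in seconds, frames built above.
NULL_PROBE_RESP = build_frame(5, [(0, b"")])
LONG_SSID_BEACON = build_frame(8, [(0, b"A" * 33)])
SAMPLE_CAPTURE = [(0, NULL_PROBE_RESP), (100, NULL_PROBE_RESP),
                  (120, LONG_SSID_BEACON), (360, NULL_PROBE_RESP)]

if __name__ == "__main__":
    for ts, detector in alarms(SAMPLE_CAPTURE, quiet=360):
        print(f"t={ts}s alarm: {detector}")
```

A zero-length SSID in a beacon or probe request is not flagged by either rule, which matches the frame types the usage guidelines list.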

malformed redundant-ie

Use malformed redundant-ie to enable redundant IE detection.

Use undo malformed redundant-ie to disable redundant IE detection.

Syntax

malformed redundant-ie [ quiet quiet-value ]

undo malformed redundant-ie

Default

Redundant IE detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a redundant IE. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a redundant IE within the quiet time.

Usage guidelines

This feature is applicable to all management frames. WIPS determines that a frame is malformed if an IE in the frame is neither a necessary IE to the frame nor a reserved IE.

Examples

# Enable redundant IE detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] malformed redundant-ie quiet 360

man-in-the-middle

Use man-in-the-middle to configure man-in-the-middle (MITM) attack detection.

Use undo man-in-the-middle to disable MITM attack detection.

Syntax

man-in-the-middle [ quiet quiet-value ]

undo man-in-the-middle

Default

MITM attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an MITM attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an MITM attack within the quiet time.

Usage guidelines

WIPS can detect MITM attacks only when you enable both honeypot AP detection and MITM attack detection.

Examples

# Enable MITM attack detection.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] honeypot-ap

[Sysname-wips-dtc-home] man-in-the-middle

manual-classify mac-address

Use manual-classify mac-address to classify APs by MAC address.

Use undo manual-classify mac-address to restore the default.

Syntax

manual-classify mac-address mac-address { authorized-ap | external-ap | misconfigured-ap | rogue-ap }

undo manual-classify mac-address { mac-address | all }

Default

APs are not classified by MAC address.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

mac-address: Specifies an AP by its MAC address, in the H-H-H format.

authorized-ap: Specifies the AP as an authorized AP.

external-ap: Specifies the AP as an external AP.

misconfigured-ap: Specifies the AP as a misconfigured AP.

rogue-ap: Specifies the AP as a rogue AP.

all: Specifies all APs.

Examples

# Classify the AP whose MAC address is 000f-00e2-0001 as an authorized AP.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] manual-classify mac-address 000f-00e2-0001 authorized-ap

match all (AP classification rule view)

Use match all to configure the AP classification rule criteria to be in logical AND relationship.

Use undo match all to restore the default.

Syntax

match all

undo match all

Default

The AP classification rule criteria are in logical OR relationship. An AP matches an AP classification rule if it matches any of the criteria of the AP classification rule.

Views

AP classification rule view

Predefined user roles

network-admin

Examples

# Configure the criteria of AP classification rule 1 to be in logical AND relationship.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] match all

match all (signature view)

Use match all to configure the subsignatures to be in logical AND relationship.

Use undo match all to restore the default.

Syntax

match all

undo match all

Default

The subsignatures are in logical OR relationship. A packet matches a signature if it matches any of the subsignatures of the signature.

Views

Signature view

Predefined user roles

network-admin

Examples

# Configure the subsignatures of signature 1 to be in logical AND relationship.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] match all

Related commands

frame-type

mac-address

pattern

seq-number

ssid (signature rule view)

ssid-length

omerta

Use omerta to configure Omerta attack detection.

Use undo omerta to disable Omerta attack detection.

Syntax

omerta [ quiet quiet-value ]

undo omerta

Default

Omerta attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon an Omerta attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an Omerta attack within the quiet time.

Examples

# Enable Omerta attack detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] omerta quiet 100

oui

Use oui to configure an AP classification rule to match APs by OUI information.

Use undo oui to restore the default.

Syntax

oui oui-info

undo oui

Default

An AP classification rule does not match APs by OUI information.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

oui-info: Specifies the OUI information in the XXXXXX format, a case-insensitive hexadecimal string.

Examples

# Configure AP classification rule 1 to match APs with OUI 000fe4.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] oui 000fe4

pattern

Use pattern to configure a subsignature to match frames by specified bits.

Use undo pattern to restore the default.

Syntax

pattern pattern-number offset offset-value mask mask value1 [ to value2 ] [ from-payload ]

undo pattern { pattern-number | all }

Default

No subsignature is configured to match frames by specified bits.

Views

Signature view

Predefined user roles

network-admin

Parameters

pattern-number: Specifies a number for a subsignature that matches the specified bits of a frame, in the range of 0 to 7.

offset offset-value: Specifies the offset from the specified bit to the reference bit. The value range for the offset-value argument is 0 to 2346 bits. The reference bit can be the first bit of the frame head (default) or the frame payload.

mask mask: Specifies a two-byte mask that is used for the AND operation with the specified bits. The mask is in hexadecimal format and the value range for the mask is 0 to ffff.

value1 [ to value2 ]: Specifies a value range for the specified bits. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 65535 for both the value1 and value2 arguments, and value2 cannot be smaller than value1.

from-payload: Specifies the first bit of the frame payload as the reference bit. If you do not specify this keyword, the first bit of the frame head is the reference bit.

Examples

# Configure a subsignature to match the second and third bytes from the frame head of a frame. If the values of the second and third bytes of a frame are within the range of 0x0015 to 0x0020, the frame matches the subsignature.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] pattern 1 offset 8 mask ffff 15 to 20

Related commands

frame-type

match all (signature rule view)

mac-address

ssid (signature rule view)

seq-number

ssid-length
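The following Python example models how a pattern subsignature (offset, mask, value range, from-payload) and a seq-number subsignature evaluate a frame, and how match all switches a signature from logical OR to logical AND. It is an added example, not H3C code. It assumes bits are counted MSB-first from the reference bit, that the frame payload starts after a 24-byte MAC header, and it passes values as integers using the 0x0015 to 0x0020 range the example above describes.

```python
"""Added example: evaluating pattern / seq-number subsignatures and match all."""
from dataclasses import dataclass

MAC_HDR_LEN = 24   # assumption: payload begins after a 3-address MAC header


def extract16(data, bit_offset):
    """Return the 16 bits starting bit_offset bits into data (MSB-first), or None if too short."""
    end = bit_offset + 16
    if end > len(data) * 8:
        return None
    first, last = bit_offset // 8, (end + 7) // 8
    window = int.from_bytes(data[first:last], "big")
    shift = (last - first) * 8 - (bit_offset % 8) - 16
    return (window >> shift) & 0xFFFF


@dataclass
class Pattern:
    number: int
    offset: int
    mask: int
    value1: int
    value2: int = None
    from_payload: bool = False

    def __post_init__(self):
        if self.value2 is None:
            self.value2 = self.value1
        # Ranges taken from the Parameters list of the pattern command.
        if not (0 <= self.number <= 7 and 0 <= self.offset <= 2346
                and 0 <= self.mask <= 0xFFFF
                and 0 <= self.value1 <= self.value2 <= 65535):
            raise ValueError("pattern argument out of range")

    def matches(self, frame):
        data = frame[MAC_HDR_LEN:] if self.from_payload else frame
        bits = extract16(data, self.offset)
        return bits is not None and self.value1 <= (bits & self.mask) <= self.value2


@dataclass
class SeqNumber:
    value1: int
    value2: int = None

    def __post_init__(self):
        if self.value2 is None:
            self.value2 = self.value1
        if not 0 <= self.value1 <= self.value2 <= 4095:
            raise ValueError("seq-number argument out of range")

    def matches(self, frame):
        if len(frame) < MAC_HDR_LEN:
            return False
        # Sequence Control is bytes 22-23, little-endian; the upper 12 bits are the number.
        seq = int.from_bytes(frame[22:24], "little") >> 4
        return self.value1 <= seq <= self.value2


@dataclass
class Signature:
    subsigs: list
    match_all: bool = False   # default is logical OR, as stated under match all

    def matches(self, frame):
        results = [s.matches(frame) for s in self.subsigs]
        if not results:
            return False
        return all(results) if self.match_all else any(results)


# Constructed sample frame: bytes 2-3 are 0x0018, sequence number 100, payload ab cd 00 00.
SAMPLE = (bytes([0x80, 0x00, 0x18, 0x00]) + bytes(18)
          + (100 << 4).to_bytes(2, "little") + b"\xab\xcd\x00\x00")

if __name__ == "__main__":
    head = Pattern(1, 8, 0xFFFF, 0x0015, 0x0020)
    wrong_seq = SeqNumber(101)
    print("OR :", Signature([head, wrong_seq]).matches(SAMPLE))
    print("AND:", Signature([head, wrong_seq], match_all=True).matches(SAMPLE))
```

A frame too short to supply 16 bits at the configured offset is treated as a non-match, which is a choice of this example.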

permit-channel

Use permit-channel to add one or multiple channels to the permitted channel list.

Use undo permit-channel to remove the specified or all channels from the permitted channel list.

Syntax

permit-channel channel-id-list

undo permit-channel { channel-id-list | all }

Default

No channels are added to the permitted channel list.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

channel-id-list: Specifies a space-separated list of up to 10 permitted channel items. Each item specifies a channel number or a range of channel numbers in the form of value1 to value2. The value range for channel numbers is 1 to 224. The value for the value2 argument must be equal to or greater than the value for the value1 argument.

all: Specifies all permitted channels.

Usage guidelines

To prevent WIPS from taking all channels as prohibited channels, use this command to configure a permitted channel list before you configure prohibited channel detection.

Examples

# Add channel 1 to the permitted channel list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] permit-channel 1

Related commands

prohibited-channel

power-save

Use power-save to configure power saving attack detection.

Use undo power-save to disable power saving attack detection.

Syntax

power-save [ interval interval-value | minoffpacket packet-value | onoffpercent percent-value | quiet quiet-value ] *

undo power-save

Default

Power saving attack detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the statistics collection interval for power save frames. The value range for the interval-value argument is 1 to 3600 seconds, and the default value is 10 seconds.

minoffpacket packet-value: Specifies the threshold for the number of power save off frames that triggers power save attack analysis. If the number of off frames from a client reaches the threshold, WIPS analyzes the power save frames to determine whether a power save attack occurs. The value range for the argument is 10 to 150, and the default is 50.

onoffpercent percent-value: Specifies the threshold for the ratio between the power save on frames and off frames from a client. WIPS triggers an alarm for a power save attack when the threshold is reached. The value range for this argument is 0 to 100, and the default is 80.

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon a power saving attack. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a power saving attack within the quiet time.

Examples

# Enable power saving attack detection, and set the interval-value, packet-value, percent-value, and quiet-value arguments to 20, 20, 90, and 100, respectively.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] power-save interval 20 minoffpacket 20 onoffpercent 90 quiet 100

prohibited-channel

Use prohibited-channel to configure prohibited channel detection.

Use undo prohibited-channel to disable prohibited channel detection.

Syntax

prohibited-channel [ quiet quiet-value ]

undo prohibited-channel

Default

Prohibited channel detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a prohibited channel. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a prohibited channel within the quiet time.

Usage guidelines

To prevent WIPS from taking all channels as prohibited channels, use the permit-channel command to configure a permitted channel list before you configure prohibited channel detection.

Examples

# Enable prohibited channel detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] prohibited-channel quiet 100

Related commands

permit-channel
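The dependencies stated in the usage guidelines (MITM detection needs honeypot AP detection; a permitted channel list should exist before prohibited channel detection is configured) and the documented argument ranges can be checked before a change is pushed. The following Python example is added here and is not an H3C tool. It audits a list of command lines as they would be typed in attack detection policy view, and its finding names and its simplified handling of undo are assumptions of the example.

```python
"""Added example: lint commands typed in attack detection policy view against this page's rules."""
import re

PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")   # strips "<Sysname>" / "[Sysname-...]"
QUIET_MIN, QUIET_MAX = 5, 604800


def parse_channel_list(tokens):
    """Parse a channel-id-list; raise ValueError if it breaks the documented limits."""
    items, i = [], 0
    while i < len(tokens):
        low = high = int(tokens[i])          # int() raises ValueError on non-numbers
        i += 1
        if i < len(tokens) and tokens[i] == "to":
            if i + 1 >= len(tokens):
                raise ValueError("range has no end value")
            high = int(tokens[i + 1])
            i += 2
        if not 1 <= low <= high <= 224:
            raise ValueError("channel out of range or value2 < value1")
        items.append((low, high))
    if not 1 <= len(items) <= 10:
        raise ValueError("list must hold 1 to 10 items")
    return items


def audit_detect_policy(lines):
    """Return a list of (finding, offending_line) tuples; empty means no issue found."""
    enabled, findings = set(), []
    for raw in lines:
        if raw.strip().startswith("#"):
            continue                          # description lines in the manual's examples
        tokens = PROMPT.sub("", raw).split()
        if not tokens:
            continue
        if tokens[0] == "undo":
            # Simplification: undo disables the feature; the permitted channel list is
            # only considered empty after "undo permit-channel all".
            if len(tokens) > 1 and (tokens[1] != "permit-channel" or tokens[2:] == ["all"]):
                enabled.discard(tokens[1])
            continue
        cmd, args = tokens[0], tokens[1:]
        if "quiet" in args:
            pos = args.index("quiet")
            value = args[pos + 1] if pos + 1 < len(args) else ""
            if not (value.isdigit() and QUIET_MIN <= int(value) <= QUIET_MAX):
                findings.append(("quiet-out-of-range", raw))
        if cmd == "permit-channel":
            try:
                parse_channel_list(args)
            except ValueError:
                findings.append(("bad-channel-list", raw))
                continue
        if cmd == "prohibited-channel" and "permit-channel" not in enabled:
            findings.append(("prohibited-channel-before-permit-channel", raw))
        enabled.add(cmd)
    if "man-in-the-middle" in enabled and "honeypot-ap" not in enabled:
        findings.append(("man-in-the-middle-without-honeypot-ap", "man-in-the-middle"))
    return findings


# Constructed sample sessions (not captured from a device).
BAD_SESSION = [
    "[Sysname-wips-dtc-home] man-in-the-middle",
    "[Sysname-wips-dtc-home] prohibited-channel quiet 100",
    "[Sysname-wips-dtc-home] permit-channel 1",
]
GOOD_SESSION = [
    "# Enable MITM and prohibited channel detection.",
    "<Sysname> system-view",
    "[Sysname] wips",
    "[Sysname-wips] detect policy home",
    "[Sysname-wips-dtc-home] honeypot-ap",
    "[Sysname-wips-dtc-home] man-in-the-middle",
    "[Sysname-wips-dtc-home] permit-channel 1 to 11 36",
    "[Sysname-wips-dtc-home] prohibited-channel quiet 100",
]

if __name__ == "__main__":
    for finding, line in audit_detect_policy(BAD_SESSION):
        print(f"{finding}: {line}")
```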

random-mac-scan

Use random-mac-scan enable to configure WIPS to not trigger alarms for Apple terminals that use a random MAC address.

Use undo random-mac-scan enable to restore the default.

Syntax

random-mac-scan enable

undo random-mac-scan enable

Default

WIPS triggers alarms for Apple terminals that use a random MAC address.

Views

Attack detection policy view

Predefined user roles

network-admin

Examples

# Configure WIPS to not trigger alarms for Apple terminals that use a random MAC address.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] random-mac-scan enable

report-interval

Use report-interval to set the interval at which APs report information about detected devices.

Use undo report-interval to restore the default.

Syntax

report-interval interval

undo report-interval

Default

APs report information about detected devices every 30000 milliseconds.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval at which APs report information about detected devices, in the range of 1000 to 300000 milliseconds.

Examples

# Set the interval at which APs report information about detected devices to 10000 milliseconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] report-interval 10000

reset wips embedded-oui

Use reset wips embedded-oui to delete all embedded OUIs in the OUI library.

Syntax

reset wips embedded-oui

Views

User view

Predefined user roles

network-admin

Examples

# Delete all embedded OUIs in the OUI library.

<Sysname> reset wips embedded-oui

Related commands

export oui

import oui

reset wips statistics

Use reset wips statistics to clear WLAN attack detection statistics collected from all sensors.

Syntax

reset wips statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear information collected by all sensors.

<Sysname> reset wips statistics

Related commands

display wips statistics receive

reset wips virtual-security-domain

Use reset wips virtual-security-domain to clear AP or client entries in a VSD.

Syntax

reset wips virtual-security-domain vsd-name device { ap { all | mac-address mac-address } | client { all | mac-address mac-address } | all }

Views

User view

Predefined user roles

network-admin

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

device: Specifies device entries.

ap: Specifies AP entries.

all: Specifies all AP entries.

mac-address mac-address: Specifies an AP by its MAC address.

client: Specifies client entries.

all: Specifies all client entries.

mac-address mac-address: Specifies a client by its MAC address.

all: Specifies all AP and client entries.

Examples

# Clear all AP and client entries in VSD aaa.

<Sysname> reset wips virtual-security-domain aaa device all

Related commands

display wips virtual-security-domain device

reset wips virtual-security-domain countermeasure record

Use reset wips virtual-security-domain countermeasure record to clear information about countermeasures that WIPS has taken against rogue devices.

Syntax

reset wips virtual-security-domain vsd-name countermeasure record

Views

User view

Predefined user roles

network-admin

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Clear information about countermeasures that WIPS has taken against rogue devices for VSD aaa.

<Sysname> reset wips virtual-security-domain aaa countermeasure record

Related commands

display wips virtual-security-domain countermeasure record

reset wlan nat-detect

Use reset wlan nat-detect to clear information about clients with NAT configured.

Syntax

reset wlan nat-detect

Views

User view

Predefined user roles

network-admin

Examples

# Clear information about clients with NAT configured.

<Sysname> reset wlan nat-detect

Related commands

display wlan nat-detect

rssi

Use rssi to configure an AP classification rule to match APs by RSSI.

Use undo rssi to restore the default.

Syntax

rssi value1 [ to value2 ]

undo rssi

Default

An AP classification rule does not match APs by RSSI.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

value1 [ to value2 ]: Specifies a value range for the RSSI of APs. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 100 for both the value1 and value2 arguments, and value2 cannot be smaller than value1.

Examples

# Configure AP classification rule 1 to match APs with an RSSI of 20 to 40.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] rssi 20 to 40

rssi-change-threshold

Use rssi-change-threshold to set the RSSI difference threshold for wireless device detection.

Use undo rssi-change-threshold to restore the default.

Syntax

rssi-change-threshold threshold-value

undo rssi-change-threshold

Default

The RSSI difference threshold is 20 for wireless device detection.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the RSSI difference threshold for wireless device detection, in the range of 1 to 100.

Examples

# Set the RSSI difference threshold to 80 for wireless device detection.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] rssi-change-threshold 80

rssi-threshold

Use rssi-threshold to set the RSSI threshold for clients or APs.

Use undo rssi-threshold to restore the default.

Syntax

rssi-threshold { ap ap-rssi-value | client client-rssi-value }

undo rssi-threshold { ap | client }

Default

No RSSI threshold is set for clients or APs.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

ap ap-rssi-value: Specifies the RSSI threshold for APs, in the range of 1 to 100.

client client-rssi-value: Specifies the RSSI threshold for clients, in the range of 1 to 100.

Examples

# Set the RSSI threshold for APs to 80.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] rssi-threshold ap 80

security

Use security to configure an AP classification rule to match APs by security mode.

Use undo security to restore the default.

Syntax

security { equal | include } { clear | wep | wpa | wpa2 }

undo security

Default

No AP classification rule is configured to match APs by security mode.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

equal: Matches security modes equal to the specified security mode.

include: Matches security modes that include the specified security mode.

clear: Specifies the clear security mode.

wep: Specifies the WEP security mode.

wpa: Specifies the WPA security mode.

wpa2: Specifies the WPA2 security mode.

Examples

# Configure AP classification rule 1 to match APs that use the WEP security mode.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] security equal wep

select sensor all

Use select sensor all to enable all sensors that detect an attacker to take countermeasures against the attacker.

Use undo select sensor to remove the configuration.

Syntax

select sensor all

undo select sensor

Default

Only the sensor that most recently detects an attacker takes countermeasures against the attacker.

Views

Countermeasure policy view

Predefined user roles

network-admin

Examples

# Enable all sensors that detect an attacker to take countermeasures against the attacker.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] countermeasure policy home

[Sysname-wips-ctm-home] select sensor all

seq-number

Use seq-number to configure a subsignature to match frames by sequence number.

Use undo seq-number to restore the default.

Syntax

seq-number seq-value1 [ to seq-value2 ]

undo seq-number

Default

No subsignature is configured to match frames by sequence number.

Views

Signature view

Predefined user roles

network-admin

Parameters

seq-value1 [ to seq-value2 ]: Specifies a value range for the sequence number of a frame. The seq-value1 and seq-value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 4095 for both the seq-value1 and seq-value2 arguments, and seq-value2 cannot be smaller than seq-value1.

Examples

# Configure a subsignature to match frames with the sequence number 100.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] seq-number 100

Related commands

frame-type

match all (signature rule view)

mac-address

pattern

ssid (signature rule view)

ssid-length

signature policy

Use signature policy to create a signature policy and enter its view, or enter the view of an existing signature policy.

Use undo signature policy to remove a signature policy.

Syntax

signature policy policy-name

undo signature policy policy-name

Default

No signature policies exist.

Views

WIPS view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a signature policy name, a case-sensitive string of 1 to 63 characters.

Examples

# Create a signature policy named home and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature policy home

signature rule

Use signature rule to create a signature and enter its view, or enter the view of an existing signature.

Use undo signature rule to remove a signature.

Syntax

signature rule rule-id

undo signature rule rule-id

Default

No signatures exist.

Views

WIPS view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a signature ID in the range of 1 to 128.

Examples

# Create signature 1 and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

soft-ap

Use soft-ap to configure soft AP detection.

Use undo soft-ap to disable soft AP detection.

Syntax

soft-ap [ convert-time time-value ]

undo soft-ap

Default

Soft AP detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

convert-time time-value: Specifies the interval at which a soft AP switches between its role of client and AP. The value range for the time-value argument is 5 to 600 seconds, and the default is 10 seconds.

Examples

# Enable soft AP detection and set the time-value argument to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] soft-ap convert-time 100

ssid (AP classification rule view)

Use ssid to configure an AP classification rule to match APs by SSID.

Use undo ssid to restore the default.

Syntax

ssid [ case-sensitive ] [ not ] { equal | include } ssid-string

undo ssid

Default

An AP classification rule does not match APs by SSID.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

case-sensitive: Takes the case of the SSID into account when matching.

not: Matches SSIDs that are not equal to or do not include the specified SSID.

equal: Matches SSIDs equal to the specified SSID.

include: Matches SSIDs that include the specified SSID.

ssid-string: Specifies an SSID, a case-sensitive string of 1 to 32 characters.

Examples

# Configure AP classification rule 1 to match APs using SSID abc.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] ssid equal abc

ssid (signature view)

Use ssid to configure a subsignature to match frames by SSID.

Use undo ssid to restore the default.

Syntax

ssid [ case-sensitive ] [ not ] { equal | include } string

undo ssid

Default

No subsignature is configured to match frames by SSID.

Views

Signature view

Predefined user roles

network-admin

Parameters

case-sensitive: Takes the case of the SSID into account when matching.

not: Matches SSIDs that are not equal to or do not include the specified SSID.

equal: Matches SSIDs equal to the specified SSID.

include: Matches SSIDs that include the specified SSID.

string: Specifies an SSID, a case-sensitive string of 1 to 32 characters.

Examples

# Configure a subsignature to match frames with SSID office for signature 1.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] ssid equal office

Related commands

frame-type

match all (signature rule view)

mac-address

pattern

seq-number

ssid-length

ssid-length

Use ssid-length to configure a subsignature to match frames by SSID length.

Use undo ssid-length to restore the default.

Syntax

ssid-length length-value1 [ to length-value2 ]

undo ssid-length

Default

No subsignature is configured to match frames by SSID length.

Views

Signature view

Predefined user roles

network-admin

Parameters

length-value1 [ to length-value2 ]: Specifies the value range for the SSID length. The length-value1 and length-value2 arguments specify the start value and end value for the value range, respectively. The value range is 1 to 32 for both the length-value1 and length-value2 arguments, and length-value2 cannot be smaller than length-value1.

Examples

# Configure a subsignature to match frames in which the SSID length is 10.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] signature rule 1

[Sysname-wips-sig-rule-1] ssid-length 10

Related commands

frame-type

match all (signature rule view)

mac-address

pattern

seq-number

ssid (signature rule view)

trust mac-address

Use trust mac-address to add the MAC address of an AP or client to the permitted device list.

Use undo trust mac-address to remove one or all MAC addresses from the permitted device list.

Syntax

trust mac-address mac-address

undo trust mac-address { mac-address | all }

Default

No MAC addresses exist in the permitted device list.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

mac-address: Specifies a MAC address.

all: Specifies all MAC addresses.

Examples

# Add MAC address 78AC-C0AF-944F to the permitted device list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] trust mac-address 78AC-C0AF-944F

trust oui

Use trust oui to add an OUI to the trusted OUI list.

Use undo trust oui to remove one or all OUIs from the trusted OUI list.

Syntax

trust oui oui

undo trust oui { oui | all }

Default

No OUIs exist in the trusted OUI list.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

oui: Specifies an OUI by its name, a case-insensitive string of 6 characters.

all: Specifies all OUIs.

Examples

# Add OUIs 000fe4 and 000fe5 to the trusted OUI list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] trust oui 000fe4

[Sysname-wips-cls-home] trust oui 000fe5

trust ssid

Use trust ssid to add an SSID to the trusted SSID list.

Use undo trust ssid to remove one or all SSIDs from the trusted SSID list.

Syntax

trust ssid ssid-name

undo trust ssid { ssid-name | all }

Default

No SSIDs exist in the trusted SSID list.

Views

Classification policy view

Predefined user roles

network-admin

Parameters

ssid-name: Specifies an SSID by its name, a case-sensitive string of 1 to 32 characters.

all: Specifies all SSIDs.

Examples

# Add SSID flood1 to the trusted SSID list.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] classification policy home

[Sysname-wips-cls-home] trust ssid flood1

unencrypted-authorized-ap

Use unencrypted-authorized-ap to configure unencrypted authorized AP detection.

Use undo unencrypted-authorized-ap to disable unencrypted authorized AP detection.

Syntax

unencrypted-authorized-ap [ quiet quiet-value ]

undo unencrypted-authorized-ap

Default

Unencrypted authorized AP detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting an unencrypted authorized AP. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an unencrypted authorized AP within the quiet time.

Examples

# Enable unencrypted authorized AP detection and set the quiet time to 10 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] unencrypted-authorized-ap quiet 10

unencrypted-trust-client

Use unencrypted-trust-client to configure unencrypted authorized client detection.

Use undo unencrypted-trust-client to disable unencrypted authorized client detection.

Syntax

unencrypted-trust-client [ quiet quiet-value ]

undo unencrypted-trust-client

Default

Unencrypted authorized client detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting an unencrypted authorized client. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects an unencrypted authorized client within the quiet time.

Examples

# Enable unencrypted authorized client detection and set the quiet time to 10 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] unencrypted-trust-client quiet 10

up-duration

Use up-duration to configure an AP classification rule to match APs by running time.

Use undo up-duration to restore the default.

Syntax

up-duration value1 [ to value2 ]

undo up-duration

Default

An AP classification rule does not match APs by running time.

Views

AP classification rule view

Predefined user roles

network-admin

Parameters

value1 [ to value2 ]: Specifies the value range for the running time of APs. The value1 and value2 arguments specify the start value and end value for the value range, respectively. The value range is 0 to 2592000 seconds for both the value1 and value2 arguments, and value2 must be greater than value1.

Examples

# Configure AP classification rule 1 to match APs with a running time of 2000 to 40000 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] ap-classification rule 1

[Sysname-wips-cls-rule-1] up-duration 2000 to 40000

virtual-security-domain

Use virtual-security-domain to create a VSD and enter its view, or enter the view of an existing VSD.

Use undo virtual-security-domain to remove a VSD.

Syntax

virtual-security-domain vsd-name

undo virtual-security-domain vsd-name

Default

No VSDs exist.

Views

WIPS view

Predefined user roles

network-admin

Parameters

vsd-name: Specifies a VSD name, a case-sensitive string of 1 to 63 characters.

Examples

# Create VSD office and enter its view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] virtual-security-domain office

[Sysname-wips-vsd-office]

weak-iv

Use weak-iv to configure weak IV detection.

Use undo weak-iv to disable weak IV detection.

Syntax

weak-iv [ quiet quiet-value ]

undo weak-iv

Default

Weak IV detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a weak IV. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a weak IV within the quiet time.

Examples

# Enable weak IV detection.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] weak-iv

windows-bridge

Use windows-bridge to configure Windows bridge detection.

Use undo windows-bridge to disable Windows bridge detection.

Syntax

windows-bridge [ quiet quiet-value ]

undo windows-bridge

Default

Windows bridge detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a Windows bridge. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a Windows bridge within the quiet time.

Examples

# Enable Windows bridge detection and set the quiet time to 360 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] windows-bridge quiet 360

wips (radio view)

Use wips enable to enable WIPS.

Use wips disable to disable WIPS.

Use undo wips to restore the default.

Syntax

wips { disable | enable }

undo wips

Default

WIPS is disabled.

Views

Radio interface view

Predefined user roles

network-admin

Usage guidelines

Make sure the number of spatial streams supported by a radio is larger than the number of spatial streams required by the scanned devices. If you enable green energy management, specify a MIMO mode with lower spatial stream handling capacity, or change the default input power level to low, WIPS will be affected.

Examples

# Enable WIPS on WLAN-radio 1/0/1.

<Sysname> system-view

[Sysname] interface wlan-radio 1/0/1

[Sysname-wlan-radio-1] wips enable

wips (system view)

Use wips to enter WIPS view.

Use undo wips to clear all configurations in WIPS view.

Syntax

wips

undo wips

Default

No WIPS view is configured.

Views

System view

Predefined user roles

network-admin

Examples

# Enter WIPS view.

<Sysname> system-view

[Sysname] wips

[Sysname-wips]

wips virtual-security-domain

Use wips virtual-security-domain to add an AP to a VSD.

Use undo wips virtual-security-domain to remove an AP from the VSD.

Syntax

wips virtual-security-domain vsd-name

undo wips virtual-security-domain

Default

An AP is not added to any VSD.

Views

System view

Predefined user roles

network-admin

Parameters

vsd-name: Specifies a VSD by its name, a case-sensitive string of 1 to 63 characters.

Examples

# Add the AP to VSD office.

<Sysname> system-view

[Sysname] wips virtual-security-domain office
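
The following pre-deployment check is an added example, not H3C code. It validates up-duration ranges and VSD names against the limits documented above, and flags an AP assigned to a VSD whose name differs only in case from a created one. The function name lint, the sample command list, and the treatment of a missing VSD as a finding are assumptions.

```python
import re

UP_MAX = 2592000  # documented upper bound (seconds) for value1 and value2
UP_RE = re.compile(r"^up-duration (\d+)(?: to (\d+))?$")
# Assumption: VSD names contain no spaces; the reference gives only length and case rules.
VSD_RE = re.compile(r"^(wips )?virtual-security-domain (\S+)$")

# Constructed command lines, in the order an operator would type them.
SAMPLE = [
    "wips",
    "virtual-security-domain office",
    "ap-classification rule 1",
    "up-duration 2000 to 40000",
    "ap-classification rule 2",
    "up-duration 40000 to 2000",
    "ap-classification rule 3",
    "up-duration 0 to 2592001",
    "quit",
    "quit",
    "wips virtual-security-domain Office",
]


def lint(lines):
    """Return (line_number, message) findings for a list of command lines."""
    findings, defined, assigned = [], set(), []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if m := UP_RE.match(line):
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else None
            if max(lo, hi or 0) > UP_MAX:
                findings.append((n, f"up-duration value above {UP_MAX}"))
            if hi is not None and hi <= lo:
                findings.append((n, "up-duration value2 must be greater than value1"))
        elif m := VSD_RE.match(line):
            name = m.group(2)
            if len(name) > 63:
                findings.append((n, "vsd-name longer than 63 characters"))
            if m.group(1):  # system-view form: assigns the AP to a VSD
                assigned.append((n, name))
            else:           # WIPS-view form: creates the VSD
                defined.add(name)
    for n, name in assigned:
        if name not in defined:
            near = sorted(d for d in defined if d.lower() == name.lower())
            hint = f" (case differs from '{near[0]}')" if near else ""
            findings.append((n, f"AP assigned to VSD '{name}' that is not created{hint}"))
    return findings
```

Calling lint(SAMPLE) reports lines 6, 8 and 11 of the constructed input.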

wireless-bridge

Use wireless-bridge to configure wireless bridge detection.

Use undo wireless-bridge to disable wireless bridge detection.

Syntax

wireless-bridge [ quiet quiet-value ]

undo wireless-bridge

Default

Wireless bridge detection is disabled.

Views

Attack detection policy view

Predefined user roles

network-admin

Parameters

quiet quiet-value: Specifies the quiet time after WIPS triggers an alarm upon detecting a wireless bridge. The value range for the quiet-value argument is 5 to 604800 seconds and the default quiet time is 600 seconds. WIPS does not trigger an alarm even if it detects a wireless bridge within the quiet time.

Examples

# Enable wireless bridge detection and set the quiet time to 100 seconds.

<Sysname> system-view

[Sysname] wips

[Sysname-wips] detect policy home

[Sysname-wips-dtc-home] wireless-bridge quiet 100
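
The quiet parameter shared by unencrypted-trust-client, weak-iv, windows-bridge and wireless-bridge decides how many repeat detections a single alarm stands for. The following model is an added example, not H3C code. The detection timestamps are constructed, and the choice to let a detection at exactly alarm time plus quiet-value raise a new alarm is an assumption the reference does not confirm.

```python
QUIET_MIN, QUIET_MAX, QUIET_DEFAULT = 5, 604800, 600  # seconds, from the parameter text

# Constructed sample: seconds at which a sensor detects the same condition again.
SAMPLE_DETECTIONS = [0, 30, 90, 400, 700, 705, 1500, 4000]


def alarm_summary(detections, quiet=QUIET_DEFAULT):
    """Return [(alarm_time, detections_suppressed_after_it), ...]."""
    if not QUIET_MIN <= quiet <= QUIET_MAX:
        raise ValueError(f"quiet-value {quiet} is outside {QUIET_MIN}-{QUIET_MAX}")
    summary = []
    quiet_until = None
    for t in sorted(detections):
        if quiet_until is not None and t < quiet_until:
            # Still inside the quiet time: detected, but no alarm is raised.
            alarm_time, hidden = summary[-1]
            summary[-1] = (alarm_time, hidden + 1)
        else:
            # Quiet time over (or first detection): raise an alarm, restart the timer.
            summary.append((t, 0))
            quiet_until = t + quiet
    return summary


if __name__ == "__main__":
    # 10, 100 and 360 are the quiet values used in the examples above.
    for quiet in (10, 100, 360, QUIET_DEFAULT):
        rows = alarm_summary(SAMPLE_DETECTIONS, quiet)
        hidden = sum(n for _, n in rows)
        print(f"quiet {quiet:>3}: {len(rows)} alarms, {hidden} suppressed -> {rows}")
```

A long quiet time keeps the alarm log short, but each alarm can then represent several later detections that were never logged as alarms.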

wlan nat-detect

Use wlan nat-detect enable to enable detection on clients with NAT configured.

Use undo wlan nat-detect to restore the default.

Syntax

wlan nat-detect enable

undo wlan nat-detect

Default

Detection on clients with NAT configured is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The device generates an alarm when it detects a client configured with NAT. To view information about detected NAT-configured clients, use the display wlan nat-detect command.

Examples

# Enable detection on clients with NAT configured.

<Sysname> system-view

[Sysname] wlan nat-detect enable