08-WLAN security

HomeSupportResource CenterH3C Access Controllers Configuration Examples(V7)-6W10208-WLAN security
02-WIPS Countermeasures Against All SSIDs Configuration Examples

 

 

WIPS Countermeasures Against All SSIDs Configuration Examples

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides examples for configuring WIPS countermeasures against all SSIDs.

Prerequisites

The following information applies to Comware 7-based access controllers and access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access controllers and access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of WIPS.

Example: Configuring WIPS countermeasures against all SSIDs

Network configuration

As shown in Figure 1, AP 1 and AP 2 provide wireless services for clients through SSID service.

Enable WIPS on the sensor to take countermeasures against the rogue AP that uses SSID service and SSID free.

Figure 1 Network diagram

 

Procedures

Configuring the AC

1.     Configure interfaces on the AC:

# Configure VLAN-interface 100 and assign it an IP address. The AC will use this IP address to establish CAPWAP tunnels with APs.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 112.12.1.25 16

[AC-Vlan-interface100] quit

# Configure VLAN-interface 200 and assign it an IP address. The AC will use VLAN 200 for client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 112.13.1.25 16

[AC-Vlan-interface200] quit

# Configure GigabitEthernet 1/0/1 that connects the AC to the switch as a trunk port.

[AC] interface gigabitethernet1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

# Remove the trunk port from VLAN 1, and assign the port to VLANs 100 and 200.

[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

# Specify the PVID of the trunk port as VLAN 100.

[AC-GigabitEthernet1/0/1] port trunk pvid vlan 100

[AC-GigabitEthernet1/0/1] quit

2.     Configure DHCP:

# Enable DHCP on the AC.

[AC] dhcp enable

# Create DHCP address pool vlan100 to assign IP addresses for APs, and specify the IP address range for the DHCP address pool.

[AC] dhcp server ip-pool vlan100

[AC-dhcp-pool-vlan100] network 112.12.0.0 mask 255.255.0.0

# Specify gateway IP address 112.12.1.25 in the DHCP address pool.

[AC-dhcp-pool-vlan100] gateway-list 112.12.1.25

[AC-dhcp-pool-vlan100] quit

# Create DHCP address pool vlan200 to assign IP addresses for clients, and specify the IP address range for the DHCP address pool.

[AC] dhcp server ip-pool vlan200

[AC-dhcp-pool-vlan200] network 112.13.0.0 mask 255.255.0.0

# Specify gateway IP address 112.13.1.25 in the DHCP address pool.

[AC-dhcp-pool-vlan200] gateway-list 112.13.1.25

# Configure the DNS server according to the actual network plan. In this example, the gateway is specified as the DNS server.

[AC-dhcp-pool-vlan200] dns-list 112.13.1.25

[AC-dhcp-pool-vlan200] quit

3.     Configure WIPS:

# Enter WIPS view.

[AC] wips

# Create AP classification rule 1 and configure the rule to match APs that use SSID service.

[AC-wips] ap-classification rule 1

[AC-wips-cls-rule-1] ssid equal service

[AC-wips-cls-rule-1] quit

# Create AP classification rule 2 and configure the rule to match APs that do not use SSID service.

[AC-wips] ap-classification rule 2

[AC-wips-cls-rule-2] ssid not equal service

[AC-wips-cls-rule-2] quit

# Create classification policy class1.

[AC-wips] classification policy class1

# Bind AP classification rule 1 to classification policy class1, specify APs that match AP classification rule 1 as rogue APs, and set the severity level to 100.

[AC-wips-cls-class1] apply ap-classification rule 1 rogue-ap severity-level 100

# Bind AP classification rule 2 to classification policy class1, specify APs that match AP classification rule 2 as rogue APs, and set the severity level to 100.

[AC-wips-cls-class1] apply ap-classification rule 2 rogue-ap severity-level 100

# Add MAC addresses 000f-1111-0111 and 000f-1111-0112 to the permitted device list.

[AC-wips-cls-class1] trust mac-address 000f-1111-0111

[AC-wips-cls-class1] trust mac-address 000f-1111-0112

[AC-wips-cls-class1] quit

# Create virtual security domain (VSD) vsd1, and apply classification policy class1 to the VSD.

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-1] apply classification policy class1

[AC-wips-vsd-1] quit

# Create countermeasure policy 1 and enable WIPS to take countermeasures against rogue APs.

[AC-wips] countermeasure policy 1

[AC-wips-cms-1] countermeasure rogue-ap

[AC-wips-cms-1] quit

# Apply countermeasure policy 1 to VSD vsd1.

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] apply countermeasure policy 1

[AC-wips-vsd-vsd1] quit

[AC-wips] quit

4.     Configure the APs:

# Create service template service and set its SSID to service.

[AC] wlan service-template service

[AC-wlan-st-service] ssid service

# Assign clients that come online through service template service to VLAN 200.

[AC-wlan-st-service] vlan 200

# Enable service template service.

[AC-wlan-st-service] service-template enable

[AC-wlan-st-service] quit

# Create AP ap1 and specify its model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 210235A1GQC157001570

# Enable radio 1 of AP ap1 and bind service template service to radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] service-template service

[AC-wlan-ap-ap1-radio-1] quit

# Create AP ap2 and specify its model and serial ID.

[AC] wlan ap ap2 model WA4320i-ACN

[AC-wlan-ap-ap2] serial-id 210235A1GQC157001571

# Enable radio 1 of AP ap2 and bind service template service to radio 1.

[AC-wlan-ap-ap2] radio 1

[AC-wlan-ap-ap2-radio-1] radio enable

[AC-wlan-ap-ap2-radio-1] service-template service

[AC-wlan-ap-ap2-radio-1] quit

# Create AP sensor and specify its model and serial ID.

[AC] wlan ap sensor model WA4320i-ACN

[AC-wlan-ap-sensor] serial-id 210235A1GQC157001572

# Enable radio 1 of AP sensor, and enable WIPS for the radio.

[AC-wlan-ap-sensor] radio 1

[AC-wlan-ap-sensor-radio-1] radio enable

[AC-wlan-ap-sensor-radio-1] wips enable

[AC-wlan-ap-sensor-radio-1] quit

# Enable radio 2 of AP sensor, and enable WIPS for the radio.

[AC-wlan-ap-sensor] radio 2

[AC-wlan-ap-sensor-radio-2] radio enable

[AC-wlan-ap-sensor-radio-2] wips enable

[AC-wlan-ap-sensor-radio-2] quit

# Add AP sensor to VSD vsd1.

[AC-wlan-ap-sensor] wips virtual-security-domain vsd1

[AC-wlan-ap-sensor] return

Configuring the switch

# Create VLANs 100 and 200. The switch will use VLAN 100 to forward the traffic on CAPWAP tunnels between the AC and APs, and use VLAN 200 to forward client traffic.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

[Switch] vlan 200

[Switch-vlan200] quit

# Configure GigabitEthernet 1/0/1 that connects the switch to the AC as a trunk port.

[Switch] interface gigabitethernet1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

# Remove the trunk port from VLAN 1, and assign the port to VLAN 100 and VLAN 200.

[Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

# Specify the PVID of the trunk port as VLAN 100.

[Switch-GigabitEthernet1/0/1] port trunk pvid vlan 100

[Switch-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 that connects the switch to AP sensor as an access port, and assign the port to VLAN 100.

[Switch] interface gigabitethernet1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE on the access port.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/3 that connects the switch to AP ap1 as an access port, and assign the port to VLAN 100.

[Switch] interface gigabitethernet1/0/3

[Switch-GigabitEthernet1/0/3] port link-type access

[Switch-GigabitEthernet1/0/3] port access vlan 100

# Enable PoE on the access port.

[Switch-GigabitEthernet1/0/3] poe enable

[Switch-GigabitEthernet1/0/3] quit

# Configure GigabitEthernet 1/0/4 that connects the switch to AP ap2 as an access port, and assign the port to VLAN 100.

[Switch] interface gigabitethernet1/0/4

[Switch-GigabitEthernet1/0/4] port link-type access

[Switch-GigabitEthernet1/0/4] port access vlan 100

# Enable PoE on the access port.

[Switch-GigabitEthernet1/0/4] poe enable

[Switch-GigabitEthernet1/0/4] quit

Verifying the configuration

1.     Verify that WIPS has classified the AP that uses all SSIDs as a rogue AP and the service APs as authorized APs.

<AC> display wips virtual-security-domain vsd1 device

Total 3 detected devices in virtual-security-domain vsd1

 

Class: Auth - authorization; Ext - external; Mis - mistake;

Unauth - unauthorized; Uncate - uncategorized;

(A) - associate; (C) - config; (P) - potential

 

MAC address    Type   Class    Duration    Sensors Channel Status

000f-1111-0111 AP   Auth   00h 05m 26s 1       161     Active

000f-1111-0112 AP   Auth   00h 05m 26s 1       161     Active

000f-e200-1202 AP   Rogue  00h 05m 26s 1       161     Active

000f-e200-1222 AP   Rogue  00h 05m 26s 1       161     Active

2.     Verify that WIPS has taken countermeasures against the rogue AP.

<AC> display wips virtual-security-domain vsd1 countermeasure record

Total 2 times countermeasure, current 2 countermeasure record in virtual-security-domain vsd1

 

Reason: Attack; Ass - associated; Black - blacklist;

        Class - classification; Manu - manual;

 

MAC address    Type   Reason   Countermeasure AP      Radio ID  Time

000f-e200-1202 AP      Class    sensor                    1          2019-09-20/07:20:38

000f-e200-1222 AP      Class    sensor                    1          2019-09-20/07:20:38

Configuration files

·     AC:

#

dhcp enable

#

vlan 100

#

vlan 200

#

dhcp server ip-pool vlan100

 gateway-list 112.12.1.25

 network 112.12.0.0 mask 255.255.0.0

#

dhcp server ip-pool vlan200

 gateway-list 112.13.1.25

 network 112.13.0.0 mask 255.255.0.0

 dns-list 112.13.1.25

#

wlan service-template service

 ssid service

 vlan 200

 service-template enable

#

interface Vlan-interface100

 ip address 112.12.1.25 255.255.0.0

#

interface Vlan-interface200

 ip address 112.13.1.25 255.255.0.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 100 200

 port trunk pvid vlan 100

#

wlan ap ap1 model WA4320i-ACN

 serial-id 210235A1GQC157001570

 radio 1

  radio enable

  service-template service

#

wlan ap ap2 model WA4320i-ACN

 serial-id 210235A1GQC157001571

 radio 1

  radio enable

  service-template service

#

wlan ap sensor model WA4320i-ACN

 serial-id 210235A1GQC157001572

 wips virtual-security-domain vsd1

 radio 1

  radio enable

  wips enable

#

wips

 #

 ap-classification rule 1

  ssid equal service

#

 ap-classification rule 2

  ssid not equal service

 #

 classification policy class1

  apply ap-classification rule 1 rogue-ap severity-level 100

  apply ap-classification rule 2 rogue-ap severity-level 100

  trust mac-address 000f-1111-0111

  trust mac-address 000f-1111-0112

 

 #

 countermeasure policy 1

  countermeasure rogue-ap

 #

 virtual-security-domain vsd1

  apply classification policy class1

  apply countermeasure policy 1

#

·     Switch:

#

vlan 100

#

vlan 200

#

interface GigabitEthernet1/0/1

 port link-type trunk

undo port trunk permit vlan 1

 port trunk permit vlan 100 200

 port trunk pvid vlan 100

#

interface GigabitEthernet1/0/2

 port access vlan 100

poe enable

#

interface GigabitEthernet1/0/3

 port access vlan 100

poe enable

#

interface GigabitEthernet1/0/4

 port access vlan 100

poe enable

#

Related documentation

·     WLAN Security Command Reference in H3C Access Controllers Command References

·     WLAN Security Configuration Guide in H3C Access Controllers Configuration Guides