WLAN roaming center commands
address-security cache
Use address-security cache to set the aging timer for address security entries.
Use undo address-security cache to restore the default.
Syntax
address-security cache { ipv4-aging-time aging-time | ipv6-aging-time aging-time }
undo address-security cache { ipv4-aging-time | ipv6-aging-time }
Default
The aging timer is 14400 seconds for IPv4 entries and 604800 seconds for IPv6 entries.
Views
WLAN roaming center view
Predefined user roles
network-admin
Parameters
ipv4-aging-time: Specifies IPv4 address security entries.
ipv6-aging-time: Specifies IPv6 address security entries.
aging-time: Specifies the aging timer. The value range is 600 to 86400 seconds for IPv4 entries and 600 to 1296000 seconds for IPv6 entries.
Usage guidelines
Client roaming centers generate address security entries at client associations to record client MAC address, IP address, and username information, and synchronize the entries to the WLAN roaming center. When the aging timer of an entry expires, the client roaming center deletes the entry.
As a best practice, set an aging time no longer than the lease of the IP addresses that the DHCP server assigns to clients.
Examples
# Set the aging timer of IPv4 address security entries to 600 seconds.
<Sysname> system-view
[Sysname] wlan roaming-center
[Sysname-wlan-roaming-center] address-security cache ipv4-aging-time 600
Related commands
address-security enable
address-security enable
Use address-security enable to enable address security.
Use undo address-security enable to disable address security.
Syntax
address-security enable
undo address-security enable
Default
Address security is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This feature enables the WLAN roaming center to check clients coming online from the specified service template for MAC address or IP address spoofing attacks. If a MAC or IP address spoofing attack is detected, the AC adds the attacker to the blacklist, and logs off both the attacker and the client whose address is spoofed.
For WLAN address security to take effect, configure 802.1X authentication.
WLAN address security takes effect only on clients that come online afterwards.
Examples
# Enable address security on service template 1.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] address-security enable
client ip-cache aging-time
Use client ip-cache aging-time to set the aging timer for client IP address cache entries.
Use undo client ip-cache aging-time to restore the default.
Syntax
client ip-cache aging-time aging-time
undo client ip-cache aging-time
Default
The aging timer is 1800 seconds for client IP address cache entries.
Views
WLAN roaming center view
Predefined user roles
network-admin
Parameters
aging-time: Specifies the aging timer for client IP address cache entries, in the range of 600 to 86400 seconds.
Usage guidelines
With IP address recovery enabled for reassociated clients, the WLAN roaming center maintains IP and MAC binding entries for clients that leave an AP. When the aging timer of such a cache entry expires, the WLAN roaming center deletes the entry.
Examples
# Set the aging timer for client IP address cache entries to 600 seconds.
<Sysname> system-view
[Sysname] wlan roaming-center
[Sysname-wlan-roaming-center] client ip-cache aging-time 600
Related commands
client ip-snooping ip-recover enable (User Access and Authentication Command Reference)
control-access
Use control-access to specify a portal roaming center or client roaming center permitted by the WLAN roaming center.
Use undo control-access to restore the default.
Syntax
control-access { bas-ip ipv4-address | bas-ipv6 ipv6-address }
undo control-access { bas-ip ipv4-address | bas-ipv6 ipv6-address }
Default
No permitted portal roaming center or client roaming center is specified.
Views
WLAN roaming center view
Predefined user roles
network-admin
Parameters
bas-ip ipv4-address: Specifies the IPv4 address of a portal roaming center or client roaming center.
bas-ipv6 ipv6-address: Specifies the IPv6 address of a portal roaming center or client roaming center.
Usage guidelines
This feature enables the WLAN roaming center to process packets from only the permitted portal or client roaming centers, enhancing network security. If no permitted portal roaming centers are specified, the WLAN roaming center processes packets from all portal roaming centers.
In inter-AC roaming of portal users, you can execute this command multiple times to specify multiple portal or client roaming centers. You can specify both IPv4 addresses and IPv6 addresses of portal or client roaming centers.
Examples
# Specify the AC with an IP address of 111.8.33.72 as a portal or client roaming center permitted by the WLAN roaming center.
<Sysname> system-view
[Sysname] wlan roaming-center
[Sysname-wlan-roaming-center] control-access bas-ip 111.8.33.72
display wlan roaming-center history user
Use display wlan roaming-center history user to display offline client history on the WLAN roaming center.
Syntax
display wlan roaming-center history user { all | ip ipv4-address | ipv6 ipv6-address | mac mac-address }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Specifies all offline clients.
ip ipv4-address: Specifies an offline client by its IPv4 address.
ipv6 ipv6-address: Specifies an offline client by its IPv6 address.
mac mac-address: Specifies an offline client by its MAC address.
Examples
# Display the history of all offline clients on the WLAN roaming center.
<Sysname> display wlan roaming-center history user all
MAC address: 000d-88f8-0eac
IP address: 192.168.0.123
Online BAS IP: 192.168.0.100
Online time: 12:01:12 01/02 2018
Offline time: 12:26:12 01/02 2018
Roaming information:
Roaming count: 3
BAS-IP Roam-in time
192.168.0.10 12:20:12 01/02 2018 UTC
192.168.0.11 12:18:12 01/02 2018 UTC
192.168.0.12 12:16:12 01/02 2018 UTC
MAC address: 000d-88f8-0ead
IP address: 192.168.0.123
Online BAS IP: 192.168.0.100
Online time: 12:01:12 01/02 2018
Offline time: 12:26:12 01/02 2018
Roaming information:
Roaming count: 3
BAS-IP Roam-in time
192.168.0.10 12:20:12 01/02 2018 UTC
192.168.0.11 12:18:12 01/02 2018 UTC
192.168.0.12 12:16:12 01/02 2018 UTC
Table 1 Command output
Field | Description |
---|---|
MAC address | Client MAC address. |
IP address | Client IPv4 or IPv6 address. |
Online BAS IP | IP address of the AC from which the client first came online. |
Online time | Time at which the client came online. |
Offline time | Time at which the client went offline. |
Roaming information | Client roaming entries. This field can display a maximum of ten entries, with the most recent one coming first in the output. |
Roaming count | Number of roamings performed by the client. |
BAS-IP | IP address of the portal roaming center. |
Roam-in time | Time at which the client roamed to the portal roaming center. |
Related commands
reset wlan roaming-center history user
wlan roaming-center enable
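The history output above can be reviewed offline for the condition address security looks for. The following is an added example, not part of the vendor documentation: it parses the text of display wlan roaming-center history user all and lists IP addresses that were recorded for different MAC addresses during overlapping online periods. The function names and the month/day reading of the date are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two records in the page's example output differ only in the MAC address.
RECORD = """\
MAC address: {mac}
IP address: 192.168.0.123
Online BAS IP: 192.168.0.100
Online time: 12:01:12 01/02 2018
Offline time: 12:26:12 01/02 2018
Roaming information:
Roaming count: 3
BAS-IP Roam-in time
192.168.0.10 12:20:12 01/02 2018 UTC
192.168.0.11 12:18:12 01/02 2018 UTC
192.168.0.12 12:16:12 01/02 2018 UTC
"""
SAMPLE = RECORD.format(mac="000d-88f8-0eac") + RECORD.format(mac="000d-88f8-0ead")

def parse_time(text):
    # Assumption: the date is month/day; the page does not say which order.
    stamp = text.replace("UTC", "").strip()
    return datetime.strptime(stamp, "%H:%M:%S %m/%d %Y")

def parse_history(text):
    """Return one dict per client: the labelled fields plus a 'roams' list."""
    records, in_roams = [], False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("MAC address:"):
            records.append({"roams": []})
            in_roams = False
        if not records:
            continue  # prompt or banner before the first record
        if re.match(r"BAS-IP\s+Roam-in time", line):
            in_roams = True
        elif in_roams:
            bas_ip, when = line.split(None, 1)
            records[-1]["roams"].append((bas_ip, parse_time(when)))
        else:
            key, _, value = line.partition(":")
            records[-1][key.strip()] = value.strip()
    return records

def overlapping_ip_use(records):
    """Return {ip: [macs]} for IPs held by different MACs at the same time."""
    by_ip = defaultdict(list)
    for r in records:
        start, end = parse_time(r["Online time"]), parse_time(r["Offline time"])
        by_ip[r["IP address"]].append((start, end, r["MAC address"]))
    hits = {}
    for ip, sessions in by_ip.items():
        macs = {a[2] for a in sessions for b in sessions
                if a[2] != b[2] and a[0] <= b[1] and b[0] <= a[1]}
        if macs:
            hits[ip] = sorted(macs)
    return hits

if __name__ == "__main__":
    for ip, macs in overlapping_ip_use(parse_history(SAMPLE)).items():
        print(ip, "recorded for", ", ".join(macs))
```
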
display wlan roaming-center statistics packet
Use display wlan roaming-center statistics packet to display packet statistics on the WLAN roaming center.
Syntax
display wlan roaming-center statistics packet [ bas-ip ipv4-address | bas-ipv6 ipv6-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
bas-ip ipv4-address: Specifies a portal roaming center by its IPv4 address.
bas-ipv6 ipv6-address: Specifies a portal roaming center by its IPv6 address.
Usage guidelines
If you do not specify the bas-ip ipv4-address or bas-ipv6 ipv6-address option, the command displays packet statistics about all portal roaming centers.
Examples
# Display packet statistics about the portal roaming center with an IP address of 192.168.0.100.
<Sysname> display wlan roaming-center statistics packet bas-ip 192.168.0.100
BAS-IP: 192.168.0.100
Total sent packets: 100
Total received packets: 101
Total invalid packets: 0
Pkt-Type Success Error Timeout
RC_REQ_INFO 1 1 0
RC_ACK_INFO 1 2 0
RC_REQ_ONLINE 1 2 0
RC_ACK_ONLINE 1 1 1
RC_REQ_OFFLINE 1 1 0
RC_ACK_OFFLINE 1 1 1
RC_REQ_DHCPINFO 1 1 1
RC_ACK_DHCPINFO 1 1 1
RC_REQ_NTY_OFFLINE 1 1 0
RC_ACK_NTY_OFFLINE 1 1 1
Table 2 Command output
Field | Description |
---|---|
BAS-IP | IP address of the portal roaming center. |
Pkt-Type | Type of the packet: · RC_REQ_INFO—User query request that the portal roaming center sends to the WLAN roaming center. · RC_ACK_INFO—User query response that the WLAN roaming center sends to the portal roaming center. · RC_REQ_ONLINE—User online request that the portal roaming center sends to the WLAN roaming center. · RC_ACK_ONLINE—User online response that the WLAN roaming center sends to the portal roaming center. · RC_REQ_OFFLINE—User offline request that the portal roaming center sends to the WLAN roaming center. · RC_ACK_OFFLINE—User offline response that the WLAN roaming center sends to the portal roaming center. · RC_REQ_DHCPINFO—User DHCP information request that the portal roaming center sends to the WLAN roaming center. · RC_ACK_DHCPINFO—User DHCP information response that the WLAN roaming center sends to the portal roaming center. · RC_REQ_NTY_OFFLINE—User offline notification request that the WLAN roaming center sends to the portal roaming center. · RC_ACK_NTY_OFFLINE—User offline notification response that the portal roaming center sends to the WLAN roaming center. |
Success | Number of packets that have been transmitted successfully. |
Error | Number of packets that failed to be transmitted. |
Timeout | Number of packet transmission timeouts. |
display wlan roaming-center user
Use display wlan roaming-center user to display client information on the WLAN roaming center.
Syntax
display wlan roaming-center user { all | bas-ip ipv4-address | bas-ipv6 ipv6-address | ip ipv4-address | ipv6 ipv6-address | mac mac-address } [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Specifies all clients.
bas-ip ipv4-address: Specifies a portal roaming center by its IPv4 address.
bas-ipv6 ipv6-address: Specifies a portal roaming center by its IPv6 address.
ip ipv4-address: Specifies a client by its IPv4 address.
ipv6 ipv6-address: Specifies a client by its IPv6 address.
mac mac-address: Specifies a client by its MAC address.
verbose: Displays detailed client information. If you do not specify this keyword, the command displays brief client information.
Examples
# Display brief client information on the WLAN roaming center.
<Sysname> display wlan roaming-center user all
Total user: 5
MAC address IP address
000d-88f8-0eac 122.122.111.100
000d-88f8-0eaa 122.122.111.101
000d-88f8-0eab 122.122.111.102
000d-88f8-0eae 10::4
000d-88f8-0eaf 1002:1002:1002:1002:1002:
1002:1002:1002
# Display brief information about the client with an IP address of 122.122.111.100 on the WLAN roaming center.
<Sysname> display wlan roaming-center user ip 122.122.111.100
MAC address IP address
000d-88f8-0eac 122.122.111.100
# Display brief information about the client with an IPv6 address of 10::4 on the WLAN roaming center.
<Sysname> display wlan roaming-center user ipv6 10::4
MAC address IP address
000d-88f8-0eae 10::4
# Display brief information about the client with a MAC address of 000d-88f8-0eac on the WLAN roaming center.
<Sysname> display wlan roaming-center user mac 000d-88f8-0eac
MAC address IP address
000d-88f8-0eac 122.122.111.100
# Display detailed information about the client with a MAC address of 000d-88f8-0eac on the WLAN roaming center.
<Sysname> display wlan roaming-center user mac 000d-88f8-0eac verbose
MAC address: 000d-88f8-0eac
IP address: 2::1:21
Username: 1
Authorization information:
User profile: abc
ACL number/name: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Session timeout period: N/A
Idle cut traffic threshold: N/A
Roaming information:
Online BAS IP: 192.168.0.100
Online time: 12:01:12 01/02 2018 UTC
Roaming count: 3
BAS-IP Roam-in time
192.168.0.10 12:20:12 01/02 2018 UTC
192.168.0.11 12:18:12 01/02 2018 UTC
192.168.0.12 12:16:12 01/02 2018 UTC
Table 3 Command output
Field | Description |
---|---|
MAC address | Client MAC address. |
IP address | Client IP address. |
User profile | Authorized user profile. This field displays N/A if no user profile is authorized to the client. |
ACL number/name | Number or name of the authorized ACL. This field displays N/A if no ACL is authorized to the client. |
Inbound CAR | Authorized inbound CAR information: · CIR—Committed information rate in bps. · PIR—Peak information rate in bps. · CBS—Committed burst size in bits. If no inbound CAR is authorized, this field displays N/A. |
Outbound CAR | Authorized outbound CAR information: · CIR—Committed information rate in bps. · PIR—Peak information rate in bps. · CBS—Committed burst size in bits. If no outbound CAR is authorized, this field displays N/A. |
Session timeout period | Session timeout in seconds. This field displays N/A if no session timeout is authorized. |
Idle cut traffic threshold | Session idle timeout in seconds and minimum traffic threshold in bytes. This field displays only the session idle timeout if the minimum traffic threshold failed to be obtained from the user online request. |
Online BAS IP | IP address of the AC from which the client first came online. |
Online time | Time at which the client first came online. |
Roaming count | Number of roamings performed by the client. |
port
Use port to specify the port used by the WLAN roaming center to communicate with portal roaming centers and client roaming centers.
Use undo port to restore the default.
Syntax
port port-number
undo port
Default
The WLAN roaming center uses port 1088 to communicate with portal roaming centers and client roaming centers.
Views
WLAN roaming center view
Predefined user roles
network-admin
Parameters
port-number: Specifies a port number in the range of 1 to 65534. Make sure the specified port is not in use and is not a well-known port number.
Usage guidelines
Make sure the port specified for the WLAN roaming center is the same as the port specified for portal roaming centers and client roaming centers.
Changing the port number when portal clients are online might cause information synchronization failure between the WLAN roaming center and portal roaming centers. Portal clients might fail to roam and must be reauthenticated.
As a best practice, to avoid residual data, disable the WLAN roaming center before you change the port number.
Examples
# Configure the WLAN roaming center to use port 60015 to communicate with portal roaming centers and client roaming centers.
<Sysname> system-view
[Sysname] wlan roaming-center
[Sysname-wlan-roaming-center] port 60015
Related commands
roaming-center enable
reset wlan roaming-center history user
Use reset wlan roaming-center history user to clear client history information on the WLAN roaming center.
Syntax
reset wlan roaming-center history user { all | ip ipv4-address | ipv6 ipv6-address | mac mac-address }
Views
User view
Predefined user roles
network-admin
Parameters
all: Specifies all clients.
ip ipv4-address: Specifies a client by its IPv4 address.
ipv6 ipv6-address: Specifies a client by its IPv6 address.
mac mac-address: Specifies a client by its MAC address.
Examples
# Clear history information about all clients on the WLAN roaming center.
<Sysname> reset wlan roaming-center history user all
Related commands
display wlan roaming-center history user
reset wlan roaming-center statistics packet
Use reset wlan roaming-center statistics packet to clear packet statistics on the WLAN roaming center.
Syntax
reset wlan roaming-center statistics packet [ bas-ip ipv4-address | bas-ipv6 ipv6-address ]
Views
User view
Predefined user roles
network-admin
Parameters
bas-ip ipv4-address: Specifies a portal roaming center by its IPv4 address.
bas-ipv6 ipv6-address: Specifies a portal roaming center by its IPv6 address.
Usage guidelines
If you do not specify the bas-ip ipv4-address or the bas-ipv6 ipv6-address option, the command clears all packet statistics on the WLAN roaming center.
Examples
# Clear all packet statistics on the WLAN roaming center.
<Sysname> reset wlan roaming-center statistics packet
reset wlan roaming-center user
Use reset wlan roaming-center user to clear client information on the WLAN roaming center.
Syntax
reset wlan roaming-center user { all | bas-ip ipv4-address | bas-ipv6 ipv6-address | ip ipv4-address | ipv6 ipv6-address | mac mac-address }
Views
User view
Predefined user roles
network-admin
Parameters
all: Specifies all clients.
bas-ip ipv4-address: Specifies a portal roaming center by its IPv4 address.
bas-ipv6 ipv6-address: Specifies a portal roaming center by its IPv6 address.
ip ipv4-address: Specifies a client by its IPv4 address.
ipv6 ipv6-address: Specifies a client by its IPv6 address.
mac mac-address: Specifies a client by its MAC address.
Examples
# Clear information about all clients on the WLAN roaming center.
<Sysname> reset wlan roaming-center user all
Related commands
display wlan roaming-center user
response-timeout
Use response-timeout to set the response timeout timer for packets to portal or client roaming centers.
Use undo response-timeout to restore the default.
Syntax
response-timeout timeout
undo response-timeout
Default
The response timeout timer is 3 seconds.
Views
WLAN roaming center view
Predefined user roles
network-admin
Parameters
timeout: Specifies the timeout timer in the range of 1 to 10 seconds.
Usage guidelines
In inter-AC roaming, when a portal user goes offline, it informs the associated portal roaming center, which then informs the WLAN roaming center. Then, the WLAN roaming center informs the other portal roaming centers. If the WLAN roaming center fails to receive a response from a portal roaming center before the response timeout timer expires, it retransmits the packet. If it fails to receive any response from a portal roaming center after the last retransmission attempt, it deletes the timeout timer.
In a WLAN configured with WLAN address security, the WLAN roaming center sends requests to client roaming centers to query the aging time of MAC address and IP address entries. If it fails to receive a response before the response timeout timer expires, it deletes the specific MAC address and IP address entry.
Examples
# Set the response timeout timer to 2 seconds for packets to portal or client roaming centers.
<Sysname> system-view
[Sysname] wlan roaming-center
[Sysname-wlan-roaming-center] response-timeout 2
retry
Use retry to set the maximum transmission attempts for user offline notification requests.
Use undo retry to restore the default.
Syntax
retry retries
undo retry
Default
The maximum number of transmission attempts for user offline notification requests is 5.
Views
WLAN roaming center view
Predefined user roles
network-admin
Parameters
retries: Specifies the maximum number of packet transmission attempts in the range of 1 to 10.
Usage guidelines
After sending a user offline notification request to an AC, the WLAN roaming center resends the request if it fails to receive a response before the wait timer expires. If it fails to receive any response after the maximum transmission attempt limit is reached, the WLAN roaming center deletes the timeout timer and removes the AC from the access device list of the client.
Examples
# Set the maximum transmission attempts for user offline notification requests to 4.
<Sysname> system-view
[Sysname] wlan roaming-center
[Sysname-wlan-roaming-center] retry 4
Related commands
response-timeout
roaming-center enable
Use roaming-center enable to enable the WLAN roaming center.
Use undo roaming-center enable to disable the WLAN roaming center.
Syntax
roaming-center enable
undo roaming-center enable
Default
The WLAN roaming center feature is disabled.
Views
WLAN roaming center view
Predefined user roles
network-admin
Usage guidelines
For portal users to roam between ACs, you must enable portal roaming center on both ACs.
You can enable the WLAN roaming center on only one AC in a network.
Disabling the WLAN roaming center feature deletes all portal client information.
To use WLAN address security, you must enable the WLAN roaming center.
Examples
# Enable the WLAN roaming center.
<Sysname> system-view
[Sysname] wlan roaming-center
[Sysname-wlan-roaming-center] roaming-center enable
spoofing-attack blacklist
Use spoofing-attack blacklist to add a client to the spoofing attack blacklist by username.
Use undo spoofing-attack blacklist to delete a client from the spoofing attack blacklist.
Syntax
spoofing-attack blacklist username username
undo spoofing-attack blacklist username username
Default
No clients exist in the spoofing attack blacklist.
Views
Address security view
Predefined user roles
network-admin
Parameters
username username: Specifies the username of a user, a case-sensitive string of 1 to 55 characters. The name cannot be a, al, or all, and cannot contain domain names or the following special characters: \ | / : * ? < > @
Usage guidelines
With address security configured, the WLAN roaming center logs off both the detected MAC or IP address spoofing attackers and the spoofed clients, and adds the attackers to the blacklist. This prevents attackers from coming online again.
You can add a maximum of 5000 clients to the spoofing attack blacklist.
The spoofing attack blacklist takes effect only on the WLAN roaming center.
Examples
# Add the client with username user1 to the spoofing attack blacklist.
<Sysname> system-view
[Sysname] wlan address-security
[Sysname-wlan-address-security] spoofing-attack blacklist username user1
Related commands
address-security enable
wlan address-security
Use wlan address-security to create the address security view and enter the view.
Use undo wlan address-security to delete the address security view.
Syntax
wlan address-security
undo wlan address-security
Default
The address security view does not exist.
Views
Address security view
Predefined user roles
network-admin
Examples
# Enter address security view.
<Sysname> system-view
[Sysname] wlan address-security
[Sysname-wlan-address-security]
wlan roaming-center
Use wlan roaming-center to create a WLAN roaming center and enter its view, or enter the view of an existing WLAN roaming center.
Use undo wlan roaming-center to delete the WLAN roaming center.
Syntax
wlan roaming-center
undo wlan roaming-center
Default
No WLAN roaming center exists.
Views
System view
Predefined user roles
network-admin
Usage guidelines
In inter-AC roaming of portal users, the WLAN roaming center stores and updates client information and provides query services for the information. Deleting the WLAN roaming center deletes all client roaming information.
In address security application, the WLAN roaming center checks online clients for MAC address and IP address spoofing and prevents attackers from coming online to enhance network security.
Examples
# Create a WLAN roaming center and enter its view.
<Sysname> system-view
[Sysname] wlan roaming-center
[Sysname-wlan-roaming-center]
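The value ranges, defaults and usage guidelines given for the WLAN roaming center view commands on this page can be checked before a change is applied. The following is an added example, not part of the vendor documentation: it audits a list of commands written in the syntax shown above. The function names, the dhcp_lease argument (lease in seconds per address family, supplied by the operator) and the sample input are assumptions.

```python
import ipaddress

# Value ranges and aging defaults as stated on this page.
RANGES = {
    "ipv4-aging-time": (600, 86400),
    "ipv6-aging-time": (600, 1296000),
    "response-timeout": (1, 10),
    "retry": (1, 10),
    "port": (1, 65534),
}
DEFAULT_AGING = {"ipv4-aging-time": 14400, "ipv6-aging-time": 604800}

def check_range(name, raw, findings):
    value, (low, high) = int(raw), RANGES[name]
    if not low <= value <= high:
        findings.append(f"{name} {value} outside {low}-{high}")
    return value

def audit(commands, dhcp_lease):
    """Return findings for WLAN roaming center view commands."""
    findings, aging, peers, enabled = [], dict(DEFAULT_AGING), [], False
    for cmd in (c.split() for c in commands if c.strip()):
        if cmd[:2] == ["address-security", "cache"]:
            aging[cmd[2]] = check_range(cmd[2], cmd[3], findings)
        elif cmd[0] == "control-access":
            try:
                peers.append(ipaddress.ip_address(cmd[2]))
            except ValueError:
                findings.append(f"control-access: bad address {cmd[2]}")
        elif cmd[0] in ("port", "response-timeout", "retry"):
            value = check_range(cmd[0], cmd[1], findings)
            if cmd[0] == "port" and value < 1024:
                findings.append(f"port {value} is a well-known port")
        elif cmd == ["roaming-center", "enable"]:
            enabled = True
    # Best practice from the page: aging time no longer than the DHCP lease.
    for key, family in (("ipv4-aging-time", "ipv4"), ("ipv6-aging-time", "ipv6")):
        lease = dhcp_lease.get(family)
        if lease is not None and aging[key] > lease:
            findings.append(f"{key} {aging[key]} exceeds DHCP lease {lease}")
    if not peers:
        findings.append("no control-access entry: packets from all "
                        "portal roaming centers are processed")
    if not enabled:
        findings.append("roaming-center enable is missing")
    return findings

# Constructed sample: commands as typed in WLAN roaming center view.
SAMPLE = [
    "address-security cache ipv4-aging-time 14400",
    "port 888",
    "response-timeout 2",
    "retry 4",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"ipv4": 3600}):
        print("FINDING:", finding)
```
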