WLAN security commands
akm mode
Use akm mode to set an authentication and key management (AKM) mode.
Use undo akm mode to restore the default.
Syntax
akm mode { dot1x | private-psk | psk | anonymous-dot1x }
undo akm mode
Default
No AKM mode is set.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
dot1x: Specifies 802.1X as the AKM mode.
private-psk: Specifies private PSK as the AKM mode.
psk: Specifies PSK as the AKM mode.
anonymous-dot1x: Specifies WiFi alliance anonymous 802.1X as the AKM mode.
Usage guidelines
You must set the AKM mode for 802.11i (RSNA) networks.
Each WLAN service template supports only one AKM mode. Set the AKM mode only when the WLAN service template is disabled.
Set the WiFi alliance anonymous 802.1X AKM mode if the OSEN IE is used.
Each of the following AKM modes must be used with a specific authentication mode:
· 802.1X AKM—802.1X authentication mode.
· Private PSK AKM—MAC authentication mode.
· PSK AKM—MAC or bypass authentication mode.
· WiFi alliance anonymous 802.1X AKM—802.1X authentication mode.
For more information about the authentication mode, see User Access and Authentication Configuration Guide.
Examples
# Set the PSK AKM mode.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] akm mode psk
Related commands
cipher-suite
security-ie
akm sae pwe
Use akm sae pwe to specify the PWE deriving method for the WPA3-SAE interaction process.
Use undo akm sae pwe to restore the default.
Syntax
akm sae pwe { both-h2e-hnp | h2e | hnp }
undo akm sae pwe
Default
The system supports using the H2E or HnP method to derive PWEs.
Views
Service template view
Predefined user roles
network-admin
Parameters
both-h2e-hnp: Specifies support of both the H2E and HnP methods.
h2e: Specifies the H2E method.
hnp: Specifies the HnP method.
Usage guidelines
Hash-to-Element (H2E) is a newer method for generating PWEs in the SAE exchange of WPA3. It offers higher security than the traditional Hunting-and-Pecking (HnP) method.
The PWE deriving method actually used is chosen by the client. If only one PWE deriving method is configured, clients that do not support that method cannot connect to the wireless network. As a best practice to improve compatibility with clients, specify the both-h2e-hnp method.
Examples
# Configure the system to use the H2E method to derive PWEs.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] akm sae pwe h2e
Related commands
wpa3
cipher-suite
Use cipher-suite to specify the cipher suite used for frame encryption.
Use undo cipher-suite to remove the cipher suite configuration.
Syntax
cipher-suite { ccmp | gcmp | tkip | wep40 | wep104 | wep128 }
undo cipher-suite { ccmp | gcmp | tkip | wep40 | wep104 | wep128 }
Default
No cipher suite is specified.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
ccmp: Specifies the AES-CCMP cipher suite.
gcmp: Specifies the AES-GCMP cipher suite.
tkip: Specifies the TKIP cipher suite.
wep40: Specifies the WEP40 cipher suite.
wep104: Specifies the WEP104 cipher suite.
wep128: Specifies the WEP128 cipher suite.
Usage guidelines
You must set the cipher suite for 802.11i networks. Set a cipher suite only when the WLAN service template is disabled.
Set the TKIP, GCMP, or CCMP cipher suite when you configure the RSN IE or WPA IE.
The WEP cipher suite includes three types, WEP40, WEP128, and WEP104. Each WLAN service template supports only one type of WEP cipher suite. After you set a type of WEP cipher suite, you must create and apply a key of the same type.
As a best practice to avoid client association failures, do not set WEP40 or WEP104 together with CCMP, GCMP, or TKIP.
When WEP128 is configured, you cannot set the CCMP, GCMP, or TKIP cipher suite.
Examples
# Set the TKIP cipher suite for frame encryption.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] cipher-suite tkip
Related commands
security-ie
wep key
wep key-id
display wlan private-psk cloud-password
Use display wlan private-psk cloud-password to display private pre-shared key (PPSK) password information.
Syntax
display wlan private-psk cloud-password [ password-id ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
password-id: Specifies a password ID. If you do not specify this argument, the command displays information about all PPSK passwords.
verbose: Displays detailed information. If you do not specify this keyword, the command displays brief information about PPSK passwords.
Examples
# Display brief information about all PPSK passwords.
<Sysname> display wlan private-psk cloud-password
Total number: 2
PWD ID Username Max clients Used Update time Aging time(Min)
1111 zhangsan@3521buyd.. 2 1 2018/11/26 10:52 10080
1112 lisi 2 1 2018/11/26 10:59 10080
Table 1 Command output
Field | Description |
---|---|
Total number | Total number of PPSK passwords. |
PWD ID | Password ID. |
Max clients | Maximum number of clients that can use this password. |
Used | Number of clients that have used this password for authentication. |
Update time | UTC time at which the password information was updated. |
Aging time(Min) | Password aging time in minutes. A value of 0 indicates that the password never expires. |
# Display detailed information about a specific password.
<Sysname> display wlan private-psk cloud-password 1111 verbose
Site ID : 23
Password ID : 1111
Update time : 2018/11/26 10:52
Expiration time : 2018/12/03 10:52
Aging time(min) : 10080
Username : zhangsan@3521buydfgsygf
Max clients : 2
Used : 1
CAR:
Average inbound : 102400 bps
Average outbound : 102400 bps
Password : jfkeiksdfdnfksnfekdssdfelsmdfei4f5ds4
Table 2 Command output
Field | Description |
---|---|
Update time | UTC time at which the password information was updated. |
Expiration time | UTC time at which the password will expire. |
Aging time (min) | Password aging time in minutes. A value of 0 indicates that the password never expires. |
Max clients | Maximum number of clients that can use this password. |
Used | Number of clients that have used this password for authentication. |
CAR | CAR of clients that come online by using this password. |
Average inbound | Average downlink rate in bps. |
Average outbound | Average uplink rate in bps. |
display wlan private-psk cloud-password mac-binding
Use display wlan private-psk cloud-password mac-binding to display MAC-password bindings.
Syntax
display wlan private-psk cloud-password mac-binding [ password-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
password-id: Specifies a password ID. If you do not specify this argument, the command displays all MAC-password bindings.
Examples
# Display all MAC-password bindings.
<Sysname> display wlan private-psk cloud-password mac-binding
Total: 2
PWD ID MAC address Binding time Expiration time
1111 D34A-A35C-28A3(+) 2018/11/26 11:22 2018/12/03 11:00
2222 A54E-368D-A433(*) 2018/11/26 11:30 2018/12/02 11:00
# Display the MAC-password binding of a specific password.
<Sysname> display wlan private-psk cloud-password mac-binding 1111
Total Number: 1
PWD ID MAC address Binding time Expiration time
1111 D34A-A35C-28A3(+) 2018/11/26 11:22 2018/12/03 11:00
Table 3 Command output
Field | Description |
---|---|
Total | Total number of bound MAC addresses. |
PWD ID | Password ID. |
MAC address | Bound MAC address. An asterisk (*) indicates a MAC address bound at password creation. A plus sign (+) indicates a MAC address bound at client association. |
Binding time | UTC time at which the MAC address was bound to the password. |
Expiration time | UTC time at which the binding will expire. |
enhanced-open enable
Use enhanced-open enable to enable enhanced open system authentication.
Use undo enhanced-open enable to disable enhanced open system authentication.
Syntax
enhanced-open enable
undo enhanced-open enable
Default
Enhanced open system authentication is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
Enhanced open system authentication uses Opportunistic Wireless Encryption (OWE) to negotiate keys for encrypting the data packets of OWE-capable clients, providing open system authentication with stronger security than a plain open network.
Before enabling this feature, make sure the WPA3 security mode, FT, management frame protection, security IE, cipher suite, and KDF, if any, are in their default settings.
After you enable this feature, the system performs the following operations:
· Specifies the security IE as RSN.
· Specifies the cipher suite as CCMP.
· Enables management frame protection.
· Specifies the HMAC-SHA256 and HMAC-SHA384 algorithms as the KDFs.
Examples
# Enable enhanced open system authentication.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] enhanced-open enable
Related commands
enhanced-open transition-mode service-template
enhanced-open transition-mode service-template
Use enhanced-open transition-mode service-template to specify a recommended service template in transition mode.
Use undo enhanced-open transition-mode service-template to restore the default.
Syntax
enhanced-open transition-mode service-template service-template-name
undo enhanced-open transition-mode service-template
Default
No recommended service template is specified in transition mode.
Views
Service template view
Predefined user roles
network-admin
Parameters
service-template-name: Specifies the name of a service template, a case-insensitive string of 1 to 63 characters.
Usage guidelines
During the transition from open WLANs to enhanced open WLANs, WLANs of both types might exist to accommodate OWE-incapable and OWE-capable clients. In this case, if an OWE-capable client attempts to access an open WLAN, the corresponding AP will reject the access request.
This feature allows a client to quickly access the WLAN that matches its capability.
Configure this feature in both an open service template and an enhanced open service template, and specify them as the recommended template of each other.
Bind a service template and its recommended service template to the same radio.
Enable SSID hidden for the enhanced open service template.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify service template service2 as the recommended template for service template service1 in transition mode.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] enhanced-open transition-mode service-template service2
Related commands
beacon ssid-hide (WLAN Access Command Reference)
enhanced-open enable
gtk-rekey client-offline enable
Use gtk-rekey client-offline enable to enable offline-triggered GTK update.
Use undo gtk-rekey client-offline enable to restore the default.
Syntax
gtk-rekey client-offline enable
undo gtk-rekey client-offline enable
Default
Offline-triggered GTK update is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Usage guidelines
Enable offline-triggered GTK update only when GTK update is enabled.
Examples
# Enable offline-triggered GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey client-offline enable
Related commands
gtk-rekey enable
gtk-rekey enable
Use gtk-rekey enable to enable GTK update.
Use undo gtk-rekey enable to disable GTK update.
Syntax
gtk-rekey enable
undo gtk-rekey enable
Default
GTK update is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Examples
# Enable GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey enable
gtk-rekey method
Use gtk-rekey method to set a GTK update method.
Use undo gtk-rekey method to restore the default.
Syntax
gtk-rekey method { packet-based [ packet ] | time-based [ time ] }
undo gtk-rekey method
Default
The GTK is updated at an interval of 86400 seconds.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
packet-based packet: Specifies the number of packets (including multicasts and broadcasts) that are transmitted before the GTK is updated. The value range for the packet argument is 5000 to 4294967295 and the default is 10000000.
time-based time: Specifies the interval at which the GTK is updated. The value range for the time argument is 180 to 604800 seconds and the default is 86400 seconds.
Usage guidelines
Set the GTK update method only when GTK update is enabled.
The most recent configuration overwrites the previous one. For example, if you set the packet-based method and then set the time-based method, the time-based method takes effect.
If you set the GTK update method after the service template is enabled, the change takes effect when the following conditions exist:
· If you change the GTK update interval, the new interval takes effect when the old timer times out.
· If you change the packet number threshold, the new threshold takes effect immediately.
· If you change the GTK update method to packet-based, the new method takes effect when the timer is deleted and the packet number threshold is reached.
· If you change the GTK update method to time-based, the configuration takes effect immediately.
Examples
# Enable time-based GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey method time-based 3600
# Enable packet-based GTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] gtk-rekey method packet-based 600000
Related commands
gtk-rekey enable
key-derivation
Use key-derivation to set the key derivation function (KDF).
Use undo key-derivation to restore the default.
Syntax
key-derivation { sha1 | sha1-and-sha256 | sha256 }
undo key-derivation
Default
The KDF is the HMAC-SHA1 algorithm.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
sha1: Specifies the HMAC-SHA1 algorithm as the KDF.
sha256: Specifies the HMAC-SHA256 algorithm as the KDF.
sha1-and-sha256: Specifies the HMAC-SHA1 algorithm and the HMAC-SHA256 algorithm as the KDFs.
Usage guidelines
KDFs take effect only for a network that uses the 802.11i mechanism.
If you specify sha1-and-sha256 as the KDFs, you must set management frame protection to optional mode.
The HMAC-SHA256 algorithm is recommended if mandatory management frame protection is enabled.
Make sure the service template is disabled before you execute this command.
Examples
# Configure the HMAC-SHA256 algorithm as the KDF.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] key-derivation sha256
Related commands
akm mode
cipher-suite
security-ie
pmf
Use pmf to enable management frame protection.
Use undo pmf to restore the default.
Syntax
pmf { mandatory | optional }
undo pmf
Default
Management frame protection is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
mandatory: Specifies the mandatory mode. Only clients that support management frame protection can access the WLAN.
optional: Specifies the optional mode. All clients can access the WLAN.
Usage guidelines
Management frame protection takes effect only for a network that uses the 802.11i mechanism and is configured with the CCMP/GCMP cipher suite and RSN security information element.
Examples
# Enable management frame protection in optional mode.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf optional
Related commands
cipher-suite
security-ie
pmf association-comeback
Use pmf association-comeback to set the association comeback time.
Use undo pmf association-comeback to restore the default.
Syntax
pmf association-comeback time
undo pmf association-comeback
Default
The association comeback time is 1 second.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
time: Specifies the association comeback time in the range of 1 to 20 seconds.
Usage guidelines
If an AP rejects the current association or reassociation request from a client, it returns an association or reassociation response that carries the association comeback time. The AP accepts a new association or reassociation request from that client only after the association comeback time expires.
Examples
# Set the association comeback time to 2 seconds.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf association-comeback 2
pmf saquery retrycount
Use pmf saquery retrycount to set the maximum number of retransmission attempts for SA query requests.
Use undo pmf saquery retrycount to restore the default.
Syntax
pmf saquery retrycount count
undo pmf saquery retrycount
Default
The maximum number of retransmission attempts for SA query requests is 4.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
count: Specifies the maximum retransmission attempts for SA query requests, in the range of 1 to 16.
Usage guidelines
If an AP does not receive an acknowledgment for the SA query request after retransmission attempts reach the maximum number, the AP determines that the client is offline.
Examples
# Set the maximum number of retransmission attempts for SA query requests to 3.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf saquery retrycount 3
Related commands
pmf
pmf saquery retrytimeout
pmf saquery retrytimeout
Use pmf saquery retrytimeout to set the interval for sending SA query requests.
Use undo pmf saquery retrytimeout to restore the default.
Syntax
pmf saquery retrytimeout timeout
undo pmf saquery retrytimeout
Default
The interval for sending SA query requests is 200 milliseconds.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
timeout: Specifies the interval for an AP to send SA query requests, in the range of 100 to 500 milliseconds.
Examples
# Set the interval for sending SA query requests to 300 milliseconds.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] pmf saquery retrytimeout 300
Related commands
pmf
pmf saquery retrycount
preshared-key
Use preshared-key to set the PSK.
Use undo preshared-key to restore the default.
Syntax
preshared-key { pass-phrase | raw-key } { cipher | simple } string
undo preshared-key
Default
No PSK is set.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
pass-phrase: Sets a PSK, a character string.
raw-key: Sets a PSK, a hexadecimal number.
cipher: Sets a key in encrypted form.
simple: Sets a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies a key string. This argument is case sensitive. Key length varies by key type:
· pass-phrase—Its plaintext form is 8 to 63 characters. Its encrypted form is 41 to 117 characters.
· raw-key—Its plaintext form is 64 hexadecimal digits. Its encrypted form is a string of 117 characters.
Usage guidelines
Set the PSK only when the WLAN service template is disabled and the AKM mode is PSK. If you set the PSK when the AKM mode is 802.1X, the WLAN service template can be enabled but the PSK configuration does not take effect.
You can set only one PSK for a WLAN service template.
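The pass-phrase and raw-key forms of preshared-key are two encodings of the same 256-bit key: a raw key is the PSK itself, while a pass-phrase is mapped to the PSK with the SSID as salt, so the same pass-phrase yields a different PSK on every SSID. The following Python example is added here and is not the device's code: it validates both plaintext forms against the lengths listed above and performs the IEEE 802.11i PBKDF2-HMAC-SHA1 mapping; the cipher (encrypted) form is vendor-specific and is not modelled.

```python
import hashlib
import re

# Constants fixed by IEEE 802.11i for the pass-phrase to PSK mapping.
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32          # 256-bit PSK = 64 hexadecimal digits in raw-key form


def is_valid_pass_phrase(value: str) -> bool:
    """Plaintext pass-phrase form: 8 to 63 printable ASCII characters (0x20-0x7E)."""
    return 8 <= len(value) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in value)


def is_valid_raw_key(value: str) -> bool:
    """Plaintext raw-key form: exactly 64 hexadecimal digits (the 256-bit PSK itself)."""
    return re.fullmatch(r"[0-9A-Fa-f]{64}", value) is not None


def derive_psk(pass_phrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(pass-phrase, SSID, 4096 iterations, 256 bits)."""
    if not is_valid_pass_phrase(pass_phrase):
        raise ValueError("pass-phrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", pass_phrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES)


def resolve_psk(key_type: str, key_string: str, ssid: str) -> bytes:
    """Return the PSK that 'preshared-key { pass-phrase | raw-key } simple string'
    would install on a service template whose SSID is `ssid`.
    Only the simple (plaintext) form is handled; the cipher form is not modelled."""
    if key_type == "pass-phrase":
        return derive_psk(key_string, ssid)
    if key_type == "raw-key":
        if not is_valid_raw_key(key_string):
            raise ValueError("raw-key must be 64 hexadecimal digits")
        # A raw key is the PSK itself and does not depend on the SSID.
        return bytes.fromhex(key_string)
    raise ValueError("key type must be pass-phrase or raw-key")


def psk_forms_match(pass_phrase: str, raw_key: str, ssid: str) -> bool:
    """True when the raw-key string equals the PSK the pass-phrase derives to for
    this SSID, i.e. the two preshared-key forms would install the same key."""
    return resolve_psk("pass-phrase", pass_phrase, ssid) == resolve_psk("raw-key", raw_key, ssid)


if __name__ == "__main__":
    # Known-answer vector from IEEE Std 802.11: pass-phrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
```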
Examples
# Configure simple character string 12345678 as the PSK.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] akm mode psk
[Sysname-wlan-st-security] preshared-key pass-phrase simple 12345678
Related commands
akm mode
private-psk cloud enable
Use private-psk cloud enable to enable PPSK authentication by the cloud platform.
Use undo private-psk cloud enable to disable PPSK authentication by the cloud platform.
Syntax
private-psk cloud enable
undo private-psk cloud enable
Default
PPSK authentication by the cloud platform is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This feature enables clients to use PPSKs configured on the cloud platform for WLAN access.
With this feature enabled, clients must first pass bypass or MAC authentication, and then enter the PPSK password to access a WLAN. The device will generate binding entries between client MAC addresses and PPSK passwords at client association.
Make sure the service template has been disabled before you configure this feature.
Examples
# Enable PPSK authentication by the cloud platform.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] private-psk cloud enable
Related commands
akm mode
client-security authentication-mode (User Access and Authentication Command Reference)
private-psk fail-permit enable
Use private-psk fail-permit enable to enable PPSK fail-permit.
Use undo private-psk fail-permit enable to disable PPSK fail-permit.
Syntax
private-psk fail-permit enable
undo private-psk fail-permit enable
Default
PPSK fail-permit is enabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
With PPSK authentication by the cloud platform enabled, clients and devices must connect to the cloud platform for authentication. PPSK fail-permit allows clients to bypass the cloud platform and access the WLAN when the cloud platform is unavailable.
If the cloud platform becomes unavailable, PPSK fail-permit provides the following functions:
· Allows online clients to stay online until their MAC-password binding entries expire. When the MAC-password binding entries expire, the device logs off all online clients.
· Allows clients whose MAC-password binding entries have not expired to re-access the WLAN.
· Allows clients that have a correct PPSK password but have never come online to access the WLAN.
Make sure the service template has been disabled before you configure this feature.
Examples
# Enable PPSK fail-permit.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] private-psk fail-permit enable
Related commands
private-psk cloud enable
ptk-lifetime
Use ptk-lifetime to set the PTK lifetime.
Use undo ptk-lifetime to restore the default.
Syntax
ptk-lifetime time
undo ptk-lifetime
Default
The PTK lifetime is 43200 seconds.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
time: Specifies the lifetime of the PTK, in the range of 180 to 604800 seconds.
Usage guidelines
If you configure the PTK lifetime when the service template is enabled, the configuration takes effect after the old timer times out.
Examples
# Set the PTK lifetime to 200 seconds.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] ptk-lifetime 200
ptk-rekey enable
Use ptk-rekey enable to enable PTK update.
Use undo ptk-rekey enable to disable PTK update.
Syntax
ptk-rekey enable
undo ptk-rekey enable
Default
PTK update is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to update the PTK after the PTK lifetime expires.
Do not configure FT after enabling PTK update. If you do so, PTK update does not take effect.
Examples
# Enable PTK update.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] ptk-rekey enable
Related commands
ptk-lifetime
security-ie
Use security-ie to enable the OSEN IE, RSN IE, or WPA IE in beacon and probe responses.
Use undo security-ie to disable the OSEN IE, RSN IE, or WPA IE in beacon and probe responses.
Syntax
security-ie { osen | rsn | wpa }
undo security-ie { osen | rsn | wpa }
Default
OSEN IE, RSN IE, and WPA IE are disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
osen: Enables the OSEN IE in the beacon and probe response frames sent by the AP. The OSEN IE advertises the OSEN capabilities of the AP.
rsn: Enables the RSN IE in the beacon and probe response frames sent by the AP. The RSN IE advertises the RSN capabilities of the AP.
wpa: Enables the WPA IE in the beacon and probe response frames sent by the AP. The WPA IE advertises the WPA capabilities of the AP.
Usage guidelines
You must set the security IE for 802.11i networks. Set a security IE only when the WLAN service template is disabled and the CCMP or TKIP cipher suite is configured.
Set the WiFi alliance anonymous 802.1X AKM mode if the OSEN IE is used.
Examples
# Enable the RSN IE in beacon and probe responses.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] security-ie rsn
Related commands
akm mode
cipher-suite
snmp-agent trap enable wlan usersec
Use snmp-agent trap enable wlan usersec to enable SNMP notifications for WLAN security.
Use undo snmp-agent trap enable wlan usersec to disable SNMP notifications for WLAN security.
Syntax
snmp-agent trap enable wlan usersec
undo snmp-agent trap enable wlan usersec
Default
SNMP notifications are disabled for WLAN security.
Views
System view
Predefined user roles
network-admin
Usage guidelines
To report critical WLAN security events to an NMS, enable SNMP notifications for WLAN security. For WLAN security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Examples
# Enable SNMP notifications for WLAN security.
<Sysname> system-view
[Sysname] snmp-agent trap enable wlan usersec
tkip-cm-time
Use tkip-cm-time to set the TKIP MIC failure hold time.
Use undo tkip-cm-time to restore the default.
Syntax
tkip-cm-time time
undo tkip-cm-time
Default
The TKIP MIC failure hold time is 0 seconds. The AP does not take any countermeasures.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
time: Sets the TKIP MIC failure hold time in the range of 0 to 3600 seconds.
Usage guidelines
Set the TKIP MIC failure hold time only when the TKIP cipher suite is configured.
If you configure the MIC failure hold time when the service template is enabled, the configuration takes effect after the old timer times out.
If the AP detects two MIC failures within the MIC failure hold time, it disassociates all clients for 60 seconds.
Examples
# Set the TKIP MIC failure hold time to 180 seconds.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] tkip-cm-time 180
Related commands
cipher-suite
wep key
Use wep key to set a WEP key.
Use undo wep key to delete the configured WEP key.
Syntax
wep key key-id { wep40 | wep104 | wep128 } { pass-phrase | raw-key } { cipher | simple } string
undo wep key key-id
Default
No WEP key is set.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
key-id: Sets the key ID in the range of 1 to 4.
wep40: Sets the WEP40 key.
wep104: Sets the WEP104 key.
wep128: Sets the WEP128 key.
pass-phrase: Sets a WEP key, a character string.
raw-key: Sets a WEP key, a hexadecimal number.
cipher: Sets a key in encrypted form.
simple: Sets a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies a key string. This argument is case sensitive. The encrypted key length is in the range of 37 to 73 characters. The plaintext key length varies by key type:
· wep40 pass-phrase—Its plaintext form is 5 characters.
· wep104 pass-phrase—Its plaintext form is 13 characters.
· wep128 pass-phrase—Its plaintext form is 16 characters.
· wep40 raw-key—Its plaintext form is 10 hexadecimal digits.
· wep104 raw-key—Its plaintext form is 26 hexadecimal digits.
· wep128 raw-key—Its plaintext form is 32 hexadecimal digits.
Usage guidelines
Set a WEP key only when the WLAN service template is disabled and the cipher suite WEP is configured. You can set a maximum of four WEP keys.
Examples
# Configure the cipher suite WEP40 and configure plain text 12345 as WEP key 1.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] cipher-suite wep40
[Sysname-wlan-st-security] wep key 1 wep40 pass-phrase simple 12345
Related commands
cipher-suite
wep key-id
wep key-id
Use wep key-id to apply a WEP key.
Use undo wep key-id to restore the default.
Syntax
wep key-id { 1 | 2 | 3 | 4 }
undo wep key-id
Default
Key 1 is applied.
Views
WLAN service template view
Predefined user roles
network-admin
Parameters
1: Specifies the WEP key whose ID is 1.
2: Specifies the WEP key whose ID is 2.
3: Specifies the WEP key whose ID is 3.
4: Specifies the WEP key whose ID is 4.
Usage guidelines
Apply a WEP key only when the WLAN service template is disabled.
In the 802.11i mechanism, key 1 is the negotiated key. To apply a WEP key, specify a WEP key whose ID is not 1.
You can only apply an existing WEP key.
Examples
# Configure the cipher suite WEP40, configure plain text 12345 as WEP key 1, and apply WEP key 1.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] cipher-suite wep40
[Sysname-wlan-st-security] wep key 1 wep40 pass-phrase simple 12345
[Sysname-wlan-st-security] wep key-id 1
Related commands
wep key
wep mode dynamic
Use wep mode dynamic to enable the dynamic WEP mechanism.
Use undo wep mode dynamic to disable the dynamic WEP mechanism.
Syntax
wep mode dynamic
undo wep mode dynamic
Default
The dynamic WEP mechanism is disabled.
Views
WLAN service template view
Predefined user roles
network-admin
Usage guidelines
Enable the dynamic WEP mechanism only when the WLAN service template is disabled.
The dynamic WEP mechanism requires 802.1X authentication for user access authentication.
Do not apply WEP key 4 if the dynamic WEP mechanism is enabled.
Examples
# Enable the dynamic WEP mechanism.
<Sysname> system-view
[Sysname] wlan service-template security
[Sysname-wlan-st-security] wep mode dynamic
Related commands
cipher-suite
client-security authentication-mode (User Access and Authentication Command Reference)
wep key
wep key-id
wlan password-failure-limit enable
Use wlan password-failure-limit enable to enable password failure limit.
Use undo wlan password-failure-limit enable to disable password failure limit.
Syntax
wlan password-failure-limit enable [ detection-period detection-period ] [ failure-threshold failure-threshold ]
undo wlan password-failure-limit enable
Default
Password failure limit is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
detection-period detection-period: Specifies the detection period in the range of 5 to 600 seconds. The default value is 100.
failure-threshold failure-threshold: Specifies the failure threshold in the range of 1 to 100. The default value is 20.
Usage guidelines
This feature enables the system to add a client to the dynamic blacklist if the number of the client's password failures reaches the failure threshold within the detection period. For more information about the dynamic blacklist, see WLAN Access Configuration Guide.
When you configure this feature, follow these restrictions and guidelines:
· This feature takes effect only when the AKM mode is PSK or private PSK.
· This feature takes effect only on clients coming online after the feature is enabled.
· The system restarts failure calculation if the STAMGR process restarts.
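The detection logic behind password failure limit is a per-client sliding window: failures older than the detection period are discarded, and the client is blacklisted as soon as the remaining failures reach the threshold. The following Python example is added here and is not the device's code; it runs that logic over a constructed log (the line format is invented for the example and is not a Comware log format), using the command's defaults of 100 seconds and 20 failures unless overridden.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Defaults of the wlan password-failure-limit enable command.
DEFAULT_DETECTION_PERIOD = 100   # seconds, allowed range 5 to 600
DEFAULT_FAILURE_THRESHOLD = 20   # failures, allowed range 1 to 100

# Constructed log format for this example: "<timestamp> client <MAC> psk-ok|psk-fail".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) client "
    r"(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}) (?P<result>psk-ok|psk-fail)$"
)
EPOCH = datetime(1970, 1, 1)


class PasswordFailureLimiter:
    """Sliding-window counter of PSK failures per client MAC address."""

    def __init__(self, detection_period=DEFAULT_DETECTION_PERIOD,
                 failure_threshold=DEFAULT_FAILURE_THRESHOLD):
        if not 5 <= detection_period <= 600:
            raise ValueError("detection-period must be 5 to 600 seconds")
        if not 1 <= failure_threshold <= 100:
            raise ValueError("failure-threshold must be 1 to 100")
        self.period = detection_period
        self.threshold = failure_threshold
        self._failures = defaultdict(deque)   # MAC -> timestamps of recent failures
        self.blacklist = {}                   # MAC -> time it was blacklisted

    def record_failure(self, mac: str, ts: float) -> bool:
        """Record one password failure at time ts (seconds). Returns True when the
        client is added to the dynamic blacklist by this failure."""
        mac = mac.upper()
        window = self._failures[mac]
        window.append(ts)
        # Drop failures that fall outside the detection period ending at ts.
        while window and ts - window[0] > self.period:
            window.popleft()
        if len(window) >= self.threshold and mac not in self.blacklist:
            self.blacklist[mac] = ts
            return True
        return False


def parse_timestamp(text: str) -> float:
    return (datetime.strptime(text, "%Y-%m-%d %H:%M:%S") - EPOCH).total_seconds()


def process_log(lines, limiter: PasswordFailureLimiter) -> dict:
    """Feed log lines to the limiter; returns the blacklist (MAC -> blacklist time)."""
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue   # unrelated or malformed line
        if match["result"] == "psk-fail":
            limiter.record_failure(match["mac"], parse_timestamp(match["ts"]))
    return limiter.blacklist


# Constructed sample: 0011-2233-4455 fails three times within 70 seconds;
# 66AA-BBCC-DDEE fails three times but 120 seconds apart, so its window never fills.
SAMPLE_LOG = [
    "2024-05-01 10:00:00 client 0011-2233-4455 psk-fail",
    "2024-05-01 10:00:00 client 66AA-BBCC-DDEE psk-fail",
    "2024-05-01 10:00:30 client 0011-2233-4455 psk-fail",
    "2024-05-01 10:01:10 client 0011-2233-4455 psk-fail",
    "2024-05-01 10:02:00 client 66AA-BBCC-DDEE psk-fail",
    "2024-05-01 10:03:00 client 0011-2233-4455 psk-ok",
    "2024-05-01 10:04:00 client 66AA-BBCC-DDEE psk-fail",
]


def demo() -> dict:
    """Run the sample log with a 100-second period and a threshold of 3 failures."""
    return process_log(SAMPLE_LOG, PasswordFailureLimiter(100, 3))


if __name__ == "__main__":
    for mac, when in demo().items():
        print(f"{mac} blacklisted at {when}")
```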
Examples
# Enable password failure limit, set the detection period to 300 seconds, and set the failure threshold to 50.
<Sysname> system-view
[Sysname] wlan password-failure-limit enable detection-period 300 failure-threshold 50
wpa3
Use wpa3 to enable WPA3 and set the WPA3 security mode.
Use undo wpa3 to disable WPA3.
Syntax
wpa3 { enterprise | personal { mandatory | optional } }
undo wpa3
Default
WPA3 is disabled.
Views
Service template view
Predefined user roles
network-admin
Parameters
enterprise: Specifies WPA3-Enterprise.
personal: Specifies WPA3-SAE.
mandatory: Specifies the mandatory security mode. In this mode, clients that do not support WPA3 cannot access the WLAN.
optional: Specifies the optional security mode. In this mode, clients that do not support WPA3 can access the WLAN.
Usage guidelines
To use WPA3-Enterprise, set the cipher suite to GCMP, and the security IE to RSN.
To use WPA3-SAE, set the cipher suite to CCMP, and the security IE to RSN.
As a best practice, enable management frame protection if you specify a WPA3 security mode.
Do not set the WPA3 security mode and enable 802.11r FT or enhanced open system authentication at the same time. If you do so, the service template cannot be enabled. For more information about 802.11r, see WLAN Roaming Configuration Guide.
Examples
# Set the WPA3 security mode to personal.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] wpa3 personal mandatory
Related commands
cipher-suite
security-ie
wpa3 transit-wpa2-disable
Use wpa3 transit-wpa2-disable to enable anti-downgrade of the WPA3 security mode.
Use undo wpa3 transit-wpa2-disable to restore the default.
Syntax
wpa3 transit-wpa2-disable
undo wpa3 transit-wpa2-disable
Default
Anti-downgrade of the WPA3 security mode is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
After you enable this feature, WPA3 clients that have connected to a WPA3 network can no longer connect to a WPA2 network with the same SSID. This prevents clients from downgrading to a wireless network with weaker security. Such a WPA3 client can join a WPA2 network with the same SSID only after it has removed its saved connection to the WPA3 wireless service.
Enabling this feature does not have any impact on clients that support only WPA2.
Examples
# Enable anti-downgrade of the WPA3 security mode.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] wpa3 transit-wpa2-disable
Related commands
wpa3