Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 01-WLAN security configuration | 587.02 KB |
802.11w management frame protection
About 802.11w management frame protection
Enhanced open system authentication
WLAN security tasks at a glance
Setting the security information element
Setting the WPA3 security mode
Setting the TKIP MIC failure hold time
Configuring 802.11w management frame protection
Enabling password failure limit
Configuring PPSK authentication
Enabling PPSK authentication from the Cloudnet platform
Configuring enhanced open system authentication
Enabling enhanced open system authentication
Specifying a recommended service template in transition mode
Enabling SNMP notifications for WLAN security
Display and maintenance commands for WLAN security
WLAN security configuration examples
Example: Configuring PSK authentication and bypass authentication
Example: Configuring PSK authentication and MAC authentication
Example: Configuring 802.1X AKM
Example: Configuring management frame protection
Example: Configuring the WPA3-SAE optional mode
Example: Configuring the WPA3-SAE mandatory mode
Example: Configuring the WPA3-Enterprise transition mode
Example: Configuring the WPA3-Enterprise mandatory mode
Example: Configuring the WPA3-Enterprise 192-bit mode
Configuring WLAN security
About WLAN security
WLAN security mechanisms include Pre Robust Security Network Association (Pre-RSNA), 802.11i, and 802.11w.
Pre-RSNA defines the original security mechanism, which is vulnerable to security attacks. To enhance WLAN security, 802.11i was introduced, but it encrypts only WLAN data traffic. Based on the 802.11i framework, 802.11w offers management frame protection to prevent attacks such as forged de-authentication and disassociation frames.
Pre-RSNA mechanism
The pre-RSNA mechanism uses the open system algorithm for authentication. WEP supports key sizes of 40 bits (WEP40) and 104 bits (WEP104) .
Open system authentication
Open system authentication is the default and simplest authentication algorithm. Any client that requests authentication by using this algorithm can pass the authentication.
Open system authentication uses the following process:
1. The client sends an authentication request to the AP.
2. The AP sends an authentication response to the client after the client passes the authentication.
Figure 1 Open system authentication process
802.11i mechanism
|
|
IMPORTANT: 802.11i requires open system authentication for link layer authentication. |
Security modes
The 802.11i mechanism (the RSNA mechanism) provides WPA and RSN security modes. WPA implements a subset of an 802.11i draft to provide enhanced security over WEP and RSN implements the full 802.11i.
AKM
The 802.11i mechanism uses the following authentication and key management (AKM) modes for authenticating user integrity and dynamically generating and updating keys:
· 802.1X—802.1X performs user authentication and generates the pairwise master key (PMK) during authentication. The client and AP use the PMK to generate the pairwise transient key (PTK).
· Private PSK—The MAC address of the client is used as the PSK to generate the PMK. The client and AP use the PMK to generate the PTK.
· PSK—The PSK is used to generate the PMK. The client and AP use the PMK to generate the PTK.
Authentication
802.1X authentication is more secure than PSK authentication. For more information about 802.1X authentication, see User Access and Authentication Configuration Guide.
PSK authentication requires the same PSK to be configured for both an AP and a client. PSK integrity is verified during the four-way handshake. If PTK negotiation succeeds, the client passes the authentication.
Key management
Key management defines how to generate and update the PTK and group temporary key (GTK). The PTK is used in unicast and the GTK is used in multicast and broadcast.
PTK and GTK
· PTK structure
¡ EAPOL-Key Confirmation Key (KCK) is used to verify the integrity of an EAPOL-Key frame.
¡ EAPOL-Key Encryption Key (KEK) is used to encrypt the key data in the EAPOL-Key frame.
¡ Temporal Key (TK) is used to encrypt unicast packets.
· The GTK includes the TK and other fields. The TK is used to encrypt multicast and broadcast packets.
EAPOL-Key packet
The IEEE 802.11i protocol uses EAPOL-Key packets during key negotiation.
Figure 2 EAPOL-Key structure
Table 1 EAPOL-Key field description
|
Field |
Description |
|
Descriptor type |
Specifies the network type: · WPA network. · RSN network. |
|
Key information |
For more information about this field, see Table 2. |
|
Key length |
Length of the key. |
|
Key replay counter |
Records the total number of GTK updates to prevent replay attacks. The AP sets this field to 0 at the beginning of the negotiation and increments the value on each successive EAPOL-Key frame. The client records this field from the last valid EAPOL-Key frame that it received if this field is greater than the field recorded previously. EAPOL-Key frame retransmission is required in the following situations: · The field received by the client is smaller than or equal to the field recorded by the client. · The field received by the AP is not equal to the field recorded on the AP. If the retransmission attempts exceed the maximum number, the AP disconnects the client. |
|
Key nonce |
Random value used to generate the PTK. |
|
EAPOL Key IV |
Encrypts the TKIP. This field is valid only when the encryption type is not CCMP. |
|
Key RSC |
Records the total number of multicast packets or broadcast packets to prevent replay attacks. The AP increments the value of this field on transmission of each multicast or broadcast packet. |
|
Reserved |
Reserved field. |
|
Key MIC |
Message integrity check. |
|
Key data length |
Length of the key data. |
|
Key data |
Data to be transmitted, such as the GTK and pairwise master key identifier (PMKID). |
Figure 3 Key information structure
Table 2 Key information description
|
Field |
Description |
|
Key Descriptor Version |
3-bit key version: · 1—Non-CCMP key. · 2—CCMP key. |
|
Key Type |
1-bit key type: · 0—Multicast negotiation key. · 1—Unicast negotiation key. |
|
Reserved |
2-bit field reserved. The sender sets this field to 0, and the receiver ignores this field. |
|
Install |
1-bit key installation field. If the Key Type field is 1, this field is 0 or 1. · 0—The AP does not request the client to install the TK. · 1—The AP requests the client to install the TK. If the Key type field is 0, the sender sets this field to 0, and the receiver ignores this field. |
|
Key Ack |
1-bit key acknowledgment field. The value 1 indicates that the AP requests an acknowledgement from the client. |
|
Key MIC |
Message integrity check. If this field is 1, the generated MIC must be included in the Key MIC field of the EAPOL-key frame. |
|
Secure |
1-bit key status. The value 1 indicates that the key has been generated. |
|
Error |
1-bit MIC check status. The value 1 indicates that a MIC failure has occurred. The client sets this field to 1 when the Request field is 1. |
|
Request |
1-bit request used by the client to request the AP to initiate the four-way handshake or multi-cast handshake in a MIC failure report. |
|
Encrypted Key Data |
1-bit key data encryption status. The value 1 indicates that the key data is encrypted. |
|
Reserved |
3-bit reserved field. The sender sets this field to 0, and the receiver ignores this field. |
WPA key negotiation
WPA uses EAPOL-Key packets in the four-way handshake to negotiate the PTK, and in the two-way handshake to negotiate the GTK.
Figure 4 WPA key negotiation process
WPA key negotiation uses the following process:
1. The AP sends the client EAPOL-Key message 1 that contains a random value ANonce.
2. The client performs the following operations:
a. Uses the random value SNonce, ANonce, and PMK to generate a PTK by using the key derivation function (KDF).
b. Uses the KCK in the PTK to generate the MIC.
c. Returns EAPOL-Key message 2 that contains the SNonce and MIC.
3. The AP performs the following operations:
a. Uses the SNonce, ANonce, and PMK to generate a PTK by using the KDF.
b. Uses the KCK in the PTK to generate the MIC.
c. Compares the received MIC with the local MIC.
d. Returns EAPOL-Key message 3 that contains the PTK installation request tag and MIC if the two MICs are the same.
4. The client performs the following operations:
a. Compares the received MIC with the local MIC.
b. Installs the PTK and returns EAPOL-Key message 4 that contains the MIC if the two MICs are the same.
5. The AP performs the following operations:
a. Compares the received MIC with the local MIC.
b. Installs the PTK and generates a GTK with the GMK and MAC address of the AP by using the KDF if the two MICs are the same.
c. Returns EAPOL-Key group message 1 that contains the GTK and MIC.
6. The client performs the following operations:
a. Installs the GTK if the two MICs are the same.
b. Returns EAPOL-Key group message 2 that contains the MIC.
7. The AP performs the following operations:
a. Compares the received MIC with the local MIC.
b. Installs the GTK if the MICs are the same.
RSN key negotiation
RSN uses EAPOL-Key packets in the four-way handshake to negotiate the PTK and the GTK.
Figure 5 RSN key negotiation process
RSN key negotiation uses the following process:
1. The AP sends the client EAPOL-Key message 1 that contains a random value ANonce.
2. The client performs the following operations:
a. Uses the random value SNonce, ANonce, and PMK to generate a PTK by using the KDF.
b. Uses the KCK in the PTK to generate the MIC.
c. Returns EAPOL-Key message 2 that contains the SNonce and MIC.
3. The AP performs the following operations:
a. Uses the SNonce, ANonce, and PMK to generate a PTK by using the KDF.
b. Uses the KCK in the PTK to generate the MIC.
c. Compares the received MIC with the local MIC.
d. Generates a GTK with the random GMK and MAC address of the AP by using the KDF if the two MICs are the same.
e. Returns EAPOL-Key message 3 that contains the key installation request tag, MIC, and GTK.
4. The client performs the following operations:
a. Compares the received MIC with the local MIC.
b. Installs the PTK and GTK if the two MICs are the same.
c. Returns EAPOL-Key message 4 that contains the MIC.
5. The AP performs the following operations:
a. Compares the received MIC with the local MIC.
b. Installs the PTK and GTK if the two MICs are the same.
Key updates
Key updates enhance WLAN security. Key updates include PTK updates and GTK updates.
· PTK updates—Updates for the unicast keys using the four-way handshake negotiation.
· GTK updates—Updates for the multicast keys using the two-way handshake negotiation.
Cipher suites
TKIP
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm. You can change the cipher suite from WEP to TKIP by updating the software without changing the hardware. TKIP has the following advantages over WEP:
· TKIP provides longer initialization vectors (IVs) to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm, and increases the length of IVs from 24 bits to 48 bits.
· TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP dynamic keys cannot be easily deciphered.
· TKIP offers MIC and countermeasures. If a packet has been tampered with, it will fail the MIC. If two packets fail the MIC in a period, the AP automatically takes countermeasures by stopping providing services in a period to prevent attacks.
CCMP
Counter mode with CBC-MAC Protocol (CCMP) is based on the Counter-Mode/CBC-MAC (CCM) of the Advanced Encryption Standard (AES) encryption algorithm.
CCMP contains a dynamic key negotiation and management method. Each client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP cipher suite. During the encryption process, CCMP uses a 48-bit packet number (PN) to make sure each encrypted packet uses a different PN. This improves WLAN security.
802.11w management frame protection
About 802.11w management frame protection
The management frame protection service protects a set of robust management frames, such as de-authentication, disassociation, and some robust action frames.
· For unicast management frames, it uses the PTK to encrypt the frames and provides secrecy, integrity, and replay protection.
· For broadcast and multicast management frames, it uses the Broadcast Integrity Protocol (BIP) to provide integrity and replay protection.
The security association (SA) query mechanism is used to enhance security if the AP and client negotiate to use management frame protection. SA queries include active SA queries and passive SA queries.
Active SA query
As shown in Figure 6, active SA query uses the following process:
1. The client sends an association or reassociation request to the AP.
2. Upon receiving the request, the AP sends a response to inform the client that the request is denied and the client can associate at a later time. The response contains the association comeback time.
3. The AP sends an SA query request to verify the status of the client:
¡ If the AP receives an SA query response within the timeout time, it considers the client online.
¡ If the AP does not receive an SA query response within the timeout time, it sends another SA query request. If the AP receives an SA query response within the retransmission time, it considers the client online. The AP does not respond to any association or reassociation requests from the client until the association comeback time times out.
¡ If the AP does not receive an SA query response within the retransmission time, it considers the client offline and allows the client to reassociate.
Figure 6 Active SA query process
Passive SA query
As shown in Figure 7, passive SA query uses the following process:
1. The client triggers the SA query process upon receiving an unencrypted disassociation or deauthentication frame.
2. The client sends an SA query request to the AP.
3. The AP sends an SA query response to the client:
¡ If the client receives the response, the client determines that the AP is online and does not process the disassociation or deauthentication frame.
¡ If the client does not receive a response, the client determines that the AP is offline and disassociates with the AP.
Figure 7 Passive SA query process
Enhanced open system authentication
Enhanced open system authentication uses Opportunistic Wireless Encryption (OWE) to negotiate keys for encrypting data packets of OWE-capable clients, providing open system authentication with enhanced security performance.
Enhanced open system authentication uses the following procedure:
1. The client sends an authentication request to the AP.
2. The AP determines that the client can pass wireless link layer authentication and sends an authentication response to the client to notify the client of the authentication success.
3. The client and the AP perform 4-way handshake to generate a key for encryption.
Figure 8 Enhanced open system authentication process
Protocols and standards
· IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—2004
· WI-FI Protected Access—Enhanced Security Implementation Based On IEEE P802.11i Standard-Aug 2004
· Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—802.11, 1999
· IEEE Standard for Local and metropolitan area networks "Port-Based Network Access Control" 802.1X™-2004
· 802.11i IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements
· 802.11w IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements
WLAN security tasks at a glance
Pre-RSNA tasks at a glance
To configure Pre-RSNA, perform the following tasks:
2. (Optional.) Enabling SNMP notifications for WLAN security
802.11i tasks at a glance
To configure 802.11i, perform the following tasks:
2. (Optional.) Setting the WPA3 security mode
4. (Optional.) Setting the PSK
5. (Optional.) Setting the KDF
6. (Optional.) Configuring GTK update
7. (Optional.) Configuring PTK update
8. (Optional.) Setting the TKIP MIC failure hold time
9. (Optional.) Configuring 802.11w management frame protection
10. (Optional.) Enabling password failure limit
11. (Optional.) Configuring enhanced open system authentication
12. (Optional.) Enabling SNMP notifications for WLAN security
Configuring security features
Configuring the AKM mode
About this task
Each of the following AKM modes must be used with a specific authentication mode:
· 802.1X AKM—802.1X authentication mode.
· Private PSK AKM—MAC authentication mode.
· PSK AKM—MAC or bypass authentication mode.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Configure the AKM mode.
akm mode { dot1x | private-psk | psk }
By default, no AKM mode is configured.
Setting the security information element
About this task
Perform this task to enable an AP to set the security information element (security IE) bit in beacon and probe responses to notify clients of its security capabilities.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the security IE.
security-ie { rsn | wpa }
By default, no security IE is set.
Setting the WPA3 security mode
About this task
WPA3 supports the following security modes:
· WPA3-SAE—Uses Simultaneous Authentication of Equals (SAE), which replaces PSK in WPA2-Personal to provide more robust password-based authentication. It brings better protections to individual users.
WPA3-SAE is based on WPA3-Personal with Easy Connect (WPA3-PWE). With WPA3-SAE, users can access the wireless network by simply scanning a QR code. Hash-to-Element (H2E) is a new method for generating PWEs in the SAE process of WPA3, which has higher security compared to the traditional Hunting-and-Pecking (HnP) method.
The specific method of generating PWE is determined by the client itself. If only a certain PWE deriving method is configured, terminals that do not support this method will not be able to connect to the wireless network.
· WPA3-Enterprise—Offers an optional mode using 192-bit minimum-strength security protocols and cryptographic tools to better protect sensitive data. It ensures the right combination of cryptographic tools is used and sets a consistent baseline of security within a WPA3 network.
Restrictions and guidelines
To use WPA3-Enterprise 192-bit mode, set the cipher suite to GCMP, and the security IE to RSN.
For WPA3 Enterprise mandatory mode and optional modes, you do not need to configure pmf and key-derivation separately. If non-default configurations of pmf and key-derivation exist, reset them to default configurations before configuring the Enterprise mandatory or optional mode.
As a best practice, enable management frame protection if you specify a WPA3 security mode.
Some clients will be unable to come online by using the WPA3-SAE security mode if they have come online by using the WPA3 enterprise security mode temporarily. If such an issue occurs, the clients can try again by using the WPA3-SAE security mode.
Do not set the WPA3 security mode and enable 802.11r FT or enhanced open system authentication at the same time. If you do so, the service template cannot be enabled. For more information about 802.11r, see configuring WLAN roaming in WLAN Roaming Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the WPA3 security mode.
wpa3 { enterprise | enterprise-only-mode | enterprise-transition-mode | personal { mandatory | optional } }
By default, no WPA3 security mode is set.
4. (Optional.) Specify the method of deriving PWEs during the WPA3-SAE interaction process.
akm sae pwe { both-h2e-hnp | h2e | hnp }
By default, the system supports using H2E or HnP to derive PWEs.
5. (Optional.) Enable anti-downgrade of the WPA3 security mode.
wpa3 transit-wpa2-disable
By default, anti-downgrade of the WPA3 security mode is disabled.
Setting the cipher suite
About this task
The following cipher suites are available:
· CCMP.
· TKIP.
· GCMP.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the cipher suite.
cipher-suite { ccmp | gcmp | tkip }
By default, no cipher suite is set.
Setting the PSK
Restrictions and guidelines
The PSK must be set if the AKM mode is PSK. If you configure the PSK when the AKM mode is 802.1X, the WLAN service template can be enabled but the PSK configuration does not take effect.
A plaintext key in string format can include the ? character, so entering ? after the preshared-key pass-phrase simple command will not provide help information.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the PSK.
preshared-key { pass-phrase | raw-key } { cipher | simple } string
By default, no PSK is set.
Setting the KDF
About this task
KDFs are used by 802.11i networks to generate PTKs and GTKs. KDFs include HMAC-SHA1 and HMAC-SHA256 algorithms. The HMAC-SHA256 algorithm is more secure than the HMAC-SHA1 algorithm.
To use sha1-and-sha256, configure PMF to operate in optional mode.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the KDF.
key-derivation { sha1 | sha256 | sha1-and-sha256 }
By default, the HMAC-SHA1 algorithm is set.
Configuring GTK update
About this task
The system generates the GTK during key negotiation if the AKM, security IE, and cipher suite are configured. This feature updates the GTK to enhance key security based on the following updating modes:
· Time-based—The GTK is updated at the specified interval.
· Packet-based—The GTK is updated after the specified number of packets is sent.
· Offline-triggered—The GTK is updated when a client in the basic service set (BSS) goes offline.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Enable GTK update.
gtk-rekey enable
By default, GTK update is disabled.
4. Choose the options to configure as needed:
¡ Configure a GTK update method.
gtk-rekey method { packet-based [ packet ] | time-based [ time ] }
By default, the GTK is updated at intervals of 86400 seconds. The default packet quantity is 10000000 for packet-based GTK update.
¡ Enable offline-triggered GTK update.
gtk-rekey client-offline enable
By default, offline-triggered GTK update is disabled.
Configuring PTK update
About this task
The system generates the PTK during key negotiation when the AKM, security IE, and cipher suite are configured. This feature updates the PTK after the PTK lifetime expires.
Restrictions and guidelines
Do not configure FT after configuring PTK update. If you do so, PTK update does not take effect.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Enable PTK update.
ptk-rekey enable
By default, PTK update is disabled.
4. Set the PTK lifetime.
ptk-lifetime time
By default, the PTK lifetime is 43200 seconds.
Setting the TKIP MIC failure hold time
About this task
After configuring the TKIP, you can configure the TKIP MIC failure hold time. If the AP detects two MIC failures within the MIC failure hold time, it disassociates all clients for 60 seconds.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the TKIP MIC failure hold time.
tkip-cm-time time
By default, the TKIP MIC failure hold time is 0. The AP does not take any countermeasures.
Configuring 802.11w management frame protection
About this task
When 802.11w management frame protection is disabled, network access is available for all clients, but management frame protection is not performed. When 802.11w management frame protection is enabled, network access and management frame protection availability varies by management frame protection mode.
· Optional mode—Network access is available for all clients, but management frame protection is performed only for clients that support management frame protection.
· Mandatory mode—Network access and management frame protection are available only for clients that support management frame protection.
Restrictions and guidelines
802.11w management frame protection takes effect only for a network that uses the 802.11i mechanism and is configured with the CCMP/GCMP cipher suite and RSN security IE.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Enable management frame protection.
pmf { optional | mandatory }
By default, management frame protection is disabled.
4. Set the interval for sending SA query requests.
pmf saquery retrytimeout timeout
By default, the interval for sending SA query requests is 200 milliseconds.
5. Set the maximum transmission attempts for SA query requests.
pmf saquery retrycount count
By default, the maximum retransmission attempt number is 4 for SA query requests.
6. Set the association comeback time.
pmf association-comeback time
By default, the association comeback time is 1 second.
Enabling password failure limit
About this task
This feature enables the system to add a client to the dynamic blacklist if the number of the client's password failures reaches the failure threshold within the specified detection period. For more information about the dynamic blacklist, see WLAN Access Configuration Guide.
Restrictions and guidelines
This feature takes effect only when the AKM mode is PSK or private PSK.
This feature takes effect only on clients coming online after the feature is enabled.
The system restarts failure calculation if the STAMGR process restarts.
Procedure
1. Enter system view.
system-view
2. Enable password failure limit.
wlan password-failure-limit enable [ detection-period detection-period ] [ failure-threshold failure-threshold ]
By default, password failure limit is disabled.
Configuring PPSK authentication
Enabling PPSK authentication from the Cloudnet platform
About this task
This feature enables clients to use private pre-shared keys (PPSKs) configured on the Cloudnet platform for WLAN access.
With this feature enabled, clients must first pass bypass or MAC authentication, and then enter the PPSK password to access a WLAN. The device will generate binding entries between client MAC addresses and PPSK passwords at client association.
Restrictions and guidelines
Make sure the service template has been disabled before you configure this feature.
PPSK authentication from the Cloudnet platform must be used together with bypass or MAC authentication.
A cloud cluster network does not support this feature.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Enable PPSK authentication from the Cloudnet platform.
private-psk cloud enable
By default, PPSK authentication from the Cloudnet platform is disabled.
Enabling PPSK fail-permit
About this task
With PPSK authentication from the Cloudnet platform enabled, clients and devices must connect to the Cloudnet platform for authentication. PPSK fail-permit allows clients to bypass the Cloudnet platform and access the WLAN when the Cloudnet platform is unavailable.
If the Cloudnet platform becomes unavailable, PPSK fail-permit provides the following functions:
· Allows online clients to stay online until the MAC-password binding entries expire. When the MAC-password binding entries expire, the device logs all online clients.
· Allows clients whose MAC-password binding entries have not expired to re-access the WLAN.
· Allows clients that have a correct PPSK password but have never come online to access the WLAN.
Restrictions and guidelines
Make sure the service template has been disabled before you configure this feature.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Enable PPSK fail-permit.
private-psk fail-permit enable
By default, PPSK fail-permit is enabled.
Configuring enhanced open system authentication
Enabling enhanced open system authentication
Restrictions and guidelines
Before enabling this feature, make sure the WPA3 security mode, FT, management frame protection, security IE, cipher suite, and KDF, if any, are in their default settings.
After you enable this feature, the system performs the following operations:
· Specifies the security IE as RSN.
· Specifies the cipher suite as CCMP.
· Enables management frame protection.
· Specifies the HMAC-SHA256 and HMAC-SHA384 algorithms as the KDFs.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Enable enhanced open system authentication.
enhanced-open enable
By default, enhanced open system authentication is disabled.
Specifying a recommended service template in transition mode
About this task
During the transition from open WLANs to enhanced open WLANs, WLANs of both types might exist to accommodate OWE-incapable and OWE-capable clients. In this case, if an OWE-capable client attempts to access an open WLAN, the corresponding AP will reject the access request.
This feature allows clients to fast access an appropriate WLAN that matches its capability.
Restrictions and guidelines
Configure this feature in both an open service template and an enhanced open service template, and specify them as the recommended template of each other.
Bind a service template and its recommended service template to the same radio.
Enable SSID hidden for the enhanced open service template.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Specify a recommended service template in transition mode.
enhanced-open transition-mode service-template service-template-name
By default, no recommended service template is specified in transition mode.
If you execute this command multiple times, the most recent configuration takes effect.
Enabling SNMP notifications for WLAN security
About this task
To report critical WLAN security events to an NMS, enable SNMP notifications for WLAN security. For WLAN security event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for WLAN security.
snmp-agent trap enable wlan usersec
By default, SNMP notifications are disabled for WLAN security.
Display and maintenance commands for WLAN security
For more information about the following display commands, see WLAN Access Command Reference.
Execute display commands in any view.
|
Task |
Command |
|
Display client information. |
display wlan client [ interface interface-type interface-number | mac-address mac-address | service-template service-template-name ] [ verbose ] |
|
Display WLAN service template information. |
display wlan service-template [ service-template-name ] [ verbose ] |
|
Display private pre-shared key (PPSK) password information. |
display wlan private-psk cloud-password [ password-id ] [ verbose ] |
|
Display MAC-password bindings. |
display wlan private-psk cloud-password mac-binding [ password-id ] |
WLAN security configuration examples
Example: Configuring PSK authentication and bypass authentication
Network configuration
As shown in Figure 9, the switch functions as a DHCP server to assign IP addresses to the AP and client.
· Configure open system authentication and bypass authentication.
· Configure the client to use preshared key 12345678 to access the network.
Procedure
1. Create a WLAN service template named service1.
<AP> system-view
[AP] wlan service-template service1
2. Specify an SSID of service for the service template.
[AP-wlan-st-service1] ssid service
3. Configure WLAN security for service template service1:
# Configure the PSK AKM mode and the 12345678 plaintext key.
[AP-wlan-st-service1] akm mode psk
[AP-wlan-st-service1] preshared-key pass-phrase simple 12345678
# Configure CCMP as the cipher suite and WPA as the security IE.
[AP-wlan-st-service1] cipher-suite ccmp
[AP-wlan-st-service1] security-ie wpa
4. Enable service template service1.
[AP-wlan-st-service1] service-template enable
[AP-wlan-st-service1] quit
5. Bind service template service1 to radio interface WLAN-Radio 1/0/1 of the AP.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] undo shutdown
[AP-WLAN-Radio1/0/1] service-template service1
[AP-WLAN-Radio1/0/1] quit
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
[AP] display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
VLAN ID : 1
AKM mode : PSK
Security IE : WPA
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forward policy : Not configured
Forwarder : AP
FT status : Disabled
QoS trust : Port
QoS priority : 0
Example: Configuring PSK authentication and MAC authentication
Network configuration
As shown in Figure 10, the switch functions as a DHCP server to assign IP addresses to the AP and client.
· Configure open system authentication and MAC authentication so that the client can access the network by using login username abc and password 123.
· Configure the client to use preshared key 12345678 to access the network.
Procedure
1. Configure a username of abc and a password of 123 on the RADIUS server and make sure the RADIUS server and AP can reach each other. (Details not shown.)
2. Create a WLAN service template named service1.
<AP> system-view
[AP] wlan service-template service1
3. Specify an SSID of service for the service template.
[AP-wlan-st-service1] ssid service
4. Configure WLAN security for service template service1:
# Configure the PSK AKM mode and the 12345678 plaintext key.
[AP-wlan-st-service1] akm mode psk
[AP-wlan-st-service1] preshared-key pass-phrase simple 12345678
# Configure CCMP as the cipher suite and WPA as the security IE.
[AP-wlan-st-service1] cipher-suite ccmp
[AP-wlan-st-service1] security-ie wpa
# Configure the MAC-address-based authentication mode.
[AP-wlan-st-service1] client-security authentication-mode mac
5. Enable service template service1.
[AP-wlan-st-service1] service-template enable
[AP-wlan-st-service1] quit
6. Configure a RADIUS scheme:
# Create a RADIUS scheme named radius1 and enter its view.
[AP] radius scheme radius1
# Specify the primary authentication server and accounting server.
[AP-radius-radius1] primary authentication 10.1.1.3 1812
[AP-radius-radius1] primary accounting 10.1.1.3 1813
# Set the shared keys for authentication and accounting to 12345678 in plaintext.
[AP-radius-radius1] key authentication simple 12345678
[AP-radius-radius1] key accounting simple 12345678
# Configure the format for the usernames sent to the RADIUS server based on the RADIUS server configuration:
¡ Exclude domain names from the usernames sent to the RADIUS server.
[AP-radius-radius1] user-name-format without-domain
[AP-radius-radius1] quit
¡ Include domain names in the usernames sent to the RADIUS server.
[AP-radius-radius1] user-name-format with-domain
[AP-radius-radius1] quit
7. Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.
[AP] domain dom1
[AP-isp-dom1] authentication lan-access radius-scheme radius1
[AP-isp-dom1] authorization lan-access radius-scheme radius1
[AP-isp-dom1] accounting lan-access radius-scheme radius1
[AP-isp-dom1] quit
8. Configure an ISP domain of dom1, a username of abc, and a password of 123 for the user.
[AP] mac-authentication mac domain dom1
[AP] mac-authentication user-name-format fixed account abc password simple 123
9. Bind service template service1 to radio interface WLAN-Radio 1/0/1 of the AP.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] undo shutdown
[AP-WLAN-Radio1/0/1] service-template service1
[AP-WLAN-Radio1/0/1] quit
|
|
NOTE: For more information about the AAA and RADIUS commands in this section, see User Access and Authentication Command Reference. |
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
[AP] display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
VLAN ID : 1
AKM mode : PSK
Security IE : WPA
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : MAC
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forward policy : Not configured
Forwarder : AP
FT status : Disabled
QoS trust : Port
QoS priority : 0
Example: Configuring 802.1X AKM
Network configuration
As shown in Figure 11, the switch functions as a DHCP server to assign IP addresses to the AP and client.
· Configure open system authentication and 802.1X authentication so that the client can access the network by using login username abcdef and password 123456.
· Configure the 802.1X as the AKM mode.
Procedure
1. Configure a username of abcdef and a password of 123456 on the RADIUS server and make sure the RADIUS server and AP can reach each other. (Details not shown.)
2. Configure the 802.1X client. (Details not shown.)
3. Create a WLAN service template named service1.
<AP> system-view
[AP] wlan service-template service1
4. Specify an SSID of service for the service template.
[AP-wlan-st-service1] ssid service
5. Configure WLAN security for service template service1:
# Configure 802.1X as the AKM mode.
[AP-wlan-st-service1] akm mode dot1x
# Configure CCMP as the cipher suite and WPA as the security IE.
[AP-wlan-st-service1] cipher-suite ccmp
[AP-wlan-st-service1] security-ie wpa
# Configure the 802.1X authentication mode.
[AP-wlan-st-service1] client-security authentication-mode dot1x
6. Enable service template service1.
[AP-wlan-st-service1] service-template enable
[AP-wlan-st-service1] quit
7. Configure a RADIUS scheme.
# Create a RADIUS scheme named radius1 and enter its view.
[AP] radius scheme radius1
# Specify the primary authentication server and accounting server.
[AP-radius-radius1] primary authentication 10.1.1.3 1812
[AP-radius-radius1] primary accounting 10.1.1.3 1813
# Set the shared keys for authentication and accounting to 12345 in plaintext.
[AP-radius-radius1] key authentication simple 12345
[AP-radius-radius1] key accounting simple 12345
# Configure the format for the usernames sent to the RADIUS server based on the RADIUS server configuration:
¡ Exclude domain names from the usernames sent to the RADIUS server.
[AP-radius-radius1] user-name-format without-domain
[AP-radius-radius1] quit
¡ Include domain names in the usernames sent to the RADIUS server.
[AP-radius-radius1] user-name-format with-domain
[AP-radius-radius1] quit
8. Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.
[AP] domain dom1
[AP-isp-dom1] authentication lan-access radius-scheme radius1
[AP-isp-dom1] authorization lan-access radius-scheme radius1
[AP-isp-dom1] accounting lan-access radius-scheme radius1
[AP-isp-dom1] quit
9. Configure ISP domain dom1 as the default ISP domain.
[AP] domain default enable dom1
10. Bind service template service1 to radio interface WLAN-Radio 1/0/1 of the AP.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] undo shutdown
[AP-WLAN-Radio1/0/1] service-template service1
[AP-WLAN-Radio1/0/1] quit
|
|
NOTE: For more information about the AAA and RADIUS commands in this section, see User Access and Authentication Command Reference. |
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
[AP] display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
VLAN ID : 1
AKM mode : PSK
Security IE : WPA
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : 802.1X
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forward policy : Not configured
Forwarder : AP
FT status : Disabled
QoS trust : Port
QoS priority : 0
Example: Configuring management frame protection
Network configuration
As shown in Figure 12, the switch functions as a DHCP server to assign IP addresses to the AP and client.
· Configure the client to use preshared key 12345678 to access the network.
· Configure the CCMP cipher suite, RSN security IE, and management frame protection.
Procedure
1. Create a WLAN service template named service1.
<AP> system-view
[AP] wlan service-template service1
2. Specify an SSID of service for the service template.
[AP-wlan-st-service1] ssid service
3. Enable management frame protection in optional mode.
[AP-wlan-st-service1] pmf optional
4. Configure the 802.11i mechanism:
# Configure the PSK AKM mode and the 12345678 plaintext key.
[AP-wlan-st-service1] akm mode psk
[AP-wlan-st-service1] preshared-key pass-phrase simple 12345678
# Configure CCMP as the cipher suite and RSN as the security IE.
[AP-wlan-st-service1] cipher-suite ccmp
[AP-wlan-st-service1] security-ie rsn
5. Enable service template service1.
[AP-wlan-st-service1] service-template enable
[AP-wlan-st-service1] quit
6. Bind service template service1 to radio interface WLAN-Radio 1/0/1 of the AP.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] undo shutdown
[AP-WLAN-Radio1/0/1] service-template service1
[AP-WLAN-Radio1/0/1] quit
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
[AP] display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
VLAN ID : 1
AKM mode : PSK
Security IE : RSN
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : SHA1-AND-SHA256
PMF status : Optional
Hotspot policy number : Not configured
Forward policy : Not configured
Forwarder : AP
FT status : Disabled
QoS trust : Port
QoS priority : 0
# Use the display wlan client verbose command to verify the management frame protection negotiation results after an 802.11w client comes online.
[AP] display wlan client verbose
Total number of clients: 1
MAC address : 5250-0012-0411
Username : 11w
Radio ID : 1
Channel : 36
SSID : service
BSSID : 1111-2222-3333
VLAN ID : 1
Power save mode : Active
Wireless mode : 802.11a
QoS mode : None
Listen interval : 100
RSSI : 0
Rx/Tx rate : 0/0
Authentication method : Open system
Security mode : RSN
AKM mode : PSK
Encryption cipher : CCMP
User authentication mode : Bypass
Authorization ACL ID : N/A
Authorization user profile : N/A
Authorization CAR : N/A
Roam status : Normal
Key derivation : SHA256
PMF status : Enabled
Online time : 0hr 0min 10sec
Example: Configuring the WPA3-SAE optional mode
Network configuration
As shown in Figure 13, the switch acts as a DHCP server to assign IP addresses to both the AP and the client. Configure wireless settings for the client to use WEP key 12345 to access the WLAN at the link layer.
Procedures
1. Configure a wireless service template:
# Create wireless service template service1.
<AP> system-view
[AP] wlan service-template service1
# Set the SSID to service.
[AP-wlan-st-service1] ssid service
2. Configure the PSK AKM mode, CCMP cipher suite, RSN security IE, and WPA3-SAE optional mode, enable optional PMF, and enable the service template.
# Set the AKM mode to PSK, and specify plaintext string 12345678 as the PSK key.
[AP-wlan-st-service1] akm mode psk
[AP-wlan-st-service1] preshared-key pass-phrase simple 12345678
# Set the CCMP cipher suite and RSN security IE.
[AP-wlan-st-service1] cipher-suite ccmp
[AP-wlan-st-service1] security-ie rsn
[AP-wlan-st-service1] wpa3 personal optional
[AP-wlan-st-service1] pmf optional
# Enable the wireless service template.
[AP-wlan-st-service1] service-template enable
[AP-wlan-st-service1] quit
3. Bind the wireless service template to WLAN-Radio 1/0/1.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] undo shutdown
[AP-WLAN-Radio1/0/1] service-template service1
[AP-WLAN-Radio1/0/1] quit
Verifying the configuration
# Verify that you can view the wireless service configuration on the AP.
<AP> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : Not configured
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : PSK
Security IE : RSN
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
GTK rekey : Disabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
WPA3 status : Optional
PPSK : Disabled
PPSK Fail Permit : Enabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 512
Max MAC-auth users per BSS : 512
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Optional
Hotspot policy number : Not configured
Forward policy : Not configured
Forwarding policy status : Disabled
Forwarder : AP
FT status : Disabled
QoS trust : Port
QoS priority : 0
QoS U-APSD mode : 1
BTM status : Disabled
Example: Configuring the WPA3-SAE mandatory mode
Network configuration
As shown in Figure 14, the switch acts as a DHCP server to assign IP addresses to both the AP and the client. Configure wireless settings for the client to use WEP key 12345678 to access the WLAN at the link layer.
Procedures
1. Configure a wireless service template:
# Create wireless service template service1.
<AP> system-view
[AP] wlan service-template service1
# Set the SSID to service.
[AP-wlan-st-service1] ssid service
2. Configure the PSK AKM mode, CCMP cipher suite, RSN security IE, and WPA3-SAE mandatory mode, enable mandatory PMF, and enable the service template.
# Set the AKM mode to PSK, and specify plaintext string 12345678 as the PSK key.
[AP-wlan-st-service1] akm mode psk
[AP-wlan-st-service1] preshared-key pass-phrase simple 12345678
# Set the CCMP cipher suite and RSN security IE.
[AP-wlan-st-service1] cipher-suite ccmp
[AP-wlan-st-service1] security-ie rsn
[AP-wlan-st-service1] wpa3 personal mandatory
[AP-wlan-st-service1] pmf mandatory
# Enable the wireless service template.
[AP-wlan-st-service1] service-template enable
[AP-wlan-st-service1] quit
3. Bind the wireless service template to WLAN-Radio 1/0/1.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] undo shutdown
[AP-WLAN-Radio1/0/1] service-template service1
[AP-WLAN-Radio1/0/1] quit
Verifying the configuration
# Verify that you can view the wireless service configuration on the AP.
<AP> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : Not configured
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : PSK
Security IE : RSN
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
GTK rekey : Disabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
WPA3 status : Mandatroy
PPSK : Disabled
PPSK Fail Permit : Enabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 512
Max MAC-auth users per BSS : 512
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Mandatory
Hotspot policy number : Not configured
Forward policy : Not configured
Forwarding policy status : Disabled
Forwarder : AP
FT status : Disabled
QoS trust : Port
QoS priority : 0
QoS U-APSD mode : 1
BTM status : Disabled
Example: Configuring the WPA3-Enterprise transition mode
Network configuration
As shown in Figure 15, the switch acts a DHCP server to assign IP addresses to both the AP and the client.
· Configure open-system authentication at the link layer, and configure the client to use username abcdef and password 123456 to pass 802.1X authentication to access the WLAN.
· Configure the data packets between client and AP to use 802.1X authentication and key management to ensure the security of user data transmission.
Procedures
|
|
NOTE: · The configuration below contains AAA/RADIUS commands. For more information about the commands, see AAA commands in Security Command Reference. · Configure the 802.1X client. · Configure the RADIUS server, and add a user account with username abcdef and password 123456. |
1. Configure 802.1X:
# Configure 802.1X authentication to use the EAP relay method.
<AP> system-view
[AP] dot1x
[AP] dot1x authentication-method eap
2. Configure a wireless service template:
# Create wireless service template service1.
[AP] wlan service-template service1
# Set the SSID to service.
[AP-wlan-st-service1] ssid service
3. Configure the AKM mode, cipher suite, key derivation algorithm, PMF mode, and security IE.
# Set the AKM mode to 802.1X.
[AP-wlan-st-service1] akm mode dot1x
# Set the CCMP cipher suite and RSN security IE.
[AP-wlan-st-service1] cipher-suite ccmp
[AP-wlan-st-service1] security-ie rsn
# Configure the WPA3-Enterprise transition mode.
[AP-wlan-st-service1] wpa3 enterprise-transition-mode
4. Configure the client authentication mode and enable the wireless service template:
# Specify the client access authentication mode as 802.1X.
[AP-wlan-st-service1] client-security authentication-mode dot1x
# Enable the wireless service template.
[AP-wlan-st-service1] service-template enable
[AP-wlan-st-service1] quit
5. Configure a RADIUS scheme.
# Create RADIUS scheme radius1 and enter its view.
[AP] radius scheme radius1
# Configure the IP address of the primary authentication and accounting server as 10.1.1.3 and specify the port numbers for authentication and accounting as 1812 and 1813, respectively.
[AP-radius-radius1] primary authentication 10.1.1.3 1812
[AP-radius-radius1] primary accounting 10.1.1.3 1813
# Set the plaintext shared key for packet exchanging with the AP and authentication/accounting server to 12345.
[AP-radius-radius1] key authentication simple 12345
[AP-radius-radius1] key accounting simple 12345
# Configure the device to exclude domain names in usernames sent to the RADIUS server.
[AP-radius-radius1] user-name-format without-domain
[AP-radius-radius1] quit
|
|
NOTE: Whether to include domain names in usernames sent to the server depends on whether the server accepts usernames with domain names and on the server configuration: · If the server does not accept usernames with domain names, or the user authentication service on the server is not configured with a domain name suffix, use the without-domain keyword to configure the device to exclude domain names in usernames sent to the RADIUS server. · If the server can accept usernames with domain names and the user authentication service on the server is configured with a domain name suffix, use the with-domain keyword to configure the device to include domain names in the usernames sent to the RADIUS server. |
6. Create an authentication domain and configure a RADIUS scheme:
# Create ISP domain dom1 and enter its view.
[AP] domain dom1
# Configure 802.1X users to use RADIUS scheme radius1 for authentication, authorization, and accounting.
[AP-isp-dom1] authentication lan-access radius-scheme radius1
[AP-isp-dom1] authorization lan-access radius-scheme radius1
[AP-isp-dom1] accounting lan-access radius-scheme radius1
[AP-isp-dom1] quit
# Specify ISP domain dom1 as the default domain.
[AP] domain default enable dom1
7. Bind the wireless service template to WLAN-Radio 1/0/1.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] undo shutdown
[AP-WLAN-Radio1/0/1] service-template service1
[AP-WLAN-Radio1/0/1] quit
Verifying the configuration
# Verify that you can view the wireless service configuration on the AP.
<AP> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : Not configured
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : 802.1X
Security IE : RSN
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
GTK rekey : Disabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
WPA3 status : Enterprise-transition
PPSK : Disabled
PPSK Fail Permit : Enabled
User authentication mode : 802.1X
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 512
Max MAC-auth users per BSS : 512
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : SHA1-AND-SHA256
PMF status : Optional
Hotspot policy number : Not configured
Forward policy : Not configured
Forwarding policy status : Disabled
Forwarder : AP
FT status : Disabled
QoS trust : Port
QoS priority : 0
QoS U-APSD mode : 1
BTM status : Disabled
Example: Configuring the WPA3-Enterprise mandatory mode
Network configuration
As shown in Figure 16, the switch acts a DHCP server to assign IP addresses to both the AP and the client.
· Configure open-system authentication at the link layer, and configure the client to use username abcdef and password 123456 to pass 802.1X authentication to access the WLAN.
· Configure the data packets between client and AP to use 802.1X authentication and key management to ensure the security of user data transmission.
Procedures
|
|
NOTE: · The configuration below contains AAA/RADIUS commands. For more information about the commands, see AAA commands in Security Command Reference. · Configure the 802.1X client. · Configure the RADIUS server, and add a user account with username abcdef and password 123456. |
1. Configure 802.1X:
# Configure 802.1X authentication to use the EAP relay method.
<AP> system-view
[AP] dot1x
[AP] dot1x authentication-method eap
2. Configure a wireless service template:
# Create wireless service template service1.
[AP] wlan service-template service1
# Set the SSID to service.
[AP-wlan-st-service1] ssid service
3. Configure the AKM mode, cipher suite, key derivation algorithm, PMF mode, and security IE.
# Set the AKM mode to 802.1X.
[AP-wlan-st-service1] akm mode dot1x
# Set the CCMP cipher suite and RSN security IE.
[AP-wlan-st-service1] cipher-suite ccmp
[AP-wlan-st-service1] security-ie rsn
# Configure the WPA3-Enterprise mandatory mode.
[AP-wlan-st-service1] wpa3 enterprise-only-mode
4. Configure the client authentication mode and enable the wireless service template:
# Specify the client access authentication mode as 802.1X.
[AP-wlan-st-service1] client-security authentication-mode dot1x
# Enable the wireless service template.
[AP-wlan-st-service1] service-template enable
[AP-wlan-st-service1] quit
5. Configure a RADIUS scheme.
# Create RADIUS scheme radius1 and enter its view.
[AP] radius scheme radius1
# Configure the IP address of the primary authentication and accounting server as 10.1.1.3 and specify the port numbers for authentication and accounting as 1812 and 1813, respectively.
[AP-radius-radius1] primary authentication 10.1.1.3 1812
[AP-radius-radius1] primary accounting 10.1.1.3 1813
# Set the plaintext shared key for packet exchanging with the AP and authentication/accounting server to 12345.
[AP-radius-radius1] key authentication simple 12345
[AP-radius-radius1] key accounting simple 12345
# Configure the device to exclude domain names in usernames sent to the RADIUS server.
[AP-radius-radius1] user-name-format without-domain
[AP-radius-radius1] quit
|
|
NOTE: Whether the username sent to the server includes the domain name depends on whether the server accepts usernames with domain names and on the server configuration: · If the server does not accept usernames with domain names, or the user authentication service on the server is not configured with a domain name suffix, use the without-domain keyword to configure the device to exclude domain names in usernames sent to the RADIUS server. · If the server can accept usernames with domain names and the user authentication service on the server is configured with a domain name suffix, use the with-domain keyword to configure the device to include domain names in the usernames sent to the RADIUS server. |
6. Create an authentication domain and configure a RADIUS scheme:
# Create ISP domain dom1 and enter its view.
[AP] domain dom1
# Configure 802.1X users to use RADIUS scheme radius1 for authentication, authorization, and accounting.
[AP-isp-dom1] authentication lan-access radius-scheme radius1
[AP-isp-dom1] authorization lan-access radius-scheme radius1
[AP-isp-dom1] accounting lan-access radius-scheme radius1
[AP-isp-dom1] quit
# Specify ISP domain dom1 as the default domain.
[AP] domain default enable dom1
7. Bind the wireless service template to WLAN-Radio 1/0/1.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] undo shutdown
[AP-WLAN-Radio1/0/1] service-template service1
[AP-WLAN-Radio1/0/1] quit
Verifying the configuration
# Verify that you can view the wireless service configuration on the AP.
<AP> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : Not configured
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : 802.1X
Security IE : RSN
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
GTK rekey : Disabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
WPA3 status : Enterprise-only
PPSK : Disabled
PPSK Fail Permit : Enabled
User authentication mode : 802.1X
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 512
Max MAC-auth users per BSS : 512
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : SHA256
PMF status : Mandatroy
Hotspot policy number : Not configured
Forward policy : Not configured
Forwarding policy status : Disabled
Forwarder : AP
FT status : Disabled
QoS trust : Port
QoS priority : 0
QoS U-APSD mode : 1
BTM status : Disabled
Example: Configuring the WPA3-Enterprise 192-bit mode
Network configuration
As shown in Figure 17, the switch acts a DHCP server to assign IP addresses to both the AP and the client.
· Configure open-system authentication at the link layer, and configure the client to use username abcdef and password 123456 to pass 802.1X authentication to access the WLAN.
· Configure the data packets between client and AP to use 802.1X authentication and key management to ensure the security of user data transmission.
Procedures
|
|
NOTE: · The configuration below contains AAA/RADIUS commands. For more information about the commands, see AAA commands in Security Command Reference. · Configure the 802.1X client. · Configure the RADIUS server, and add a user account with username abcdef and password 123456. |
1. Configure 802.1X:
# Configure 802.1X authentication to use the EAP relay method.
<AP> system-view
[AP] dot1x
[AP] dot1x authentication-method eap
2. Configure a wireless service template:
# Create wireless service template service1.
[AP] wlan service-template service1
# Set the SSID to service.
[AP-wlan-st-service1] ssid service
3. Configure the AKM mode, cipher suite, PMF mode, and security IE:
# Set the AKM mode to 802.1X.
[AP-wlan-st-service1] akm mode dot1x
# Set the GCMP cipher suite and RSN security IE.
[AP-wlan-st-service1] cipher-suite gcmp
[AP-wlan-st-service1] security-ie rsn
# Enable the mandatory PMF mode.
[AP-wlan-st-service1] pmf mandatory
# Configure the WPA3-Enterprise 192-bit mode.
[AP-wlan-st-service1] wpa3 enterprise
4. Configure the client authentication mode and enable the wireless service template:
# Specify the client access authentication mode as 802.1X.
[AP-wlan-st-service1] client-security authentication-mode dot1x
# Enable the wireless service template.
[AP-wlan-st-service1] service-template enable
[AP-wlan-st-service1] quit
5. Configure a RADIUS scheme.
# Create RADIUS scheme radius1 and enter its view.
[AP] radius scheme radius1
# Configure the IP address of the primary authentication and accounting server as 10.1.1.3 and specify the port numbers for authentication and accounting as 1812 and 1813, respectively.
[AP-radius-radius1] primary authentication 10.1.1.3 1812
[AP-radius-radius1] primary accounting 10.1.1.3 1813
# Set the plaintext shared key for packet exchanging with the AP and authentication/accounting server to 12345.
[AP-radius-radius1] key authentication simple 12345
[AP-radius-radius1] key accounting simple 12345
# Configure the device to exclude domain names in usernames sent to the RADIUS server.
[AP-radius-radius1] user-name-format without-domain
[AP-radius-radius1] quit
|
|
NOTE: Whether the username sent to the server includes the domain name depends on whether the server accepts usernames with domain names and on the server configuration: · If the server does not accept usernames with domain names, or the user authentication service on the server is not configured with a domain name suffix, use the without-domain keyword to configure the device to exclude domain names in usernames sent to the RADIUS server. · If the server can accept usernames with domain names and the user authentication service on the server is configured with a domain name suffix, use the with-domain keyword to configure the device to include domain names in the usernames sent to the RADIUS server. |
6. Create an authentication domain and configure a RADIUS scheme:
# Create ISP domain dom1 and enter its view.
[AP] domain dom1
# Configure 802.1X users to use RADIUS scheme radius1 for authentication, authorization, and accounting.
[AP-isp-dom1] authentication lan-access radius-scheme radius1
[AP-isp-dom1] authorization lan-access radius-scheme radius1
[AP-isp-dom1] accounting lan-access radius-scheme radius1
[AP-isp-dom1] quit
# Specify ISP domain dom1 as the default domain.
[AP] domain default enable dom1
7. Bind the wireless service template to WLAN-Radio 1/0/1.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] undo shutdown
[AP-WLAN-Radio1/0/1] service-template service1
[AP-WLAN-Radio1/0/1] quit
Verifying the configuration
# Verify that you can view the wireless service configuration on the AP.
<AP> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : Not configured
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : 802.1X
Security IE : RSN
Cipher suite : GCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
GTK rekey : Disabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
WPA3 status : Enterprise-192 bit
PPSK : Disabled
PPSK Fail Permit : Enabled
User authentication mode : 802.1X
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 512
Max MAC-auth users per BSS : 512
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : SHA1
PMF status : Mandatroy
Hotspot policy number : Not configured
Forward policy : Not configured
Forwarding policy status : Disabled
Forwarder : AP
FT status : Disabled
QoS trust : Port
QoS priority : 0
QoS U-APSD mode : 1
BTM status : Disabled
