
AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
WLAN Security Configuration Commands


attack detection enable (for AC)

Function

The attack detection enable command enables attack detection on a specified AP radio.

The undo attack detection enable command disables attack detection on a specified AP radio.

By default, attack detection is disabled on an AP radio.

Format

attack detection enable { all | flood | weak-iv | spoof | wpa-psk | wpa2-psk | wapi-psk | wep-share-key }

undo attack detection enable { all | flood | weak-iv | spoof | wpa-psk | wpa2-psk | wapi-psk | wep-share-key }

Parameters

Parameter

Description

Value

all

Indicates that all attack detection functions are enabled.

-

flood

Indicates that flood attack detection is enabled.

-

weak-iv

Indicates that weak IV attack detection is enabled.

-

spoof

Indicates that spoofing attack detection is enabled.

-

wpa-psk

Indicates that detection of brute force password cracking is enabled for WPA-PSK authentication.

-

wpa2-psk

Indicates that detection of brute force password cracking is enabled for WPA2-PSK authentication.

-

wapi-psk

Indicates that detection of brute force password cracking is enabled for WAPI-PSK authentication.

-

wep-share-key

Indicates that detection of brute force password cracking is enabled for shared key authentication.

-

Views

Radio view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To detect malicious or unintentional attacks on WLANs in real time, network administrators can enable the following attack detection functions based on actual requirements and monitor or prevent these attacks:
  • flood: detects whether an AP receives a large number of packets of a certain type in a short period.
  • weak-iv: detects whether weak IV is used on a WLAN that is currently configured with a WEP security policy.
  • spoof: detects whether a potential attacker forges an AP to send broadcast packets to disassociate a client from the authentication server and an AP from the AC.
  • wpa-psk, wpa2-psk, wapi-psk, wep-share-key: When a WPA-PSK, WPA2-PSK, WAPI-PSK, or WEP-SK security policy is configured on a WLAN, detection of brute force password cracking can be enabled to increase the time required to crack the password and improve password security.

Follow-up Procedure

Run the dynamic-blacklist enable (for AC) command to enable the dynamic blacklist function.

Example

# Enable flood attack detection on radio 0 of AP 0.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] ap 0 radio 0
[Huawei-wlan-radio-0/0] attack detection enable flood

attack detection flood (for AC)

Function

The attack detection flood command specifies the interval for flood attack detection and the maximum number of packets of the same type that an AP can receive within the interval.

The undo attack detection flood command restores the interval for flood attack detection and the maximum number of packets of the same type that an AP can receive within the interval to the default values.

By default, the interval for flood attack detection is 60 seconds and an AP can receive a maximum of 300 packets of the same type within the interval.

Format

attack detection flood interval intvalue times timesvalue

undo attack detection flood

Parameters

Parameter

Description

Value

interval intvalue

Specifies the interval for flood attack detection.

The value is an integer that ranges from 10 to 120, in seconds.

times timesvalue

Specifies the number of packets of the same type that an AP receives within the detection interval.

The value is an integer that ranges from 1 to 1000.

Views

AP view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a flood attack, an AP receives a large number of packets of the same type in a short period and it is too busy with the flood attack packets to process packets sent from authorized STAs.

In flood attack detection, which is part of Wireless Intrusion Detection System (WIDS) attack detection, an AP continuously counts the packets of the same type that each STA sends to it and compares the count with the value specified using the attack detection flood command. When the count exceeds the configured maximum, the AP considers that the STA intends to launch a flood attack and locks the STA. If the dynamic blacklist function is enabled, the STA is added to the dynamic blacklist.

Follow-up Procedure

Run the dynamic-blacklist enable (for AC) command to enable the dynamic blacklist function.

Example

# Set the interval for flood attack detection to 120 seconds and the maximum number of packets of the same type that an AP can receive within the interval to 350.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] ap id 0
[Huawei-wlan-ap-0] attack detection flood interval 120 times 350

attack detection psk (for AC)

Function

The attack detection psk command specifies the interval for brute force preshared key (PSK) cracking detection and the number of key negotiation attempts allowed within the interval.

The undo attack detection psk command restores the interval for brute force PSK cracking detection and the number of key negotiation attempts allowed within the interval to the default values.

By default, the interval for brute force PSK cracking detection is 60 seconds and an AP allows a maximum of 20 key negotiation attempts within the interval.

Format

attack detection psk interval intvalue times timesvalue

undo attack detection psk

Parameters

Parameter

Description

Value

interval intvalue

Specifies the interval for brute force PSK cracking detection.

The value is an integer that ranges from 10 to 120, in seconds.

times timesvalue

Specifies the number of key negotiation attempts within the interval.

The value is an integer that ranges from 1 to 100.

Views

AP view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Brute force PSK cracking means that an attacker tries all possible PSK combinations one by one until the right key is found. To improve key security, enable defense against brute force PSK cracking to prolong the time needed to crack the password.

An AP checks whether the number of key negotiation attempts during WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key authentication exceeds the threshold configured using the attack detection psk command. If so, the AP considers that a user is using the brute force method to crack the password and reports an alarm to the AC. If the dynamic blacklist function is enabled, the AP adds the user to the dynamic blacklist and discards all the packets of the user until the dynamic blacklist entry ages.

Follow-up Procedure

Run the dynamic-blacklist enable (for AC) command to enable the dynamic blacklist function.

Example

# Set the interval for brute force PSK cracking detection to 60 seconds and the maximum number of key negotiation attempts that an AP allows within the interval to 60.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] ap id 0
[Huawei-wlan-ap-0] attack detection psk interval 60 times 60

attack detection quiet-time (for AC)

Function

The attack detection quiet-time command sets the quiet time for an AP to report attacks to an AC.

The undo attack detection quiet-time command restores the default quiet time.

By default, the quiet time is 600 seconds.

Format

attack detection { flood | weak-iv | spoof | psk } quiet-time quiet-time-value

undo attack detection { flood | weak-iv | spoof | psk } quiet-time

Parameters

Parameter

Description

Value

quiet-time-value

Specifies the quiet time.

The value is an integer that ranges from 60 to 36000, in seconds.

flood

Indicates flood attack detection.

-

weak-iv

Indicates weak IV attack detection.

-

spoof

Indicates spoofing attack detection.

-

psk

Indicates PSK brute force attack detection.

-

Views

AP view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After attack detection is enabled on an AP, the AP reports alarms upon attack detection. If an attack source launches attacks repeatedly, a large number of repetitive alarms are generated. To prevent this situation, configure the quiet time for an AP to report alarms. When detecting attacks from the same source MAC address, the AP does not report alarms during the quiet time. However, if the AP still detects attacks from the attack source after the quiet time expires, the AP reports alarms again. You can set the quiet time separately for each attack type.

To obtain attack information in a timely manner, set the quiet time to a small value. If attack detection is enabled on many APs, and attacks are frequently detected, set the quiet time to a large value to prevent frequent alarm reports.
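The counting, threshold and quiet-time behaviour described for the attack detection flood, attack detection psk and attack detection quiet-time commands, as an added Python model that is not Huawei code; it assumes a fixed per-STA window that starts at the first packet seen and a 600-second dynamic-blacklist aging time, neither of which the page states:

```python
# WIDS threshold model for 'attack detection flood', 'attack detection psk' and the
# per-type quiet time. Added example, not Huawei code. Assumed (not on the page):
# counters are kept per (attack type, STA MAC) in a fixed window that starts at the
# first packet seen, and a dynamic-blacklist entry ages out after BLACKLIST_AGING s.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BLACKLIST_AGING = 600  # assumption; the page only says the entry "ages"
# Ranges and defaults taken from the command reference (interval is 10..120 s).
RANGES = {"flood": (1, 1000), "psk": (1, 100)}
DEFAULTS = {"flood": (60, 300), "psk": (60, 20)}


@dataclass
class Window:
    start: float
    count: int = 0


@dataclass
class WidsDetector:
    dynamic_blacklist: bool = False
    thresholds: Dict[str, Tuple[int, int]] = field(default_factory=lambda: dict(DEFAULTS))
    quiet_time: Dict[str, int] = field(default_factory=lambda: {"flood": 600, "psk": 600})
    windows: Dict[Tuple[str, str], Window] = field(default_factory=dict)
    last_alarm: Dict[Tuple[str, str], float] = field(default_factory=dict)
    blacklist: Dict[str, float] = field(default_factory=dict)  # MAC -> expiry time
    alarms: List[Tuple[float, str, str]] = field(default_factory=list)

    def configure(self, kind: str, interval: int, times: int) -> None:
        """Same range checks as 'attack detection {flood|psk} interval X times Y'."""
        lo, hi = RANGES[kind]
        if not 10 <= interval <= 120 or not lo <= times <= hi:
            raise ValueError(f"{kind}: interval 10..120 s, times {lo}..{hi}")
        self.thresholds[kind] = (interval, times)

    def set_quiet_time(self, kind: str, seconds: int) -> None:
        """'attack detection <kind> quiet-time' accepts 60..36000 seconds."""
        if not 60 <= seconds <= 36000:
            raise ValueError("quiet-time 60..36000 s")
        self.quiet_time[kind] = seconds

    def is_blacklisted(self, mac: str, now: float) -> bool:
        expiry = self.blacklist.get(mac)
        if expiry is not None and now >= expiry:
            del self.blacklist[mac]          # dynamic blacklist entry has aged out
        return mac in self.blacklist

    def observe(self, kind: str, mac: str, now: float) -> Optional[str]:
        """One packet (flood) or key-negotiation attempt (psk) from `mac`.
        Returns None, "alarm", "suppressed" (inside quiet time) or "dropped"."""
        if self.is_blacklisted(mac, now):
            return "dropped"                 # all packets discarded until the entry ages
        interval, times = self.thresholds[kind]
        key = (kind, mac)
        win = self.windows.get(key)
        if win is None or now - win.start >= interval:
            win = Window(start=now)          # start a fresh detection interval
            self.windows[key] = win
        win.count += 1
        if win.count <= times:
            return None
        # Threshold exceeded: the STA is treated as attacking.
        if self.dynamic_blacklist:
            self.blacklist[mac] = now + BLACKLIST_AGING
        last = self.last_alarm.get(key)
        if last is not None and now - last < self.quiet_time[kind]:
            return "suppressed"              # same source MAC, still inside quiet time
        self.last_alarm[key] = now
        self.alarms.append((now, kind, mac))
        return "alarm"


def flood_scenario():
    """Constructed traffic: three bursts of 351 probe requests (0.1 s apart) from
    one STA at t=0, t=200 and t=600. Expected: ["alarm", "suppressed", "alarm"], 2."""
    det = WidsDetector()
    det.configure("flood", interval=120, times=350)   # values from the page's example
    det.set_quiet_time("flood", 300)                  # value from the quiet-time example
    mac = "0010-1000-002f"                            # MAC from the page's sample output
    results = []
    for start in (0, 200, 600):
        out = None
        for i in range(351):                          # the 351st packet crosses 350
            out = det.observe("flood", mac, start + i * 0.1)
        results.append(out)
    return results, len(det.alarms)


def psk_scenario():
    """Constructed: 25 key-negotiation attempts, one per second, blacklisting on.
    Expected: ("alarm", 4, False): the 21st attempt alarms, the next 4 are dropped."""
    det = WidsDetector(dynamic_blacklist=True)        # psk defaults: 60 s / 20 attempts
    mac = "0026-0000-90a1"                            # MAC from the page's blacklist output
    outcomes = [det.observe("psk", mac, float(t)) for t in range(25)]
    return outcomes[20], outcomes.count("dropped"), det.is_blacklisted(mac, 24 + BLACKLIST_AGING)
```

The second burst shows why the quiet time matters for alert volume: the STA is still locked and counted as attacking, but no duplicate alarm reaches the AC until the 300 seconds have elapsed.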

Follow-up Procedure

The quiet time settings are delivered to APs to take effect.

Example

# Set the quiet time for reporting flood attacks on AP1 to 300 seconds.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] ap id 1
[Huawei-wlan-ap-1] attack detection flood quiet-time 300

display security-profile (for AC)

Function

The display security-profile command displays the security profile configuration.

Format

display security-profile { all | { id profile-id | name profile-name } [ detail ] }

Parameters

Parameter

Description

Value

all

Displays configurations of all security profiles.

-

id profile-id

Specifies the ID of a security profile.

The security profile ID must exist.

name profile-name

Specifies the name of a security profile.

The security profile name must exist.

detail

Displays detailed information about a security profile.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

  • You can run this command to view the security profile configuration.
  • When there is a large amount of configuration information, output information is displayed on multiple screens.

Example

# Display configurations of all security profiles.

<Huawei> display security-profile all
  ------------------------------------------------------------
  ID           Name
  0            lw
  1            ttt
  ------------------------------------------------------------
  Total: 2

# Display brief information about security profile 0.

<Huawei> display security-profile id 0
  ------------------------------------------------------------
  Profile name                       : lw
  Profile ID                         : 0
  Authentication                     : Share key
  Encryption                         : WEP-40
  ------------------------------------------------------------
  Service-set ID                     SSID
  0                                  l00129796_9300
  1                                  l00129796_93002
  ------------------------------------------------------------
  Bridge-profile ID                  Bridge Name
  ------------------------------------------------------------

# Display detailed information about security profile 0.

<Huawei> display security-profile id 0 detail
  ------------------------------------------------------------
  Profile name                       : test
  Profile ID                         : 0
  Authentication                     : Open system
  Encryption                         : -
  ------------------------------------------------------------
  Service-set ID                     SSID
  0                                  service-set
  ------------------------------------------------------------
  Bridge-profile ID                  Bridge Name
  ------------------------------------------------------------
  WEP's configuration
  Authentication                     : Open system
  Encryption                         : -
  Key 0                              : *****
  Key 1                              : Empty
  Key 2                              : Empty
  Key 3                              : Empty
  Default key ID                     : 0
  ------------------------------------------------------------
  WPA's configuration
  Authentication                     : WPA  PSK
  Encryption                         : CCMP
  ------------------------------------------------------------
  WPA2's configuration
  Authentication                     : WPA2 PSK
  Encryption                         : CCMP
  ------------------------------------------------------------
  WAPI's configuration
  CA certificate filename            : -
  ASU certificate filename           : -
  AC certificate filename            : -
  AC private key filename            : -
  Authentication server IP           : -
  Authentication method              : WAPI certificate
  WAI timeout(s)                     : 60
  BK update interval(s)              : 43200
  BK lifetime threshold(%)           : 70
  USK update interval(s)             : 86400
  USK update packet(k)               : 10
  MSK update interval(s)             : 86400
  MSK update packet(k)               : 10
  Cert auth retrans count            : 3
  USK negotiate retrans count        : 3
  MSK negotiate retrans count        : 3
  USK update method                  : Time-based
  MSK update method                  : Time-based
  ------------------------------------------------------------
Table 12-74  Description of the display security-profile command output

Item

Description

Profile name

Name of the security profile.

Profile ID

ID of the security profile.

Authentication

Authentication mode. The following authentication modes are supported: WLAN Authentication and Privacy Infrastructure (WAPI) certificate authentication, WAPI pre-shared key authentication, Wi-Fi Protected Access (WPA) 802.1x authentication, WPA pre-shared key authentication, WPA2 802.1x authentication, WPA2 pre-shared key authentication, shared key authentication, and open system authentication.

Encryption

Encryption mode. The following encryption modes are supported: Temporal Key Integrity Protocol (TKIP), CTR with CBC-MAC Protocol (CCMP), and Wired Equivalent Privacy (WEP) using a 40-bit or 104-bit key.

SSID

Service set identifier that identifies a WLAN.

Key X

Key ID.

Default key ID

Default key ID.

CA certificate filename

CA certificate file name.

ASU certificate filename

File name of the authentication server unit (ASU) certificate.

AC certificate filename

AC certificate file name.

AC private key filename

AC private key file name.

Authentication server IP

IP address of the ASU certificate server.

Authentication method

Authentication mode.

WAI timeout(s)

Timeout period of an association.

BK update interval(s)

Interval for updating the base key (BK).

BK lifetime threshold(%)

Threshold for triggering BK update.

USK update interval(s)

Time-based interval for updating the unicast session key (USK).

USK update packet(k)

Packet count-based interval for updating the USK.

MSK update interval(s)

Time-based interval for updating the multicast session key (MSK).

MSK update packet(k)

Packet count-based interval for updating the MSK.

Cert auth retrans count

Number of retransmissions of certificate authentication packets.

USK negotiate retrans count

Number of retransmissions of USK negotiation packets.

MSK negotiate retrans count

Number of retransmissions of MSK negotiation packets.

USK update method

Whether the USK is updated based on a time interval or a packet count.

MSK update method

Whether the MSK is updated based on a time interval or a packet count.

display sta-access-mode (for AC)

Function

Using the display sta-access-mode command, you can check whether the blacklist or whitelist function is enabled, which determines the STA access control mode.

Format

display sta-access-mode ap { ap-id | all }

Parameters

Parameter

Description

Value

ap ap-id

Specifies an AP ID.

-

all

Displays the STA access control modes of all APs.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the blacklist function is enabled, STAs in the blacklist cannot connect to the WLAN.

After the whitelist function is enabled, only the STAs in the whitelist can connect to the WLAN.

Example

# Display the STA access control mode.
<Huawei> display sta-access-mode ap 0
  Station access control mode: disable
Table 12-75  Description of the display sta-access-mode command output

Item

Description

Station access control mode

STA access control mode:
  • disable: STA access control is disabled.
  • white list: The whitelist is used.
  • black list: The blacklist is used.

You can run the sta-access-mode (for AC) command to set the STA access control mode.

# Display the STA access control mode.
<Huawei> display sta-access-mode ap all
  AP 0 Station access control mode: disable
  AP 1 Station access control mode: disable

display sta-blacklist (for AC)

Function

The display sta-blacklist command displays the STA blacklist.

Format

display sta-blacklist

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After you run the sta-access-mode (for AC) command to enable the blacklist function, STAs in the blacklist cannot connect to the WLAN.

You can use the display sta-blacklist command to view MAC addresses of STAs in the blacklist.

Example

# Display information about the STA blacklist.

<Huawei> display sta-blacklist 
  Station mac global black list information:
  ------------------------------------------------------------------------------
  ID        MAC
  ------------------------------------------------------------------------------
  0         0026-0000-90a1
  1         0026-0000-909f
  ------------------------------------------------------------------------------
  Total number: 2
Table 12-76  Description of the display sta-blacklist command output

Item

Description

ID

STA ID in the blacklist.

MAC

MAC address of a STA in the blacklist.

Total number

Total number of STAs in the blacklist.

display sta-whitelist (for AC)

Function

The display sta-whitelist command displays the STA whitelist.

Format

display sta-whitelist

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After you run the sta-access-mode (for AC) command to enable the whitelist function, only STAs in the whitelist can connect to the WLAN.

You can run the display sta-whitelist command to view MAC addresses of STAs in the whitelist.

Example

# Display the STA whitelist.

<Huawei> display sta-whitelist 
  Station mac global white list information:
  ------------------------------------------------------------------------------
  ID        MAC
  ------------------------------------------------------------------------------
  0         0025-9e26-b9bd
  1         001e-907a-b6a6
  2         0026-0000-90a1
  ------------------------------------------------------------------------------
  Total number: 3
Table 12-77  Description of the display sta-whitelist command output
Item

Description

ID

ID of a STA.

MAC

MAC address of a STA.

Total number

Total number of STAs in the whitelist.

display wapi certificate (for AC)

Function

The display wapi certificate command displays the content of a certificate file.

Format

display wapi certificate file-name file-name

Parameters

Parameter

Description

Value

file-name file-name

Specifies a certificate file name.

The value is a string of 1 to 255 characters. It cannot contain question marks (?) or spaces and cannot start or end with double quotation marks (" ").

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view content of certificate files imported to the device.

In the command, file-name must specify the complete path of a certificate file. For example, if the certificate file as.cer is saved in the flash memory, run the display wapi certificate file-name flash:/as.cer command.

Example

# Display content of certificate file as.cer.

<Huawei> display wapi certificate file-name flash:/as.cer
  Certificate:
  Data:
    Version: V3
    Serial Number:
      4B 05 3B F4
    Signature Algorithm: sha256ECDSA192
    Issuer:
      OU = iwncomm
      CN = iwncomm
    Validity:
      Not Before: 2009-11-19 12:37:08 UTC
      Not After : 2029-11-19 12:37:08 UTC
    Subject:
      OU = iwncomm
      CN = iwncomm
    Subject Public Key Info:
      Public Key Algorithm: ECC
      Public Key: (392 bit)
      04 69 5C B1 3F 52 A1 D6 6C DD 5A 4C E7 5D 5D C8
      2B 83 BF 22 A2 F2 63 B1 FA 5F 6E 87 A8 F2 F6 31
      12 D3 A4 D4 9B 34 F9 30 35 2A 70 5B 43 48 47 47
      7D
Table 12-78  Description of the display wapi certificate command output

Item

Description

Version

Version of the X.509 certificate.

Serial Number

Serial number of the certificate.

Signature Algorithm

Algorithm used to calculate the signature.

Issuer

Certificate issuer.

Validity

Valid period of the certificate, specified by the start date and end date.

Subject

Subject of the certificate.

Subject Public Key Info

Information about the public key of the certificate.

display wlan ids attack-detected (for AC)

Function

The display wlan ids attack-detected command displays information about the attacking devices detected.

Format

display wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all types of attacking devices.

-

flood

Displays information about devices launching flood attacks.

-

spoof

Displays information about devices launching spoofing attacks.

-

wapi-psk

Displays information about devices that perform brute force cracking in WAPI-PSK authentication mode.

-

weak-iv

Displays information about devices launching weak IV attacks.

-

wep-share-key

Displays information about devices that perform brute force cracking in WEP-SK authentication mode.

-

wpa-psk

Displays information about devices that perform brute force cracking in WPA-PSK authentication mode.

-

wpa2-psk

Displays information about devices that perform brute force cracking in WPA2-PSK authentication mode.

-

mac-address mac-address

Displays information about detected devices launching attacks with specified MAC addresses.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After attack detection is enabled, you can run the display wlan ids attack-detected command to view the list of detected attacking devices.

Prerequisites

Attack detection has been enabled on the AP radio using the attack detection enable (for AC) command.

Example

# Display information of all current attacking devices.

<Huawei> display wlan ids attack-detected all
Total Number Of Entries: 4
 act = Action Frame           asr = Association Request
 aur = Authentication Request daf = Deauthentication Frame
 dar = Disassociation Request ndf = Null Data Frame
 pbr = Probe Request          rar = Reassociation Request
 eaps = EAPOL Start Frame     eapl = EAPOL Logoff Frame
 saf = Spoofed Disassociation Frame
 sdf = Spoofed Deauthentication Frame
 wiv = Weak IV Detected       nqf = Null Qos Frame
 wep = Wep Share-key          wpa = WPA
 wpa2 = WPA2                  wapi = WAPI
 #AP = number of active APs detecting, AT = Last Detected Attack Type
 Ch = Channel Number, AR = RSSI
 Attacking Device(s) Table
--------------------------------------------------------------------------------
 MAC address     AT     Ch   AR(dBm)  Last Detected Time     #AP
--------------------------------------------------------------------------------
 0010-1000-0031  saf    1    -10      2013-07-27/16:41:55    1
 0010-1000-0030  wiv    1    -10      2013-07-27/16:41:55    2
 0010-1000-002f  asr    1    -10      2013-07-27/16:41:55    2
 0010-1000-002e  saf    1    -10      2013-07-27/16:41:55    2
--------------------------------------------------------------------------------
Table 12-79  Description of the display wlan ids attack-detected all command output
Item

Description

MAC address

  • For spoofing attacks, this parameter indicates the basic service set identifier (BSSID) that forges the MAC address of an AP.
  • For other types of attacks, this parameter indicates the MAC address of the device launching attacks.

AT

Acronym of attack type.

Ch

Channel in which the last attack is detected.

AR

Average received signal strength indicator (RSSI) of the attack frames detected.

Last Detected Time

Last time at which an attack is detected.

#AP

Number of APs which detect this attack.
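A parser for the display wlan ids attack-detected all output above, added here as an example and not part of the command reference; the sample is the page's own output re-typed as a string, and the column layout is assumed from that sample alone:

```python
# Parser for the 'display wlan ids attack-detected all' output shown above.
# Added example, not Huawei code; the sample below is the page's own output re-typed
# as a constructed string, and the field layout is assumed from that sample only.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# H-H-H format from the parameter table: each H is a 4-digit hexadecimal number.
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")
LEGEND_RE = re.compile(r"(\w+) = (.+?)(?=\s{2,}\w+ = |\s*$)")
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(-?\d+)\s+(\S+)\s+(\d+)\s*$")

SAMPLE = """\
Total Number Of Entries: 4
 act = Action Frame           asr = Association Request
 aur = Authentication Request daf = Deauthentication Frame
 dar = Disassociation Request ndf = Null Data Frame
 pbr = Probe Request          rar = Reassociation Request
 eaps = EAPOL Start Frame     eapl = EAPOL Logoff Frame
 saf = Spoofed Disassociation Frame
 sdf = Spoofed Deauthentication Frame
 wiv = Weak IV Detected       nqf = Null Qos Frame
 wep = Wep Share-key          wpa = WPA
 wpa2 = WPA2                  wapi = WAPI
 #AP = number of active APs detecting, AT = Last Detected Attack Type
 Ch = Channel Number, AR = RSSI
 Attacking Device(s) Table
--------------------------------------------------------------------------------
 MAC address     AT     Ch   AR(dBm)  Last Detected Time     #AP
--------------------------------------------------------------------------------
 0010-1000-0031  saf    1    -10      2013-07-27/16:41:55    1
 0010-1000-0030  wiv    1    -10      2013-07-27/16:41:55    2
 0010-1000-002f  asr    1    -10      2013-07-27/16:41:55    2
 0010-1000-002e  saf    1    -10      2013-07-27/16:41:55    2
--------------------------------------------------------------------------------
"""


@dataclass
class AttackEntry:
    mac: str
    attack_type: str      # acronym from the AT column
    channel: int
    rssi_dbm: int
    last_detected: datetime
    detecting_aps: int


def is_hhh_mac(value: str) -> bool:
    """True if `value` is in the H-H-H form accepted by 'mac-address mac-address'."""
    return MAC_RE.match(value) is not None


def parse_attack_table(text: str) -> Tuple[int, Dict[str, str], List[AttackEntry]]:
    """Return (declared total, legend acronym -> meaning, parsed rows)."""
    declared = -1
    legend: Dict[str, str] = {}
    entries: List[AttackEntry] = []
    in_rows = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Total Number Of Entries:"):
            declared = int(line.split(":")[1])
        elif line.startswith("#AP =") or line.startswith("Ch ="):
            continue                        # column explanations, not AT acronyms
        elif line.startswith("MAC address"):
            in_rows = True                  # header row; data rows follow the rule
        elif in_rows:
            m = ROW_RE.match(raw)
            if not m:
                continue                    # separator lines
            mac, at, ch, ar, ts, aps = m.groups()
            if not is_hhh_mac(mac):
                raise ValueError(f"malformed MAC in row: {raw!r}")
            entries.append(AttackEntry(mac, at, int(ch), int(ar),
                                       datetime.strptime(ts, "%Y-%m-%d/%H:%M:%S"), int(aps)))
        else:
            for acronym, meaning in LEGEND_RE.findall(line):
                legend[acronym] = meaning.strip()
    if declared != len(entries):
        raise ValueError(f"declared {declared} entries, parsed {len(entries)}")
    return declared, legend, entries


def count_by_type(entries: List[AttackEntry], legend: Dict[str, str]) -> Dict[str, int]:
    """Count entries per attack type, keyed by the legend's long name."""
    counts: Dict[str, int] = {}
    for e in entries:
        name = legend.get(e.attack_type, e.attack_type)
        counts[name] = counts.get(name, 0) + 1
    return counts


def spoofed_bssids(entries: List[AttackEntry]) -> List[str]:
    """For saf/sdf rows the MAC column is the forged BSSID, not a client MAC."""
    return [e.mac for e in entries if e.attack_type in ("saf", "sdf")]
```

Keeping the spoofed rows apart matters when feeding this table into a SIEM: their MAC column names the AP identity being impersonated, so it must not be treated as a client address to blacklist.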

# Display information of attacking device by specifying its MAC address.

<Huawei> display wlan ids attack-detected mac-address dcd2-fc1c-77ef
 act = Action Frame           asr = Association Request
 aur = Authentication Request daf = Deauthentication Frame
 dar = Disassociation Request ndf = Null Data Frame
 pbr = Probe Request          rar = Reassociation Request
 eaps = EAPOL Start Frame     eapl = EAPOL Logoff Frame
 saf = Spoofed Disassociation Frame
 sdf = Spoofed Deauthentication Frame
 wiv = Weak IV Detected       nqf = Null Qos Frame
 wep = Wep Share-key          wpa = WPA
 wpa2 = WPA2                  wapi = WAPI
 #AP = number of active APs detecting, AT = Last Detected Attack Type
 Ch = Channel Number, AR = RSSI
 Attacking Device(s) Table
--------------------------------------------------------------------------
 MAC address                           : dcd2-fc1c-77ef
 Number of detected APs                : 1
 Channel                               : 1
 RSSI                                  : -79(dBm)
 Reported AP 1:
        AP ID                               : 13
        Flood attack type                   : asr,aur,pbr
        First detected time(Flood)          : 2012-10-25/16:51:59
        Spoof attack type                   : saf,sdf
        First detected time(Spoof)          : 2012-10-25/16:46:37
        First detected time(Weak-iv)        : -
        First detected time(Wep)            : -
        First detected time(WPA)            : -
        First detected time(WPA2)           : -
        First detected time(WAPI)           : -
--------------------------------------------------------------------------
Table 12-80  Description of the display wlan ids attack-detected mac-address mac-address command output
Item

Description

MAC address

  • For spoofing attacks, this parameter indicates the basic service set identifier (BSSID) that forges the MAC address of an AP.
  • For other types of attacks, this parameter indicates the MAC address of the device launching attacks.

Number of detected APs

Number of APs which detect this attack.

Channel

Channel in which the last attack is detected.

RSSI

Average received signal strength indicator (RSSI) of the attack frames detected.

Reported AP

Information about the AP that detected the attack.

AP ID

ID of the AP which detects the attack.

Flood attack type

Type of flood attack detected by the AP.

Spoof attack type

Type of spoofing attack detected by the AP.

First detected time

Time at which the AP first detected each type of attack.

display wlan ids attack-detected statistics (for AC)

Function

The display wlan ids attack-detected statistics command displays the number of attacks detected.

Format

display wlan ids attack-detected statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After attack detection is enabled, you can run the display wlan ids attack-detected statistics command to view the total number of all types of attacks.

Prerequisites

Attack detection has been enabled on the AP radio using the attack detection enable (for AC) command.

Example

# Display the number of attacks detected.

<Huawei> display wlan ids attack-detected statistics
Attack tracking since: 2012-07-27/16:16:06
--------------------------------------------------------------------------------
 Type                                               Total
--------------------------------------------------------------------------------
 Probe Request Frame Flood Attack                    : 7
 Authentication Request Frame Flood Attack           : 0
 Deauthentication Frame Flood Attack                 : 0
 Association Request Frame Flood Attack              : 1
 Disassociation Request Frame Flood Attack           : 8
 Reassociation Request Frame Flood Attack            : 0
 Action Frame Flood Attack                           : 0
 Null Data Frame Flood Attack                        : 0
 Null Qos Frame Flood Attack                         : 0
 EAPOL Start Frame Flood Attack                      : 0
 EAPOL Logoff Frame Flood Attack                     : 0
 Weak IVs Detected                                   : 21
 Spoofed Deauthentication Frame Attack               : 0
 Spoofed Disassociation Frame Attack                 : 2
 WEP Share-key Attack                                : 0
 WPA Attack                                          : 0
 WPA2 Attack                                         : 0
 WAPI Attack                                         : 0
--------------------------------------------------------------------------------
Table 12-81  Description of the display wlan ids attack-detected statistics command output
Item

Description

Type

Attack type:
  • Probe Request Frame Flood Attack
  • Authentication Request Frame Flood Attack
  • Deauthentication Frame Flood Attack
  • Association Request Frame Flood Attack
  • Disassociation Request Frame Flood Attack
  • Reassociation Request Frame Flood Attack
  • Action Frame Flood Attack
  • Null Data Frame Flood Attack
  • Null Qos Frame Flood Attack
  • EAPOL Start Frame Flood Attack
  • EAPOL Logoff Frame Flood Attack
  • Weak IVs Detected
  • Spoofed Deauthentication Frame Attack
  • Spoofed Disassociation Frame Attack
  • WEP Share-key Attack: brute force cracking attack in WEP-SK authentication mode
  • WPA Attack: brute force cracking attack in WPA-PSK authentication mode
  • WPA2 Attack: brute force cracking attack in WPA2-PSK authentication mode
  • WAPI Attack: brute force cracking attack in WAPI authentication mode

Total

Total number of attacks detected.

display wlan ids attack-history (for AC)

Function

The display wlan ids attack-history command displays historical records about the attacking devices detected.

Format

display wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays historical records about all types of attacking devices.

-

flood

Displays historical records about devices launching flood attacks.

-

spoof

Displays historical records about devices launching spoofing attacks.

-

wapi-psk

Displays historical records about devices that perform brute force cracking in WAPI-PSK authentication mode.

-

weak-iv

Displays historical records about devices launching weak IV attacks.

-

wep-share-key

Displays historical records about devices that perform brute force cracking in WEP-SK authentication mode.

-

wpa-psk

Displays historical records about devices that perform brute force cracking in WPA-PSK authentication mode.

-

wpa2-psk

Displays historical records about devices that perform brute force cracking in WPA2-PSK authentication mode.

-

mac-address mac-address

Displays historical records about detected devices launching attacks with specified MAC addresses.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After attack detection is enabled, information about the detected attacking devices is saved in the attacking device list. When an attacking device stops launching attacks, its entry is removed from the attacking device list and saved to the historical attacking device list. You can run the display wlan ids attack-history command to check historical records about the attacking devices detected.

Prerequisites

Attack detection has been enabled on the AP radio using the attack detection enable (for AC) command.

Example

# Display historical records of all attacking devices.

<Huawei> display wlan ids attack-history all
Total Number Of Entries: 4
 act = Action Frame           asr = Association Request
 aur = Authentication Request daf = Deauthentication Frame
 dar = Disassociation Request ndf = Null Data Frame
 pbr = Probe Request          rar = Reassociation Request
 eaps = EAPOL Start Frame     eapl = EAPOL Logoff Frame 
 saf = Spoofed Disassociation Frame
 sdf = Spoofed Deauthentication Frame
 wiv = Weak IV Detected       nqf = Null Qos Frame
 wep = Wep Share-key          wpa = WPA
 wpa2 = WPA2                  wapi = WAPI
 AP = Detector AP ID
 AT = Attack Type, Ch = Channel Number, AR = Average RSSI
 Attack History Table
--------------------------------------------------------------------------------
 MAC address   AT     Ch   AR(dBm)  Last Detected Time     AP
--------------------------------------------------------------------------------
 1010-1000-0031  saf    1    -10       2013-05-11/16:41:55  2
 1010-1000-0030  wiv    1    -10       2013-05-11/16:41:55  2
 1010-1000-002f  asr    1    -10       2013-05-11/16:41:55  2
 1010-1000-002e  saf    1    -10       2013-05-11/16:41:55  2
--------------------------------------------------------------------------------
Table 12-82  Description of the display wlan ids attack-history all command output
Item Description

MAC address

  • For spoofing attacks, this parameter is the forged BSSID, that is, the MAC address of the AP that the spoofed frames impersonate, not an address of the attacking device itself.
  • For other types of attacks, this parameter is the MAC address of the device launching the attack.

AT

Acronym of attack type.

Ch

Channel in which the last attack is detected.

AR

Average received signal strength indicator (RSSI) of the attack frames detected.

Last Detected Time

Last time at which an attack is detected.

AP

ID of the AP that detected the attack (Detector AP ID in the output legend).
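
The following Python script is an added example (not part of the command reference) that parses the output of the display wlan ids attack-history all command shown above into structured records, for example to forward them to a log collector or to count attacks per detection class. The sample output is the one printed above, embedded as a constant so the script runs offline. The acronym-to-class mapping follows the output legend and the keywords of the attack detection enable (for AC) command; the function names, the record fields and the assumption that every legend description starts with a capital letter (which is how two entries on one line are told apart) are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Sample output copied from the reference above (constructed input for this example).
SAMPLE_OUTPUT = """\
Total Number Of Entries: 4
 act = Action Frame           asr = Association Request
 aur = Authentication Request daf = Deauthentication Frame
 dar = Disassociation Request ndf = Null Data Frame
 pbr = Probe Request          rar = Reassociation Request
 eaps = EAPOL Start Frame     eapl = EAPOL Logoff Frame
 saf = Spoofed Disassociation Frame
 sdf = Spoofed Deauthentication Frame
 wiv = Weak IV Detected       nqf = Null Qos Frame
 wep = Wep Share-key          wpa = WPA
 wpa2 = WPA2                  wapi = WAPI
 AP = Detector AP ID
 AT = Attack Type, Ch = Channel Number, AR = Average RSSI
 Attack History Table
--------------------------------------------------------------------------------
 MAC address   AT     Ch   AR(dBm)  Last Detected Time     AP
--------------------------------------------------------------------------------
 1010-1000-0031  saf    1    -10       2013-05-11/16:41:55  2
 1010-1000-0030  wiv    1    -10       2013-05-11/16:41:55  2
 1010-1000-002f  asr    1    -10       2013-05-11/16:41:55  2
 1010-1000-002e  saf    1    -10       2013-05-11/16:41:55  2
--------------------------------------------------------------------------------
"""

# Acronyms grouped by the detection class that produces them; the class names
# are the keywords of `attack detection enable`.
DETECTION_CLASS = {
    **dict.fromkeys(["pbr", "aur", "daf", "asr", "dar", "rar", "act", "ndf", "nqf", "eaps", "eapl"], "flood"),
    **dict.fromkeys(["sdf", "saf"], "spoof"),
    "wiv": "weak-iv",
    "wep": "wep-share-key", "wpa": "wpa-psk", "wpa2": "wpa2-psk", "wapi": "wapi-psk",
}

# Legend entry "acronym = Description", up to two per line. Acronyms are lowercase and
# description words are capitalised, so the next lowercase "xxx = " ends an entry.
LEGEND_RE = re.compile(r"([a-z0-9]+) = ([A-Za-z0-9 -]+?)(?=\s+[a-z0-9]+ = |\s*$)")

# Table row: MAC in H-H-H form, acronym, channel, average RSSI, timestamp, detector AP ID.
ROW_RE = re.compile(
    r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+([a-z0-9]+)\s+(\d+)\s+(-?\d+)\s+"
    r"(\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+(\d+)\s*$", re.IGNORECASE)


def parse_legend(text):
    """Return {acronym: description} from the legend printed above the table."""
    legend = {}
    for line in text.splitlines():
        if "Attack History Table" in line:
            break
        for m in LEGEND_RE.finditer(line):
            legend[m.group(1)] = m.group(2).strip()
    return legend


def parse_attack_history(text):
    """Return one dict per table row with typed fields; lines that are not rows are skipped."""
    legend = parse_legend(text)
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        mac, acronym, channel, rssi, stamp, ap_id = m.groups()
        records.append({
            "mac": mac.lower(),
            "attack": acronym,
            "attack_name": legend.get(acronym, acronym),
            "detection_class": DETECTION_CLASS.get(acronym, "unknown"),
            "channel": int(channel),
            "avg_rssi_dbm": int(rssi),
            "last_detected": datetime.strptime(stamp, "%Y-%m-%d/%H:%M:%S"),
            "detector_ap_id": int(ap_id),
        })
    return records


def summarize(records):
    """Count records per detection class and per attacker MAC, for triage."""
    return (Counter(r["detection_class"] for r in records),
            Counter(r["mac"] for r in records))


if __name__ == "__main__":
    recs = parse_attack_history(SAMPLE_OUTPUT)
    by_class, by_mac = summarize(recs)
    for r in recs:
        print(f'{r["mac"]}  {r["detection_class"]:14} {r["attack_name"]:30} ap={r["detector_ap_id"]}')
    print(dict(by_class))
```

Lines that do not have the row layout are ignored, so the legend, header and separator lines of a captured session do not need to be trimmed before the text is passed to parse_attack_history().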

display wlan ids dynamic-blacklist (for AC)

Function

The display wlan ids dynamic-blacklist command displays information about devices in the dynamic blacklist.

Format

display wlan ids dynamic-blacklist { all | ap ap-id | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all devices in the dynamic blacklist.

-

ap ap-id

Displays information about attacking devices detected by a specified AP.

The value is an integer that ranges from 0 to 15.

mac-address mac-address

Displays information about attacking devices with a specified MAC address.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

An AP uses attack detection and dynamic blacklist functions to add an attacking device detected to the dynamic blacklist, and rejects packets sent from this device until the device entry in the dynamic blacklist ages. You can run the display wlan ids dynamic-blacklist command to view information about devices in the dynamic blacklist.

Prerequisites

Attack detection has been enabled on the AP radio using the attack detection enable (for AC) command, and the dynamic blacklist function has been enabled using the dynamic-blacklist enable (for AC) command.

Example

# Display information about all devices in the dynamic blacklist.

<Huawei> display wlan ids dynamic-blacklist all
Total number of entries : 2
--------------------------------------------------------------------------------
 #AP = number of active APs detecting
 MAC address       Last Updated Since    Reason   #AP
--------------------------------------------------------------------------------
 0010-1000-0002    2005-07-27/16:53:40   asr      1
 0010-1000-0005    2005-07-27/16:53:40   asr      1
--------------------------------------------------------------------------------
Table 12-83  Description of the display wlan ids dynamic-blacklist all command output
Item Description

MAC address

MAC address of the device in the dynamic blacklist.

Last Updated Since

Time of the most recent attack detection for this device, from which the aging time of the entry is counted.

Reason

Reason why the device is added to the dynamic blacklist. The values here are the acronyms of attack types. For details, see display wlan ids attack-detected (for AC).

#AP

Number of active APs that have detected the device and added it to the dynamic blacklist.

# Display information about specified devices in the dynamic blacklist.

<Huawei> display wlan ids dynamic-blacklist mac-address 1010-1000-0005
--------------------------------------------------------------------------------
 MAC address                           : 1010-1000-0005
 Reported AP 0:
  AP name                              : ap-0
  reason                               : asr
  Last Detected time                   : 2012-07-27/16:53:40
-------------------------------------------------------------------------------
Table 12-84  Description of the display wlan ids dynamic-blacklist mac-address command output
Item Description

Reported AP 0

AP that adds the device to the dynamic blacklist.

AP name

Name of the monitoring AP.

Last Detected time

Last time at which the device is detected.

dynamic-blacklist aging-duration (for AC)

Function

The dynamic-blacklist aging-duration command sets an aging time for the dynamic blacklist.

The undo dynamic-blacklist aging-duration command restores the aging time for the dynamic blacklist to the default value.

By default, the aging time for the dynamic blacklist is 600 seconds.

Format

dynamic-blacklist aging-duration duration

undo dynamic-blacklist aging-duration

Parameters

Parameter

Description

Value

duration

Specifies the aging time at the expiry of which a specified MAC address is removed from the dynamic blacklist.

The value is an integer that ranges from 180 to 3600, in seconds.

Views

AP view

Default Level

2: Configuration level

Usage Guidelines

The dynamic blacklist function is enabled using the dynamic-blacklist enable (for AC) command. When an AP detects attacks from a STA, it reports the detection to the AC, and the AC adds the STA to the dynamic blacklist, preventing the STA from going online and rejecting any packets it sends. As long as the STA is blacklisted, it cannot go online again even if it has stopped attacking. To limit this, run the dynamic-blacklist aging-duration command to set the aging time of the dynamic blacklist. When the aging time has elapsed since the last detection and the AP detects no further attack from the STA, the entry is removed and the STA is once again allowed to go online. A longer aging time keeps an attacker off the air longer but also prolongs the lockout of a STA that was blacklisted by mistake; the default is 600 seconds.

Example

# Set the aging time for the dynamic blacklist to 300 seconds.

<Huawei> system-view
[Huawei] wlan 
[Huawei-wlan-view] ap id 0
[Huawei-wlan-ap-0] dynamic-blacklist aging-duration 300
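
The following Python class is an added example (not part of the command reference and not the device's own code) that models the aging behaviour described above: an entry is created when an AP reports an attack, every further report restarts its timer, the entry is released only when aging-duration seconds have passed since the last report, and an operator can remove it early, as the reset wlan ids dynamic-blacklist mac-address command does. The 180 to 3600 second range and the 600 second default come from the command description; the class and method names and the timestamps in the usage example are this example's own.

```python
DEFAULT_AGING = 600        # seconds, the command's default
AGING_RANGE = (180, 3600)  # documented range of dynamic-blacklist aging-duration


class DynamicBlacklist:
    """Model of the AC's dynamic blacklist; times are seconds on any monotonic clock."""

    def __init__(self, aging_duration=DEFAULT_AGING):
        lo, hi = AGING_RANGE
        if not lo <= aging_duration <= hi:
            raise ValueError(f"aging-duration must be {lo}-{hi} s, got {aging_duration}")
        self.aging = aging_duration
        # mac -> {"last_updated": t, "reason": attack acronym, "aps": {ap_id, ...}}
        self.entries = {}

    def report(self, mac, reason, ap_id, now):
        """An AP reported an attack: create the entry or restart its aging timer."""
        entry = self.entries.setdefault(mac, {"last_updated": now, "reason": reason, "aps": set()})
        entry["last_updated"] = now    # 'Last Updated Since' in the display output
        entry["reason"] = reason
        entry["aps"].add(ap_id)        # '#AP' in the display output

    def expire(self, now):
        """Release entries whose last detection is at least `aging` seconds old.
        Returns the MAC addresses that are allowed to go online again."""
        released = [m for m, e in self.entries.items() if now - e["last_updated"] >= self.aging]
        for mac in released:
            del self.entries[mac]
        return released

    def is_blocked(self, mac, now):
        """True while the AC still rejects packets from `mac`."""
        self.expire(now)
        return mac in self.entries

    def time_to_release(self, mac, now):
        """Seconds until the entry ages out; 0 if the MAC is not blacklisted."""
        entry = self.entries.get(mac)
        if entry is None:
            return 0
        return max(0, entry["last_updated"] + self.aging - now)

    def release(self, mac):
        """Operator removal, as `reset wlan ids dynamic-blacklist mac-address` does."""
        return self.entries.pop(mac, None) is not None


if __name__ == "__main__":
    # Constructed timeline: aging 300 s, first report at t=0, re-detected by a second AP at t=200.
    bl = DynamicBlacklist(aging_duration=300)
    bl.report("0010-1000-0002", "asr", ap_id=0, now=0)
    bl.report("0010-1000-0002", "asr", ap_id=1, now=200)
    for t in (299, 499, 500):
        print(t, "blocked" if bl.is_blocked("0010-1000-0002", now=t) else "released")
```

The re-detection at t=200 moves the release from t=300 to t=500, which is why a STA that keeps flooding never ages out while one that stops is back after one aging period.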

dynamic-blacklist enable (for AC)

Function

The dynamic-blacklist enable command enables the dynamic blacklist function.

The undo dynamic-blacklist enable command disables the dynamic blacklist function.

By default, the dynamic blacklist function is disabled.

Format

dynamic-blacklist enable

undo dynamic-blacklist enable

Parameters

None

Views

AP view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After attack detection is enabled using the attack detection enable (for AC) command, you can run the dynamic-blacklist enable command to enable the dynamic blacklist function. When detecting attacks from a device, an AP reports the detection to the AC and the AC adds the device to the dynamic blacklist to reject any packets sent from the device until the dynamic blacklist entry ages.

An AP can use the dynamic blacklist to filter out the blacklisted wireless devices to avoid malicious attacks.

Follow-up Procedure

Run the dynamic-blacklist aging-duration (for AC) command to set an aging time for the dynamic blacklist.

Example

# Enable the dynamic blacklist function.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] ap id 0
[Huawei-wlan-ap-0] dynamic-blacklist enable

reset wlan ids attack-detected (for AC)

Function

The reset wlan ids attack-detected command deletes information about the attacking devices detected.

Format

reset wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Deletes information about all types of attacking devices.

-

flood

Deletes information about devices launching flood attacks.

-

spoof

Deletes information about devices launching spoofing attacks.

-

wapi-psk

Deletes information about devices that perform brute force cracking in WAPI-PSK authentication mode.

-

weak-iv

Deletes information about devices launching weak IV attacks.

-

wep-share-key

Deletes information about devices that perform brute force cracking in WEP-SK authentication mode.

-

wpa-psk

Deletes information about devices that perform brute force cracking in WPA-PSK authentication mode.

-

wpa2-psk

Deletes information about devices that perform brute force cracking in WPA2-PSK authentication mode.

-

mac-address mac-address

Deletes information about detected devices launching attacks with specified MAC addresses.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After attack detection is enabled, information about the attacking devices detected is recorded. When too many records have accumulated or the records are no longer needed, you can run the reset wlan ids attack-detected command to delete them.

Prerequisites

Attack detection has been enabled on the AP radio using the attack detection enable (for AC) command.

Example

# Delete information about all the current attacking devices.

<Huawei> reset wlan ids attack-detected all

reset wlan ids attack-detected statistics (for AC)

Function

The reset wlan ids attack-detected statistics command deletes the number of attacks detected.

Format

reset wlan ids attack-detected statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After attack detection is enabled, the number of attacks detected is recorded. When the counters are no longer needed, for example before a new measurement, you can run the reset wlan ids attack-detected statistics command to clear them.

Prerequisites

Attack detection has been enabled on the AP radio using the attack detection enable (for AC) command.

Example

# Delete the number of attacks detected.

<Huawei> reset wlan ids attack-detected statistics

reset wlan ids attack-history (for AC)

Function

The reset wlan ids attack-history command deletes historical records about the attacking devices detected.

Format

reset wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Deletes historical records about all types of attacking devices.

-

flood

Deletes historical records about devices launching flood attacks.

-

spoof

Deletes historical records about devices launching spoofing attacks.

-

wapi-psk

Deletes historical records about devices that perform brute force cracking in WAPI-PSK authentication mode.

-

weak-iv

Deletes historical records about devices launching weak IV attacks.

-

wep-share-key

Deletes historical records about devices that perform brute force cracking in WEP-SK authentication mode.

-

wpa-psk

Deletes historical records about devices that perform brute force cracking in WPA-PSK authentication mode.

-

wpa2-psk

Deletes historical records about devices that perform brute force cracking in WPA2-PSK authentication mode.

-

mac-address mac-address

Deletes historical records about detected devices launching attacks with specified MAC addresses.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After attack detection is enabled, historical records about the attacking devices detected are kept. When too many records have accumulated or the records are no longer needed, you can run the reset wlan ids attack-history command to delete the historical records about the attacking devices detected.

Prerequisites

Attack detection has been enabled on the AP radio using the attack detection enable (for AC) command.

Example

# Delete historical records about all the current attacking devices.

<Huawei> reset wlan ids attack-history all

reset wlan ids dynamic-blacklist (for AC)

Function

The reset wlan ids dynamic-blacklist command deletes information about devices in the dynamic blacklist.

Format

reset wlan ids dynamic-blacklist { ap ap-id | mac-address mac-address | all }

Parameters

Parameter

Description

Value

ap ap-id

Clears the dynamic blacklist entries reported by the specified AP.

The value is an integer that ranges from 0 to 15.

mac-address mac-address

Deletes devices with a specified MAC address from the dynamic blacklist.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

all

Deletes all information in the dynamic blacklist.

-

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The reset wlan ids dynamic-blacklist command is applicable to the following scenarios:
  • To recollect the dynamic blacklist information, run the reset wlan ids dynamic-blacklist all command to delete all entries in the dynamic blacklist. After that, the AC collects the information again.
  • If a device that was blacklisted unintentionally (for example, a misbehaving but legitimate client) has returned to normal operation but its dynamic blacklist entry has not yet aged, run the reset wlan ids dynamic-blacklist mac-address command to remove the MAC address of the device from the dynamic blacklist. After that, packets sent from the device are no longer rejected.

Precautions

After you run the reset wlan ids dynamic-blacklist command, the APs again accept packets from the devices whose entries were deleted, including an attacker that is still active, until it is detected and blacklisted again. Therefore, confirm the action before running this command.

Example

# Remove the client with MAC address 78AC-C0C1-C1FC from the dynamic blacklist.

<Huawei> reset wlan ids dynamic-blacklist mac-address 78ac-c0c1-c1fc

security-policy (for AC)

Function

The security-policy command configures the security policy used by a security profile.

The undo security-policy command restores the default security policy of the security profile.

By default, the wep security policy is used.

Format

security-policy { wep | wpa | wpa2 | wapi }

undo security-policy

Parameters

Parameter

Description

Value

wep

Indicates a WEP security policy. By default, open system authentication and no encryption are used.

-

wpa

Indicates a WPA security policy. By default, 802.1X, the Protected Extensible Authentication Protocol (PEAP) authentication, and TKIP encryption are used.

-

wpa2

Indicates a WPA2 security policy. By default, 802.1X, PEAP authentication, and CCMP encryption are used.

-

wapi

Indicates a WAPI security policy. By default, the WAPI-CERT authentication and WPI encryption are used.

-

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Select a security policy on a WLAN according to the required security level. WEP is a legacy security policy with known weaknesses, and its default on this device is open system authentication with no encryption, so it provides no confidentiality. Use it only in open-access scenarios that do not require high security, such as airports and railway stations. WPA, WPA2 and WAPI provide stronger protection.

  • Before running this command, ensure that a security profile has been configured. The security policy is specified in the security profile.
  • A security policy requires follow-up configuration such as pre-shared keys or certificates.
  • You need to run this command together with the ap radio and service-set (for AC) commands.

If the new configuration is not delivered to the AP after you delete or modify a security profile, user authentication may fail. Therefore, exercise caution when you run this command.

Example

# Create a security profile named p1 and set the security policy to WPA2.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] security-policy wpa2

security-profile (for AC)

Function

The security-profile command creates a security profile or enters the security profile view.

The undo security-profile command deletes a security profile according to the ID or name.

By default, no security profile is created.

Format

security-profile { id profile-id | name profile-name } *

undo security-profile { all | id profile-id | name profile-name }

Parameters

Parameter

Description

Value

id profile-id

Specifies the ID of a security profile.

The value is an integer that ranges from 0 to 15.

name profile-name

Specifies the name of a security profile.

The value is a string of 1 to 31 case-insensitive characters. It does not contain question marks (?) or spaces, and cannot begin or end with double quotation marks (" ").

all

Indicates all security profiles.

-

Views

WLAN view

Default Level

2: Configuration level

Usage Guidelines

You can run this command to configure access security. A security profile must be configured before you specify an authentication mode in the profile. To delete a security profile, run the undo security-profile command.

The system configures the new profile with the following default values:
  • WEP: open system authentication and no encryption
  • WPA: 802.1X+PEAP authentication and TKIP encryption
  • WPA2: 802.1X+PEAP authentication and CCMP encryption
  • WAPI: WAPI certificate authentication and WPI encryption
NOTE:
  • If you enter only a name, the system checks whether a profile with that name exists. If so, you enter the profile view. If not, the profile is created.
  • If you enter only an ID, the system checks whether a profile with that ID exists. If so, you enter the profile view. If not, an error message is displayed and no profile is created.
  • If you enter both a name and an ID and they belong to the same existing profile, you enter the profile view. If neither exists, a profile with the specified ID and name is created and you enter the profile view.

Example

# Configure a security profile named p1.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1

sta-access-mode (for AC)

Function

The sta-access-mode command sets the STA access control mode of one or more APs: blacklist, whitelist, or disabled.

The undo sta-access-mode command disables the blacklist or whitelist function on the specified APs.

By default, the blacklist or whitelist function is disabled.

Format

sta-access-mode ap { { start-id [ to end-id ] } &<1-10> | all } { blacklist | whitelist | disable }

undo sta-access-mode ap { { start-id [ to end-id ] } &<1-10> | all }

Parameters

Parameter

Description

Value

ap start-id [ to end-id ]

Specifies an AP ID or a range of AP IDs. Up to 10 IDs or ranges can be specified in one command.

The value is an integer that ranges from 0 to 15.

blacklist

Enables the blacklist function.

-

whitelist

Enables the whitelist function.

-

disable

Disables the blacklist or whitelist function.

-

all

Specifies all APs.

-

Views

WLAN view

Default Level

2: Configuration level

Usage Guidelines

  • The blacklist configured using the sta-blacklist (for AC) command takes effect only after the blacklist function is enabled using the sta-access-mode command.
  • The whitelist configured using the sta-whitelist (for AC) command takes effect only after the whitelist function is enabled using the sta-access-mode command.

Example

# Enable the blacklist function on the AP 0.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] sta-access-mode ap 0 blacklist

sta-blacklist (for AC)

Function

The sta-blacklist command adds a STA's MAC address to the STA blacklist.

The undo sta-blacklist command deletes a STA's MAC address, or all MAC addresses, from the STA blacklist.

By default, no blacklist is created.

Format

sta-blacklist mac-address

undo sta-blacklist { mac-address | all }

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address in the blacklist.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

all

Deletes all MAC addresses from the blacklist.

-

Views

WLAN view

Default Level

2: Configuration level

Usage Guidelines

Users whose MAC addresses are in the blacklist cannot be associated with APs and cannot access resources on WLAN networks.

The configured blacklist can take effect only after the blacklist function is enabled by using the sta-access-mode (for AC) command.

Example

# Add a STA's MAC address to the STA blacklist.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] sta-blacklist 0014-2261-2a43

sta-whitelist (for AC)

Function

The sta-whitelist command adds a STA's MAC address to the STA whitelist.

The undo sta-whitelist command deletes a STA's MAC address, or all MAC addresses, from the STA whitelist.

By default, no STA whitelist is created.

Format

sta-whitelist mac-address

undo sta-whitelist { mac-address | all }

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address in the whitelist.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

all

Deletes all MAC addresses from the whitelist.

-

Views

WLAN view

Default Level

2: Configuration level

Usage Guidelines

Users whose MAC addresses are in the whitelist can be associated with APs and access resources on WLAN networks.

The configured whitelist can take effect only after the whitelist function is enabled by using the sta-access-mode (for AC) command. After the configured whitelist takes effect, users whose MAC addresses are not in the whitelist cannot access network resources.

NOTE:
If whitelist mode is enabled but no MAC address has been added to the whitelist, the whitelist imposes no restriction and any STA can access WLAN network resources. Add the intended MAC addresses before enabling whitelist mode.

Example

# Add a STA's MAC address to the STA whitelist.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] sta-whitelist 0011-43c7-d73e
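
The following Python script is an added example (not part of the command reference) that builds the STA access-control commands from the sta-access-mode, sta-blacklist and sta-whitelist descriptions above. It normalises MAC addresses from common notations into the H-H-H format these commands (and the reset wlan ids dynamic-blacklist mac-address command) require, emits the list entries before the sta-access-mode command so the list is complete when it takes effect, and refuses to enable whitelist mode with an empty whitelist, which, as noted above, would let any STA associate. The command syntax and the 0 to 15 AP ID range are from the reference; the function names, the accepted input notations and the sample addresses are this example's own.

```python
import re

# Input notations accepted: colon/hyphen-separated pairs, dotted or hyphenated quads, bare 12 digits.
MAC_NOTATIONS = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}[.-]){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$",
    re.IGNORECASE,
)
AP_ID_RANGE = (0, 15)   # documented AP ID range
MAX_AP_SPECS = 10       # sta-access-mode accepts up to 10 IDs or ranges (&<1-10>)


def to_hhh(mac):
    """Normalise a MAC address to the H-H-H form (four hex digits per group, lowercase)
    that sta-blacklist, sta-whitelist and the reset wlan ids commands expect,
    e.g. '00:11:43:C7:D7:3E' -> '0011-43c7-d73e'."""
    mac = mac.strip()
    if not MAC_NOTATIONS.match(mac):
        raise ValueError(f"not a MAC address in a recognised notation: {mac!r}")
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def is_valid_mac(mac):
    """True if to_hhh() accepts the string."""
    try:
        to_hhh(mac)
        return True
    except ValueError:
        return False


def access_control_config(ap_ids, mode, macs):
    """Return the WLAN-view command lines that populate the blacklist or whitelist
    and then set the access mode on the given APs.

    ap_ids: "all" or a list of AP IDs; mode: "blacklist", "whitelist" or "disable".
    List entries come before sta-access-mode so the list is complete when it takes
    effect. Whitelist mode with an empty list is refused: per the reference an
    empty whitelist lets any STA associate.
    """
    if mode not in ("blacklist", "whitelist", "disable"):
        raise ValueError(f"unknown access mode {mode!r}")
    if ap_ids == "all":
        ap_spec = "all"
    else:
        ids = list(ap_ids)
        lo, hi = AP_ID_RANGE
        if not ids or len(ids) > MAX_AP_SPECS or any(not lo <= i <= hi for i in ids):
            raise ValueError(f"AP IDs must be 1-{MAX_AP_SPECS} values in {lo}-{hi}: {ids}")
        ap_spec = " ".join(str(i) for i in ids)
    entries = sorted({to_hhh(m) for m in macs})   # de-duplicated, canonical form
    if mode == "whitelist" and not entries:
        raise ValueError("refusing to enable whitelist mode with an empty whitelist")
    lines = []
    if mode != "disable":
        keyword = "sta-blacklist" if mode == "blacklist" else "sta-whitelist"
        lines.extend(f"{keyword} {mac}" for mac in entries)
    lines.append(f"sta-access-mode ap {ap_spec} {mode}")
    return lines


if __name__ == "__main__":
    # Constructed input: two STAs to block on AP 0, given in mixed notations (one duplicated).
    for line in access_control_config([0], "blacklist",
                                      ["00:14:22:61:2A:43", "0014-2261-2a43", "78ac.c0c1.c1fc"]):
        print(line)
```

The printed lines are meant to be pasted into WLAN view; the script only validates and formats, it does not talk to the AC.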

user-isolate (for AC)

Function

The user-isolate command enables Layer 2 user isolation.

The undo user-isolate command disables Layer 2 user isolation.

By default, Layer 2 user isolation is disabled.

Format

user-isolate

undo user-isolate

Parameters

None

Views

Service set view

Default Level

2: Configuration level

Usage Guidelines

When multiple wireless users associate with the same VAP, a compromised or misbehaving user can send a large number of broadcast packets to the other users, degrading their data services. After Layer 2 user isolation is enabled, wireless users associated with the same VAP cannot exchange frames at Layer 2 through the AP; their traffic can reach each other only at Layer 3 through the gateway. This ensures secure data transmission between users.

Example

# Create a service set ChinaNet and configure Layer 2 user isolation.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] service-set name ChinaNet 
[Huawei-wlan-service-set-ChinaNet] user-isolate

wapi asu (for AC)

Function

The wapi asu command specifies an IP address for an authentication server unit (ASU) server.

The undo wapi asu command deletes the IP address of the ASU server.

By default, no IP address is specified for the ASU server.

Format

wapi asu ip ip-address

undo wapi asu ip

Parameters

Parameter

Description

Value

ip-address

Specifies an IP address for the ASU server.

The value is in dotted decimal notation.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If WAPI certificate authentication is configured, an AC sends WAPI authentication packets to the ASU server at the specified IP address.

Prerequisites

If WAPI certificate authentication is specified as a security policy in a security profile, run the wapi asu command to specify an IP address for the ASU server.

Precautions

The wapi asu command determines the ASU server to which WAPI packets are sent. Make sure that both the ASU server address and the imported ASU certificate are correct; otherwise, user authentication fails.

Example

# Specify IP address 10.164.10.10 for the ASU server.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wapi asu ip 10.164.10.10  

wapi authentication-method (for AC)

Function

The wapi authentication-method command configures the WAPI authentication mode.

The undo wapi authentication-method command restores the default WAPI authentication mode.

By default, WAPI certificate authentication is used.

Format

wapi authentication-method psk { pass-phrase | hex } cipher cipher-key

wapi authentication-method certificate

undo wapi authentication-method

Parameters

Parameter

Description

Value

certificate

Configures WAPI certificate authentication.

-

psk

Configures WAPI pre-shared key authentication.

-

pass-phrase

Specifies the key phrase.

-

hex

Specifies a hexadecimal number.

A hex key offers less complexity than a pass-phrase, so pass-phrase is recommended.

-

cipher cipher-key

Specifies a password in cipher text.

In pass-phrase mode, the key is a string of 8 to 64 characters in plain text or 32 to 108 characters in cipher text. In hex mode, the key is a string of 8 to 32 hexadecimal digits with an even length in plain text, or a string of 32 to 68 characters in cipher text.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

WAPI supports two authentication modes: certificate authentication and pre-shared key authentication. When pre-shared key authentication is used, a pre-shared key must be configured.

  • If WAPI authentication is specified as a security policy in a security profile, you can run the wapi authentication-method command to configure the WAPI authentication mode.
  • The wapi authentication-method command determines the WAPI authentication and key management mode. When certificate authentication and key management are configured, authentication involves identity authentication and key negotiation, and the authentication server and certificate need to be configured. When pre-shared key authentication is configured, a pre-shared key needs to be configured, and STAs also need to know the pre-shared key. In this situation, authentication just involves key negotiation.

Example

# Set the WAPI authentication mode to pre-shared key authentication and specify the key.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wapi authentication-method psk pass-phrase cipher huawei@123 

wapi bk (for AC)

Function

The wapi bk command sets the interval for updating a BK and the BK lifetime percentage.

The undo wapi bk command restores the default interval for updating a BK and the BK lifetime percentage.

By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.

Format

wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }

undo wapi { bk-threshold | bk-update-interval }

Parameters

Parameter

Description

Value

bk-threshold bk-threshold

Specifies the BK lifetime percentage.

The value is an integer that ranges from 1 to 100.

bk-update-interval bk-update-interval

Specifies the interval for updating a BK.

The value is an integer that ranges from 600 to 604800, in seconds.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Periodically updating the BK (and the MSK, configured using the wapi msk (for AC) command) limits how long a single key remains in use, which improves security.

Example

# Set the interval for updating a BK to 10000s and the BK lifetime percentage to 80%.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wapi bk-update-interval 10000   
[Huawei-wlan-sec-prof-p1] wapi bk-threshold 80

wapi import certificate (for AC)

Function

The wapi import certificate command imports the AC certificate file, certificate of the AC certificate issuer, and ASU certificate file.

The undo wapi certificate command deletes the imported AC certificate file, certificate of the AC certificate issuer, or ASU certificate file.

By default, the AC certificate file, certificate of the AC certificate issuer, and ASU certificate file are not imported.

Format

wapi import certificate { ac | asu | issuer } file-name file-name [ password cipher password ]

undo wapi certificate { issuer | ac | asu }

Parameters

Parameter

Description

Value

issuer

Specifies the certificate of the AC certificate issuer.

-

ac

Specifies the AC certificate.

-

asu

Specifies the ASU certificate.

-

file-name file-name

Specifies the name of a certificate file. The complete path of the file must be specified, for example, flash:/local_ac.cer.

The value is a string of 1 to 255 characters. It cannot contain question marks (?) or spaces and cannot start or end with double quotation marks (" ").

password cipher password

Specifies the password that protects the certificate file.

  • The password can be in plain text or cipher text.

    • A plain text password is a string of 1 to 32 characters.
    • A cipher text password is a string of 32 to 68 characters.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

  • If WAPI certificate authentication is specified as a security policy in a security profile, run the wapi import certificate command to import the AC certificate, the certificate of the AC certificate issuer, and the ASU certificate. STAs fail to be authenticated if these certificates are not imported. The issuer certificate is used to verify that the AC certificate has not been modified.
  • Before using this command, upload the AC certificate, its private key, and the ASU certificate to the storage of the device (for example, using TFTP). Certificates must be X.509 v3 certificates that comply with the WAPI standard; otherwise, they cannot be imported.
  • After this command is run:
    • When an issuer certificate is configured, the system checks the correctness of the AC certificate against it.
    • If the authentication system uses only two certificates, the issuer certificate and the ASU certificate are the same certificate and have the same file name. If the authentication system uses three certificates, the issuer certificate and the ASU certificate are different and both must be imported.
NOTE:
  • The ASU certificate and issuer certificate must be imported.
  • Certificates to be imported must be valid and correct.
  • If a certificate with the same file name but different contents has been imported by another security profile, delete the earlier certificate first.

Example

# Import the AC certificate.
<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wapi import certificate ac file-name flash:/local_ac.cer  

wapi cert-retrans-count (for AC)

Function

The wapi cert-retrans-count command sets the number of retransmissions of certificate authentication packets.

The undo wapi cert-retrans-count command restores the default number of retransmissions of certificate authentication packets.

By default, the number of retransmissions is 3.

Format

wapi cert-retrans-count cert-count

undo wapi cert-retrans-count

Parameters

  • cert-count: Specifies the number of retransmissions of certificate authentication packets. Value: an integer that ranges from 1 to 10.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

If WAPI authentication is specified as a security policy using the security-policy (for AC) command, run the wapi cert-retrans-count command to set the number of retransmissions of certificate authentication packets.

Example

# Set the number of retransmissions of certificate authentication packets to 5.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wapi cert-retrans-count 5

wapi msk (for AC)

Function

The wapi msk command sets the interval for updating an MSK, number of packets that will trigger MSK update, and number of retransmissions of MSK negotiation packets.

The undo wapi msk command restores the default interval for updating an MSK, number of packets that will trigger MSK update, and number of retransmissions of MSK negotiation packets.

By default, the interval for updating an MSK is 86400s; the number of packets that will trigger MSK update is 10; the number of retransmissions of MSK negotiation packets is 3.

Format

wapi { msk-update-interval msk-interval | msk-update-packet msk-packet | msk-retrans-count msk-count }

undo wapi { msk-update-interval | msk-update-packet | msk-retrans-count }

Parameters

  • msk-update-interval msk-interval: Specifies the interval for updating an MSK. When the MSK update mode is set to time-based update using the wapi key-update (for AC) command, the interval for updating an MSK needs to be set. Value: an integer that ranges from 600 to 604800, in seconds.
  • msk-update-packet msk-packet: Specifies the number of packets that will trigger MSK update. When the MSK update mode is set to packet count-based update using the wapi key-update (for AC) command, the number of packets that will trigger MSK update needs to be set. Value: an integer that ranges from 1 to 4294967295.
  • msk-retrans-count msk-count: Specifies the number of retransmissions of MSK negotiation packets. Value: an integer that ranges from 1 to 10.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the USK and MSK have a lifetime. The USK or MSK needs to be updated when its lifetime ends. To enhance security, WAPI provides the following key update mechanisms:
  • Time-based key update: periodically updates a key.
  • Packet-based key update: updates a key when the number of packets encrypted using the key reaches the specified value.

Example

# Set the interval for updating an MSK to 10000s, number of packets that will trigger MSK update to 1200, and number of retransmissions of MSK negotiation packets to 5.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wapi msk-update-interval 10000 
[Huawei-wlan-sec-prof-p1] wapi msk-update-packet 1200   
[Huawei-wlan-sec-prof-p1] wapi msk-retrans-count 5 

wapi import private-key (for AC)

Function

The wapi import private-key command imports the AC private key file.

The undo wapi private-key command deletes the imported AC private key file.

By default, no AC private key file is imported.

Format

wapi import private-key file-name file-name [ password cipher cipher-password ]

undo wapi private-key

Parameters

  • file-name file-name: Specifies the name of the private key file. Value: a string of 1 to 255 characters. It cannot contain question marks (?) or spaces and cannot start or end with double quotation marks (" ").
  • password: Specifies the password of the AC private key file.
  • cipher cipher-password: Specifies the password in cipher text. The password can be entered in plain text or cipher text: a plain text password is a string of 1 to 32 characters; a cipher text password is a string of 32 to 68 characters.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

  • If WAPI certificate authentication is specified as a security policy in a security profile, run the wapi import private-key command to specify the private key file for the AC certificate.
  • Before using this command, store the AC private key file to the storage of the device, and import the private key file using TFTP.
  • After this command is used, the system obtains the private key file and establishes the mapping between the certificate and private key.
NOTE:

The certificate and private key to be imported must be valid and correct.

Example

# Import the AC private key file ac_key.key.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wapi import private-key file-name flash:/ac_key.key

wapi sa-timeout (for AC)

Function

The wapi sa-timeout command sets the timeout period of the security association (SA) used for key encryption.

The undo wapi sa-timeout command restores the default timeout period of the SA used for key encryption.

By default, the timeout period of an SA is 60s.

Format

wapi sa-timeout sa-time

undo wapi sa-timeout

Parameters

  • sa-time: Specifies the timeout period of an SA. Value: an integer that ranges from 1 to 255, in seconds.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Increasing the WAPI SA timeout period raises the authentication success ratio.

Example

# Set the timeout period of an SA to 100s.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wapi sa-timeout 100

wapi key-update (for AC)

Function

The wapi key-update command sets the USK and MSK update mode.

The undo wapi key-update command restores the default USK and MSK update mode.

By default, USKs and MSKs are updated based on time.

Format

wapi { usk | msk } key-update { disable | time-based | packet-based | timepacket-based }

undo wapi { usk | msk } key-update

Parameters

  • usk: Indicates USK update.
  • msk: Indicates MSK update.
  • disable: Disables key update.
  • time-based: Indicates time-based update. You can run the wapi msk (for AC) and wapi usk (for AC) commands to set the intervals for updating an MSK and a USK respectively.
  • packet-based: Indicates packet count-based update. You can run the wapi msk (for AC) and wapi usk (for AC) commands to set the numbers of packets that will trigger MSK update and USK update.
  • timepacket-based: Indicates time-based update combined with packet count-based update. You can run the wapi msk (for AC) and wapi usk (for AC) commands to set the intervals for updating an MSK and a USK and the numbers of packets that will trigger MSK update and USK update.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

  • To ensure network security, update keys in a timely manner. There are several key update modes. To change the WAPI key update mode, run the wapi key-update command.
  • The wapi key-update command sets the USK and MSK update mode. If the interval for updating an MSK or a USK is too long or the number of packets that will trigger MSK or USK update is too large, key security cannot be ensured.
  • If disable is specified, keys will not be updated.

Example

# Set the USK update mode to packet count-based update.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wapi usk key-update packet-based  
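
The following Python program is an added example, not Huawei code, that models how the four wapi key-update modes interact with the wapi usk and wapi msk settings documented above: which condition triggers a renegotiation under each mode, how long a single key can stay in use at a given traffic rate, and which settings fall outside the documented value ranges. The class, the function names and the audit threshold are assumptions made for illustration; the AC's internal behaviour is not visible on this page. The same model applies to USK and MSK, whose commands document identical ranges and defaults.

```python
from dataclasses import dataclass
from typing import List, Optional

# Defaults and ranges as documented for wapi usk / wapi msk (assumed here to
# apply identically to both key types, as the two command pages state).
DEFAULT_INTERVAL_S = 86400
DEFAULT_PACKETS = 10
DEFAULT_RETRANS = 3
MODES = ("disable", "time-based", "packet-based", "timepacket-based")


def range_error(mode: str, interval_s: int, packets: int, retrans: int) -> Optional[str]:
    """Return the first violated constraint from the parameter tables, or None."""
    if mode not in MODES:
        return f"unknown key-update mode {mode!r}"
    if not 600 <= interval_s <= 604800:
        return "update interval must be 600..604800 seconds"
    if not 1 <= packets <= 4294967295:
        return "update packet count must be 1..4294967295"
    if not 1 <= retrans <= 10:
        return "retransmission count must be 1..10"
    return None


@dataclass(frozen=True)
class KeyUpdatePolicy:
    """One key type's settings: wapi {usk|msk} key-update plus wapi usk/msk."""
    mode: str = "time-based"              # key-update default on the page
    interval_s: int = DEFAULT_INTERVAL_S  # *-update-interval: 600..604800 s
    packets: int = DEFAULT_PACKETS        # *-update-packet: 1..4294967295
    retrans: int = DEFAULT_RETRANS        # *-retrans-count: 1..10

    def __post_init__(self) -> None:
        err = range_error(self.mode, self.interval_s, self.packets, self.retrans)
        if err:
            raise ValueError(err)

    def needs_update(self, key_age_s: int, packets_encrypted: int) -> bool:
        """True when the key must be renegotiated under this policy."""
        by_time = key_age_s >= self.interval_s
        by_packets = packets_encrypted >= self.packets
        if self.mode == "disable":
            return False
        if self.mode == "time-based":
            return by_time
        if self.mode == "packet-based":
            return by_packets
        return by_time or by_packets  # timepacket-based: either trigger fires

    def max_key_lifetime_s(self, packets_per_second: float) -> Optional[float]:
        """Longest a single key stays in use at the given traffic rate, or
        None when updates are disabled (the key is never renegotiated)."""
        if self.mode == "disable":
            return None
        by_packets = (self.packets / packets_per_second
                      if packets_per_second > 0 else float("inf"))
        if self.mode == "time-based":
            return float(self.interval_s)
        if self.mode == "packet-based":
            return by_packets
        return min(float(self.interval_s), by_packets)


def audit(policy: KeyUpdatePolicy, packets_per_second: float,
          max_lifetime_s: float) -> List[str]:
    """Findings for a profile whose keys may outlive max_lifetime_s. The
    threshold is a local policy choice; the page gives no recommended value."""
    findings: List[str] = []
    lifetime = policy.max_key_lifetime_s(packets_per_second)
    if lifetime is None:
        findings.append("key update disabled: keys are never renegotiated")
    elif lifetime > max_lifetime_s:
        findings.append(f"key may live {lifetime:.0f}s, above limit {max_lifetime_s:.0f}s")
    return findings


if __name__ == "__main__":
    # The page's own example values: 10000 s, 1200 packets, 5 retransmissions.
    p = KeyUpdatePolicy("timepacket-based", 10000, 1200, 5)
    print(p.needs_update(9000, 1200), audit(p, 0.01, 3600))
```

The audit treats a profile with key update disabled as a finding in its own right, which matches the usage guideline that keys must be updated in a timely manner; for the other modes it reports only when the longer of the two triggers exceeds the local threshold, because in timepacket-based mode whichever trigger fires first ends the key's lifetime.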

wapi usk (for AC)

Function

The wapi usk command sets the interval for updating a USK, number of packets that will trigger USK update, and number of retransmissions of USK negotiation packets.

The undo wapi usk command restores the default interval for updating a USK, number of packets that will trigger USK update, and number of retransmissions of USK negotiation packets.

By default, the interval for updating a USK is 86400s; the number of packets that will trigger USK update is 10; the number of retransmissions of USK negotiation packets is 3.

Format

wapi { usk-update-interval usk-interval | usk-update-packet usk-packet | usk-retrans-count usk-count }

undo wapi { usk-update-interval | usk-update-packet | usk-retrans-count }

Parameters

  • usk-update-interval usk-interval: Specifies the interval for updating a USK. When the USK update mode is set to time-based update using the wapi key-update (for AC) command, the interval for updating a USK needs to be set. Value: an integer that ranges from 600 to 604800, in seconds.
  • usk-update-packet usk-packet: Specifies the number of packets that will trigger USK update. When the USK update mode is set to packet count-based update using the wapi key-update (for AC) command, the number of packets that will trigger USK update needs to be set. Value: an integer that ranges from 1 to 4294967295.
  • usk-retrans-count usk-count: Specifies the number of retransmissions of USK negotiation packets. Value: an integer that ranges from 1 to 10.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the USK and MSK have a lifetime. The USK or MSK needs to be updated when its lifetime ends. To enhance security, WAPI provides the following key update mechanisms:
  • Time-based key update: periodically updates a key.
  • Packet-based key update: updates a key when the number of packets encrypted using the key reaches the specified value.

Example

# Set the interval for updating a USK to 10000s, number of packets that will trigger USK update to 1200, and number of retransmissions of USK negotiation packets to 5.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wapi usk-update-interval 10000 
[Huawei-wlan-sec-prof-p1] wapi usk-update-packet 1200   
[Huawei-wlan-sec-prof-p1] wapi usk-retrans-count 5  

wep authentication-method (for AC)

Function

The wep authentication-method command configures the WEP authentication mode.

The undo wep authentication-method command restores the default WEP authentication mode.

By default, open system authentication is used.

Format

wep authentication-method { open-system [ data-encrypt ] | share-key }

undo wep authentication-method

Parameters

  • open-system: Sets the WEP authentication mode to open system authentication.
  • share-key: Sets the WEP authentication mode to pre-shared key authentication.
  • data-encrypt: Sets the WEP authentication mode to open system authentication with data encryption.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can select security policies on a WLAN based on the required security level. WEP is a legacy security policy with known security weaknesses. It can be used in open scenarios that do not require high security, such as airports and railway stations. You can run this command to set the WEP authentication mode to open system authentication or pre-shared key authentication.

Table 12-85  Comparison between open system authentication and pre-shared key authentication

  • open-system. Advantage: wireless devices can connect to a network without authentication. Disadvantage: STA identities are not checked, which brings security risks.
  • share-key. Advantage: a pre-shared key is used to enhance security. Disadvantages: a long key string must be configured on each device, which is difficult to scale; a static key is used, which is easy to crack.

Precautions

  • If the authentication mode is set to share-key, run the wep key (for AC) command to configure a pre-shared key.
  • If the authentication mode is set to open-system without data-encrypt, the WEP pre-shared key configured in the profile cannot take effect.
  • If the authentication mode is set to open-system with data-encrypt, run the wep key (for AC) command to configure a pre-shared key.

Example

# Create security profile p1 and set the authentication mode to share-key.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile name p1  
[Huawei-wlan-sec-prof-p1] wep authentication-method share-key

wep default-key (for AC)

Function

The wep default-key command sets the default key ID for WEP authentication or encryption.

The undo wep default-key command restores the default key ID for WEP authentication or encryption.

By default, key 0 is used for WEP authentication or encryption.

Format

wep default-key key-id

undo wep default-key

Parameters

  • key-id: Specifies the default key ID. Value: an integer that ranges from 0 to 3.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

  • A maximum of four WEP keys can be configured, and only one WEP key is used for authentication and encryption. This command specifies which key to use.
  • After a key ID is specified, the specified key is used for authentication or encryption.

Example

# Set the default key ID to 1.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wep default-key 1 

wep key (for AC)

Function

The wep key command sets a WEP key.

The undo wep key command deletes the specified key.

By default, the device does not set a WEP key.

Format

wep key { wep-40 | wep-104 } { pass-phrase | hex } key-id cipher cipher-key-value

undo wep key key-id

Parameters

  • wep-40: Configures WEP-40 authentication.
  • wep-104: Configures WEP-104 authentication.
  • pass-phrase: Specifies the key as a pass phrase (ASCII characters).
  • hex: Specifies the key as a hexadecimal number.
  • key-id: Specifies the key ID. Value: an integer that ranges from 0 to 3.
  • cipher cipher-key-value: Specifies the key in cipher text. The key can be entered in plain text or cipher text:
    • A plain text key is a string of case-sensitive characters. If WEP-40 is used, the WEP key is 10 hexadecimal characters (hex) or 5 ASCII characters (pass-phrase). If WEP-104 is used, the WEP key is 26 hexadecimal characters (hex) or 13 ASCII characters (pass-phrase).
    • A cipher text key is a character string in cipher text. You are advised to enter the key in plain text and then use the cipher text displayed in the configuration as the cipher text key.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

To connect to a WLAN device in WEP shared-key authentication mode or open system authentication+data encryption mode, run the wep key command to set a WEP key.

NOTE:

If the key is in hexadecimal notation, you can enter hexadecimal numbers without entering 0x.

Example

# Configure a WEP key and its ID.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] wep key wep-40 hex 1 cipher 1234567890 

authentication-method dot1x encryption-method (for AC)

Function

The authentication-method dot1x encryption-method command configures 802.1X authentication and encryption for WPA and WPA2.

The undo authentication-method command disables WPA and WPA2 authentication and encryption.

By default, WPA uses 802.1X authentication+TKIP encryption, and WPA2 uses 802.1X authentication+CCMP encryption.

Format

{ wpa | wpa2 } authentication-method dot1x encryption-method { tkip | ccmp }

undo { wpa | wpa2 } authentication-method

Parameters

  • wpa: Configures WPA authentication.
  • wpa2: Configures WPA2 authentication.
  • tkip: Configures TKIP encryption.
  • ccmp: Configures CCMP encryption.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

WPA/WPA2 authentication includes WPA/WPA2 pre-shared key authentication and 802.1X authentication, which are also called WPA/WPA2 personal edition and WPA/WPA2 enterprise edition respectively. 802.1X authentication is of high security and is applicable to enterprise networks.

To access a WLAN device using WPA or WPA2 802.1X authentication, run the authentication-method dot1x encryption-method command.

Example

# Configure WPA authentication (802.1X authentication and TKIP encryption).

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] security-policy wpa
[Huawei-wlan-sec-prof-p1] wpa authentication-method dot1x encryption-method tkip

# Configure WPA2 authentication (802.1X authentication and TKIP encryption).

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] security-policy wpa2
[Huawei-wlan-sec-prof-p1] wpa2 authentication-method dot1x encryption-method tkip

authentication-method psk encryption-method (for AC)

Function

The authentication-method psk encryption-method command configures pre-shared key authentication and encryption for WPA and WPA2.

The undo authentication-method command disables WPA and WPA2 authentication and encryption.

By default, WPA uses 802.1X authentication+TKIP encryption, and WPA2 uses 802.1X authentication+CCMP encryption.

Format

{ wpa | wpa2 } authentication-method psk { pass-phrase | hex } cipher cipher-key encryption-method { tkip | ccmp }

undo { wpa | wpa2 } authentication-method

Parameters

  • wpa: Configures WPA authentication.
  • wpa2: Configures WPA2 authentication.
  • pass-phrase: Specifies the key as a pass phrase.
  • hex: Specifies the key as a hexadecimal number. A key entered in hex does not have enough complexity, so pass-phrase is recommended.
  • cipher cipher-key: Specifies the key in cipher text. Value: 8 to 63 characters in plain text (pass-phrase), 64 hexadecimal characters in plain text (hex), or 32 to 108 characters in cipher text.
  • tkip: Configures TKIP encryption.
  • ccmp: Configures CCMP encryption.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

To access a WLAN device using WPA or WPA2 pre-shared key authentication, run the wpa authentication-method psk encryption-method command.

NOTE:

If the key is in hexadecimal notation, you can enter hexadecimal numbers without entering 0x.

Example

# Configure WPA pre-shared key authentication and the authentication key.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] security-policy wpa
[Huawei-wlan-sec-prof-p1] wpa authentication-method psk pass-phrase cipher huawei@123 encryption-method ccmp  

# Configure WPA2 pre-shared key authentication and the authentication key.

<Huawei> system-view
[Huawei] wlan ac
[Huawei-wlan-view] security-profile id 10 name p1
[Huawei-wlan-sec-prof-p1] security-policy wpa2
[Huawei-wlan-sec-prof-p1] wpa2 authentication-method psk pass-phrase cipher huawei@123 encryption-method ccmp  
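
The following Python program is an added example, not Huawei code, showing how the two key forms accepted by authentication-method psk relate to each other: a pass-phrase of 8 to 63 characters is expanded with PBKDF2-HMAC-SHA1 (4096 iterations, salted with the SSID, as IEEE 802.11i specifies for WPA/WPA2-Personal) into the same 256-bit key that the hex form supplies directly as 64 hexadecimal characters. The function names are assumptions; the test vector is the published IEEE one (pass-phrase "password", SSID "IEEE"), and the key huawei@123 from the configuration example above is used only to show how a value is classified.

```python
import hashlib
import re

# 64 hex digits = 256-bit key given directly (the hex keyword).
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def classify_psk(value: str) -> str:
    """Map a key value to the keyword the command expects for it, 'pass-phrase'
    or 'hex', applying the length rules from the parameter table. Raises
    ValueError when the value fits neither form."""
    if HEX64.match(value):
        return "hex"
    if 8 <= len(value) <= 63 and value.isascii() and value.isprintable():
        return "pass-phrase"
    raise ValueError("PSK must be 8 to 63 printable ASCII characters or 64 hex digits")


def is_valid_psk(value: str) -> bool:
    """Convenience wrapper: True if classify_psk() accepts the value."""
    try:
        classify_psk(value)
        return True
    except ValueError:
        return False


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits),
    the mapping IEEE 802.11i defines for WPA/WPA2 pre-shared key mode."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_to_pmk(value: str, ssid: str) -> bytes:
    """Normalise either accepted form to the 32-byte PMK the network uses."""
    if classify_psk(value) == "hex":
        return bytes.fromhex(value)
    return derive_pmk(value, ssid)


def equivalent_forms(passphrase: str, hex_key: str, ssid: str) -> bool:
    """True if a pass-phrase entry and a hex entry configure the same key for
    the SSID. Because the SSID is the PBKDF2 salt, a hex key derived for one
    SSID does not match the same pass-phrase on a profile with another SSID."""
    return psk_to_pmk(passphrase, ssid) == psk_to_pmk(hex_key, ssid)


if __name__ == "__main__":
    # Constructed usage: classify the page's example key and derive the
    # published IEEE test vector.
    print(classify_psk("huawei@123"))
    print(derive_pmk("password", "IEEE").hex())
```

When a profile is migrated from a pass-phrase to an explicit hex key, equivalent_forms() gives a quick offline check that the value entered is the key STAs already hold; if the SSID of the profile changes, the pass-phrase must be re-derived, not copied.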
Updated: 2019-05-29

Document ID: EDOC1000097293