S12700 V200R010C00 Configuration Guide - WLAN-AC

This document describes native AC (hereinafter referred to as WLAN AC) configuration procedures and provides configuration examples.
Configuring a Security Policy

Context

The following table gives recommendations on configuring a WLAN security policy. For the NAC configuration, see NAC Configuration (Unified Mode).

Table 12-2  Recommendations on configuring a WLAN security policy

Security policy: Open system authentication

  Recommended configuration scenario: Public places with high user mobility, such as airports, stations, business centers, conference halls, and sports stadiums. Open system authentication is configured together with Portal authentication, based on which user authentication, accounting, and authorization are supported, and customized pages can be pushed.

  Description: It is not secure to use open system authentication independently. Any wireless terminal can access the network without authentication. You are advised to configure open system authentication together with Portal authentication or MAC address authentication.

  User access authentication mode:
  • External Portal authentication
  • MAC address authentication

Security policy: WEP

  Recommended configuration scenario: None

  Description: The WEP security policy is not recommended due to its low security.

  User access authentication mode: None

Security policy: WPA/WPA2-PSK

  Recommended configuration scenario: Individual or home networks

  Description: The WPA/WPA2-PSK security policy has higher security than WEP. Additionally, no third-party server is required, and the cost is low.

  User access authentication mode: None

Security policy: WPA/WPA2-802.1x

  Recommended configuration scenario: Scenarios with fixed users that require high security and centralized management and authorization, such as mobile office, campus networks, and mobile administration

  Description: The security policy provides high security and requires a third-party server.

  User access authentication mode: 802.1x authentication

Security policy: WAPI-PSK

  Recommended configuration scenario: None

  Description: WAPI-PSK has higher security than WEP and requires no third-party server. Only some terminals support the protocol.

  User access authentication mode: None

Security policy: WAPI-certificate

  Recommended configuration scenario: None

  Description: The WAPI-certificate security policy has high security and requires a third-party server. Only some terminals support the protocol.

  User access authentication mode: None

Procedure

Choose one of the preceding security policies to configure.

Configuring Open System Authentication

Context

Open system authentication means no authentication and no encryption: anyone can connect to the network without being authenticated. To ensure network security, you are advised to configure open system authentication together with Portal authentication or MAC address authentication. For configuration of Portal authentication and MAC address authentication, see NAC Configuration (Unified Mode).

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security open

    The security policy is set to open system authentication.

    By default, the security policy is open system.

Configuring WEP

Context

WEP uses a shared key to authenticate users and encrypt service packets. Because the shared key is easy to decipher, the WEP security policy is not recommended due to its low security. When configuring WEP, you are advised to enable detection of brute force key cracking attacks. For details, see Configuring WIDS Attack Detection and Dynamic Blacklist.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security wep [ share-key ]

    The security policy is set to WEP.

    When the share-key parameter is present, WEP uses the configured shared key to authenticate wireless terminals and encrypt service packets. If the parameter is not present, WEP only encrypts the service packets. A shared key is configured on the wireless terminals regardless of whether the parameter is present.

    Each AP can have at most four key indexes configured. The key indexes used by different VAPs cannot be the same. That is, at most four VAPs can be configured on an AP using the security wep [ share-key ] command.

  5. Run:

    wep key key-id { wep-40 | wep-104 | wep-128 } { pass-phrase | hex } key-value

    The WEP shared key and key index are configured.

    By default, WEP-40 is used, and the key is Admin.

  6. Run:

    wep default-key key-id

    The index of the shared key used by WEP is configured.

    By default, key 0 is used for WEP authentication or encryption.

    Four shared keys can be configured for WEP. You can run this command to make the key with the specified index take effect. The key index ID on the device starts from 0.

    After an SSID of a WLAN is scanned, users cannot access the network by clicking or double-clicking the SSID on some terminals due to default terminal settings. In this situation, manually create a WLAN on the terminals and enter the SSID, identity authentication and encryption modes, key, and key index configured on the device. After that, users can connect to the WLAN through the terminals. The key index on some terminals starts from 1 and ranges from 1 to 4. The key indexes configured on the terminal must map to those configured on the device in ascending order. For example, if key index 0 takes effect on the device, the key index should be set to 1 on the terminal.

Configuring WPA/WPA2-PSK

Context

Both WPA and WPA2 support PSK authentication and the TKIP or AES encryption algorithm. The WPA and WPA2 protocols provide almost the same security level; their difference lies in the protocol packet format.

The WPA/WPA2-PSK security policy applies to individual, home, and SOHO networks that do not require high security. The implementation of the security policy does not require an authentication server. If a wireless terminal supports only WEP encryption, the terminal can implement PSK+TKIP without a hardware upgrade, whereas the terminal may need to upgrade its hardware to implement PSK+AES.

Wireless terminals vary and support different authentication and encryption modes. To enable terminals of various types to access the network and facilitate network management, you can configure WPA and WPA2 simultaneously on the device. If the security policy is set to WPA-WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports TKIP or AES can implement service packet encryption.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value { aes | tkip | aes-tkip }

    The security policy is set to WPA/WPA2-PSK.

  5. (Optional) Run:

    wpa ptk-update enable

    Periodic PTK update is enabled.

    By default, periodic PTK update is disabled.

    NOTE:

    When periodic PTK update is implemented, some STAs may encounter service interruptions or go offline due to individual problems.

  6. (Optional) Run:

    wpa ptk-update ptk-update-interval ptk-rekey-interval

    The PTK update interval is configured.

    By default, the interval for updating PTKs is 43200 seconds.

  7. (Optional) Run:

    pmf { optional | mandatory }

    The PMF function is configured.

    By default, the PMF function is disabled for a VAP.

    The authentication mode WPA2 and encryption mode AES are required.

Configuring WPA/WPA2-802.1x

Context

Both WPA and WPA2 support 802.1X authentication and the TKIP or AES encryption algorithm. The WPA and WPA2 protocols provide almost the same security level; their difference lies in the protocol packet format.

WPA/WPA2-802.1x applies to enterprise networks that require high security. An independent authentication server needs to be deployed. If customers' devices support only WEP encryption, the devices can implement 802.1x+TKIP without a hardware upgrade, whereas the devices may need to upgrade their hardware to implement 802.1x+AES.

Wireless terminals vary and support different authentication and encryption modes. To enable terminals of various types to access the network and facilitate network management, you can configure WPA and WPA2 simultaneously on the device. If the security policy is set to WPA-WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports TKIP or AES can implement service packet encryption.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security { wpa | wpa2 | wpa-wpa2 } dot1x { aes | tkip | aes-tkip }

    The security policy is set to WPA/WPA2-802.1x.

    An authentication profile must be configured for 802.1x access authentication. For details, see NAC Configuration (Unified Mode).

    The authentication type in the security profile and authentication profile must both be set to 802.1x authentication. You can run the display wlan config-errors command to check whether error messages are generated for authentication type mismatch between the security profile and authentication profile.

  5. (Optional) Run:

    wpa ptk-update enable

    Periodic PTK update is enabled.

    By default, periodic PTK update is disabled.

    NOTE:

    When periodic PTK update is implemented, some STAs may encounter service interruptions or go offline due to individual problems.

  6. (Optional) Run:

    wpa ptk-update ptk-update-interval ptk-rekey-interval

    The PTK update interval is configured.

    By default, the interval for updating PTKs is 43200 seconds.

  7. (Optional) Run:

    pmf { optional | mandatory }

    The PMF function is configured.

    By default, the PMF function is disabled for a VAP.

    The authentication mode WPA2 and encryption mode AES are required.
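The recommendations in Table 12-2 and the constraints in the open system, WEP, WPA/WPA2-PSK and WPA/WPA2-802.1x procedures above can be checked mechanically against the security profiles on a device. The following Python script is an added example and is not Huawei's code. It parses a constructed configuration fragment written in the command syntax this guide uses (profile names and key values are placeholders) and reports which profiles are open without Portal or MAC address authentication, use WEP, still accept WPA or TKIP from terminals, set PMF without WPA2 plus AES, or leave PMF and periodic PTK update at their disabled defaults. The NAC_BOUND_PROFILES set stands in for the Portal/MAC binding that is configured under NAC rather than in this section; it is an assumption of the example.

```python
# Added example (not Huawei's code): audit WLAN security profiles against the
# recommendations in this section. SAMPLE_CONFIG is constructed from the command
# syntax in this guide; profile names and key values are placeholders.
SAMPLE_CONFIG = """\
wlan
 security-profile name guest-open
  security open
 security-profile name guest-portal
  security open
 security-profile name legacy-wep
  security wep share-key
  wep key 0 wep-40 pass-phrase PLACEHOLDER-WEP-KEY
 security-profile name home-mixed
  security wpa-wpa2 psk pass-phrase PLACEHOLDER-PSK aes-tkip
 security-profile name mixed-pmf
  security wpa-wpa2 psk pass-phrase PLACEHOLDER-PSK aes
  pmf optional
 security-profile name office-psk
  security wpa2 psk pass-phrase PLACEHOLDER-PSK aes
  pmf mandatory
  wpa ptk-update enable
 security-profile name office-dot1x
  security wpa2 dot1x aes
  pmf optional
"""

# Assumption: profiles bound to a Portal or MAC address authentication profile
# (configured under NAC, outside this section). Constructed for the example.
NAC_BOUND_PROFILES = {"guest-portal"}

# Finding codes and the wording of the guide they correspond to.
FINDING_TEXT = {
    "OPEN_WITHOUT_NAC": "open system without Portal/MAC authentication: any terminal can access",
    "WEP_NOT_RECOMMENDED": "WEP is not recommended (low security); enable WIDS brute-force key detection",
    "WPA_ACCEPTED": "wpa or wpa-wpa2: terminals may still associate with WPA instead of WPA2",
    "TKIP_ACCEPTED": "tkip or aes-tkip: terminals may still negotiate TKIP instead of AES",
    "PMF_REQUIRES_WPA2_AES": "pmf is set but the profile is not wpa2 + aes, which PMF requires",
    "PMF_DISABLED": "PMF is disabled by default; consider pmf optional or mandatory",
    "PTK_UPDATE_DISABLED": "periodic PTK update is disabled by default (wpa ptk-update enable)",
}


def parse_security_profiles(config_text):
    """Return {profile_name: settings}; only commands documented here are read."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["security-profile", "name"] and len(tokens) >= 3:
            # Default security policy is open system (see step 4 of the open procedure).
            current = {"policy": "open", "auth": None, "encryption": None,
                       "shared_key_auth": False, "pmf": None, "ptk_update": False}
            profiles[tokens[2]] = current
        elif current is None:
            continue
        elif tokens[0] == "security" and len(tokens) >= 2:
            current["policy"] = tokens[1]
            if tokens[1] == "wep":
                current["shared_key_auth"] = "share-key" in tokens[2:]
            elif tokens[1] in ("wpa", "wpa2", "wpa-wpa2") and len(tokens) >= 3:
                current["auth"] = tokens[2]          # psk or dot1x
                current["encryption"] = tokens[-1]   # aes, tkip or aes-tkip
            elif tokens[1] == "wapi" and len(tokens) >= 3:
                current["auth"] = tokens[2]          # psk or certificate
        elif tokens[0] == "pmf" and len(tokens) >= 2:
            current["pmf"] = tokens[1]
        elif tokens[:3] == ["wpa", "ptk-update", "enable"]:
            current["ptk_update"] = True
    return profiles


def audit_profile(name, s, nac_bound=frozenset()):
    """Return the list of finding codes for one parsed security profile."""
    findings = []
    if s["policy"] == "open" and name not in nac_bound:
        findings.append("OPEN_WITHOUT_NAC")
    if s["policy"] == "wep":
        findings.append("WEP_NOT_RECOMMENDED")
    if s["policy"] in ("wpa", "wpa-wpa2"):
        findings.append("WPA_ACCEPTED")
    if s["encryption"] in ("tkip", "aes-tkip"):
        findings.append("TKIP_ACCEPTED")
    if s["policy"] in ("wpa", "wpa2", "wpa-wpa2"):
        if s["pmf"] is None:
            findings.append("PMF_DISABLED")
        elif not (s["policy"] == "wpa2" and s["encryption"] == "aes"):
            findings.append("PMF_REQUIRES_WPA2_AES")
        if not s["ptk_update"]:
            findings.append("PTK_UPDATE_DISABLED")
    return findings


def audit_config(config_text, nac_bound=frozenset()):
    """Audit every security profile in the fragment; {name: [finding codes]}."""
    return {name: audit_profile(name, s, nac_bound)
            for name, s in parse_security_profiles(config_text).items()}


if __name__ == "__main__":
    for name, codes in audit_config(SAMPLE_CONFIG, NAC_BOUND_PROFILES).items():
        print(name, "->", [FINDING_TEXT[c] for c in codes] or "no findings")
```

The script reads only the commands this section documents, so lines such as the WEP key itself or any NAC binding are ignored; a profile with no findings (office-psk in the sample) is one that uses WPA2 with AES, has PMF set, and rekeys the PTK periodically.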

Configuring WAPI-PSK

Context

WAPI allows only robust security network association (RSNA), providing higher security than WEP or WPA/WPA2.

WAPI-PSK applies to home networks or small-scale enterprise networks. No additional certificate system is required.

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the unicast session key (USK) and multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.

NOTE:

The AP7030DE, AP7050DE and AP9330DN do not support WAPI.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security wapi psk { pass-phrase | hex } key-value

    The security policy is set to WAPI-PSK.

  5. (Optional) Run:

    wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }

    The interval for updating a Base Key (BK) and the BK lifetime percentage are set.

    The value obtained by multiplying the interval for updating a BK by the BK lifetime percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is less than 300s, the BK may be updated before negotiation is complete due to low STA performance. In this case, some STAs may be forced offline or cannot go online.

    By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.

  6. (Optional) Run:

    wapi sa-timeout sa-time

    The timeout period of a security association is set.

    By default, the timeout period for an SA is 60s.

    If a STA is not authenticated within the timeout period, no SA is established and the STA cannot go online.

  7. (Optional) Run:

    wapi { usk | msk } key-update { disable | time-based }

    The WAPI USK or MSK update mode is set.

    By default, USKs and MSKs are updated based on time.

  8. (Optional) Run:

    wapi { usk-update-interval usk-interval | usk-retrans-count usk-count }

    The interval for updating a USK, and number of retransmissions of USK negotiation packets are set.

    By default, the interval for updating a USK is 86400s; the number of retransmissions of USK negotiation packets is 3.

  9. (Optional) Run:

    wapi { msk-update-interval msk-interval | msk-retrans-count msk-count }

    The interval for updating an MSK, and number of retransmissions of MSK negotiation packets are set.

    By default, the interval for updating an MSK is 86400s; the number of retransmissions of MSK negotiation packets is 3.

Configuring WAPI-Certificate

Context

WAPI allows only robust security network association (RSNA), providing higher security than WEP or WPA/WPA2.

WAPI-certificate applies to large-scale enterprise networks or carrier networks that can deploy and maintain an expensive certificate system.

WAPI uses X.509 V3 certificates that are Base64-encoded and saved in PEM format. The X.509 V3 certificate file has the name extension .cer. Before importing a certificate for WAPI, ensure that the certificate file is saved in the root directory of the storage medium.

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the unicast session key (USK) and multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.

NOTE:

The AP7030DE, AP7050DE and AP9330DN do not support WAPI.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security wapi certificate

    The security policy is set to WAPI-certificate.

  5. Configure the certificate file and ASU server.
    1. Run the wapi import certificate { ac | asu | issuer } format pkcs12 file-name file-name password password or wapi import certificate { ac | asu | issuer } format pem file-name file-name command to import the AC certificate file, certificate of the AC certificate issuer, and ASU certificate file.

      By default, the AC certificate file, certificate of the AC certificate issuer, and ASU certificate file are not imported.

    2. Run the wapi import private-key format pkcs12 file-name file-name password password or wapi import private-key format pem file-name file-name command to import the AC's private key file.

      By default, no AC private key file is imported.

    3. Run the wapi asu ip ip-address command to configure the ASU server's IP address.

      By default, no IP address is specified for the ASU server.

    4. (Optional) Run the wapi cert-retrans-count cert-count command to set the number of retransmissions of certificate authentication packets.

      By default, the number of retransmissions is 3.

  6. (Optional) Run the wapi source interface { vlanif vlan-id | loopback loopback-number } command to configure a VLANIF interface or a loopback interface as the source interface for the AC to communicate with the ASU server.

    By default, no source interface is configured for an AC to communicate with an ASU server.

    The IP address of the WAPI source interface on the AC must be on the same network segment as the IP address of the ASU server. If no WAPI source interface is configured, the IP address of the AC source interface is used as the source IP address for sending WAPI packets to the WAPI server by default.

  7. (Optional) Run:

    wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }

    The interval for updating a Base Key (BK) and the BK lifetime percentage are set.

    The value obtained by multiplying the interval for updating a BK by the BK lifetime percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is less than 300s, the BK may be updated before negotiation is complete due to low STA performance. In this case, some STAs may be forced offline or cannot go online.

    By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.

  8. (Optional) Run:

    wapi sa-timeout sa-time

    The timeout period of a security association is set.

    By default, the timeout period for an SA is 60s.

    If a STA is not authenticated within the timeout period, no SA is established and the STA cannot go online.

  9. (Optional) Run:

    wapi { usk | msk } key-update { disable | time-based }

    The WAPI USK or MSK update mode is set.

    By default, USKs and MSKs are updated based on time.

  10. (Optional) Run:

    wapi { usk-update-interval usk-interval | usk-retrans-count usk-count }

    The interval for updating a USK, and number of retransmissions of USK negotiation packets are set.

    By default, the interval for updating a USK is 86400s; the number of retransmissions of USK negotiation packets is 3.

  11. (Optional) Run:

    wapi { msk-update-interval msk-interval | msk-retrans-count msk-count }

    The interval for updating an MSK, and number of retransmissions of MSK negotiation packets are set.

    By default, the interval for updating an MSK is 86400s; the number of retransmissions of MSK negotiation packets is 3.
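The BK, SA, USK and MSK timers in the WAPI-PSK and WAPI-certificate procedures above come with one stated constraint: the BK update interval multiplied by the BK lifetime percentage must be at least 300 seconds, and the interval itself should not be below 300s, or STAs may be forced offline while negotiation is still in progress. The following Python script is an added example and is not Huawei's code. It reads constructed "wapi" lines in the command syntax shown above (profile names and keys are placeholders), fills in the defaults this section states, computes the effective time before a BK update is triggered, and flags profiles that fall below the 300-second floor or that have time-based USK/MSK update disabled.

```python
# Added example (not Huawei's code): check WAPI key-update timers against the
# constraints and defaults stated in this section. SAMPLE_WAPI_CONFIG is
# constructed from the command syntax in this guide; names and keys are placeholders.

# Defaults stated in the WAPI procedures (seconds, percent, retransmission counts).
WAPI_DEFAULTS = {
    "bk-update-interval": 43200,
    "bk-threshold": 70,
    "sa-timeout": 60,
    "usk-update-interval": 86400,
    "usk-retrans-count": 3,
    "msk-update-interval": 86400,
    "msk-retrans-count": 3,
    "usk-key-update": "time-based",
    "msk-key-update": "time-based",
}

MIN_BK_SECONDS = 300  # floor for both the BK interval and interval x percentage

SAMPLE_WAPI_CONFIG = """\
wlan
 security-profile name wapi-default
  security wapi psk pass-phrase PLACEHOLDER-PSK
 security-profile name wapi-fast-rekey
  security wapi psk pass-phrase PLACEHOLDER-PSK
  wapi bk-update-interval 200
  wapi bk-threshold 60
  wapi usk key-update disable
 security-profile name wapi-cert
  security wapi certificate
  wapi bk-update-interval 600
  wapi bk-threshold 40
  wapi sa-timeout 30
 security-profile name not-wapi
  security wpa2 psk pass-phrase PLACEHOLDER-PSK aes
"""


def parse_wapi_timers(config_text):
    """Return {profile_name: timers} for each profile whose policy is WAPI.

    Timers not set explicitly keep the defaults from WAPI_DEFAULTS; other wapi
    commands (certificate import, ASU address, source interface) are ignored.
    """
    profiles, current = {}, None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["security-profile", "name"] and len(tokens) >= 3:
            current = dict(WAPI_DEFAULTS, is_wapi=False)
            profiles[tokens[2]] = current
        elif current is None:
            continue
        elif tokens[:2] == ["security", "wapi"]:
            current["is_wapi"] = True
        elif (tokens[0] == "wapi" and len(tokens) >= 4
              and tokens[1] in ("usk", "msk") and tokens[2] == "key-update"):
            current[tokens[1] + "-key-update"] = tokens[3]   # disable | time-based
        elif tokens[0] == "wapi" and len(tokens) >= 3 and tokens[1] in WAPI_DEFAULTS:
            current[tokens[1]] = int(tokens[2])
    return {name: t for name, t in profiles.items() if t["is_wapi"]}


def check_wapi_timers(t):
    """Derive the effective BK rekey time and list constraint violations."""
    findings = []
    # A BK update is triggered once bk-threshold percent of the interval has elapsed.
    bk_rekey_after = t["bk-update-interval"] * t["bk-threshold"] // 100
    if t["bk-update-interval"] < MIN_BK_SECONDS:
        findings.append("BK_INTERVAL_BELOW_300S")
    if bk_rekey_after < MIN_BK_SECONDS:
        findings.append("BK_REKEY_BELOW_300S")
    for key in ("usk", "msk"):
        if t[key + "-key-update"] == "disable":
            findings.append(key.upper() + "_TIME_BASED_UPDATE_DISABLED")
    return {"bk_rekey_after_s": bk_rekey_after,
            "sa_timeout_s": t["sa-timeout"],
            "usk_update_interval_s": t["usk-update-interval"],
            "msk_update_interval_s": t["msk-update-interval"],
            "findings": findings}


def check_wapi_config(config_text):
    """Check every WAPI profile in the fragment; {name: result}."""
    return {name: check_wapi_timers(t) for name, t in parse_wapi_timers(config_text).items()}


if __name__ == "__main__":
    for name, result in check_wapi_config(SAMPLE_WAPI_CONFIG).items():
        print(name, "-> BK rekey after", result["bk_rekey_after_s"], "s;",
              result["findings"] or "no findings")
```

With the defaults alone (wapi-default in the sample) a BK update is triggered after 43200 x 70% = 30240 seconds, well above the floor; wapi-cert shows that an interval of 600s can still violate the product constraint when the percentage is low (600 x 40% = 240s).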

Updated: 2019-04-20

Document ID: EDOC1000142094