Example for Configuring Attack Detection
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system profile, AP wired port profile, WIDS profile, and WDS profile. When configuring WLAN services, you need to set related parameters in the WLAN profiles and bind the profiles to the AP group or APs. After that, the configuration is delivered to and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to know the relationships among the profiles before configuring them. For details about the profile relationships and their basic configuration procedure, see WLAN Service Configuration Procedure.
Networking Requirements
As shown in Figure 7-18, the AC directly connects to the AP. The enterprise branch has deployed WLAN services for mobile office applications. To protect the network against flood attacks and PSK cracking, configure the attack detection and dynamic blacklist functions and add the attacking devices to the blacklist. Packets from the attacking devices are discarded to ensure network stability and security.
Configuration Roadmap
- Configure basic WLAN services to enable STAs to connect to the WLAN.
- Configure detection of brute force key cracking attacks for WPA2-PSK authentication and detection of flood attacks so that the device can detect information about the attacking devices.
- Configure the dynamic blacklist function and add devices that initiate attacks to the dynamic blacklist so that packets from the devices are discarded during the configured aging time.
The following example configures attack detection on the 2.4G radio. The configuration on the 5G radio is similar.
Item |
Data |
|---|---|
| DHCP server | The AC functions as a DHCP server to assign IP addresses to the STAs and AP. |
| IP address pool for the AP | 10.10.10.2-10.10.10.254/24 |
| IP address pool for STAs | 10.10.11.2-10.10.11.254/24 |
| AC's source interface address | VLANIF 100: 10.10.10.1/24 |
| AP group |
|
| Regulatory domain profile |
|
| SSID profile |
|
| Security profile |
|
| VAP profile |
|
| WIDS profile |
|
| AP system profile |
|
Configuration Notes
- In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
- In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
- The management VLAN and service VLAN cannot be configured the same.
When multiple VAP profiles are configured and share one service VLAN, enable inter-service VLAN proxy ARP if the data forwarding mode is set to tunnel.
Procedure
- Connect the AP and AC.
# Add Eth2/0/0 to management VLAN 100 and service VLAN 101.
You are advised to configure port isolation on Eth2/0/0 that connects the AC to the AP. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
<Huawei> system-view [Huawei] sysname AC [AC] vlan batch 100 101 [AC] interface ethernet 2/0/0 [AC-Ethernet2/0/0] port link-type trunk [AC-Ethernet2/0/0] port trunk pvid vlan 100 [AC-Ethernet2/0/0] port trunk allow-pass vlan 100 101 [AC-Ethernet2/0/0] port-isolate enable [AC-Ethernet2/0/0] quit
- Configure
the AC as a DHCP server to allocate IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the interface IP address pool on VLANIF 100, and allocate IP addresses to STAs from the interface IP address pool on VLANIF 101.
[AC] dhcp enable [AC] interface vlanif 100 [AC-Vlanif100] ip address 10.10.10.1 24 [AC-Vlanif100] dhcp select interface [AC-Vlanif100] quit [AC] interface vlanif 101 [AC-Vlanif101] ip address 10.10.11.1 24 [AC-Vlanif101] dhcp select interface [AC-Vlanif101] quit
- Configure the
AP to go online.
# Create an AP group and add the AP to the AP group.
[AC] wlan ac [AC-wlan-view] ap-group name ap-group1 Info: This operation may take a few seconds. Please wait for a moment.done. [AC-wlan-ap-group-ap-group1] quit# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1 [AC-wlan-regulate-domain-domain1] country-code cn Info: The current country code is same with the input country code. [AC-wlan-regulate-domain-domain1] quit [AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1 Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu e?[Y/N]:y [AC-wlan-ap-group-ap-group1] quit [AC-wlan-view] quit
# Configure the AC's source interface.
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.[AC] wlan ac [AC-wlan-view] ap auth-mode mac-auth [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360 [AC-wlan-ap-0] ap-name area_1 [AC-wlan-ap-0] ap-group ap-group1 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y Info: This operation may take a few seconds. Please wait for a moment.. done. [AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all Info: This operation may take a few seconds. Please wait for a moment.done. Total AP information: nor : normal [1] --------------------------------------------------------------------------------------------- ID MAC Name Group IP Type State STA Uptime --------------------------------------------------------------------------------------------- 0 60de-4476-e360 area_1 ap-group1 10.10.10.254 AP6010DN-AGN nor 0 6S --------------------------------------------------------------------------------------------- Total: 1 - Configure attack detection.
# Enable brute force attack detection for WPA2-PSK authentication and flood attack detection.
[AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] radio 0 [AC-wlan-group-radio-ap-group1/0] wids attack detect enable wpa2-psk [AC-wlan-group-radio-ap-group1/0] wids attack detect enable flood [AC-wlan-group-radio-ap-group1/0] quit [AC-wlan-ap-group-ap-group1] quit
# Create the WIDS profile wlan-wids.
[AC-wlan-view] wids-profile name wlan-wids
# Set the interval for brute force attack detection to 70 seconds in WPA2-PSK authentication, the maximum number of key negotiation failures allowed within the detection period to 25, and quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] brute-force-detect interval 70 [AC-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25 [AC-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700
# Set the interval for flood attack detection to 70 seconds, flood attack detection threshold to 350, and quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] flood-detect interval 70 [AC-wlan-wids-prof-wlan-wids] flood-detect threshold 350 [AC-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700
# Enable the dynamic blacklist function.
[AC-wlan-wids-prof-wlan-wids] dynamic-blacklist enable [AC-wlan-wids-prof-wlan-wids] quit
# Create the AP system profile wlan-system and set the aging time of dynamic blacklist to 200s.
[AC-wlan-view] ap-system-profile name wlan-system [AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200 [AC-wlan-ap-system-prof-wlan-system] quit
- Configure WLAN service parameters.
# Create security profile wlan-security and set the security policy in the profile.
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security [AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes [AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid [AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net Warning: This action may cause service interruption. Continue?[Y/N]y Info: This operation may take a few seconds, please wait.done. [AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, set the service VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap [AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 Info: This operation may take a few seconds, please wait.done. [AC-wlan-vap-prof-wlan-vap] security-profile wlan-security Info: This operation may take a few seconds, please wait..done. [AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid Info: This operation may take a few seconds, please wait..done. [AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap, WIDS profile wlan-wids, and AP system profile wlan-system to the AP group.
[AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all [AC-wlan-ap-group-ap-group1] wids-profile wlan-wids [AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system Warning: This action may cause service interruption. Continue?[Y/N]y [AC-wlan-ap-group-ap-group1] quit# Commit the configuration.
[AC-wlan-view] commit all Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
- Verify the configuration.
# After the configuration is complete, run the display wlan ids attack-detected all command to check the detected attacking devices.
[AC-wlan-view] display wlan ids attack-detected all #AP: Number of monitor APs that have detected the device AT: Last detcted attack type CH: Channel number act: Action frame asr: Association request aur: Authentication request daf: Deauthentication frame dar: Disassociation request wiv: Weak IV detected pbr: Probe request rar: Reassociation request eaps: EAPOL start frame eapl: EAPOL logoff frame saf: Spoofed disassociation frame sdf: Spoofed deauthentication frame otsf: Other types of spoofing frames ------------------------------------------------------------------------------------------------ MAC address AT CH RSSI(dBm) Last detected time #AP ------------------------------------------------------------------------------------------------ 261f-a0ec-c0f3 pbr 1 -60 2015-01-28/17:35:55 1 ------------------------------------------------------------------------------------------------ Total: 1, printed: 1
# Run the display wlan ids dynamic-blacklist all command to check devices on the blacklist.
[AC-wlan-view] display wlan ids dynamic-blacklist all #AP: Number of monitor APs that have detected the device act: Action frame asr: Association request aur: Authentication request daf: Deauthentication frame dar: Disassociation request eapl: EAPOL logoff frame pbr: Probe request rar: Reassociation request eaps: EAPOL start frame -------------------------------------------------------------------------------- MAC address Last detected time Reason #AP ------------------------------------------------------------------------------------------------ 261f-a0ec-c0f3 2015-01-28/17:35:55 pbr 1 ------------------------------------------------------------------------------------------------ Total: 1, printed: 1
Configuration Files
AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface
#
interface Ethernet2/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
capwap source interface vlanif100
#
wlan ac
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#4R-.UpLuaWW`dGKS3R':Hg.h4g.hh:ygc7*P$q("%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
wids-profile name wlan-wids
flood-detect interval 70
flood-detect threshold 350
flood-detect quiet-time 700
brute-force-detect interval 70
brute-force-detect threshold 25
brute-force-detect quiet-time 700
dynamic-blacklist enable
ap-system-profile name wlan-system
dynamic-blacklist aging-time 200
ap-group name ap-group1
ap-system-profile wlan-system
regulatory-domain-profile domain1
wids-profile wlan-wids
radio 0
vap-profile wlan-vap wlan 1
wids attack detect enable flood
wids attack detect enable wpa2-psk
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
