Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Example for Configuring Rogue Device Detection and Containment

Configuration Process

You need to configure and maintain WLAN features and functions in different profiles. These WLAN profiles include the regulatory domain profile, radio profile, VAP profile, AP system profile, AP wired port profile, and WIDS profile. When configuring WLAN services, you set the related parameters in the WLAN profiles and bind the profiles to an AP group or to individual APs. The configuration is then delivered automatically to the RUs and takes effect there. WLAN profiles can reference one another, so you need to know the relationships among the profiles before configuring them. For details about the profile relationships and the basic configuration procedure, see WLAN Service Configuration Procedure.

Networking Requirements

As shown in Figure 20-7, an enterprise branch deploys WLAN basic services and provides a WLAN with the SSID of wlan-net for employees to access enterprise network resources. STAs automatically obtain IP addresses.

The branch is located in an open area, which exposes the WLAN to attack. A rogue AP (AP2) that advertises the same SSID wlan-net has been deployed within range and attempts to steal enterprise business information by getting STAs to associate with it. To counter this, deploy a monitor RU (RU3) and configure WIDS and WIPS so that the central AP detects AP2 (which is neither managed by the local central AP nor listed in the authorized AP list) and prevents STAs from associating with it.

Figure 20-7  Networking diagram for configuring WIDS and WIPS

Configuration Roadmap

  1. Configure basic WLAN services to enable STAs to connect to the WLAN.
  2. Configure RU3 to work in monitor mode so that RU3 can detect and report information about wireless devices to the central AP.
  3. Configure WIDS and WIPS so that the central AP can contain the detected rogue APs (AP2 in this example) and disconnect STAs from AP2.
NOTE:

The following example configures WIDS and WIPS on the 2.4G radio of RU3. The configuration on the 5G radio is similar.

Table 20-2  Data planning

Item: Data

DHCP server: The central AP functions as the DHCP server that assigns IP addresses to the STAs and RUs.
IP address pool for RUs: 10.23.100.2-10.23.100.254/24
IP address pool for STAs: 10.23.101.2-10.23.101.254/24
AP group ap-group1
  • Referenced profiles: VAP profile wlan-vap1 and regulatory domain profile domain1
AP group ap-group2
  • Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and WIDS profile wlan-wids
  • Working mode of radio 0: monitor
  • Device detection and rogue device containment on radio 0: enabled
Regulatory domain profile
  • Name: domain1
  • Country code: CN
SSID profile
  • Name: wlan-ssid
  • SSID name: wlan-net
Security profile
  • Name: wlan-security
  • Security policy: WPA2-PSK-AES
  • Password: a1234567
VAP profile wlan-vap1
  • Service VLAN: VLAN 101
  • Referenced profiles: SSID profile wlan-ssid and security profile wlan-security
VAP profile wlan-vap2
  • Referenced profile: SSID profile wlan-ssid (no security profile is referenced)
WIDS profile
  • Name: wlan-wids
  • Rogue device containment mode: contain APs that spoof the enterprise SSID (spoof-ssid-ap)

Configuration Notes

Configure port isolation on the interfaces of the device directly connected to RUs. If port isolation is not configured, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.

Rogue AP containment is an active countermeasure: the monitor radio forcibly disconnects STAs from the contained AP. Before enabling it, add every legitimate AP that the local central AP does not manage (for example, APs of a neighbouring branch that also advertise wlan-net) to the authorized AP list; otherwise they are contained as well, which amounts to a denial of service against your own or a third party's network.

The PSK a1234567 is a placeholder for this example. WPA2-PSK is exposed to offline dictionary attacks once an attacker captures a four-way handshake, so use a long, random passphrase in production.

In this example, the VAP profile wlan-vap2 references no security profile. Only radio 0 of RU3 works in monitor mode, so check that no other radio in ap-group2 advertises wlan-net without the WPA2 security profile; if it does, bind wlan-security to wlan-vap2 as well.

Procedure

  1. Configure the central AP so that the RU and central AP can transmit CAPWAP packets.

    # Configure the central AP: add the RU-facing interfaces GE0/0/1 and GE0/0/3 to management VLAN 100 and service VLAN 101.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 100 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
    [AP-GigabitEthernet0/0/1] quit
    [AP] interface gigabitethernet 0/0/3
    [AP-GigabitEthernet0/0/3] port link-type trunk
    [AP-GigabitEthernet0/0/3] port trunk pvid vlan 100
    [AP-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
    [AP-GigabitEthernet0/0/3] quit
    

  2. Configure the central AP to communicate with the upstream device.

    NOTE:

    Configure central AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with the upstream device.

    # Add central AP uplink interface GE0/0/24 to service VLAN 101.

    [AP] interface gigabitethernet 0/0/24
    [AP-GigabitEthernet0/0/24] port link-type trunk
    [AP-GigabitEthernet0/0/24] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/24] quit
    

  3. Configure the central AP as a DHCP server to allocate IP addresses to STAs and the RU.

    # Configure the central AP as the DHCP server to allocate an IP address to the RU from the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF 101.

    NOTE:
    Configure the DNS server as required. The common methods are as follows:
    • In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
    [AP] dhcp enable
    [AP] interface vlanif 100
    [AP-Vlanif100] ip address 10.23.100.1 24
    [AP-Vlanif100] dhcp select interface
    [AP-Vlanif100] quit
    [AP] interface vlanif 101
    [AP-Vlanif101] ip address 10.23.101.1 24
    [AP-Vlanif101] dhcp select interface
    [AP-Vlanif101] quit
    

  4. Configure the RU to go online.

    # Create AP groups ap-group1 and ap-group2.

    [AP] wlan
    [AP-wlan-view] ap-group name ap-group1
    [AP-wlan-ap-group-ap-group1] quit
    [AP-wlan-view] ap-group name ap-group2
    [AP-wlan-ap-group-ap-group2] quit
    

    # Create a regulatory domain profile, configure the central AP country code in the profile, and apply the profile to the AP group.

    [AP-wlan-view] regulatory-domain-profile name domain1
    [AP-wlan-regulatory-domain-prof-domain1] country-code cn
    [AP-wlan-regulatory-domain-prof-domain1] quit
    [AP-wlan-view] ap-group name ap-group1
    [AP-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AP-wlan-ap-group-ap-group1] quit
    [AP-wlan-view] ap-group name ap-group2
    [AP-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AP-wlan-ap-group-ap-group2] quit
    [AP-wlan-view] quit
    

    # Configure the management VLAN for RUs connected to the central AP.

    [AP] management-vlan 100
    
    # Import the RUs offline on the central AP and add RU1 and RU3 to ap-group1 and ap-group2 respectively. Assume that RU1's MAC address is fcb6-9897-c520 and RU3's MAC address is fcb6-9897-ca40.
    NOTE:

    The default RU authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the R240D is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

    [AP] wlan
    [AP-wlan-view] ap auth-mode mac-auth
    [AP-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
    [AP-wlan-ap-1] ap-name RU1
    [AP-wlan-ap-1] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AP-wlan-ap-1] quit
    [AP-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
    [AP-wlan-ap-2] ap-name RU3
    [AP-wlan-ap-2] ap-group ap-group2
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AP-wlan-ap-2] quit
    

    # After the RUs are powered on, run the display ap all command to check their state. If the State field shows nor, the RU has gone online normally.

    [AP-wlan-view] display ap all
    Total AP information:
    nor  : normal          [2]
    --------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime
    --------------------------------------------------------------------------------
    1    fcb6-9897-c520 RU1   ap-group1 10.23.100.253 R240D          nor   0   10S
    2    fcb6-9897-ca40 RU3   ap-group2 10.23.100.254 R240D          nor   0   15S
    --------------------------------------------------------------------------------
    Total: 2

  5. Configure WLAN service parameters.

    # Create the security profile wlan-security and set the security policy in the profile.

    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
    [AP-wlan-sec-prof-wlan-security] quit
    

    # Create the SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AP-wlan-view] ssid-profile name wlan-ssid
    [AP-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AP-wlan-ssid-prof-wlan-ssid] quit
    

    # Create the VAP profile wlan-vap1, set the service VLAN, and apply the security profile and SSID profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap1
    [AP-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
    [AP-wlan-vap-prof-wlan-vap1] security-profile wlan-security
    [AP-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
    [AP-wlan-vap-prof-wlan-vap1] quit
    

    # Create the VAP profile wlan-vap2 and apply the SSID profile to it.

    [AP-wlan-view] vap-profile name wlan-vap2
    [AP-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
    [AP-wlan-vap-prof-wlan-vap2] quit
    

    # Bind the VAP profile wlan-vap1 to the AP group ap-group1.

    [AP-wlan-view] ap-group name ap-group1
    [AP-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio all
    [AP-wlan-ap-group-ap-group1] quit
    

    # Bind the VAP profile wlan-vap2 to the AP group ap-group2.

    [AP-wlan-view] ap-group name ap-group2
    [AP-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 2 radio all
    

  6. Configure radio 0 of RU3 to work in monitor mode.

    [AP-wlan-ap-group-ap-group2] radio 0
    [AP-wlan-group-radio-ap-group2/0] work-mode monitor
    Warning: Modify the work mode may cause business interruption, continue?(y/n)[n]:y
    

  7. Configure WIDS and WIPS.

    # Enable device detection and rogue device containment.

    [AP-wlan-group-radio-ap-group2/0] wids device detect enable
    [AP-wlan-group-radio-ap-group2/0] wids contain enable
    [AP-wlan-group-radio-ap-group2/0] quit
    [AP-wlan-ap-group-ap-group2] quit
    

    # Create the WIDS profile wlan-wids and set the containment mode to spoof-ssid-ap, so that only APs advertising the enterprise SSID from an unauthorized BSSID are contained.

    [AP-wlan-view] wids-profile name wlan-wids
    [AP-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
    [AP-wlan-wids-prof-wlan-wids] quit
    

  8. Bind the WIDS profile wlan-wids to the AP group ap-group2.

    [AP-wlan-view] ap-group name ap-group2
    [AP-wlan-ap-group-ap-group2] wids-profile wlan-wids
    [AP-wlan-ap-group-ap-group2] quit
    

  9. Verify the configuration.

    Run the display wlan ids contain ap command. The output lists AP2 (BSSID 000b-6b8f-fc6a, advertising wlan-net on channel 11) as a contained device.

    [AP-wlan-view] display wlan ids contain ap
    #Rf: Number of monitor radios that have contained the device
    CH: Channel number
    -------------------------------------------------------------------------------
    MAC address     CH   Authentication   Last detected time  #Rf   SSID
    -------------------------------------------------------------------------------
    000b-6b8f-fc6a  11   -                2014-11-20/16:16:57  1    wlan-net
    -------------------------------------------------------------------------------
    Total: 1, printed: 1

    When a STA attempts to connect through AP2, the containment countermeasures stop traffic between the STA and AP2, and the STA then associates with RU1. In the following output, pings to a STA at 10.23.101.22 time out while it is attached to AP2 and resume once it has re-associated with RU1.

    C:\Documents and Settings\huawei> ping 10.23.101.22
    
    Pinging 10.23.101.22 with 32 bytes of data:
    
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 10.23.101.22: bytes=32 time=1433ms TTL=255
    Reply from 10.23.101.22: bytes=32 time=40ms TTL=255
    Reply from 10.23.101.22: bytes=32 time=11ms TTL=255
    Reply from 10.23.101.22: bytes=32 time=46ms TTL=255
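    The verification step relies on reading the display wlan ids contain ap table by eye. The following Python script is an added example, not part of the Huawei guide: it parses that table and checks each contained BSSID against an allowlist of the enterprise's own radios, so that a containment hit against one of your own APs (a stale authorized AP list, or a monitor radio pointed at the wrong network) is reported separately from a genuine SSID spoofer. The first table row is the one printed in step 9; the second row and the allowlist of BSSIDs are constructed for the example, since the page gives only the RU base MAC addresses.

```python
"""Added example (not from the Huawei guide): parse the table printed by
'display wlan ids contain ap' and check contained BSSIDs against an
allowlist of the enterprise's own radios.

Assumptions (not stated on the page): AUTHORIZED_BSSIDS is constructed,
and the second table row is constructed to exercise the allowlist path.
"""
import re
from dataclasses import dataclass
from datetime import datetime

ENTERPRISE_SSID = "wlan-net"

# Constructed allowlist: BSSIDs of the enterprise's own radios. The page
# gives only the RU base MACs (fcb6-9897-c520, fcb6-9897-ca40); the radio
# BSSID fcb6-9897-c521 is an assumption for the example.
AUTHORIZED_BSSIDS = {"fcb6-9897-c520", "fcb6-9897-c521", "fcb6-9897-ca40"}

# First data row copied from the guide's step 9 output; second row constructed.
SAMPLE_OUTPUT = """\
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address     CH   Authentication   Last detected time  #Rf   SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a  11   -                2014-11-20/16:16:57  1    wlan-net
fcb6-9897-c521  6    -                2014-11-20/16:17:02  1    wlan-net
-------------------------------------------------------------------------------
Total: 2, printed: 2
"""

# One data row: Huawei-style MAC (xxxx-xxxx-xxxx), channel, auth, timestamp, #Rf, SSID.
ROW_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<ch>\d+)\s+(?P<auth>\S+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+"
    r"(?P<rf>\d+)\s+(?P<ssid>\S.*?)\s*$"
)


@dataclass(frozen=True)
class ContainedAp:
    mac: str
    channel: int
    auth: str
    last_seen: datetime
    monitor_radios: int
    ssid: str


def parse_contain_table(text: str) -> list[ContainedAp]:
    """Return one ContainedAp per data row. Header lines, rulers and the
    'Total:' footer do not match ROW_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        entries.append(ContainedAp(
            mac=m["mac"].lower(),
            channel=int(m["ch"]),
            auth=m["auth"],
            last_seen=datetime.strptime(m["ts"], "%Y-%m-%d/%H:%M:%S"),
            monitor_radios=int(m["rf"]),
            ssid=m["ssid"],
        ))
    return entries


def classify(entries, enterprise_ssid, authorized_bssids):
    """Split contained APs into three buckets:
    - spoofing_rogue: advertises our SSID from a BSSID we do not own
      (the case contain-mode spoof-ssid-ap is meant to hit);
    - authorized_contained: one of our own BSSIDs is being contained, which
      points at a stale allowlist or a misconfigured monitor radio and must
      be fixed before it becomes a self-inflicted denial of service;
    - other: contained for a reason unrelated to spoofing our SSID."""
    report = {"spoofing_rogue": [], "authorized_contained": [], "other": []}
    for e in entries:
        if e.mac in authorized_bssids:
            report["authorized_contained"].append(e)
        elif e.ssid == enterprise_ssid:
            report["spoofing_rogue"].append(e)
        else:
            report["other"].append(e)
    return report


if __name__ == "__main__":
    result = classify(parse_contain_table(SAMPLE_OUTPUT), ENTERPRISE_SSID, AUTHORIZED_BSSIDS)
    for bucket, aps in result.items():
        for ap in aps:
            print(f"{bucket:22} {ap.mac} ch{ap.channel} "
                  f"last seen {ap.last_seen:%Y-%m-%d %H:%M:%S} ssid={ap.ssid}")
```

    In practice you would feed the script the command output collected over SSH or from a syslog collector rather than the embedded sample, and page anyone in the authorized_contained bucket first, since that bucket means the WIPS is attacking your own infrastructure.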

Configuration Files

Central AP configuration file

#
 sysname AP
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 101
#
management-vlan 100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap1
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 vap-profile name wlan-vap2
  ssid-profile wlan-ssid
 regulatory-domain-profile name domain1
 wids-profile name wlan-wids
  contain-mode spoof-ssid-ap
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap1 wlan 1
  radio 1
   vap-profile wlan-vap1 wlan 1
 ap-group name ap-group2
  regulatory-domain-profile domain1
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-vap2 wlan 2
   work-mode monitor
   wids device detect enable
   wids contain enable
  radio 1
   vap-profile wlan-vap2 wlan 2
 ap-id 1 type-id 19 ap-mac fcb6-9897-c520 ap-sn 210235554710CB000042
  ap-name RU1
  ap-group ap-group1
 ap-id 2 type-id 28 ap-mac fcb6-9897-ca40 ap-sn 210235419610D2000097
  ap-name RU3
  ap-group ap-group2
#
return
Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 116080

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next