No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Attack Detection

Example for Configuring Attack Detection

Networking Requirements

As shown in Figure 12-8, the enterprise branch has deployed WLAN services for mobile office applications. To protect the network against flood attacks and PSK cracking, configure the attack detection and dynamic blacklist functions and add the attacking devices to the blacklist. Packets from the attacking devices are discarded to ensure network stability and security.

Figure 12-8  Networking diagram of configuring the attack detection function

Configuration Roadmap

  1. Configure basic WLAN services to enable STAs to connect to the WLAN.
  2. Configure detection of brute force key cracking attacks for WPA2-PSK authentication and detection of flood attacks so that the device can detect information about the attacking devices.
  3. Configure the dynamic blacklist function and add devices that initiate attacks to the dynamic blacklist so that packets from the devices are discarded during the configured aging time.
NOTE:

The following example configures attack detection on the 2.4G radio. The configuration on the 5G radio is similar.

Table 12-3  Data planning

Item

Data

DHCP server The AP functions as a DHCP server to assign IP addresses to the STAs.
IP address pool for STAs 10.23.101.2-10.23.101.254/24
SSID profile
  • Name: wlan-ssid
  • SSID name: wlan-net
Security profile
  • Name: wlan-security
  • Security policy: WPA2-PSK-AES
  • Password: a1234567
VAP profile
  • Name: wlan-vap
  • Service VLAN: VLAN 101
  • Referenced profile: SSID profile wlan-ssid and security profile wlan-security
WIDS attack detection
  • Attack detection mode: detection of brute force key cracking attacks for WPA2-PSK authentication and detection of flood attacks
  • Interval for brute force PSK cracking attack detection: 70s
  • Quiet time for brute force PSK cracking attack detection: 700s
  • Maximum number of key negotiation failures allowed within a brute force PSK cracking attack detection period: 25
  • Flood attack detection interval: 70s
  • Quiet time for flood attack detection: 700s
  • Maximum number of packets of the same type that an AP can receive within the flood attack detection period: 350
  • Dynamic blacklist: enabled
  • Aging time of a dynamic blacklist: 200s

Configuration Notes

No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression on switch interfaces connected to APs to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected. For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.

Procedure

  1. Configure the AP to communicate with the upstream device.

    NOTE:

    Configure AP uplink interfaces to transparently transmit packets of service VLANs as required and communicate with the upstream device.

    # Add AP uplink interface GE0/0/1 to VLAN 101.

    <Huawei> system-view
    [Huawei] sysname AP
    [AP] vlan batch 101
    [AP] interface gigabitethernet 0/0/1
    [AP-GigabitEthernet0/0/1] port link-type trunk
    [AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
    [AP-GigabitEthernet0/0/1] quit
    

  2. Configure the AP as a DHCP server to allocate IP addresses to STAs.

    # Configure the AP as the DHCP server to allocate an IP address to STAs from the IP address pool on VLANIF 101.

    NOTE:
    Configure the DNS server as required. The common methods are as follows:
    • In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
    [AP] dhcp enable
    [AP] interface vlanif 101
    [AP-Vlanif101] ip address 10.23.101.1 24
    [AP-Vlanif101] dhcp select interface
    [AP-Vlanif101] quit
    

  3. Configure AP system parameters.

    # Configure the country code.

    [AP] wlan
    [AP-wlan-view] country-code cn
    

  4. Configure WLAN service parameters.

    # Create security profile wlan-security and set the security policy in the profile.

    [AP-wlan-view] security-profile name wlan-security
    [AP-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
    [AP-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AP-wlan-view] ssid-profile name wlan-ssid
    [AP-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AP-wlan-ssid-prof-wlan-ssid] quit
    

    # Create VAP profile wlan-vap, set the service VLAN, and apply the security profile and SSID profile to the VAP profile.

    [AP-wlan-view] vap-profile name wlan-vap
    [AP-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
    [AP-wlan-vap-prof-wlan-vap] security-profile wlan-security
    [AP-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AP-wlan-vap-prof-wlan-vap] quit
    [AP-wlan-view] quit
    

  5. Bound the VAP profile wlan-vap to the radio.

    [AP] interface wlan-radio 0/0/0
    [AP-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    

  6. Configure the attack detection function.

    # Enable brute force attack detection for WPA2-PSK authentication and flood attack detection.

    [AP-Wlan-Radio0/0/0] wids attack detect enable wpa2-psk
    [AP-Wlan-Radio0/0/0] wids attack detect enable flood
    [AP-Wlan-Radio0/0/0] quit

    # Set the interval for brute force attack detection to 70 seconds in WPA2-PSK authentication, the maximum number of key negotiation failures allowed within the detection period to 25, and quiet time to 700s.

    [AP] wlan
    [AP-wlan-view] wids
    [AP-wlan-wids] brute-force-detect interval 70
    [AP-wlan-wids] brute-force-detect threshold 25
    [AP-wlan-wids] brute-force-detect quiet-time 700
    

    # Set the interval for flood attack detection to 70 seconds, the maximum number of packets of the same type that an AP can receive within the flood attack detection period to 350, and quiet time to 700s.

    [AP-wlan-wids] flood-detect interval 70
    [AP-wlan-wids] flood-detect threshold 350
    [AP-wlan-wids] flood-detect quiet-time 700
    

    # Enable the dynamic blacklist function.

    [AP-wlan-wids] dynamic-blacklist enable
    [AP-wlan-wids] quit
    

    # Set the aging time for the dynamic blacklist to 200 seconds.

    [AP-wlan-view] dynamic-blacklist aging-time 200
    

  7. Verify the configuration.

    After the configuration is complete, run the display wlan ids attack-detected all command to check the detected attacking devices.

    [AP-wlan-view] display wlan ids attack-detected all
    #AP: Number of monitor APs that have detected the device
    AT: Last detected attack type
    CH: Channel number
    act: Action frame            asr: Association request
    aur: Authentication request  daf: Deauthentication frame
    dar: Disassociation request  wiv: Weak IV detected
    pbr: Probe request           rar: Reassociation request
    eaps: EAPOL start frame      eapl: EAPOL logoff frame
    saf: Spoofed disassociation frame
    sdf: Spoofed deauthentication frame
    otsf: Other types of spoofing frames
    -------------------------------------------------------------------------------
    MAC address     AT     CH   RSSI(dBm)  Last detected time     #AP
    -------------------------------------------------------------------------------
    000b-c002-9c81  pbr    165  -87        2014-11-20/15:51:13    1
    0024-2376-03e9  pbr    165  -84        2014-11-20/15:51:13    1
    0046-4b74-691f  act    165  -67        2014-11-20/15:51:13    1
    -------------------------------------------------------------------------------
    Total: 3, printed: 3

    Run the display wlan ids dynamic-blacklist all command to check devices on the dynamic blacklist.

    [AP-wlan-view] display wlan ids dynamic-blacklist all
    #AP: Number of monitor APs that have detected the device
    act: Action frame            asr: Association request
    aur: Authentication request  daf: Deauthentication frame
    dar: Disassociation request  eapl: EAPOL logoff frame
    pbr: Probe request           rar: Reassociation request
    eaps: EAPOL start frame
    -------------------------------------------------------------------------------
    MAC address       Last detected time    Reason   #AP
    -------------------------------------------------------------------------------
    000b-c002-9c81    2014-11-20/16:15:53   pbr      1   
    0024-2376-03e9    2014-11-20/16:15:53   pbr      1   
    0046-4b74-691f    2014-11-20/16:15:53   act      1   
    -------------------------------------------------------------------------------
    Total: 3, printed: 3
    

Configuration Files

AP configuration file

#
 sysname AP
#
vlan batch 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
wlan
 dynamic-blacklist aging-time 200
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#4R-.UpLuaWW`dGKS3R':Hg.h4g.hh:ygc7*P$q("%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 wids
  flood-detect interval 70
  flood-detect threshold 350
  flood-detect quiet-time 700
  brute-force-detect interval 70
  brute-force-detect threshold 25
  brute-force-detect quiet-time 700
  dynamic-blacklist enable
#
interface Wlan-Radio0/0/0
 vap-profile wlan-vap wlan 2
 wids attack detect enable flood
 wids attack detect enable wpa2-psk
#
return
Translation
Download
Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 116054

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next