Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring a WLAN Security Policy

You can configure WLAN security policies to authenticate identities of wireless terminals and encrypt user packets, protecting the security of the WLAN and users. The supported WLAN security policies include open system authentication, WEP, WPA/WPA2-PSK, WPA/WPA2-802.1x, WAPI-PSK, and WAPI-certificate. You can configure one of them in a security profile. Open system authentication and WPA/WPA2-802.1x need to be configured together with NAC to manage user access.

Pre-configuration Tasks

Before configuring a security policy, configure basic WLAN services.

Procedure

WLAN security policies are configured using profiles. Figure 25-21 shows the configuration flowchart.

Figure 25-21  WLAN security policy configuration flowchart

The configuration procedure is as follows:

Creating a Security Profile

Context

WLAN security policies are configured in security profiles, and only one security policy can be configured in a security profile. You can create multiple security profiles with different security policies and apply the profiles to different VAPs as required.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    A security profile is created and the security profile view is displayed.

    By default, security profile default is available in the system.

Configuring a Security Policy

Context

The following table gives recommendations on configuring a WLAN security policy.

Table 25-5  Recommendations on configuring a WLAN security policy

Columns: Security Policy; Recommended Configuration Scenario; Description; User Access Authentication Mode

Open system authentication
  Recommended configuration scenario: Public places with high user mobility, such as airports, stations, business centers, conference halls, and sports stadiums. Open system authentication is configured together with Portal authentication, which supports user authentication, accounting, and authorization and can push customized pages.
  Description: Open system authentication is not secure on its own: any wireless terminal can access the network without authentication. You are advised to configure it together with Portal authentication or MAC address authentication.
  User access authentication mode:
    • External Portal authentication
    • Built-in Portal authentication
    • MAC address authentication

WEP
  Recommended configuration scenario: None
  Description: The WEP security policy is not recommended due to its low security.
  User access authentication mode: None

WPA/WPA2-PSK
  Recommended configuration scenario: Individual or home networks
  Description: The WPA/WPA2-PSK security policy has higher security than WEP. Additionally, no third-party server is required, and the cost is low.
  User access authentication mode: None

WPA/WPA2-802.1x
  Recommended configuration scenario: Scenarios with fixed users that require high security and centralized management and authorization, such as mobile office, campus networks, and mobile administration
  Description: The security policy provides high security and requires a third-party server.
  User access authentication mode: 802.1x authentication

WAPI-PSK
  Recommended configuration scenario: None
  Description: WAPI-PSK has higher security than WEP and requires no third-party server. Only some terminals support the protocol.
  User access authentication mode: None

WAPI-certificate
  Recommended configuration scenario: None
  Description: The WAPI-certificate security policy has high security and requires a third-party server. Only some terminals support the protocol.
  User access authentication mode: None

Procedure

Choose one of the preceding security policies to configure.

Configuring Open System Authentication

Context

Open system authentication means no authentication and no encryption: anyone can connect to the network without being authenticated. To ensure network security, you are advised to configure open system authentication together with Portal authentication or MAC address authentication. For the configuration of Portal authentication and MAC address authentication, see Configuring NAC.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security open

    The security policy is set to open system authentication.

    By default, the security policy is open system.

Configuring WEP

Context

WEP uses a shared key to authenticate users and encrypt service packets. Because the shared key is easy to decipher, the WEP security policy is not recommended due to its low security. When configuring WEP, you are advised to enable detection of brute force key cracking attacks. For details, see Configuring Attack Detection and Dynamic Blacklist.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security wep [ share-key ]

    The security policy is set to WEP.

    When the share-key parameter is present, WEP uses the configured shared key to authenticate wireless terminals and encrypt service packets. If the parameter is not present, WEP only encrypts the service packets. A shared key is configured on the wireless terminals regardless of whether the parameter is present.

    Each AP can have at most four key indexes configured. The key indexes used by different VAPs cannot be the same. That is, at most four VAPs can be configured on an AP using the security wep [ share-key ] command.

  5. Run:

    wep key key-id { wep-40 | wep-104 | wep-128 } { pass-phrase | hex } key-value

    The WEP shared key and key index are configured.

    By default, WEP-40 is used, and the key is Admin.

  6. Run:

    wep default-key key-id

    The index of the shared key used by WEP is configured.

    By default, key 0 is used for WEP authentication or encryption.

    Four shared keys can be configured for WEP. Run this command to make the key with the specified index take effect. Key index IDs on the device start from 0.

    After an SSID of a WLAN is scanned, users of some terminals cannot access the network by clicking or double-clicking the SSID because of default terminal settings. In this situation, manually create a WLAN on the terminal and enter the SSID, the identity authentication and encryption modes, the key, and the key index configured on the device. After that, users can connect to the WLAN through the terminal. The key index on some terminals starts from 1 and ranges from 1 to 4; the key indexes configured on the terminal must map to those configured on the device in ascending order. For example, if key index 0 takes effect on the device, the key index should be set to 1 on the terminal.

Configuring WPA/WPA2-PSK

Context

Both WPA and WPA2 support PSK authentication and the TKIP or AES encryption algorithm. WPA and WPA2 provide almost the same security level; they differ in the protocol packet format.

The WPA/WPA2-PSK security policy applies to individual, home, and SOHO networks that do not require high security. Implementing this security policy does not require an authentication server. If a wireless terminal supports only WEP encryption, it can implement PSK+TKIP without a hardware upgrade, whereas it may need a hardware upgrade to implement PSK+AES.

Wireless terminals vary and support different authentication and encryption modes. To enable terminals of various types to access the network and facilitate network management, you can configure WPA and WPA2 simultaneously on the device. If the security policy is set to WPA-WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports TKIP or AES can implement service packet encryption.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value { aes | tkip | aes-tkip }, or security wpa-wpa2 psk { pass-phrase | hex } key-value tkip aes

    The security policy is set to WPA/WPA2-PSK.

  5. (Optional) Run:

    wpa ptk-update enable

    Periodic PTK update is enabled.

    By default, periodic PTK update is disabled.

    NOTE:

    When periodic PTK update is implemented, some STAs may encounter service interruptions or go offline due to individual problems.

  6. (Optional) Run:

    wpa ptk-update ptk-update-interval ptk-rekey-interval

    The PTK update interval is configured.

    By default, the interval for updating PTKs is 43200 seconds.

  7. (Optional) Run:

    pmf { optional | mandatory }

    The PMF function is configured.

    By default, the PMF function is disabled for a VAP.

    The authentication mode WPA2 and encryption mode AES are required.

Configuring WPA/WPA2-802.1x

Context

Both WPA and WPA2 support 802.1X authentication and the TKIP or AES encryption algorithm. WPA and WPA2 provide almost the same security level; they differ in the protocol packet format.

WPA/WPA2-802.1x applies to enterprise networks that require high security. An independent authentication server needs to be deployed. If customers' devices support only WEP encryption, they can implement 802.1x+TKIP without a hardware upgrade, whereas they may need a hardware upgrade to implement 802.1x+AES.

Wireless terminals vary and support different authentication and encryption modes. To enable terminals of various types to access the network and facilitate network management, you can configure WPA and WPA2 simultaneously on the device. If the security policy is set to WPA-WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports TKIP or AES can implement service packet encryption.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security { wpa | wpa2 | wpa-wpa2 } dot1x { aes | tkip | aes-tkip }, or security wpa-wpa2 dot1x tkip aes

    The security policy is set to WPA/WPA2-802.1x.

    An authentication profile must be configured for 802.1x access authentication. For details, see Configuring NAC.

    The authentication type in the security profile and authentication profile must both be set to 802.1x authentication. You can run the display wlan config-errors command to check whether error messages are generated for authentication type mismatch between the security profile and authentication profile.

  5. (Optional) Run:

    wpa ptk-update enable

    Periodic PTK update is enabled.

    By default, periodic PTK update is disabled.

    NOTE:

    When periodic PTK update is implemented, some STAs may encounter service interruptions or go offline due to individual problems.

  6. (Optional) Run:

    wpa ptk-update ptk-update-interval ptk-rekey-interval

    The PTK update interval is configured.

    By default, the interval for updating PTKs is 43200 seconds.

  7. (Optional) Run:

    pmf { optional | mandatory }

    The PMF function is configured.

    By default, the PMF function is disabled for a VAP.

    The authentication mode WPA2 and encryption mode AES are required.
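The constraints in the two preceding procedures (PSK versus 802.1x, the PMF precondition of WPA2 with AES, and the mixed WPA-WPA2 / TKIP-AES behaviour) are easy to get wrong when several profiles are built by hand. The following Python model is an added example and not Huawei code: it renders the command sequence of steps 1 to 7 for a given policy, refuses combinations the guide rules out, and checks whether a terminal with a given (hypothetical) set of supported protocols and ciphers would be admitted. The class and function names are my own.

```python
"""Model the WPA/WPA2 settings from the two preceding sections and check
which terminals a profile admits.  Constructed example, not Huawei code:
the class, function names and terminal capability sets are hypothetical."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

AUTHS = ("wpa", "wpa2", "wpa-wpa2")
METHODS = ("psk", "dot1x")
CIPHERS = ("aes", "tkip", "aes-tkip")


@dataclass(frozen=True)
class WpaPolicy:
    auth: str                                  # wpa | wpa2 | wpa-wpa2
    method: str                                # psk | dot1x
    cipher: str                                # aes | tkip | aes-tkip
    key: Optional[str] = None                  # pass-phrase for psk; None for dot1x
    pmf: Optional[str] = None                  # None | optional | mandatory
    ptk_update_interval: Optional[int] = None  # seconds; None keeps the 43200 s default

    def auths(self) -> FrozenSet[str]:
        return frozenset(self.auth.split("-"))    # wpa-wpa2 -> {wpa, wpa2}

    def ciphers(self) -> FrozenSet[str]:
        return frozenset(self.cipher.split("-"))  # aes-tkip -> {aes, tkip}


def validate(p: WpaPolicy) -> List[str]:
    """Constraints stated in the procedure; an empty list means the policy is configurable."""
    problems = []
    if p.auth not in AUTHS or p.method not in METHODS or p.cipher not in CIPHERS:
        problems.append("unknown auth/method/cipher keyword")
    if p.method == "psk" and not p.key:
        problems.append("psk requires a key value")
    if p.method == "dot1x" and p.key:
        problems.append("dot1x takes no key; an authentication profile is configured instead")
    if p.pmf and not (p.auth == "wpa2" and p.cipher == "aes"):
        problems.append("pmf requires authentication mode WPA2 and encryption mode AES")
    return problems


def render(name: str, p: WpaPolicy) -> List[str]:
    """CLI lines for steps 1 to 7 of the procedure, in order."""
    problems = validate(p)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["system-view", "wlan", f"security-profile name {name}"]
    if p.method == "psk":
        lines.append(f"security {p.auth} psk pass-phrase {p.key} {p.cipher}")
    else:
        lines.append(f"security {p.auth} dot1x {p.cipher}")
    if p.ptk_update_interval is not None:
        lines += ["wpa ptk-update enable",
                  f"wpa ptk-update ptk-update-interval {p.ptk_update_interval}"]
    if p.pmf:
        lines.append(f"pmf {p.pmf}")
    return lines


def can_join(p: WpaPolicy, terminal_auths: Iterable[str], terminal_ciphers: Iterable[str]) -> bool:
    """A terminal is admitted if it shares one authentication protocol and one cipher with the profile."""
    return bool(p.auths() & set(terminal_auths)) and bool(p.ciphers() & set(terminal_ciphers))


if __name__ == "__main__":
    mixed = WpaPolicy("wpa-wpa2", "psk", "aes-tkip", key="ExamplePassphrase")
    print("\n".join(render("mixed", mixed)))
    print(can_join(mixed, {"wpa"}, {"tkip"}))   # a WEP-era terminal is admitted with TKIP
```

The `hex` key format and the `tkip aes` spelling of the mixed cipher set are also accepted by the `security` command; the model uses `pass-phrase` and `aes-tkip` for brevity. Note that `can_join` only models the protocol and cipher match described in the Context; it does not model PMF capability of terminals, which the guide does not discuss.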

Configuring WAPI-PSK

Context

WAPI allows only robust security network association (RSNA), providing higher security than WEP or WPA/WPA2.

WAPI-PSK applies to home networks or small-scale enterprise networks. No additional certificate system is required.

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the unicast session key (USK) and multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security wapi psk { pass-phrase | hex } key-value

    The security policy is set to WAPI-PSK.

  5. (Optional) Run:

    wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }

    The interval for updating a Base Key (BK) and the BK lifetime percentage are set.

    The value obtained by multiplying the interval for updating a BK by the BK lifetime percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is less than 300s, the BK may be updated before negotiation is complete due to low STA performance. In this case, some STAs may be forced offline or cannot go online.

    By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.

  6. (Optional) Run:

    wapi sa-timeout sa-time

    The timeout period of a security association is set.

    By default, the timeout period for an SA is 60s.

    If a STA is not authenticated within the timeout period, no SA is established and the STA cannot go online.

  7. (Optional) Run:

    wapi { usk | msk } key-update { disable | time-based }

    The WAPI USK or MSK update mode is set.

    By default, USKs and MSKs are updated based on time.

  8. (Optional) Run:

    wapi { usk-update-interval usk-interval | usk-retrans-count usk-count }

    The interval for updating a USK, and number of retransmissions of USK negotiation packets are set.

    By default, the interval for updating a USK is 86400s; the number of retransmissions of USK negotiation packets is 3.

  9. (Optional) Run:

    wapi { msk-update-interval msk-interval | msk-retrans-count msk-count }

    The interval for updating an MSK, and number of retransmissions of MSK negotiation packets are set.

    By default, the interval for updating an MSK is 86400s; the number of retransmissions of MSK negotiation packets is 3.

Configuring WAPI-Certificate

Context

WAPI allows only robust security network association (RSNA), providing higher security than WEP or WPA/WPA2.

WAPI-certificate applies to large-scale enterprise networks or carrier networks that can deploy and maintain an expensive certificate system.

WAPI uses X.509 V3 certificates encoded in Base64 binary mode and saved in PEM format. The X.509 V3 certificate file has the name extension .cer. Before importing a certificate for WAPI, ensure that the certificate file is saved in the root directory of the storage medium.

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the unicast session key (USK) and multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    security-profile name profile-name

    The security profile view is displayed.

  4. Run:

    security wapi certificate

    The security policy is set to WAPI-certificate.

  5. Configure the certificate file and ASU server.
    1. Run the wapi import certificate { ac | asu | issuer } format pkcs12 file-name file-name password password or wapi import certificate { ac | asu | issuer } format pem file-name file-name command to import the central AP certificate file, certificate of the central AP certificate issuer, and ASU certificate file.

      By default, the central AP certificate file, certificate of the central AP certificate issuer, and ASU certificate file are not imported.

    2. Run the wapi import private-key format pkcs12 file-name file-name password password or wapi import private-key format pem file-name file-name command to import the central AP's private key file.

      By default, no central AP private key file is imported.

    3. Run the wapi asu ip ip-address command to configure the ASU server's IP address.

      By default, no IP address is specified for the ASU server.

    4. (Optional) Run the wapi cert-retrans-count cert-count command to set the number of retransmissions of certificate authentication packets.

      By default, the number of retransmissions is 3.

  6. (Optional) Run:

    wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }

    The interval for updating a Base Key (BK) and the BK lifetime percentage are set.

    The value obtained by multiplying the interval for updating a BK by the BK lifetime percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is less than 300s, the BK may be updated before negotiation is complete due to low STA performance. In this case, some STAs may be forced offline or cannot go online.

    By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.

  7. (Optional) Run:

    wapi sa-timeout sa-time

    The timeout period of a security association is set.

    By default, the timeout period for an SA is 60s.

    If a STA is not authenticated within the timeout period, no SA is established and the STA cannot go online.

  8. (Optional) Run:

    wapi { usk | msk } key-update { disable | time-based }

    The WAPI USK or MSK update mode is set.

    By default, USKs and MSKs are updated based on time.

  9. (Optional) Run:

    wapi { usk-update-interval usk-interval | usk-retrans-count usk-count }

    The interval for updating a USK, and number of retransmissions of USK negotiation packets are set.

    By default, the interval for updating a USK is 86400s; the number of retransmissions of USK negotiation packets is 3.

  10. (Optional) Run:

    wapi { msk-update-interval msk-interval | msk-retrans-count msk-count }

    The interval for updating an MSK, and number of retransmissions of MSK negotiation packets are set.

    By default, the interval for updating an MSK is 86400s; the number of retransmissions of MSK negotiation packets is 3.

Applying the Configuration to a VAP Profile

Context

After a WLAN security policy is configured in a security profile, bind the security profile to a VAP profile. Each VAP profile contains one security profile. Wireless terminals can connect to the WLAN through an SSID only after they complete identity authentication according to the security policy configured in the VAP profile.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    vap-profile name profile-name

    The VAP profile view is displayed.

  4. Run:

    security-profile profile-name

    The security profile is bound to the VAP profile.

    By default, the security profile default is bound to a VAP profile.

Checking the Configuration

Context

After the WLAN security policy configuration is complete, check the security profiles on the device, including their configuration and profile reference information, and content of the certificate imported during WAPI-certificate authentication.

Procedure

  • Run the display security-profile { all | name profile-name } command to check information about a security profile.
  • Run the display references security-profile name profile-name command to check reference information about a security profile.
  • Run the display wlan wapi certificate file-name file-name command to check the content of the certificate imported during WAPI-certificate authentication.
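Besides the display commands above, the recommendations of Table 25-5 and the per-policy constraints in the preceding sections (open system only with NAC, WEP not recommended, PMF only with WPA2 and AES, 802.1x needing an authentication profile, the WAPI BK interval times lifetime percentage being at least 300 s, and VAPs falling back to the open `default` security profile) can be checked offline against a saved configuration. The following audit script is an added example and not Huawei code. It parses a running-config-style text written in the command syntax this guide documents; the line layout of the sample is an assumption, and real `display current-configuration` output may differ (for instance, keys are shown ciphered). The profile names and passphrases in the sample are constructed.

```python
"""Offline audit of WLAN security profiles against this guide's recommendations.
Constructed example, not Huawei code; the config layout is an assumption."""
from typing import Dict, List, Optional, Set, Tuple

WPA_AUTHS = ("wpa", "wpa2", "wpa-wpa2")

# Constructed sample config in the guide's command syntax; passphrases are placeholders.
SAMPLE_CONFIG = """\
security-profile name guest
 security open
security-profile name legacy
 security wep share-key
security-profile name home
 security wpa2 psk pass-phrase ExamplePassphrase aes
security-profile name corp
 security wpa2 dot1x aes
 pmf mandatory
security-profile name mixed
 security wpa-wpa2 psk pass-phrase ExamplePassphrase tkip aes
 pmf optional
security-profile name wapi-home
 security wapi psk pass-phrase ExamplePassphrase
 wapi bk-update-interval 400
 wapi bk-threshold 70
vap-profile name office
 security-profile corp
vap-profile name unbound
"""


def parse(config: str) -> Tuple[Dict[str, List[List[str]]], Dict[str, str]]:
    """Return {security profile: [command tokens]} and {VAP profile: bound security profile}."""
    profiles: Dict[str, List[List[str]]] = {}
    vaps: Dict[str, str] = {}
    kind = name = ""
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["security-profile", "name"]:
            kind, name = "sec", t[2]
            profiles[name] = []
        elif t[:2] == ["vap-profile", "name"]:
            kind, name = "vap", t[2]
            vaps[name] = "default"            # bound to 'default' unless overridden
        elif kind == "sec":
            profiles[name].append(t)
        elif kind == "vap" and t[0] == "security-profile":
            vaps[name] = t[1]
    return profiles, vaps


def find(cmds: List[List[str]], *prefix: str) -> Optional[List[str]]:
    return next((t for t in cmds if t[:len(prefix)] == list(prefix)), None)


def policy(cmds: List[List[str]]) -> Tuple[str, Set[str]]:
    """Classify the 'security' command; no command means open system (the default)."""
    t = find(cmds, "security")
    if t is None:
        return "open", set()
    if t[1] in WPA_AUTHS:   # security <auth> psk <fmt> <key> <ciphers..> | security <auth> dot1x <ciphers..>
        rest = t[5:] if t[2] == "psk" else t[3:]
        return f"{t[1]}-{t[2]}", {c for word in rest for c in word.split("-")}
    return ("wapi-" + t[2]) if t[1] == "wapi" else t[1], set()


def audit(config: str) -> List[Tuple[str, str, str]]:
    """Return (profile, level, message) findings."""
    profiles, vaps = parse(config)
    out: List[Tuple[str, str, str]] = []
    for name, cmds in profiles.items():
        pol, ciphers = policy(cmds)
        if pol == "open":
            out.append((name, "warn", "open system admits any terminal; pair it with Portal or MAC authentication (NAC)"))
        elif pol == "wep":
            out.append((name, "warn", "WEP is not recommended; enable brute-force key cracking detection"))
        elif pol.startswith("wpa"):
            auth, method = pol.rsplit("-", 1)
            if "tkip" in ciphers:
                out.append((name, "info", "TKIP enabled; only WEP-era terminals need it"))
            pmf = find(cmds, "pmf")
            if pmf and not (auth == "wpa2" and ciphers == {"aes"}):
                out.append((name, "error", "pmf requires WPA2 with AES only"))
            elif not pmf and auth == "wpa2" and ciphers == {"aes"}:
                out.append((name, "info", "PMF is disabled by default; consider 'pmf optional' or 'pmf mandatory'"))
            if method == "dot1x":
                out.append((name, "info", "802.1x needs an authentication profile; check 'display wlan config-errors'"))
        elif pol.startswith("wapi"):
            interval = int((find(cmds, "wapi", "bk-update-interval") or ["", "", "43200"])[2])
            threshold = int((find(cmds, "wapi", "bk-threshold") or ["", "", "70"])[2])
            if interval * threshold / 100 < 300:
                out.append((name, "error", f"BK interval {interval}s x {threshold}% = {interval * threshold // 100}s, below 300s"))
    for vap, sec in vaps.items():
        cmds = profiles.get(sec)
        if cmds is None and sec != "default":
            out.append((vap, "error", f"bound security profile '{sec}' is not defined"))
        elif policy(cmds or [])[0] == "open":   # the built-in 'default' profile is open system
            out.append((vap, "warn", f"VAP admits unauthenticated terminals via security profile '{sec}'"))
    return out


if __name__ == "__main__":
    for prof, level, msg in audit(SAMPLE_CONFIG):
        print(f"{level:5} {prof:10} {msg}")
```

The script cannot see whether an authentication profile with Portal, MAC or 802.1x authentication is actually bound to the VAP (that configuration lives in NAC, outside this section), so open-system and 802.1x findings are prompts to verify the NAC side rather than proof of a gap.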
Updated: 2019-01-11

Document ID: EDOC1000176006