Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Example for Configuring Rogue Device Detection and Containment

Networking Requirements

As shown in Figure 12-7, an enterprise branch deploys WLAN basic services for mobile office applications and provides a WLAN with the SSID of wlan-net for employees to access enterprise network resources. STAs automatically obtain IP addresses.

The branch is located in an open area, which makes the WLAN vulnerable to attacks. A rogue AP (AP2) from another vendor, using the same SSID wlan-net, has been deployed on the WLAN and attempts to steal enterprise business information by establishing connections with STAs. This rogue AP threatens information security on the enterprise network. To prevent such attacks, deploy a monitor AP (AP3) and configure the WIDS and WIPS functions so that AP3 detects AP2 and prevents STAs from associating with it.

Figure 12-7  Networking diagram for configuring WIDS and WIPS

Configuration Roadmap

  1. Configure basic WLAN services to enable STAs to connect to the WLAN. For details, see Example for Configuring Fat AP Layer 2 Networking.
  2. Configure AP3 to work in monitor mode so that AP3 can detect information about wireless devices.
  3. Configure WIDS and WIPS so that AP3 can contain the detected rogue APs (AP2 in this example) and disconnect STAs from AP2.
NOTE:

The following example configures WIDS and WIPS on the 2.4G radio of AP3. The configuration on the 5G radio is similar.

Table 12-2  Data planning

Item

Data

SSID profile
  • Name: wlan-ssid
  • SSID name: wlan-net
VAP profile
  • Name: wlan-vap
  • Referenced profile: SSID profile wlan-ssid
Radio working mode of AP3
  • monitor
WIDS and WIPS
  • Device detection: enabled
  • Rogue device containment: enabled
  • Rogue device containment mode for AP3: containing rogue APs
WIDS whitelist
  • Authorized MAC address: 00bc-da3f-e900
  • Authorized OUI: 00-bc-da
  • Authorized SSID: wlan-net

Configuration Notes

No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression on switch interfaces connected to APs to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected. For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.

Procedure

  1. Configure AP3's system parameters.

    # Configure the country code.

    <Huawei> system-view
    [Huawei] sysname AP3
    [AP3] wlan
    [AP3-wlan-view] country-code cn
    

  2. Configure a VAP profile.

    # Create the SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AP3-wlan-view] ssid-profile name wlan-ssid
    [AP3-wlan-ssid-prof-wlan-ssid] ssid wlan-net
    [AP3-wlan-ssid-prof-wlan-ssid] quit
    

    # Create the VAP profile wlan-vap, and apply the SSID profile to the VAP profile.

    [AP3-wlan-view] vap-profile name wlan-vap
    [AP3-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
    [AP3-wlan-vap-prof-wlan-vap] quit
    [AP3-wlan-view] quit
    

  3. Bind the VAP profile to a radio.

    [AP3] interface wlan-radio 0/0/0
    [AP3-Wlan-Radio0/0/0] vap-profile wlan-vap wlan 2
    

  4. Configure the 2.4G radio of AP3 to work in monitor mode.

    [AP3-wlan-Radio0/0/0] work-mode monitor
    Warning: Modify the work mode may cause business interruption, continue?(y/n)[n]:y
    

  5. Configure WIDS and WIPS.

    # Enable device detection and rogue device containment.

    [AP3-wlan-Radio0/0/0] wids device detect enable
    [AP3-wlan-Radio0/0/0] wids contain enable
    [AP3-wlan-Radio0/0/0] quit
    

    # Set the containment mode to containing rogue APs.

    [AP3] wlan
    [AP3-wlan-view] wids
    [AP3-wlan-wids] contain-mode spoof-ssid-ap
    

    # Configure a WIDS whitelist and add authorized APs to the WIDS whitelist.

    [AP3-wlan-wids] permit-ap mac-address 00bc-da3f-e900
    [AP3-wlan-wids] permit-ap oui 00-bc-da
    [AP3-wlan-wids] permit-ap ssid wlan-net
    [AP3-wlan-wids] quit
    

  6. Verify the configuration.

    Run the display wlan ids contain ap command. The command output shows information about the contained AP2.

    [AP3-wlan-view] display wlan ids contain ap
    #Rf: Number of monitor radios that have detected the device
    CH: Channel number
    -------------------------------------------------------------------------------
    MAC address     CH  Authentication   Last detected time  #Rf   SSID
    -------------------------------------------------------------------------------
    000b-6b8f-fc6a  11  open             2014-11-20/16:16:57  1    wlan-net
    -------------------------------------------------------------------------------
    Total: 1, printed: 1

    STAs attempt to connect to the network through AP2. Because containment is applied to AP2, traffic between the STAs and AP2 is interrupted, and the STAs then associate with AP1 instead.

    C:\Documents and Settings\huawei> ping 10.23.101.22
    
    Pinging 10.23.101.22 with 32 bytes of data:
    
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 10.23.101.22: bytes=32 time=1433ms TTL=255
    Reply from 10.23.101.22: bytes=32 time=40ms TTL=255
    Reply from 10.23.101.22: bytes=32 time=11ms TTL=255
    Reply from 10.23.101.22: bytes=32 time=46ms TTL=255
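    As an added example (not part of the Huawei guide), the following Python helper parses the `display wlan ids contain ap` output shown above into records and cross-checks each contained AP's MAC and OUI against the WIDS whitelist from Table 12-2. The sample output is a constructed copy of the table above; the check only reports whether a contained AP's address appears in the whitelist, which is useful for spotting a whitelist mistake when an authorized AP turns up in the contain list.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `display wlan ids contain ap` output from the guide.
SAMPLE_OUTPUT = """\
#Rf: Number of monitor radios that have detected the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address     CH  Authentication   Last detected time  #Rf   SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a  11  open             2014-11-20/16:16:57  1    wlan-net
-------------------------------------------------------------------------------
Total: 1, printed: 1
"""

# WIDS whitelist entries from Table 12-2 (permit-ap mac-address / permit-ap oui).
PERMIT_MAC = {"00bc-da3f-e900"}
PERMIT_OUI = {"00-bc-da"}

# One table row: Huawei-style MAC, channel, auth, timestamp, radio count, SSID.
ROW_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(\S+)\s+"
    r"(\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$"
)

@dataclass
class ContainedAp:
    mac: str
    channel: int
    auth: str
    last_seen: str
    radios: int
    ssid: str

def norm_hex(addr: str) -> str:
    """Drop separators so 00bc-da3f-e900 and 00-bc-da compare as raw hex digits."""
    return re.sub(r"[^0-9a-f]", "", addr.lower())

def parse_contain_ap(text: str) -> list[ContainedAp]:
    """Keep only data rows; headers, rulers and the 'Total:' footer do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            mac, ch, auth, ts, rf, ssid = m.groups()
            rows.append(ContainedAp(mac, int(ch), auth, ts, int(rf), ssid))
    return rows

def whitelisted(ap: ContainedAp) -> bool:
    """True if the AP's full MAC, or its OUI (first 3 bytes), is in the whitelist."""
    mac = norm_hex(ap.mac)
    return mac in {norm_hex(m) for m in PERMIT_MAC} or mac[:6] in {norm_hex(o) for o in PERMIT_OUI}
```

    For the sample row, the contained AP's OUI 00-0b-6b is not the authorized OUI 00-bc-da, so `whitelisted()` returns False, consistent with AP2 being a third-party rogue.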

Configuration Files

AP3 configuration file

#
 sysname AP3
#
wlan
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  ssid-profile wlan-ssid
 wids
  contain-mode spoof-ssid-ap
  permit-ap mac-address 00bc-da3f-e900
  permit-ap oui 00-bc-da
  permit-ap ssid wlan-net
#
interface Wlan-Radio0/0/0
 vap-profile wlan-vap wlan 2
 work-mode monitor
 wids device detect enable
 wids contain enable
#
return
Updated: 2019-01-11

Document ID: EDOC1000176006
