Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
WLAN Security Configuration Commands

Command Support

Only the S5720HI supports WLAN-AC commands.

anti-attack broadcast-flood blacklist enable

Function

The anti-attack broadcast-flood blacklist enable command enables the broadcast flood blacklist function.

The undo anti-attack broadcast-flood blacklist enable command disables the broadcast flood blacklist function.

By default, the broadcast flood blacklist function is disabled.

Format

anti-attack broadcast-flood blacklist enable

undo anti-attack broadcast-flood blacklist enable

Parameters

None

Views

VAP profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the broadcast flood blacklist function is enabled, the device considers traffic with a rate higher than that specified in anti-attack broadcast-flood sta-rate-threshold a broadcast flood attack and adds the STA to the blacklist.

Prerequisites

The broadcast flood detection function has been enabled using the undo anti-attack broadcast-flood disable command.

Example

# Enable the broadcast flood blacklist function.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-wlan-vap-prof-profile1] anti-attack broadcast-flood blacklist enable

anti-attack broadcast-flood disable

Function

The anti-attack broadcast-flood disable command disables the broadcast flood detection function.

The undo anti-attack broadcast-flood disable command enables the broadcast flood detection function.

By default, the broadcast flood detection function is enabled.

Format

anti-attack broadcast-flood disable

undo anti-attack broadcast-flood disable

Parameters

None

Views

VAP profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a large number of broadcast packets are sent to a device in a short time, the device becomes busy processing the packets and cannot process normal services. To prevent broadcast flood attacks, you can configure broadcast flood detection.

Example

# Disable the broadcast flood detection function.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-wlan-vap-prof-profile1] anti-attack broadcast-flood disable

anti-attack broadcast-flood sta-rate-threshold

Function

The anti-attack broadcast-flood sta-rate-threshold command sets the broadcast flood threshold.

The undo anti-attack broadcast-flood sta-rate-threshold command restores the default broadcast flood threshold.

By default, the broadcast flood threshold is 10 pps.

Format

anti-attack broadcast-flood sta-rate-threshold sta-rate-threshold

undo anti-attack broadcast-flood sta-rate-threshold

Parameters

Parameter Description Value

sta-rate-threshold

Specifies the rate threshold of broadcast traffic from STAs.

The value is an integer that ranges from 5 to 5000, in pps.

Views

VAP profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the broadcast flood detection function is enabled, you can set the broadcast traffic threshold.

When the traffic rate exceeds the threshold, the device considers a broadcast flood attack from the STA and discards the broadcast traffic. This prevents the upper-layer network from being affected by the broadcast flood.

If the broadcast flood blacklist function is enabled using the anti-attack broadcast-flood blacklist enable command, the device adds broadcast flood STAs to the blacklist.
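The three broadcast-flood commands above describe one per-STA rate check: count broadcast frames from each STA, discard them once the rate exceeds sta-rate-threshold, and blacklist the STA when the blacklist function is on. The following Python model is an added example, not Huawei code; it assumes a one-second counting window to give "pps" a concrete meaning, and the MAC addresses and traffic are constructed.

```python
from collections import defaultdict

# Defaults taken from the page: detection on, blacklist off, 10 pps threshold (range 5..5000).
DEFAULT_STA_RATE_THRESHOLD = 10


class BroadcastFloodDetector:
    """Constructed model of per-STA broadcast flood detection on a VAP (not Huawei code).

    Broadcast frames are counted per STA within each one-second window (an
    assumption made here). Once the count in a window exceeds sta-rate-threshold,
    further broadcast frames from that STA in the window are discarded and, if
    the blacklist function is enabled, the STA is blacklisted so that all of its
    later frames are dropped.
    """

    def __init__(self, sta_rate_threshold=DEFAULT_STA_RATE_THRESHOLD,
                 blacklist_enable=False, detection_enabled=True):
        if not 5 <= sta_rate_threshold <= 5000:
            raise ValueError("sta-rate-threshold must be 5..5000 pps")
        self.threshold = sta_rate_threshold
        self.blacklist_enable = blacklist_enable
        self.detection_enabled = detection_enabled
        self.window_counts = defaultdict(int)   # (sta_mac, second) -> broadcast frames seen
        self.blacklist = set()
        self.events = []                         # (time, sta_mac, event) the AP would log

    def handle_frame(self, sta_mac, timestamp, is_broadcast):
        """Return 'forward' or 'discard' for one upstream frame from a STA."""
        if sta_mac in self.blacklist:
            return "discard"                     # blacklisted STA: everything is dropped
        if not (is_broadcast and self.detection_enabled):
            return "forward"
        key = (sta_mac, int(timestamp))
        self.window_counts[key] += 1
        if self.window_counts[key] <= self.threshold:
            return "forward"
        # Rate above the threshold: treat the STA as a broadcast flood source.
        if self.blacklist_enable and sta_mac not in self.blacklist:
            self.blacklist.add(sta_mac)
            self.events.append((timestamp, sta_mac, "blacklisted"))
        return "discard"


def run_scenario(threshold=DEFAULT_STA_RATE_THRESHOLD, blacklist_enable=False):
    """Replay constructed traffic: a quiet STA and a STA bursting 15 broadcasts in one second."""
    det = BroadcastFloodDetector(threshold, blacklist_enable)
    quiet, noisy = "0011-2233-aaaa", "0011-2233-bbbb"   # constructed MAC addresses
    verdicts = []
    for i in range(3):
        verdicts.append(det.handle_frame(quiet, 0.1 * i, True))
    for i in range(15):
        verdicts.append(det.handle_frame(noisy, 0.05 * i, True))
    # A unicast frame from the noisy STA in a later second is only dropped once it is blacklisted.
    later_unicast = det.handle_frame(noisy, 5.0, False)
    return {
        "forwarded": verdicts.count("forward"),
        "discarded": verdicts.count("discard"),
        "later_unicast": later_unicast,
        "blacklist": sorted(det.blacklist),
    }


if __name__ == "__main__":
    print(run_scenario())                         # detection only: excess frames discarded
    print(run_scenario(blacklist_enable=True))    # detection plus blacklist: STA cut off
```

With the default 10 pps threshold the 11th to 15th broadcast frames of the bursting STA are discarded in both runs; only with the blacklist enabled is its later unicast traffic dropped as well, which is the difference between anti-attack broadcast-flood sta-rate-threshold on its own and the blacklist function on top of it.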

Prerequisites

The broadcast flood detection function has been enabled using the undo anti-attack broadcast-flood disable command.

Example

# Set the broadcast flood threshold to 100 pps.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-wlan-vap-prof-profile1] anti-attack broadcast-flood sta-rate-threshold 100

arp anti-attack check user-bind enable

Function

The arp anti-attack check user-bind enable command enables dynamic ARP inspection (DAI).

The undo arp anti-attack check user-bind enable command disables DAI.

By default, DAI is disabled.

Format

arp anti-attack check user-bind enable

undo arp anti-attack check user-bind enable

Parameters

None

Views

VAP profile view

Default Level

2: Configuration level

Usage Guidelines

DAI allows an AP to detect the ARP Request and Reply packets transmitted on the VAPs of the AP, to discard invalid and attack ARP packets, and to send an alarm to the connected AC. This function prevents ARP packets of unauthorized users from accessing the external network through the AP, protecting authorized users against interference or spoofing, and protecting the AP.

  • Invalid ARP packets: The source IP and MAC addresses of ARP Request and Reply packets do not match.
  • Attack ARP packets: When an AP receives a large number of consecutive ARP packets and the number of ARP packets exceeds the ARP attack alarm threshold, an ARP attack occurs.
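The two DAI checks listed above (sender IP/MAC pair versus the user binding table, and an ARP packet count versus an alarm threshold) can be modelled as a small inspector. This is an added example, not Huawei code: the page gives no numeric value for the ARP attack alarm threshold, so the threshold, the one-second counting window, the binding table and the packets below are all constructed assumptions.

```python
from collections import deque

# The page names an "ARP attack alarm threshold" but not its value; both the
# threshold and the one-second window below are assumptions of this example.
ASSUMED_ARP_ALARM_THRESHOLD = 50
ASSUMED_WINDOW_SECONDS = 1.0


class DaiInspector:
    """Constructed model of dynamic ARP inspection on an AP VAP (not Huawei code)."""

    def __init__(self, user_bindings, alarm_threshold=ASSUMED_ARP_ALARM_THRESHOLD,
                 window=ASSUMED_WINDOW_SECONDS):
        self.bindings = dict(user_bindings)   # STA IP -> bound STA MAC (user-bind table)
        self.alarm_threshold = alarm_threshold
        self.window = window
        self.recent = deque()                 # timestamps of valid ARP packets in the window
        self.alarms = []                      # what the AP would report to the AC

    def inspect(self, pkt):
        """pkt: dict with op, sender_ip, sender_mac, time. Returns 'forward' or 'discard'."""
        # 1. Invalid packet: the sender IP/MAC pair does not match the binding table.
        bound_mac = self.bindings.get(pkt["sender_ip"])
        if bound_mac is None or bound_mac.lower() != pkt["sender_mac"].lower():
            self.alarms.append(("invalid-arp", pkt["sender_ip"], pkt["sender_mac"]))
            return "discard"
        # 2. Attack: too many ARP packets inside the window, even if each one is well-formed.
        now = pkt["time"]
        self.recent.append(now)
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) > self.alarm_threshold:
            if not self.alarms or self.alarms[-1][0] != "arp-attack":
                self.alarms.append(("arp-attack", pkt["sender_ip"], pkt["sender_mac"]))
            return "discard"
        return "forward"


def run_scenario():
    """Constructed binding table and packets: one good request, two mismatches, one burst."""
    bindings = {"192.0.2.10": "0011-2233-0001", "192.0.2.11": "0011-2233-0002"}
    dai = DaiInspector(bindings, alarm_threshold=5)

    def arp(op, ip, mac, t):
        return {"op": op, "sender_ip": ip, "sender_mac": mac, "time": t}

    results = {}
    results["good_request"] = dai.inspect(arp("request", "192.0.2.10", "0011-2233-0001", 0.0))
    # A STA claims another STA's IP address in an ARP reply: IP/MAC mismatch.
    results["spoofed_reply"] = dai.inspect(arp("reply", "192.0.2.11", "0011-2233-0001", 0.1))
    # A sender with no binding at all is also treated as invalid.
    results["unknown_sender"] = dai.inspect(arp("request", "192.0.2.99", "0011-2233-0099", 0.2))
    # Ten well-formed requests from one STA within the window exceed the assumed threshold of 5.
    burst = [dai.inspect(arp("request", "192.0.2.10", "0011-2233-0001", 1.0 + i * 0.01))
             for i in range(10)]
    results["burst_forwarded"] = burst.count("forward")
    results["alarm_types"] = [a[0] for a in dai.alarms]
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The binding table would in practice come from STA address learning; here it is constructed inline. Note that a mismatched packet is discarded without being counted, so the attack counter only sees well-formed ARP traffic.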

Example

# Enable DAI.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] vap-profile name vap1
[HUAWEI-wlan-vap-prof-vap1] arp anti-attack check user-bind enable  
brute-force-detect interval

Function

The brute-force-detect interval command sets the interval for brute force key cracking detection.

The undo brute-force-detect interval command restores the default interval for brute force key cracking detection.

By default, the interval for brute force key cracking detection is 60 seconds.

Format

brute-force-detect interval interval

undo brute-force-detect interval

Parameters

Parameter Description Value

interval interval

Specifies the interval for brute force key cracking detection.

The value is an integer that ranges from 10 to 120, in seconds.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a brute force key cracking attack, an attacker tries all possible key combinations one by one to obtain the correct password. To improve password security, enable defense against brute force key cracking to prolong the time needed to crack passwords.

An AP checks whether the number of key negotiation failures during WPA/WPA2-PSK, WAPI-PSK, or WEP-Share-Key authentication of a user exceeds the threshold configured using the brute-force-detect threshold command. If so, the AP considers that the user is using the brute force method to crack the password and reports an alarm to the AC. If the dynamic blacklist function is enabled, the AP adds the user to the dynamic blacklist and discards all the packets from the user until the dynamic blacklist entry ages out.

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example

# Set the interval for brute force key cracking detection to 100 seconds.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wpa-psk
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name huawei
[HUAWEI-wlan-wids-prof-huawei] brute-force-detect interval 100

brute-force-detect quiet-time

Function

The brute-force-detect quiet-time command sets the quiet time for an AP to report brute force key attacks to an AC.

The undo brute-force-detect quiet-time command restores the default quiet time for an AP to report brute force key attacks to an AC.

By default, the quiet time for an AP to report brute force key attacks to an AC is 600 seconds.

Format

brute-force-detect quiet-time quiet-time-value

undo brute-force-detect quiet-time

Parameters

Parameter Description Value

quiet-time-value

Specifies the quiet time for an AP to report brute force key attacks to an AC.

The value is an integer that ranges from 60 to 36000, in seconds.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After attack detection is enabled on an AP, the AP reports alarms upon attack detection. If an attack source launches attacks repeatedly, a large number of repeated alarms are generated. To prevent this situation, configure the quiet time function for attack detection. When detecting attack sources of the same MAC address, the AP does not report alarms in the quiet time. However, if the AP still detects attacks from the attack source after the quiet time expires, the AP reports alarms. You can set the quiet time based on attack types.

To obtain attack information in time, set the quiet time to a small value. If attack detection is enabled on many APs, and attacks are frequently detected, set the quiet time to a large value to avoid frequent alarm reports.

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example

# Set the quiet time for an AP to report brute force key attacks to an AC to 300 seconds.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wpa-psk
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name huawei
[HUAWEI-wlan-wids-prof-huawei] brute-force-detect quiet-time 300 

brute-force-detect threshold

Function

The brute-force-detect threshold command sets the maximum number of key negotiation failures allowed within a brute force key cracking attack detection period.

The undo brute-force-detect threshold command restores the default maximum number of key negotiation failures allowed within a brute force key cracking attack detection period.

By default, an AP allows a maximum of 20 key negotiation failures within a brute force key cracking attack detection period.

Format

brute-force-detect threshold threshold

undo brute-force-detect threshold

Parameters

Parameter Description Value

threshold threshold

Specifies the number of key negotiation failures within a detection period.

The value is an integer that ranges from 1 to 100.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a brute force key cracking attack, an attacker tries all possible key combinations one by one to obtain the correct password. To improve password security, enable defense against brute force key cracking to prolong the time needed to crack passwords.

An AP checks whether the number of key negotiation failures during WPA/WPA2-PSK, WAPI-PSK, or WEP-Share-Key authentication of a user exceeds the threshold configured using the brute-force-detect threshold command. If so, the AP considers that the user is using the brute force method to crack the password and reports an alarm to the AC. If the dynamic blacklist function is enabled, the AP adds the user to the dynamic blacklist and discards all the packets from the user until the dynamic blacklist entry ages out. If the threshold is set to a small value, the AP may incorrectly add authorized users to the dynamic blacklist, so that those users cannot go online.
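The brute-force-detect interval, threshold and quiet-time commands, together with the dynamic blacklist, describe one detection loop: count a STA's key negotiation failures inside a sliding detection interval, alarm once the count exceeds the threshold, suppress repeated alarms for the same MAC during the quiet time, and drop the STA's packets while its dynamic blacklist entry lives. The Python model below is an added example for the brute-force-detect interval, quiet-time and threshold sections, not Huawei code; the page does not state the dynamic blacklist aging time, so that value, the MAC addresses and the failure timings are constructed assumptions.

```python
from collections import defaultdict, deque

# Defaults and ranges from the page: interval 60 s (10..120), threshold 20 (1..100),
# quiet time 600 s (60..36000). The dynamic blacklist aging time is not given on the
# page, so the value used here is an assumption of this example.
ASSUMED_BLACKLIST_AGING_SECONDS = 600


class BruteForceDetector:
    """Constructed model of an AP's brute force key cracking detection (not Huawei code)."""

    def __init__(self, interval=60, threshold=20, quiet_time=600,
                 dynamic_blacklist=False, blacklist_aging=ASSUMED_BLACKLIST_AGING_SECONDS):
        if not 10 <= interval <= 120 or not 1 <= threshold <= 100 or not 60 <= quiet_time <= 36000:
            raise ValueError("interval 10..120 s, threshold 1..100, quiet-time 60..36000 s")
        self.interval, self.threshold, self.quiet_time = interval, threshold, quiet_time
        self.dynamic_blacklist, self.blacklist_aging = dynamic_blacklist, blacklist_aging
        self.failures = defaultdict(deque)  # STA MAC -> timestamps of key negotiation failures
        self.last_alarm = {}                # STA MAC -> time of the last alarm sent to the AC
        self.blacklist = {}                 # STA MAC -> time the dynamic entry ages out
        self.alarms = []                    # (time, STA MAC) alarms reported to the AC

    def is_blacklisted(self, mac, now):
        expiry = self.blacklist.get(mac)
        if expiry is None:
            return False
        if now >= expiry:                   # entry aged out: the STA may try again
            del self.blacklist[mac]
            return False
        return True

    def key_negotiation_failed(self, mac, now):
        """Record one failed WPA/WPA2-PSK, WAPI-PSK or WEP share-key negotiation."""
        if self.is_blacklisted(mac, now):
            return "dropped"                # all packets from a blacklisted STA are discarded
        window = self.failures[mac]
        window.append(now)
        while window and now - window[0] > self.interval:
            window.popleft()                # keep only failures inside the detection interval
        if len(window) <= self.threshold:
            return "ok"
        # Threshold exceeded within the interval: brute force key cracking suspected.
        if self.dynamic_blacklist:
            self.blacklist[mac] = now + self.blacklist_aging
        last = self.last_alarm.get(mac)
        if last is None or now - last >= self.quiet_time:
            self.last_alarm[mac] = now
            self.alarms.append((now, mac))
            return "alarm"
        return "suppressed"                 # same MAC inside the quiet time: no repeated alarm


def run_scenario():
    """Constructed timeline with a low threshold of 3 so the behaviour is visible."""
    attacker, user = "0011-2233-0bad", "0011-2233-0001"
    det = BruteForceDetector(interval=60, threshold=3, quiet_time=600, dynamic_blacklist=True)
    # Four failures in 30 s: the fourth exceeds the threshold, alarms and blacklists the STA.
    attacker_verdicts = [det.key_negotiation_failed(attacker, t) for t in (0, 10, 20, 30)]
    dropped = det.key_negotiation_failed(attacker, 100)   # still inside the aging time
    # A user mistyping the key four times, but spread over more than one interval: never alarmed.
    user_verdicts = [det.key_negotiation_failed(user, t) for t in (0, 30, 70, 100)]
    # Quiet time, shown without the blacklist so the STA can keep failing.
    det2 = BruteForceDetector(interval=60, threshold=3, quiet_time=600, dynamic_blacklist=False)
    quiet_verdicts = [det2.key_negotiation_failed(attacker, t) for t in (0, 10, 20, 30, 40, 50)]
    after_quiet = [det2.key_negotiation_failed(attacker, t) for t in (700, 710, 720, 730)]
    return {
        "attacker": attacker_verdicts, "dropped": dropped, "user": user_verdicts,
        "quiet": quiet_verdicts, "after_quiet": after_quiet, "alarms_det2": len(det2.alarms),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The second detector shows why the quiet time exists: six failures in 50 seconds produce one alarm and two suppressed detections, and only after the 600 second quiet time has passed does a fresh burst raise a second alarm. The user timeline shows the trade-off the page warns about: with a small threshold, a legitimate user's typos only escape the blacklist because they are spread across more than one detection interval.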

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example

# Set the maximum number of key negotiation failures allowed within a brute force key cracking attack detection period to 60.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wpa-psk
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name huawei
[HUAWEI-wlan-wids-prof-huawei] brute-force-detect threshold 60

contain-mode

Function

The contain-mode command sets the containment mode against rogue devices.

The undo contain-mode command deletes the containment mode against rogue devices.

By default, no containment mode against rogue devices is set.

Format

contain-mode { open-ap | spoof-ssid-ap | client [ protect sta-whitelist-profile profile-name ] | adhoc }

undo contain-mode { open-ap | spoof-ssid-ap | client [ protect ] | adhoc }

Parameters

Parameter Description Value

open-ap

Sets the containment mode against open-authentication rogue APs.

-

spoof-ssid-ap

Sets the containment mode against rogue APs using spoofing SSIDs.

-

client

Sets the containment mode against unauthorized STAs.

-

protect sta-whitelist-profile profile-name

Protects STAs based on the STA whitelist.

Authorized STAs in the whitelist are protected from connecting to rogue APs.

-

adhoc

Sets the containment mode against Ad-hoc devices.

-

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

Rogue devices pose serious security threats to enterprise networks.

After the containment mode is set against rogue APs, the monitor AP uses the identity of the rogue AP to broadcast deauthentication frames to forcibly disconnect STAs. To prevent the STAs from connecting to the rogue AP again, the monitor AP will periodically and continuously send deauthentication frames.

After the containment mode is set against rogue STAs or Ad-hoc devices, the monitor AP uses the MAC address of a rogue device to continuously send unicast deauthentication frames.

Example

# Counter rogue APs with spoofing SSIDs.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids contain enable
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name huawei
[HUAWEI-wlan-wids-prof-huawei] contain-mode spoof-ssid-ap
device report-interval

Function

The device report-interval command sets the interval at which an AP reports incremental wireless device information.

The undo device report-interval command restores the default interval at which an AP reports incremental wireless device information.

By default, an AP reports incremental wireless device information to an AC at an interval of 300 seconds.

Format

device report-interval interval

undo device report-interval

Parameters

Parameter Description Value

interval

Specifies the interval at which an AP reports incremental wireless device information.

The value is an integer that ranges from 10 to 3600, in seconds.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The monitoring AP buffers information about detected wireless devices for the interval set using the device report-interval command. When the interval is reached, the monitoring AP reports the buffered information to the AC and then clears it.

Prerequisites

The device detection function has been enabled using the wids device detect enable command for the AP.

Example

# Set the interval at which an AP reports incremental wireless device information to 120 seconds.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids device detect enable
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name office
[HUAWEI-wlan-wids-prof-office] device report-interval 120

device synchronization-interval

Function

The device synchronization-interval command sets the interval at which an AP reports all wireless device information.

The undo device synchronization-interval command restores the default interval at which an AP reports all wireless device information.

By default, an AP reports all wireless device information to an AC at an interval of 360 minutes.

Format

device synchronization-interval interval

undo device synchronization-interval

Parameters

Parameter Description Value

interval

Specifies the interval at which an AP reports all wireless device information.

The value is an integer that ranges from 120 to 360, in minutes.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An AP reports wireless device information in the following modes:
  • Incremental reporting: The AP reports the added, changed, or deleted information to the AC in real time.
  • All information reporting: The AP periodically reports all wireless device information to the AC.

To ensure that detected device information is consistent on the AP and AC, run the device synchronization-interval command to enable the AP to periodically synchronize wireless device information to the AC.
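The device report-interval and device synchronization-interval commands describe two reporting paths that complement each other: incremental reports carry only the changes buffered since the last report, while the periodic full report lets the AC reconcile anything it missed. The model below is an added example, not Huawei code; the device entries, timings and the "lost report" are constructed to show why the full synchronization matters.

```python
class MonitorAp:
    """Constructed model of a monitoring AP's device reporting (not Huawei code).

    Ranges from the page: report interval 10..3600 s, synchronization interval 120..360 min.
    """

    def __init__(self, report_interval=300, sync_interval_min=360):
        if not 10 <= report_interval <= 3600 or not 120 <= sync_interval_min <= 360:
            raise ValueError("report-interval 10..3600 s, synchronization-interval 120..360 min")
        self.report_interval = report_interval
        self.sync_interval = sync_interval_min * 60
        self.devices = {}          # MAC -> info the AP currently holds for a detected device
        self.pending = {}          # MAC -> ("add"|"change"|"delete", info) since the last report
        self.next_report = report_interval
        self.next_sync = self.sync_interval

    def detect(self, mac, info):
        """A device was seen on the air: record an add or a change."""
        if mac in self.devices and self.devices[mac] == info:
            return
        kind = "change" if mac in self.devices else "add"
        self.devices[mac] = info
        self.pending[mac] = (kind, info)

    def lose(self, mac):
        """A device is no longer detected: record a delete."""
        if mac in self.devices:
            del self.devices[mac]
            self.pending[mac] = ("delete", None)

    def tick(self, now):
        """Return the (kind, payload) messages the AP sends to the AC at time 'now'."""
        out = []
        if now >= self.next_report:
            out.append(("incremental", dict(self.pending)))
            self.pending.clear()          # reported information is cleared after sending
            self.next_report += self.report_interval
        if now >= self.next_sync:
            out.append(("full", dict(self.devices)))
            self.next_sync += self.sync_interval
        return out


class AcView:
    """The AC's copy of the device table, rebuilt from the AP's messages."""

    def __init__(self):
        self.devices = {}

    def apply(self, kind, payload):
        if kind == "full":
            self.devices = dict(payload)  # authoritative: replaces the whole table
            return
        for mac, (op, info) in payload.items():
            if op == "delete":
                self.devices.pop(mac, None)
            else:
                self.devices[mac] = info


def run_scenario():
    """Constructed timeline: a rogue AP appears, disappears, and one incremental report is lost."""
    ap = MonitorAp(report_interval=10, sync_interval_min=120)   # 10 s and 7200 s
    ac = AcView()
    stages = {}
    ap.detect("0011-2233-0bad", {"ssid": "free-wifi", "channel": 6})   # constructed rogue AP
    for msg in ap.tick(10):
        ac.apply(*msg)
    stages["after_first_report"] = sorted(ac.devices)
    ap.lose("0011-2233-0bad")                 # the rogue AP goes away at t=15
    lost = ap.tick(20)                        # generated, but (simulated) never reaches the AC
    stages["report_dropped"] = [kind for kind, _ in lost]
    stages["ac_stale"] = sorted(ac.devices)   # AC still lists the vanished device
    for t in range(30, 7201, 10):             # empty incrementals until the full report at 7200 s
        for msg in ap.tick(t):
            ac.apply(*msg)
    stages["after_full_sync"] = sorted(ac.devices)
    return stages


if __name__ == "__main__":
    print(run_scenario())
```

The stale entry persists for the whole synchronization interval, which is the practical reason the page recommends the full-report path alongside incremental reporting, and why a shorter synchronization interval bounds how long the AC can disagree with the AP.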

Prerequisites

The device detection function has been enabled using the wids device detect enable command for the AP.

Example

# Set the interval at which an AP reports all wireless device information to 120 minutes.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids device detect enable
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name office
[HUAWEI-wlan-wids-prof-office] device synchronization-interval 120

dhcp trust port

Function

The dhcp trust port command configures a DHCP trusted interface on an AP.

The undo dhcp trust port command cancels the configuration.

By default, the DHCP trusted interface is disabled in the VAP profile view and enabled on the AP's uplink interface in the AP wired port profile view.

Format

dhcp trust port

undo dhcp trust port

Parameters

None

Views

VAP profile view, AP wired port profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a bogus DHCP server is deployed at the user side, STAs may obtain incorrect IP addresses and network configuration parameters and cannot communicate properly. After the undo dhcp trust port command is executed in the VAP profile view, an AP discards the DHCP OFFER, ACK, and NAK packets sent by the bogus DHCP server and reports to the AC about the IP address of the unauthorized DHCP server.

Before WLAN services are delivered to an AP, run the dhcp trust port command in the AP wired port profile view. After the command is run, the AP receives the DHCP OFFER, ACK, and NAK packets sent by the authorized DHCP server and forwards the packets to STAs so that the STAs can obtain valid IP addresses and go online.

The undo dhcp trust port command configured in the AP wired port profile view takes effect only in direct forwarding mode, not in tunnel forwarding mode.
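The usage scenario above amounts to a port-trust filter on server-originated DHCP messages: OFFER, ACK and NAK arriving on a trusted port (the wired uplink) are forwarded to STAs, the same messages arriving on an untrusted port (a VAP) are discarded and the sending server's IP is reported to the AC, and client messages pass upstream regardless. The Python model below is an added example, not Huawei code; the port names, addresses and messages are constructed.

```python
# Server-originated messages named on the page; the client message set is an assumption.
DHCP_SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
DHCP_CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}


class ApDhcpTrustFilter:
    """Constructed model of an AP's DHCP trusted-port handling (not Huawei code).

    Ports configured with 'dhcp trust port' may deliver server messages. A VAP or
    other untrusted port that delivers OFFER/ACK/NAK is treated as carrying a bogus
    DHCP server: the message is dropped and the server IP is reported to the AC.
    """

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)
        self.reported_servers = {}   # bogus server IP -> ingress port it was seen on

    def process(self, msg):
        """msg: dict with ingress_port, type and, for server messages, server_ip."""
        mtype = msg["type"].upper()
        if mtype in DHCP_SERVER_MESSAGES:
            if msg["ingress_port"] in self.trusted_ports:
                return "forward-to-sta"
            self.reported_servers.setdefault(msg["server_ip"], msg["ingress_port"])
            return "discard"
        if mtype in DHCP_CLIENT_MESSAGES:
            return "forward-upstream"
        return "discard"             # unknown message type: dropped (assumption)


def run_scenario():
    """Constructed messages: a legitimate exchange via the uplink and a bogus server on a STA."""
    ap = ApDhcpTrustFilter(trusted_ports={"uplink-GE0"})   # constructed uplink port name
    msgs = [
        {"ingress_port": "vap-employee", "type": "DISCOVER", "client_mac": "0011-2233-0001"},
        {"ingress_port": "uplink-GE0", "type": "OFFER", "server_ip": "192.0.2.1"},
        {"ingress_port": "vap-guest", "type": "OFFER", "server_ip": "192.0.2.200"},   # bogus
        {"ingress_port": "vap-guest", "type": "ACK", "server_ip": "192.0.2.200"},     # bogus
        {"ingress_port": "vap-employee", "type": "REQUEST", "client_mac": "0011-2233-0001"},
        {"ingress_port": "uplink-GE0", "type": "ACK", "server_ip": "192.0.2.1"},
    ]
    actions = [ap.process(m) for m in msgs]
    return actions, dict(ap.reported_servers)


if __name__ == "__main__":
    print(run_scenario())
```

The reported_servers table is what a defender wants from this feature: not just that bogus offers were dropped, but which address and which VAP they came from, which is what the AC alarm carries.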

Precautions

When executed in the AP wired port profile view, this command takes effect only on uplink interfaces of an AP. To configure a downlink wired interface on an AP as a DHCP trusted interface, you only need to run the learn-client-address enable (AP wired port profile view) command to enable STA address learning; you do not need to run the dhcp trust port command.

Example

# Create the VAP profile vap1 and configure a DHCP trusted interface on the AP in the VAP profile.
<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] vap-profile name vap1
[HUAWEI-wlan-vap-prof-vap1] dhcp trust port

display ap radio-environment

Function

The display ap radio-environment command displays air interface environment information about AP radios.

Format

display ap radio-environment { ap-name ap-name | ap-id ap-id } [ radio radio-id ]

Parameters

Parameter Description Value

ap-name ap-name

Displays air interface environment information about radios of the AP with a specified name.

The AP name must exist.

ap-id ap-id

Displays air interface environment information about radios of the AP with a specified ID.

The AP ID must exist.

radio radio-id

Displays air interface environment information about the AP radio with a specified ID.

The radio ID must exist.

Views

All views

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When WLAN access experience is poor, you can run this command to view air interface environment information and Wi-Fi interference sources. The interference can be determined based on the noise floor, signal to interference plus noise ratio (SINR), co-channel interference, and adjacent-channel interference. After this command is executed, radio scanning of the AP is automatically enabled, and the AP starts to scan the air interface environment of radios. You can run this command again to view air interface environment scanning results.

Precautions

When you run this command for the first time, no air interface environment scanning result is displayed. To view air interface environment scanning results, run this command again.

After AP radio scanning is enabled using this command, the air interface performance of an AP is affected. If this command is not executed again after five minutes, AP radio scanning is automatically disabled.

If the radio radio-id parameter is not specified, air interface environment information about all radios of the AP is displayed.

NOTE:

In the scanning result, the channel utilization, co-channel interference, and adjacent-channel interference are calculated with the impact of non-Wi-Fi interference. However, non-Wi-Fi interference devices are not displayed in the interference source list.

Example

# Display air interface environment information about radio 0 of AP 1.
<HUAWEI> display ap radio-environment ap-id 1 radio 0
Warning: This operation will enable scanning for the specified radio, affecting AP's air interface performance. Scanning will be automatically disabled 5 minutes after you run this command. Continue? [Y/N]y 
Info: This operation may take a few seconds. Please wait for a moment.done.
p:            permit
i:            interference
Ch:           Channel
NF:           Noise Floor
CommIf:       Common-Channel Interference
AdjaceIf:     Adjacent-Channel Interference
#AP:          Number of APs detected
Radio:        0
ScanChannel:  1
WorkChannel:  1
ScanCycle:    1
---------------------------------------------------------------------------
Ch  NF   CU(%) CommIf(%) AdjaceIf(%) SINR  #APs
---------------------------------------------------------------------------
1   -105 75    19        -           245       57 
---------------------------------------------------------------------------
Total: 1
---------------------------------------------------------------------------
Ch    MAC            Type  RSSI  SSID
---------------------------------------------------------------------------
1     c88d-833a-8d41 i     -65   xw9-2g-tunnel 
------------------------------------------------
Total: 1
Table 11-153  Description of the display ap radio-environment { ap-name ap-name | ap-id ap-id } [ radio radio-id ] command output
Item Description
Radio Radio on which the air interface environment is scanned.
ScanChannel Scanning channel.
WorkChannel Working channel of the AP.
ScanCycle Scanning count.
Ch Channel that has scanned a device.
NF Noise floor.
CU Channel utilization.
CommIf Co-channel interference.
AdjaceIf Adjacent-channel interference.
#APs Number of scanned APs.
SINR Signal to interference plus noise ratio (SINR).
MAC MAC address of the scanned device.
Type
Type of the scanned interference device.
  • i: WIDS device
  • p: Non-WIDS device
RSSI RSSI of the scanned device.
SSID SSID to which the scanned device is connected.
NOTE:
If an AP detects that a channel has a high channel utilization (higher than 80%) or high co-channel interference (higher than 50%), another Wi-Fi device is using this channel and affects the local AP. In this case, it is recommended that the AP channel be switched using radio calibration or other methods.
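The note above gives two numeric rules of thumb (channel utilization above 80%, co-channel interference above 50%) for reading the display ap radio-environment channel table. The parser below is an added example, not Huawei code: it reads the channel table in the format shown in the command output and flags channels that breach either limit. The sample output is constructed to mimic the format, not a real capture.

```python
# Limits from the page's note: CU above 80% or co-channel interference above 50%.
CU_LIMIT = 80
COMMIF_LIMIT = 50

# Constructed output in the format of the command's channel table (not a real capture).
SAMPLE_OUTPUT = """\
Radio:        0
ScanChannel:  1
WorkChannel:  1
ScanCycle:    1
---------------------------------------------------------------------------
Ch  NF   CU(%) CommIf(%) AdjaceIf(%) SINR  #APs
---------------------------------------------------------------------------
1   -105 85    19        -           24        57
6   -102 40    55        12          30        12
11  -101 20    5         3           35        4
---------------------------------------------------------------------------
Total: 3
"""

COLUMNS = ("ch", "nf", "cu", "commif", "adjaceif", "sinr", "aps")


def _num(token):
    """'-' means the value is not available; everything else is an integer."""
    return None if token == "-" else int(token)


def parse_channel_table(text):
    """Return one dict per channel row of the 'Ch NF CU(%) ...' table."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Ch ") and "NF" in line:   # header of the channel table
            in_table = True
            continue
        if not in_table or line.startswith("-"):
            continue
        if line.startswith("Total:"):                 # end of the channel table
            break
        parts = line.split()
        if len(parts) != len(COLUMNS):
            continue                                  # not a data row
        rows.append(dict(zip(COLUMNS, (_num(p) for p in parts))))
    return rows


def channels_to_review(rows, cu_limit=CU_LIMIT, commif_limit=COMMIF_LIMIT):
    """Apply the page's thresholds; return (channel, reasons) for channels worth moving off."""
    flagged = []
    for r in rows:
        reasons = []
        if r["cu"] is not None and r["cu"] > cu_limit:
            reasons.append(f"CU {r['cu']}% > {cu_limit}%")
        if r["commif"] is not None and r["commif"] > commif_limit:
            reasons.append(f"CommIf {r['commif']}% > {commif_limit}%")
        if reasons:
            flagged.append((r["ch"], reasons))
    return flagged


if __name__ == "__main__":
    for ch, reasons in channels_to_review(parse_channel_table(SAMPLE_OUTPUT)):
        print(f"channel {ch}: {'; '.join(reasons)} -> consider radio calibration or a channel change")
```

The parser deliberately stops at the first Total: line so the second table (per-device rows with MAC, Type, RSSI and SSID) is not mistaken for channel data; a "-" cell is carried through as None rather than silently treated as zero.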

display references wids-whitelist-profile

Function

The display references wids-whitelist-profile command displays reference information about a WIDS whitelist profile.

Format

display references wids-whitelist-profile name profile-name

Parameters

Parameter Description Value
name profile-name

Displays reference information about a specified WIDS whitelist profile.

The WIDS whitelist profile must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display references wids-whitelist-profile command to view reference information about a WIDS whitelist profile.

Example

# Display reference information about the WIDS whitelist profile huawei.

<HUAWEI> display references wids-whitelist-profile name huawei
------------------------------------------------------------
Profile type                   Reference name
------------------------------------------------------------
wids-profile                   huawei
------------------------------------------------------------
Total: 1
Table 11-154  Description of the display references wids-whitelist-profile command output
Item Description

Profile type

Type of the profile that references the WIDS whitelist profile.

Reference name

Name of the profile that references the WIDS whitelist profile.

display references wids-profile

Function

The display references wids-profile command displays reference information about a WIDS profile.

Format

display references wids-profile name profile-name

Parameters

Parameter Description Value
name profile-name

Displays reference information about a specified WIDS profile.

The WIDS profile must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display references wids-profile command to view reference information about a WIDS profile.

Example

# Display reference information about the WIDS profile huawei.

<HUAWEI> display references wids-profile name huawei
--------------------------------------------------------------------------      
Reference type               Reference name                                     
--------------------------------------------------------------------------      
AP group                     default                                            
AP ID                        0                                                  
--------------------------------------------------------------------------      
Total: 2
Table 11-155  Description of the display references wids-profile command output
Item Description

Reference type

Type of the object that references the WIDS profile.

Reference name

Name of the object that references the WIDS profile.

display references wids-spoof-profile

Function

The display references wids-spoof-profile command displays reference information about a WIDS spoof SSID profile.

Format

display references wids-spoof-profile name profile-name

Parameters

Parameter Description Value
name profile-name

Displays reference information about a specified WIDS spoof SSID profile.

The WIDS spoof SSID profile must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display references wids-spoof-profile command to view reference information about a WIDS spoof SSID profile.

Example

# Display reference information about the WIDS spoof SSID profile huawei.

<HUAWEI> display references wids-spoof-profile name huawei
Profile type                   Reference name
------------------------------------------------------------
wids-profile                   huawei
------------------------------------------------------------
Total: 1
Table 11-156  Description of the display references wids-spoof-profile command output
Item Description

Profile type

Type of the profile that references the WIDS spoof SSID profile.

Reference name

Name of the profile that references the WIDS spoof SSID profile.

display wids-whitelist-profile

Function

The display wids-whitelist-profile command displays information about a WIDS whitelist profile.

Format

display wids-whitelist-profile { all | name profile-name }

Parameters

Parameter Description Value
all

Displays information about all WIDS whitelist profiles.

-

name profile-name

Displays information about a specified WIDS whitelist profile.

The WIDS whitelist profile must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display wids-whitelist-profile command to view information about a WIDS whitelist profile.

Example

# Display information about all WIDS whitelist profiles.

<HUAWEI> display wids-whitelist-profile all
------------------------------------------------------------
Profile name                   Reference
------------------------------------------------------------
huawei                             0
office                             0
office1                            1
------------------------------------------------------------
Total: 3
Table 11-157  Description of the display wids-whitelist-profile all command output
Item Description

Profile name

Name of a WIDS whitelist profile.

Reference

Number of times a WIDS whitelist profile is referenced.

# Display information about the WIDS whitelist profile huawei.

<HUAWEI> display wids-whitelist-profile name huawei
------------------------------------------------------------
Type          Content
------------------------------------------------------------
MAC           0011-2233-4455
OUI           00-11-22
SSID          huawei
------------------------------------------------------------
Total: 3
Table 11-158  Description of the display wids-whitelist-profile name command output

Item Description

Type

Type of authorized APs.

Content

Rule for authorized APs.

To set the rule, run the permit-ap command.

display wids-profile

Function

The display wids-profile command displays information about a WIDS profile.

Format

display wids-profile { all | name profile-name }

Parameters

Parameter Description Value
all

Displays information about all WIDS profiles.

-

name profile-name

Displays information about a specified WIDS profile.

The WIDS profile must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display wids-profile command to view information about a WIDS profile.

Example

# Display information about all WIDS profiles.

<HUAWEI> display wids-profile all
------------------------------------------------------------
Profile name                   Reference
------------------------------------------------------------
default                            3
huawei                             2
office                             0
office01                           0
------------------------------------------------------------
Total: 4
Table 11-159  Description of the display wids-profile all command output
Item Description

Profile name

Name of a WIDS profile.

Reference

Number of times a WIDS profile is referenced.

# Display information about the WIDS profile huawei.

<HUAWEI> display wids-profile name huawei
------------------------------------------------------------
Device report interval(s)            : 10
Brute force detect interval(s)       : 20
Brute force detect threshold         : 20
Brute force quiet time(s)            : 600
Flood detect interval(s)             : 10
Flood detect threshold               : 1
Flood quiet time(s)                  : 600
Weak IV quiet time(s)                : 600
Spoof quiet time(s)                  : 600
Dynamic blacklist                    : enable
Contain rogue mode                   : spoof SSID AP
                                       open-authentication rogue AP
                                       client
                                       Ad hoc
STA whitelist profile                :         
WIDS spoof profile                   : huawei
WIDS whitelist profile               : huawei
------------------------------------------------------------
Table 11-160  Description of the display wids-profile name command output

Item

Description

Device report interval(s)

Interval at which an AP reports the detected incremental wireless device information.

To set the interval, run the device report-interval command.

Brute force detect interval(s)

Interval for brute force key cracking detection.

To set the interval, run the brute-force-detect interval command.

Brute force detect threshold

Maximum number of key negotiation failures allowed within a brute force key cracking detection period.

To set the maximum number, run the brute-force-detect threshold command.

Brute force quiet time(s)

Quiet time for an AP to report the detected brute force attacks to the AC.

To set the quiet time, run the brute-force-detect quiet-time command.

Flood detect interval(s)

Flood attack detection interval.

To set the interval, run the flood-detect interval command.

Flood detect threshold

Flood attack detection threshold.

To set the threshold, run the flood-detect threshold command.

Flood quiet time(s)

Quiet time for an AP to report the detected flood attacks to the AC.

To set the quiet time, run the flood-detect quiet-time command.

Weak IV quiet time(s)

Quiet time for an AP to report the detected weak IV attacks to the AC.

To set the quiet time, run the weak-iv-detect quiet-time command.

Spoof quiet time(s)

Quiet time for an AP to report the detected spoofing attacks to the AC.

To set the quiet time, run the spoof-detect quiet-time command.

Dynamic blacklist

Whether the dynamic blacklist function is enabled.

To configure the function, run the dynamic-blacklist enable command.

Contain rogue mode

Countering mode against rogue devices.

To set the countering mode, run the contain-mode command.

STA whitelist profile

STA protection based on a STA whitelist.

To set the countering mode, run the contain-mode command.

WIDS spoof profile

WIDS spoof profile bound to the WIDS profile.

To bind a WIDS spoof profile to a WIDS profile, run the wids-spoof-profile (WIDS profile view) command.

WIDS whitelist profile

WIDS whitelist profile bound to the WIDS profile.

To bind a WIDS whitelist profile to a WIDS profile, run the wids-whitelist-profile (WIDS profile view) command.
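How the detect interval, detect threshold and quiet time shown in the profile output work together, as an added Python example that is not part of this document or the device software: events from one source are counted inside a sliding detect interval, a report is raised once the count exceeds the threshold, and further reports for that source are suppressed for the quiet time. The replay uses constructed STA MAC addresses and timestamps, and the exact counting rules of the device are an assumption.

```python
from collections import defaultdict, deque


class WidsThresholdDetector:
    """Interval / threshold / quiet-time detector.

    Models the three knobs shown for brute force and flood detection in the
    WIDS profile output. Events from one source are counted inside a sliding
    detect interval; when the count exceeds the threshold an attack is
    reported; further reports for that source are suppressed for the quiet
    time. The exact counting rules of the device are an assumption here.
    """

    def __init__(self, interval_s, threshold, quiet_time_s):
        self.interval_s = interval_s
        self.threshold = threshold
        self.quiet_time_s = quiet_time_s
        self._window = defaultdict(deque)   # source -> event timestamps in window
        self._quiet_until = {}              # source -> end of its quiet period

    def observe(self, source, ts):
        """Record one event (a frame, or a key negotiation failure) from
        `source` at time `ts` (seconds). Returns True when a new attack
        report is raised for this source."""
        window = self._window[source]
        window.append(ts)
        # keep only events inside the detect interval
        while window and ts - window[0] >= self.interval_s:
            window.popleft()
        if len(window) <= self.threshold:
            return False
        # threshold exceeded: report once, then stay quiet for quiet_time_s
        if ts < self._quiet_until.get(source, float("-inf")):
            return False
        self._quiet_until[source] = ts + self.quiet_time_s
        window.clear()
        return True


def replay_brute_force_sample():
    """Replay constructed key negotiation failures through the brute force
    settings of the profile above (interval 20 s, threshold 20, quiet 600 s).
    Returns the list of (STA MAC, time) reports that would reach the AC."""
    det = WidsThresholdDetector(interval_s=20, threshold=20, quiet_time_s=600)
    attacker = "0011-2233-4455"   # constructed STA MAC
    client = "0011-2233-aabb"     # constructed STA MAC of a normal client
    reports = []

    def feed(mac, start, count, gap=0.5):
        for i in range(count):
            t = start + i * gap
            if det.observe(mac, t):
                reports.append((mac, t))

    feed(attacker, 100.0, 25)          # 25 failures in 12 s: the 21st trips the threshold
    feed(client, 101.0, 2, gap=14.0)   # 2 failures: never reaches the threshold
    feed(attacker, 200.0, 30)          # inside the quiet time: counted, not reported again
    feed(attacker, 800.0, 25)          # quiet time over: a new burst is reported
    return reports
```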

display wids-spoof-profile

Function

The display wids-spoof-profile command displays information about a WIDS spoof SSID profile.

Format

display wids-spoof-profile { all | name profile-name }

Parameters

Parameter

Description

Value

all

Displays information about all WIDS spoof SSID profiles.

-

name profile-name

Displays information about a specified WIDS spoof SSID profile.

The WIDS spoof SSID profile must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display wids-spoof-profile command to view information about a WIDS spoof SSID profile.

Example

# Display information about all WIDS spoof SSID profiles.

<HUAWEI> display wids-spoof-profile all
------------------------------------------------------------
Profile name                   Reference
------------------------------------------------------------
huawei                             0
office1                            1
------------------------------------------------------------
Total: 2
Table 11-161  Description of the display wids-spoof-profile all command output
Item

Description

Profile name

Name of a WIDS spoof SSID profile.

Reference

Number of times a WIDS spoof SSID profile is referenced.

# Display information about the WIDS spoof SSID profile huawei.

<HUAWEI> display wids-spoof-profile name huawei
------------------------------------------------------------
ID      Pattern rule
------------------------------------------------------------
0       ^HUAWE[1l]$
------------------------------------------------------------
Total: 1
Table 11-162  Description of the display wids-spoof-profile name command output

Item

Description

ID

Index.

Pattern rule

Matching rule for spoofing SSIDs.

To set the matching rule, run the spoof-ssid command.
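What a spoof SSID pattern rule does when applied to a scan result, as an added Python example that is not part of this document or the device software: the rule from the output above (^HUAWE[1l]$) is applied as a case-sensitive regular expression to each detected SSID, and an AP whose BSSID, OUI or SSID matches a WIDS whitelist rule (the Type values from display wids-whitelist-profile) is treated as authorized. Checking the whitelist before the spoof rule, and the scan data, are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Rules taken from the sample outputs on this page: the spoof SSID pattern
# ^HUAWE[1l]$ and a WIDS whitelist profile with MAC, OUI and SSID rules.
SPOOF_SSID_RULES = [r"^HUAWE[1l]$"]
WHITELIST = {
    "MAC": {"0011-2233-4455"},
    "OUI": {"00-11-22"},
    "SSID": {"huawei"},
}


@dataclass(frozen=True)
class DetectedAp:
    bssid: str   # BSSID in the device's H-H-H notation
    ssid: str


def oui_of(mac):
    """Return the OUI (first three bytes) of an H-H-H MAC as XX-XX-XX,
    e.g. 0011-2233-4455 -> 00-11-22. Raises ValueError on malformed input."""
    digits = mac.replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in (0, 2, 4))


def is_authorized(ap, whitelist=WHITELIST):
    """True when the AP matches any MAC, OUI or SSID rule of the whitelist."""
    macs = {m.lower() for m in whitelist.get("MAC", ())}
    ouis = {o.lower() for o in whitelist.get("OUI", ())}
    return (ap.bssid.lower() in macs
            or oui_of(ap.bssid) in ouis
            or ap.ssid in whitelist.get("SSID", ()))


def matches_spoof_rule(ssid, rules=SPOOF_SSID_RULES):
    """True when the SSID matches any spoof SSID pattern (case-sensitive
    regular expressions, as in the example rule)."""
    return any(re.search(rule, ssid) for rule in rules)


def classify(ap, rules=SPOOF_SSID_RULES, whitelist=WHITELIST):
    """Classify one detected AP. Whitelist rules are checked first, so an
    authorized AP is never reported as a spoof; that precedence is an
    assumption of this example, not a documented device behaviour."""
    if is_authorized(ap, whitelist):
        return "authorized"
    if matches_spoof_rule(ap.ssid, rules):
        return "spoof SSID AP"
    return "unknown"


def spoof_report(detected, rules=SPOOF_SSID_RULES, whitelist=WHITELIST):
    """Return the (bssid, ssid) pairs of a scan result that would be reported
    as spoof SSID APs, in scan order."""
    return [(ap.bssid, ap.ssid) for ap in detected
            if classify(ap, rules, whitelist) == "spoof SSID AP"]


# Constructed scan result used to exercise the rules
SAMPLE_SCAN = [
    DetectedAp("0011-2233-4455", "huawei"),   # whitelisted by MAC
    DetectedAp("0011-2299-0001", "guest"),    # whitelisted by OUI 00-11-22
    DetectedAp("aabb-ccdd-eeff", "huawei"),   # whitelisted by SSID
    DetectedAp("aabb-ccdd-ee01", "HUAWE1"),   # digit 1 in place of I: spoof
    DetectedAp("aabb-ccdd-ee02", "HUAWEl"),   # lower-case l in place of I: spoof
    DetectedAp("aabb-ccdd-ee03", "HUAWEI"),   # not matched by the rule
]
```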

display references security-profile

Function

The display references security-profile command displays reference information about a security profile.

Format

display references security-profile name profile-name

Parameters

Parameter

Description

Value

name profile-name

Displays reference information about a specified security profile.

The security profile must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the command to view reference information about a security profile.

Example

# Display reference information about the security profile security-profile1.

<HUAWEI> display references security-profile name security-profile1
---------------------------------------------
Reference type           Reference name
---------------------------------------------
VAP profile              vap-profile1
---------------------------------------------
Total: 1
Table 11-163  Description of the display references security-profile command output

Item

Description

Reference type

Type of the profile that references a security profile.

Reference name

Name of the profile that references a security profile.

display references sta-blacklist-profile

Function

The display references sta-blacklist-profile command displays reference information about a STA blacklist profile.

Format

display references sta-blacklist-profile name profile-name

Parameters

Parameter

Description

Value

name profile-name

Displays reference information about a STA blacklist profile.

The STA blacklist profile must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the command to view reference information about a STA blacklist profile.

Example

# Display reference information about the STA blacklist profile sta-blacklist-profile1.

<HUAWEI> display references sta-blacklist-profile name sta-blacklist-profile1
---------------------------------------------
Reference type           Reference name
---------------------------------------------
VAP profile              vap-profile1
---------------------------------------------
Total: 1
Table 11-164  Description of the display references sta-blacklist-profile command output

Item

Description

Reference type

Type of the profile that references the STA blacklist profile.

Reference name

Name of the profile that references the STA blacklist profile.

display references sta-whitelist-profile

Function

The display references sta-whitelist-profile command displays reference information about a STA whitelist profile.

Format

display references sta-whitelist-profile name profile-name

Parameters

Parameter

Description

Value

name profile-name

Displays reference information about a STA whitelist profile.

The STA whitelist profile must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the command to view reference information about a STA whitelist profile.

Example

# Display reference information about the STA whitelist profile sta-whitelist-profile1.

<HUAWEI> display references sta-whitelist-profile name sta-whitelist-profile1
---------------------------------------------
Reference type           Reference name
---------------------------------------------
VAP profile              vap-profile1
---------------------------------------------
Total: 1
Table 11-165  Description of the display references sta-whitelist-profile command output

Item

Description

Reference type

Type of the profile that references the STA whitelist profile.

Reference name

Name of the profile that references the STA whitelist profile.

display security-profile

Function

The display security-profile command displays configuration and reference information about a security profile.

Format

display security-profile { all | name profile-name }

Parameters

Parameter

Description

Value

all

Displays information about all security profiles.

-

name profile-name

Displays information about a specified security profile.

The security profile must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the command to view configuration and reference information about a specified security profile or all security profiles.

Example

# Display configurations of all security profiles.

<HUAWEI> display security-profile all
----------------------------------------------------------
Profile name                   Reference
----------------------------------------------------------
default                        1
default-wds                    1
default-mesh                   1
security-profile1              0
----------------------------------------------------------
Total: 3
Table 11-166  Description of the display security-profile all command output

Item

Description

Profile name

Name of the security profile.

Reference

Number of times a security profile is referenced.

# Display information about the security profile default.

<HUAWEI> display security-profile name default
------------------------------------------------------------
Security policy               : Open system
Encryption                    : -
------------------------------------------------------------
WEP's configuration
Key 0                         : *****
Key 1                         : *****
Key 2                         : *****
Key 3                         : *****
Default key ID                : 0
------------------------------------------------------------
WPA/WPA2's configuration
PTK update                    : disable
PTK update interval(s)        : 43200
------------------------------------------------------------
WAPI's configuration
CA certificate filename       : -
ASU certificate filename      : -
AC certificate filename       : -
AC private key filename       : -
WAPI source interface         : - 
Authentication server IP      : -
WAI timeout(s)                : 60
BK update interval(s)         : 43200
BK lifetime threshold(%)      : 70
USK update method             : Time-based
USK update interval(s)        : 86400
MSK update method             : Time-based
MSK update interval(s)        : 86400
Cert auth retrans count       : 3
USK negotiate retrans count   : 3
MSK negotiate retrans count   : 3
------------------------------------------------------------
Table 11-167  Description of the display security-profile name command output

Item

Description

Security policy
Security policy. The following security policies are supported:
  • Open system: open system authentication
  • Share key: WEP Shared Key
  • WPA 802.1X
  • WPA2 802.1X
  • WPA-WPA2 802.1X
  • WPA PSK: WPA Pre-Shared Key
  • WPA2 PSK: WPA2 Pre-Shared Key
  • WPA-WPA2 PSK: WPA-WPA2 Pre-Shared Key
  • WAPI PSK: WAPI Pre-Shared Key
  • WAPI certificate

To configure the parameter, run the security wep, security dot1x, security psk and security wapi commands.

Encryption

Encryption mode. The following encryption modes are supported: TKIP, AES, AES-TKIP, WEP-40, WEP-104, WEP-128, and SMS4. WAPI encryption uses SMS4.

To configure the parameter, run the wep key, security dot1x and security psk commands.

PMF

Whether the Protected Management Frame (PMF) function of a VAP is enabled.

  • disable: This function is disabled.
  • optional: This function is enabled in optional mode.
  • mandatory: This function is forcibly enabled.

This line is displayed in the command output only when the authentication and encryption mode is WPA2-AES.

To configure this function, run the pmf command.

Key key-id

Key ID.

To configure the parameter, run the wep key command.

Default key ID

Default key ID.

To configure the parameter, run the wep default-key command.

PTK update

Whether to enable periodic PTK update in WPA, WPA2 or WPA-WPA2 authentication and encryption.

  • enable: Enables periodic PTK update.
  • disable: Disables periodic PTK update.

To configure the parameter, run the wpa ptk-update enable command.

PTK update interval(s)

The interval for updating PTKs in WPA, WPA2 or WPA-WPA2 authentication and encryption. The value is an integer in seconds.

To configure the parameter, run the wpa ptk-update ptk-update-interval command.

CA certificate filename

CA certificate file name.

To configure the parameter, run the wapi import certificate command.

ASU certificate filename

File name of the authentication server unit (ASU) certificate.

To configure the parameter, run the wapi import certificate command.

AC certificate filename

AC certificate file name.

To configure the parameter, run the wapi import certificate command.

AC private key filename

AC private key file name.

To configure the parameter, run the wapi import private-key command.

WAPI source interface

WAPI source interface.

To configure the parameter, run the wapi source interface command.

Authentication server IP

IP address of the ASU certificate server.

To configure the parameter, run the wapi asu command.

WAI timeout(s)

Timeout period of an association.

To configure the parameter, run the wapi sa-timeout command.

BK update interval(s)

Interval for updating the base key (BK).

To configure the parameter, run the wapi bk command.

BK lifetime threshold(%)

Threshold for triggering BK update.

To configure the parameter, run the wapi bk command.

USK update method

Whether the USK is updated based on a time interval or a packet count.

To configure the parameter, run the wapi key-update command.

USK update interval(s)

Time-based interval for updating the unicast session key (USK).

To configure the parameter, run the wapi usk command.

MSK update method

Whether the MSK is updated based on a time interval or a packet count.

To configure the parameter, run the wapi key-update command.

MSK update interval(s)

Time-based interval for updating the MBMS service key (MSK).

To configure the parameter, run the wapi msk command.

Cert auth retrans count

Number of retransmissions of certificate authentication packets.

To configure the parameter, run the wapi cert-retrans-count command.

USK negotiate retrans count

Number of retransmissions of USK negotiation packets.

To configure the parameter, run the wapi usk command.

MSK negotiate retrans count

Number of retransmissions of MSK negotiation packets.

To configure the parameter, run the wapi msk command.

display sta-blacklist-profile

Function

The display sta-blacklist-profile command displays configuration and reference information about a STA blacklist profile.

Format

display sta-blacklist-profile { all | name profile-name }

Parameters

Parameter

Description

Value

all

Displays information about all STA blacklist profiles.

-

name profile-name

Displays information about a specified STA blacklist profile.

The STA blacklist profile must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring STA blacklists for VAPs, you can run this command to check whether a MAC address is in the blacklists.

Example

# Display reference information about all STA blacklist profiles.

<HUAWEI> display sta-blacklist-profile all
------------------------------------------------------------
Profile name                            Reference
------------------------------------------------------------
sta-blacklist-profile1                  1
------------------------------------------------------------
Total: 1
Table 11-168  Description of the display sta-blacklist-profile all command output
Item

Description

Profile name

Name of a STA blacklist profile.

Reference

Number of times a STA blacklist profile is referenced.

# Display information about the STA blacklist profile sta-blacklist-profile1.

<HUAWEI> display sta-blacklist-profile name sta-blacklist-profile1
------------------------------------------------------------
Index      MAC               Description
------------------------------------------------------------
0          0021-1111-2222
------------------------------------------------------------
Total: 1
Table 11-169  Description of the display sta-blacklist-profile name command output
Item

Description

Index

Blacklist index.

MAC

MAC address of a STA in the blacklist.

To configure the parameter, run the sta-mac command.

Description

Description configured for the MAC address in the blacklist.

display station dynamic-blacklist

Function

The display station dynamic-blacklist command displays the dynamic blacklist on an AP.

Format

display station dynamic-blacklist { ap-id ap-id | ap-name ap-name }

Parameters

Parameter

Description

Value

ap-id ap-id

Displays information about STAs that are denied access on the AP with a specified ID.

The AP ID must exist.

ap-name ap-name

Displays information about STAs that are denied access on the AP with a specified name.

The AP name must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

An AP maintains a STA dynamic blacklist. The blacklist helps control STA access, for example, preventing STAs with bogus IP addresses from going online. If a STA is not allowed to go online, it is added to the dynamic blacklist and cannot associate with the AP until the entry ages out. The aging time of dynamic blacklist entries is 10 minutes; when it is reached, the entries are deleted automatically. If the STA in an entry is added to the blacklist again before the entry ages out, the aging time of the entry is reset and recalculated.

The administrator can run this command to check STAs in the blacklist and the reasons for adding the STAs to the blacklist.

Example

# Display the dynamic blacklist on AP.

<HUAWEI> display station dynamic-blacklist ap-name huawei
Total: 1
------------------------------------------------------------------------------
STA MAC           Time left(s)   Reason
------------------------------------------------------------------------------
581f-28fc-7ead    160           static ip
------------------------------------------------------------------------------
Table 11-170  Description of the display station dynamic-blacklist command output
Item

Description

STA MAC

MAC address of a STA.

Time left(s)

Remaining aging period, in seconds.

To configure the parameter, run the dynamic-blacklist aging-time command.

Reason

STA access denial reason.
  • static ip: The AP is configured to deny access of STAs with bogus IP addresses, and the STA has a static IP address configured.
  • broadcast flood: The AP is configured to detect and defend against broadcast flood attacks, and the STA initiates a broadcast flood attack.
  • WIDS attack: The AP is configured to detect attacks on a WLAN.
  • MESH key fail: Key negotiation fails during mesh link setup.
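The aging behaviour described above (entries block association until they age out, and a re-added entry restarts its timer), as an added Python example that is not part of this document or the device software. The 10-minute aging time and the four denial reasons come from the text; the timestamps, the second STA MAC and the injectable clock are constructed for the replay.

```python
import time

DEFAULT_AGING_S = 600   # 10-minute aging time stated above

# Denial reasons listed in the command output description
REASONS = {"static ip", "broadcast flood", "WIDS attack", "MESH key fail"}


class DynamicBlacklist:
    """STA dynamic blacklist with the aging behaviour described above:
    an entry blocks association until it ages out, and re-adding a listed
    STA restarts its aging timer. `clock` returns seconds and is injectable
    so the behaviour can be replayed deterministically."""

    def __init__(self, aging_s=DEFAULT_AGING_S, clock=time.monotonic):
        self.aging_s = aging_s
        self._clock = clock
        self._entries = {}   # STA MAC -> (expires_at, reason)

    def _now(self, now):
        return self._clock() if now is None else now

    def _expire(self, now):
        # drop entries whose aging time has been reached
        for mac in [m for m, (exp, _) in self._entries.items() if exp <= now]:
            del self._entries[mac]

    def deny(self, mac, reason, now=None):
        """Add the STA, or refresh its timer if it is already listed."""
        if reason not in REASONS:
            raise ValueError(f"unknown denial reason: {reason!r}")
        now = self._now(now)
        self._expire(now)
        self._entries[mac.lower()] = (now + self.aging_s, reason)

    def is_denied(self, mac, now=None):
        """True while the STA may not associate with the AP."""
        now = self._now(now)
        self._expire(now)
        return mac.lower() in self._entries

    def rows(self, now=None):
        """Entries in the shape of the display output:
        (STA MAC, Time left(s), Reason), sorted by MAC."""
        now = self._now(now)
        self._expire(now)
        return sorted((mac, int(exp - now), reason)
                      for mac, (exp, reason) in self._entries.items())


def replay_sample():
    """Deterministic replay with constructed timestamps (seconds)."""
    bl = DynamicBlacklist(clock=lambda: 0.0)   # clock unused: times are passed explicitly
    bl.deny("581f-28fc-7ead", "static ip", now=0)          # MAC from the sample output
    bl.deny("0021-1111-2222", "broadcast flood", now=100)  # constructed second STA
    rows_at_440 = bl.rows(now=440)             # first entry shows 160 s left, as in the output
    bl.deny("581f-28fc-7ead", "static ip", now=500)        # re-added: timer restarts at 600 s
    denied_at_750 = (bl.is_denied("581f-28fc-7ead", now=750),   # refreshed, still denied
                     bl.is_denied("0021-1111-2222", now=750))   # aged out at 700
    return rows_at_440, denied_at_750
```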

display sta-whitelist-profile

Function

The display sta-whitelist-profile command displays configuration and reference information about a STA whitelist profile.

Format

display sta-whitelist-profile { all | name profile-name }

Parameters

Parameter

Description

Value

all

Displays information about all STA whitelist profiles.

-

name profile-name

Displays information about a specified STA whitelist profile.

The STA whitelist profile must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring a STA whitelist on a device, you can run this command to check whether a MAC address is in the whitelist.

Example

# Display reference information about all STA whitelist profiles.

<HUAWEI> display sta-whitelist-profile all
------------------------------------------------------------
Profile name                            Reference
------------------------------------------------------------
sta-whitelist-profile1                  1
------------------------------------------------------------
Total: 1
Table 11-171  Description of the display sta-whitelist-profile all command output
Item

Description

Profile name

Name of a STA whitelist profile.

Reference

Number of times a STA whitelist profile is referenced.

# Display information about the STA whitelist profile sta-whitelist-profile1.

<HUAWEI> display sta-whitelist-profile name sta-whitelist-profile1
------------------------------------------------------------
Index      MAC                Description
------------------------------------------------------------
0         0021-1111-2222
------------------------------------------------------------
Total: 1
------------------------------------------------------------
Index      OUI                Description
------------------------------------------------------------
0         00-00-01
------------------------------------------------------------
Total: 1
Table 11-172  Description of the display sta-whitelist-profile name command output
Item

Description

Index

Whitelist index.

MAC

MAC address of a STA in the whitelist.

To configure the parameter, run the sta-mac command.

OUI

OUI of a STA in the whitelist.

To configure the parameter, run the oui command.

Description

Description configured for the MAC address in the whitelist.

display wlan ids attack-detected

Function

The display wlan ids attack-detected command displays information about the detected attacking devices.

Format

display wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all types of attacking devices.

-

flood

Displays information about devices launching flood attacks.

-

spoof

Displays information about devices launching spoofing attacks.

-

wapi-psk

Displays information about devices that perform brute force cracking in WAPI-PSK authentication mode.

-

weak-iv

Displays information about devices launching weak IV attacks.

-

wep-share-key

Displays information about devices that perform brute force cracking in WEP-SK authentication mode.

-

wpa-psk

Displays information about devices that perform brute force cracking in WPA-PSK authentication mode.

-

wpa2-psk

Displays information about devices that perform brute force cracking in WPA2-PSK authentication mode.

-

mac-address mac-address

Displays information about the detected attacking devices with specified MAC addresses.

The value is in H-H-H format, where each H is a 4-digit hexadecimal number.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After attack detection is enabled, you can run the display wlan ids attack-detected command to view information about the attacking devices.

Prerequisites

The attack detection functions of all types have been enabled using the wids attack detect enable command.

Example

# Display information about all current attacking devices.

<HUAWEI> display wlan ids attack-detected all
#AP: Number of monitor APs that have detected the device
AT: Last detected attack type
CH: Channel number
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  wiv: Weak IV detected
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address     AT     CH   RSSI(dBm)  Last detected time     #AP
-------------------------------------------------------------------------------
000b-c002-9c81  pbr    165  -87        2014-11-20/15:51:13    1
0024-2376-03e9  pbr    165  -84        2014-11-20/15:52:13    1
0046-4b74-691f  act    165  -67        2014-11-20/15:43:33    1
00bc-71b7-171d  pbr    165  -88        2014-11-20/15:41:43    1
00bc-71b7-171f  act    165  -87        2014-11-20/15:44:03    1
-------------------------------------------------------------------------------
Total: 5, printed: 5
Table 11-173  Description of the display wlan ids attack-detected all command output
Item

Description

MAC address

  • For spoofing attacks, this parameter indicates the basic service set identifier (BSSID) that forges the MAC address of an AP.
  • For other types of attacks, this parameter indicates the MAC address of the device launching attacks.

AT

Acronym of the attack type.

CH

Channel in which the last attack is detected.

RSSI(dBm)

Average received signal strength indicator (RSSI) of the attack frames detected.

Last detected time

Last time at which an attack is detected.

#AP

Number of APs which detect this attack.
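A parser for the output shown above, as an added Python example that is not part of this document or the device software: it reads the acronym legend, turns each table row into a record with the attack type expanded, parses the timestamp, and checks the row count against the "printed" counter so truncated output is not silently accepted. The embedded sample is the output from this page; the record layout and the consistency check are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Sample output copied from this page's example.
SAMPLE_OUTPUT = """\
#AP: Number of monitor APs that have detected the device
AT: Last detected attack type
CH: Channel number
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  wiv: Weak IV detected
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address     AT     CH   RSSI(dBm)  Last detected time     #AP
-------------------------------------------------------------------------------
000b-c002-9c81  pbr    165  -87        2014-11-20/15:51:13    1
0024-2376-03e9  pbr    165  -84        2014-11-20/15:52:13    1
0046-4b74-691f  act    165  -67        2014-11-20/15:43:33    1
00bc-71b7-171d  pbr    165  -88        2014-11-20/15:41:43    1
00bc-71b7-171f  act    165  -87        2014-11-20/15:44:03    1
-------------------------------------------------------------------------------
Total: 5, printed: 5
"""

# legend entries are lower-case 3-4 letter acronyms, two per line at most
LEGEND_RE = re.compile(r"([a-z]{3,4}): (.*?)(?=\s{2,}[a-z]{3,4}: |\s*$)")
ROW_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+(-?\d+)\s+"
    r"(\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+(\d+)\s*$")
TOTAL_RE = re.compile(r"^Total: (\d+), printed: (\d+)")


@dataclass(frozen=True)
class AttackRecord:
    mac: str
    attack: str            # expanded attack type, e.g. "Probe request"
    channel: int
    rssi_dbm: int
    last_detected: datetime
    ap_count: int          # the #AP column


def parse_attack_detected(text):
    """Parse the output of `display wlan ids attack-detected all`.
    Returns (records, total). Raises ValueError when the number of rows does
    not match the 'printed' counter, which signals truncated or garbled output."""
    legend, records, total, printed = {}, [], None, None
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            total, printed = int(m.group(1)), int(m.group(2))
            continue
        row = ROW_RE.match(line.strip())
        if row:
            mac, at, ch, rssi, ts, n_ap = row.groups()
            records.append(AttackRecord(
                mac=mac,
                attack=legend.get(at, at),   # fall back to the raw acronym
                channel=int(ch),
                rssi_dbm=int(rssi),
                last_detected=datetime.strptime(ts, "%Y-%m-%d/%H:%M:%S"),
                ap_count=int(n_ap)))
            continue
        for acronym, meaning in LEGEND_RE.findall(line):
            legend[acronym] = meaning.strip()
    if printed is not None and printed != len(records):
        raise ValueError(f"expected {printed} rows, parsed {len(records)}")
    return records, total


def count_by_attack(records):
    """Number of attacking devices per expanded attack type."""
    counts = {}
    for r in records:
        counts[r.attack] = counts.get(r.attack, 0) + 1
    return counts
```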

# Display information about the attacking device with the specified MAC address.

<HUAWEI> display wlan ids attack-detected mac-address 8c70-5a47-aad0
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  wiv: Weak IV detected
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address                           : 8c70-5a47-aad0
Number of detected APs                : 1
Channel                               : 165
RSSI(dBm)                             : -80
Reported AP 1
  AP name                             : ap-13
  Flood attack type                   : pbr
  First detected time(Flood)          : 2014-11-20/15:50:33
  Spoof attack type                   : -
  First detected time(Spoof)          : -
  First detected time(Weak-iv)        : -
  First detected time(WEP)            : -
  First detected time(WPA)            : -
  First detected time(WPA2)           : -
  First detected time(WAPI)           : -
-------------------------------------------------------------------------------
Table 11-174  Description of the display wlan ids attack-detected mac-address mac-address command output
Item

Description

MAC address

  • For spoofing attacks, this parameter indicates the basic service set identifier (BSSID) that forges the MAC address of an AP.
  • For other types of attacks, this parameter indicates the MAC address of the device launching attacks.

Number of detected APs

Number of APs which detect this attack.

Channel

Channel in which the last attack is detected.

RSSI(dBm)

Average received signal strength indicator (RSSI) of the attack frames detected.

Reported AP

Information of the AP which detects the attack.

AP name

Name of the AP which detects the attack.

Flood attack type

Flood attacks detected by the AP.

Spoof attack type

Spoofing attacks detected by the AP.

First detected time

First time when an attack is detected by an AP.

display wlan ids attack-detected statistics

Function

The display wlan ids attack-detected statistics command displays the number of attacks detected.

Format

display wlan ids attack-detected statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After attack detection is enabled, you can run the display wlan ids attack-detected statistics command to view the total number of all types of attacks.

Prerequisites

The attack detection functions of all types have been enabled using the wids attack detect enable command.

Example

# Display the number of attacks detected.

<HUAWEI> display wlan ids attack-detected statistics
Attack tracking since: 2015-01-27/12:02:11
--------------------------------------------------------------------------------
Type                                                  Total
--------------------------------------------------------------------------------
Probe request frame flood attack                    : 0
Authentication request frame flood attack           : 0
Deauthentication frame flood attack                 : 0
Association request frame flood attack              : 0
Disassociation request frame flood attack           : 0
Reassociation request frame flood attack            : 0
Action frame flood attack                           : 0
EAPOL start frame flood attack                      : 0
EAPOL logoff frame flood attack                     : 0
Weak IVs detected                                   : 0
Spoofed deauthentication frame attack               : 0
Spoofed disassociation frame attack                 : 0
Other types of spoofing frame attack                : 0
WEP share-key attack                                : 0
WPA attack                                          : 0
WPA2 attack                                         : 0
WAPI attack                                         : 0
--------------------------------------------------------------------------------
Table 11-175  Description of the display wlan ids attack-detected statistics command output
Item

Description

Type

Attack type:
  • Probe request frame flood attack
  • Authentication request frame flood attack
  • Deauthentication frame flood attack
  • Association request frame flood attack
  • Disassociation request frame flood attack
  • Reassociation request frame flood attack
  • Action frame flood attack
  • EAPOL start frame flood attack
  • EAPOL logoff frame flood attack
  • Weak IVs detected
  • Spoofed deauthentication frame attack
  • Spoofed disassociation frame attack
  • Other types of spoofing frame attack
  • WEP share-key attack: brute force cracking attack in WEP-SK authentication mode
  • WPA attack: brute force cracking attack in WPA-PSK authentication mode
  • WPA2 attack: brute force cracking attack in WPA2-PSK authentication mode
  • WAPI attack: brute force cracking attack in WAPI authentication mode

Total

Total number of attacks detected.

display wlan ids attack-history

Function

The display wlan ids attack-history command displays historical records about the attacking devices detected.

Format

display wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays historical records about all types of attacking devices.

-

flood

Displays historical records about devices launching flood attacks.

-

spoof

Displays historical records about devices launching spoofing attacks.

-

wapi-psk

Displays historical records about devices that perform brute force cracking in WAPI-PSK authentication mode.

-

weak-iv

Displays historical records about devices launching weak IV attacks.

-

wep-share-key

Displays historical records about devices that perform brute force cracking in WEP-SK authentication mode.

-

wpa-psk

Displays historical records about devices that perform brute force cracking in WPA-PSK authentication mode.

-

wpa2-psk

Displays historical records about devices that perform brute force cracking in WPA2-PSK authentication mode.

-

mac-address mac-address

Displays historical records about detected devices launching attacks with specified MAC addresses.

The value is in H-H-H format, where each H is a 4-digit hexadecimal number.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After attack detection is enabled, information about the detected attacking devices is saved in the attacking device list. If an attacking device no longer launches attacks, it is removed from the attacking device list and saved to the historical attacking device list. You can run the display wlan ids attack-history command to check historical records about the attacking devices detected.

Prerequisites

The attack detection functions of all types have been enabled using the wids attack detect enable command.

Example

# Display historical records of all attacking devices.

<HUAWEI> display wlan ids attack-history all
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  wiv: Weak IV detected
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
AP: Name of the monitor AP that has detected the device
AT: Attack type              CH: Channel number
-------------------------------------------------------------------------------
MAC address     AT     CH   RSSI(dBm)  Last detected time    AP
-------------------------------------------------------------------------------
2477-039a-37ec  pbr    165  -86        2014-11-20/15:51:43   ap-13
00bc-71b7-171d  pbr    165  -88        2014-11-20/15:41:43   ap-13
2477-039a-0bf4  pbr    165  -81        2014-11-20/15:41:53   ap-13
-------------------------------------------------------------------------------
Total: 3, printed: 3
Table 11-176  Description of the display wlan ids attack-history all command output
Item Description

MAC address

  • For spoofing attacks, this parameter indicates the basic service set identifier (BSSID) that forges the MAC address of an AP.
  • For other types of attacks, this parameter indicates the MAC address of the device launching attacks.

AT

Acronym of attack type.

CH

Channel in which the last attack is detected.

RSSI(dBm)

Average received signal strength indicator (RSSI) of the attack frames detected.

Last detected time

Last time at which an attack is detected.

AP

Name of the monitor AP.

display wlan ids contain

Function

The display wlan ids contain command displays information about countered devices.

Format

display wlan ids contain { all | ap | adhoc | client | ssid | mac-address mac-address | monitor-ap { ap-name ap-name | ap-id ap-id } [ radio-id radio-id ] }

Parameters

Parameter

Description

Value

all

Displays information about all countered devices.

-

ap

Displays information about countered APs.

-

adhoc

Displays information about countered Adhoc devices.

-

client

Displays information about countered user terminals.

-

ssid

Displays information about countered devices with unauthorized SSIDs.

-

mac-address mac-address

Displays information about countered devices with specified MAC addresses.

The MAC addresses must exist.

monitor-ap ap-name ap-name

Displays information about countered devices that are detected by the AP with a specified name.

The AP name must exist.

monitor-ap ap-id ap-id

Displays information about countered devices that are detected by the AP with a specified ID.

The AP ID must exist.

monitor-ap { ap-name ap-name | ap-id ap-id } radio-id radio-id

Displays information about countered devices that are detected by the radio with a specified ID on a specified AP.

The radio ID must exist on the AP.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After WIDS or WIPS is enabled, you can run the display wlan ids contain command to view information about countered devices.

Example

# Display the list of all countered devices.

<HUAWEI> display wlan ids contain all
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address      CH  Authentication   Last detected time   #Rf   SSID
-------------------------------------------------------------------------------
88e3-abbf-b93d   11  open             2014-11-20/16:16:57  1     -
-------------------------------------------------------------------------------
Total: 1, printed: 1
Table 11-177  Description of the display wlan ids contain all command output
Item Description

MAC address

MAC address of the countered device.

CH

Channel in which the monitoring AP detects a device for the last time.

Authentication

Authentication mode of the countered device.

Last detected time

Last time at which the monitoring AP detects a device.

#Rf

Number of monitor radios that have contained the device.

SSID

SSID of the countered device.

# Display information about countered SSIDs.

<HUAWEI> display wlan ids contain ssid
#Dev: Number of devices using SSID
----------------------------------------------------------------------
 SSID                              #Dev     Last detected time
----------------------------------------------------------------------
 CMCC                              2        2012-07-27/16:41:55
----------------------------------------------------------------------
Total: 1, printed: 1
Table 11-178  Description of the display wlan ids contain ssid command output
Item Description

SSID

Countered SSID.

#Dev

Number of devices that use the SSID.

Last detected time

Last time at which the device using the SSID is detected.

# Display information about countered devices with specified MAC addresses.

<HUAWEI> display wlan ids contain mac-address 549f-13c4-627f
-------------------------------------------------------------------------------
MAC address                                             : 549f-13c4-627f
BSSID                                                   : dcd2-fc9a-c808
Type                                                    : rogue client
SSID                                                    : -
Authentication                                          : -
Number of monitor radios that have contained the device : 1
Last detected channel                                   : 1
Maximum RSSI(dBm)                                       : -54
Beacon interval(ms)                                     : 0
First detected time                                     : 2015-10-20/15:06:26

Reported AP 1
 AP name                                                : admin_ap0_admin_ap0_admin
 Radio ID                                               : 0
 MAC address                                            : dcd2-fc1e-c4a0
 Radio type                                             : 802.11bg
 Channel                                                : 1
 RSSI(dBm)                                              : -54
 Last detected time                                     : 2015-10-20/15:06:26
 Counter measure                                        : Y
-------------------------------------------------------------------------------
Table 11-179  Description of the display wlan ids contain mac-address command output
Item Description

MAC address

MAC address of the detected device.

BSSID

BSSID of the detected device.

Type

Type of the detected device.

SSID

SSID of the detected device.

Authentication

Authentication mode of the detected device.

Number of monitor radios that have contained the device

Number of radios that contain the device.

If WIDS is enabled on multiple APs, the device may be contained by the radios of several of these APs.

Last detected channel

Channel in which the device is detected for the last time.

Maximum RSSI(dBm)

Maximum RSSI of the detected device.

Beacon interval(ms)

Interval at which the detected device sends Beacon frames.

First detected time

First time at which the device is detected.

Reported AP 1

Information about the monitoring AP that reports the detection.

AP name

Name of the monitoring AP.

Radio ID

Radio ID of the monitoring AP.

MAC address

MAC address of the monitoring AP.

Radio type

Radio type of the monitoring AP.

Channel

Channel of the monitoring AP.

RSSI(dBm)

RSSI of the monitoring AP.

Last detected time

Last time when the device is detected.

Counter measure

Whether the device is contained.

# Display the list of countered devices among the wireless devices detected by the monitoring AP huawei.

<HUAWEI> display wlan ids contain monitor-ap ap-name huawei
Countermeasures Device Profile 
--------------------------------------------------------------------------------
AP MAC address                                : dcd2-fc1e-c4a0 
AP type                                       : AP6010DN-AGN 
AP name                                       : huawei
Contain device 0
  MAC address                                  : c46a-b7bc-7b83
  BSSID                                        : 0006-f476-e210
  Type                                         : rogue client
  SSID                                         : -
  Authentication                               : -
  Last detected channel by this AP             : 1
  Maximum RSSI(dBm)                            : -71
  Beacon interval(TUs)                          : 0
  First detected time                          : 2015-10-20/15:06:26
--------------------------------------------------------------------------------
Total: 1, printed: 1
Table 11-180  Description of the display wlan ids contain monitor-ap command output
Item Description

AP MAC address

MAC address of the monitoring AP.

AP type

Type of the monitoring AP.

AP name

Name of the monitoring AP.

MAC address

MAC address of the countered device.

BSSID

BSSID of the countered device.

Type

Type of the countered device.

SSID

SSID of the countered device.

Authentication

Authentication mode of the countered device.

Last detected channel by this AP

Channel in which the monitoring AP detects a countered device for the last time.

Maximum RSSI(dBm)

Maximum RSSI of the countered device.

Beacon interval(TUs)

Interval at which the countered device sends Beacon frames.

First detected time

First time at which the device is detected.

display wlan ids device-detected

Function

The display wlan ids device-detected command displays various wireless devices detected on a WLAN.

Format

display wlan ids device-detected { all | [ interference | rogue ] ap | [ rogue ] bridge | [ rogue ] client | adhoc | [ rogue ] ssid | mac-address mac-address | monitor-ap { ap-name ap-name | ap-id ap-id } [ radio-id radio-id ] }

Parameters

Parameter

Description

Value

all

Displays all wireless devices detected on the WLAN.

-

interference

Displays interfering devices detected on the WLAN.

-

rogue

Displays rogue devices detected on the WLAN.

-

ap

Displays APs detected on the WLAN.

-

bridge

Displays bridge devices detected on the WLAN.

-

client

Displays user terminals detected on the WLAN.

-

adhoc

Displays detected user terminals that belong to the Ad-hoc network on the WLAN.

-

ssid

Displays SSIDs detected on the WLAN.

-

mac-address mac-address

Displays detailed information about devices with specified MAC addresses detected on the WLAN.

The MAC addresses must exist.

monitor-ap ap-name ap-name

Displays detailed information about devices detected by the monitoring AP with a specified name on the WLAN.

The AP name must exist.

monitor-ap ap-id ap-id

Displays detailed information about devices detected by the monitoring AP with a specified ID on the WLAN.

The AP ID must exist.

monitor-ap { ap-name ap-name | ap-id ap-id } radio-id radio-id

Displays detailed information about devices detected by the radio with a specified ID on a specified AP on the WLAN.

The radio ID must exist on the AP.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

To ensure WLAN reliability, all wireless devices on the current WLAN must be monitored. You can run the display wlan ids device-detected command to view information about the wireless devices detected.

Prerequisites

The device detection function has been enabled on the AP using the wids device detect enable command.

Example

# Display all devices detected on a WLAN.

<HUAWEI> display wlan ids device-detected all
Flags: r: rogue, p: permit, i: interference, a: adhoc, w: AP, b: wireless-bridge, c: client
#Rf: Number of monitor radios that have detected the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address     Type    CH  Authentication   Last detected time   #Rf   SSID
-------------------------------------------------------------------------------
0010-0020-de2b  r/i/w   1   open             2014-11-20/11:03:44  1     -
-------------------------------------------------------------------------------
Total: 1, printed: 1
Table 11-181  Description of the display wlan ids device-detected all command output
Item Description

MAC address

MAC address of the detected device.

Type

Type of the detected device:
  • r: rogue device
  • p: authorized device
  • i: interfering device
  • a: user terminal on the Ad-hoc network
  • w: AP
  • b: bridge device
  • c: user terminal

Authentication

Authentication mode of the detected device.

CH

Channel in which the device is detected for the last time.

Last detected time

Last time when the device is detected.

#Rf

Number of radios that detect the device.

SSID

SSID of the detected device.

# Display information about APs detected on the WLAN.

<HUAWEI> display wlan ids device-detected ap
Flags: r: rogue, p: permit, i: interference
#Rf: Number of monitor radios that have detected the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address     Type  CH  Authentication   Last detected time   #Rf   SSID
-------------------------------------------------------------------------------
0010-0020-de2b  r/i   1   open             2014-11-20/11:03:44  1     -
-------------------------------------------------------------------------------
Total: 1, printed: 1

# Display information about rogue APs detected on the WLAN.

<HUAWEI> display wlan ids device-detected rogue ap
#Rf: Number of monitor radios that have detected the device
CH: Channel number
-------------------------------------------------------------------------------
MAC Address     CH  Authentication   Last detected time   #Rf   SSID 
-------------------------------------------------------------------------------
0010-0020-de2b  1   open             2014-11-20/11:03:44  1     -
-------------------------------------------------------------------------------
Total: 1, printed: 1

# Display information about interfering APs detected on the WLAN.

<HUAWEI> display wlan ids device-detected interference ap
Flags: r: rogue, p: permit
#Rf: Number of monitor radios that have detected the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address     Type  CH  Authentication   Last detected time   #Rf   SSID 
-------------------------------------------------------------------------------
0010-0020-de2b  r     1   open             2014-11-20/11:03:44  1     -
-------------------------------------------------------------------------------
Total: 1, printed: 1

# Display information about Ad-hoc devices detected on the WLAN.

<HUAWEI> display wlan ids device-detected adhoc
Flags: r: rogue
#Rf: Number of monitor radios that have detected the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address     Type  CH  Authentication   Last detected time   #Rf   SSID
-------------------------------------------------------------------------------
0010-0020-de2d  r     6   open             2014-11-20/11:12:58  2     -
-------------------------------------------------------------------------------
Total: 1, printed: 1

# Display information about SSIDs detected on the WLAN.

<HUAWEI> display wlan ids device-detected ssid
#Dev: Number of devices using SSID
-------------------------------------------------------------------------------
SSID                              #Dev  Last detected time
-------------------------------------------------------------------------------
trad                              1     2014-11-20/11:01:44
CMCC-4G                           6     2014-11-20/11:14:13
-------------------------------------------------------------------------------
Total: 2, printed: 2
Table 11-182  Description of the display wlan ids device-detected ssid command output
Item Description

SSID

SSID detected.

#Dev

Number of devices that use the SSID.

Last detected time

Last time at which the device using the SSID is detected.

# Display information about spoofing SSIDs detected on the WLAN.

<HUAWEI> display wlan ids device-detected rogue ssid
#Dev: number of devices using rogue SSID                                        
--------------------------------------------------------------------------------
Rogue SSID  Spoof profile  #Dev  Last detected time                             
            Pattern rule
--------------------------------------------------------------------------------
ao          a0             1     2014-11-20/11:14:39
            ao
al          a1             2     2014-11-20/11:14:39
            al
--------------------------------------------------------------------------------
ssid        --             1     2014-11-20/15:59:45 
---------------------------------------------------------------------------------
Total: 3
Table 11-183  Description of the display wlan ids device-detected rogue ssid command output
Item Description

Rogue SSID

Spoofing SSIDs detected, including SSIDs identical to authorized SSIDs and SSIDs that match the specified fuzzy rules.

Spoof profile

WIDS spoof SSID profile that owns the fuzzy matching rule.

Pattern rule

Fuzzy matching rule for the spoofing SSID.

#Dev

Number of APs using the SSID.

Last detected time

Latest time when the SSID is detected.

# Display detailed information about devices with MAC address 587f-66d4-d569 detected on the WLAN.

<HUAWEI> display wlan ids device-detected mac-address 587f-66d4-d569
Detected MAC List
--------------------------------------------------------------------------------
MAC address                                             : 587f-66d4-d569
BSSID                                                   : 0008-cbe9-1c00
Type                                                    : rogue client
SSID                                                    : -
Authentication                                          : 802.1x
Number of monitor radios that have detected the device  : 1
Last detected channel                                   : 1
Maximum RSSI(dBm)                                       : -80
Beacon interval(TUs)                                     : -
First detected time                                     : 2015-10-20/15:07:23

Reported AP 1
 AP name                                                : admin_ap0_admin_ap0_admin
 Radio ID                                               : 0
 MAC address                                            : dcd2-fc1e-c4a0
 Radio type                                             : 802.11bg
 Channel                                                : 1
 RSSI(dBm)                                              : -80
 Last detected time                                     : 2015-10-20/15:07:23
 Counter measure                                        : Y
--------------------------------------------------------------------------------
Table 11-184  Description of the display wlan ids device-detected mac-address command output
Item Description

MAC address

MAC address of the detected device.

BSSID

BSSID of the detected device.

Type

Type of the detected device.

SSID

SSID of the detected device.

Authentication

Authentication mode of the detected device.

Number of monitor radios that have detected the device

Number of radios that detect the device.

If WIDS is enabled on multiple APs, the device may be detected by the radios of several of these APs.

Last detected channel

Channel of the detected device.

Maximum RSSI(dBm)

Maximum RSSI of the detected device.

Beacon interval(TUs)

Interval at which the detected device sends Beacon frames.

First detected time

First time at which the device is detected.

Reported AP 1

Information about the monitoring AP that reports the detection.

AP name

Name of the monitoring AP.

Radio ID

Radio ID of the monitoring AP.

MAC address

MAC address of the monitoring AP.

Radio type

Radio type of the monitoring AP.

Channel

Channel of the monitoring AP.

RSSI(dBm)

RSSI of the monitoring AP.

Last detected time

Last time when the device is detected.

Counter measure

Whether the device is contained.

display wlan ids device-detected statistics

Function

The display wlan ids device-detected statistics command displays statistics on all wireless devices detected on a WLAN.

Format

display wlan ids device-detected statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display wlan ids device-detected statistics command to view statistics on all wireless devices detected on a WLAN.

Example

# Display statistics on wireless devices detected on a WLAN.

<HUAWEI> display wlan ids device-detected statistics
------------------------------------------------------------------------------------------------                                                                
Rogue Adhoc          : 0                                                            
Contain Adhoc        : 0                                                            
Rogue AP             : 0                                                            
Permit AP            : 0                                                            
Interference AP      : 0                                                            
Contain AP           : 0                                                            
Rogue Client         : 2                                                            
Permit Client        : 0                                                            
Interference Client  : 0  
Contain Client       : 2                                                            
Permit Bridge        : 2                                                            
Rogue Bridge         : 0                                                            
Interference Bridge  : 0 
------------------------------------------------------------------------------------------------
Table 11-185  Description of the display wlan ids device-detected statistics command output
Item Description

Rogue Adhoc

Number of rogue ad-hoc devices.

Contain Adhoc

Number of contained ad-hoc devices.

Rogue AP

Number of rogue APs.

Permit AP

Number of authorized APs.

Interference AP

Number of interfering APs.

Contain AP

Number of contained APs.

Rogue Client

Number of rogue terminal devices.

Permit Client

Number of authorized terminal devices.

Interference Client

Number of interfering terminal devices.

Contain Client

Number of contained terminal devices.

Permit Bridge

Number of authorized bridge devices.

Rogue Bridge

Number of unauthorized bridge devices.

Interference Bridge

Number of interfering bridge devices.

display wlan dynamic-blacklist

Function

The display wlan dynamic-blacklist command displays information about devices in the dynamic blacklist.

Format

display wlan dynamic-blacklist { all | ap-id ap-id | ap-name ap-name | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all devices in the dynamic blacklist.

-

ap-id ap-id

Displays information about attacking devices detected by a specified AP.

The AP ID must exist.

ap-name ap-name

Displays information about attacking devices detected by a specified AP.

The AP name must exist.

mac-address mac-address

Displays information about attack devices with a specified MAC address.

The MAC address must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

An AP uses attack detection and dynamic blacklist functions to add a detected attack device to the dynamic blacklist, and rejects packets sent from this device until the device entry in the dynamic blacklist ages. You can run the display wlan dynamic-blacklist command to view information about devices in the dynamic blacklist.

Prerequisites

Example

# Display information about all devices in the dynamic blacklist.

<HUAWEI> display wlan dynamic-blacklist all
#AP: Number of monitor APs that have detected the device
LAT: Left aging time(s)
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  eapl: EAPOL logoff frame
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      sti: Static IP
brf: Broadcast flood
-------------------------------------------------------------------------------
MAC address       Last detected time    Reason   #AP   LAT
-------------------------------------------------------------------------------
0006-f476-cb70    2015-07-27/12:51:25   brf       1    100
0006-f476-ce90    2015-07-27/12:51:25   pbr       1    200
0006-f476-d35d    2015-07-27/12:51:25   pbr       1    200
0006-f476-d910    2015-07-27/12:51:25   sti       1    200
0006-f476-dd30    2015-07-27/12:51:25   pbr       1    200
0006-f476-df30    2015-07-27/12:51:25   pbr       1    200
-------------------------------------------------------------------------------
Total: 6, printed: 6
Table 11-186  Description of the display wlan dynamic-blacklist all command output
Item Description

MAC address

MAC address of the device in the dynamic blacklist.

Last detected time

Latest time when the device was added to the dynamic blacklist.

Reason

Reason why the device is added to the dynamic blacklist. The values here are the acronyms of attack types. For details, see display wlan ids attack-detected.

#AP

Number of APs that have detected and added the device to the dynamic blacklist.

LAT

Left aging time for the device in the dynamic blacklist.

# Display information about all devices added to the dynamic blacklist by the AP named wcw.

<HUAWEI> display wlan dynamic-blacklist ap-name wcw
LAT: Left aging time(s)
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  eapl: EAPOL logoff frame
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      sti: Static IP
brf: Broadcast flood
-------------------------------------------------------------------------------
MAC address       Last detected time    Reason   LAT
-------------------------------------------------------------------------------
0006-f476-cb70    2015-07-27/12:51:25    sti     100
0006-f476-ce90    2015-07-27/12:51:25    brf     200
0006-f476-ced0    2015-07-27/12:51:30    pbr     200
0006-f476-d35d    2015-07-27/12:51:25    pbr     300
-------------------------------------------------------------------------------
Total: 4, printed: 4

# Display information about specified devices in the dynamic blacklist.

<HUAWEI> display wlan dynamic-blacklist mac-address 0006-f476-cb70
LAT: Left aging time(s)      BT: Block time(s)
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  eapl: EAPOL logoff frame
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      sti: Static IP
brf: Broadcast flood
-------------------------------------------------------------
AP name  Last detected time   Reason   LAT     BT
-------------------------------------------------------------
wcw      2015-07-27/12:51:25   pbr     100     900
wcw2     2015-07-27/12:51:25   pbr     100    1900
-------------------------------------------------------------
Total: 2, printed: 2
Table 11-187  Description of the display wlan dynamic-blacklist mac-address command output
Item Description

Last detected time

Latest time when the device was detected.

Reason

Reason why the device is added to the dynamic blacklist.

LAT

Left aging time for the device in the dynamic blacklist.

BT

Duration for which the device is in the dynamic blacklist.
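The attack-history and dynamic-blacklist listings above share one tabular layout: a legend of abbreviations, a dashed separator, a header row, the data rows and a "Total:" line. The following Python script is an added example, not Huawei code, that parses exactly the two outputs quoted on this page (display wlan ids attack-history all and display wlan dynamic-blacklist all) into records, expands the attack-type abbreviations through the legend, counts attacks per type and lists blacklist entries whose left aging time (LAT) is about to expire. It assumes that layout and that data cells contain no spaces; the sample text is copied from the page's own examples.

```python
# Added example (not Huawei code): parse the table output quoted on this
# page for 'display wlan ids attack-history all' and
# 'display wlan dynamic-blacklist all' into records, expanding the legend
# abbreviations. Assumes that layout: legend lines of 'abbr: meaning'
# pairs, a dashed separator, a header row, data rows whose cells contain
# no spaces, a closing separator and a 'Total:' line.
import re
from collections import Counter
from typing import Dict, List, Tuple

Record = Dict[str, str]

ATTACK_HISTORY = """\
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  wiv: Weak IV detected
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
AP: Name of the monitor AP that has detected the device
AT: Attack type              CH: Channel number
-------------------------------------------------------------------------------
MAC address     AT     CH   RSSI(dBm)  Last detected time    AP
-------------------------------------------------------------------------------
2477-039a-37ec  pbr    165  -86        2014-11-20/15:51:43   ap-13
00bc-71b7-171d  pbr    165  -88        2014-11-20/15:41:43   ap-13
2477-039a-0bf4  pbr    165  -81        2014-11-20/15:41:53   ap-13
-------------------------------------------------------------------------------
Total: 3, printed: 3
"""

DYNAMIC_BLACKLIST = """\
#AP: Number of monitor APs that have detected the device
LAT: Left aging time(s)
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  eapl: EAPOL logoff frame
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      sti: Static IP
brf: Broadcast flood
-------------------------------------------------------------------------------
MAC address       Last detected time    Reason   #AP   LAT
-------------------------------------------------------------------------------
0006-f476-cb70    2015-07-27/12:51:25   brf       1    100
0006-f476-ce90    2015-07-27/12:51:25   pbr       1    200
0006-f476-d35d    2015-07-27/12:51:25   pbr       1    200
0006-f476-d910    2015-07-27/12:51:25   sti       1    200
0006-f476-dd30    2015-07-27/12:51:25   pbr       1    200
0006-f476-df30    2015-07-27/12:51:25   pbr       1    200
-------------------------------------------------------------------------------
Total: 6, printed: 6
"""

SEPARATOR = re.compile(r"^-{10,}\s*$")
# One or two 'abbr: meaning' pairs per legend line; '#' allows '#AP'.
LEGEND_ITEM = re.compile(r"([#\w]+): (.+?)(?=\s{2,}[#\w]+:|\s*$)")


def parse_display_table(text: str) -> Tuple[Dict[str, str], List[Record]]:
    """Return (legend, records): legend maps abbreviation to meaning, each
    record maps a header column name to one row's cell value."""
    legend: Dict[str, str] = {}
    records: List[Record] = []
    columns: List[str] = []
    separators = 0
    for line in text.splitlines():
        if SEPARATOR.match(line):
            separators += 1
            continue
        if separators == 0:
            for abbr, meaning in LEGEND_ITEM.findall(line):
                legend[abbr] = meaning.strip()
        elif separators == 1:
            # Split on 2+ spaces so 'Last detected time' stays one column.
            columns = re.split(r"\s{2,}", line.strip())
        elif separators == 2:
            cells = line.split()
            if len(cells) != len(columns):
                raise ValueError(f"row does not match header: {line!r}")
            records.append(dict(zip(columns, cells)))
        else:
            break  # only the 'Total: N, printed: N' line follows
    return legend, records


def counts_by(records: List[Record], legend: Dict[str, str], column: str) -> Dict[str, int]:
    """Count rows per value of `column`, expanded through the legend."""
    return dict(Counter(legend.get(r[column], r[column]) for r in records))


def expiring_within(records: List[Record], seconds: int) -> List[str]:
    """Blacklist entries that age out within `seconds` (LAT column)."""
    return [r["MAC address"] for r in records if int(r["LAT"]) <= seconds]
```

Typical use is to feed the captured CLI text to parse_display_table and hand the records to a SIEM or a periodic check, for example counts_by(records, legend, "Reason") on the blacklist output to see which attack types dominate, and expiring_within(records, 300) to learn which entries will be released from the blacklist within the next five minutes. Rows that do not line up with the header raise ValueError rather than being silently misaligned.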

display wlan ids rogue-history

Function

The display wlan ids rogue-history command displays historical records of rogue devices.

Format

display wlan ids rogue-history { all | ap | bridge | client | adhoc | ssid | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays historical records of all rogue devices.

-

ap

Displays historical records of rogue APs.

-

bridge

Displays historical records of rogue bridge devices.

-

client

Displays historical records of rogue user terminals.

-

adhoc

Displays historical records of rogue Adhoc devices.

-

ssid

Displays historical records of countered devices with unauthorized SSIDs.

-

mac-address mac-address

Displays historical records of devices with specified MAC addresses.

The MAC addresses must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display wlan ids rogue-history command to view the historical records of rogue devices.

Prerequisites

The device detection function has been enabled on the AP using the wids device detect enable command.

Example

# Display historical records of all rogue devices.

<HUAWEI> display wlan ids rogue-history all
Flags: a: adhoc, w: AP, b: wireless-bridge, c: client
CH: Channel number
-------------------------------------------------------------------------------
MAC address     Type  CH  Authentication   Last detected time   SSID
-------------------------------------------------------------------------------
000a-f7bc-1852  w     11  open             2014-11-20/11:20:37  wlan
000b-c002-9c81  c     11  -                2014-11-20/11:16:07  -
-------------------------------------------------------------------------------
Total: 2, printed: 2
Table 11-188  Description of the display wlan ids rogue-history all command output
Item Description

MAC address

MAC address of the rogue device listed in the historical record list.

Type

Type of the rogue device listed in the historical record list:
  • a: user terminal on the Adhoc network
  • w: AP
  • b: bridge device
  • c: user terminal

CH

Channel in which the device is detected for the last time.

Authentication

Authentication mode of the rogue device listed in the historical record list.

Last detected time

Last time when the device is detected.

SSID

SSID of the detected device.

# Display historical records of rogue APs.

<HUAWEI> display wlan ids rogue-history ap
CH: channel number
-------------------------------------------------------------------------------
MAC address     CH  Authentication   Last detected time   SSID
-------------------------------------------------------------------------------
000a-f7bc-1852  11  open             2014-11-20/11:20:37  wlan
0022-aad0-c672  11  open             2014-11-20/11:20:44  -
-------------------------------------------------------------------------------
Total: 2, printed: 2

# Display historical records of SSIDs.

<HUAWEI> display wlan ids rogue-history ssid
#Dev: number of devices using SSID
-------------------------------------------------------------------------------
SSID                              #Dev  Last detected time
-------------------------------------------------------------------------------
trad                              1     2014-11-20/11:01:44
CMCC-4G                           6     2014-11-20/11:14:13
X+Z_007                           1     2014-11-20/11:20:15
tntjoyo                           1     2014-11-20/11:18:42
-------------------------------------------------------------------------------
Total: 4, printed: 4
Table 11-189  Description of the display wlan ids rogue-history ssid command output
Item Description

SSID

SSID of the detected device.

#Dev

Number of devices that use the SSID.

Last detected time

Last time at which the device using the SSID is detected.

# Display historical records of an AP or client with a specified MAC address.

<HUAWEI> display wlan ids rogue-history mac-address 00e0-fc03-0206
-------------------------------------------------------------------
 MAC address                           : 00e0-fc03-0206
 SSID                                  : wlan
 Type                                  : rogue ap
 Authentication                        : 802.1x
 Last detected time                    : 2012-10-25/09:22:29
-------------------------------------------------------------------
Table 11-190  Description of the display wlan ids rogue-history mac-address command output

Item

Description

MAC address

MAC address of the detected device.

Type

Type of the detected device.

SSID

SSID of an extended service set (ESS).

Authentication

Authentication mode of the detected device.

Last detected time

Time at which the device was last detected.
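
The rogue-history outputs above come in two shapes: a rule-delimited table (the ap and ssid variants) and an "Item : value" listing (the mac-address variant). The following parser is an added example for ingesting both shapes into a SIEM or script; it is not Huawei's code and the sample text it parses is the output quoted on this page, embedded verbatim as constructed input. Column boundaries are taken from the header line, so values that contain spaces (such as the timestamp) stay intact.

```python
import re
from datetime import datetime

# Constructed sample input: the two display outputs quoted above, copied verbatim
ROGUE_AP_OUTPUT = """\
<HUAWEI> display wlan ids rogue-history ap
CH: channel number
-------------------------------------------------------------------------------
MAC address     CH  Authentication   Last detected time   SSID
-------------------------------------------------------------------------------
000a-f7bc-1852  11  open             2014-11-20/11:20:37  wlan
0022-aad0-c672  11  open             2014-11-20/11:20:44  -
-------------------------------------------------------------------------------
Total: 2, printed: 2
"""

ROGUE_MAC_OUTPUT = """\
<HUAWEI> display wlan ids rogue-history mac-address 00e0-fc03-0206
-------------------------------------------------------------------
 MAC address                           : 00e0-fc03-0206
 SSID                                  : wlan
 Type                                  : rogue ap
 Authentication                        : 802.1x
 Last detected time                    : 2012-10-25/09:22:29
-------------------------------------------------------------------
"""

RULE_LINE = re.compile(r"^-{10,}\s*$")
TOTAL_LINE = re.compile(r"^Total:\s*(\d+)")
KEY_VALUE = re.compile(r"^\s*(.+?)\s*:\s*(.*)$")
TIME_FORMAT = "%Y-%m-%d/%H:%M:%S"   # format of 'Last detected time' on the device


def _columns(header):
    """Return (start offset, name) per header column. Names such as
    'Last detected time' contain single spaces; columns are separated by two or more."""
    return [(m.start(), m.group()) for m in re.finditer(r"\S+(?: \S+)*", header)]


def parse_table(output):
    """Parse a rule-delimited display table into (rows, total).

    The dashed rule lines split the output into regions: banner, header, body,
    summary. A body row is split on runs of two or more spaces when that yields
    one field per column, otherwise it is sliced at the header offsets."""
    region, columns, rows, total = 0, [], [], None
    for line in output.splitlines():
        if RULE_LINE.match(line):
            region += 1
            continue
        if region == 1:                      # header between first and second rule
            columns = _columns(line.rstrip())
        elif region == 2:                    # data rows between second and third rule
            names = [name for _, name in columns]
            fields = re.split(r"\s{2,}", line.strip())
            if len(fields) == len(columns):
                record = dict(zip(names, fields))
            else:
                record = {}
                for i, (start, name) in enumerate(columns):
                    end = columns[i + 1][0] if i + 1 < len(columns) else None
                    record[name] = line[start:end].strip()
            rows.append(record)
        elif region == 3:                    # summary after the closing rule
            m = TOTAL_LINE.match(line)
            if m:
                total = int(m.group(1))
    return rows, total


def parse_record(output):
    """Parse the 'Item : value' form used by the mac-address variant."""
    record = {}
    for line in output.splitlines():
        if RULE_LINE.match(line) or line.startswith("<"):
            continue
        m = KEY_VALUE.match(line)
        if m:
            record[m.group(1)] = m.group(2).strip()
    return record


def most_recent(rows):
    """MAC address of the row whose 'Last detected time' is the latest."""
    newest = max(rows, key=lambda r: datetime.strptime(r["Last detected time"], TIME_FORMAT))
    return newest["MAC address"]


if __name__ == "__main__":
    rows, total = parse_table(ROGUE_AP_OUTPUT)
    print(total, rows, most_recent(rows))
    print(parse_record(ROGUE_MAC_OUTPUT))
```

The same parse_table function handles the ssid variant, whose header ("SSID", "#Dev", "Last detected time") is read the same way.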

display wlan ids spoof-ssid fuzzy-match

Function

The display wlan ids spoof-ssid fuzzy-match command displays fuzzy matching rules for spoofing SSIDs.

Format

display wlan ids spoof-ssid fuzzy-match regex regex-value

Parameters

Parameter

Description

Value

regex regex-value

Specifies the matching rules for spoofing SSIDs and displays spoofing SSIDs that match the rules.

The rules must exist.

The value is in text format and can contain 1 to 48 case-sensitive characters. It supports Chinese characters or a mixture of Chinese and English characters.

NOTE:

You can only use a command editor of the UTF-8 encoding format to edit Chinese characters.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To view SSIDs that match a specific rule, run the display wlan ids spoof-ssid fuzzy-match regex regex-value command.

Example

# Display SSIDs that match a specific rule.

<HUAWEI> display wlan ids spoof-ssid fuzzy-match regex ^HUAWE[1l]$
#Dev: Number of devices using SSID                                              
--------------------------------------------------------------------------------
Match SSID                       #Dev  Last detected time   WIDS spoof profile  
--------------------------------------------------------------------------------
HUAWE1                            2    2014-03-06/12:44:37  huawei
HUAWEl                            1    2014-03-06/12:44:50  huawei
--------------------------------------------------------------------------------
Total: 2
Table 11-191  Description of the display wlan ids spoof-ssid fuzzy-match regex command output

Item

Description

Match SSID

SSID matching a specific rule.

#Dev

Number of APs using the matching SSID.

Last detected time

Latest time when the SSID is detected.

WIDS spoof profile

WIDS spoof profile to which the rules belong.
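
The example output above uses the rule ^HUAWE[1l]$ to catch SSIDs that differ from HUAWEI by one look-alike character. The following Python is an added example, not Huawei's code, of how a defender might build such a rule from a legitimate SSID and then apply it to a scan result the way the device does (anchored, case-sensitive). The confusable-character groups and the observed SSID/BSSID pairs are constructed assumptions; the device itself only applies the regex you give it.

```python
import re
from collections import defaultdict

# Characters that are easily mistaken for one another on a phone's network list.
# Assumption: this grouping is our own; the device applies only the regex you supply.
CONFUSABLE_GROUPS = ("Il1|", "O0", "S5", "E3", "A4", "B8")


def fuzzy_pattern(legit_ssid):
    """Build an anchored, case-sensitive regex matching look-alike spellings of
    legit_ssid, e.g. 'HUAWEI' -> '^HU[A4]W[E3][Il1\\|]$'."""
    parts = []
    for ch in legit_ssid:
        group = next((g for g in CONFUSABLE_GROUPS if ch in g), None)
        parts.append("[" + re.escape(group) + "]" if group else re.escape(ch))
    return "^" + "".join(parts) + "$"


# Constructed scan result: (SSID, BSSID) pairs as a WIDS scan might report them
OBSERVED = [
    ("HUAWEI", "00e0-fc00-0001"),     # the legitimate network
    ("HUAWE1", "00e0-fc00-00a1"),     # digit one instead of I
    ("HUAWE1", "00e0-fc00-00a2"),     # same spoof SSID seen on a second radio
    ("HUAWEl", "00e0-fc00-00b1"),     # lower-case L instead of I
    ("HU4WEI", "00e0-fc00-00c1"),     # digit four instead of A
    ("HUAWEI_5G", "00e0-fc00-0002"),  # longer name: an anchored rule ignores it
    ("Guest", "00e0-fc00-00d1"),
]


def match_ssids(pattern, observed, legit=()):
    """Return {ssid: number of distinct devices} for SSIDs matching pattern,
    the same two columns as 'Match SSID' and '#Dev' in the display output.
    SSIDs listed in legit (the networks we actually operate) are left out."""
    rule = re.compile(pattern)
    devices = defaultdict(set)
    for ssid, bssid in observed:
        if ssid in legit:
            continue
        if rule.search(ssid):
            devices[ssid].add(bssid.lower())
    return {ssid: len(macs) for ssid, macs in sorted(devices.items())}


if __name__ == "__main__":
    print(match_ssids(r"^HUAWE[1l]$", OBSERVED))             # the page's rule
    print(fuzzy_pattern("HUAWEI"))
    print(match_ssids(fuzzy_pattern("HUAWEI"), OBSERVED, legit={"HUAWEI"}))
```

The generated rule is broader than the page's hand-written one (it also catches HU4WEI), which is the trade-off to weigh before loading it into a WIDS spoof profile: every extra character class widens what counts as a spoof.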

display wlan wapi certificate

Function

The display wlan wapi certificate command displays the content of a certificate file.

Format

display wlan wapi certificate file-name file-name

Parameters

Parameter

Description

Value

file-name file-name

Specifies a certificate file name.

The value is a string of 1 to 255 visible characters. It cannot contain question marks (?) and cannot start or end with double quotation marks (" ") or spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view content of certificate files imported to the device.

In the command, file-name must specify the complete path of the certificate file. For example, if the certificate file as.cer is saved in the flash memory, run the display wlan wapi certificate file-name flash:/as.cer command.

Example

# Display the content of the certificate file as.cer.

<HUAWEI> display wlan wapi certificate file-name flash:/as.cer
Certificate:
Data:
  Version: V3
  Serial number:
      50 FA CF CA
  Signature algorithm: sha256ECDSA192
  Issuer:
      C = CN
      O = 0003
      OU = CUCC
      CN = as_test_1@ASU
  Validity:
    Not before: 2013-01-19 16:54:34 UTC
    Not after : 2033-01-19 16:54:34 UTC
  Subject:
      C = CN
      O = 0003
      OU = CUCC
      CN = as_test_1@ASU
  Subject public key information:
    Public key algorithm: ECC
    Public key: (392 bit)
      04 31 AB F2 76 AE E4 BD EF E6 ED CA 93 C0 04 C8
      C9 C9 BF 6F A3 6A F9 A1 9E 35 3E 9B 08 21 EF 20
      5E 82 C1 42 2D A9 42 C3 CE 91 98 7F 21 83 7C 71
      3A
Table 11-192  Description of the display wlan wapi certificate command output

Item

Description

Version

Version of the X.509 certificate.

Serial number

Serial number of the certificate.

Signature algorithm

Algorithm used to calculate the signature.

Issuer

Certificate issuer.

Validity

Valid period of the certificate, specified by the start date and end date.

Subject

Subject of the certificate.

Subject public key information

Information about the public key of the certificate.

dynamic-blacklist aging-time

Function

The dynamic-blacklist aging-time command sets an aging time for a dynamic blacklist.

The undo dynamic-blacklist aging-time command restores the aging time of a dynamic blacklist to the default value.

By default, the aging time of a dynamic blacklist is 600 seconds.

Format

dynamic-blacklist aging-time time

undo dynamic-blacklist aging-time

Parameters

Parameter

Description

Value

time

Specifies the aging time at the expiry of which a specified MAC address is removed from the dynamic blacklist.

The value is an integer that ranges from 180 to 3600, in seconds.

Views

AP system profile view

Default Level

2: Configuration level

Usage Guidelines

When an AP detects attacks from a STA, it reports the STA to the AC, prevents the STA from going online, and rejects any packets sent from the STA. As long as the STA is blacklisted, it cannot go online again even if it no longer launches attacks. To avoid this, run the dynamic-blacklist aging-time command to configure an aging time for the dynamic blacklist. If the configured aging time expires and the AP detects no further attacks from the STA, the STA is once again allowed to go online.

Example

# Set the aging time of the dynamic blacklist to 300 seconds.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-system-profile name huawei
[HUAWEI-wlan-ap-system-prof-huawei] dynamic-blacklist aging-time 300

dynamic-blacklist enable

Function

The dynamic-blacklist enable command enables the dynamic blacklist function.

The undo dynamic-blacklist enable command disables the dynamic blacklist function.

By default, the dynamic blacklist function is disabled.

Format

dynamic-blacklist enable

undo dynamic-blacklist enable

Parameters

None

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attack detection is enabled to detect flood attacks, weak IV attacks, spoofing attacks, and brute force key cracking attacks. When an AP detects attacks initiated by a device, it reports an alarm to the AC. In addition, you can run the dynamic-blacklist enable command to enable the dynamic blacklist function on the AC for handling flood attacks and brute force key cracking attacks. The AC then automatically adds the attacking device to a dynamic blacklist and discards packets sent from the attacking device until the dynamic blacklist entry ages out.

An AP can use the dynamic blacklist to filter out the blacklisted wireless devices to avoid malicious attacks.

Follow-up Procedure

Run the dynamic-blacklist aging-time command to set an aging time for the dynamic blacklist.

Example

# Enable the dynamic blacklist function.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wids-profile name huawei
[HUAWEI-wlan-wids-prof-huawei] dynamic-blacklist enable

flood-detect interval

Function

The flood-detect interval command sets the flood attack detection interval.

The undo flood-detect interval command restores the default flood attack detection interval.

By default, the flood attack detection interval is 10 seconds.

Format

flood-detect interval interval

undo flood-detect interval

Parameters

Parameter

Description

Value

interval interval

Specifies the interval for flood attack detection.

The value is an integer that ranges from 10 to 120, in seconds.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A flood attack occurs when an AP receives a large number of packets of the same type within a short period. As a result, the AP is flooded by too many attack packets to process service packets from authorized wireless terminals.

After the flood attack detection function is enabled, an AP counts the number of packets of the same type that it receives from each user during each detection interval. When the number exceeds the specified threshold, the AP considers the user to be launching a flood attack. If the dynamic blacklist function is enabled, the user is added to the dynamic blacklist.

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example

# Set the flood attack detection interval to 120s.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable flood
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name huawei
[HUAWEI-wlan-wids-prof-huawei] flood-detect interval 120

flood-detect quiet-time

Function

The flood-detect quiet-time command sets the quiet time for an AP to report the detected flood attacks to the AC.

The undo flood-detect quiet-time command restores the default quiet time for an AP to report detected flood attacks to the AC.

By default, the quiet time is 600 seconds for an AP to report the detected flood attacks to the AC.

Format

flood-detect quiet-time quiet-time-value

undo flood-detect quiet-time

Parameters

Parameter

Description

Value

quiet-time-value

Specifies the quiet time for an AP to report the detected flood attacks to the AC.

The value is an integer that ranges from 60 to 36000, in seconds.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After attack detection is enabled on an AP, the AP reports alarms upon attack detection. If an attack source launches attacks repeatedly, a large number of repeated alarms are generated. To prevent this situation, configure the quiet time for an AP to report alarms. When detecting attack sources of the same MAC address, the AP does not report alarms in the quiet time. However, if the AP still detects attacks from the attack source after the quiet time expires, the AP reports alarms. You can set the quiet time based on attack types.

To obtain attack information in a timely manner, set the quiet time to a small value. If attack detection is enabled on many APs, and attacks are frequently detected, set the quiet time to a large value to prevent frequent alarm reports.

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example

# Set the quiet time to 300 seconds for an AP to report the detected flood attacks to the AC.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable flood
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name huawei
[HUAWEI-wlan-wids-prof-huawei] flood-detect quiet-time 300

flood-detect threshold

Function

The flood-detect threshold command sets the flood attack detection threshold. A flood attack occurs when an AP receives a large number of packets of the same type within a short period.

The undo flood-detect threshold command restores the default flood attack detection threshold.

By default, the flood attack detection threshold is 500.

Format

flood-detect threshold threshold

undo flood-detect threshold

Parameters

Parameter

Description

Value

threshold threshold

Specifies the flood attack detection threshold.

The value is an integer that ranges from 1 to 1000.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A flood attack occurs when a device receives a large number of packets of the same type within a short period. As a result, the device is flooded by too many attack packets to process service packets from authorized wireless terminals.

After the flood attack detection function is enabled, a device counts the number of packets of the same type that it receives from each user during each detection interval. When the number exceeds the specified threshold, the device considers the user to be launching a flood attack. If the dynamic blacklist function is enabled, the user is added to the dynamic blacklist. If the threshold is set too low, the device may incorrectly add authorized users to the dynamic blacklist, preventing them from going online.

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example

# Set the flood attack detection threshold to 350.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable flood
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name huawei
[HUAWEI-wlan-wids-prof-huawei] flood-detect threshold 350
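
The flood-detect interval, threshold and quiet-time commands, together with dynamic-blacklist enable and dynamic-blacklist aging-time, describe one mechanism: count frames of one type per source within an interval, report a flood when the count passes the threshold, suppress repeat alarms for the same source during the quiet time, and (when the blacklist is enabled) drop the source until its entry ages out. The simulation below is an added example of that logic, written to make the interaction of the four timers visible; it is not Huawei's implementation, and the frame timeline, MAC addresses and the small threshold are constructed.

```python
from collections import defaultdict


class FloodDetector:
    """Model of the WIDS flood-detection knobs documented above.
    Added simulation, not Huawei's code; timing is in whole seconds."""

    def __init__(self, interval=10, threshold=500, quiet_time=600,
                 blacklist_enabled=False, aging_time=600):
        self.interval = interval                     # flood-detect interval (s)
        self.threshold = threshold                   # flood-detect threshold (frames per interval)
        self.quiet_time = quiet_time                 # flood-detect quiet-time (s)
        self.blacklist_enabled = blacklist_enabled   # dynamic-blacklist enable
        self.aging_time = aging_time                 # dynamic-blacklist aging-time (s)
        self.window = None                           # index of the current counting interval
        self.counts = defaultdict(int)               # (mac, frame_type) -> frames this interval
        self.last_alarm = {}                         # mac -> time of the last reported alarm
        self.blacklist = {}                          # mac -> time the entry ages out
        self.alarms = []                             # (time, mac, frame_type, count)

    def _tick(self, now):
        for mac in [m for m, expiry in self.blacklist.items() if expiry <= now]:
            del self.blacklist[mac]                  # aging time over: STA may go online again
        window = now // self.interval
        if window != self.window:                    # a new interval starts counting from zero
            self.window = window
            self.counts.clear()

    def receive(self, now, mac, frame_type):
        """Process one frame. Returns 'drop' for a blacklisted source, 'alarm' when a
        flood is reported to the AC, 'suppressed' when the same source floods again
        inside the quiet time, and 'ok' otherwise."""
        self._tick(now)
        if mac in self.blacklist:
            return "drop"
        key = (mac, frame_type)
        self.counts[key] += 1
        if self.counts[key] <= self.threshold:
            return "ok"
        # more frames of one type than the threshold inside one interval: flood attack
        if self.blacklist_enabled:
            self.blacklist[mac] = now + self.aging_time
        last = self.last_alarm.get(mac)
        if last is not None and now - last < self.quiet_time:
            return "suppressed"                      # same source, alarm already sent recently
        self.last_alarm[mac] = now
        self.alarms.append((now, mac, frame_type, self.counts[key]))
        return "alarm"


def run_scenario():
    """Constructed timeline with a threshold of 5 so every state is reached."""
    det = FloodDetector(interval=10, threshold=5, quiet_time=100,
                        blacklist_enabled=True, aging_time=60)
    attacker, client = "00e0-fc00-0bad", "00e0-fc00-0001"   # constructed MACs
    results = []
    for _ in range(8):                                  # 8 probe requests in second 1
        results.append(det.receive(1, attacker, "probe-req"))
    results.append(det.receive(30, client, "probe-req"))    # a normal client is unaffected
    results.append(det.receive(61, attacker, "probe-req"))  # blacklist entry has aged out
    for _ in range(6):                                  # flood resumes inside the quiet time
        results.append(det.receive(62, attacker, "probe-req"))
    return results, det.alarms, dict(det.blacklist)


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

Two points the run makes concrete: a low threshold blacklists the source on the sixth frame of a burst, which is why the threshold must sit above what legitimate clients send per interval, and the quiet time only silences the alarm, not the blacklist action, so the source is still dropped on its second flood even though no new alarm reaches the AC.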

ip source check user-bind enable

Function

The ip source check user-bind enable command enables IP source guard on APs.

The undo ip source check user-bind enable command disables IP source guard on APs.

By default, IP source guard is disabled on APs.

Format

ip source check user-bind enable

undo ip source check user-bind enable

Parameters

None

Views

VAP profile view

Default Level

2: Configuration level

Usage Guidelines

Users can configure static IP addresses for their clients and connect to the Internet after passing 802.1x authentication. To defend against source IP address spoofing attacks, you need to enable IP source guard on APs.

To prevent IP packets of unauthorized users from entering external networks through an AP, enable IP source guard in a VAP profile and bind the VAP profile to an AP or AP group. The IP source guard function can filter incoming packets on an AP radio interface, preventing unauthorized packets from passing through the AP.

If STA address learning is enabled on an AP using the undo learn-client-address disable command, DHCP users can access the AP. Users with statically assigned IP addresses can access the AP only after the administrator has manually configured static binding entries for them: the administrator configures an IP network segment and binds it to the MAC addresses of those users.

Example

# Enable IP source guard on APs.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] vap-profile name vap1
[HUAWEI-wlan-vap-prof-vap1] ip source check user-bind enable

learn-client-address dhcp-strict

Function

The learn-client-address dhcp-strict command enables strict STA IP address learning through DHCP.

The undo learn-client-address dhcp-strict command disables strict STA IP address learning through DHCP.

By default, strict STA IP address learning through DHCP is disabled.

Format

learn-client-address dhcp-strict [ blacklist enable ]

undo learn-client-address dhcp-strict

Parameters

Parameter

Description

Value

blacklist enable

Adds STAs with bogus IP addresses to a blacklist.

By default, STAs with bogus IP addresses are not added to a blacklist.

-

Views

VAP profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a STA associates with an AP, the following situation occurs after strict STA IP address learning through DHCP is enabled:
  • If the STA obtains an IP address through DHCP, the AP will automatically report the IP address to the AC. The STA IP address can be used to maintain the mapping between STA IP addresses and MAC addresses.
  • For a STA using a static IP address:
    • If blacklist enable is specified, the STA will be added to a dynamic blacklist of the AP and cannot associate with the AP before the blacklist entry ages.
    • If blacklist enable is not specified, the STA can associate with the AP but the AP does not learn the IP address of the STA.

Prerequisites

The DHCP trusted port has been disabled using the undo dhcp trust port command in the VAP profile view.

STA address learning has been enabled using the undo learn-client-address disable command.

Precautions

After strict STA IP address learning is enabled, it is recommended that you run the ip source check user-bind enable and arp anti-attack check user-bind enable commands to enable IP source guard and dynamic ARP inspection so that STAs cannot communicate with the network before obtaining an IP address through DHCP.

Example

# Enable strict STA IP address learning through DHCP.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] vap-profile name vap1
[HUAWEI-wlan-vap-prof-vap1] learn-client-address dhcp-strict
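
The ip source check user-bind enable and learn-client-address dhcp-strict commands above describe one filtering model on the AP: bindings are learned from the STA's DHCP exchange or entered by the administrator as a MAC-to-network-segment entry, IP source guard forwards only packets whose source matches a binding, and strict mode treats a STA that never obtained an address through DHCP as using a bogus address (optionally blacklisting it). The class below is an added example of that model, not Huawei's code. Its assumption is that "the STA uses a static IP address" is observed as an IP packet from a MAC for which no DHCP-learned or administrator-configured binding exists; the MACs, addresses and lease are constructed.

```python
import ipaddress


class StaBindingTable:
    """AP-side model of STA address learning, strict DHCP learning and IP source
    guard as described above. Added example, not Huawei's implementation."""

    def __init__(self, dhcp_strict=False, strict_blacklist=False,
                 ip_source_guard=False):
        self.dhcp_strict = dhcp_strict            # learn-client-address dhcp-strict
        self.strict_blacklist = strict_blacklist  # ... blacklist enable
        self.ip_source_guard = ip_source_guard    # ip source check user-bind enable
        self.learned = {}        # mac -> address learned from the STA's DHCP exchange
        self.static = {}         # mac -> network segment configured by the administrator
        self.blacklist = set()   # STAs rejected for using a bogus (non-DHCP) address

    def learn_dhcp(self, mac, ip):
        """Binding the AP records when it sees the STA obtain ip via DHCP."""
        self.learned[mac.lower()] = ipaddress.ip_address(ip)

    def add_static_binding(self, mac, network):
        """Manual entry for a STA with a static address: mac may use any address
        in network (the page's 'IP network segment bound to the MAC address')."""
        self.static[mac.lower()] = ipaddress.ip_network(network)

    def check_packet(self, mac, src_ip):
        """Decide what the AP does with an IP packet from mac claiming src_ip."""
        mac, src = mac.lower(), ipaddress.ip_address(src_ip)
        if mac in self.blacklist:
            return "drop"
        if self.learned.get(mac) == src:
            return "forward"                      # matches the DHCP-learned binding
        if mac in self.static and src in self.static[mac]:
            return "forward"                      # matches the administrator's entry
        if mac not in self.learned and mac not in self.static:
            # no DHCP exchange was seen for this STA: it brought its own address
            if self.dhcp_strict and self.strict_blacklist:
                self.blacklist.add(mac)
                return "blacklisted"
        # a spoofed source from a known STA, or an unlearned static-address STA
        return "drop" if self.ip_source_guard else "forward"


def run_scenario():
    """Constructed traffic against a VAP with all three protections on."""
    table = StaBindingTable(dhcp_strict=True, strict_blacklist=True,
                            ip_source_guard=True)
    laptop, printer, intruder = "00e0-fc00-0001", "00e0-fc00-0002", "00e0-fc00-0bad"
    table.learn_dhcp(laptop, "192.168.10.50")             # constructed DHCP lease
    table.add_static_binding(printer, "192.168.10.0/24")  # static-IP device, entered by admin
    return [
        table.check_packet(laptop, "192.168.10.50"),      # own lease: forward
        table.check_packet(laptop, "192.168.10.1"),       # claims the gateway's address: drop
        table.check_packet(printer, "192.168.10.200"),    # inside the bound segment: forward
        table.check_packet(printer, "10.0.0.9"),          # outside the segment: drop
        table.check_packet(intruder, "192.168.10.77"),    # no binding at all: blacklisted
        table.check_packet(intruder, "192.168.10.78"),    # every later packet: drop
    ]


if __name__ == "__main__":
    print(run_scenario())
```

With none of the three options enabled the same intruder packet is simply forwarded, which is the default state of a VAP profile and the reason the Precautions paragraph recommends enabling IP source guard alongside strict learning.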

learn-client-address disable (VAP profile view)

Function

The learn-client-address disable command disables STA IPv4 address learning.

The undo learn-client-address disable command enables STA IPv4 address learning.

By default, STA address learning is enabled.

Format

learn-client-address ipv4 disable

undo learn-client-address ipv4 disable

Parameters

Parameter

Description

ipv4

IPv4 address.

Views

VAP profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a STA associates with an AP that has STA address learning enabled and obtains an IP address, the AP automatically reports the STA IP address to the AC, which maintains the STA's IP address and MAC address binding entry.

Prerequisites

  • Before disabling STA address learning, run the undo dhcp trust port command to disable the DHCP trusted interface of the AP for the IPv4 address.

  • Before disabling STA address learning, run the undo learn-client-address dhcp-strict command to disable strict STA IPv4 address learning.

Precautions

  • If a bridging device functions as a STA to connect to an AP enabled with STA address learning, the AP cannot learn IP addresses of users connected to the bridging device; therefore, the users cannot communicate with the network. In this situation, disable STA address learning.

  • Disabling STA address learning will lead to a Portal authentication failure.

Example

# Disable STA IPv4 address learning.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] vap-profile name vap1
[HUAWEI-wlan-vap-prof-vap1] learn-client-address ipv4 disable

oui

Function

The oui command configures an organizationally unique identifier (OUI) for STAs in the whitelist.

The undo oui command deletes the OUI of a specified STA or all STAs in the whitelist.

By default, no OUI is configured for STAs in the whitelist.

Format

oui oui [ description description ]

undo oui { oui | all }

Parameters

Parameter

Description

Value

oui

Specifies the OUI of STAs in the whitelist.

The value is in H-H-H format. An H is a hexadecimal number of 2 digits.

description

Specifies the OUI description of STAs in the whitelist.

The value is a string of 1 to 80 characters.

all

Deletes the OUI of all STAs in the whitelist.

-

Views

STA whitelist profile view

Default Level

2: Configuration level

Usage Guidelines

After the whitelist function is enabled, all STAs in the whitelist can connect to the WLAN. In some scenarios, all STAs with a specified OUI need to be added to the whitelist. You can run the oui command to add STAs with a specified OUI to the whitelist.

Precautions

MAC addresses and OUIs share the capacity of a STA whitelist: a maximum of 3276 MAC addresses or OUIs in total can be added to a STA whitelist.

Example

# Configure the OUI 00-11-22 for STAs in the whitelist profile sta-whitelist-profile1.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] sta-whitelist-profile name sta-whitelist-profile1
[HUAWEI-wlan-whitelist-prof-sta-whitelist-profile1] oui 00-11-22

permit-ap

Function

The permit-ap command configures a WIDS whitelist.

The undo permit-ap command deletes entries in the WIDS whitelist.

By default, no WIDS whitelist is configured.

Format

permit-ap { mac-address mac-address | oui oui | ssid ssid }

undo permit-ap { mac-address { mac-address | all } | oui { oui | all } | ssid { name ssid | all } }

Parameters

Parameter

Description

Value

mac-address mac-address

Adds or deletes an authorized MAC address.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.

mac-address all

Deletes an authorized MAC address list.

-

oui oui

Adds or deletes an authorized OUI.

The value is in H-H-H format. An H is a hexadecimal number of 2 digits.

oui all

Deletes an authorized OUI list.

-

ssid name ssid

Deletes an authorized SSID.

The value must be an existing SSID.

ssid ssid

Adds an authorized SSID.

The value must be an existing SSID.

ssid all

Deletes an authorized SSID list.

-

Views

WIDS whitelist profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After WIDS/WIPS is enabled, rogue APs can be detected and countered. However, there may be APs of other vendors or other networks working in the existing signal coverage areas. If these APs are countered, their services will be affected. To prevent this situation, configure an authorized AP list, including an authorized MAC address list, OUI list, and SSID list. If an unauthorized AP is detected but matches the authorized AP list, the AP is considered an authorized AP and will not be countered.

For example, APs of other vendors are deployed on the existing WLAN to expand network capacity. To prevent the APs from being countered, add OUIs of the vendors to a whitelist and add SSIDs of these APs to a whitelist. In this way, the device will consider the APs as authorized APs.

The device determines whether a detected AP is authorized as follows:
  1. Check whether the AP's MAC address is in the authorized MAC address list.
    • If so, the AP is an authorized AP.

    • If not, go to step 2.

Precautions

If you add or delete an entry, the device will re-check the validity of the unauthorized APs. If an unauthorized AP becomes authorized, the device stops countering the AP. If an authorized AP becomes unauthorized, the device starts countering the AP.

Example

# Add a MAC address, an OUI, and an SSID to the WIDS whitelist.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] wids-whitelist-profile name huawei
[HUAWEI-wlan-wids-whitelist-huawei] permit-ap mac-address 0011-2233-4455
[HUAWEI-wlan-wids-whitelist-huawei] permit-ap oui 00-11-22
[HUAWEI-wlan-wids-whitelist-huawei] permit-ap ssid huawei
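
The permit-ap usage guidelines above state that a detected AP is checked against the authorized MAC list first and that any add or delete re-runs the check, moving APs between the countered and uncountered sets; the oui command earlier describes the same OUI prefix match for the STA whitelist. The following Python is an added example of that evaluation, not Huawei's code. The page reproduces only step 1 of the decision procedure, so the order in which the OUI list and the SSID list are consulted after the MAC list is an assumption of this example; the scan results and addresses are constructed.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")   # H-H-H, 4 hex digits each
OUI_RE = re.compile(r"^[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}$")   # H-H-H, 2 hex digits each


def oui_of(mac):
    """'0011-2233-4455' -> '00-11-22': the first three octets identify the vendor."""
    digits = mac.replace("-", "").lower()
    return "-".join(digits[i:i + 2] for i in (0, 2, 4))


def valid_unicast_mac(mac):
    """The page's rule: not broadcast, not all-zero, not multicast (I/G bit set)."""
    mac = mac.lower()
    if not MAC_RE.match(mac) or mac in ("ffff-ffff-ffff", "0000-0000-0000"):
        return False
    return not (int(mac[:2], 16) & 1)


class WidsWhitelist:
    """Authorized MAC, OUI and SSID lists as built with permit-ap.
    Added example; the order of the OUI and SSID checks is our assumption."""

    def __init__(self):
        self.macs, self.ouis, self.ssids = set(), set(), set()

    def permit_mac(self, mac):
        if not valid_unicast_mac(mac):
            raise ValueError("MAC must be unicast H-H-H with 4 hex digits per group")
        self.macs.add(mac.lower())

    def permit_oui(self, oui):
        if not OUI_RE.match(oui.lower()):
            raise ValueError("OUI must be H-H-H with 2 hex digits per group")
        self.ouis.add(oui.lower())

    def permit_ssid(self, ssid):
        self.ssids.add(ssid)

    def undo_ssid(self, ssid):
        self.ssids.discard(ssid)

    def is_authorized(self, mac, ssid):
        mac = mac.lower()
        if mac in self.macs:                 # step 1 on the page: authorized MAC list
            return True
        if oui_of(mac) in self.ouis:         # assumed step 2: authorized OUI list
            return True
        return ssid in self.ssids            # assumed step 3: authorized SSID list


def reconcile(whitelist, detected, countered):
    """Re-check every detected AP after a whitelist change. Returns the sets of
    MACs to start countering and to stop countering (the Precautions paragraph)."""
    rogue = {mac for mac, ssid in detected if not whitelist.is_authorized(mac, ssid)}
    return rogue - countered, countered - rogue


# Constructed scan results: (BSSID, SSID) pairs
DETECTED = [
    ("0011-2233-4455", "corp"),      # explicitly permitted MAC
    ("0011-22aa-bbcc", "corp-ext"),  # permitted through vendor OUI 00-11-22
    ("00e0-fc00-0001", "huawei"),    # permitted through the SSID only
    ("00e0-fc00-0bad", "corp"),      # nothing matches: rogue
]


def run_scenario():
    wl = WidsWhitelist()
    wl.permit_mac("0011-2233-4455")
    wl.permit_oui("00-11-22")
    wl.permit_ssid("huawei")
    countered = set()
    start, stop = reconcile(wl, DETECTED, countered)
    countered |= start
    first = set(countered)
    wl.undo_ssid("huawei")                   # deleting an entry triggers the re-check
    start2, stop2 = reconcile(wl, DETECTED, countered)
    countered = (countered | start2) - stop2
    return first, start2, countered


if __name__ == "__main__":
    print(run_scenario())
```

The second reconcile shows the operational cost of an SSID-only whitelist entry: removing it immediately turns the AP that matched only by SSID into a countering target, which is why a MAC or OUI entry is the safer way to authorize a neighbour's AP.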

pmf

Function

The pmf command enables the Protected Management Frame (PMF) function of a VAP.

The undo pmf command disables the PMF function for a VAP.

By default, the PMF function is disabled for a VAP.

Format

pmf { optional | mandatory }

undo pmf

Parameters

Parameter

Description

Value

optional

Indicates the optional mode, in which STAs can access the VAP regardless of whether the STAs support PMF or not, but the VAP encrypts only management frames of PMF-capable STAs.

-

mandatory

Indicates the mandatory mode, in which the VAP permits access only from PMF-capable STAs.

-

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Application Scenario

PMF is a specification released by the Wi-Fi Alliance (WFA) based on the IEEE 802.11w standard. It applies the security measures defined in WPA2 to unicast and multicast management action frames to improve the trustworthiness of the network.

If management frames transmitted on WLANs are not encrypted, the following security problems may be introduced. PMF can address the problems.
  • Hackers intercept management frames exchanged between the APs and users.
  • Hackers pretend to be APs and send Disassociation and Deauthentication frames to disconnect users.
  • Hackers pretend to be users and send Disassociation frames to APs to disconnect the users.

Precautions

The authentication and encryption mode must be WPA2-AES in the security profile.

Modifying configuration in the security profile will disconnect all users on the VAP that uses the security profile. The users need to reassociate with the VAP to go online.

The PMF function cannot be deployed on Mesh networks.

Only the AP2X30DN, AP4030DN, AP4130DN, AP5030DN, AP5130DN, AP8030DN, AP2050DN, AP2050DN-E, AP8130DN-W, AP7030DE, AP9330DN, AP8130DN, AD9430DN-24 (including the mapping RUs), AD9430DN-12 (including the mapping RUs), AD9431DN-24X (including the mapping RUs), AP9131DN, AP9132DN, AP4030TN, AP4050DN-E, AP4050DN-HD, AP6050DN, AP6150DN, AP7050DN-E, AP7050DE, AP4050DN, AP4051DN, AP4151DN, AP4050DN-S, AP8050DN, AP8150DN, AP8050DN-S, AP1050DN-S, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, and AP8182DN support the PMF function.

Example

# Enable the PMF function in optional mode.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa2 psk pass-phrase abcdfffffg aes
[HUAWEI-wlan-sec-prof-p1] pmf optional

reset wlan ids attack-detected

Function

The reset wlan ids attack-detected command deletes information about the attacking devices detected.

Format

reset wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Deletes information about all types of attacking devices.

-

flood

Deletes information about devices launching flood attacks.

-

spoof

Deletes information about devices launching spoofing attacks.

-

wapi-psk

Deletes information about devices that perform brute force cracking in WAPI-PSK authentication mode.

-

weak-iv

Deletes information about devices launching weak IV attacks.

-

wep-share-key

Deletes information about devices that perform brute force cracking in WEP-SK authentication mode.

-

wpa-psk

Deletes information about devices that perform brute force cracking in WPA-PSK authentication mode.

-

wpa2-psk

Deletes information about devices that perform brute force cracking in WPA2-PSK authentication mode.

-

mac-address mac-address

Deletes information about detected devices launching attacks with specified MAC addresses.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

Views

All views

Default Level

3: Management level

Usage Guidelines

After attack detection is enabled, information about attacking devices detected is recorded. When there is excessive information recorded or the recorded information is useless, you can run the reset wlan ids attack-detected command to delete the information.

Example

# Delete information about all the current attacking devices.

<HUAWEI> reset wlan ids attack-detected all

reset wlan ids attack-detected statistics

Function

The reset wlan ids attack-detected statistics command deletes the number of attacks detected.

Format

reset wlan ids attack-detected statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

After attack detection is enabled, the number of attacks detected is recorded. When there is excessive information recorded or the recorded information is useless, you can run the reset wlan ids attack-detected statistics command to delete the information.

Example

# Delete the number of attacks detected.

<HUAWEI> reset wlan ids attack-detected statistics

reset wlan ids attack-history

Function

The reset wlan ids attack-history command deletes historical records about the attacking devices detected.

Format

reset wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Deletes historical records about all types of attacking devices.

-

flood

Deletes historical records about devices launching flood attacks.

-

spoof

Deletes historical records about devices launching spoofing attacks.

-

wapi-psk

Deletes historical records about devices that perform brute force cracking in WAPI-PSK authentication mode.

-

weak-iv

Deletes historical records about devices launching weak IV attacks.

-

wep-share-key

Deletes historical records about devices that perform brute force cracking in WEP-SK authentication mode.

-

wpa-psk

Deletes historical records about devices that perform brute force cracking in WPA-PSK authentication mode.

-

wpa2-psk

Deletes historical records about devices that perform brute force cracking in WPA2-PSK authentication mode.

-

mac-address mac-address

Deletes historical records about detected devices launching attacks with specified MAC addresses.

The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

Views

All views

Default Level

3: Management level

Usage Guidelines

After attack detection is enabled, historical records about attacking devices detected are recorded. When there is excessive information recorded or the recorded information is useless, you can run the reset wlan ids attack-history command to delete the information.

Example

# Delete historical records about all the current attacking devices.

<HUAWEI> reset wlan ids attack-history all

reset wlan ids device-detected

Function

The reset wlan ids device-detected command deletes information about the wireless devices detected.

Format

reset wlan ids device-detected { all | [ interference | rogue ] ap | [ rogue ] bridge | [ rogue ] client | adhoc | ssid [ ssid ] | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Deletes information about all the wireless devices detected.

-

interference

Deletes information about the interfering devices detected.

-

rogue

Deletes information about the rogue devices detected.

-

ap

Deletes information about the APs detected.

-

bridge

Deletes information about the bridge devices detected.

-

client

Deletes information about the user terminals detected.

-

adhoc

Deletes information about detected user terminals that belong to an Adhoc network.

-

ssid [ ssid ]

Deletes information about detected devices with specified SSID or all SSIDs.

The value must be an existing SSID.

mac-address mac-address

Deletes information about detected devices with specified MAC addresses.

The value must be an existing MAC address.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When there is excessive information about wireless devices recorded or the recorded information is useless, you can run the reset wlan ids device-detected command to delete the information.

Precautions

The reset wlan ids device-detected ssid ssid command cannot delete device information when the SSID contains special characters (such as tabs). To delete such information, run the reset wlan ids device-detected mac-address mac-address or reset wlan ids device-detected all command.

Example

# Delete information about all the wireless devices detected.

<HUAWEI> reset wlan ids device-detected all

reset wlan dynamic-blacklist

Function

The reset wlan dynamic-blacklist command deletes information about devices in the dynamic blacklist.

Format

reset wlan dynamic-blacklist { ap-id ap-id | ap-name ap-name | mac-address mac-address | all }

Parameters

Parameter

Description

Value

ap-id ap-id

Deletes the dynamic blacklist information reported by the AP with a specified ID.

The AP ID must exist.

ap-name ap-name

Deletes the dynamic blacklist information reported by the AP with a specified name.

The AP name must exist.

mac-address mac-address

Deletes the device with a specified MAC address from the dynamic blacklist.

The MAC address must exist.

all

Deletes all information in the dynamic blacklist.

-

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The reset wlan dynamic-blacklist command is applicable to the following scenarios:
  • To recollect the dynamic blacklist information, run the reset wlan dynamic-blacklist all command to delete all information in the dynamic blacklist. After that, the AC recollects the information.
  • To remove an authorized device from the dynamic blacklist, run the reset wlan dynamic-blacklist mac-address command to remove the MAC address of the device from the dynamic blacklist. After that, information sent from the device is not rejected.

Precautions

Running the reset wlan dynamic-blacklist command removes devices from the dynamic blacklist, so APs start accepting packets from those devices again. Exercise caution when running this command.

Example

# Delete the device with MAC address 78AC-C0C1-C1FC from the dynamic blacklist.

<HUAWEI> reset wlan dynamic-blacklist mac-address 78ac-c0c1-c1fc

reset wlan ids rogue-history

Function

The reset wlan ids rogue-history command deletes historical records of rogue devices.

Format

reset wlan ids rogue-history { all | ap | bridge | client | adhoc | ssid [ ssid ] | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Deletes historical records of all rogue devices.

-

ap

Deletes historical records of rogue APs.

-

bridge

Deletes historical records of rogue bridge devices.

-

client

Deletes historical records of rogue user terminals.

-

adhoc

Deletes historical records of rogue Adhoc devices.

-

ssid [ ssid ]

Deletes historical records of devices with specified SSIDs.

The value must be an existing SSID.

mac-address mac-address

Deletes historical records of devices with specified MAC addresses.

The value must be an existing MAC address.

Views

All views

Default Level

3: Management level

Usage Guidelines

When there are excessive historical records of rogue devices or their historical records are useless, you can run the reset wlan ids rogue-history command to delete the historical records.

Example

# Delete all detected historical records of the rogue devices.

<HUAWEI> reset wlan ids rogue-history all

security dot1x

Function

The security dot1x command configures 802.1X authentication and encryption for WPA and WPA2.

The undo security command restores the default security policy.

By default, the security policy is open system.

Format

security { wpa | wpa2 | wpa-wpa2 } dot1x { aes | tkip | aes-tkip }

security wpa-wpa2 dot1x tkip aes

undo security

Parameters

Parameter

Description

Value

wpa

Configures WPA authentication.

-

wpa2

Configures WPA2 authentication.

-

wpa-wpa2

Configures WPA-WPA2 authentication. STAs can be authenticated using WPA or WPA2.

-

aes

Configures AES encryption.

-

tkip

Configures TKIP encryption.

-

aes-tkip

Configures AES-TKIP encryption. After passing the authentication, STAs can use the AES or TKIP algorithm for data encryption.

-

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Application Scenario

WPA/WPA2 authentication includes WPA/WPA2 PSK authentication and 802.1X authentication, also called WPA/WPA2 personal edition and WPA/WPA2 enterprise edition respectively. 802.1X authentication provides higher security and is applicable to enterprise networks.

To authenticate STAs using WPA or WPA2 802.1X authentication, run the security dot1x command. If STAs of multiple types coexist, configure the WPA-WPA2 and AES-TKIP security policy for authentication and data encryption.

The security wpa-wpa2 dot1x tkip aes command indicates that WPA and WPA2 use TKIP and AES for data encryption, respectively.

Precautions

The following STAs do not support the WPA2 802.1x authentication and cannot access the AP. You must configure other security policies for the STAs.
  • Nokia: N8
  • HP: Pre 3

The authentication type in the security profile and authentication profile must both be set to 802.1x authentication. You can run the display wlan config-errors command to check whether error messages are generated for authentication type mismatch between the security profile and authentication profile.

This error message is displayed only when the security profile has already been bound to other profiles.

If 802.1X authentication with TKIP or AES-TKIP encryption for WPA/WPA2 is configured, the function that denies access of non-HT STAs cannot take effect.

The offline management VAP does not support 802.1x authentication and encryption modes. Therefore, if the offline management VAP is enabled for a VAP profile, the VAP profile cannot be bound to a security profile with WPA/WPA2 802.1x authentication and encryption configured. If the VAP profile has been bound to a security profile, the authentication and encryption modes of the security profile cannot be changed to WPA/WPA2 802.1x.

Example

# Configure WPA (802.1x authentication and TKIP encryption).

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa dot1x tkip
Warning:  If the wmm disable command, TKIP, WEP, or radio type of 802.11a/b/g is
 configured, the function of denying access of legacy STAs cannot take effect. 

# Configure WPA2 (802.1x authentication and TKIP encryption).

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa2 dot1x tkip
Warning:  If the wmm disable command, TKIP, WEP, or radio type of 802.11a/b/g is
 configured, the function of denying access of legacy STAs cannot take effect. 
# Configure WPA/WPA2 (802.1x authentication and AES-TKIP encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip
Warning:  If the wmm disable command, TKIP, WEP, or radio type of 802.11a/b/g is
 configured, the function of denying access of legacy STAs cannot take effect. 

security psk

Function

The security psk command configures pre-shared key authentication and encryption for WPA and WPA2.

The undo security command restores the default security policy.

By default, the security policy is open system.

Format

security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value { aes | tkip | aes-tkip }

security wpa-wpa2 psk { pass-phrase | hex } key-value tkip aes

undo security

Parameters

Parameter

Description

Value

wpa

Configures WPA authentication.

-

wpa2

Configures WPA2 authentication.

-

wpa-wpa2

Configures WPA-WPA2 authentication. User terminals can be authenticated using WPA or WPA2.

-

pass-phrase

Specifies the key phrase.

-

hex

Specifies a hexadecimal number.

The password of hex does not have enough complexity, so pass-phrase is recommended.

-

key-value

Specifies a password in cipher text.

The value is of 8 to 63 ASCII characters in plain text, 64 hexadecimal characters in plain text, or 48 or 68 or 88 or 108 characters in cipher text.

A password cannot contain the space and double quotation mark (") at the same time. When the password contains a space, add the double quotation mark (") to the beginning and end of the string when entering the password. For example, if the password is abc123 ABC, enter "abc123 ABC".

NOTE:
To improve security, you are advised to configure a password that contains at least two of the following: digits, lowercase letters, uppercase letters, and special characters.

aes

Configures AES encryption.

-

tkip

Configures TKIP encryption.

-

aes-tkip

Configures AES-TKIP encryption. After passing the authentication, user terminals can use the AES or TKIP algorithm for data encryption.

-

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Application Scenario

WPA/WPA2 authentication includes WPA/WPA2 pre-shared key authentication and 802.1X authentication, also called WPA/WPA2 personal edition and WPA/WPA2 enterprise edition respectively. 802.1X authentication provides higher security and is applicable to enterprise networks.

To authenticate user terminals using WPA or WPA2 pre-shared key authentication, run the security psk command. If user terminals of multiple types coexist, configure the WPA-WPA2 and AES-TKIP security policy for authentication and data encryption.

The security wpa-wpa2 psk { pass-phrase | hex } key-value tkip aes command indicates that WPA and WPA2 use TKIP and AES for data encryption, respectively.

Precautions

If the key is in hexadecimal notation, you can enter hexadecimal characters without entering 0x.

If a security profile is bound to multiple VAP profiles, it will take a few minutes to configure WPA/WPA2 PSK authentication and encryption in the security profile.

The system displays the corresponding message only when the security profile has already been bound to other profiles.

If pre-shared key authentication with TKIP or AES-TKIP encryption for WPA/WPA2 is configured, the function that denies access of non-HT STAs cannot take effect.
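The following Python script is an added example, not part of this command reference or of the device software. It checks a key-value against the constraints listed for the security psk command (length, printable ASCII, the space and double-quotation-mark rule, the two-character-class recommendation), renders the quoted form the CLI expects, and shows how the pass-phrase and hex forms relate: a pass-phrase is expanded with the IEEE 802.11i PBKDF2 mapping (SSID as salt, 4096 iterations) into the 64-hex-character PSK that the hex form supplies directly, so the two forms configure the same PMK. The function names and the sample keys are the example's own.

```python
import hashlib
import re
import string

# Constraints stated for key-value in the security psk command (plain-text forms only).
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63
HEX_LEN = 64
# Character classes named in the complexity recommendation (at least two advised).
CHAR_CLASSES = {
    "digit": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "special": set(string.punctuation),
}


def check_key_value(mode, key):
    """Return a list of problems with a WPA/WPA2 PSK key-value; an empty list means it is accepted.

    mode is "pass-phrase" or "hex", mirroring the command keywords.
    """
    problems = []
    if mode == "pass-phrase":
        if not PASSPHRASE_MIN <= len(key) <= PASSPHRASE_MAX:
            problems.append(f"pass-phrase must be {PASSPHRASE_MIN} to {PASSPHRASE_MAX} characters, got {len(key)}")
        if not all(32 <= ord(c) < 127 for c in key):
            problems.append("pass-phrase must consist of printable ASCII characters")
    elif mode == "hex":
        if len(key) != HEX_LEN or not re.fullmatch(r"[0-9A-Fa-f]+", key):
            problems.append(f"hex key must be exactly {HEX_LEN} hexadecimal characters")
    else:
        problems.append(f"unknown mode {mode!r}")
    # A key containing a space is typed inside double quotation marks,
    # so a key cannot contain both a space and a double quotation mark.
    if " " in key and '"' in key:
        problems.append('key cannot contain both a space and a double quotation mark (")')
    return problems


def complexity_classes(key):
    """Count how many of the four recommended character classes the key uses."""
    return sum(1 for chars in CHAR_CLASSES.values() if any(c in chars for c in key))


def cli_argument(key):
    """Render the key as it must be typed: wrapped in double quotation marks if it contains a space."""
    return f'"{key}"' if " " in key else key


def psk_from_passphrase(passphrase, ssid):
    """Expand a pass-phrase into the 64-hex-character PSK, i.e. the 256-bit PMK.

    IEEE 802.11i defines this as PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations,
    32 bytes). A hex key-value is this value supplied directly, so both forms yield the same PMK.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32).hex()
```

Because the SSID is the salt, the same pass-phrase on two SSIDs yields two different PMKs, whereas a 64-character hex key-value is SSID-independent and must be re-entered as-is when the profile is moved.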

Example

# Configure WPA pre-shared key authentication and the authentication key.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa psk pass-phrase abcdfffffg123 aes

# Configure WPA2 pre-shared key authentication and the authentication key.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa2 psk pass-phrase abcdfffffg123 aes
# Configure WPA-WPA2 pre-shared key authentication and AES-TKIP encryption.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 psk pass-phrase abcdfffffg123 aes-tkip
Warning:  If the wmm disable command, TKIP, WEP, or radio type of 802.11a/b/g is
 configured, the function of denying access of legacy STAs cannot take effect. 

security wapi

Function

The security wapi command configures the WAPI authentication mode.

The undo security command restores the default security policy.

By default, the security policy is open system.

Format

security wapi psk { pass-phrase | hex } key-value

security wapi certificate

undo security

Parameters

Parameter

Description

Value

certificate

Configures WAPI certificate authentication.

-

psk

Configures WAPI pre-shared key authentication.

-

pass-phrase

Specifies the key phrase.

-

hex

Specifies a hexadecimal number.

The password of hex does not have enough complexity, so pass-phrase is recommended.

-

key-value

Specifies a password in cipher text.

In pass-phrase mode, the key is a string of 8 to 64 characters in plain text or 48, 68, 88, or 108 characters in cipher text. In hex mode, the key is a string of 8 to 32 hexadecimal characters (an even number of characters) in plain text, or 48, 68, 88, or 108 characters in cipher text.

A password cannot contain the space and double quotation mark (") at the same time. When the password contains a space, add the double quotation mark (") to the beginning and end of the string when entering the password. For example, if the password is abc123 ABC, enter "abc123 ABC".

NOTE:
To improve security, you are advised to configure a password that contains at least two of the following: digits, lowercase letters, uppercase letters, and special characters.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Application Scenario

WAPI supports two authentication modes: certificate authentication and pre-shared key authentication. When pre-shared key authentication is used, a pre-shared key must be configured.

  • If WAPI authentication is specified as a security policy in a security profile, you can run the wapi authentication-method command to configure the WAPI authentication mode.
  • The wapi authentication-method command determines the WAPI authentication and key management mode. When certificate authentication and key management are configured, authentication involves identity authentication and key negotiation, and the authentication server and certificate need to be configured. When pre-shared key authentication is configured, a pre-shared key needs to be configured, and STAs also need to know the pre-shared key. In this situation, authentication just involves key negotiation.

Precautions

The AP7030DE, AP7050DE and AP9330DN do not support WAPI.

The system displays the corresponding message only when the security profile has already been bound to other profiles.

Example

# Set the WAPI authentication mode to pre-shared key authentication and specify the key.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wapi psk pass-phrase testpassword123

security wep

Function

The security wep command configures the WEP authentication mode.

The undo security command restores the default security policy.

By default, the security policy is open system.

Format

security { open | wep [ share-key ] }

undo security

Parameters

Parameter

Description

Value

open

Sets the WEP authentication mode to open authentication.

-

wep

Enables WEP encryption. Whether shared-key authentication is also used depends on the share-key parameter.

-

share-key

When the WEP authentication mode is set to shared-key authentication:
  • If the parameter is present, WEP uses the configured shared key to authenticate wireless terminals and encrypt service packets.
  • If the parameter is not present, WEP uses the configured shared key only to encrypt the service packets; STAs are authenticated using open authentication.

A shared key is configured on the wireless terminals regardless of whether the parameter is present.

-

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can select a security policy on a WLAN based on the required security level. WEP is a legacy security policy with known weaknesses, so use it only in open scenarios that do not require high security. Run this command to set the WEP authentication mode to open authentication or shared-key authentication.

Table 11-193  Comparing authentication modes

Configuration: security open
Authentication mode: open
Encryption mode: not encrypted
Advantage: Wireless devices can connect to the network without authentication.
Disadvantage: STA identities are not checked, bringing security risks. Service data is not WEP-encrypted.

Configuration: security wep
Authentication mode: open
Encryption mode: WEP encryption
Advantage: Service data is WEP-encrypted.
Disadvantage: STA identities are not checked, bringing security risks.

Configuration: security wep share-key
Authentication mode: shared key authentication
Encryption mode: WEP encryption
Advantage: A shared key is used to enhance security. Service data is WEP-encrypted.
Disadvantage:
  • A long key string must be configured on each device, which does not scale.
  • A static key is used, which is easy to decipher.

Precautions

  • If the security wep [ share-key ] command is executed, you can run the wep key command to configure the pre-shared key. Otherwise, the default pre-shared key is used.
  • If the security open command is executed, you do not need to configure the pre-shared key. The configured pre-shared key will not take effect.
  • Each AP can have at most four key indexes configured. The key indexes used by different VAPs cannot be the same. That is, at most four VAPs can be configured on an AP using the security wep [ share-key ] command.

  • The system displays the corresponding message only when the security profile has already been bound to other profiles.

  • If WEP shared key authentication is configured, the function that denies access of non-HT STAs cannot take effect.

Example

# Create security profile p1 and set the authentication mode to share-key.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wep share-key
Warning:  If the wmm disable command, TKIP, WEP, or radio type of 802.11a/b/g is
 configured, the function of denying access of legacy STAs cannot take effect. 

security-profile (wlan view)

Function

The security-profile command creates a security profile or enters the security profile view.

The undo security-profile command deletes a security profile according to the ID or name.

By default, security profiles default, default-wds, and default-mesh are available in the system.

Format

security-profile name profile-name

undo security-profile { all | name profile-name }

Parameters

Parameter

Description

Value

name profile-name

Specifies the name of a security profile.

The value is a string of 1 to 35 case-insensitive characters. It does not contain question marks (?) or spaces, and cannot start or end with double quotation marks (" ").

all

Deletes all security profiles.

NOTE:
Security profiles default, default-wds, and default-mesh cannot be deleted.

-

Views

WLAN view

Default Level

2: Configuration level

Usage Guidelines

You can run this command to configure access security. A security profile must be configured before you specify an authentication mode in the profile. To delete a security profile, run the undo security-profile command.

When a security profile is created, its default security policy is open system, that is, no authentication and no encryption.

Example

# Configure a security profile named p1.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1]

security-profile (VAP profile view)

Function

The security-profile command binds a security profile to a VAP profile.

The undo security-profile command unbinds a security profile from a VAP profile.

By default, the security profile default is bound to a VAP profile.

Format

security-profile profile-name

undo security-profile

Parameters

Parameter

Description

Value

profile-name

Specifies the name of a security profile.

The security profile must exist.

Views

VAP profile view

Default Level

2: Configuration level

Usage Guidelines

You can use this command to bind a security profile to a VAP profile. The security profile then applies to all users using this VAP profile.

Example

# Create VAP profile ChinaNet and bind security profile security-profile1 to the VAP profile.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name ChinaNet
[HUAWEI-wlan-vap-prof-ChinaNet] security-profile security-profile1

spoof-detect quiet-time

Function

The spoof-detect quiet-time command sets the quiet time for an AP to report the detected spoofing attacks to the AC.

The undo spoof-detect quiet-time command restores the default quiet time for an AP to report the detected spoofing attacks to the AC.

By default, the quiet time is 600 seconds for an AP to report the detected spoofing attacks to the AC.

Format

spoof-detect quiet-time quiet-time-value

undo spoof-detect quiet-time

Parameters

Parameter

Description

Value

quiet-time-value

Specifies the quiet time for an AP to report the detected spoofing attacks to the AC.

The value is an integer that ranges from 60 to 36000, in seconds.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

After attack detection is enabled on an AP, the AP reports alarms upon attack detection. If an attack source launches attacks repeatedly, a large number of repeated alarms are generated. To prevent this situation, configure the quiet time for an AP to report alarms. When detecting attack sources of the same MAC address, the AP does not report alarms in the quiet time. However, if the AP still detects attacks from the attack source after the quiet time expires, the AP reports alarms. You can set the quiet time based on attack types.

To obtain attack information in a timely manner, set the quiet time to a small value. If attack detection is enabled on many APs, and attacks are frequently detected, set the quiet time to a large value to prevent frequent alarm reports.
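The following Python script is an added example that models the suppression behaviour described above; it is not device code. Detections are (timestamp, attack type, source MAC) tuples constructed for the example. The class and function names, and the assumption that a new quiet-time window starts at the last reported detection rather than the last suppressed one, are the example's own.

```python
from dataclasses import dataclass, field


@dataclass
class QuietTimeSuppressor:
    """Alarm throttling as described for spoof-detect quiet-time.

    The first detection of an attack source is reported. Further detections of the same
    source (same attack type and source MAC) within quiet_time seconds are dropped. Once the
    quiet time has expired, the next detection is reported again and starts a new window.
    Assumption (not stated on the page): the window is measured from the last reported
    detection, not from the last suppressed one.
    """
    quiet_time: int = 600                      # default of the command, in seconds
    _last_reported: dict = field(default_factory=dict)

    def observe(self, timestamp, attack_type, source_mac):
        """Return True if this detection should be reported to the AC, False if it is suppressed."""
        key = (attack_type, source_mac.lower())
        last = self._last_reported.get(key)
        if last is not None and timestamp - last < self.quiet_time:
            return False
        self._last_reported[key] = timestamp
        return True


def report_alarms(detections, quiet_time=600):
    """Feed (timestamp, attack_type, source_mac) detections through one suppressor; return those reported."""
    suppressor = QuietTimeSuppressor(quiet_time)
    return [d for d in detections if suppressor.observe(*d)]


# Constructed sample: one spoofing source seen repeatedly, another seen once.
SAMPLE_DETECTIONS = [
    (0, "spoof", "aaaa-bbbb-cccc"),
    (10, "spoof", "aaaa-bbbb-cccc"),
    (20, "spoof", "1111-2222-3333"),
    (299, "spoof", "aaaa-bbbb-cccc"),
    (300, "spoof", "aaaa-bbbb-cccc"),
    (900, "spoof", "aaaa-bbbb-cccc"),
]
```

Running the same sample through report_alarms with quiet times of 300 and 600 seconds shows the trade-off stated above: the shorter window reports the persistent source at 0, 300 and 900 seconds, the longer one only at 0 and 900.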

Example

# Set the quiet time to 300 seconds for an AP to report the detected spoofing attacks to the AC.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable spoof
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name huawei
[HUAWEI-wlan-wids-prof-huawei] spoof-detect quiet-time 300

spoof-ssid

Function

The spoof-ssid command configures a fuzzy matching rule for spoofing SSIDs.

The undo spoof-ssid command deletes a fuzzy matching rule for spoofing SSIDs.

By default, no fuzzy matching rule is configured for spoofing SSIDs.

Format

spoof-ssid fuzzy-match regex regex-value

undo spoof-ssid { fuzzy-match regex regex-value | all }

Parameters

Parameter

Description

Value

fuzzy-match

Configures a fuzzy matching rule to identify spoofing SSIDs.

-

regex regex-value

Specifies the regular expression for an SSID. If an SSID matches the regular expression, the SSID is considered a spoofing SSID.

The value is in text format and can contain 1 to 48 case-sensitive characters. It supports Chinese characters or mixture of Chinese and English characters.

NOTE:

You can only use a command editor of the UTF-8 encoding format to edit Chinese characters.

all

Deletes all fuzzy matching rules.

-

Views

WIDS spoof SSID profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

WLAN services are available in public places, such as banks and airports. Users can connect to the WLANs after associating with corresponding SSIDs. If a rogue AP is deployed and provides spoofing SSIDs similar to authorized SSIDs, the users may be misled and connect to the rogue AP, which brings security risks. To address this problem, configure a fuzzy matching rule to identify spoofing SSIDs. The device compares a detected SSID with the matching rule. If the SSID matches the rule, the SSID is considered a spoofing SSID. The AP using the spoofing SSID is a rogue AP. After rogue AP containment is configured, the device contains the rogue AP and disconnects users from the spoofing SSID.

Precautions

To make fuzzy matching rules for spoofing SSIDs take effect, enable device detection and rogue device containment so that the device can take countermeasures against rogue APs.

Example

# Configure a fuzzy matching rule using the regular expression ^HUAWE[1l]$ to identify the spoofing SSIDs HUAWE1 and HUAWEl, which resemble HUAWEI.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] wids-spoof-profile name huawei 
[HUAWEI-wlan-wids-spoof-huawei] spoof-ssid fuzzy-match regex ^HUAWE[1l]$
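As an added example (not part of this reference or the device software), the following Python script derives spoof-ssid rules from an authorized SSID and checks them against detected SSIDs the way the usage scenario describes. It goes one step beyond the hand-written class in the example above: it generates one rule per substitutable character, so that together the rules match any same-length look-alike with at least one substituted character while never matching the authorized SSID itself. The look-alike table, the function names and the sample SSIDs are the example's own; the 48-character limit comes from the regex-value description above.

```python
import re

# Look-alike substitutions a spoofer commonly uses (constructed list; extend it for your own SSIDs).
CONFUSABLES = {
    "I": "l1|", "l": "I1|", "1": "lI|",
    "O": "0", "0": "O", "o": "0",
    "S": "5$", "5": "S", "A": "4@", "E": "3", "B": "8",
}
MAX_REGEX_LEN = 48   # length limit of regex-value stated for the spoof-ssid command


def _bracket(chars):
    """Render a set of characters as a single literal or a bracket expression, escaping metacharacters."""
    chars = "".join(dict.fromkeys(chars))          # de-duplicate, keep order
    if len(chars) == 1:
        return re.escape(chars)
    body = "".join("\\" + c if c in "\\]^-" else c for c in chars)
    return "[" + body + "]"


def spoof_regexes(authorized_ssid):
    """Derive fuzzy-match rules for spoof-ssid from an authorized SSID.

    One rule is produced per character that has look-alikes: that position must be a look-alike,
    every other position may be the original character or one of its look-alikes. Together the
    rules match any same-length string with at least one substitution and never match the
    authorized SSID itself. Only anchors, bracket expressions and literal characters are used,
    the same constructs as the page's own example ^HUAWE[1l]$.
    """
    rules = []
    for i, ch in enumerate(authorized_ssid):
        subs = CONFUSABLES.get(ch, "")
        if not subs:
            continue                                   # this character cannot be the substituted one
        parts = []
        for j, other in enumerate(authorized_ssid):
            if j == i:
                parts.append(_bracket(subs))                                  # must differ here
            else:
                parts.append(_bracket(other + CONFUSABLES.get(other, "")))    # may differ here
        rules.append("^" + "".join(parts) + "$")
    return rules


def oversized_rules(rules):
    """Return the rules longer than regex-value allows; these must be split or simplified by hand."""
    return [r for r in rules if len(r) > MAX_REGEX_LEN]


def classify(authorized_ssid, detected_ssids):
    """Apply the rules to detected SSIDs as the AP would; returns {ssid: True if flagged as spoofing}."""
    compiled = [re.compile(r) for r in spoof_regexes(authorized_ssid)]
    return {s: any(rule.match(s) for rule in compiled) for s in detected_ssids}
```

Each returned rule is entered with its own spoof-ssid fuzzy-match regex command in the WIDS spoof SSID profile. The page does not document which regular-expression dialect the device accepts, so the generator deliberately avoids lookaheads and other extensions and sticks to the constructs the page's own example uses.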

sta-access-mode

Function

The sta-access-mode command binds STA blacklist and STA whitelist profiles to VAP profiles or AP system profiles.

The undo sta-access-mode command unbinds STA blacklist and STA whitelist profiles from VAP profiles or AP system profiles.

By default, no STA blacklist or whitelist profile is bound to a VAP profile or an AP system profile.

Format

sta-access-mode { blacklist | whitelist } profile-name

undo sta-access-mode

Parameters

Parameter

Description

Value

blacklist

Specifies a STA blacklist profile.

-

whitelist

Specifies a STA whitelist profile.

-

profile-name

Specifies the name of the STA blacklist or whitelist profile.

The STA blacklist or whitelist profile must exist.

Views

VAP profile view, AP system profile view

Default Level

2: Configuration level

Usage Guidelines

STA blacklists and whitelists configured by using the sta-mac command take effect only after the STA blacklist and whitelist profiles are bound to VAP profiles or AP system profiles using the sta-access-mode command.

When STA blacklist and whitelist profiles are bound to different profiles, the effective scope of the STA blacklists and whitelists differs.
  • VAP profile: The STA blacklist and whitelist take effect on the corresponding VAP.
  • AP system profile: The STA blacklist and whitelist take effect on the corresponding AP.
  • VAP profile and AP system profile: A STA can go online only if it meets the access requirements of both profiles.

Example

# Bind the STA blacklist profile sta-blacklist-profile1 to the VAP profile vap-profile1.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name vap-profile1
[HUAWEI-wlan-vap-prof-vap-profile1] sta-access-mode blacklist sta-blacklist-profile1

sta-blacklist-profile

Function

The sta-blacklist-profile command creates a STA blacklist profile or enters the STA blacklist profile view.

The undo sta-blacklist-profile command deletes one or multiple STA blacklist profiles.

By default, no STA blacklist profile is created.

Format

sta-blacklist-profile name profile-name

undo sta-blacklist-profile { name profile-name | all }

Parameters

Parameter

Description

Value

name profile-name

Specifies the name of a STA blacklist profile.

The value is a string of 1 to 35 case-insensitive characters. It does not contain question marks (?) or spaces, and cannot start or end with double quotation marks (" ").

all

Deletes all STA blacklist profiles.

-

Views

WLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the MAC address of a STA is in the blacklist, the STA cannot go online. If the STA blacklist profile is not referenced or the MAC address of a STA is not in the blacklist, the STA is allowed to go online.

The configured blacklist takes effect only after the STA blacklist profile is bound to a VAP profile or an AP system profile using the sta-access-mode command.

If a STA is added to the blacklist, the system automatically disconnects the STA.

Precautions

If STA blacklist profiles are bound to both a VAP profile and an AP system profile, a STA cannot go online when its MAC address is in either of the STA blacklist profiles.

Example

# Create the STA blacklist profile sta-blacklist-profile1.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] sta-blacklist-profile name sta-blacklist-profile1
[HUAWEI-wlan-blacklist-prof-sta-blacklist-profile1] 

sta-mac

Function

The sta-mac command adds the MAC address of a STA to the blacklist or whitelist.

The undo sta-mac command deletes a specified MAC address or all MAC addresses from the blacklist or whitelist.

By default, the MAC address of a STA is not added to the blacklist or whitelist.

Format

sta-mac mac-address [ description description ]

undo sta-mac { mac-address | all }

Parameters

Parameter

Description

Value

mac-address

Adds a MAC address to the blacklist or whitelist.

The value is in H-H-H format, where each H is 4 hexadecimal digits.

description

Adds MAC address description to a blacklist or whitelist.

The value is a string of 1 to 80 case-insensitive characters that can include Chinese or Chinese+English characters.

NOTE:

You can only use a command editor of the UTF-8 encoding format to edit Chinese characters.

all

Deletes all MAC addresses from the blacklist or whitelist.

-

Views

Blacklist profile view, whitelist profile view

Default Level

2: Configuration level

Usage Guidelines

If the blacklist function is enabled, all STAs in the blacklist cannot connect to the WLAN.

If the whitelist function is enabled, only STAs in the whitelist can connect to the WLAN.

MAC addresses and OUIs share the capacity of a STA whitelist: a maximum of 3276 MAC addresses or OUIs in total can be added to a STA whitelist.

You can configure a maximum of 3276 STA MAC addresses in a STA blacklist profile.

If a STA is added to the blacklist, the system automatically disconnects the STA.
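The following Python script is an added example (not device code) that models the admission rules stated for sta-access-mode and sta-mac: a blacklist rejects listed MAC addresses, a whitelist admits only listed MAC addresses or OUIs, the 3276-entry capacity of a whitelist is shared between MAC addresses and OUIs, and when profiles are bound in both the VAP profile and the AP system profile a STA must pass both. The class and function names and the sample addresses are the example's own.

```python
from dataclasses import dataclass, field

HEX = "0123456789abcdef"


def _hex_digits(text):
    """Strip separators from H-H-H (2C27-D720-746B), colon or plain notation; return lowercase hex digits."""
    return "".join(c for c in text.lower() if c in HEX)


def normalize_mac(mac):
    digits = _hex_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class AccessList:
    """A STA blacklist or whitelist profile as populated with sta-mac.

    Entries are MAC addresses; a whitelist may also hold OUIs (first 6 hex digits), which
    share its capacity. The default capacity is the 3276-entry limit stated on the page.
    """
    mode: str                                   # "blacklist" or "whitelist"
    entries: set = field(default_factory=set)
    capacity: int = 3276

    def add(self, entry):
        digits = _hex_digits(entry)
        if len(digits) == 12 or (len(digits) == 6 and self.mode == "whitelist"):
            if digits not in self.entries and len(self.entries) >= self.capacity:
                raise ValueError(f"{self.mode} profile is full ({self.capacity} entries)")
            self.entries.add(digits)
        else:
            raise ValueError(f"invalid {self.mode} entry: {entry!r}")

    def listed(self, mac):
        """True if the MAC itself or (on a whitelist) its OUI is an entry."""
        mac = normalize_mac(mac)
        return mac in self.entries or mac[:6] in self.entries

    def permits(self, mac):
        """Blacklist: permit unless listed. Whitelist: permit only if listed."""
        return not self.listed(mac) if self.mode == "blacklist" else self.listed(mac)


def sta_may_go_online(mac, vap_list=None, ap_list=None):
    """Admission decision for one STA.

    vap_list is the profile bound in the VAP profile, ap_list the one bound in the AP system
    profile (None when nothing is bound). An unbound scope imposes nothing; when both are bound
    the STA must satisfy both, as the sta-access-mode guidelines state.
    """
    return all(lst is None or lst.permits(mac) for lst in (vap_list, ap_list))
```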

Example

# Add MAC address 2C27-D720-746B of a STA to the STA blacklist profile sta-blacklist-profile1.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] sta-blacklist-profile name sta-blacklist-profile1
[HUAWEI-wlan-blacklist-prof-sta-blacklist-profile1] sta-mac 2C27-D720-746B

sta-whitelist-profile

Function

The sta-whitelist-profile command creates a STA whitelist profile for VAPs or enters the STA whitelist profile view.

The undo sta-whitelist-profile command deletes a specified STA whitelist profile or all STA whitelist profiles for VAPs.

By default, no STA whitelist profile is created.

Format

sta-whitelist-profile name profile-name

undo sta-whitelist-profile { name profile-name | all }

Parameters

Parameter

Description

Value

name profile-name

Specifies the name of a STA whitelist profile.

The value is a string of 1 to 35 case-insensitive characters. It does not contain question marks (?) or spaces, and cannot start or end with double quotation marks (" ").

all

Deletes all STA whitelist profiles.

-

Views

WLAN view

Default Level

2: Configuration level

Usage Guidelines

The configured whitelist takes effect only after the STA whitelist profile is bound to a VAP profile or an AP system profile using the sta-access-mode command.

If the configured whitelist takes effect, only STAs in the whitelist can access the WLAN.

Example

# Create the STA whitelist profile sta-whitelist-profile1.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] sta-whitelist-profile name sta-whitelist-profile1
[HUAWEI-wlan-whitelist-prof-sta-whitelist-profile1] 

wapi asu

Function

The wapi asu command specifies an IP address for an authentication server unit (ASU) server.

The undo wapi asu command deletes the IP address of the ASU server.

By default, no IP address is specified for the ASU server.

Format

wapi asu ip ip-address

undo wapi asu ip

Parameters

Parameter

Description

Value

ip-address

Specifies an IP address for the ASU server.

The value is in dotted decimal notation.

Views

Security profile view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If WAPI certificate authentication is configured, an AC sends WAPI authentication packets to the ASU server at the specified IP address.

Prerequisites

If WAPI certificate authentication is specified as a security policy in a security profile, run the wapi asu command to specify an IP address for the ASU server.

Precautions

The wapi asu command determines to which ASU server WAPI packets are sent. Ensure that both the ASU certificate and the ASU server address are correct; otherwise, user authentication fails.

The system displays the corresponding message only when the security profile has already been bound to other profiles.

Example

# Specify IP address 10.164.10.10 for the ASU server.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wapi asu ip 10.164.10.10

wapi bk

Function

The wapi bk command sets the interval for updating a BK and the BK lifetime percentage.

The undo wapi bk command restores the default interval for updating a BK and the BK lifetime percentage.

By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.

Format

wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }

undo wapi { bk-threshold | bk-update-interval }

Parameters

Parameter

Description

Value

bk-threshold bk-threshold

Specifies the BK lifetime percentage.

The value is an integer that ranges from 1 to 100.

bk-update-interval bk-update-interval

Specifies the interval for updating a BK.

The value is an integer that ranges from 600 to 604800, in seconds.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Set the BK update interval to limit how long a single BK remains in use.

The value obtained by multiplying the interval for updating a BK by the BK lifetime percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is less than 300s, the BK may be updated before negotiation is complete due to low STA performance. In this case, some STAs may be forced offline or cannot go online.

Example

# Set the interval for updating a BK to 10000s and the BK lifetime percentage to 80%.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wapi bk-update-interval 10000
Warning: If the product of bk-update-interval and bk-threshold is smaller than 300s, users may be forced offline. Continue? [Y/N]:y
[HUAWEI-wlan-sec-prof-p1] wapi bk-threshold 80

wapi cert-retrans-count

Function

The wapi cert-retrans-count command sets the number of retransmissions of certificate authentication packets.

The undo wapi cert-retrans-count command restores the default number of retransmissions of certificate authentication packets.

By default, the number of retransmissions is 3.

Format

wapi cert-retrans-count cert-count

undo wapi cert-retrans-count

Parameters

Parameter

Description

Value

cert-count

Specifies the number of retransmissions of certificate authentication packets.

The value is an integer that ranges from 1 to 10.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

If WAPI authentication is specified as a security policy, run the wapi cert-retrans-count command to set the number of retransmissions of certificate authentication packets.

Example

# Set the number of retransmissions of certificate authentication packets to 5.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wapi cert-retrans-count 5

wapi import certificate

Function

The wapi import certificate command imports the AC certificate file, certificate of the AC certificate issuer, and ASU certificate file.

The undo wapi certificate command deletes the imported AC certificate file, certificate of the AC certificate issuer, or ASU certificate file.

By default, the AC certificate file, certificate of the AC certificate issuer, and ASU certificate file are not imported.

Format

wapi import certificate { ac | asu | issuer } format pkcs12 file-name file-name password password

wapi import certificate { ac | asu | issuer } format pem file-name file-name

undo wapi certificate { ac | asu | issuer }

Parameters

Parameter

Description

Value

ac

Specifies the AC certificate.

-

asu

Specifies the ASU certificate.

-

issuer

Specifies the certificate of the AC certificate issuer.

-

format pkcs12

Imports a certificate in P12 format.

-

format pem

Imports a certificate in PEM format.

-

file-name file-name

Specifies the name of a certificate file. The complete path of the certificate file must be specified.

The value is a string of 1 to 255 characters. It cannot contain question marks (?) and cannot start or end with double quotation marks (" ") or spaces.

password password

Specifies the key of the P12 certificate.

The password can be in plain text or cipher text.
  • A plain text password is a string of 1 to 32 characters.
  • A cipher text password is a string of 48 or 68 characters.

Views

Security profile view

Default Level

3: Management level

Usage Guidelines

  • If WAPI certificate authentication is specified as a security policy in a security profile, run the wapi import certificate command to specify the AC certificate, certificate of the AC certificate issuer, and ASU certificate. STAs will fail to be authenticated if you do not run this command. The issuer certificate is used to verify that the AC certificate has not been modified.
  • Before using this command, store the AC certificate and ASU certificate to the storage of the device, and import the certificates and private key using TFTP. Certificates must be X509 V3 certificates and comply with the WAPI standard. Otherwise, certificates cannot be imported.
  • After this command is run:
    • When an issuer certificate is configured, the system checks correctness of the AC certificate.
    • If the authentication system uses only two certificates, the issuer certificate and ASU certificate have the same certificate file name and are the same certificate. If the authentication system uses three certificates, the issuer certificate and ASU certificate are different from each other and both must be imported.
NOTE:
  • The ASU certificate and issuer certificate must be imported.
  • Certificates to be imported must be valid and correct.
  • If a certificate with the same name but different contents has already been imported by another security profile, delete the earlier certificate first.

Example

# Import the AC certificate.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wapi import certificate ac format pem file-name flash:/local_ac.cer

wapi import private-key

Function

The wapi import private-key command imports the AC private key file.

The undo wapi private-key command deletes the imported AC private key file.

By default, no AC private key file is imported.

Format

wapi import private-key format pkcs12 file-name file-name password password

wapi import private-key format pem file-name file-name

undo wapi private-key

Parameters

Parameter

Description

Value

format pkcs12

Imports a private key file in P12 format.

-

format pem

Imports a private key file in PEM format.

-

file-name file-name

Specifies the name of a private key file.

The value is a string of 1 to 255 characters. It cannot contain question marks (?) and cannot start or end with double quotation marks (" ") or spaces.

password password

Specifies the password in the private key file of the P12 format.

The password can be in plain text or cipher text.
  • A plain text password is a string of 1 to 32 characters.
  • A cipher text password is a string of 48 or 68 characters.

Views

Security profile view

Default Level

3: Management level

Usage Guidelines

  • If WAPI certificate authentication is specified as a security policy in a security profile, run the wapi import private-key command to specify the private key file for the AC certificate.
  • Before using this command, store the AC private key file to the storage of the device, and import the private key file using TFTP.
  • After this command is used, the system obtains the private key file and establishes the mapping between the certificate and private key.
NOTE:

The certificate and private key to be imported must be valid and correct.

Example

# Import the AC private key file ac_key.key.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wapi import private-key format pem file-name flash:/ac_key.key

wapi key-update

Function

The wapi key-update command sets the USK and MSK update mode.

The undo wapi key-update command restores the default USK and MSK update mode.

By default, USKs and MSKs are updated based on time.

Format

wapi { usk | msk } key-update { disable | time-based }

undo wapi { usk | msk } key-update

Parameters

Parameter

Description

Value

usk

Indicates USK update.

-

msk

Indicates MSK update.

-

disable

Disables key update.

-

time-based

Indicates time-based update.

You can run the wapi msk and wapi usk commands to respectively set the intervals for updating an MSK and a USK.

-

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

  • To ensure network security, update keys in a timely manner. There are several key update modes.
  • The wapi key-update command sets the USK and MSK update mode. If the interval for updating an MSK or a USK is too long, key security cannot be ensured.
  • If disable is specified, keys will not be updated.

Example

# Set the USK update mode to time-based update.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wapi usk key-update time-based

wapi msk

Function

The wapi msk command sets the interval for updating an MSK, and number of retransmissions of MSK negotiation packets.

The undo wapi msk command restores the default interval for updating an MSK, and number of retransmissions of MSK negotiation packets.

By default, the interval for updating an MSK is 86400s; the number of retransmissions of MSK negotiation packets is 3.

Format

wapi { msk-update-interval msk-interval | msk-retrans-count msk-count }

undo wapi { msk-update-interval | msk-retrans-count }

Parameters

Parameter

Description

Value

msk-update-interval msk-interval

Specifies the interval for updating an MSK. When the MSK update mode is set to time-based update using the wapi key-update command, the interval for updating an MSK needs to be set.

The value is an integer that ranges from 600 to 604800, in seconds.

msk-retrans-count msk-count

Specifies the number of retransmissions of MSK negotiation packets.

The value is an integer that ranges from 1 to 10.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the USK and MSK have a lifetime. The USK or MSK needs to be updated when its lifetime ends.

Example

# Set the interval for updating an MSK to 10000s, and number of retransmissions of MSK negotiation packets to 5.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wapi msk key-update time-based
[HUAWEI-wlan-sec-prof-p1] wapi msk-update-interval 10000
[HUAWEI-wlan-sec-prof-p1] wapi msk-retrans-count 5

wapi sa-timeout

Function

The wapi sa-timeout command sets the timeout period of a security association (SA) of key encryption.

The undo wapi sa-timeout command restores the default timeout period of a SA for key encryption.

By default, the timeout period for a SA is 60s.

Format

wapi sa-timeout sa-time

undo wapi sa-timeout

Parameters

Parameter

Description

Value

sa-time

Specifies the timeout period of an SA.

The value is an integer that ranges from 1 to 255, in seconds.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

You can prolong the WAPI timeout period to increase the authentication success ratio.

Example

# Set the timeout period of an SA to 100s.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wapi sa-timeout 100

wapi source interface

Function

The wapi source interface command configures a source interface for an AC to communicate with an ASU server.

The undo wapi source interface command cancels the source interface for an AC to communicate with an ASU server.

By default, no source interface is configured for an AC to communicate with an ASU server.

Format

wapi source interface { vlanif vlan-id | loopback loopback-number }

undo wapi source interface

Parameters

Parameter

Description

Value

vlanif vlan-id

Configures a VLANIF interface as the source interface.

The value is an integer that ranges from 1 to 4094.

loopback loopback-number

Configures a loopback interface as the source interface.

The value is an integer that ranges from 0 to 1023.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In WLAN applications, to use WAPI authentication and enable socket communication between an AC and an ASU server, the AC needs a WAPI source IP address from which all packets are sent to the ASU server.

Prerequisites

An IP address has been assigned to the specified loopback or VLANIF interface.

Precautions

The IP address of the WAPI source interface on the AC must be on the same network segment as the IP address of the ASU server. If no WAPI source interface is configured, the IP address of the AC source interface is used by default as the source IP address for sending WAPI packets to the ASU server.

Example

# Configure a VLANIF interface as the source interface for the AC to communicate with the ASU server.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 192.168.10.1 24
[HUAWEI-Vlanif100] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wapi source interface Vlanif 100

wapi usk

Function

The wapi usk command sets the interval for updating a USK, and number of retransmissions of USK negotiation packets.

The undo wapi usk command restores the default interval for updating a USK, and number of retransmissions of USK negotiation packets.

By default, the interval for updating a USK is 86400s; the number of retransmissions of USK negotiation packets is 3.

Format

wapi { usk-update-interval usk-interval | usk-retrans-count usk-count }

undo wapi { usk-update-interval | usk-retrans-count }

Parameters

Parameter

Description

Value

usk-update-interval usk-interval

Specifies the interval for updating a USK. When the USK update mode is set to time-based update using the wapi key-update command, the interval for updating a USK needs to be set.

The value is an integer that ranges from 600 to 604800, in seconds.

usk-retrans-count usk-count

Specifies the number of retransmissions of USK negotiation packets.

The value is an integer that ranges from 1 to 10.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the USK and MSK have a lifetime. The USK or MSK needs to be updated when its lifetime ends.

Example

# Set the interval for updating a USK to 10000s, and number of retransmissions of USK negotiation packets to 5.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wapi usk key-update time-based
[HUAWEI-wlan-sec-prof-p1] wapi usk-update-interval 10000
[HUAWEI-wlan-sec-prof-p1] wapi usk-retrans-count 5

weak-iv-detect quiet-time

Function

The weak-iv-detect quiet-time command sets the quiet time for an AP to report the detected weak IV attacks to the AC.

The undo weak-iv-detect quiet-time command restores the default quiet time for an AP to report the detected weak IV attacks to the AC.

By default, the quiet time is 600 seconds for an AP to report the detected weak IV attacks to the AC.

Format

weak-iv-detect quiet-time quiet-time-value

undo weak-iv-detect quiet-time

Parameters

Parameter

Description

Value

quiet-time-value

Specifies the quiet time for an AP to report the detected weak IV attacks to the AC.

The value is an integer that ranges from 60 to 36000, in seconds.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

After attack detection is enabled on an AP, the AP reports alarms upon attack detection. If an attack source launches attacks repeatedly, a large number of repeated alarms are generated. To prevent this situation, configure the quiet time for an AP to report alarms. When detecting attack sources of the same MAC address, the AP does not report alarms in the quiet time. However, if the AP still detects attacks from the attack source after the quiet time expires, the AP reports alarms. You can set the quiet time based on attack types.

To obtain attack information in a timely manner, set the quiet time to a small value. If attack detection is enabled on many APs, and attacks are frequently detected, set the quiet time to a large value to prevent frequent alarm reports.
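The per-source alarm suppression described above, modelled as an added Python example (not Huawei code): constructed weak IV detection events are replayed through a quiet-time window, assuming the window is measured from the last alarm reported for that MAC address.

```python
from dataclasses import dataclass, field

# Default quiet time for weak-iv-detect quiet-time on this page: 600 seconds.
DEFAULT_QUIET_TIME = 600


@dataclass
class QuietTimeReporter:
    """Models the suppression rule: after an alarm is reported for a source
    MAC address, further detections from that MAC are not reported until
    quiet_time seconds have elapsed; a detection after expiry is reported
    again. The quiet window is assumed to start at the last reported alarm."""
    quiet_time: int = DEFAULT_QUIET_TIME
    # source MAC -> timestamp of the last alarm reported for it
    _last_report: dict = field(default_factory=dict)

    def on_detection(self, mac: str, ts: float) -> bool:
        """Return True if this detection results in an alarm sent to the AC."""
        last = self._last_report.get(mac)
        if last is not None and ts - last < self.quiet_time:
            return False  # same source inside its quiet window: suppressed
        self._last_report[mac] = ts
        return True


def replay(events, quiet_time):
    """Feed (timestamp, source_mac) detections through a reporter and return
    only the detections that would be reported as alarms."""
    reporter = QuietTimeReporter(quiet_time)
    return [(ts, mac) for ts, mac in events if reporter.on_detection(mac, ts)]


# Constructed sample detections (seconds, attacker MAC), not captured from a
# real AP. The comments describe the outcome for a quiet time of 300 s, the
# value used in the page's configuration example.
SAMPLE_EVENTS = [
    (0, "00:11:22:33:44:55"),
    (30, "00:11:22:33:44:55"),   # repeat within quiet time: suppressed
    (45, "66:77:88:99:aa:bb"),   # different MAC: reported, own window
    (299, "00:11:22:33:44:55"),  # still inside the 300 s window: suppressed
    (300, "00:11:22:33:44:55"),  # quiet time expired: reported again
    (320, "66:77:88:99:aa:bb"),  # 45 s + 300 s > 320 s: suppressed
    (700, "66:77:88:99:aa:bb"),  # window expired: reported
]

if __name__ == "__main__":
    for quiet in (300, DEFAULT_QUIET_TIME):
        reported = replay(SAMPLE_EVENTS, quiet)
        print(f"quiet-time {quiet}s: {len(reported)} of {len(SAMPLE_EVENTS)} "
              f"detections reported")
        for ts, mac in reported:
            print(f"  t={ts:>4}s alarm from {mac}")
```

Running it with 300 s and then the 600 s default shows the trade-off stated above: the larger value reports fewer alarms for the same detections.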

Example

# Set the quiet time to 300 seconds for an AP to report the detected weak IV attacks to the AC.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable weak-iv
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name huawei
[HUAWEI-wlan-wids-prof-huawei] weak-iv-detect quiet-time 300

wep default-key

Function

The wep default-key command sets the default key ID for WEP authentication or encryption.

The undo wep default-key command restores the default key ID for WEP authentication or encryption.

By default, key 0 is used for WEP authentication or encryption.

Format

wep default-key key-id

undo wep default-key

Parameters

Parameter

Description

Value

key-id

Specifies the default key ID.

The key ID must exist.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

  • A maximum of four WEP keys can be configured, and only one WEP key is used for authentication and encryption. This command specifies which key to use.
  • After a key ID is specified, the specified key is used for authentication or encryption.
  • Each AP can have at most four key indexes configured. The key indexes used by different VAPs cannot be the same. That is, at most four VAPs can be configured on an AP using the security wep [ share-key ] command.
  • The system displays the message only when the security profile has been bound to the other profiles.

Example

# Set the default key ID to 1.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wep default-key 1

wep key

Function

The wep key command sets a WEP key.

The undo wep key command deletes the specified key.

By default, WEP-40 is used, and the key is Admin.

Format

wep key key-id { wep-40 | wep-104 | wep-128 } { pass-phrase | hex } key-value

undo wep key key-id

Parameters

Parameter

Description

Value

key-id

Specifies the key ID.

The value is an integer that ranges from 0 to 3.

wep-40

Configures WEP-40 authentication.

-

wep-104

Configures WEP-104 authentication.

-

wep-128

Configures WEP-128 authentication.

-

pass-phrase

Specifies the key phrase.

-

hex

Specifies a hexadecimal number.

-

key-value

Specifies the key value.

The password can be in plain text or cipher text.
  • A plain text password is a string of case-sensitive characters.
    • If WEP-40 is used, the WEP key is 10 hexadecimal characters or 5 ASCII characters.
    • If WEP-104 is used, the WEP key is 26 hexadecimal characters or 13 ASCII characters.
    • If WEP-128 is used, the WEP key is 32 hexadecimal characters or 16 ASCII characters.
  • A cipher text password is a string of 48 or 68 characters.

A password cannot contain the space and double quotation mark (") at the same time. When the password contains a space, add the double quotation mark (") to the beginning and end of the string when entering the password. For example, if the password is abc123 ABC, enter "abc123 ABC".

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Application Scenario

To connect to a WLAN device in WEP shared-key authentication mode, run the wep key command to set a WEP key.

NOTE:

If the key is in hexadecimal notation, you can enter hexadecimal characters without entering 0x.

Precautions

The system displays the message only when the security profile has been bound to the other profiles.

Example

# Configure a WEP key and its ID.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] wep key 1 wep-128 hex 12345678123456781234567812345678
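The key-value rules from the parameter table above (length per WEP variant for hex and ASCII keys, the 48/68-character cipher-text form, and the quoting rule for keys containing spaces), written as an added Python validator; this is example code, not the device's own parser, and it assumes hex keys are entered without a 0x prefix.

```python
import re

# Plain-text key lengths (hex characters, ASCII characters) per WEP variant,
# taken from the wep key parameter table on this page.
WEP_KEY_LENGTHS = {
    "wep-40": (10, 5),
    "wep-104": (26, 13),
    "wep-128": (32, 16),
}
# A key value of one of these lengths is the device's cipher-text form.
CIPHER_TEXT_LENGTHS = (48, 68)


def unquote_key(raw: str) -> str:
    """Apply the quoting rule for key-value: a value containing a space must be
    entered inside double quotation marks, and a value cannot contain both a
    space and a double quotation mark. Returns the key without the quotes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        key = raw[1:-1]
    elif " " in raw:
        raise ValueError('a key containing spaces must be entered as "..."')
    else:
        key = raw
    if " " in key and '"' in key:
        raise ValueError("a key cannot contain both a space and a double quote")
    if not key:
        raise ValueError("empty key")
    return key


def check_wep_key(variant: str, form: str, raw_value: str) -> str:
    """Validate the value of `wep key key-id <variant> { pass-phrase | hex }
    key-value`. Returns "plain" or "cipher" to say how the value was accepted,
    or raises ValueError with the reason the device would reject it."""
    if variant not in WEP_KEY_LENGTHS:
        raise ValueError(f"unknown WEP variant {variant!r}")
    if form not in ("pass-phrase", "hex"):
        raise ValueError(f"unknown key form {form!r}")
    key = unquote_key(raw_value)
    hex_len, ascii_len = WEP_KEY_LENGTHS[variant]
    if form == "hex":
        # hexadecimal keys are entered as bare hex digits (no 0x)
        if re.fullmatch(r"[0-9A-Fa-f]+", key) and len(key) == hex_len:
            return "plain"
    elif len(key) == ascii_len:
        return "plain"
    if len(key) in CIPHER_TEXT_LENGTHS:
        return "cipher"
    want = hex_len if form == "hex" else ascii_len
    raise ValueError(f"{variant} {form} key must be {want} characters "
                     f"(or a 48/68-character cipher text), got {len(key)}")


def is_valid_wep_key(variant: str, form: str, raw_value: str) -> bool:
    """Boolean wrapper around check_wep_key for quick pre-deployment linting."""
    try:
        check_wep_key(variant, form, raw_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The page's own example: wep key 1 wep-128 hex 1234...5678 (32 hex digits)
    print(check_wep_key("wep-128", "hex", "12345678123456781234567812345678"))
    # The page's quoting example, padded to a 13-character WEP-104 pass-phrase
    print(check_wep_key("wep-104", "pass-phrase", '"abc123 ABC  X"'))
```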

wids attack detect enable

Function

(AP group radio view) The wids attack detect enable command enables attack detection on all specified radios in an AP group.

(AP group radio view) The undo wids attack detect enable command disables attack detection on all specified radios in an AP group.

(AP radio view) The wids attack detect enable command enables attack detection on an AP radio.

(AP radio view) The undo wids attack detect enable command cancels the configuration of the attack detection function on an AP radio. The status of this function on the AP radio is then determined by the status of this function in the AP group radio view.

By default, attack detection is disabled on AP radios.

Format

wids attack detect enable { all | flood | weak-iv | spoof | wpa-psk | wpa2-psk | wapi-psk | wep-share-key }

undo wids attack detect enable { all | flood | weak-iv | spoof | wpa-psk | wpa2-psk | wapi-psk | wep-share-key }

Parameters

Parameter

Description

Value

all

Enables all attack detection functions.

-

flood

Enables flood attack detection.

-

weak-iv

Enables weak IV attack detection.

-

spoof

Enables spoofing attack detection.

-

wpa-psk

Enables brute force attack detection for WPA-PSK authentication.

-

wpa2-psk

Enables brute force attack detection for WPA2-PSK authentication.

-

wapi-psk

Enables brute force attack detection for WAPI-PSK authentication.

-

wep-share-key

Enables brute force attack detection for shared key authentication.

-

Views

AP group radio view, AP radio view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To monitor and prevent malicious or unintentional attacks on WLANs in real time, network administrators can enable the following attack detection functions based on actual requirements:
  • flood: indicates flood attack detection used to detect whether an AP receives a large number of packets of the same type in a short period.
  • weak-iv: indicates weak IV attack detection used to detect whether weak IV is used for WEP encryption on a WLAN.
  • spoof: indicates spoofing attack detection used to detect whether a potential attacker pretends to be an AP to broadcast Deauthentication and Disassociation packets.
  • wpa-psk, wpa2-psk, wapi-psk, wep-share-key: indicate brute force attack detection. If the WPA-PSK, WPA2-PSK, WAPI-PSK, or WEP-SK security policy is configured on a WLAN, brute force attack detection can be enabled to increase the time required for password cracking and improve password security.

Precautions

The configuration in the AP radio view has a higher priority than that in the AP group radio view.

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example

# Enable brute force attack detection for WPA-PSK authentication on radio 0 in AP group office.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wpa-psk

wids contain enable

Function

(AP group radio view) The wids contain enable command enables rogue device containment on all specified radios in an AP group.

(AP group radio view) The undo wids contain enable command disables rogue device containment on all specified radios in an AP group.

(AP radio view) The wids contain enable command enables rogue device containment on an AP radio.

(AP radio view) The undo wids contain enable command cancels the configuration of the rogue device containment function on an AP radio. The status of this function on the AP radio is then determined by the status of this function in the AP group radio view.

By default, rogue device containment is disabled on AP radios.

Format

wids contain enable

undo wids contain enable

Parameters

None

Views

AP group radio view, AP radio view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Rogue devices pose serious security threats to enterprise networks.

After the containment mode is set against rogue APs, the monitor AP uses the identity of the rogue AP to broadcast deauthentication frames to forcibly disconnect STAs. To prevent the STAs from connecting to the rogue AP again, the monitor AP will periodically and continuously send deauthentication frames.

After the containment mode is set against rogue STAs or ad-hoc devices, the monitor AP uses the MAC address of a rogue device to continuously send unicast deauthentication frames.

Precautions

The configuration in the AP radio view has a higher priority than that in the AP group radio view.

After command keep-service enable is executed, if the wids device detect enable and wids contain enable commands are configured to enable rogue device detection and containment, the AP will continue providing data services after going offline. However, the AC considers the AP as a rogue device and adds it to the containment list. The containment mechanism will disconnect STAs from the AP. Therefore, service holding upon CAPWAP link disconnection does not take effect in this case.

After command keep-service enable allow new-access is executed, if the wids device detect enable and wids contain enable commands are configured to enable rogue device detection and containment, the AP will continue providing data services after going offline. However, the AC considers the AP as a rogue device and adds it to the containment list. The containment mechanism will disable the AP from allowing access of new STAs. Therefore, the function of enabling an offline AP to allow access of new STAs does not take effect in this case.

Follow-up Procedure

Run the contain-mode command to set the rogue device containment mode.

Example

# Enable rogue device containment on radio 0 in AP group office.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids contain enable

wids device detect enable

Function

(AP group radio view) The wids device detect enable command enables device detection on all specified radios in an AP group.

(AP group radio view) The undo wids device detect enable command disables device detection on all specified radios in an AP group.

(AP radio view) The wids device detect enable command enables device detection on an AP radio.

(AP radio view) The undo wids device detect enable command cancels the configuration of the device detection function on an AP radio. The status of this function on the AP radio is then determined by the status of this function in the AP group radio view.

By default, device detection is disabled on AP radios.

Format

wids device detect enable

undo wids device detect enable

Parameters

None

Views

AP group radio view, AP radio view

Default Level

2: Configuration level

Usage Guidelines

Application Scenario

After the wireless device detection function is enabled, the monitoring AP detects information about wireless devices in its coverage range and reports the information to the AC. The AC determines whether unauthorized devices exist on the WLAN.

Precautions

The configuration in the AP radio view has a higher priority than that in the AP group radio view.

After command keep-service enable is executed, if the wids device detect enable and wids contain enable commands are configured to enable rogue device detection and containment, the AP will continue providing data services after going offline. However, the AC considers the AP as a rogue device and adds it to the containment list. The containment mechanism will disconnect STAs from the AP. Therefore, service holding upon CAPWAP link disconnection does not take effect in this case.

After command keep-service enable allow new-access is executed, if the wids device detect enable and wids contain enable commands are configured to enable rogue device detection and containment, the AP will continue providing data services after going offline. However, the AC considers the AP as a rogue device and adds it to the containment list. The containment mechanism will disable the AP from allowing access of new STAs. Therefore, the function of enabling an offline AP to allow access of new STAs does not take effect in this case.

Example

# Enable device detection on radio 0 in AP group office.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids device detect enable

wids-whitelist-profile (WLAN view)

Function

The wids-whitelist-profile command creates a WIDS whitelist profile and displays the WIDS whitelist profile view.

The undo wids-whitelist-profile command deletes a WIDS whitelist profile.

By default, no WIDS whitelist profile exists in the system.

Format

wids-whitelist-profile name profile-name

undo wids-whitelist-profile { name profile-name | all }

Parameters

Parameter

Description

Value

name profile-name

Specifies the name of a WIDS whitelist profile.

The value is a string of 1 to 35 case-insensitive characters. It does not contain question marks (?) or spaces, and cannot start or end with double quotation marks (" ").

all

Deletes all WIDS whitelist profiles.

-

Views

WLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After WIDS/WIPS is enabled, rogue APs can be detected and countered. However, there may be APs of other vendors or on other networks working in the existing signal coverage areas. If these APs are countered, their services will be affected. To prevent this situation, configure an authorized AP list, including an authorized MAC address list, OUI list, and SSID list. If an unauthorized AP is detected but matches the authorized AP list, the AP is considered an authorized AP and will not be countered. After you create a WIDS whitelist profile using the wids-whitelist-profile command, run the permit-ap command to configure an authorized AP list.

Follow-up Procedure

Run the wids-whitelist-profile (WIDS profile view) command to bind the WIDS whitelist profile to a WIDS profile so that the WIDS whitelist profile can take effect.

Example

# Create the WIDS whitelist profile office.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] wids-whitelist-profile name office
[HUAWEI-wlan-wids-whitelist-office]

wids-whitelist-profile (WIDS profile view)

Function

The wids-whitelist-profile command binds a WIDS whitelist profile to a WIDS profile.

The undo wids-whitelist-profile command unbinds a WIDS whitelist profile from a WIDS profile.

By default, no WIDS whitelist profile is bound to a WIDS profile.

Format

wids-whitelist-profile profile-name

undo wids-whitelist-profile

Parameters

Parameter

Description

Value

profile-name

Specifies the name of a WIDS whitelist profile.

The WIDS whitelist profile must already exist.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

After you create a WIDS whitelist profile using the wids-whitelist-profile (WLAN view) command, bind it to a WIDS profile so that the WIDS whitelist profile can take effect.

Example

# Bind the WIDS whitelist profile office01 to the WIDS profile wids-office01.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] wids-whitelist-profile name office01
[HUAWEI-wlan-wids-whitelist-office01] quit
[HUAWEI-wlan-view] wids-profile name wids-office01
[HUAWEI-wlan-wids-prof-wids-office01] wids-whitelist-profile office01

wids-profile (WLAN view)

Function

The wids-profile command creates a WIDS profile and displays the WIDS profile view.

The undo wids-profile command deletes a WIDS profile.

By default, the system provides the WIDS profile default.

You can run the display wids-profile command to view configuration of the WIDS profile default.

Format

wids-profile name profile-name

undo wids-profile { name profile-name | all }

Parameters

Parameter

Description

Value

name profile-name

Specifies the name of a WIDS profile.

The value is a string of 1 to 35 case-insensitive characters. It does not contain question marks (?) or spaces, and cannot start or end with double quotation marks (" ").

all

Deletes all WIDS profiles.

The default WIDS profile default can be modified but cannot be deleted.

Views

WLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure the WIDS function on a device to detect and counter rogue devices on a WLAN. The WIDS function also enables the device to detect attacks and add devices launching the attacks to a dynamic blacklist. Packets sent from the blacklisted devices will be rejected to protect authorized users.

After you create a WIDS profile using the wids-profile command, you can configure APs to detect and counter rogue devices, and detect attacks in the profile.

Follow-up Procedure

Run the wids-profile (AP group view and AP view) command to bind the WIDS profile to an AP group or AP so that the WIDS profile can take effect.

Example

# Create the WIDS profile office.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] wids-profile name office
[HUAWEI-wlan-wids-prof-office]

wids-profile (AP group view and AP view)

Function

The wids-profile command binds a WIDS profile to an AP group or AP.

The undo wids-profile command unbinds a WIDS profile from an AP group or AP.

By default, no WIDS profile is bound to an AP, but the WIDS profile default is bound to the AP group.

Format

wids-profile profile-name

undo wids-profile

Parameters

Parameter | Description | Value
----------|-------------|------
profile-name | Specifies the name of a WIDS profile. | The WIDS profile must exist.

Views

AP group view, AP view

Default Level

2: Configuration level

Usage Guidelines

After you create a WIDS profile using the wids-profile (WLAN view) command, bind it to an AP group or AP to make the profile take effect.

Example

# Bind the WIDS profile office01 to AP group AP-office01.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] wids-profile name office01
[HUAWEI-wlan-wids-prof-office01] quit
[HUAWEI-wlan-view] ap-group name AP-office01
[HUAWEI-wlan-ap-group-AP-office01] wids-profile office01

# Bind the WIDS profile office01 to the AP with ID 1.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] wids-profile name office01
[HUAWEI-wlan-wids-prof-office01] quit
[HUAWEI-wlan-view] ap-id 1
[HUAWEI-wlan-ap-1] wids-profile office01

wids-spoof-profile (WLAN view)

Function

The wids-spoof-profile command creates a WIDS spoof SSID profile and displays the WIDS spoof SSID profile view.

The undo wids-spoof-profile command deletes a WIDS spoof SSID profile.

By default, no WIDS spoof SSID profile exists in the system.

Format

wids-spoof-profile name profile-name

undo wids-spoof-profile { name profile-name | all }

Parameters

Parameter | Description | Value
----------|-------------|------
name profile-name | Specifies the name of a WIDS spoof SSID profile. | The value is a string of 1 to 35 case-insensitive characters. It does not contain question marks (?) or spaces, and cannot start or end with double quotation marks (" ").
all | Deletes all WIDS spoof SSID profiles. | -

Views

WLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

WLAN services are available in public places, such as banks and airports. Users can connect to the WLANs after associating with corresponding SSIDs. If a rogue AP is deployed and provides spoofing SSIDs similar to authorized SSIDs, the users may be misled and connect to the rogue AP, which brings security risks. To address this problem, configure a fuzzy matching rule to identify spoofing SSIDs. After you create a WIDS spoof SSID profile using the wids-spoof-profile command, run the spoof-ssid command to configure a fuzzy matching rule to identify spoofing SSIDs.
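
The fuzzy matching idea behind a spoof SSID rule can be illustrated with a small detector. The following is an added example, not code from the Huawei command reference and not the device's spoof-ssid rule syntax: it normalizes SSIDs (case, separators, common lookalike characters) and then applies an edit-distance threshold against the authorized SSID list. The authorized SSIDs, the observed beacons and the threshold are constructed for the example.

```python
# Added example (not part of the Huawei command reference): a fuzzy SSID
# matcher in the spirit of a WIDS spoof-SSID rule. The authorized SSIDs,
# the observed beacons and the thresholds below are constructed for the
# example; the device's own spoof-ssid rule syntax is documented separately.

# Lookalike substitutions often used to imitate an SSID (constructed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "|": "l"})


def normalize(ssid: str) -> str:
    """Canonical form for comparison: case-folded, lookalike characters mapped,
    and separators/whitespace removed."""
    s = ssid.casefold().translate(HOMOGLYPHS)
    return "".join(ch for ch in s if ch not in " -_.")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), two-row O(len(a)*len(b))."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_spoof_ssids(authorized, beacons, max_distance=2):
    """Return (observed_ssid, bssid, matched_authorized_ssid, reason) for every
    beacon whose SSID is similar to, but not identical with, an authorized SSID.
    An identical SSID from an unknown BSSID is a rogue-AP question rather than a
    fuzzy match, so this rule leaves it to that check."""
    canon = {normalize(s): s for s in authorized}
    hits = []
    for ssid, bssid in beacons:
        if ssid in authorized:
            continue
        n = normalize(ssid)
        if n in canon:
            hits.append((ssid, bssid, canon[n], "lookalike characters or case"))
            continue
        for key, real in canon.items():
            d = levenshtein(n, key)
            if d <= max_distance:
                hits.append((ssid, bssid, real, f"edit distance {d}"))
                break
    return hits


AUTHORIZED = {"Office-WiFi", "Guest"}

# Constructed beacon observations: (SSID, BSSID).
BEACONS = [
    ("Office-WiFi", "00:11:22:33:44:55"),       # authorized string, ignored by this rule
    ("0ffice-WiFi", "de:ad:be:ef:00:01"),       # digit zero standing in for the letter o
    ("Office_WiFi ", "de:ad:be:ef:00:02"),      # separator change plus trailing space
    ("Office-WiFi-Free", "de:ad:be:ef:00:03"),  # appended suffix, distance 4: below threshold
    ("Guest5", "de:ad:be:ef:00:04"),            # one inserted character
    ("Lobby-Printer", "00:11:22:33:44:66"),     # unrelated SSID
]

if __name__ == "__main__":
    for hit in find_spoof_ssids(AUTHORIZED, BEACONS):
        print(hit)
```

The suffix case ("Office-WiFi-Free") shows the limit of a pure edit-distance threshold: catching appended words needs a prefix or substring rule alongside it, which is why a spoof SSID profile is worth tuning against the SSIDs actually seen on site rather than left at one generic setting.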

Follow-up Procedure

Run the wids-spoof-profile (WIDS profile view) command to bind the WIDS spoof SSID profile to a WIDS profile to make the WIDS spoof SSID profile take effect.

Example

# Create the WIDS spoof SSID profile office.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] wids-spoof-profile name office
[HUAWEI-wlan-wids-spoof-office]

wids-spoof-profile (WIDS profile view)

Function

The wids-spoof-profile command binds a WIDS spoof SSID profile to a WIDS profile.

The undo wids-spoof-profile command unbinds a WIDS spoof SSID profile from a WIDS profile.

By default, no WIDS spoof SSID profile is bound to a WIDS profile.

Format

wids-spoof-profile profile-name

undo wids-spoof-profile

Parameters

Parameter | Description | Value
----------|-------------|------
profile-name | Specifies the name of a WIDS spoof SSID profile. | The WIDS spoof SSID profile must already exist.

Views

WIDS profile view

Default Level

2: Configuration level

Usage Guidelines

After you create a WIDS spoof SSID profile using the wids-spoof-profile (WLAN view) command, bind it to a WIDS profile so that the WIDS spoof SSID profile can take effect.

Example

# Bind the WIDS spoof SSID profile office01 to the WIDS profile office01.

<HUAWEI> system-view
[HUAWEI] wlan 
[HUAWEI-wlan-view] wids-spoof-profile name office01
[HUAWEI-wlan-wids-spoof-office01] quit
[HUAWEI-wlan-view] wids-profile name office01
[HUAWEI-wlan-wids-prof-office01] wids-spoof-profile office01

work-mode

Function

(AP group radio view) The work-mode command sets the working mode of all specified AP radios in an AP group.

(AP group radio view) The undo work-mode command restores the default working mode of all specified AP radios in an AP group.

(AP radio view) The work-mode command sets the working mode of a specified radio on an AP in an AP group.

(AP radio view) The undo work-mode command restores the working mode of a specified radio on an AP to the working mode configured in the AP group radio view.

By default, AP radios work in normal mode.

Format

work-mode { monitor [ dual-band-scan enable ] | normal }

undo work-mode

Parameters

Parameter | Description | Value
----------|-------------|------
monitor | Indicates the monitor mode. | -
dual-band-scan enable | Indicates inter-band scanning. | -
normal | Indicates the normal mode. | -

Views

AP group radio view, AP radio view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An AP radio can work in two modes:
  • normal: indicates the normal mode.
    • If air scan functions (such as WIDS, spectrum analysis, and terminal location) are disabled on a radio, the radio is used to transmit common WLAN services.
    • If air scan functions are enabled on a radio, the radio transmits common WLAN services and also provides the monitoring function. A transient increase in WLAN service latency may occur, which does not affect network access. However, if any latency-sensitive service (such as videoconferencing) is running, it is recommended that a separate radio be used for air scan.
  • monitor: indicates the monitor mode. In this mode, the radio performs only air scan functions and cannot transmit common WLAN services.

Precautions

Changing the radio working mode can interrupt services. Users cannot associate with the AP while its radio is working in monitor mode.

The configuration in the AP radio view has a higher priority than that in the AP group radio view.

In monitor mode, the working channels and power of AP radios change continuously. In this situation, the working channels and power of the AP radios are displayed as "-".

Only the AP2010DN, AP4030TN, AP8130DN, and AP8130DN-W support the inter-band scanning mode. Radio 1 does not support inter-band scanning.

Example

# Set the working mode of radio 0 in AP group office to monitor.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] work-mode monitor
Warning: Modify the work mode may cause business interruption, continue?[y/n]:y

wpa ptk-update enable

Function

The wpa ptk-update enable command enables periodic PTK update in WPA or WPA2 authentication and encryption.

The undo wpa ptk-update enable command disables periodic PTK update.

By default, periodic PTK update is disabled.

Format

wpa ptk-update enable

undo wpa ptk-update enable

Parameters

None

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In WPA or WPA2 authentication and encryption, a Pairwise Transient Key (PTK) is generated at the key negotiation stage to encrypt unicast radio packets. To ensure secure encryption, enable periodic PTK update so that the AP and STA use a new PTK to encrypt radio packets after a regular interval.
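
To make concrete why a periodic PTK update gives a genuinely fresh key, the following added example (not code from the Huawei command reference) writes out the WPA2 PTK derivation from the 4-way handshake: the IEEE 802.11 PRF built on HMAC-SHA1, keyed with the PMK over both MAC addresses and both nonces. The PMK stays the same across a rekey, but each side contributes a new nonce, so the resulting KCK, KEK and temporal key are unrelated to the previous ones. The PMK, MAC addresses and nonces are constructed values, not test vectors from any standard or capture.

```python
# Added example (not Huawei code): the WPA2 PTK derivation from the 4-way
# handshake (IEEE 802.11 PRF-384 built on HMAC-SHA1), written out to show
# why a periodic PTK update yields a fresh key: both sides keep the PMK but
# contribute new nonces, and the PTK is a function of those nonces. All MAC
# addresses, nonces and the PMK below are constructed values.
import hashlib
import hmac
import os


def prf_80211(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbytes have been produced, then truncate."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 48) -> bytes:
    """PTK = PRF-X(PMK, "Pairwise key expansion",
                   min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The min/max ordering is what lets AP and STA compute the same key.
    48 bytes (PRF-384) is the CCMP case: KCK(16) || KEK(16) || TK(16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_80211(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk: bytes):
    """Return (KCK, KEK, TK) for a 48-byte CCMP PTK."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def rekey_demo(pmk: bytes, aa: bytes, spa: bytes):
    """Simulate the initial handshake and one periodic PTK update with the same
    PMK but fresh random nonces; return both PTKs so the caller can compare them."""
    first = derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))
    second = derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))
    return first, second


# Constructed inputs (not from any standard or capture).
PMK = bytes.fromhex("00" * 16 + "11" * 16)   # 32-byte PMK
AA = bytes.fromhex("020000000001")           # AP MAC (authenticator address)
SPA = bytes.fromhex("020000000002")          # STA MAC (supplicant address)
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    kck, kek, tk = split_ptk(derive_ptk(PMK, AA, SPA, ANONCE, SNONCE))
    print("TK before rekey:", tk.hex())
    a, b = rekey_demo(PMK, AA, SPA)
    print("PTK changed after rekey:", a != b)
```

Because every rekey is a fresh handshake, the interval is a trade-off: shorter intervals bound how much traffic any one temporal key protects, while each rekey costs an EAPOL exchange per associated STA.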

Precautions

When periodic PTK update is performed, some STAs may encounter service interruptions or go offline because of problems specific to those STAs.

Follow-up Procedure

Run the wpa ptk-update ptk-update-interval command to configure the periodic PTK update interval.

Example

# Enable the periodic PTK update function.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name huawei
[HUAWEI-wlan-sec-prof-huawei] wpa ptk-update enable

wpa ptk-update ptk-update-interval

Function

The wpa ptk-update ptk-update-interval command configures an interval for updating PTKs in WPA or WPA2 authentication and encryption.

The undo wpa ptk-update ptk-update-interval command restores the default PTK update interval.

By default, the interval for updating PTKs is 43200 seconds.

Format

wpa ptk-update ptk-update-interval ptk-rekey-interval

undo wpa ptk-update ptk-update-interval

Parameters

Parameter | Description | Value
----------|-------------|------
ptk-rekey-interval | Specifies the PTK update interval. | The value is an integer ranging from 30 to 86400, in seconds.

Views

Security profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure secure encryption during WPA or WPA2 authentication, enable periodic PTK update. You can run this command to configure the PTK update interval. A smaller interval indicates faster PTK update and more secure data encryption. However, if the PTK update interval is set too small, the STA and AP implement more negotiations, affecting the throughput.

Precautions

The configured periodic PTK update interval takes effect only after you enable the periodic PTK update function using the wpa ptk-update enable command.

Example

# Set the periodic PTK update interval to 50,000 seconds.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name huawei
[HUAWEI-wlan-sec-prof-huawei] wpa ptk-update ptk-update-interval 50000
Updated: 2019-10-09

Document ID: EDOC1000178165