Security Profile
Overview
You can configure WLAN security policies to authenticate identities of wireless terminals and encrypt user packets, protecting the security of the WLAN and users. The supported WLAN security policies include open system authentication, WEP, WPA/WPA2-PSK, WPA/WPA2-802.1X, WPA-WPA2, WPA3-SAE, WPA3-802.1X, WPA2-WPA3, OWE, WAPI-PSK, and WAPI-certificate. You can configure one of them in a security profile. Open system authentication and WPA/WPA2/WPA3-802.1X need to be configured together with NAC to manage user access.
CLI-based Procedure
To connect a STA to the WLAN, bind the security profile to a VAP profile. The STA can connect to the WLAN through an SSID only after it completes identity authentication according to the security policy configured in the VAP profile. For the detailed configuration, see Configuring a WLAN Security Policy in the Configuration - User Access and Authentication Configuration Guide.
For WDS services, bind the security profile to the WDS profile. To ensure WDS security, set the security policy to WPA2+PSK+AES. For details, see Configuring a Security Profile in the Configuration - WDS and Mesh Configuration Guide.
For Mesh services, bind the security profile to the Mesh profile. To ensure Mesh security, set the security policy to WPA2+PSK+AES. For details, see Configuring a Security Profile in the Configuration - WDS and Mesh Configuration Guide.
Web-based Procedure
- Log in to the web platform, and choose or . Click the AP group name or AP ID to access the AP group or AP configuration page.
- Click VAP Configuration and create a VAP profile.
- Select Security Profile. On the profile page that is displayed, create a security profile. Access the profile page and click Advanced Configuration.
- Set Security policy to Open. Table 3-24 describes the parameters on this page.
Figure 3-45 Security policy (Open)
Table 3-24 Security policy (Open)
Item
Description
Open
Open system authentication. It is not secure to use open system authentication on its own: any wireless terminal can access the network without authentication. You are advised to configure open system authentication together with Portal authentication or MAC address authentication.
- Set Security policy to WEP. Table 3-25 describes the parameters on this page.
Figure 3-46 Security policy (WEP)
Table 3-25 Security policy (WEP)
Item
Description
WEP
WEP authentication. The WEP security policy has security risks and is therefore not recommended.
Authentication policy
- Non-authentication: Only the shared key is used to encrypt service packets.
- SHARE-KEY: The shared key is used to authenticate STAs and encrypt service packets.
- Dot1x: Dynamic WEP authentication is used.
Encryption mode
WEP encryption mode, which can be:
- WEP-40: WEP encryption with the key length of 40 bits
- WEP-104: WEP encryption with the key length of 104 bits
- WEP-128: WEP encryption with the key length of 128 bits
Key type
WEP key type, which can be:
- HEX: The key is in hexadecimal format.
- PASS-PHRASE: The key is a character string.
- Dot1x: The key is used with 802.1X authentication.
Key No
Default key index used in WEP authentication or encryption.
Key
Encryption key for WEP authentication.
- When the key type is HEX, the value is a hexadecimal number of 10 digits.
- When the key type is PASS-PHRASE, the value is a string of 5 characters.
- Set Security policy to WPA. Table 3-26 describes the parameters on this page.
Figure 3-47 Security policy (WPA)
Table 3-26 Security policy (WPA)
Item
Description
WPA
WPA authentication.
There are two types of WPA/WPA2 authentication: WPA/WPA2-PSK authentication (also called WPA/WPA2-Personal) and WPA/WPA2 802.1X authentication (also called WPA/WPA2-Enterprise).
Recommended configuration scenarios for WPA/WPA2-PSK: individual and home networks. WPA/WPA2-PSK has higher security than WEP, requires no third-party server, and is inexpensive to implement. Recommended configuration scenarios for WPA/WPA2-802.1X: networks with fixed users, high security requirements, and centralized management and authorization, for example, mobile office, campus networks, and mobile e-government. WPA/WPA2-802.1X has high security and requires a third-party server. The user access authentication mode is 802.1X authentication.
Authentication policy
Authentication mode, which can be:
- PSK: WPA-PSK authentication is used.
- Dot1x: WPA-802.1X authentication is used.
- PPSK: WPA-PPSK authentication is used.
Encryption mode
Data encryption mode, which can be:
- AES: The symmetric algorithm (AES) is used to encrypt data.
- TKIP: TKIP is used to encrypt data.
- AES-TKIP: AES and TKIP are used together for encryption. After passing the authentication, STAs can use the AES or TKIP algorithm for data encryption.
Key type
Key type used in PSK authentication, which can be:
- HEX: The key is in hexadecimal format.
- PASS-PHRASE: The key is a character string.
Key
PSK authentication key.
- When the key type is HEX, the value is a hexadecimal number of 64 digits.
- When the key type is PASS-PHRASE, the value is a string of 8 to 63 characters.
PTK update interval
Whether to enable periodic PTK update. By default, the function is disabled.
PTK update interval (s)
Interval for updating the PTK.
The value range is 43200 to 86400. The default value is 43200.
- Set Security policy to WPA2. Table 3-27 describes the parameters on this page.
Figure 3-48 Security policy (WPA2)
Table 3-27 Security policy (WPA2)
Item
Description
WPA2
WPA2 authentication.
There are two types of WPA/WPA2 authentication: WPA/WPA2-PSK authentication (also called WPA/WPA2-Personal) and WPA/WPA2 802.1X authentication (also called WPA/WPA2-Enterprise).
Recommended configuration scenarios for WPA/WPA2-PSK: individual and home networks. WPA/WPA2-PSK has higher security than WEP, requires no third-party server, and is inexpensive to implement. Recommended configuration scenarios for WPA/WPA2-802.1X: networks with fixed users, high security requirements, and centralized management and authorization, for example, mobile office, campus networks, and mobile e-government. WPA/WPA2-802.1X has high security and requires a third-party server. The user access authentication mode is 802.1X authentication.
Authentication policy
Authentication mode, which can be:
- PSK: WPA2-PSK authentication is used.
- Dot1x: WPA2-802.1X authentication is used.
- PPSK: WPA2-PPSK authentication is used.
Encryption mode
Data encryption mode, which can be:
- AES: The symmetric algorithm (AES) is used to encrypt data.
- TKIP: TKIP is used to encrypt data.
- AES-TKIP: AES and TKIP are used together for encryption. After passing the authentication, STAs can use the AES or TKIP algorithm for data encryption.
Key type
Key type used in PSK authentication, which can be:
- HEX: The key is in hexadecimal format.
- PASS-PHRASE: The key is a character string.
Key
PSK authentication key.
- When the key type is HEX, the value is a hexadecimal number of 64 digits.
- When the key type is PASS-PHRASE, the value is a string of 8 to 63 characters.
Management frame protection
PMF is a specification released by the Wi-Fi Alliance (WFA) based on IEEE 802.11w standards. It aims to apply security measures defined in WPA2 to unicast and multicast management action frames to improve network credibility. By default, the function is disabled.
Forcibly enable management frame protection
After this function is enabled, the VAP permits access only from PMF-capable STAs.
PTK update interval
Whether to enable periodic PTK update. By default, the function is disabled.
PTK update interval (s)
Interval for updating the PTK.
The value range is 43200 to 86400. The default value is 43200.
- Set Security policy to WPA-WPA2. Table 3-28 describes the parameters on this page.
Figure 3-49 Security policy (WPA-WPA2)
Table 3-28 Security policy (WPA-WPA2)
Item
Description
WPA-WPA2
WPA-WPA2 authentication.
There are two types of WPA/WPA2 authentication: WPA/WPA2-PSK authentication (also called WPA/WPA2-Personal) and WPA/WPA2 802.1X authentication (also called WPA/WPA2-Enterprise).
Recommended configuration scenarios for WPA/WPA2-PSK: individual and home networks. WPA/WPA2-PSK has higher security than WEP, requires no third-party server, and is inexpensive to implement. Recommended configuration scenarios for WPA/WPA2-802.1X: networks with fixed users, high security requirements, and centralized management and authorization, for example, mobile office, campus networks, and mobile e-government. WPA/WPA2-802.1X has high security and requires a third-party server. The user access authentication mode is 802.1X authentication.
Authentication policy
Authentication mode, which can be:
- PSK: WPA-WPA2-PSK authentication is used.
- Dot1x: WPA-WPA2-802.1X authentication is used.
- PPSK: WPA-WPA2-PPSK authentication is used.
WPA encryption mode/WPA2 encryption mode
Data encryption mode, which can be:
- AES: The symmetric algorithm (AES) is used to encrypt data.
- TKIP: TKIP is used to encrypt data.
- AES-TKIP: AES and TKIP are used together for encryption. After passing the authentication, STAs can use the AES or TKIP algorithm for data encryption.
Key type
Key type used in PSK authentication, which can be:
- HEX: The key is in hexadecimal format.
- PASS-PHRASE: The key is a character string.
Key
PSK authentication key.
- When the key type is HEX, the value is a hexadecimal number of 64 digits.
- When the key type is PASS-PHRASE, the value is a string of 8 to 63 characters.
PTK update interval
Whether to enable periodic PTK update. By default, the function is disabled.
PTK update interval (s)
Interval for updating the PTK.
The value range is 43200 to 86400. The default value is 43200.
- Set Security policy to WAPI. Table 3-29 describes the parameters on this page.
Figure 3-50 Security policy (WAPI)
Table 3-29 Security policy (WAPI)
Item
Description
WAPI
WAPI authentication. There are two types of WAPI authentication: WAPI-PSK authentication and WAPI-CERT authentication. WAPI-PSK has higher security than WEP and requires no third-party server. Only some STAs support WAPI-PSK. WAPI-CERT has high security and requires a third-party server. Only some STAs support WAPI-CERT.
Authentication policy
Authentication mode, which can be:
- PSK: WAPI-PSK authentication is used.
- Certificate: WAPI certificate authentication is used.
Key type
Key type used in PSK authentication, which can be:
- HEX: The key is in hexadecimal format.
- PASS-PHRASE: The key is a character string.
Key
PSK authentication key.
- When the key type is HEX, the value is a hexadecimal number of 8 to 32 digits, and the number of digits must be even.
- When the key type is PASS-PHRASE, the value is a string of 8 to 64 characters.
Specify AC private key file/key
Private key file and key of the AC certificate specified for the security profile when the security policy is set to WAPI.
Specify AC certificate/key
AC certificate and key specified for the security profile when the security policy is set to WAPI.
NOTE: The certificates must be valid and correct.
Specify issuer's certificate/key
Issuer certificate and key specified for the security profile when the security policy is set to WAPI. The issuer certificate helps to check whether the AC certificate is modified.
Specify ASU certificate/key
ASU certificate and key specified for the security profile when the security policy is set to WAPI.
NOTE: If the authentication system uses only two certificates, the issuer certificate is the same as the ASU certificate, with the same file name. If the authentication system uses three certificates, the issuer certificate and ASU certificate are different from each other and both must be imported. The certificates must be valid and correct.
ASU IP
IP address of the ASU server when the security policy is set to WAPI.
NOTE: This parameter determines the ASU server to which WAPI packets are sent. Ensure that both the ASU certificate and the ASU server address are correct; otherwise, users may fail authentication.
Retransmission count of certificate authentication packets
Number of certificate authentication packet retransmissions specified for the security profile when the security policy is set to WAPI.
The value range is 1 to 10. The default value is 3.
Association timeout interval (s)
You can prolong the WAPI timeout period to increase the authentication success ratio.
The value range is 1 to 255. The default value is 60.
BK lifetime percentage (%)
BK lifetime percentage. You can set the interval for updating a BK to improve security.
The value obtained by multiplying the interval for updating a BK by the BK lifetime percentage should be greater than or equal to 300 seconds. Otherwise, the BK may be updated before negotiation is complete due to low STA performance. In this case, some STAs may be forced offline or cannot go online.
The value range is 1 to 100. The default value is 70.
BK update interval
BK update interval. You can set the interval for updating a BK to improve security.
The value obtained by multiplying the interval for updating a BK by the BK lifetime percentage should be greater than or equal to 300 seconds. Otherwise, the BK may be updated before negotiation is complete due to low STA performance. In this case, some STAs may be forced offline or cannot go online.
The value range is 600 to 604800. The default value is 43200.
Key update
Key update function. You can select Unicast Key Update, Multicast Key Update, or both.
Unicast Key Update/Multicast Key Update
Update interval (s)
Key update interval. When the key update mode is set to time-based key update, the key update interval needs to be configured.
The value range is 600 to 604800. The default value is 86400.
Retransmission count of negotiation packets
Number of key negotiation packet retransmissions.
The value range is 1 to 10. The default value is 3.
- Set Security policy to WPA3. Table 3-30 describes the parameters on this page.
Figure 3-51 Security policy (WPA3)
Table 3-30 Security policy (WPA3)
Item
Description
WPA3
WPA3 authentication.
WPA3 authentication is classified into the enterprise edition and personal edition, that is, WPA3-802.1X authentication and WPA3-SAE authentication.
WPA3-SAE authentication applies to individual, home, and Small Office and Home Office (SOHO) networks that do not require high security. No authentication server is required.
WPA3-802.1X authentication applies to scenarios that require high security, such as governments and large enterprises.
Authentication policy
Authentication mode, which can be:
- SAE: WPA3-SAE authentication
- Dot1x: WPA3-802.1X authentication
Encryption mode
Data encryption mode, which can be:
- AES: AES encryption in WPA3-SAE authentication
- AES256GCM: GCMP-256 encryption in WPA3-802.1X authentication
Key type
Type of the key used in SAE authentication.
PASS-PHRASE indicates that the key is a character string.
Key
Key for SAE authentication.
The value is a string of 8 to 108 characters.
Management frame protection
In WPA3 authentication, this function is forcibly enabled and cannot be configured.
Forcibly enable management frame protection
In WPA3 authentication, this function is forcibly enabled and cannot be configured.
- Set Security policy to WPA2-WPA3. Table 3-31 describes the parameters on this page.
Figure 3-52 Security policy (WPA2-WPA3)
Table 3-31 Security policy (WPA2-WPA3)
Item
Description
WPA2-WPA3
WPA2-WPA3 authentication.
Authentication policy
WPA2-WPA3 authentication mode.
Encryption mode
Data encryption mode, which can be:
Key type
Type of the key used in WPA2-WPA3 authentication.
PASS-PHRASE indicates that the key is a character string.
Key
Key for WPA2-WPA3 authentication.
The value is a string of 8 to 108 characters.
Management frame protection
In WPA2-WPA3 authentication, this function is forcibly enabled and cannot be configured.
Forcibly enable management frame protection
In WPA2-WPA3 authentication, this function is forcibly disabled and cannot be configured.
- Set Security policy to OWE. Table 3-32 describes the parameters on this page.
Figure 3-53 Security policy (OWE)
Table 3-32 Security policy (OWE)
Item
Description
OWE
OWE authentication.
Encryption mode
Data encryption mode.
Transition SSID
SSID used in OWE transition authentication.
Management frame protection
In OWE authentication, this function is forcibly enabled and cannot be configured.
Forcibly enable management frame protection
In OWE authentication, this function is forcibly enabled and cannot be configured.
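An added example, not code from the Huawei guide or its web platform: a small checker that applies the key-length, value-range and WAPI BK-lifetime rules from Table 3-25 through Table 3-32 to a security profile expressed as a dict, and warns on the policies the guide marks as weak (Open, WEP, TKIP). The dict field names are assumptions made for this example.

```python
import re

# Constructed checker, not code from the Huawei guide: it encodes the key-length,
# range and BK-lifetime rules from the security-profile tables and flags the
# policies the guide marks as weak. Dict field names are assumptions.
PSK_POLICIES = {"WPA", "WPA2", "WPA-WPA2"}
RANGES = {"ptk_update_interval": (43200, 86400),   # PTK update interval (s)
          "bk_update_interval": (600, 604800),     # WAPI BK update interval (s)
          "bk_lifetime_pct": (1, 100)}             # WAPI BK lifetime percentage (%)

def check_key(policy, key_type, key):
    """Return an error string if the key does not fit the policy's key rules, else None."""
    is_hex = key_type == "HEX"
    if is_hex and not re.fullmatch(r"[0-9a-fA-F]+", key):
        return "HEX key contains non-hexadecimal characters"
    n = len(key)
    if policy == "WEP":                       # 10 hex digits or 5 characters (Table 3-25)
        ok = n == 10 if is_hex else n == 5
    elif policy in PSK_POLICIES:              # 64 hex digits or 8 to 63 characters
        ok = n == 64 if is_hex else 8 <= n <= 63
    elif policy == "WAPI":                    # 8 to 32 hex digits, even count, or 8 to 64 chars
        ok = (8 <= n <= 32 and n % 2 == 0) if is_hex else 8 <= n <= 64
    elif policy in ("WPA3", "WPA2-WPA3"):     # PASS-PHRASE only, 8 to 108 characters
        ok = not is_hex and 8 <= n <= 108
    else:
        return None
    return None if ok else f"{policy} {key_type} key of length {n} is out of range"

def validate_profile(p):
    """Return (errors, warnings) for a security-profile dict."""
    errors, warnings = [], []
    policy = p.get("policy")
    if policy in ("Open", "WEP"):
        warnings.append(f"{policy}: not secure on its own; the guide advises against it")
    if p.get("encryption") in ("TKIP", "AES-TKIP"):
        warnings.append("TKIP permitted: prefer AES, as the guide requires for WDS/Mesh")
    if "key" in p:
        err = check_key(policy, p.get("key_type", "PASS-PHRASE"), p["key"])
        if err:
            errors.append(err)
    for field, (lo, hi) in RANGES.items():
        if field in p and not lo <= p[field] <= hi:
            errors.append(f"{field}={p[field]} is outside {lo} to {hi}")
    # WAPI rule from Table 3-29: BK update interval x BK lifetime percentage >= 300 s,
    # otherwise the BK can expire before a slow STA finishes negotiation.
    if policy == "WAPI" and all(k in p for k in ("bk_update_interval", "bk_lifetime_pct")):
        effective = p["bk_update_interval"] * p["bk_lifetime_pct"] / 100
        if effective < 300:
            errors.append(f"BK update interval x lifetime = {effective:.0f} s, below 300 s")
    return errors, warnings
```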