WLAN Security Hardening Guide (V200)

Wireless User Access Security

Various security policies are available for WLANs: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, WPA3, and WLAN Authentication and Privacy Infrastructure (WAPI). WEP uses a shared key to authenticate users and encrypt service packets. Since the shared key is easy to decipher, the WEP security policy is not recommended due to its low security.

WLAN devices support the STA blacklist and whitelist function to filter STAs based on specified rules and ensure that only authorized STAs can access the WLAN, preventing unauthorized STAs from accessing the WLAN.

WPA/WPA2

Security Policy

WEP shared key authentication uses the Rivest Cipher 4 (RC4) symmetric stream cipher to encrypt data. Therefore, the same static key must be preconfigured on the server and clients. Both the encryption mechanism and algorithm, however, are prone to security threats. The Wi-Fi Alliance developed WPA to overcome WEP defects. In addition to the RC4 algorithm, WPA defines the Temporal Key Integrity Protocol (TKIP) encryption algorithm on the basis of WEP, uses the 802.1X identity authentication framework, and supports Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-Transport Layer Security (EAP-TLS) authentication. Later, 802.11i defined WPA2. WPA2 uses a more secure encryption algorithm: Counter Mode with CBC-MAC Protocol (CCMP).

Both WPA and WPA2 support 802.1X access authentication and the TKIP or CCMP encryption algorithm, giving better compatibility. With almost the same security level, they mainly differ in the protocol packet format.

The WPA/WPA2 security policy involves four phases: link authentication, access authentication, key negotiation, and data encryption.

Two authentication methods are available: WPA/WPA2-PSK authentication and WPA/WPA2-802.1X authentication.

  • WPA/WPA2-PSK authentication

    Both WPA and WPA2 support PSK authentication and the TKIP or AES encryption algorithm. They have almost the same security level and mainly differ in the protocol packet format.

    WPA/WPA2-PSK authentication applies to personal, home, and small office networks that do not require high network security or deployment of an authentication server. If STAs support only WEP encryption, PSK+TKIP can be implemented without a hardware upgrade, whereas PSK+AES may be implemented only after a hardware upgrade.

  • WPA/WPA2-802.1X authentication

    Both WPA and WPA2 support 802.1X authentication and the TKIP or AES encryption algorithm. They have almost the same security level and mainly differ in the protocol packet format.

    WPA/WPA2-802.1X authentication applies to networks that require high security, such as enterprise networks. An independent authentication server is required. If STAs support only WEP encryption, 802.1X+TKIP can be implemented without a hardware upgrade, whereas 802.1X+AES may be implemented only after a hardware upgrade.

STAs vary and support different authentication and encryption modes. To enable various types of STAs to access the network and facilitate management by network administrators, configure both WPA and WPA2. If the security policy is WPA-WPA2, STAs supporting WPA or WPA2 can be authenticated. If the encryption mode is TKIP-AES, any STAs supporting TKIP or AES can encrypt service packets.

Configuration Method

  • Configure WPA/WPA2-PSK authentication.

    Configure WPA-WPA2, TKIP-AES, and PSK authentication.

    <HUAWEI> system-view 
    [HUAWEI] wlan 
    [HUAWEI-wlan-view] security-profile name p1 
    [HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 psk pass-phrase abcdfffffg123 aes-tkip
  • Configure WPA/WPA2-802.1X authentication.

    Configure WPA-WPA2, TKIP-AES, and 802.1X authentication.

    <HUAWEI> system-view 
    [HUAWEI] wlan 
    [HUAWEI-wlan-view] security-profile name p1 
    [HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip

Verifying the Security Hardening Result

  • Run the display vap all command to check the VAP authentication mode based on the Auth type field.
  • Run the display security-profile name profile-name command to check the security policy configured in a security profile based on the Security policy field.
  • Run the display references security-profile name profile-name command to check reference information about a security profile.

WPA3

Security Policy

Compared with WPA and WPA2, WPA3 has the following improvements:
  • WPA3 introduces Simultaneous Authentication of Equals (SAE), which is a more secure handshake protocol. Theoretically, SAE provides forward secrecy. Even if an attacker knows the password on a network, the attacker cannot decrypt the obtained traffic. A WPA2 network, however, is vulnerable to password cracking attacks. That is, an attacker can decrypt obtained traffic using the password. Therefore, the use of SAE makes WPA3 much more secure than earlier WPA standards.
  • Cryptographic strength is enhanced through support for Suite B cryptography. That is, WPA3 supports AES-GCM with a 256-bit key and elliptic curve cryptography on a 384-bit curve. GCM is short for Galois/Counter Mode.

Based on application scenarios and security requirements, there are two WPA3 modes: WPA3-Enterprise and WPA3-Personal, that is, WPA3-802.1X and WPA3-SAE.

WPA3-Personal introduces the SAE handshake protocol. Compared with WPA/WPA2-PSK authentication, WPA3-SAE can effectively defend against offline dictionary attacks and mitigate brute force cracking posed by weak passwords. In addition, the SAE handshake protocol provides forward secrecy. Even if an attacker knows the password on the network, the attacker cannot decrypt the obtained traffic, greatly improving the security of a WPA3-Personal network.

WPA3-Enterprise still uses the authentication system of WPA2-Enterprise and uses the Extensible Authentication Protocol (EAP) for identity authentication. However, WPA3 enhances the algorithm strength by replacing the original cryptography suite with the Commercial National Security Algorithm (CNSA) Suite defined by the Federal Security Service (FSS). The CNSA Suite has a powerful encryption algorithm and applies to scenarios with extremely high security requirements.

WPA3-Enterprise supports Suite B, which uses 192-bit minimum-strength security and supports Galois Counter Mode Protocol-256 (GCMP-256), Galois Message Authentication Code-256 (GMAC-256), and SHA-384.

WPA2 is still widely used. To enable WPA3-incapable STAs to access a WPA3-configured network, the Wi-Fi Alliance defines the WPA3 transition mode. That is, WPA3 and WPA2 can coexist for a period of time in the future. This mode applies only to WPA3-Personal.

For open Wi-Fi networks, the Wi-Fi Alliance proposes Opportunistic Wireless Encryption (OWE) authentication based on open-system authentication of WPA3. OWE authentication is a Wi-Fi Enhanced Open authentication mode that allows for network access without the need to enter the password. In OWE authentication mode, a device uses the AES encryption algorithm to encrypt data on the network, thereby protecting data exchange between STAs and the Wi-Fi network.

The process of OWE authentication is similar to that of SAE. The difference is that OWE authentication eliminates the need for password maintenance. This authentication mode uses the Diffie-Hellman protocol to exchange keys to generate a PMK used for the subsequent four-way handshake. In addition to retaining the convenience of open networks, OWE authentication ensures data security for these networks.

The OWE transition mode provides backward compatibility with STAs that do not support OWE authentication. That is, non-OWE STAs access the network in open-system authentication mode, while OWE STAs access the network in OWE authentication mode. The OWE transition mode supports only the AES encryption mode.

In V200R019C00, ACs and APs support WPA3 authentication. In V200R019C10, only ACs support WPA3 authentication.

OWE authentication is available since V200R020C10.

Configuration Method

  • Configure WPA3-SAE authentication and set the user password to YsHsjx_202206.
    <HUAWEI> system-view
    [HUAWEI] wlan
    [HUAWEI-wlan-view] security-profile name p1
    [HUAWEI-wlan-sec-prof-p1] security wpa3 sae pass-phrase YsHsjx_202206 aes
  • Configure the WPA3-802.1X authentication mode.
    <HUAWEI> system-view
    [HUAWEI] wlan
    [HUAWEI-wlan-view] security-profile name p1
    [HUAWEI-wlan-sec-prof-p1] security wpa3 dot1x gcmp256
  • Configure WPA2-WPA3 authentication and set the user password to YsHsjx_202206.
    <HUAWEI> system-view
    [HUAWEI] wlan
    [HUAWEI-wlan-view] security-profile name p1
    [HUAWEI-wlan-sec-prof-p1] security wpa2-wpa3 psk-sae pass-phrase YsHsjx_202206 aes
  • Configure OWE authentication.
    <HUAWEI> system-view
    [HUAWEI] wlan
    [HUAWEI-wlan-view] security-profile name p1
    [HUAWEI-wlan-sec-prof-p1] security enhanced-open aes
  • Set the authentication mode to the OWE transition mode and the SSID using the open-system authentication mode to wlan-net.
    <HUAWEI> system-view
    [HUAWEI] wlan
    [HUAWEI-wlan-view] security-profile name p1
    [HUAWEI-wlan-sec-prof-p1] security enhanced-open aes transition-ssid wlan-net

Verifying the Security Hardening Result

  • Run the display vap all command to check the VAP authentication mode based on the Auth type field.
  • Run the display security-profile name profile-name command to check the security policy configured in a security profile based on the Security policy field.
  • Run the display references security-profile name profile-name command to check reference information about a security profile.

WAPI

Security Policy

WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese national security standard for WLANs, which was developed based on IEEE 802.11. WAPI provides higher security than WEP and WPA and consists of the following parts:

  • WLAN Authentication Infrastructure (WAI): authenticates user identities and manages keys.
  • WLAN Privacy Infrastructure (WPI): protects data transmitted on WLANs and provides the data encryption, data verification, and anti-replay functions.

WAPI uses the elliptic curve cryptography (ECC) algorithm based on the public-key cryptography and the block cipher algorithm based on the symmetric-key cryptography. The ECC algorithm is used for digital certificates, certificate authentication, and key negotiation of wireless devices. The block cipher algorithm is used to encrypt and decrypt data transmitted between wireless devices. The two algorithms implement identity authentication, link authentication, access control, and user information encryption.

Two authentication methods are available: WAPI-PSK authentication and WAPI-certificate authentication.

  • WAPI-PSK authentication

    WAPI-PSK authentication applies to home networks or small-scale enterprise networks. No additional certificate system is required.

  • WAPI-certificate authentication

    WAPI-certificate authentication applies to large-scale enterprise networks or carrier networks where expensive certificate systems need to be deployed and maintained. WAPI uses X.509 V3 certificates that are Base64-encoded and saved in PEM format. The extension of an X.509 V3 certificate file is .cer. Before importing a certificate for WAPI, ensure that the certificate file has been stored in the root directory of the device storage.

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if STAs use the same encryption key for a long time. WAPI provides the time-based key update mechanism. Both the Unicast Session Key (USK) and Multicast Session Key (MSK) have a lifetime and need to be updated when the lifetime ends.

Configuration Method

  • Configure WAPI-PSK authentication.
    <HUAWEI> system-view 
    [HUAWEI] wlan 
    [HUAWEI-wlan-view] security-profile name p1 
    [HUAWEI-wlan-sec-prof-p1] security wapi psk pass-phrase testpassword123  // Set the authentication method to PSK authentication and enter the key.
  • Configure WAPI-certificate authentication.
    <HUAWEI> system-view 
    [HUAWEI] wlan 
    [HUAWEI-wlan-view] security-profile name p1 
    [HUAWEI-wlan-sec-prof-p1] security wapi certificate  // Set the authentication method to WAPI-certificate authentication.
    [HUAWEI-wlan-sec-prof-p1] wapi import certificate ac format pem file-name flash:/ae.cer  // Load the AC certificate.
    [HUAWEI-wlan-sec-prof-p1] wapi import certificate asu format pem file-name flash:/as.cer  // Load the ASU certificate.
    [HUAWEI-wlan-sec-prof-p1] wapi import certificate issuer format pem file-name flash:/as.cer  // Load the issuer certificate.
    [HUAWEI-wlan-sec-prof-p1] wapi import private-key format pem file-name flash:/ae.cer  // Import the AC private key file.
    [HUAWEI-wlan-sec-prof-p1] wapi asu ip 10.164.10.10  // Set the IP address of the ASU server to 10.164.10.10.

Verifying the Security Hardening Result

  • Run the display vap all command to check the VAP authentication mode based on the Auth type field.
  • Run the display security-profile name profile-name command to check the security policy configured in a security profile based on the Security policy field.
  • Run the display references security-profile name profile-name command to check reference information about a security profile.

STA Blacklist and Whitelist

Security Policy

On a WLAN, a STA blacklist or whitelist can be configured to filter access requests from STAs based on specified rules, allowing authorized STAs to access the WLAN and rejecting unauthorized STAs.

  • STA whitelist

    A STA whitelist contains MAC addresses of STAs that are allowed to connect to a WLAN. After the STA whitelist function is enabled, only the STAs matching the whitelist can connect to the WLAN.

  • STA blacklist

    A STA blacklist contains MAC addresses of STAs that are not allowed to connect to a WLAN. After the STA blacklist function is enabled, STAs matching the blacklist cannot connect to the WLAN.

If the STA whitelist or blacklist function is enabled but the whitelist or blacklist is empty, all STAs can connect to the WLAN.
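The following is an added example, not part of the Huawei guide, that models the access decision just described (whitelist admits only listed STAs, blacklist rejects listed STAs, only one mode active per profile, and an enabled but empty list admits every STA) together with a small audit check for that last case. Profile names and MAC addresses are constructed; the MAC formats accepted are an assumption.

```python
"""Added example (not from the Huawei guide): model of the STA whitelist /
blacklist access decision.  Rules modelled:
  * whitelist mode: only listed MAC addresses may associate;
  * blacklist mode: listed MAC addresses are rejected, all others admitted;
  * a VAP profile or AP system profile has exactly one mode active;
  * an enabled but EMPTY list admits every STA (the case worth auditing).
MAC addresses below are constructed for illustration."""
import re
from dataclasses import dataclass, field

_MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00E0-FC20-746B (Huawei CLI form), 00:e0:fc:20:74:6b or
    00e0.fc20.746b and return the canonical 12-hex-digit upper-case form."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not _MAC_RE.match(digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


@dataclass
class StaAccessProfile:
    """One VAP profile or AP system profile with sta-access-mode applied."""
    mode: str                       # "whitelist", "blacklist" or "disable"
    macs: set = field(default_factory=set)

    def add(self, mac: str) -> None:
        """Equivalent of 'sta-mac <mac>' inside the list profile."""
        self.macs.add(normalize_mac(mac))

    def admits(self, mac: str) -> bool:
        """Decide whether a STA with this MAC may connect to the WLAN."""
        m = normalize_mac(mac)
        if self.mode == "disable" or not self.macs:
            return True             # no filtering, or enabled but empty list
        if self.mode == "whitelist":
            return m in self.macs
        if self.mode == "blacklist":
            return m not in self.macs
        raise ValueError(f"unknown sta-access-mode {self.mode!r}")


def audit_profile(profile: StaAccessProfile) -> list:
    """Findings a hardening review would raise for this profile."""
    findings = []
    if profile.mode in ("whitelist", "blacklist") and not profile.macs:
        findings.append(f"{profile.mode} enabled but empty: all STAs admitted")
    if profile.mode == "blacklist":
        findings.append("blacklist mode: unlisted STAs are admitted by default")
    return findings
```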

Configuration Method

Multiple STA whitelist and blacklist profiles can be configured on a WLAN device and applied to different virtual access point (VAP) profiles or AP system profiles. In a VAP profile or an AP system profile, only one of the two, a STA whitelist profile or a STA blacklist profile, takes effect at a time.

  • Configure a STA whitelist.
    1. Configure a STA whitelist profile.
      <HUAWEI> system-view 
      [HUAWEI] wlan 
      [HUAWEI-wlan-view] sta-whitelist-profile name sta-whitelist-profile1  // Create a whitelist profile named sta-whitelist-profile1.
      [HUAWEI-wlan-whitelist-prof-sta-whitelist-profile1] sta-mac 00E0-FC20-746B  // Add the MAC address of a STA.
      [HUAWEI-wlan-whitelist-prof-sta-whitelist-profile1] quit
    2. Apply the STA whitelist profile to a VAP profile or an AP system profile based on site requirements.
      • Apply the STA whitelist profile to a VAP profile.
        [HUAWEI-wlan-view] vap-profile name vap1  // Create a VAP profile named vap1.
        [HUAWEI-wlan-vap-prof-vap1] sta-access-mode whitelist sta-whitelist-profile1  // Bind the STA whitelist profile sta-whitelist-profile1 to the VAP profile vap1.
      • Apply the STA whitelist profile to an AP system profile.
        [HUAWEI-wlan-view] ap-system-profile name ap-system1   // Create an AP system profile named ap-system1.
        [HUAWEI-wlan-ap-system-prof-ap-system1] sta-access-mode whitelist sta-whitelist-profile1  // Bind the STA whitelist profile sta-whitelist-profile1 to the AP system profile ap-system1.
  • Configure a STA blacklist.
    1. Configure a STA blacklist profile.
      <HUAWEI> system-view 
      [HUAWEI] wlan 
      [HUAWEI-wlan-view] sta-blacklist-profile name sta-blacklist-profile1  // Create a blacklist profile named sta-blacklist-profile1.
      [HUAWEI-wlan-blacklist-prof-sta-blacklist-profile1] sta-mac 00E0-FC30-746B  // Add the MAC address of a STA.
      [HUAWEI-wlan-blacklist-prof-sta-blacklist-profile1] quit
    2. Apply the STA blacklist profile to a VAP profile or an AP system profile based on site requirements.
      • Apply the STA blacklist profile to a VAP profile.
        [HUAWEI-wlan-view] vap-profile name vap1  // Create a VAP profile named vap1.
        [HUAWEI-wlan-vap-prof-vap1] sta-access-mode blacklist sta-blacklist-profile1  // Bind the STA blacklist profile sta-blacklist-profile1 to the VAP profile vap1.
      • Apply the STA blacklist profile to an AP system profile.
        [HUAWEI-wlan-view] ap-system-profile name ap-system1   // Create an AP system profile named ap-system1.
        [HUAWEI-wlan-ap-system-prof-ap-system1] sta-access-mode blacklist sta-blacklist-profile1  // Bind the STA blacklist profile sta-blacklist-profile1 to the AP system profile ap-system1.

Verifying the Security Hardening Result

  • Run the display sta-whitelist-profile name profile-name command to check configuration and reference information about a STA whitelist profile.
  • Run the display sta-blacklist-profile name profile-name command to check configuration and reference information about a STA blacklist profile.
  • Run the display ap-system-profile name profile-name command to check whether STA access control is enabled based on the STA access mode field, the STA whitelist profile referenced by the AP system profile based on the STA whitelist profile field, and the STA blacklist profile referenced by the AP system profile based on the STA blacklist profile field.
  • Run the display vap-profile name profile-name command to check whether STA access control is enabled based on the STA access mode field, the STA whitelist profile referenced by the VAP profile based on the STA whitelist profile field, and the STA blacklist profile referenced by the VAP profile based on the STA blacklist profile field.
  • Run the display references sta-whitelist-profile name profile-name command to check reference information about a STA whitelist profile.
  • Run the display references sta-blacklist-profile name profile-name command to check reference information about a STA blacklist profile.

PMF

Attack Behavior

If management frames on a WLAN are transmitted without protection, they can be intercepted or forged, which creates security problems.

Security Policy

The Protected Management Frames (PMF) standard is released by Wi-Fi Alliance based on IEEE 802.11w. It aims to apply security measures defined in WPA2 to unicast and multicast management action frames to improve network trustworthiness.

Deploying PMF defends against the following attacks:

  • Attackers intercept management frames exchanged between APs and STAs.
  • Attackers forge APs and send Disassociation and Deauthentication frames to disconnect STAs.
  • Attackers forge STAs and send Disassociation frames to APs to disconnect the STAs.

Configuration Method

Configure PMF in mandatory mode to allow only PMF-supported STAs to access the network.

<HUAWEI> system-view 
[HUAWEI] wlan 
[HUAWEI-wlan-view] security-profile name p1 
[HUAWEI-wlan-sec-prof-p1] security wpa2 psk pass-phrase abcdfffffg aes 
[HUAWEI-wlan-sec-prof-p1] pmf mandatory 

Verifying the Security Hardening Result

  • Run the display security-profile name profile-name command to check whether the PMF function is enabled in a security profile based on the PMF field.
  • Run the display references security-profile name profile-name command to check reference information about a security profile.

Brute-Force Attack Defense and Dynamic Blacklist

Attack Behavior

During a brute force attack, the attacker searches for a password by trying all possible password combinations. This method is also called exhaustive search. For example, a password that contains only 4 digits has a maximum of 10,000 combinations, so it can be cracked after at most 10,000 attempts. Theoretically, the brute force method can crack any password, and attackers are always looking for ways to shorten the time required to do so. When a WLAN uses WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key as the security policy, attackers can use the brute force method to crack the password.

Security Policy

Defense against brute-force key cracking prolongs the time needed to crack a password. An AP checks whether the number of key negotiation failures during WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key authentication exceeds the configured threshold within the detection interval. If the threshold is exceeded, the AP considers that the user is using the brute force method to crack the password and reports an alarm to the AC. If the dynamic blacklist function is enabled, the AP also adds the user to the dynamic blacklist and discards all packets from the user until the dynamic blacklist entry ages out.
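The following is an added example, not part of the Huawei guide, that models the detection and dynamic blacklist behaviour described above: key negotiation failures per STA are counted in a sliding detection interval, an alarm is raised when the count exceeds the threshold, and with the dynamic blacklist enabled the STA's frames are discarded until the entry ages out. The interval (100 s) and threshold (60) mirror the configuration on this page; the aging time, the MAC addresses and the event trace are constructed.

```python
"""Added example (not from the Huawei guide): model of brute-force key
cracking detection with a dynamic blacklist.  Defaults mirror the page's
configuration (interval 100 s, threshold 60); aging_s is an assumption and
the MAC addresses in the trace are constructed."""
from collections import defaultdict, deque


class BruteForceDetector:
    def __init__(self, interval_s=100, threshold=60,
                 dynamic_blacklist=True, aging_s=600):
        self.interval_s = interval_s
        self.threshold = threshold
        self.dynamic_blacklist = dynamic_blacklist
        self.aging_s = aging_s
        self._failures = defaultdict(deque)   # mac -> failure timestamps
        self._blacklist = {}                  # mac -> entry expiry time
        self.alarms = []                      # (time, mac, count) sent to AC

    def is_blacklisted(self, mac, now):
        exp = self._blacklist.get(mac)
        if exp is None:
            return False
        if now >= exp:                # entry aged out: STA may retry
            del self._blacklist[mac]
            return False
        return True

    def key_negotiation_failed(self, mac, now):
        """Record one failed PSK / WAPI-PSK / WEP-shared-key negotiation.
        Returns True if the STA is (now) blacklisted."""
        if self.is_blacklisted(mac, now):
            return True
        window = self._failures[mac]
        window.append(now)
        # keep only failures inside the detection interval
        while window and now - window[0] >= self.interval_s:
            window.popleft()
        if len(window) > self.threshold:
            self.alarms.append((now, mac, len(window)))
            if self.dynamic_blacklist:
                self._blacklist[mac] = now + self.aging_s
                window.clear()
                return True
        return False

    def accept_frame(self, mac, now):
        """All packets from a blacklisted STA are discarded."""
        return not self.is_blacklisted(mac, now)


def run_constructed_trace(det=None):
    """Constructed trace: one STA fails 61 negotiations in 61 s while a
    legitimate user mistypes the passphrase three times.  Returns whether
    each STA's frames are accepted at t=100 s: (attacker, user)."""
    det = det if det is not None else BruteForceDetector()
    attacker, user = "00E0-FC11-2233", "00E0-FC44-5566"
    for t in range(61):
        det.key_negotiation_failed(attacker, t)
    for t in (5, 40, 90):
        det.key_negotiation_failed(user, t)
    return det.accept_frame(attacker, 100), det.accept_frame(user, 100)
```

Note that failures spread out more slowly than the threshold allows within one interval (for example 61 failures over 120 s) never trigger the alarm, which is why the interval and threshold are tuned together.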

Configuration Method

Set the maximum number of key negotiation failures allowed within a brute-force key cracking attack detection period (100 seconds) to 60. Enable the dynamic blacklist function so that when the number of key negotiation failures from a user exceeds 60, the user is added to the blacklist.

In V200R019C00 and earlier versions:

<HUAWEI> system-view 
[HUAWEI] wlan 
[HUAWEI-wlan-view] ap-group name office 
[HUAWEI-wlan-ap-group-office] radio 0 
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wpa-psk 
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wpa2-psk 
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wapi-psk
[HUAWEI-wlan-group-radio-office/0] wids attack detect enable wep-share-key
[HUAWEI-wlan-group-radio-office/0] quit 
[HUAWEI-wlan-ap-group-office] quit 
[HUAWEI-wlan-view] wids-profile name default 
[HUAWEI-wlan-wids-prof-default] brute-force-detect interval 100
[HUAWEI-wlan-wids-prof-default] brute-force-detect threshold 60
[HUAWEI-wlan-wids-prof-default] dynamic-blacklist enable

In versions later than V200R019C00:

<HUAWEI> system-view 
[HUAWEI] wlan 
[HUAWEI-wlan-view] ap-group name office 
[HUAWEI-wlan-ap-group-office] radio 0 
[HUAWEI-wlan-group-radio-office/0] wids attack detect wpa-psk enable  
[HUAWEI-wlan-group-radio-office/0] wids attack detect wpa2-psk enable 
[HUAWEI-wlan-group-radio-office/0] wids attack detect wapi-psk enable
[HUAWEI-wlan-group-radio-office/0] wids attack detect wep-share-key enable
[HUAWEI-wlan-group-radio-office/0] quit 
[HUAWEI-wlan-ap-group-office] quit 
[HUAWEI-wlan-view] wids-profile name default 
[HUAWEI-wlan-wids-prof-default] brute-force-detect interval 100
[HUAWEI-wlan-wids-prof-default] brute-force-detect threshold 60
[HUAWEI-wlan-wids-prof-default] undo dynamic-blacklist disable

Verifying the Security Hardening Result

  • Run the display wids-profile name profile-name command to check the interval for brute force cracking detection based on the Brute force detect interval(s) field, the detection threshold for brute force cracking based on the Brute force detect threshold field, and whether the dynamic blacklist function is enabled based on the Dynamic blacklist field.
  • Run the display ap-group name profile-name command to check the types of attacks for which detection is enabled based on the WIDS attack detect field.
  • Run the display ap config-info { ap-id ap-id | ap-name ap-name } command to check the types of attacks for which detection is enabled based on the WIDS attack detect field.
Update Date: 2025-06-24
Document ID: EDOC1100096305