Configuring a WLAN Security Policy
You can configure WLAN security policies to authenticate the identities of wireless terminals and encrypt user packets, protecting the security of the WLAN and its users. The supported WLAN security policies are open system authentication, WEP, WPA/WPA2-PSK, WPA/WPA2-802.1X, WPA3-SAE, WPA3-802.1X, WAPI-PSK, and WAPI-certificate. You can configure one of them in a security profile. Open system authentication and WPA/WPA2/WPA3-802.1X must be configured together with NAC to manage user access.
Pre-configuration Tasks
Before configuring a security policy, configure basic WLAN services.
Procedure
WLAN security policies are configured using profiles. Figure 26-23 shows the configuration flowchart.
The configuration procedure is as follows:
Creating a Security Profile
Configuring a Security Policy
Context
The following table gives recommendations on configuring a WLAN security policy.
| Security Policy | Recommended Configuration Scenario | Description | User Access Authentication Mode |
|---|---|---|---|
| Open system authentication | Public places with high user mobility, such as airports, stations, business centers, conference halls, and sports stadiums. Open system authentication is configured together with Portal authentication, based on which user authentication, accounting, and authorization are supported, and customized pages can be pushed. | It is not secure to use open system authentication on its own: any wireless terminal can access the network without authentication. You are advised to configure open system authentication together with Portal authentication or MAC address authentication. | |
| WEP | None | The WEP security policy is not recommended due to its low security. | None |
| WPA/WPA2-PSK | Individual or home networks | The WPA/WPA2-PSK security policy has higher security than WEP. Additionally, no third-party server is required, and the cost is low. | None |
| WPA3-SAE | Individual or home networks | This security policy has higher security than WPA/WPA2-PSK authentication. Additionally, no third-party server is required, and the cost is low. | None |
| WPA/WPA2-802.1X | Scenarios with fixed users that require high security and centralized management and authorization, such as mobile office, campus networks, and mobile administration | This security policy provides high security and requires a third-party server. | 802.1X authentication |
| WPA3-802.1X | Hotels and retail stores | This security policy provides high security and requires a third-party server, with poor compatibility. | 802.1X authentication |
| WAPI-PSK | None | WAPI-PSK has higher security than WEP and requires no third-party server. Only some terminals support the protocol. | None |
| WAPI-certificate | None | The WAPI-certificate security policy has high security and requires a third-party server. Only some terminals support the protocol. | None |
Configuring Open System Authentication
Context
Open system authentication means no authentication and no encryption: anyone can connect to the network without being authenticated. To ensure network security, you are advised to configure open system authentication together with Portal authentication or MAC address authentication. For the configuration of Portal authentication and MAC address authentication, see Configuring NAC.
Configuring Static WEP
Context
Static WEP uses a shared key to authenticate users and encrypt service packets. Because the shared key is easy to recover, the WEP security policy is not recommended due to its low security. When configuring static WEP, you are advised to enable detection of brute-force key cracking attacks. For details, see Configuring Attack Detection and Dynamic Blacklist.
The WEP encryption algorithm is insecure. WPA2 is recommended in scenarios that have high security requirements.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile name profile-name
The security profile view is displayed.
- Run security wep [ share-key ]
The security policy is set to static WEP.
By default, the security policy is open.
When the share-key parameter is present, WEP uses the configured shared key to authenticate wireless terminals and encrypt service packets. If the parameter is not present, WEP only encrypts the service packets. A shared key is configured on the wireless terminals regardless of whether the parameter is present.
Each AP can have at most four key indexes configured. The key indexes used by different VAPs cannot be the same.
- Run wep key key-id { wep-40 | wep-104 | wep-128 } { pass-phrase | hex } key-value
The static WEP shared key and key index are configured.
By default, WEP-40 is used. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.
- Run wep default-key key-id
The index of the shared key used by WEP is configured.
By default, key 0 is used for WEP authentication or encryption.
Four shared keys can be configured for WEP. You can run this command to make the key with the specified index take effect. The key index ID on the device starts from 0.
After an SSID of a WLAN is scanned, users cannot access the network by clicking or double-clicking the SSID on some terminals due to default terminal settings. In this situation, manually create a WLAN on the terminal and enter the SSID, identity authentication and encryption modes, key, and key index configured on the device. After that, users can connect to the WLAN through the terminal. The key index on some terminals starts from 1 and ranges from 1 to 4. The key indexes configured on the terminal must map to those configured on the device in ascending order. For example, if key index 0 takes effect on the device, the key index should be set to 1 on the terminal.
Configuring Dynamic WEP
Context
In static WEP encryption mode, the same WEP key is used to encrypt traffic of different users, which is a security risk. Before 802.11i was released, no unified wireless encryption standard was available, so vendors enhanced WEP encryption by leveraging 802.1X authentication to achieve dynamic WEP encryption. Keys for dynamic WEP encryption are dynamically generated and delivered by the server, so different WEP keys are used to encrypt traffic of different users.
- Configuration on the macOS operating system:
  - Access the network management page. On the Wi-Fi tab, tap the icon to manually add a WLAN.
  - On the page for manually adding a WLAN, set the network name to the SSID configured on the device, set the security policy to Dynamic WEP, and configure the user name and password.
- Configuration on the Windows 7 operating system:
  - Access the Manage wireless networks page, click Add and select Manually create a network profile. Set the network name to the SSID configured on the device, set the authentication mode to 802.1x and the encryption mode to WEP, and click Next.
  - Scan SSIDs and double-click SSID wlan-net. On the Security tab page, set EAP type to PEAP and click Settings. In the dialog box that is displayed, deselect Validate server certificate and click Configure. In the dialog box that is displayed, deselect Automatically use my Windows logon name and password and click OK.
The WEP encryption algorithm is insecure. WPA2 is recommended in scenarios that have high security requirements.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile name profile-name
The security profile view is displayed.
- Run security wep dynamic
The security policy is set to dynamic WEP.
By default, the security policy is open.
- Run wep key key-id { wep-40 | wep-104 | wep-128 } dot1x
The dynamic WEP key index and length are configured.
By default, WEP-40 is used. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.
- Run wep default-key key-id
The index of the shared key used by WEP is configured.
By default, key 0 is used for WEP authentication or encryption.
Four shared keys can be configured for WEP. You can run this command to make the key with the specified index take effect. The key index ID on the device starts from 0.
- Configure 802.1X authentication. For details, see Configuring NAC.
Configuring WPA/WPA2-PSK
Context
Both WPA and WPA2 support PSK authentication and the TKIP or AES encryption algorithm. The WPA and WPA2 protocols provide almost the same security level; their difference lies in the protocol packet format.
The WPA/WPA2-PSK security policy applies to individual, home, and SOHO networks that do not require high security. The implementation of the security policy does not require an authentication server. If a wireless terminal supports only WEP encryption, the terminal can implement PSK+TKIP without hardware upgrading, whereas the terminal may need to upgrade its hardware to implement PSK+AES.
Wireless terminals vary and support different authentication and encryption modes. To enable terminals of various types to access the network and facilitate network management, you can configure WPA and WPA2 simultaneously on the device. If the security policy is set to WPA-WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports TKIP or AES can implement service packet encryption.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile name profile-name
The security profile view is displayed.
- Run security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value { aes | tkip | aes-tkip }, or security wpa-wpa2 psk { pass-phrase | hex } key-value tkip aes
The security policy is set to WPA/WPA2-PSK.
- (Optional) Run wpa ptk-update enable
Periodic PTK update is enabled.
By default, periodic PTK update is disabled.
When periodic PTK update is implemented, some STAs may encounter service interruptions or go offline due to individual problems.
- (Optional) Run wpa ptk-update ptk-update-interval ptk-rekey-interval
The PTK update interval is configured.
By default, the interval for updating PTKs is 43200 seconds.
- (Optional) Run pmf { optional | mandatory }
The PMF function is configured.
By default, the PMF function is disabled for a VAP.
PMF can only be configured when the authentication mode is WPA2 and the encryption mode is AES.
Configuring WPA/WPA2-802.1X
Context
Both WPA and WPA2 support 802.1X authentication and the TKIP or AES encryption algorithm. The WPA and WPA2 protocols provide almost the same security level; their difference lies in the protocol packet format.
WPA/WPA2-802.1X applies to enterprise networks that require high security. An independent authentication server needs to be deployed. If customers' devices support only WEP encryption, the devices can implement 802.1X+TKIP without hardware upgrading, whereas the devices may need to upgrade their hardware to implement 802.1X+AES.
Wireless terminals vary and support different authentication and encryption modes. To enable terminals of various types to access the network and facilitate network management, you can configure WPA and WPA2 simultaneously on the device. If the security policy is set to WPA-WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports TKIP or AES can implement service packet encryption.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile name profile-name
The security profile view is displayed.
- Run security { wpa | wpa2 | wpa-wpa2 } dot1x { aes | tkip | aes-tkip }, or security wpa-wpa2 dot1x tkip aes
The security policy is set to WPA/WPA2-802.1X.
An authentication profile must be configured for 802.1X access authentication. For details, see Configuring NAC.
The authentication type in the security profile and authentication profile must both be set to 802.1X authentication. You can run the display wlan config-errors command to check whether error messages are generated for authentication type mismatch between the security profile and authentication profile.
- (Optional) Run wpa ptk-update enable
Periodic PTK update is enabled.
By default, periodic PTK update is disabled.
When periodic PTK update is implemented, some STAs may encounter service interruptions or go offline due to individual problems.
- (Optional) Run wpa ptk-update ptk-update-interval ptk-rekey-interval
The PTK update interval is configured.
By default, the interval for updating PTKs is 43200 seconds.
- (Optional) Run pmf { optional | mandatory }
The PMF function is configured.
By default, the PMF function is disabled for a VAP.
PMF can only be configured when the authentication mode is WPA2 and the encryption mode is AES.
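The WPA/WPA2-PSK and WPA/WPA2-802.1X procedures above share the same optional PTK-update and PMF steps, and the WPA3 sections that follow state when the pmf command has no effect. The following script is an added example, not Huawei's code: it builds the security-profile CLI lines in the order the procedures run them and lints a profile against the constraints this section states (PMF needs WPA2 with AES; WPA3 forces PMF mandatory; WPA2-WPA3 forces PMF optional) before the profile is pasted into the WLAN view. The pass-phrase and hex key length rules are an assumption taken from IEEE 802.11 PSK conventions, not from this page, and the sample profiles are constructed.

```python
"""Added example (not Huawei's code): build the security-profile CLI lines
shown in this section for a WPA/WPA2/WPA3 profile and lint the profile
against the constraints the section states before it is applied."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Policies and authentication modes, spelled as the CLI keywords on this page.
WPA_FAMILY = ("wpa", "wpa2", "wpa-wpa2")


@dataclass
class SecurityProfile:
    name: str
    policy: str                       # wpa | wpa2 | wpa-wpa2 | wpa3 | wpa2-wpa3
    auth: str                         # psk | dot1x | sae | psk-sae
    cipher: str = "aes"               # aes | tkip | aes-tkip | gcmp256
    key_value: Optional[str] = None   # PSK/SAE pass-phrase or hex key
    key_format: str = "pass-phrase"   # pass-phrase | hex
    pmf: Optional[str] = None         # None (device default: disabled) | optional | mandatory
    ptk_update: bool = False          # wpa ptk-update enable (device default: disabled)
    ptk_interval: int = 43200         # seconds, device default on this page


def check_profile(p: SecurityProfile) -> List[str]:
    """Return a list of findings; an empty list means the profile is consistent."""
    problems = []
    if "tkip" in p.cipher:
        problems.append(f"{p.name}: TKIP is a WEP-era cipher kept for legacy terminals; prefer AES")
    if p.pmf is not None:
        if p.policy in ("wpa3", "wpa2-wpa3"):
            # Page rule: pmf has no effect under WPA3 (forced mandatory) or WPA2-WPA3 (forced optional).
            problems.append(f"{p.name}: 'pmf {p.pmf}' has no effect; WPA3 forces mandatory, WPA2-WPA3 forces optional")
        elif not (p.policy == "wpa2" and p.cipher == "aes"):
            problems.append(f"{p.name}: PMF requires WPA2 authentication with AES encryption")
    elif p.policy in WPA_FAMILY:
        problems.append(f"{p.name}: PMF is disabled by default; set 'pmf mandatory' on a WPA2/AES profile where terminals support it")
    if p.auth == "psk" and p.policy in WPA_FAMILY:
        # Assumption from IEEE 802.11 PSK rules (not stated on this page):
        # a pass-phrase is 8..63 characters, a hex key is exactly 64 hex digits.
        key = p.key_value or ""
        if p.key_format == "pass-phrase" and not 8 <= len(key) <= 63:
            problems.append(f"{p.name}: pass-phrase must be 8 to 63 characters")
        if p.key_format == "hex" and not re.fullmatch(r"[0-9A-Fa-f]{64}", key):
            problems.append(f"{p.name}: hex key must be 64 hexadecimal digits")
    if p.ptk_update and p.ptk_interval <= 0:
        problems.append(f"{p.name}: ptk-update-interval must be positive")
    return problems


def render(p: SecurityProfile) -> List[str]:
    """CLI lines in the order the procedure runs them (system-view, wlan, profile, policy, options)."""
    lines = ["system-view", "wlan", f"security-profile name {p.name}"]
    if p.policy in WPA_FAMILY and p.auth == "psk":
        lines.append(f"security {p.policy} psk {p.key_format} {p.key_value} {p.cipher}")
    elif p.policy in WPA_FAMILY and p.auth == "dot1x":
        lines.append(f"security {p.policy} dot1x {p.cipher}")
    elif p.policy == "wpa3" and p.auth == "sae":
        lines.append(f"security wpa3 sae pass-phrase {p.key_value} aes")
    elif p.policy == "wpa3" and p.auth == "dot1x":
        lines.append("security wpa3 dot1x gcmp256")
    elif p.policy == "wpa2-wpa3" and p.auth == "psk-sae":
        lines.append(f"security wpa2-wpa3 psk-sae pass-phrase {p.key_value} aes")
    else:
        raise ValueError(f"unsupported combination {p.policy}/{p.auth}")
    if p.ptk_update:
        lines.append("wpa ptk-update enable")
        if p.ptk_interval != 43200:           # only emit a non-default interval
            lines.append(f"wpa ptk-update ptk-update-interval {p.ptk_interval}")
    if p.pmf is not None and p.policy in WPA_FAMILY:
        lines.append(f"pmf {p.pmf}")
    return lines


if __name__ == "__main__":
    # Constructed sample profiles: a legacy mixed-mode PSK profile beside a hardened 802.1X one.
    legacy = SecurityProfile("guest-legacy", "wpa-wpa2", "psk", "aes-tkip",
                             key_value="changeme1", pmf="mandatory")
    staff = SecurityProfile("staff", "wpa2", "dot1x", "aes", pmf="mandatory", ptk_update=True)
    for prof in (legacy, staff):
        print("\n".join(render(prof)))
        for finding in check_profile(prof) or ["no findings"]:
            print("  #", finding)
```

Running the script prints the command lines for both profiles; the legacy profile is flagged twice (TKIP is negotiable, and PMF cannot be enabled on a WPA-WPA2 mixed profile), while the WPA2/AES 802.1X profile passes, which is the combination the PMF note in the procedure requires.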
Configuring WPA3-SAE Authentication
Context
There are two types of WPA3 authentication: WPA3-802.1X authentication (also called WPA3-Enterprise) and WPA3-SAE authentication (also called WPA3-Personal).
Similar to WPA/WPA2-PSK authentication, WPA3-SAE authentication applies to individual, home, and small SOHO networks that do not require high network security or the deployment of an authentication server. However, WPA3-SAE introduces the SAE handshake protocol. Compared with WPA/WPA2-PSK authentication, WPA3-SAE effectively defends against offline dictionary attacks and makes brute-force cracking harder. In addition, the SAE handshake protocol provides forward secrecy: even if an attacker knows the network password, the attacker cannot decrypt or obtain traffic, which greatly improves the security of a WPA3-Personal network.
WPA3 authentication automatically enables the PMF function in mandatory mode. That is, configuring the pmf { optional | mandatory } command does not take effect in WPA3 authentication scenarios.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile name profile-name
The security profile view is displayed.
- Run security wpa3 sae pass-phrase key-value aes
The security policy is set to WPA3-SAE authentication.
By default, the security policy is open.
Configuring WPA2-WPA3 Hybrid Authentication
Context
Because WPA2 is still widely used, to enable WPA3-incapable STAs to access a WPA3-configured network, the device supports the WPA3-SAE transition mode, that is, WPA2-WPA3 authentication.
This mode applies only to WPA3-Personal, not to WPA3-Enterprise. In addition, WPA3 can be used together only with WPA2, and only AES encryption is supported.
WPA2-WPA3 hybrid authentication automatically enables the PMF function in optional mode. That is, configuring the pmf { optional | mandatory } command does not take effect in WPA2-WPA3 hybrid authentication scenarios.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile name profile-name
The security profile view is displayed.
- Run security wpa2-wpa3 psk-sae pass-phrase key-value aes
The security policy is set to WPA2-WPA3 hybrid authentication.
By default, the security policy is open.
Configuring WPA3-802.1X Authentication
Context
There are two types of WPA3 authentication: WPA3-802.1X authentication (also called WPA3-Enterprise) and WPA3-SAE authentication (also called WPA3-Personal).
Compared with WPA2-802.1X authentication, WPA3-802.1X authentication enhances the algorithm strength by increasing the key length to 192 bits (WPA2 uses a 128-bit encryption key). WPA3-802.1X authentication is applicable to scenarios with high security requirements, such as governments and large enterprises.
WPA3-802.1X authentication has specific requirements on terminals and servers. To deploy WPA3-802.1X authentication, you may need to upgrade related hardware.
WPA3 authentication automatically enables the PMF function in mandatory mode. That is, configuring the pmf { optional | mandatory } command does not take effect in WPA3 authentication scenarios.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile name profile-name
The security profile view is displayed.
- Run security wpa3 dot1x gcmp256
The security policy is set to WPA3-802.1X authentication.
By default, the security policy is open.
- Configure 802.1X access authentication. For details, see Configuring NAC.
The authentication type in the security profile and authentication profile must both be set to 802.1X authentication. You can run the display wlan config-errors command to check whether error messages are generated for authentication type mismatch between the security profile and authentication profile.
Configuring WAPI-PSK
Context
WAPI allows only robust security network association (RSNA), providing higher security than WEP or WPA/WPA2.
WAPI-PSK applies to home networks or small-scale enterprise networks. No additional certificate system is required.
WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the unicast session key (USK) and multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile name profile-name
The security profile view is displayed.
- Run security wapi psk { pass-phrase | hex } key-value
The security policy is set to WAPI-PSK.
- (Optional) Run wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }
The interval for updating a Base Key (BK) and the BK lifetime percentage are set.
The value obtained by multiplying the interval for updating a BK by the BK lifetime percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is less than 300s, the BK may be updated before negotiation is complete due to low STA performance. In this case, some STAs may be forced offline or cannot go online.
By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.
- (Optional) Run wapi sa-timeout sa-time
The timeout period of a security association is set.
By default, the timeout period for an SA is 60s.
If a STA is not authenticated within the timeout period, no SA is established and the STA cannot go online.
- (Optional) Run wapi { usk | msk } key-update { disable | time-based }
The WAPI USK or MSK update mode is set.
By default, USKs and MSKs are updated based on time.
- (Optional) Run wapi { usk-update-interval usk-interval | usk-retrans-count usk-count }
The interval for updating a USK, and number of retransmissions of USK negotiation packets are set.
By default, the interval for updating a USK is 86400s; the number of retransmissions of USK negotiation packets is 3.
- (Optional) Run wapi { msk-update-interval msk-interval | msk-retrans-count msk-count }
The interval for updating an MSK, and number of retransmissions of MSK negotiation packets are set.
By default, the interval for updating an MSK is 86400s; the number of retransmissions of MSK negotiation packets is 3.
Configuring WAPI-Certificate
Context
WAPI allows only robust security network association (RSNA), providing higher security than WEP or WPA/WPA2.
WAPI-certificate applies to large-scale enterprise networks or carrier networks that can deploy and maintain an expensive certificate system.
WAPI uses X.509 V3 certificates encoded in Base64 binary mode and saved in PEM format. The X.509 V3 certificate file has the name extension .cer. Before importing a certificate for WAPI, ensure that the certificate file is saved in the root directory of the storage medium.
WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the unicast session key (USK) and multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile name profile-name
The security profile view is displayed.
- Run security wapi certificate
The security policy is set to WAPI-certificate.
- Configure the certificate file and ASU server.
- (Optional) Run wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }
The interval for updating a Base Key (BK) and the BK lifetime percentage are set.
The value obtained by multiplying the interval for updating a BK by the BK lifetime percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is less than 300s, the BK may be updated before negotiation is complete due to low STA performance. In this case, some STAs may be forced offline or cannot go online.
By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.
- (Optional) Run wapi sa-timeout sa-time
The timeout period of a security association is set.
By default, the timeout period for an SA is 60s.
If a STA is not authenticated within the timeout period, no SA is established and the STA cannot go online.
- (Optional) Run wapi { usk | msk } key-update { disable | time-based }
The WAPI USK or MSK update mode is set.
By default, USKs and MSKs are updated based on time.
- (Optional) Run wapi { usk-update-interval usk-interval | usk-retrans-count usk-count }
The interval for updating a USK, and number of retransmissions of USK negotiation packets are set.
By default, the interval for updating a USK is 86400s; the number of retransmissions of USK negotiation packets is 3.
- (Optional) Run wapi { msk-update-interval msk-interval | msk-retrans-count msk-count }
The interval for updating an MSK, and number of retransmissions of MSK negotiation packets are set.
By default, the interval for updating an MSK is 86400s; the number of retransmissions of MSK negotiation packets is 3.
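The optional WAPI steps in both the WAPI-PSK and WAPI-certificate procedures set the same key-update timers, and both carry the constraint that the BK update interval multiplied by the BK lifetime percentage must be at least 300 seconds. The following script is an added example, not Huawei's code: it models those timers with the defaults this section gives, checks the BK constraint and the USK/MSK update mode before the commands are issued, and emits only the wapi lines that differ from the device defaults. The sample timer values are constructed.

```python
"""Added example (not Huawei's code): model the WAPI key-update timers from
this section and check the BK constraint the page states (update interval x
lifetime percentage >= 300 s) before emitting the 'wapi ...' lines."""
from dataclasses import dataclass
from typing import List


@dataclass
class WapiTimers:
    bk_update_interval: int = 43200   # seconds, device default on this page
    bk_threshold: int = 70            # percent of the BK lifetime, device default
    sa_timeout: int = 60              # seconds, device default
    usk_time_based: bool = True       # wapi usk key-update time-based (device default)
    msk_time_based: bool = True       # wapi msk key-update time-based (device default)
    usk_update_interval: int = 86400  # seconds, device default
    usk_retrans_count: int = 3        # device default
    msk_update_interval: int = 86400  # seconds, device default
    msk_retrans_count: int = 3        # device default


def bk_rekey_point(t: WapiTimers) -> int:
    """Seconds after BK establishment at which BK re-negotiation starts."""
    return t.bk_update_interval * t.bk_threshold // 100


def check_wapi_timers(t: WapiTimers) -> List[str]:
    """Findings against the constraints stated in this section; empty means consistent."""
    problems = []
    if t.bk_update_interval < 300:
        problems.append("bk-update-interval below 300 s: the BK may be updated before negotiation completes on slow STAs")
    if bk_rekey_point(t) < 300:
        problems.append(f"bk-update-interval x bk-threshold = {bk_rekey_point(t)} s, must be >= 300 s")
    for key, enabled in (("usk", t.usk_time_based), ("msk", t.msk_time_based)):
        if not enabled:
            # Page context: a STA using the same key for a long time is a security risk.
            problems.append(f"{key} key-update disabled: the same {key.upper()} stays in use for the life of the association")
    if t.sa_timeout <= 0:
        problems.append("sa-timeout must be positive")
    return problems


def render_wapi_lines(t: WapiTimers) -> List[str]:
    """Emit only settings that differ from the device defaults, in the command forms on this page."""
    d = WapiTimers()
    lines = []
    if t.bk_update_interval != d.bk_update_interval:
        lines.append(f"wapi bk-update-interval {t.bk_update_interval}")
    if t.bk_threshold != d.bk_threshold:
        lines.append(f"wapi bk-threshold {t.bk_threshold}")
    if t.sa_timeout != d.sa_timeout:
        lines.append(f"wapi sa-timeout {t.sa_timeout}")
    for key in ("usk", "msk"):
        if not getattr(t, f"{key}_time_based"):
            lines.append(f"wapi {key} key-update disable")
        interval = getattr(t, f"{key}_update_interval")
        if interval != getattr(d, f"{key}_update_interval"):
            lines.append(f"wapi {key}-update-interval {interval}")
        retrans = getattr(t, f"{key}_retrans_count")
        if retrans != getattr(d, f"{key}_retrans_count"):
            lines.append(f"wapi {key}-retrans-count {retrans}")
    return lines


if __name__ == "__main__":
    # Constructed samples: the device defaults, and an aggressive BK schedule that breaks the 300 s rule.
    for timers in (WapiTimers(), WapiTimers(bk_update_interval=400, bk_threshold=50)):
        print(f"BK re-negotiation starts after {bk_rekey_point(timers)} s")
        print("\n".join(render_wapi_lines(timers)) or "(all defaults)")
        for finding in check_wapi_timers(timers) or ["no findings"]:
            print("  #", finding)
```

With the defaults the BK is re-negotiated 30240 seconds after it is established and nothing needs to be configured; the second sample keeps the interval itself above 300 s but the 50% threshold brings the re-negotiation point down to 200 s, which is exactly the case the procedure warns can force STAs offline.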
Applying the Security Policy Configuration to a VAP Profile
Context
After a WLAN security policy is configured in a security profile, bind the security profile to a VAP profile. Each VAP profile contains one security profile. Wireless terminals can connect to the WLAN through an SSID only after they complete identity authentication according to the security policy configured in the VAP profile.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run vap-profile name profile-name
The VAP profile view is displayed.
- Run security-profile profile-name
The security profile is bound to the VAP profile.
By default, the security profile named default is bound to a VAP profile.
Verifying the Security Policy Configuration
Context
After the WLAN security policy configuration is complete, check the security profiles on the device, including their configuration and profile reference information, and content of the certificate imported during WAPI-certificate authentication.
Procedure
- Run the display security-profile { all | name profile-name } command to check information about a security profile.
- Run the display references security-profile name profile-name command to check reference information about a security profile.
- Run the display wlan wapi certificate file-name file-name command to check the content of the certificate imported during WAPI-certificate authentication.
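The binding and verification steps above tell you to check each security profile and its references. The following script is an added example, not Huawei's code: it resolves which security policy each VAP profile actually uses from a running-configuration excerpt, applying the two defaults this page states (a security profile without a security line is open, and a VAP profile without a security-profile line uses the profile named default), and then reports bindings a reviewer would want to look at. The excerpt is constructed in the layout the commands on this page produce; the real output of the display commands may be formatted differently, and the WEP key is a placeholder.

```python
"""Added example (not Huawei's code): resolve the security policy in effect
for each VAP profile from a running-configuration excerpt and flag bindings
that need attention (default profile, open, WEP, TKIP)."""
from typing import Dict, List

# Constructed sample in the layout the commands on this page produce.
SAMPLE_CONFIG = """\
#
wlan
 security-profile name default
 security-profile name staff-sec
  security wpa2 dot1x aes
  pmf mandatory
 security-profile name iot-sec
  security wep share-key
  wep key 0 wep-40 pass-phrase <placeholder-key>
 vap-profile name staff-vap
  security-profile staff-sec
 vap-profile name iot-vap
  security-profile iot-sec
 vap-profile name guest-vap
  ssid-profile guest-ssid
#
"""


def parse_bindings(config: str) -> Dict[str, Dict[str, str]]:
    """Map each VAP profile to its security profile and the security line in effect.

    A security profile with no 'security' line is open (device default); a VAP
    profile with no 'security-profile' line is bound to the profile named 'default'.
    """
    sec_policy: Dict[str, str] = {}
    vap_binding: Dict[str, str] = {}
    block_kind = block_name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("security-profile name "):
            block_kind, block_name = "sec", line.split(None, 2)[2]
            sec_policy.setdefault(block_name, "open")
        elif line.startswith("vap-profile name "):
            block_kind, block_name = "vap", line.split(None, 2)[2]
            vap_binding.setdefault(block_name, "default")
        elif block_kind == "sec" and line.startswith("security "):
            sec_policy[block_name] = line[len("security "):]
        elif block_kind == "vap" and line.startswith("security-profile "):
            vap_binding[block_name] = line.split(None, 1)[1]
        elif line == "#":
            block_kind = block_name = None   # end of the current configuration block
    return {vap: {"security_profile": prof, "policy": sec_policy.get(prof, "open")}
            for vap, prof in vap_binding.items()}


def review_bindings(bindings: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Per-VAP findings based on the recommendations in this page's policy table."""
    findings: Dict[str, List[str]] = {}
    for vap, info in bindings.items():
        notes = []
        policy = info["policy"]
        if info["security_profile"] == "default":
            notes.append("bound to the default security profile; bind a purpose-built profile")
        if policy == "open":
            notes.append("open system authentication: acceptable only together with Portal or MAC address authentication via NAC")
        elif policy.startswith("wep"):
            notes.append("WEP is not recommended due to its low security; migrate to WPA2 or WPA3")
        elif "tkip" in policy:
            notes.append("TKIP is negotiable; prefer AES once legacy terminals are gone")
        findings[vap] = notes
    return findings


if __name__ == "__main__":
    bindings = parse_bindings(SAMPLE_CONFIG)
    for vap, notes in review_bindings(bindings).items():
        info = bindings[vap]
        print(f"{vap}: security-profile {info['security_profile']} -> security {info['policy']}")
        for note in notes or ["no findings"]:
            print("  #", note)
```

In the sample, staff-vap resolves to the WPA2/AES 802.1X profile and passes; iot-vap is flagged for WEP; guest-vap never names a security profile, so it inherits default, which has no security line and is therefore open, giving two findings that map directly onto the advice in the open system authentication row of the policy table.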