Example for Configuring WAPI-CERT
Networking Requirements
As shown in Figure 4-17, Router functions as a fat AP to provide wireless Internet access service and as a DHCP server to allocate IP addresses to STAs.
The administrator wants to use WAPI in certificate-based mode (WAPI-CERT) to provide comprehensive STA identity authentication and data packet encryption.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure basic attributes for the AP, including the country code and DHCP server address, so that the AP can assign IP addresses to STAs.
- Configure a WMM profile and a radio profile on the AP and bind the radio profile to a radio interface so that STAs can communicate with the AP.
- Configure a WLAN-BSS interface and bind it to a service set so that radio packets can be sent to the WLAN service module after reaching the AP.
- Configure a security profile and set the authentication mode to WAPI certificate authentication in the security policy.
- Configure a traffic profile and a service set on the AP, and bind the security profile, traffic profile, and WLAN-BSS interface to the service set to ensure access security and QoS for STAs.
- Configure a VAP and deliver VAP parameters so that STAs can access the WLAN.
Ensure that reachable routes are available between Router and the ASU server.
Ensure that certificates have been imported to the STA and the ASU server and related configurations are completed.
Ensure that the AP certificate huawei-ap.cer, the ASU certificate huawei-asu.cer, the issuer certificate huawei-issuer.cer, and the AP private key file huawei-ap.cer have been saved on Router.
Procedure
- Configure basic AP attributes.
# Configure the country code for the AP.
<Huawei> system-view
[Huawei] wlan global country-code cn
# Create a VLANIF interface, assign an IP address to it for Layer 3 packet forwarding, and enable the DHCP server function on the VLANIF interface. In this example, an address pool is configured on VLANIF 100 to assign IP addresses to STAs.
[Huawei] dhcp enable
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 10.10.10.2 24
[Huawei-Vlanif100] dhcp select interface
[Huawei-Vlanif100] quit
- Configure radios for APs.
# Create a WMM profile named wmm-1 and retain the default parameter settings.
[Huawei] wlan
[Huawei-wlan-view] wmm-profile name wmm-1 id 1
[Huawei-wlan-wmm-prof-wmm-1] quit
# Create a radio profile named radio-1 and bind the WMM profile wmm-1 to it.
[Huawei-wlan-view] radio-profile name radio-1
[Huawei-wlan-radio-prof-radio-1] wmm-profile name wmm-1
[Huawei-wlan-radio-prof-radio-1] quit
[Huawei-wlan-view] quit
# Bind the radio profile radio-1 to a radio interface.
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] radio-profile name radio-1
[Huawei-Wlan-Radio0/0/0] quit
- Configure service sets for APs.
# Configure the WLAN-BSS interface to allow user VLAN 100 to pass.
[Huawei] interface wlan-bss 1
[Huawei-Wlan-Bss1] port hybrid tagged vlan 100
[Huawei-Wlan-Bss1] quit
# Configure a security profile named security-1 and set the authentication mode to WAPI-CERT.
Set WAPI as the security policy, use WAPI-CERT (certificate) authentication, specify the ASU server address, and import the AP, ASU and issuer certificates together with the AP private key.
[Huawei] wlan
[Huawei-wlan-view] security-profile name security-1 id 1
[Huawei-wlan-sec-prof-security-1] security-policy wapi
[Huawei-wlan-sec-prof-security-1] wapi authentication-method certificate
[Huawei-wlan-sec-prof-security-1] wapi asu ip 10.10.10.1
[Huawei-wlan-sec-prof-security-1] wapi import certificate ap file-name flash:/huawei-ap.cer
[Huawei-wlan-sec-prof-security-1] wapi import certificate asu file-name flash:/huawei-asu.cer
[Huawei-wlan-sec-prof-security-1] wapi import certificate issuer file-name flash:/huawei-issuer.cer
[Huawei-wlan-sec-prof-security-1] wapi import private-key file-name flash:/huawei-ap.cer
[Huawei-wlan-sec-prof-security-1] quit
# Create a traffic profile named traffic-1 and retain the default parameter settings.
[Huawei-wlan-view] traffic-profile name traffic-1 id 1
[Huawei-wlan-traffic-prof-traffic-1] quit
# Create a service set and bind the traffic profile, security profile, and WLAN-BSS interface to the service set.
[Huawei-wlan-view] service-set name huawei-1 id 1
[Huawei-wlan-service-set-huawei-1] ssid huawei
[Huawei-wlan-service-set-huawei-1] traffic-profile name traffic-1
[Huawei-wlan-service-set-huawei-1] security-profile name security-1
[Huawei-wlan-service-set-huawei-1] wlan-bss 1
[Huawei-wlan-service-set-huawei-1] quit
[Huawei-wlan-view] quit
- Configure a VAP.
# Bind the service set huawei-1 to a radio interface.
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] service-set name huawei-1
[Huawei-Wlan-Radio0/0/0] quit
- Verify the configurations.
# The WLAN with SSID huawei is available for STAs connected to the AP, and the STAs can associate with the WLAN.
Configuration Files
- Configuration file of the Router
#
 vlan batch 100
#
 dhcp enable
#
interface Vlanif100
 ip address 10.10.10.2 255.255.255.0
 dhcp select interface
#
interface Wlan-Bss1
 port hybrid tagged vlan 100
#
wlan
 wmm-profile name wmmf id 0
 wmm-profile name wmm-1 id 1
 traffic-profile name traf id 0
 traffic-profile name traffic-1 id 1
 security-profile name secf id 0
 security-profile name security-1 id 1
  security-policy wapi
  wapi asu ip 10.10.10.1
  wapi import certificate ap file-name flash:/huawei-ap.cer
  wapi import certificate asu file-name flash:/huawei-asu.cer
  wapi import certificate issuer file-name flash:/huawei-issuer.cer
  wapi import private-key file-name flash:/huawei-ap.cer
 service-set name huawei-1 id 1
  Wlan-Bss 1
  ssid huawei
  traffic-profile id 1
  security-profile id 1
 radio-profile name radiof id 0
  wmm-profile id 0
 radio-profile name radio-1 id 1
  wmm-profile id 1
#
interface Wlan-Radio0/0/0
 radio-profile id 1
 service-set id 1 wlan 1
#
return
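A configuration audit, added here as an example and not part of the Huawei documentation: it parses the indentation-based configuration file layout shown above and checks that every service set is bound to a security profile whose policy is WAPI, that an ASU address is set, and that the AP, ASU and issuer certificates and the private key have all been imported. The sample configuration is constructed from the page's values; the function names are the example's own.

```python
"""Audit a Huawei VRP-style WLAN config for a complete WAPI-CERT profile (added example, not Huawei code)."""
import re
REQUIRED = ("ap", "asu", "issuer", "private-key")  # every import a WAPI-CERT profile needs
# Constructed sample: the security profile and service set from the page's configuration file.
GOOD_CONFIG = """\
 security-profile name security-1 id 1
  security-policy wapi
  wapi asu ip 10.10.10.1
  wapi import certificate ap file-name flash:/huawei-ap.cer
  wapi import certificate asu file-name flash:/huawei-asu.cer
  wapi import certificate issuer file-name flash:/huawei-issuer.cer
  wapi import private-key file-name flash:/huawei-ap.cer
 service-set name huawei-1 id 1
  security-profile id 1
"""

def parse_wlan(config):  # returns security profiles and service sets keyed by their numeric id
    profiles, sets, cur = {}, {}, None
    for raw in config.splitlines():
        indent, text = len(raw) - len(raw.lstrip()), raw.strip()
        if m := re.match(r"(security-profile|service-set) name (\S+) id (\d+)$", text):
            cur = {"name": m.group(2), "files": {}, "profile": None}
            (profiles if m.group(1) == "security-profile" else sets)[int(m.group(3))] = cur
        elif indent == 0 or cur is None:
            cur = None  # "#", "wlan", interface blocks: nothing WAPI-related to attach here
        elif m := re.match(r"wapi import (?:certificate )?(\S+) file-name (\S+)$", text):
            cur["files"][m.group(1)] = m.group(2)  # key is ap / asu / issuer / private-key
        elif m := re.match(r"security-policy (\S+)$", text):
            cur["policy"] = m.group(1)
        elif m := re.match(r"wapi asu ip (\S+)$", text):
            cur["asu"] = m.group(1)
        elif m := re.match(r"security-profile id (\d+)$", text):
            cur["profile"] = int(m.group(1))  # service-set -> security-profile binding
    return profiles, sets

def audit_wapi_cert(config):
    """Check each service set's security profile for WAPI-CERT; return the gaps found (empty means OK)."""
    profiles, sets = parse_wlan(config)
    gaps = []
    for s in sets.values():
        p = profiles.get(s["profile"])
        if p is None:
            gaps.append(f"{s['name']}: no valid security-profile bound")
            continue
        if p.get("policy") != "wapi":
            gaps.append(f"{p['name']}: security-policy is {p.get('policy')}, not wapi")
        if "asu" not in p:
            gaps.append(f"{p['name']}: no ASU server address (wapi asu ip)")
        gaps += [f"{p['name']}: no wapi import for {k}" for k in REQUIRED if k not in p["files"]]
    return gaps
```

Run it against the output of display current-configuration (exported to a file) after the procedure above; an empty list means the service set is fully configured for WAPI-CERT.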