Example for Configuring WAPI-PSK Authentication
Networking Requirements
As shown in Figure 4-16, Router functions as a fat AP to provide wireless Internet access service and as a DHCP server to allocate IP addresses to STAs.
The administrator wants to use WAPI in preshared key-based mode (WAPI-PSK) in which the STAs and APs use the same preshared key huawei@123 and the USK and MSK update intervals are both 20000 seconds.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure basic attributes for the AP, including the country code and DHCP server address, so that the AP can assign IP addresses to STAs.
- Configure a WMM profile and a radio profile on the AP and bind the radio profile to a radio interface so that STAs can communicate with the AP.
- Configure a WLAN-BSS interface and bind it to a service set so that radio packets can be sent to the WLAN service module after reaching the AP.
- Configure a security profile, set the security policy to WAPI, set WAPI authentication mode to PSK, and configure the preshared key.
- Configure a traffic profile and a service set on the AP, and bind the security profile, traffic profile, and WLAN-BSS interface to the service set to ensure access security and QoS for STAs.
- Configure a VAP and deliver VAP parameters so that STAs can access the WLAN.
Procedure
- Configure basic AP attributes.
# Configure the country code for the AP.
<Huawei> system-view
[Huawei] wlan global country-code cn
# Create a VLANIF interface, assign an IP address to it for Layer 3 packet forwarding, and enable the DHCP server function on the VLANIF interface. In this example, an address pool is configured on VLANIF 100 to assign IP addresses to STAs.
[Huawei] dhcp enable
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 10.10.10.1 24
[Huawei-Vlanif100] dhcp select interface
[Huawei-Vlanif100] quit
- Configure radios for APs.
# Create a WMM profile named wmm-1 and retain the default parameter settings.
[Huawei] wlan
[Huawei-wlan-view] wmm-profile name wmm-1 id 1
[Huawei-wlan-wmm-prof-wmm-1] quit
# Create a radio profile named radio-1 and bind the WMM profile wmm-1 to it.
[Huawei-wlan-view] radio-profile name radio-1
[Huawei-wlan-radio-prof-radio-1] wmm-profile name wmm-1
[Huawei-wlan-radio-prof-radio-1] quit
[Huawei-wlan-view] quit
# Bind the radio profile radio-1 to a radio interface.
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] radio-profile name radio-1
[Huawei-Wlan-Radio0/0/0] quit
- Configure service sets for APs.
# Configure a WLAN-BSS interface so that radio packets can be sent to the WLAN service module after reaching the AP.
[Huawei] interface wlan-bss 1
[Huawei-Wlan-Bss1] port hybrid tagged vlan 100
[Huawei-Wlan-Bss1] quit
# Configure a security profile named security-1 and set the authentication mode to WAPI-PSK.
Set the security policy to WAPI, set the WAPI authentication mode to PSK, set the key to huawei@123, and set the USK and MSK update intervals to 20000 seconds.
[Huawei] wlan
[Huawei-wlan-view] security-profile name security-1 id 1
[Huawei-wlan-sec-prof-security-1] security-policy wapi
[Huawei-wlan-sec-prof-security-1] wapi authentication-method psk pass-phrase cipher huawei@123
[Huawei-wlan-sec-prof-security-1] wapi usk key-update time-based
[Huawei-wlan-sec-prof-security-1] wapi msk key-update time-based
[Huawei-wlan-sec-prof-security-1] wapi msk-update-interval 20000
[Huawei-wlan-sec-prof-security-1] wapi usk-update-interval 20000
[Huawei-wlan-sec-prof-security-1] quit
# Create a traffic profile named traffic-1 and retain the default parameter settings.
[Huawei-wlan-view] traffic-profile name traffic-1 id 1
[Huawei-wlan-traffic-prof-traffic-1] quit
# Create a service set and bind the traffic profile, security profile, and WLAN-BSS interface to the service set.
[Huawei-wlan-view] service-set name huawei-1 id 1
[Huawei-wlan-service-set-huawei-1] ssid huawei
[Huawei-wlan-service-set-huawei-1] traffic-profile name traffic-1
[Huawei-wlan-service-set-huawei-1] security-profile name security-1
[Huawei-wlan-service-set-huawei-1] wlan-bss 1
[Huawei-wlan-service-set-huawei-1] quit
[Huawei-wlan-view] quit
- Configure a VAP.
# Bind the service set huawei-1 to a radio interface.
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] service-set name huawei-1
[Huawei-Wlan-Radio0/0/0] quit
- Verify the configurations.
# The WLAN with SSID huawei is available for STAs connected to the AP. You must enter the preshared key huawei@123 to use Internet services.
Configuration Files
- Configuration file of the Router
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
 ip address 10.10.10.1 255.255.255.0
 dhcp select interface
#
interface Wlan-Bss1
 port hybrid tagged vlan 100
#
wlan
 wmm-profile name wmmf id 0
 wmm-profile name wmm-1 id 1
 traffic-profile name traf id 0
 traffic-profile name traffic-1 id 1
 security-profile name secf id 0
 security-profile name security-1 id 1
  security-policy wapi
  wapi authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%#
  wapi usk-update-interval 20000
  wapi msk-update-interval 20000
 service-set name huawei-1 id 1
  Wlan-Bss 1
  ssid huawei
  traffic-profile id 1
  security-profile id 1
 radio-profile name radiof id 0
  wmm-profile id 0
 radio-profile name radio-1 id 1
  wmm-profile id 1
#
interface Wlan-Radio0/0/0
 radio-profile id 1
 service-set id 1 wlan 1
#
return
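The following audit script is an added example, not part of the original document: it parses security-profile stanzas in the format of the configuration file above and reports profiles whose WAPI-PSK pass-phrase is not in the %^%#...%^%# ciphertext form or whose USK/MSK update intervals are missing or longer than this example's 20000 seconds. The function names, the lab-2 profile, the one-space-per-level indentation of the sample and the use of 20000 as a ceiling are assumptions made for illustration.

```python
import re

EXPECTED_INTERVAL = 20000  # seconds; this example's requirement, assumed as the ceiling
CIPHER_RE = re.compile(r"^%\^%#.+%\^%#$")  # ciphertext wrapper as shown in the config file
PROFILE_RE = re.compile(r"^(\s*)security-profile name (\S+) id \d+\s*$")
# Constructed sample: security-1 is copied from the page; lab-2 is hypothetical.
SAMPLE_CONFIG = """\
 security-profile name security-1 id 1
  security-policy wapi
  wapi authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%#
  wapi usk-update-interval 20000
  wapi msk-update-interval 20000
 security-profile name lab-2 id 2
  security-policy wapi
  wapi authentication-method psk pass-phrase cipher huawei@123
  wapi usk-update-interval 20000
 service-set name huawei-1 id 1
"""

def parse_security_profiles(text):
    """Return {profile name: [settings]}; deeper indentation scopes a setting."""
    profiles, current, depth = {}, None, 0
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current, depth = m.group(2), len(m.group(1))
            profiles[current] = []
        elif current and len(line) - len(line.lstrip()) > depth:
            profiles[current].append(line.strip())
        else:
            current = None  # any other line ends the current stanza
    return profiles

def audit_profile(settings):
    """Return findings for one profile; an empty list means it passed."""
    if "security-policy wapi" not in settings:
        return ["no 'security-policy wapi' line"]
    findings = []
    key = [s for s in settings if s.startswith("wapi authentication-method psk pass-phrase")]
    if not key or not CIPHER_RE.match(key[0].split(" cipher ", 1)[-1]):
        findings.append("pass-phrase missing or not stored as ciphertext")
    for kind in ("usk", "msk"):
        vals = [int(s.split()[-1]) for s in settings if s.startswith(f"wapi {kind}-update-interval ")]
        if not vals or vals[0] > EXPECTED_INTERVAL:
            findings.append(f"{kind}-update-interval missing or above {EXPECTED_INTERVAL}s")
    return findings

def audit(text):
    return {name: audit_profile(s) for name, s in parse_security_profiles(text).items()}
```

Calling audit(SAMPLE_CONFIG) returns an empty finding list for security-1 and two findings for the hypothetical lab-2 profile.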