Example for Configuring WPA Authentication (PSK Authentication and CCMP Encryption)
Networking Requirements
As shown in Figure 4-14, the Router functions as a fat AP to provide wireless Internet access and as a DHCP server to allocate IP addresses to users.
The WEP encryption mechanism is simple and the encrypted data is easy to decipher. The administrator wants to use a more secure mechanism to protect the WLAN. WPA using PSK authentication and CCMP encryption is more secure than WEP. The WPA mechanism uses pre-shared key authentication to control wireless user access and dynamically generates encryption keys to protect data from being intercepted during exchange.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure basic attributes for the AP, including the country code and DHCP server address, so that the AP can assign IP addresses to users.
- Configure a WMM profile and radio profile on the AP and bind the radio profile to a radio interface to enable STAs to communicate with the AP.
- Configure a WLAN-BSS interface so that radio packets can be sent to the WLAN service module after reaching the AP.
- Configure a security profile and set the security policy to WPA. Set the authentication method to PSK and encryption method to CCMP.
- Create a service set and traffic profile. Bind the security profile, traffic profile, and WLAN-BSS interface to the service set to apply security policies and QoS policies to STAs.
- Configure a VAP and deliver VAP parameters so that STAs can access the WLAN.
CCMP encryption is recommended because TKIP and WEP both use the RC4 algorithm to encrypt data and have a low security level.
When PSK authentication is used, the AP supports the following combinations: WPA+PSK+TKIP, WPA+PSK+CCMP, WPA2+PSK+TKIP, and WPA2+PSK+CCMP. Use the { wpa | wpa2 } authentication-method psk { pass-phrase | hex } cipher cipher-key encryption-method { tkip | ccmp } command to change the authentication or encryption method.
Procedure
- Configure basic AP attributes.
# Configure the country code for the AP.
<Huawei> system-view
[Huawei] wlan global country-code cn
# Configure a VLANIF interface, assign an IP address to the VLANIF interface for Layer 3 packet forwarding, and enable the DHCP server function on the VLANIF interface. In this example, the DHCP server is configured on VLANIF 100 to assign IP addresses to STAs.
[Huawei] dhcp enable
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 10.10.10.1 24
[Huawei-Vlanif100] dhcp select interface
[Huawei-Vlanif100] quit
- Configure the AP radio.
# Create a WMM profile named wmm-1 and retain the default parameter settings.
[Huawei] wlan
[Huawei-wlan-view] wmm-profile name wmm-1 id 1
[Huawei-wlan-wmm-prof-wmm-1] quit
# Create a radio profile named radio-1 and bind the WMM profile wmm-1 to it.
[Huawei-wlan-view] radio-profile name radio-1
[Huawei-wlan-radio-prof-radio-1] wmm-profile name wmm-1
[Huawei-wlan-radio-prof-radio-1] quit
[Huawei-wlan-view] quit
# Bind the radio profile radio-1 to a radio interface.
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] radio-profile name radio-1
[Huawei-Wlan-Radio0/0/0] quit
- Configure a service set.
# Configure a WLAN-BSS interface so that radio packets sent from users can be sent to the WLAN service processing module after reaching the AP.
[Huawei] interface wlan-bss 1
[Huawei-Wlan-Bss1] port hybrid tagged vlan 100
[Huawei-Wlan-Bss1] quit
# Configure a security profile named security-1 and set the security policy to WPA. Set the authentication method to PSK and encryption method to CCMP.
The authentication key is huawei@123.
[Huawei] wlan
[Huawei-wlan-view] security-profile name security-1 id 1
[Huawei-wlan-sec-prof-security-1] security-policy wpa
[Huawei-wlan-sec-prof-security-1] wpa authentication-method psk pass-phrase cipher huawei@123 encryption-method ccmp
[Huawei-wlan-sec-prof-security-1] quit
# Create a traffic profile named traffic-1 and retain the default parameter settings.
[Huawei-wlan-view] traffic-profile name traffic-1 id 1
[Huawei-wlan-traffic-prof-traffic-1] quit
# Create a service set and bind the traffic profile, security profile, and WLAN-BSS interface to the service set.
[Huawei-wlan-view] service-set name huawei-1 id 1
[Huawei-wlan-service-set-huawei-1] ssid huawei
[Huawei-wlan-service-set-huawei-1] traffic-profile name traffic-1
[Huawei-wlan-service-set-huawei-1] security-profile name security-1
[Huawei-wlan-service-set-huawei-1] wlan-bss 1
[Huawei-wlan-service-set-huawei-1] quit
[Huawei-wlan-view] quit
- Configure a VAP.
# Bind the service set huawei-1 to a radio interface.
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] service-set name huawei-1
[Huawei-Wlan-Radio0/0/0] quit
- Verify the configuration.
# The WLAN with the SSID huawei is available for STAs connected to the AP. Users must enter the pre-shared key huawei@123 to use WLAN services.
Configuration Files
- Configuration file of the Router
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
 ip address 10.10.10.1 255.255.255.0
 dhcp select interface
#
interface Wlan-Bss1
 port hybrid tagged vlan 100
#
wlan
 wmm-profile name wmmf id 0
 wmm-profile name wmm-1 id 1
 traffic-profile name traf id 0
 traffic-profile name traffic-1 id 1
 security-profile name secf id 0
 security-profile name security-1 id 1
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp
 service-set name huawei-1 id 1
  Wlan-Bss 1
  ssid huawei
  traffic-profile id 1
  security-profile id 1
 radio-profile name radiof id 0
  wmm-profile id 0
 radio-profile name radio-1 id 1
  wmm-profile id 1
#
interface Wlan-Radio0/0/0
 radio-profile id 1
 service-set id 1 wlan 1
#
return
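The following is an added example, not part of the original Huawei documentation: a small Python audit that reads a saved configuration file in the layout shown above and reports, for each security profile, which of the four PSK combinations it uses, marking TKIP as weak. The profiles legacy-1 and lab-1, the placeholder cipher strings and the function name audit are assumptions made for the illustration.

```python
import re

# Constructed sample in the layout of the configuration file above. Profiles
# legacy-1 and lab-1 and all cipher strings are placeholders, not device output.
SAMPLE_CONFIG = """\
wlan
 security-profile name secf id 0
 security-profile name security-1 id 1
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher %^%#PLACEHOLDER-A%^%# encryption-method ccmp
 security-profile name legacy-1 id 2
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher %^%#PLACEHOLDER-B%^%# encryption-method tkip
 security-profile name lab-1 id 3
  security-policy wpa2
  wpa2 authentication-method psk hex cipher %^%#PLACEHOLDER-C%^%# encryption-method ccmp
 service-set name huawei-1 id 1
  ssid huawei
  security-profile id 1
"""

# "security-profile name X id N" opens a profile; "security-profile id N"
# inside a service set is only a reference and must not match.
PROFILE_RE = re.compile(r"^security-profile name (\S+) id (\d+)$")
# The stored key is matched but deliberately not captured.
PSK_RE = re.compile(
    r"^(wpa2?) authentication-method psk (pass-phrase|hex) cipher .+ "
    r"encryption-method (tkip|ccmp)$")
# Lines that start a different section and therefore close the current profile.
SECTION_RE = re.compile(
    r"^(#|(wmm|traffic|radio)-profile name |service-set name |interface )")

def audit(config_text):
    """Return {profile_name: (verdict, detail)} for every security profile."""
    results, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = ("review", "no wpa/wpa2 psk line in this profile")
            continue
        if SECTION_RE.match(line):
            current = None
            continue
        m = PSK_RE.match(line)
        if m and current:
            policy, key_form, cipher = m.groups()
            verdict = "weak" if cipher == "tkip" else "ok"  # TKIP is RC4-based
            results[current] = (verdict, f"{policy}+psk+{cipher}, {key_form} key")
    return results
```

Calling audit() on the text of a saved configuration file returns one verdict per security profile; a "review" verdict means the profile has no PSK line and its effective policy has to be checked on the device.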