Configuring a WLAN-Fat AP Security Policy
WLAN-Fat AP security policies include WEP, WPA, WPA2, and WAPI. You can deploy one of them.
Pre-configuration Tasks
Configuring a WEP Security Policy
Context
- Open system authentication+non-encryption+Portal authentication: applies to carrier networks and public places. The Portal protocol is used for access authentication and accounting.
- Shared-key authentication+WEP encryption: applies to personal WLANs where high security is not required. A shared key must be maintained.
Because a shared key is easy to decipher, the WEP security policy is exposed to serious security threats. Enterprise networks can use WEP shared-key authentication+WEP encryption together with 802.1x authentication; an independent authentication server improves WLAN security. For details about how to configure 802.1x authentication, see Configuring NAC.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile { id profile-id | name profile-name } *
The security profile view is displayed.
- Run security-policy wep
The WEP security policy is configured.
The default security policy is WEP.
By default, WEP uses open system authentication+non-encryption.
The default security policy is insecure; Portal authentication or a WPA/WPA2 security policy is recommended.
- Configure authentication and encryption modes.
Configure open system authentication+non-encryption.
Run wep authentication-method open-system [ data-encrypt ]
WEP open system authentication is configured.
The parameter data-encrypt indicates open system authentication+WEP encryption. In this scenario, run the wep key and wep default-key commands to configure a WEP shared key. The WEP shared key is used to generate an encryption key that encrypts WLAN data packets.
Configure shared-key authentication+WEP encryption.
In shared-key authentication mode, after a STA scans an SSID, association may fail if you simply double-click the SSID and enter the key. This is because double-clicking the SSID uses open system authentication, which is inconsistent with the configured authentication method. To associate with the AP, manually create a WLAN network on the STA and enter the SSID, authentication mode, encryption mode, key, and key index configured on the AP.
Run wep authentication-method share-key
WEP shared-key authentication is configured.
Run wep key { wep-40 | wep-104 } { pass-phrase | hex } key-id cipher cipher-key-value
The WEP shared key and key index are configured.
By default, no shared key is configured.
Run wep default-key key-id
The index of a shared key used in WEP is set.
By default, the shared key with index as 0 is used.
A maximum of four WEP keys can be configured, but only one WEP key can be used at a time.
Configuring a WPA/WPA2 Security Policy
Context
Both WPA and WPA2 support 802.1X/PSK authentication and the TKIP/CCMP encryption algorithms. WPA and WPA2 provide almost the same security level; their difference lies in the protocol packet format.
- PSK+TKIP and PSK+CCMP: applies to personal and SOHO networks that do not require high security. No authentication server is required. If customers' devices support only WEP encryption, PSK+TKIP can be implemented without a hardware upgrade, whereas PSK+CCMP requires a hardware upgrade.
- 802.1X+TKIP and 802.1X+CCMP: applies to networks requiring high security, such as enterprise networks. An independent authentication server is required. If customers' devices support only WEP encryption, 802.1X+TKIP can be implemented without a hardware upgrade, whereas 802.1X+CCMP requires a hardware upgrade.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile { id profile-id | name profile-name } *
The security profile view is displayed.
- Run security-policy { wpa | wpa2 }
The security policy is configured.
The default security policy is WEP.
- By default, WPA uses 802.1X+PEAP authentication+TKIP encryption.
- By default, WPA2 uses 802.1X+PEAP authentication+CCMP encryption.
After a security policy is specified, you can use the default authentication and encryption modes or configure the authentication and encryption modes in step 5.
- Configure authentication and encryption modes.
Configure 802.1X authentication+TKIP/CCMP encryption.
Run { wpa | wpa2 } authentication-method dot1x encryption-method { tkip | ccmp }
The 802.1X authentication protocol and encryption algorithm are configured for WPA/WPA2.
Configure PSK authentication+TKIP/CCMP encryption.
Run { wpa | wpa2 } authentication-method psk { pass-phrase | hex } cipher cipher-key encryption-method { tkip | ccmp }
The pre-shared key and encryption algorithm are configured for WPA/WPA2.
Configuring a WAPI Security Policy
Context
WAPI allows only robust security network association (RSNA), providing higher security than WEP, WPA, and WPA2.
- WAPI-CERT authentication+WPI encryption: applies to large-scale enterprise networks or carrier networks that can deploy and maintain an expensive certificate system.
- WAPI uses X.509 V3 certificates that are Base64-encoded and saved in PEM format. The X.509 V3 certificate file name extension is .cer. Before importing certificate files for WAPI, ensure that the certificate files are saved in the root directory of the storage.
- WAPI-PSK authentication+WPI encryption: applies to personal networks and small-scale enterprise networks. No certificate system is required.
- Time-based key update: periodically updates a key.
- Packet-based key update: updates a key when the number of packets encrypted using the key reaches the specified value.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile { id profile-id | name profile-name } *
The security profile view is displayed.
- Run security-policy wapi
The security policy is configured.
The default security policy is WEP.
By default, WAPI uses WAPI-CERT authentication+WPI encryption.
- Configure the authentication mode for WAPI.
Set the authentication mode to WAPI-PSK, that is, pre-shared key authentication.
Run wapi authentication-method psk { pass-phrase | hex } cipher cipher-key
Pre-shared key authentication and the authentication key are configured for WAPI.
Set the authentication mode to WAPI-CERT, that is, certificate authentication.
Run wapi authentication-method certificate
Certificate authentication is configured for WAPI.
Run wapi import certificate { ap | asu | issuer } file-name file-name [ password cipher password ]
The AP certificate file, certificate of the AP certificate issuer, and ASU certificate file are imported.
Run wapi import private-key file-name file-name [ password cipher cipher-password ]
The AP private key file is imported.
Run wapi asu ip ip-address
An IP address is configured for the ASU certificate server to which the AP sends certificate files.
(Optional) Run wapi cert-retrans-count cert-count
The number of retransmissions of certificate authentication packets is set.
The default number of retransmissions of certificate authentication packets is 3.
- (Optional) Run wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }
The interval for updating a base key (BK) and the BK lifetime percentage are set.
By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.
- (Optional) Run wapi sa-timeout sa-time
The timeout period of a security association (SA) is set.
The default timeout period of an SA is 60s.
If a STA is not authenticated within the timeout period, no SA is established and the STA cannot connect to the AC.
- (Optional) Run wapi { usk | msk } key-update { disable | time-based | packet-based | timepacket-based }
The USK or MSK update mode is set.
By default, USKs and MSKs are updated based on time.
- (Optional) Run wapi { usk-update-interval usk-interval | usk-update-packet usk-packet | usk-retrans-count usk-count }
The interval for updating a USK, the number of packets that triggers a USK update, and the number of retransmissions of USK negotiation packets are set.
By default, the interval for updating a USK is 86400s, the number of packets that triggers a USK update is 10, and the number of retransmissions of USK negotiation packets is 3.
- (Optional) Run wapi { msk-update-interval msk-interval | msk-update-packet msk-packet | msk-retrans-count msk-count }
The interval for updating an MSK, the number of packets that triggers an MSK update, and the number of retransmissions of MSK negotiation packets are set.
By default, the interval for updating an MSK is 86400s, the number of packets that triggers an MSK update is 10, and the number of retransmissions of MSK negotiation packets is 3.
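The WEP, WPA/WPA2 and WAPI procedures above all leave a security profile whose effective protection depends on the defaults stated at each step (a new profile is WEP with open system authentication and no encryption; WPA defaults to 802.1X+TKIP, WPA2 to 802.1X+CCMP, WAPI to WAPI-CERT+WPI). As an added example that is not part of this guide or of any vendor tool, the Python below parses security-profile commands in the syntax shown above, resolves those documented defaults, and flags the weak outcomes; the profile names, ids and EXAMPLE-PASSPHRASE values are constructed.

```python
import re

# Defaults stated in the guide: a new security profile is WEP, and each policy
# keeps a default authentication+encryption pair until a method is configured.
DEFAULTS = {"wep": ("open-system", "none"), "wpa": ("dot1x", "tkip"),
            "wpa2": ("dot1x", "ccmp"), "wapi": ("certificate", "wpi")}

def effective_security(lines):
    """Derive (policy, auth, encryption) from security-profile view commands."""
    policy = "wep"
    auth, enc = DEFAULTS[policy]
    for line in (l.strip() for l in lines):
        if m := re.match(r"security-policy (wep|wpa2?|wapi)$", line):
            policy = m.group(1)
            auth, enc = DEFAULTS[policy]           # explicit policy resets to its defaults
        elif policy == "wep" and (m := re.match(
                r"wep authentication-method (open-system|share-key)( data-encrypt)?$", line)):
            auth = m.group(1)
            enc = "wep" if auth == "share-key" or m.group(2) else "none"
        elif (m := re.match(r"(wpa2?) authentication-method (dot1x|psk).* encryption-method (tkip|ccmp)$",
                            line)) and m.group(1) == policy:
            auth, enc = m.group(2), m.group(3)
        elif policy == "wapi" and (m := re.match(r"wapi authentication-method (psk|certificate)", line)):
            auth = m.group(1)                      # WAPI always encrypts with WPI
    return policy, auth, enc

def audit(lines, enterprise=False):
    """Return (policy, auth, enc, findings); an empty findings list means no issue."""
    policy, auth, enc = effective_security(lines)
    findings = []
    if enc == "none":
        findings.append("no encryption: WLAN data is sent in the clear")
    if enc == "wep":
        findings.append("WEP: the shared key is easy to decipher")
    if enc == "tkip":
        findings.append("TKIP: deprecated cipher, prefer CCMP")
    if enterprise and auth not in ("dot1x", "certificate"):
        findings.append("%s authentication: enterprise networks need 802.1X or WAPI-CERT" % auth)
    return policy, auth, enc, findings

# Constructed sample profiles in the guide's command syntax (not from a real device).
LEFT_AT_DEFAULT = ["security-profile name guest id 1"]     # nothing set: WEP, open, none
SHARED_WEP = ["security-profile name home id 2", "security-policy wep",
              "wep authentication-method share-key",
              "wep key wep-104 pass-phrase 0 cipher EXAMPLE-PASSPHRASE", "wep default-key 0"]
OFFICE_WPA2 = ["security-profile name office id 3", "security-policy wpa2",
               "wpa2 authentication-method dot1x encryption-method ccmp"]
HOME_WAPI = ["security-profile name wapi-home id 4", "security-policy wapi",
             "wapi authentication-method psk pass-phrase cipher EXAMPLE-PASSPHRASE"]
```

Call `audit(profile_lines, enterprise=True)` on the lines of each security-profile view taken from the running configuration to see which profiles still rely on the insecure WEP default or on PSK where 802.1X is expected.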