No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Enterprise
Worldwide
Huawei Global - English
Search
Support Documentation
NetEngine AR V300R019 CLI-based Configuration Guide - WLAN-FAT AP
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring WIDS and WIPS

Configuring WIDS and WIPS

You can configure WIDS and WIPS to detect and defend against intrusion from unauthorized devices on WLAN networks and enable the AC to detect attacks and add devices initiating the attacks to the dynamic blacklist, ensuring security of authorized users.

Pre-configuration Tasks

Before configuring WIDS and WIPS, complete the following task:

Configuration Procedure

The device supports the configuration of detection and defense against intrusion from unauthorized devices, attack detection, and dynamic blacklist.

The configuration procedure is as follows:

Configuring the AP Attack Detection Function

Context

On small- and medium-scale WLANs, the attack detection function can be enabled to detect flooding attacks, weak initialization vector (IV), spoofing attacks, and brute force cracking of WPA/WPA2/WAPI preshared keys and WEP shared keys. This function enables an AP to add attackers to the dynamic blacklist and send alarms to alert administrators.

After the dynamic blacklist function is enabled, the AP can add the detected attackers to the dynamic blacklist. For details, see Configuring the Dynamic Blacklist Function.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface wlan-radio wlan-radio-number

    The radio interface view is displayed.

  3. Run attack detection enable { all | flood | weak-iv | spoof | wpa-psk | wpa2-psk | wapi-psk | wep-share-key }

    Attack detection is enabled on the radio.

    By default, attack detection is disabled on an AP radio.

  4. Configure attack detection parameters when enabling detection of flooding attacks and brute force cracking of WPA/WPA2/WAPI preshared keys and WEP shared keys.
    1. Run quit

      Return to the system view.

    2. Run wlan

      The WLAN view is displayed.

    3. Run attack detection flood interval intvalue times timesvalue

      The interval for flood attack detection and the maximum number of packets of the same type that an AP can receive within the interval are set.

      By default, the interval for flood attack detection is 60 seconds and an AP can receive a maximum of 300 packets of the same type within the interval.

    4. Run attack detection psk interval intvalue times timesvalue

      The interval for brute force preshared key cracking detection and the number of key negotiation attempts allowed within the interval are set.

      By default, the interval for brute force preshared key cracking detection is 60 seconds and an AP allows a maximum of 20 key negotiation attempts within the interval.

      The preshared keys in brute force cracking include those in WPA/WPA2-PSK, WAPI-PSK, and WEP-SK authentication modes.

Configuring the Dynamic Blacklist Function

Context

The device supports the attack detection function. When the device detects flooding attacks and brute force cracking of WPA/WPA2/WAPI preshared keys and WEP shared keys, the dynamic blacklist function can be configured. This function enables the AP to add attackers to the dynamic blacklist and reject any packets sent from the attackers until the dynamic blacklist entry ages.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run dynamic-blacklist enable

    The dynamic blacklist function is enabled.

    By default, the dynamic blacklist function is disabled on an AP.

  4. Run dynamic-blacklist aging-duration duration

    The aging time for the dynamic blacklist is set.

    By default, the aging time for the dynamic blacklist is 600 seconds.

Verifying the WIDS and WIPS Configuration

Context

After WIDS and WIPS are configured, you can check the WIDS and WIPS configuration and detected device information.

Procedure

  • Run the display ap command to check the configuration of an AP.
  • Run the display wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address } command to check information about devices initiating attacks.
  • Run the display wlan ids attack-detected statistics command to check the number of attack times.
  • Run the display wlan ids dynamic-blacklist { all | mac-address mac-address } command to view devices added to the dynamic blacklist.
Translation
简体中文
Download
Updated: 2021-11-30

Document ID: EDOC1100112363

Views: 47473

Downloads: 222

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :