Example for Configuring 802.1X Authentication and CCMP Encryption
Networking Requirements
As shown in Figure 4-15, Router functions as a Fat AP to provide wireless Internet access service and as a DHCP server to allocate IP addresses to STAs. The administrator wants to use 802.1X authentication and CCMP encryption to control access of STAs.
As networks rapidly develop, core services of enterprises are more likely to depend on the networks. Traditional shared networks cannot ensure security of WLANs. The 802.1X authentication mode can control unauthorized users at the access layer of networks, which improves security and saves bandwidth. The administrator wants to use 802.1X authentication and CCMP encryption to ensure data security for enterprises.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure an 802.1X access profile and an authentication profile, and enable 802.1X authentication on an interface.
- Configure 802.1X authentication using the RADIUS scheme.
- Create a domain used during 802.1X authentication, and apply RADIUS as the AAA authentication scheme to the domain.
- Configure basic attributes for the AP, including the country code and DHCP server address, so that the AP can assign IP addresses to STAs.
- Configure a WMM profile and a radio profile on the AP and bind the radio profile to a radio interface so that STAs can communicate with the AP.
- Configure a WLAN-BSS interface and enable 802.1X on the interface so that radio packets can be sent to the WLAN service module after reaching the AP.
- Configure a security profile and set 802.1X authentication and CCMP encryption in the security policy.
- Configure a traffic profile file and a service set on the AP, and bind the security profile, traffic profile, and WLAN-BSS interface to the service set to ensure access security and QoS for STAs.
- Configure a VAP and deliver VAP parameters so that STAs can access the WLAN.
Ensure that the RADIUS server IP address, port number, and shared key are correct.
CCMP encryption is recommended. TKIP encryption and WEP encryption both use the RC4 algorithm, providing low security.
When 802.1X authentication is used, the device supports the following security policies: WPA+802.1X+TKIP, WPA+802.1X+CCMP, WPA2+802.1X+TKIP and WPA2+802.1X+CCMP. To change the authentication or encryption mode, run the { wpa | wpa2 } authentication-method dot1x encryption-method { tkip | ccmp } command.
On a WLAN, when a Windows client uses the 802.1X authentication mode, you must run the dot1x authentication-method eap command to configure EAP authentication for STAs.
Procedure
- Configure the RADIUS scheme.
# Configure 802.1X authentication; configure the IP address and port number for the RADIUS authentication and accounting servers; and configure the shared key huawei for Router to exchange packets with the RADIUS authentication and accounting servers.
<Huawei> system-view
[Huawei] radius-server template huawei
[Huawei-radius-huawei] radius-server authentication 10.137.146.163 1812
[Huawei-radius-huawei] radius-server accounting 10.137.146.163 1813
[Huawei-radius-huawei] radius-server shared-key cipher huawei
[Huawei-radius-huawei] quit
# Configure the 802.1X access profile d1. By default, an 802.1X access profile uses the EAP authentication mode.
<Huawei> system-view
[Huawei] dot1x-access-profile name d1
[Huawei-dot1x-access-profile-d1] quit
# Configure the authentication profile p1 and bind the 802.1X access profile d1 to it.
<Huawei> system-view
[Huawei] authentication-profile name p1
[Huawei-authen-profile-p1] dot1x-access-profile d1
[Huawei-authen-profile-p1] quit
- Configure a domain.
# Configure an authentication scheme named huawei and use the RADIUS authentication mode.
[Huawei] aaa
[Huawei-aaa] authentication-scheme huawei
[Huawei-aaa-authen-huawei] authentication-mode radius
[Huawei-aaa-authen-huawei] quit
# Configure an accounting scheme named huawei and use the RADIUS accounting mode.
[Huawei-aaa] accounting-scheme huawei
[Huawei-aaa-accounting-huawei] accounting-mode radius
[Huawei-aaa-accounting-huawei] quit
# Create a domain named peap.radius.com and apply the authentication scheme huawei, the accounting scheme huawei, and the RADIUS template huawei to this domain.
[Huawei-aaa] domain peap.radius.com
[Huawei-aaa-domain-peap.radius.com] authentication-scheme huawei
[Huawei-aaa-domain-peap.radius.com] accounting-scheme huawei
[Huawei-aaa-domain-peap.radius.com] radius-server huawei
[Huawei-aaa-domain-peap.radius.com] quit
[Huawei-aaa] quit
- Configure basic AP attributes.
# Configure the country code for the AP.
[Huawei] wlan global country-code cn
# Create a VLANIF interface, assign an IP address to it for Layer 3 packet forwarding, and enable the DHCP server function on the VLANIF interface. In this example, an address pool is configured on VLANIF 100 to assign IP addresses to STAs.
[Huawei] dhcp enable
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 10.10.10.1 24
[Huawei-Vlanif100] dhcp select interface
[Huawei-Vlanif100] quit
- Configure radios for APs.
# Create a WMM profile named wmm-1 and retain the default parameter settings.
[Huawei] wlan
[Huawei-wlan-view] wmm-profile name wmm-1 id 1
[Huawei-wlan-wmm-prof-wmm-1] quit
# Create a radio profile named radio-1 and bind the WMM profile wmm-1 to it.
[Huawei-wlan-view] radio-profile name radio-1
[Huawei-wlan-radio-prof-radio-1] wmm-profile name wmm-1
[Huawei-wlan-radio-prof-radio-1] quit
[Huawei-wlan-view] quit
# Bind the radio profile radio-1 to a radio interface.
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] radio-profile name radio-1
[Huawei-Wlan-Radio0/0/0] quit
- Configure service sets for APs.
# Configure the user VLAN on the WLAN-BSS interface, then bind the authentication profile p1 to the interface so that 802.1X authentication is enabled on it.
[Huawei] interface wlan-bss 1
[Huawei-Wlan-Bss1] port hybrid tagged vlan 100
[Huawei-Wlan-Bss1] authentication-profile p1
[Huawei-Wlan-Bss1] quit
# Configure a security profile named security-1, select the WPA security policy, and set the authentication mode to 802.1X and the encryption mode to CCMP.
[Huawei] wlan
[Huawei-wlan-view] security-profile name security-1 id 1
[Huawei-wlan-sec-prof-security-1] security-policy wpa
[Huawei-wlan-sec-prof-security-1] wpa authentication-method dot1x encryption-method ccmp
[Huawei-wlan-sec-prof-security-1] quit
# Create a traffic profile named traffic-1 and retain the default parameter settings.
[Huawei-wlan-view] traffic-profile name traffic-1 id 1
[Huawei-wlan-traffic-prof-traffic-1] quit
# Create a service set named huawei-1, set the SSID to huawei, and bind the traffic profile, security profile, and WLAN-BSS interface to the service set.
[Huawei-wlan-view] service-set name huawei-1 id 1
[Huawei-wlan-service-set-huawei-1] ssid huawei
[Huawei-wlan-service-set-huawei-1] traffic-profile name traffic-1
[Huawei-wlan-service-set-huawei-1] security-profile name security-1
[Huawei-wlan-service-set-huawei-1] wlan-bss 1
[Huawei-wlan-service-set-huawei-1] quit
[Huawei-wlan-view] quit
- Configure a VAP.
# Bind the service set huawei-1 to a radio interface.
[Huawei] interface wlan-radio 0/0/0
[Huawei-Wlan-Radio0/0/0] service-set name huawei-1
[Huawei-Wlan-Radio0/0/0] quit
- Verify the configurations.
# The WLAN with SSID huawei is available for STAs connected to the AP.
# When a STA does not pass 802.1X authentication, it cannot access Internet resources.
# When STA1 uses 802.1X authentication and the correct user name and password are entered, STA1 is authenticated and can access Internet resources. PEAP authentication must be configured on the clients.
Configuration on the Windows XP operating system:
- On the Association tab page of the Wireless network properties dialog box, add SSID huawei, set the authentication mode to WPA, encryption mode to CCMP, and encryption algorithm to AES.
- On the Authentication tab page, set EAP type to PEAP and click Properties. In the Protected EAP Properties dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
Configuration on the Windows 7 operating system:
- Access the Manage wireless networks page, click Add, and select Manually create a network profile. Add SSID huawei. Set the authentication mode to WPA-Enterprise, the encryption mode to CCMP, and the algorithm to AES. Click Next.
- Scan SSIDs and double-click SSID huawei. On the Security tab page, set EAP type to PEAP and click Settings. In the displayed dialog box, deselect Validate server certificate and click Configure. In the displayed dialog box, deselect Automatically use my Windows logon name and password and click OK.
Configuration Files
- Configuration file of the Router
#
vlan batch 100
#
dhcp enable
#
authentication-profile name p1
 dot1x-access-profile d1
#
radius-server template huawei
 radius-server authentication 10.137.146.163 1812 weight 80
 radius-server accounting 10.137.146.163 1813 weight 80
#
aaa
 authentication-scheme huawei
  authentication-mode radius
 accounting-scheme huawei
  accounting-mode radius
 domain peap.radius.com
  authentication-scheme huawei
  accounting-scheme huawei
  radius-server huawei
#
interface Vlanif100
 ip address 10.10.10.1 255.255.255.0
 dhcp select interface
#
interface Wlan-Bss1
 port hybrid tagged vlan 100
 authentication-profile p1
#
dot1x-access-profile name d1
#
wlan
 wmm-profile name wmmf id 0
 wmm-profile name wmm-1 id 1
 traffic-profile name traf id 0
 traffic-profile name traffic-1 id 1
 security-profile name secf id 0
 security-profile name security-1 id 1
  security-policy wpa
  wpa authentication-method dot1x encryption-method ccmp
 service-set name huawei-1 id 1
  Wlan-Bss 1
  ssid huawei
  traffic-profile id 1
  security-profile id 1
 radio-profile name radiof id 0
  wmm-profile id 0
 radio-profile name radio-1 id 1
  wmm-profile id 1
#
interface Wlan-Radio0/0/0
 radio-profile id 1
 service-set id 1 wlan 1
#
return
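The following Python script is an added illustration and not Huawei's own tooling. It parses a configuration file in the indented display format of the Router configuration above and checks the two points the notes in the Configuration Roadmap call for: every service set's security profile uses a { wpa | wpa2 } + dot1x policy with CCMP rather than the RC4-based TKIP or WEP, and a domain is bound to a RADIUS template that carries both an authentication and an accounting server. The embedded sample configuration is constructed: a trimmed copy of the Router configuration plus a hypothetical second security profile legacy-tkip and service set huawei-2 that the check flags.

```python
"""Audit a Huawei-style WLAN config for the 802.1X + CCMP policy this page recommends.
Added example, not Huawei's own tooling; it assumes the indented display format of
the page's "Configuration Files" section ("#" separators, one space per nesting level)."""
import re

# Constructed sample: trimmed from the page's Router config, plus a hypothetical
# second security profile and service set that still use TKIP, so there is a finding.
SAMPLE_CONFIG = """\
radius-server template huawei
 radius-server authentication 10.137.146.163 1812 weight 80
 radius-server accounting 10.137.146.163 1813 weight 80
#
aaa
 authentication-scheme huawei
  authentication-mode radius
 domain peap.radius.com
  authentication-scheme huawei
  radius-server huawei
#
wlan
 security-profile name security-1 id 1
  security-policy wpa
  wpa authentication-method dot1x encryption-method ccmp
 security-profile name legacy-tkip id 2
  security-policy wpa2
  wpa2 authentication-method dot1x encryption-method tkip
 service-set name huawei-1 id 1
  security-profile id 1
 service-set name huawei-2 id 2
  security-profile id 2
return
"""
POLICY_RE = re.compile(r"^(wpa2?) authentication-method (\S+) encryption-method (\S+)$")
WEAK_CIPHERS = {"tkip", "wep"}  # both RC4-based, as the page notes

def parse_config(text):
    """Build a tree of {'cmd', 'children'} nodes from the indented display format."""
    root = {"cmd": "", "children": []}
    stack = [(-1, root)]  # (indent, node)
    for raw in text.splitlines():
        if raw.strip() in ("", "#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = {"cmd": raw.strip(), "children": []}
        while stack[-1][0] >= indent:  # climb back to this line's parent level
            stack.pop()
        stack[-1][1]["children"].append(node)
        stack.append((indent, node))
    return root["children"]

def find(nodes, prefix):  # nodes whose command starts with prefix
    return [n for n in nodes if n["cmd"].startswith(prefix)]

def block(tree, cmd):  # children of the top-level block named exactly cmd, or []
    return next((n["children"] for n in tree if n["cmd"] == cmd), [])

def security_profiles(tree):
    """Map security-profile id -> {'name', 'policy', 'auth', 'cipher'}."""
    profiles = {}
    for prof in find(block(tree, "wlan"), "security-profile name "):
        parts = prof["cmd"].split()  # security-profile name NAME id ID
        entry = {"name": parts[2], "policy": None, "auth": None, "cipher": None}
        for child in prof["children"]:
            if child["cmd"].startswith("security-policy "):
                entry["policy"] = child["cmd"].split()[1]
            elif (m := POLICY_RE.match(child["cmd"])):
                entry["auth"], entry["cipher"] = m.group(2), m.group(3)
        profiles[parts[4]] = entry
    return profiles

def bound_profiles(tree):  # service-set name -> id of the security profile it binds
    bound = {}
    for ss in find(block(tree, "wlan"), "service-set name "):
        for child in find(ss["children"], "security-profile id "):
            bound[ss["cmd"].split()[2]] = child["cmd"].split()[2]
    return bound

def radius_backed(tree):
    """True if a domain references a RADIUS template with both an authentication and an accounting server."""
    complete = {}
    for tpl in find(tree, "radius-server template "):
        kinds = {c["cmd"].split()[1] for c in find(tpl["children"], "radius-server ")}
        complete[tpl["cmd"].split()[2]] = {"authentication", "accounting"} <= kinds
    return any(complete.get(c["cmd"].split()[1], False)
               for dom in find(block(tree, "aaa"), "domain ")
               for c in find(dom["children"], "radius-server "))

def audit(text):
    """Return (service_set, severity, message) findings; an empty list means clean."""
    tree = parse_config(text)
    profiles, findings = security_profiles(tree), []
    if not radius_backed(tree):
        findings.append(("*", "HIGH", "no domain bound to a complete RADIUS template"))
    for ss, pid in bound_profiles(tree).items():
        p = profiles.get(pid)
        if p is None:
            findings.append((ss, "HIGH", f"binds unknown security-profile id {pid}"))
        elif p["policy"] not in ("wpa", "wpa2") or p["auth"] != "dot1x":
            findings.append((ss, "HIGH", f"{p['name']}: not a WPA/WPA2 + 802.1X policy"))
        elif p["cipher"] in WEAK_CIPHERS:
            findings.append((ss, "HIGH", f"{p['name']}: RC4-based cipher {p['cipher']}, use ccmp"))
    return findings

if __name__ == "__main__":
    for ss, sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] service-set {ss}: {msg}")
```

Run against a saved `display current-configuration` output by replacing SAMPLE_CONFIG with the file contents; only profiles actually bound to a service set are judged, so the empty default profile secf in the Router configuration does not raise a finding.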