Wireless Access Controller (AC and Fit AP) V200R019C10 CLI-based Configuration Guide

Configuration Limitations for WLAN Security Policies

Involved Network Elements

AP
  • APs mentioned in this document are Huawei AP products. You are advised to use Huawei APs to connect to the AC.
  • You can run the display ap-type command to check the default AP types supported by the device.
AAA Server
  • Huawei Agile Controller or a third-party AAA server, which performs authentication, authorization, and accounting for users.
Portal Server
  • Huawei Agile Controller or third-party Portal server, which receives authentication requests from Portal clients. It provides free Portal services and a web authentication GUI, and exchanges authentication information of authentication clients with the access device. This NE is required only when external Portal authentication is used.

Feature Dependencies and Limitations

The security policy and access authentication mode can be configured in different combinations. Table 23-1 lists the combinations supported by the device.
Table 23-1 Combinations between security policies and access authentication modes

| Access Authentication Mode | Open | WEP | WPA/WPA2/WPA-WPA2 |
|---|---|---|---|
| 802.1X authentication | Y (supporting the combination between open authentication and 802.1X-PAP/802.1X-CHAP authentication) | Y (supporting the combination between dynamic WEP authentication and 802.1X-EAP authentication) | Y (supporting the combination between dynamic WPA/WPA2/WPA-WPA2 authentication and 802.1X-EAP authentication) |
| Portal authentication | Y | Y | Y |
| MAC address authentication | Y | Y | Y |
| MAC address-prioritized Portal authentication | Y | Y | Y |

WPA/WPA2–PPSK
  • The name and password for each PPSK user must be unique.
  • After a branch AP group is specified for a PPSK user, the PPSK user does not support services related to this branch AP group in the link disconnection escape phase.
  • WAN escape in PPSK authentication mode is supported by APs with a flash memory of at least 64 MB. However, for APs with a flash memory of 64 MB, this function does not take effect if the APs are restarted. For the flash memory of APs, see the section "Basic Specifications" in the corresponding AP product description.

  • If the PPSK configuration is consistent on two ACs, PPSK users can carry out inter-AC 802.11r fast roaming. Otherwise, inter-AC 802.11r fast roaming is not supported.

  • To improve privacy protection capabilities, some mainstream smart terminals (such as Android terminals) can use random MAC addresses to associate with a WLAN. The MAC addresses used by STAs to associate with a WLAN may not be their real physical MAC addresses. Therefore, MAC address-based services cannot take effect. The following table provides service suggestions.

    | MAC Address-related Service | Service Suggestion |
    |---|---|
    | MAC address authentication | MAC address authentication is usually applicable to dumb terminals. You are not advised to configure MAC address authentication for smart terminals. |
    | PPSK authentication | Do not bind STAs' MAC addresses when configuring the PPSK service. STAs' MAC addresses are dynamically bound when the STAs perform PPSK authentication. |
    | Static binding between MAC addresses and IP addresses in the DHCP address pool | Do not configure static binding between IP addresses and MAC addresses for smart terminals. |
    | DHCP snooping static binding | Do not configure static binding between IP addresses and MAC addresses for smart terminals. |
    | MAC address-prioritized Portal authentication | If the encryption mode remains unchanged, a STA can use a fixed MAC address to access the same SSID. In most cases, MAC address-prioritized Portal authentication is not affected by randomization of MAC addresses. If you manually forget an SSID on a STA or restore the factory settings of the STA, the STA uses a new random MAC address to access the SSID next time and must perform Portal authentication again. |
    | STA blacklist and whitelist | You are not advised to configure the static blacklist or whitelist service for smart terminals. |
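The suggestions above all depend on knowing whether a STA is presenting a randomized MAC address. The following script is an added example (not from the Huawei guide and not an AC command): it parses STA MAC addresses in the common colon, hyphen and xxxx-xxxx-xxxx notations, tests the locally administered bit that randomized addresses set, and reports which MAC-bound services from the table should not be configured for that STA. The association records and SSID names it works on are constructed sample data.

```python
"""
Added example, not taken from the Huawei configuration guide: identify STAs
that associate with a randomized MAC address before MAC-bound services
(MAC authentication, static PPSK binding, DHCP/DHCP snooping static binding,
static blacklists/whitelists) are configured for them.

Randomized MAC addresses are locally administered: bit 1 (0x02) of the first
octet is set. An OUI-assigned, burned-in address has that bit clear. Bit 0
(0x01) marks a multicast address, which is never a valid STA address.
The association records at the bottom are constructed sample data.
"""
import re

# Services from the guide's suggestion table that rely on a stable STA MAC.
# MAC address-prioritized Portal is left out on purpose: the guide notes it
# keeps working while the STA reuses a fixed random MAC for the same SSID.
MAC_BOUND_SERVICES = (
    "MAC address authentication",
    "PPSK MAC address binding",
    "DHCP address pool static binding",
    "DHCP snooping static binding",
    "static STA blacklist/whitelist",
)


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or the AC's aabb-ccdd-eeff form."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def to_ac_format(mac: str) -> str:
    """Render as xxxx-xxxx-xxxx, the notation used in AC CLI output."""
    h = parse_mac(mac).hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """True when the I/G bit (0x01 of the first octet) is set."""
    return bool(parse_mac(mac)[0] & 0x01)


def classify_sta(mac: str) -> str:
    """'invalid' for multicast, 'randomized' for locally administered, else 'burned-in'."""
    if is_multicast(mac):
        return "invalid"
    return "randomized" if is_locally_administered(mac) else "burned-in"


def audit(associations):
    """associations: iterable of (mac, ssid) pairs -> list of finding dicts."""
    findings = []
    for mac, ssid in associations:
        kind = classify_sta(mac)
        if kind == "randomized":
            advice = "do not configure MAC-bound services: " + ", ".join(MAC_BOUND_SERVICES)
        elif kind == "burned-in":
            advice = "MAC-bound services can be configured"
        else:
            advice = "reject: multicast bit set, not a unicast STA address"
        findings.append({"mac": to_ac_format(mac), "ssid": ssid, "kind": kind, "advice": advice})
    return findings


# Constructed sample associations (not real AC output).
SAMPLE_ASSOCIATIONS = [
    ("0011-2233-4455", "corp-iot"),       # first octet 0x00: burned-in address
    ("da:a1:19:0b:2c:3d", "corp-byod"),   # 0xda has bit 0x02 set: randomized
    ("8e-4f-00-11-22-33", "corp-byod"),   # 0x8e has bit 0x02 set: randomized
    ("01:00:5e:00:00:01", "guest"),       # multicast, never a STA address
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSOCIATIONS):
        print(f"{f['mac']}  {f['ssid']:<10} {f['kind']:<10} {f['advice']}")
```

The locally administered bit is a strong hint, not proof, of randomization: virtual machines and some embedded devices also use locally administered addresses without changing them, so treat a "randomized" finding as a reason to check the terminal's privacy setting before deciding against MAC-bound services for it.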

WPA3
  • In the WPA3-SAE transition mode, WPA3 must be used with WPA2 for hybrid authentication, only AES can be used for encryption, and WPA3 is not recommended in TKIP encryption scenarios.
  • WPA3-SAE authentication depends on the PMF function, but 802.11n APs do not support the PMF function. Therefore, 802.11n APs do not support WPA3-SAE authentication.
  • Only 802.11ac Wave 2 and 802.11ax APs support WPA3-802.1X authentication.
  • WPA3 is not available for the following models: AirEngine 5760-22W, AirEngine 5760-22WD, AirEngine 5760-51, AirEngine 6760R-51, AirEngine 6760R-51E, AirEngine 6760-X1, AirEngine 6760-X1E, AirEngine 8760R-X1, AirEngine 8760R-X1E, AirEngine 8760-X1-PRO.
  • WPA3 of the enterprise edition does not support the hybrid authentication mode.
  • WPA3-SAE does not support PPSK authentication.
  • WPA3 and 802.11r cannot be used at the same time.
  • WPA3 authentication is not supported in WDS and mesh scenarios.
WAPI
  • WAPI is not available for the following models: AirEngine 5760-22W, AirEngine 5760-22WD, AirEngine 5760-51, AirEngine 6760R-51, AirEngine 6760R-51E, AirEngine 6760-X1, AirEngine 6760-X1E, AirEngine 8760R-X1, AirEngine 8760R-X1E, AirEngine 8760-X1-PRO, AP7030DE, AP9330DN.