评分并提供意见反馈 :
华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
配置攻击检测功能示例
配置流程
WLAN不同的特性和功能需要在不同类型的模板下进行配置和维护,这些模板统称为WLAN模板,如域管理模板、射频模板、VAP模板、AP系统模板、AP有线口模板、WIDS模板、WDS模板。当用户在配置WLAN业务功能时,需要在对应功能的WLAN模板中进行参数配置,配置完成后,须将此模板引用到AP组或AP中,配置下发到AP,进而配置的功能在AP上生效。由于模板之间是存在各相互引用关系的,因此在用户配置过程中,需要提前了解各个模板之间存在的逻辑关系。模板的逻辑关系和基本配置流程请参见WLAN业务配置流程。
组网需求
如图7-18所示,AC直接与AP连接,企业部署了WLAN基本业务实现移动办公。为了保障网络的稳定和安全,预防泛洪攻击和暴力破解PSK密钥攻击,可以配置攻击检测和动态黑名单。通过将检测到的攻击设备加入动态黑名单,丢弃攻击设备的报文,阻止攻击行为。
配置思路
- 配置WLAN基本业务,实现STA可以正常接入WLAN网络。
- 配置WPA2-PSK认证方式的防暴力破解密钥攻击检测和泛洪攻击检测功能,可以检测到发起攻击的设备信息。
- 配置动态黑名单功能,可以将发起攻击的设备信息加入动态黑名单,在配置的老化时间内,拒绝接收其发送的报文。
下面以在2.4G射频上配置攻击检测功能为例,5G射频上的配置与2.4G射频上的配置类似。
表7-3 数据规划表
配置项 |
数据 |
|---|---|
| DHCP服务器 | AC作为DHCP服务器为STA和AP分配IP地址 |
| AP的IP地址池 | 10.10.10.2~10.10.10.254/24 |
| STA的IP地址池 | 10.10.11.2~10.10.11.254/24 |
| AC的源接口IP地址 | VLANIF100:10.10.10.1/24 |
| AP组 |
|
| 域管理模板 |
|
| SSID模板 |
|
| 安全模板 |
|
| VAP模板 |
|
| WIDS模板 |
|
| AP系统模板 |
|
配置注意事项
纯组播报文由于协议要求在无线空口没有ACK机制保障,且无线空口链路不稳定,为了纯组播报文能够稳定发送,通常会以低速报文形式发送。如果网络侧有大量异常组播流量涌入,则会造成无线空口拥堵。为了减小大量低速组播报文对无线网络造成的冲击,建议配置组播报文抑制功能。配置前请确认是否有组播业务,如果有,请谨慎配置限速值。
- 业务数据转发方式采用直接转发时,建议在直连AP的交换机接口上配置组播报文抑制。
- 业务数据转发方式采用隧道转发时,建议在AC的流量模板下配置组播报文抑制。
- 管理VLAN和业务VLAN不能配置为同一VLAN。
在配置多个VAP模板,且多个VAP模板共用同一个service-vlan的场景下,如果配置数据转发方式为tunnel模式,则需要启动service-vlan间的Proxy ARP功能。
操作步骤
- 配置AP与AC之间网络互通。
# 将接口Eth2/0/0加入VLAN100(管理VLAN)和VLAN101(业务VLAN)。
建议在AC连接AP的接口Eth2/0/0上配置端口隔离,如果不配置端口隔离,可能会在VLAN内存在不必要的广播报文,或者导致不同AP间的WLAN用户二层互通的问题。
<Huawei> system-view [Huawei] sysname AC [AC] vlan batch 100 101 [AC] interface ethernet 2/0/0 [AC-Ethernet2/0/0] port link-type trunk [AC-Ethernet2/0/0] port trunk pvid vlan 100 [AC-Ethernet2/0/0] port trunk allow-pass vlan 100 101 [AC-Ethernet2/0/0] port-isolate enable [AC-Ethernet2/0/0] quit
- 配置AC作为DHCP服务器,为STA和AP分配IP地址。
# 配置基于接口地址池的DHCP服务器,其中,VLANIF100接口为AP提供IP地址,VLANIF101为STA提供IP地址。
[AC] dhcp enable [AC] interface vlanif 100 [AC-Vlanif100] ip address 10.10.10.1 24 [AC-Vlanif100] dhcp select interface [AC-Vlanif100] quit [AC] interface vlanif 101 [AC-Vlanif101] ip address 10.10.11.1 24 [AC-Vlanif101] dhcp select interface [AC-Vlanif101] quit
- 配置AP上线。
# 创建AP组,用于将相同配置的AP都加入同一AP组中。
[AC] wlan ac [AC-wlan-view] ap-group name ap-group1 Info: This operation may take a few seconds. Please wait for a moment.done. [AC-wlan-ap-group-ap-group1] quit# 创建域管理模板,在域管理模板下配置AC的国家码并在AP组下引用域管理模板。
[AC-wlan-view] regulatory-domain-profile name domain1 [AC-wlan-regulate-domain-domain1] country-code cn Info: The current country code is same with the input country code. [AC-wlan-regulate-domain-domain1] quit [AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1 Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu e?[Y/N]:y [AC-wlan-ap-group-ap-group1] quit [AC-wlan-view] quit
# 配置AC的源接口。
# 在AC上离线导入AP,并将AP加入AP组“ap-group1”中。假设AP的MAC地址为60de-4476-e360,并且根据AP的部署位置为AP配置名称,便于从名称上就能够了解AP的部署位置。例如MAC地址为60de-4476-e360的AP部署在1号区域,命名此AP为“area_1”。[AC] wlan ac [AC-wlan-view] ap auth-mode mac-auth [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360 [AC-wlan-ap-0] ap-name area_1 [AC-wlan-ap-0] ap-group ap-group1 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y Info: This operation may take a few seconds. Please wait for a moment.. done. [AC-wlan-ap-0] quit
# 将AP上电后,当执行命令display ap all查看到AP的“State”字段为“nor”时,表示AP正常上线。
[AC-wlan-view] display ap all Info: This operation may take a few seconds. Please wait for a moment.done. Total AP information: nor : normal [1] --------------------------------------------------------------------------------------------- ID MAC Name Group IP Type State STA Uptime --------------------------------------------------------------------------------------------- 0 60de-4476-e360 area_1 ap-group1 10.10.10.254 AP6010DN-AGN nor 0 6S --------------------------------------------------------------------------------------------- Total: 1 - 配置攻击检测功能
# 开启WPA2-PSK认证方式的暴力破解密钥攻击检测功能和泛洪攻击检测功能。
[AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] radio 0 [AC-wlan-group-radio-ap-group1/0] wids attack detect enable wpa2-psk [AC-wlan-group-radio-ap-group1/0] wids attack detect enable flood [AC-wlan-group-radio-ap-group1/0] quit [AC-wlan-ap-group-ap-group1] quit
# 创建名为“wlan-wids”的WIDS模板。
[AC-wlan-view] wids-profile name wlan-wids
# 配置WPA2-PSK认证方式的暴力破解密钥攻击检测的检测周期为70秒,检测周期内允许密钥错误的次数为25次,静默时间为700秒。
[AC-wlan-wids-prof-wlan-wids] brute-force-detect interval 70 [AC-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25 [AC-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700
# 配置泛洪攻击检测的检测周期为70秒,泛洪攻击检测阈值为350个,静默时间为700秒。
[AC-wlan-wids-prof-wlan-wids] flood-detect interval 70 [AC-wlan-wids-prof-wlan-wids] flood-detect threshold 350 [AC-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700
# 使能动态黑名单功能。
[AC-wlan-wids-prof-wlan-wids] dynamic-blacklist enable [AC-wlan-wids-prof-wlan-wids] quit
# 创建名为“wlan-system”的AP系统模板,配置动态黑名单老化时间为200秒。
[AC-wlan-view] ap-system-profile name wlan-system [AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200 [AC-wlan-ap-system-prof-wlan-system] quit
- 配置WLAN业务参数
# 创建名为“wlan-security”的安全模板,并配置安全策略。
举例中以配置WPA2+PSK+AES的安全策略为例,密码为“a1234567”,实际配置中请根据实际情况,配置符合实际要求的安全策略。
[AC-wlan-view] security-profile name wlan-security [AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes [AC-wlan-sec-prof-wlan-security] quit
# 创建名为“wlan-ssid”的SSID模板,并配置SSID名称为“wlan-net”。
[AC-wlan-view] ssid-profile name wlan-ssid [AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net Warning: This action may cause service interruption. Continue?[Y/N]y Info: This operation may take a few seconds, please wait.done. [AC-wlan-ssid-prof-wlan-ssid] quit
# 创建名为“wlan-vap”的VAP模板,配置业务VLAN,并且引用安全模板和SSID模板。
[AC-wlan-view] vap-profile name wlan-vap [AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 Info: This operation may take a few seconds, please wait.done. [AC-wlan-vap-prof-wlan-vap] security-profile wlan-security Info: This operation may take a few seconds, please wait..done. [AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid Info: This operation may take a few seconds, please wait..done. [AC-wlan-vap-prof-wlan-vap] quit
# 配置AP组引用VAP模板“wlan-vap”、WIDS模板“wlan-wids”和AP系统模板“wlan-system”。
[AC-wlan-view] ap-group name ap-group1 [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all [AC-wlan-ap-group-ap-group1] wids-profile wlan-wids [AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system Warning: This action may cause service interruption. Continue?[Y/N]y [AC-wlan-ap-group-ap-group1] quit# 提交配置。
[AC-wlan-view] commit all Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
- 验证配置结果
#配置完成后,当有其他设备对WLAN网络进行攻击时,通过display wlan ids attack-detected all命令,可以查看到检测到的攻击设备。
[AC-wlan-view] display wlan ids attack-detected all #AP: Number of monitor APs that have detected the device AT: Last detcted attack type CH: Channel number act: Action frame asr: Association request aur: Authentication request daf: Deauthentication frame dar: Disassociation request wiv: Weak IV detected pbr: Probe request rar: Reassociation request eaps: EAPOL start frame eapl: EAPOL logoff frame saf: Spoofed disassociation frame sdf: Spoofed deauthentication frame otsf: Other types of spoofing frames ------------------------------------------------------------------------------------------------ MAC address AT CH RSSI(dBm) Last detected time #AP ------------------------------------------------------------------------------------------------ 261f-a0ec-c0f3 pbr 1 -60 2015-01-28/17:35:55 1 ------------------------------------------------------------------------------------------------ Total: 1, printed: 1
# 通过display wlan ids dynamic-blacklist all命令,可以查看加入动态黑名单的攻击设备。
[AC-wlan-view] display wlan ids dynamic-blacklist all #AP: Number of monitor APs that have detected the device act: Action frame asr: Association request aur: Authentication request daf: Deauthentication frame dar: Disassociation request eapl: EAPOL logoff frame pbr: Probe request rar: Reassociation request eaps: EAPOL start frame -------------------------------------------------------------------------------- MAC address Last detected time Reason #AP ------------------------------------------------------------------------------------------------ 261f-a0ec-c0f3 2015-01-28/17:35:55 pbr 1 ------------------------------------------------------------------------------------------------ Total: 1, printed: 1
配置文件
AC的配置文件
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface
#
interface Ethernet2/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
capwap source interface vlanif100
#
wlan ac
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#4R-.UpLuaWW`dGKS3R':Hg.h4g.hh:ygc7*P$q("%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
wids-profile name wlan-wids
flood-detect interval 70
flood-detect threshold 350
flood-detect quiet-time 700
brute-force-detect interval 70
brute-force-detect threshold 25
brute-force-detect quiet-time 700
dynamic-blacklist enable
ap-system-profile name wlan-system
dynamic-blacklist aging-time 200
ap-group name ap-group1
ap-system-profile wlan-system
regulatory-domain-profile domain1
wids-profile wlan-wids
radio 0
vap-profile wlan-vap wlan 1
wids attack detect enable flood
wids attack detect enable wpa2-psk
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
