HP Unified Wired-WLAN Products


WLAN Configuration Guide

HP 830 Unified Wired-WLAN PoE+ Switch Series
HP 850 Unified Wired-WLAN Appliance
HP 870 Unified Wired-WLAN Appliance
HP 11900/10500/ G Unified Wired-WLAN Module

Part number:
Software version:
  3507P22 (HP 830 PoE+ Switch Series)
  2607P22 (HP 850 Appliance)
  2607P22 (HP 870 Appliance)
  2507P22 (HP 11900/10500/ G Module)
Document version: 6W

Legal and notice information

Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Configuring WLAN interfaces 1
  WLAN-ESS interface 1
    Entering WLAN-ESS interface view 1
    Configuring a WLAN-ESS interface 1
  WLAN-DBSS interface 2
  WLAN mesh interface 2
    Entering WLAN mesh interface view 2
    Configuring a WLAN mesh interface 2
  Displaying and maintaining WLAN interfaces 3
Configuring WLAN access 4
  WLAN access overview 4
    Terminology 4
    Wireless client access 4
  WLAN access configuration task list 6
  Enabling WLAN 7
  Configuring the number of AP requests for getting online that an AC can process per second 7
  Specifying a country/region code 7
  Configuring auto AP 8
    Enabling auto AP 8
    Configuring auto-AP authentication 9
    Enabling unauthenticated auto APs to pass authentication and provide WLAN services 10
    Converting auto APs to configured APs 11
  Configuring tunnel management 11
    Configuring parameters for an AP 12
    Enabling AC-AP tunnel encryption with IPsec 13
    Configuring the echo interval for an AP 16
  Managing APs 16
    Specifying a configuration file for an AP 16
    Renaming an AP 16
    Configuring AP traffic protection 17
    Enabling the AC to accept APs with a different software version 17
    Upgrading APs 17
  Configuring a WLAN service template 19
    Creating a service template and specifying an SSID 19
    Enabling an authentication method 19
    Binding a WLAN-ESS interface to the service template 20
    Configuring a forwarding mode 20
    Configuring client authentication 22
    Configuring the maximum number of associated clients 24
    Configuring beacon measurement 24
    Enabling fast association 25
    Configuring the client cache aging time 25
    Enabling a service template 25
  Configuring radio parameters 26
    Configuring basic radio parameters 26
    Configuring a radio policy 28
    Enabling automatic creation of radio policies by the SNMP set operation 29
    Configuring 802.11n 30
    Mapping a service template to the radio 31
    Enabling a radio 32
    Configuring 802.11ac 32
  Configuring an AP group 33
    Creating an AP group 34
    Configuring IP address match criteria for an AP group 34
    Configuring an AP group 34
    Adding an AP to an AP group 37
  Configuring the interval for an AP to send statistics report 38
  Configuring the memory utilization threshold for an AP 38
  Restoring the factory default settings of APs 38
  Enabling automatic heating for an outdoor AP 38
  Shutting down all LEDs on APs 39
  Enabling SNMP traps for the WLAN module 39
  Configuring client IP address monitoring 40
  Displaying and maintaining WLAN access 40
  Configuring a remote AP 43
  Configuring WLAN access control 44
    Configuring AP-based access control 44
    Configuring SSID-based access control 45
  WLAN access configuration examples 46
    WLAN access configuration example 46
    Configuring the same SSID to provide different access modes 47
    Auto-AP configuration example 49
    Auto-AP authentication configuration example 50
    Configuring AC-AP tunnel encryption with IPsec through pre-shared key authentication 52
    Configuring AC-AP tunnel encryption with IPsec through digital signature authentication 54
    Policy-based forwarding configuration example
    802.11n configuration example
    802.11ac configuration example 63
    Backup client authentication configuration example 64
    Local client authentication configuration example 65
    AP upgrade configuration example 67
    AP version rollback configuration example 68
    AC and AP version rollback configuration example 69
    AP group configuration without roaming 70
    AP group configuration for inter-AC roaming 73
    Client IP address monitoring configuration example 76
Configuring WLAN security 77
  Overview 77
    Authentication modes 77
    WLAN data security 78
    Client access authentication 79
    Protocols and standards 79
  Configuring WLAN security 80
    Configuration task list 80
    Enabling an authentication method 80
    Configuring the PTK lifetime 81
    Configuring the GTK rekey method 81
    Configuring security IE 82
    Configuring cipher suite 83
    Configuring port security 85
    Specifying a key derivation type 87
    Configuring management frame protection 87
  Displaying and maintaining WLAN security 89
  WLAN security configuration examples 90
    PSK authentication configuration example 90
    MAC and PSK authentication configuration example
    802.1X authentication configuration example 95
    Dynamic WEP encryption-802.1X authentication configuration example 99
    Supported combinations for ciphers 100
Configuring IACTP tunnel and WLAN roaming 103
  IACTP tunnel 103
  WLAN roaming overview 103
    Terminology 103
    WLAN roaming topologies 104
  Configuring a mobility group 107
  Isolating tunnels in a mobility group 108
  Enabling WLAN roaming 108
  Displaying and maintaining WLAN roaming 108
  WLAN roaming configuration examples 109
    Intra-AC roaming configuration example 109
    Inter-AC roaming configuration example 112
Configuring WLAN RRM 117
  Overview 117
    Dynamic frequency selection 117
    Transmit power control 118
  Configuration task list 120
  Configuring data transmit rates 121
    Configuring 802.11a/802.11b/802.11g rates 121
    Configuring 802.11n rates 122
    Configuring 802.11ac rates 124
  Configuring channel exclusion 127
  Configuring the maximum bandwidth 127
  Configuring 802.11g protection 128
    Enabling 802.11g protection 128
    Configuring 802.11g protection mode 128
  Configuring 802.11n protection 129
    Enabling 802.11n protection 129
    Configuring 802.11n protection mode 130
  Configuring DFS 130
    Configuring auto-dfs 130
    Executing one-time DFS 131
    Configuring DFS trigger parameters 131
  Configuring mesh DFS 132
    Configuring automatic mesh DFS 132
    Executing one-time mesh DFS 133
  Executing channel persistence 133
  Configuring TPC 133
    Configuring auto-tpc 134
    Executing one-time TPC 134
    Configuring TPC trigger parameters 135
    Configuring the minimum transmission power 135
  Executing power persistence 135
  Configuring a radio group 136
  Configuring scan parameters 136
  Configuring power constraint 137
  Configuring interference trap thresholds 137
  Displaying and maintaining WLAN RRM 138
  Load balancing 138
    Overview 138
    Load balancing configuration task list 141
    Configuring a load balancing mode 142
    Configuring group-based load balancing 142
    Configuring parameters that affect load balancing 143
    Displaying and maintaining load balancing 144
  Configuring band navigation 144
    Configuration guidelines 144
    Configuration prerequisites 145
    Enabling band navigation globally 145
    Enabling band navigation for an AP 145
    Configuring band navigation parameters 145
  WLAN RRM configuration examples 146
    Configuring auto DFS 147
    Configuring mesh auto DFS 148
    Configuring auto TPC 148
    Configuring a radio group 150
  Load balancing configuration examples 152
    Configuring session-mode load balancing 152
    Configuring traffic-mode load balancing 154
    Configuring group-based session-mode load balancing 155
    Configuring group-based traffic-mode load balancing 157
  Band navigation configuration example 159
Configuring WLAN IDS 162
  Overview 162
    Terminology 162
    Rogue detection 162
    Attack detection 163
    Blacklist and whitelist 164
  WLAN IDS configuration task list 165
  Configuring AP operating mode 165
  Configuring rogue detection 166
    Configuring detection of rogue devices 166
    Taking countermeasures against attacks from detected rogue devices 169
    Displaying and maintaining rogue detection 170
  Configuring attack detection 171
    Configuring attack detection 171
    Displaying and maintaining attack detection 171
  Configuring blacklist and whitelist 171
    Configuring static lists 172
    Configuring a dynamic blacklist 172
    Displaying and maintaining blacklist and whitelist 172
  WLAN IDS configuration examples 173
    Rogue detection configuration example 173
    Blacklist and whitelist configuration example 175
Configuring WLAN QoS 176
  Overview 176
    Terminology 176
    WMM protocol 176
    Protocols and standards 178
  Configuring WMM 178
    Configuration restrictions and guidelines 178
    Configuration procedure 179
    Displaying and maintaining WMM 180
    WMM configuration examples 180
    Troubleshooting 185
  Configuring bandwidth guaranteeing 185
    Configuration procedure 186
    Displaying and maintaining bandwidth guaranteeing 186
    Bandwidth guaranteeing configuration example 186
  Configuring client rate limiting 189
    Configuration procedure 189
    Displaying and maintaining client rate limiting 190
    Client rate limiting configuration example 190
Configuring WLAN mesh link 193
  Overview 193
    Basic concepts 193
    WLAN mesh advantages 193
    Deployment scenarios 194
    Protocols and standards 195
  WLAN mesh configuration task list 196
  Configuring an MKD ID 196
  Configuring mesh port security 196
  Configuring a mesh profile 197
  Configuring mesh portal service 197
  Configuring an MP policy 198
  Mapping a mesh profile to the radio of an MP 199
  Mapping an MP policy to the radio of an MP 199
  Specifying a mesh working channel 199
  Specifying a peer on the radio 200
  Displaying and maintaining WLAN mesh link 200
  WLAN mesh configuration examples 200
    One-hop mesh link configuration example 201
    Two-hop mesh link configuration example 203
  Troubleshooting WLAN mesh link 206
    Authentication process not started 206
    Failure to ping MAP 206
    Configuration download failure for zeroconfig device 207
    Configuration download failure for MP 207
    Debug error: neither local nor remote is connected to MKD 207
    PMKMA delete is received by MPP for MP 208
Configuring WLAN sniffer 209
  Configuring WLAN sniffer 209
  Displaying and maintaining WLAN sniffer 211
  WLAN sniffer configuration examples 211
    Radio-based WLAN sniffer configuration example 211
    Client-based WLAN sniffer configuration example 212
Configuring AP provision 214
  Configuring basic network settings for an AP 214
  Configuring an AP to support the 802.1X client function 216
  AP provision configuration example 217
Configuring a VLAN pool 221
  Configuring a VLAN pool on a radio 221
  Displaying and maintaining VLAN pool 222
  VLAN pool configuration example 222
Configuring wireless location 224
  Overview 224
  Configuring wireless location 225
    Configuring static wireless location 226
    Configuring dynamic wireless location 227
  Displaying and maintaining wireless location 228
  Wireless location configuration example 228
Configuring multicast optimization 231
  Configuring multicast optimization 232
  Displaying and maintaining multicast optimization 233
  Multicast optimization configuration example 233
Configuring spectrum analysis 235
  Configuration task list 235
  Configuring the operating mode for an AP 235
  Enabling spectrum analysis 236
  Enabling SNMP traps 236
  Enabling spectrum analysis to trigger channel adjustment 237
  Displaying and maintaining spectrum analysis 238
  Spectrum analysis configuration example 238
Configuring a guest access tunnel 240
  Configuring a guest access tunnel 240
    Configuration restrictions and guidelines 240
    Configuration procedure 241
  Displaying and maintaining guest access tunnels 242
  Guest access tunnel configuration example 242
Configuring Bonjour gateway 245
  Benefits 245
  Working mechanism 245
    Bonjour service advertisement snooping 245
    Bonjour query snooping and response 246
  Configuring Bonjour gateway 247
    Enabling Bonjour gateway 247
    Configuring a Bonjour policy 248
    Applying a Bonjour policy 248
    Configuring the threshold for starting sending multicast responses 249
    Enabling active query for Bonjour services 250
  Displaying and maintaining Bonjour gateway 250
  Bonjour gateway configuration example 251
Configuring AC backup 253
  Overview 253
    Primary AC recovery 253
    Active/active mode 253
    AC backup 254
  Configuring AC backup 254
  Displaying AC backup connection status 256
  AC backup configuration example 256
Configuring client information backup 259
  Configuring client information backup 260
  Displaying and maintaining client information backup 260
  Client information backup configuration example 261
Configuring uplink detection 264
  Configuring uplink detection 264
  Uplink detection configuration example 264
Configuring WIPS 266
  Overview 266
    Terminology 266
    Wireless device classification 267
    Wireless attack detection 269
    Malformed packet detection 272
    WIPS networking 274
  WLAN IPS configuration task list 275
  Enabling WIPS 276
  Configuring a sensor 276
  Enabling WIPS for a hybrid sensor that provides access services 277
  Importing and exporting OUI information 278
  Configuring a hotspot list 278
  Configuring an AP classification rule 279
  Configuring an attack detection policy 280
  Configuring a malformed packet detection policy 282
  Configuring a signature rule 284
    System-defined signature rules 284
    Configuring a signature rule 286
    Configuring a signature policy 288
  Adding a MAC address to the permitted or prohibited device list 288
  Configuring a permitted channel list 289
  Configuring a virtual security domain 289
  Configuring countermeasures 290
    Disabling rogue wireless devices from accessing the WLAN 290
    Adding the MAC address of a wireless device to the static countermeasures address list 290
    Configuring a countermeasures policy 291
  Configuring an alarm-ignored device list 292
  Configuring the aging time for a wireless device 292
  Configuring the information update interval for wireless devices 293
  Configuring the wireless packet statistics sending interval 293
  Configuring the interval to re-classify wireless devices 293
  Configuring the maximum size of WIPS logs 294
  Enabling anti-denial-of-service 294
  Configuring the WIPS device type for an AP 295
  Displaying and maintaining WLAN IPS 295
  WLAN IPS configuration examples 297
    WIPS policy application 298
    Malformed packet detection configuration example 305
    Signature rule configuration example 310
Optimizing WLAN 313
  Rejecting wireless clients with low RSSI 313
  Enabling fair scheduling 313
  Ignoring weak signals 314
  Enabling 802.11n packet suppression 314
  Enabling traffic shaping based on link status 315
  Configuring the rate algorithm 315
  Enabling channel sharing adjustment 315
  Enabling channel reuse adjustment 316
  Disabling buffering of multicasts and broadcasts 316
  Enabling per-packet TPC 317
  Enabling the AP to trigger client reconnection 317
  Enabling the AP to receive all broadcasts 318
  Configuring roaming navigation 318
  Enabling rate limit based on client type 318
  Configuring the maximum transmission times for probe responses 319
  Configuring the maximum interference threshold 319
  WLAN optimization configuration examples 319
    Optimizing a high-density WLAN 320
    Optimizing a WLAN with multicast application 321
    Optimizing an 802.11n WLAN 323
    Optimizing some APs in a WLAN 324
    Enabling per-packet TPC for a WLAN 326
Support and other resources 328
  Contacting HP 328
    Subscription service 328
  Related information 328
    Documents 328
    Websites 328
  Conventions 329
Index 331

Configuring WLAN interfaces

WLAN-ESS interface

WLAN-ESS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 Ethernet ports of the access link type, and they support multiple Layer 2 protocols. A WLAN-ESS interface can also be used as a template for configuring WLAN-DBSS interfaces: WLAN-DBSS interfaces created on a WLAN-ESS interface adopt the configuration of the WLAN-ESS interface.

Entering WLAN-ESS interface view

1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
   If the WLAN-ESS interface does not exist, this command creates it first.
3. Restore the default settings of the WLAN-ESS interface.
   Command: default

Configuring a WLAN-ESS interface

You can configure the description of a WLAN-ESS interface and assign the interface to a common VLAN or a multicast VLAN. This section lists only the features supported on WLAN-ESS interfaces.

Before executing the port access vlan command, make sure the VLAN specified by the vlan-id argument already exists; use the vlan command to create it. For more information about the port access vlan command, see Layer 2 Command Reference.

Some settings of a WLAN-ESS interface that has WLAN-DBSS interfaces created on it cannot be modified, and such a WLAN-ESS interface cannot be removed.

To configure a WLAN-ESS interface (in WLAN-ESS interface view):
1. Configure the description of the interface.
   Command: description
2. Configure the VLAN.
   Commands: port link-type, port access vlan, port hybrid vlan, port hybrid pvid vlan
3. Configure multicast.
   Configure a multicast VLAN: port multicast-vlan
   Configure an IPv6 multicast VLAN: port multicast-vlan ipv6
4. Configure a MAC authentication guest VLAN.
   Command: mac-authentication guest-vlan

WLAN-DBSS interface

WLAN-DBSS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 Ethernet ports of the access link type, and they support multiple Layer 2 protocols and 802.1X. A WLAN-DBSS interface created on a WLAN-ESS interface adopts the configuration of the WLAN-ESS interface. On an access controller, the WLAN module dynamically creates a WLAN-DBSS interface for each wireless access service and removes the interface after the service expires.

WLAN mesh interface

WLAN mesh interfaces are Layer 2 virtual interfaces. You can use them as configuration templates to make and save settings for WLAN mesh link interfaces. After a WLAN mesh link interface is created, you cannot change the settings on its associated WLAN mesh interface.

Entering WLAN mesh interface view

1. Enter system view.
   Command: system-view
2. Enter WLAN mesh interface view.
   Command: interface wlan-mesh interface-number
   If the specified WLAN mesh interface does not exist, this command creates it first.
3. Restore the default settings of the WLAN mesh interface.
   Command: default

Configuring a WLAN mesh interface

To configure a WLAN mesh interface (in WLAN mesh interface view):
1. Configure the description of the WLAN mesh interface.
   Command: description
2. Configure VLAN settings.
   Commands: port link-type, port access, port trunk, port hybrid, port multicast-vlan
3. Configure port security settings.
   Commands: port-security max-mac-count, port-security port-mode, port-security preshared-key, port-security tx-key-type 11key

Displaying and maintaining WLAN interfaces

All of the following display commands are available in any view.

Display information about WLAN-ESS interfaces:
  display interface [ wlan-ess ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
  display interface wlan-ess interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]

Display information about WLAN-DBSS interfaces:
  display interface [ wlan-dbss ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
  display interface wlan-dbss interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]

Display information about WLAN mesh interfaces:
  display interface [ wlan-mesh ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
  display interface wlan-mesh interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]

Configuring WLAN access

This chapter describes how to configure WLAN access.

WLAN access overview

WLAN access provides the following services:
- WLAN client connectivity to conventional LANs.
- Secured WLAN access with different authentication and encryption methods.
- Seamless roaming of WLAN clients in a mobility domain.

Terminology

Wireless client: A handheld computer or laptop with a wireless NIC, or any terminal that supports Wi-Fi.
Access point (AP): An AP bridges frames between wireless and wired networks.
Access controller (AC): An AC manages all APs in a WLAN and provides WLAN client authentication through an authentication server.
Service set identifier (SSID): An SSID identifies a wireless network. A client scans all wireless networks and selects an SSID to connect to a specific wireless network.
Wireless medium: Transmits frames between wireless devices. Radio frequency is the wireless medium in the WLAN system.
Distribution system: The backbone for transmitting frames among APs.
Split MAC: In split MAC mode, APs and ACs manage different services. An AP manages real-time services such as beacon generation, power management, fragmentation, and defragmentation. An AC manages packet distribution, association, disassociation, and reassociation.

Wireless client access

A wireless client access process involves the steps shown in Figure 1.

Figure 1 Establishing a client access

Scanning

Wireless clients use active scanning and passive scanning to obtain information about surrounding wireless networks.

Active scanning

A wireless client periodically sends probe request frames and obtains wireless network information from the probe response frames it receives. Active scanning has the following modes:

- Active scanning without an SSID. The client periodically sends a probe request frame without an SSID on each of its supported channels. APs that receive the probe request send a probe response, which includes the available wireless network information. The client associates with the AP with the strongest signal. This mode enables the client to find the optimal wireless network.

  Figure 2 Active scanning without an SSID (the client sends a probe request with no SSID; each AP answers with a probe response)

- Active scanning with an SSID. If the wireless client is configured to access a specific wireless network or has already associated with one, it periodically sends a probe request that carries the SSID of that wireless network. When the target AP receives the probe request, it sends a probe response. This mode enables the client to access a specified wireless network.
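The two active-scanning modes above, as a Python model added here for illustration (this is not HP's code). The APs, their SSIDs and the signal strengths the client would measure are constructed inline, and the per-AP broadcast_probe_reply flag is an assumption that stands in for the broadcast-probe reply AP parameter described later in this chapter. The model also goes one step past the text: it shows that an AP configured not to answer null-SSID probes is invisible to a wildcard scan yet still answers a directed probe for its SSID, so suppressing those replies hides a network from casual discovery but is not an access control.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AccessPoint:
    name: str
    ssid: str
    rssi: int                           # constructed: signal the client measures, in dBm
    broadcast_probe_reply: bool = True  # assumption: mirrors the AP's broadcast-probe reply setting

    def handle_probe_request(self, requested_ssid: Optional[str]) -> Optional[dict]:
        """Answer a probe request, or return None to stay silent.

        A null-SSID (wildcard) probe is answered only if the AP is allowed to
        reply to such probes; a probe that names an SSID is answered only by
        APs serving that SSID.
        """
        if requested_ssid is None:
            if not self.broadcast_probe_reply:
                return None
        elif requested_ssid != self.ssid:
            return None
        return {"ap": self.name, "ssid": self.ssid, "rssi": self.rssi}

    def beacon(self) -> dict:
        """Beacon frame the AP sends periodically; passive scanners only listen."""
        return {"ap": self.name, "ssid": self.ssid, "rssi": self.rssi}


@dataclass
class WirelessClient:
    associated_with: Optional[str] = None

    def active_scan(self, aps: List[AccessPoint], ssid: Optional[str] = None) -> List[dict]:
        """Active scanning: send one probe request (wildcard when ssid is None,
        directed otherwise) and collect the responses. Channels are abstracted
        away; every AP in `aps` is assumed to hear the request."""
        responses = (ap.handle_probe_request(ssid) for ap in aps)
        return [r for r in responses if r is not None]

    def passive_scan(self, aps: List[AccessPoint]) -> List[dict]:
        """Passive scanning: collect beacons without transmitting anything."""
        return [ap.beacon() for ap in aps]

    @staticmethod
    def select_ap(responses: List[dict]) -> Optional[str]:
        """Pick the AP with the strongest signal, as a wildcard scan does."""
        if not responses:
            return None
        return max(responses, key=lambda r: r["rssi"])["ap"]

    def associate(self, ap_name: str, authenticated: bool) -> bool:
        """Association is client-initiated, requires prior authentication, and
        a client is associated with at most one AP at a time."""
        if not authenticated:
            return False
        self.associated_with = ap_name  # replaces any previous association
        return True


def discover(aps: List[AccessPoint], ssid: Optional[str] = None) -> Optional[str]:
    """Run one active scan and return the AP the client would pick."""
    client = WirelessClient()
    return client.select_ap(client.active_scan(aps, ssid))


# Constructed topology: two APs serve "corp", one of which does not answer
# wildcard probes; a third AP serves "guest" with the strongest signal.
SAMPLE_APS = [
    AccessPoint("ap-1", "corp", rssi=-60),
    AccessPoint("ap-2", "corp", rssi=-45, broadcast_probe_reply=False),
    AccessPoint("ap-3", "guest", rssi=-40),
]

if __name__ == "__main__":
    print("wildcard scan picks:", discover(SAMPLE_APS))                    # ap-3
    print("directed scan for 'corp' picks:", discover(SAMPLE_APS, "corp"))  # ap-2
```

The wildcard scan never sees ap-2, so a client with no configured network lands on the guest SSID; a client that already knows "corp" finds ap-2 through its directed probe and prefers it for its stronger signal.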

Figure 3 Active scanning with an SSID

Passive scanning

A wireless client listens to the beacon frames that APs send periodically to discover surrounding wireless networks. Passive scanning is used when a client wants to save battery power; VoIP clients typically use passive scanning.

Figure 4 Passive scanning

Authentication

To secure wireless links, APs authenticate wireless clients. A wireless client must pass authentication before it can access a wireless network. 802.11 defines two authentication methods: open system authentication and shared key authentication. For more information about the authentication methods, see "Configuring WLAN security."

Association

To access a wireless network through an AP, a client must associate with that AP. After the client passes authentication on the AP, it sends an association request to the AP. The AP checks the capability information in the association request to determine the capabilities supported by the client, and then sends an association response to notify the client of the association result. A client can associate with only one AP at a time, and the association process is always initiated by the client.

WLAN access configuration task list

Task: Enabling WLAN (Required)
Task: Configuring the number of AP requests for getting online that an AC can process per second
Task: Specifying a country/region code (Required)
Task: Configuring auto AP

Task: Configuring tunnel management (Required)
Task: Managing APs
Task: Configuring a WLAN service template (Required)
Task: Configuring radio parameters (Required)
Task: Configuring an AP group
Task: Shutting down all LEDs on APs
Task: Enabling SNMP traps for the WLAN module
Task: Configuring client IP address monitoring

Enabling WLAN

You must enable WLAN before you can use WLAN services.

To enable WLAN:
1. Enter system view.
   Command: system-view
2. Enable WLAN.
   Command: wlan enable
   By default, WLAN is enabled.

Configuring the number of AP requests for getting online that an AC can process per second

1. Enter system view.
   Command: system-view
2. Configure the number of AP requests for getting online that the AC can process per second.
   Command: wlan ap-concurrency-limit number
   By default, the limit is 32. The value range is 1 to the maximum number of APs the AC supports, which depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.

Specifying a country/region code

A country/region code determines the available wireless bands, channels, and power levels in the country where you deploy the WLAN. Follow these guidelines when you specify a country/region code:

- If an AP is not configured with a country/region code, the AP uses the global country/region code.
- If an AP is configured with a country/region code, the AP uses its own country/region code.
- If the global country/region code and the country/region code for an AP conflict, the AC disconnects the AP. You must configure a correct country/region code for the AP before it can reconnect to the AC.
- Some ACs and fit APs have a fixed country/region code that cannot be modified. If an AC has a fixed country/region code, all fit APs managed by the AC must use the AC's fixed country/region code. If a fit AP has a fixed country/region code, the fit AP can use only that code. If an AC and a fit AP each have a different fixed country/region code, they use the fixed country/region code of the fit AP.
- If an AP is configured with a country/region code or has a fixed country/region code, changing the global country/region code does not affect the country/region code of that AP.
- Configure a valid country or region code to meet the regulations of the country where the WLAN is deployed.

To specify a country/region code:
1. Enter system view.
   Command: system-view
2. Specify the global country/region code.
   Command: wlan country-code code
   By default, the global country/region code is not configured.
3. Specify the AP name and its model number, and enter AP template view.
   Command: wlan ap ap-name model model-name [ id ap-id ]
   You must specify the model name when you create an AP template.
4. Specify a country/region code for the AP.
   Command: country-code code
   By default, the country/region code varies with the AP model.

Configuring auto AP

The auto AP feature enables APs to associate with an AC automatically. It greatly reduces your workload when you deploy a wireless network with many APs.

Enabling auto AP

CAUTION: For security purposes, disable the auto-AP function after the auto APs have connected to the AC.

You can enable auto AP in the following ways:
- Specify an auto-AP template and enable the auto-AP function. Create an auto-AP template by using the wlan ap command on the AC, and enable the auto-AP function. The AC automatically associates with APs of the model specified in the template, names them by their MAC addresses, and assigns the configuration in the template to them.

  Clients can associate with auto APs, but the administrator cannot change the configuration of auto APs. Do not use the MAC address of an AP as the ap-name in the wlan ap ap-name model model-name command, because the AC names auto APs by their MAC addresses.
- Enable the auto-AP function only. After you enable the auto-AP function, the AC automatically associates with all APs and names them by their MAC addresses. Clients can associate with the auto APs, but the administrator cannot change their configuration.

You can enable an AP to connect to an AC by one of the following methods, listed in descending order of priority:
1. Configure the serial ID of the AP.
2. Specify an auto-AP template.
3. Enable the auto-AP function.
For example, if you configure the serial ID of an AP and also enable the auto-AP function, the AP comes online as a configured AP.

To enable auto AP:
1. Enter system view.
   Command: system-view
2. Enable the auto-AP function.
   Command: wlan auto-ap enable
   By default, the auto-AP function is disabled.
3. Configure an auto-AP template.
   Enter AP template view: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Enable auto AP serial ID configuration: serial-id auto
   You must configure an auto-AP template when you want to connect the APs of a specific model. New settings in an auto-AP template apply only to APs that come online after the settings are configured.

Configuring auto-AP authentication

The auto-AP authentication function lets you control and manage auto APs. It takes effect only for auto APs, and "APs" in this section refers to auto APs. Auto-AP authentication has two modes:

- Local auto-AP authentication. In local authentication mode, the AC directly authenticates APs by serial ID or by MAC address, and uses an ACL specified by the wlan ap-authentication acl command to match APs. Assume you adopt local authentication by serial ID. When an auto AP connects to the AC, the AC matches the serial ID of the AP against the ACL rules:
  - If the serial ID matches a permit rule, the auto AP passes authentication and connects to the AC.
  - If the serial ID matches a deny rule, the auto AP fails authentication and cannot connect to the AC.
  - If the serial ID does not match any rule, the AP is an unauthenticated AP.
  The ACL can be configured manually or imported from a file.
- Remote auto-AP authentication. In remote authentication mode, the AC contacts a remote authentication server to authenticate unauthenticated APs. The AC uses the serial ID or MAC address of an unauthenticated AP as the

username and password, and sends them to the authentication server. If remote authentication succeeds, the AC accepts the AP; otherwise, the AC denies the AP. You can also use remote authentication to authenticate all auto APs.

The "unauthenticated AP" status exists only for local authentication. For remote authentication, the result can only be "authentication failed" or "authentication succeeded."

In both modes the AP's credential is a serial ID or MAC address rather than a secret: a MAC address can be forged, and a serial ID is typically printed on the device label. Treat auto-AP authentication as a deployment-time admission control, keep the ACL as tight as possible, and disable the auto-AP function once deployment is complete, as the CAUTION above advises.

NOTE: To re-authenticate an online auto AP, use the reset wlan ap unauthenticated command to log off the auto AP.

To configure auto-AP authentication:
1. Enter system view.
   Command: system-view
2. Specify the auto-AP authentication method.
   Command: wlan ap-authentication method { mac-address | serial-id }
   By default, the AC authenticates APs by MAC address.
3. Configure local auto-AP authentication. Use one of the following:
   - Specify an ACL to authenticate auto APs: wlan ap-authentication acl acl-number
     The specified ACL must already exist. For more information about ACLs, see QoS and ACL Configuration Guide.
   - Use ACL rules generated from the specified file to authenticate auto APs: wlan ap-authentication import file-name
4. Configure remote auto-AP authentication:
   - Specify an authentication domain and AAA scheme. For more information about authentication domains and AAA schemes, see Security Configuration Guide.
   - Configure the username and password on the authentication server. The serial ID or MAC address of an auto AP is used as both the username and the password.
   - Specify an authentication domain: wlan ap-authentication domain domain-name
     By default, no authentication domain is specified for auto-AP authentication.
5. Enable auto-AP authentication.
   Command: wlan ap-authentication enable
   By default, auto APs are not authenticated.

Enabling unauthenticated auto APs to pass authentication and provide WLAN services

You can configure the AC to accept unauthenticated auto APs by using the wlan ap-authentication permit-unauthenticated command, but those auto APs cannot provide WLAN services. To enable them to pass authentication and provide WLAN services, execute the wlan ap-authentication accept command. After they pass authentication, the system generates the corresponding ACL rules.
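The admission logic described in the preceding sections (the three onboarding methods and their priority, local ACL authentication with its permit/deny/unauthenticated outcomes, remote authentication with only a succeeded/failed outcome, and the accept, reject and persistent operations) as a Python model added here for illustration; this is not HP's code. The ACL rules, AP identities, model names and the remote_auth callback standing in for the AAA server are all constructed. The model assumes first-match ACL evaluation and, following the default stated for the permit-unauthenticated command, that an auto AP matching no rule stays connected to the AC without providing WLAN service.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

PERMIT, DENY = "permit", "deny"


@dataclass
class ACL:
    """Ordered rule list: the first rule whose identity matches decides (assumption)."""
    rules: List[Tuple[str, str]] = field(default_factory=list)  # (action, identity)

    def match(self, identity: str) -> Optional[str]:
        for action, ident in self.rules:
            if ident == identity:
                return action
        return None  # no rule matched


@dataclass
class APCandidate:
    mac: str
    serial_id: str
    model: str


@dataclass
class AccessController:
    configured_serials: Dict[str, str] = field(default_factory=dict)  # serial ID -> configured AP name
    auto_ap_templates: Set[str] = field(default_factory=set)          # models with a serial-id auto template
    auto_ap_enabled: bool = False          # wlan auto-ap enable
    auth_enabled: bool = False             # wlan ap-authentication enable
    auth_method: str = "mac-address"       # wlan ap-authentication method (default mac-address)
    acl: ACL = field(default_factory=ACL)  # wlan ap-authentication acl
    remote_auth: Optional[Callable[[str, str], bool]] = None  # constructed stand-in for the AAA server
    online: Dict[str, dict] = field(default_factory=dict)     # AP name -> state

    def identity(self, ap: APCandidate) -> str:
        return ap.serial_id if self.auth_method == "serial-id" else ap.mac

    def onboard(self, ap: APCandidate) -> Optional[dict]:
        """Admit an AP that is trying to come online; None means the AC turns it away."""
        if ap.serial_id in self.configured_serials:  # priority 1: configured serial ID
            state = {"ap": ap, "name": self.configured_serials[ap.serial_id],
                     "kind": "configured", "status": "n/a", "services": True}
        elif self.auto_ap_enabled:                    # priorities 2 and 3: auto AP, named by MAC
            state = {"ap": ap, "name": ap.mac, "kind": "auto", "status": "n/a",
                     "services": True, "from_template": ap.model in self.auto_ap_templates}
            if self.auth_enabled:
                self._authenticate(state)
                if state["status"] in ("denied", "failed"):
                    return None
        else:
            return None
        self.online[state["name"]] = state
        return state

    def _authenticate(self, state: dict) -> None:
        ident = self.identity(state["ap"])
        if self.remote_auth is not None:         # remote mode: only succeeded or failed
            ok = self.remote_auth(ident, ident)  # the identity doubles as username and password
            state["status"] = "succeeded" if ok else "failed"
            state["services"] = ok
            return
        action = self.acl.match(ident)           # local mode: permit, deny, or no match
        if action == PERMIT:
            state["status"] = "succeeded"
        elif action == DENY:
            state["status"], state["services"] = "denied", False
        else:                                    # unauthenticated: connected, no WLAN service
            state["status"], state["services"] = "unauthenticated", False

    def accept(self, name: str) -> dict:
        """wlan ap-authentication accept ap unauthenticated name <name>: let the AP
        pass authentication and add the matching permit rule to the ACL."""
        state = self.online[name]
        self.acl.rules.append((PERMIT, self.identity(state["ap"])))
        state["status"], state["services"] = "succeeded", True
        return state

    def reject(self, name: str) -> None:
        """wlan ap-authentication reject ...: add a deny rule and take the AP offline."""
        state = self.online.pop(name)
        self.acl.rules.append((DENY, self.identity(state["ap"])))

    def persistent(self, name: str, new_name: Optional[str] = None) -> dict:
        """wlan auto-ap persistent name <name> [new-name]: convert an online auto AP
        into a configured AP keyed by its serial ID."""
        state = self.online.pop(name)
        state["name"], state["kind"] = new_name or name, "configured"
        self.configured_serials[state["ap"].serial_id] = state["name"]
        self.online[state["name"]] = state
        return state
```

Re-running onboard() on the same AP after accept() or persistent() shows why the generated ACL rule matters: the AP now passes on its own, and once persisted it comes online as a configured AP even if the auto-AP function is later disabled.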

To enable unauthenticated auto APs to pass authentication and provide WLAN services:
1. Enter system view.
   Command: system-view
2. Enable the AC to accept unauthenticated auto APs.
   Command: wlan ap-authentication permit-unauthenticated
   By default, unauthenticated auto APs can connect to the AC but cannot provide WLAN services.
3. Enable one or all unauthenticated auto APs to pass authentication and provide services, and generate ACL rules.
   Command: wlan ap-authentication { accept | reject } ap unauthenticated { all | name ap-name }
   Before you execute this command, use the wlan ap-authentication acl command to specify an ACL; the ACL rules generated by this command are added to the specified ACL. This command also takes effect for authenticated online auto APs.

Converting auto APs to configured APs

1. Enter system view.
   Command: system-view
2. Convert an auto AP to a configured AP.
   Command: wlan auto-ap persistent { all | name auto-ap-name [ new-ap-name ] }
3. Enable converting auto APs to configured APs.
   Command: wlan auto-persistent enable
Use either approach. The wlan auto-persistent enable command takes effect only for auto APs that come online after the command is issued. To convert auto APs that are already online, you can use only the wlan auto-ap persistent command.

Configuring tunnel management

As shown in Figure 5, an AC and an AP establish a data tunnel to forward data packets and a control tunnel to forward control packets. The control tunnel is used for AP configuration and management: the AC configures and manages APs automatically based on the information provided by the administrator.

Figure 5 Network diagram

Configuring parameters for an AP

Perform this task to configure parameters for an AP on the AC. The AC automatically assigns the parameters to the AP after the AP establishes a tunnel with it and enters Run state.

To configure parameters for an AP:

1. Enter system view.
   system-view

2. Set the discovery policy.
   wlan lwapp discovery-policy unicast
   By default, the tunnel discovery policy is broadcast. If you configure the discovery policy as unicast, broadcast discovery packets are discarded.

3. Specify the AP name and its model number, and enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   You must specify the model name when you create an AP template. By default, no ID is specified for an AP.

4. Specify the serial ID of the AP, or specify the AP as an auto AP.
   serial-id { text | auto }
   When you configure an auto AP, you must configure the wlan auto-ap enable command in addition to the serial-id auto command.

5. Configure a description for the AP.
   description text

6. Enable the AP to send traps.
   trap enable

7. Configure the AP name.
   ap-name name
   By default, no AP name is configured.

8. Set the maximum length of jumbo frames.
   jumboframe enable value
   By default, jumbo frame transmission is disabled.

9. Enable the AP to respond to probe requests with a null SSID from clients.
   broadcast-probe reply
   By default, the AP responds to probe requests with a null SSID from clients.

10. Specify the maximum idle time for connections between clients and the AP.
    client idle-timeout interval
    The default is 3600 seconds.

11. Specify the client keepalive interval.
    client keep-alive interval
    By default, the client keepalive function is disabled.

12. Configure the interval at which the AP sends statistics reports.
    statistics-interval interval
    By default, the AP sends a statistics report every 50 seconds.

13. Set the network access server (NAS) port ID for the AP.
    nas-port-id text
    By default, no NAS-PORT-ID is configured for an AP.

14. Set the NAS-ID for the AP.
    nas-id text
    By default, no NAS-ID is configured for an AP.

15. Return to system view.
    quit

16. Configure a WLAN service template and enter service template view.
    wlan service-template service-template-number { clear | crypto }
    You cannot change an existing template to another type.

17. Configure the way the AP treats packets from unknown clients.
    unknown-client { deauthenticate | drop }
    By default, when the AP receives a packet from an unknown client, it sends a deauthentication packet.

Enabling AC-AP tunnel encryption with IPsec

Packets are transmitted over an AC-AP tunnel in plain text. To improve security, you can use IPsec to encrypt control and data packets. To protect the key negotiation process, configure IKE to authenticate peers. IKE provides the following authentication methods:
  Pre-shared key authentication.
  Digital signature authentication.

If you have configured AC hot backup and IPsec stateful failover at the same time, HP recommends that you use the undo ipsec synchronization enable command to disable the IPsec stateful failover function.

AC-AP tunnel encryption with IPsec through pre-shared key authentication

1. Configure the AP and AC to establish a tunnel and make sure the AP is in Run state.
2. Configure IPsec encryption in AP configuration view, and execute the save wlan ap provision command to save the configuration to the wlan_ap_cfg.wcfg file of the AP. Until IPsec is in place the control tunnel is not encrypted, so the pre-shared key pushed by the provision function is exposed to anyone who can capture traffic between the AC and the AP; perform this step on a management network you trust.
3. Reboot the AP to apply the new configuration.
4. Configure IPsec. For information about IPsec configuration, see Security Configuration Guide. Follow these guidelines when you configure IPsec:
   Specify the security protocol, encapsulation mode, authentication algorithm, and encryption algorithm as ESP, tunnel, SHA1, and AES, respectively.
   Use IKEv1 to set up SAs, use the default security proposal, and adopt only the main IKE negotiation mode. For more information about IPsec commands, see Security Command Reference.
   You can configure an IPsec policy that uses IKE only by referencing an IPsec policy template.
   When you configure pre-shared key authentication for an IKE peer, the pre-shared key configured with the pre-shared-key command (the key on the AC) must be the same as that configured with the tunnel encryption ipsec pre-shared-key command (the key sent by the AC to the AP by using the AP provision function).
   When configuring IKE peers on an AC, you can use the remote-address command to specify the addresses or IP address ranges of APs that the AC accepts. If you do not configure IKE peers, the AC accepts negotiation requests sent by any AP, which means any host holding the pre-shared key can negotiate with the AC; restricting the remote addresses to the AP subnets is the check that limits this. If multiple APs with different pre-shared keys need to establish IPsec tunnels with the AC, their IP address ranges cannot overlap. For more information about the remote-address command, see Security Command Reference.
   To make sure SAs between the AC and an AP can be removed after the AP disconnects from the AC, perform the following configurations:
     Configure the Dead Peer Detection (DPD) function.
     Configure the ISAKMP SA keepalive interval by using the ike sa keepalive-timer interval command.
     Configure the ISAKMP SA keepalive timeout by using the ike sa keepalive-timer timeout command.
     Enable invalid security parameter index (SPI) recovery by using the ipsec invalid-spi-recovery enable command.
5. Apply the IPsec policy to the target VLAN interface.

To configure AC-AP tunnel encryption with IPsec through pre-shared key authentication:

1. Enter system view.
   system-view

2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   You must specify the model name when you create an AP template.

3. Enter AP configuration view.
   provision

4. Configure the AP to use IPsec to encrypt the control tunnel.
   tunnel encryption ipsec pre-shared-key { cipher | simple } key
   By default, the AP does not encrypt the control tunnel.

5. Configure the AP to use IPsec to encrypt the data tunnel.
   data-tunnel encryption enable
   By default, the AP does not encrypt the data tunnel.

6. Save the configuration to the wlan_ap_cfg.wcfg file of the specified AP.
   save wlan ap provision { all | name ap-name }
   This command takes effect only for APs in Run state.

For more information about the tunnel encryption ipsec pre-shared-key, data-tunnel encryption enable, and save wlan ap provision { all | name ap-name } commands, see WLAN Command Reference.

AC-AP tunnel encryption with IPsec through digital signature authentication

1. Write the configurations about the certificates that need to be downloaded to the AP into a text file.
   Execute the map-configuration command in AP template view to download the configuration file to the AP.
2. Configure the AP and AC to establish a tunnel and make sure the AP is in Run state.
3. Configure IPsec encryption in AP configuration view, and execute the save wlan ap provision command to save the configuration to the wlan_ap_cfg.wcfg file of the AP.
4. Reboot the AP to apply the new configuration.
5. Configure IPsec. For information about IPsec configuration, see Security Configuration Guide. Follow these guidelines when you configure IPsec:
   Specify the security protocol, encapsulation mode, authentication algorithm, and encryption algorithm as ESP, tunnel, SHA1, and AES, respectively.
   Use IKEv1 to set up SAs, use the default security proposal, and adopt only the main IKE negotiation mode. For more information about IPsec commands, see Security Command Reference.
   You can configure an IPsec policy that uses IKE only by referencing an IPsec policy template.
   To use the digital signature authentication method:
     Execute the authentication-method rsa-signature command to specify RSA signatures as the authentication method.
     Execute the certificate domain command to configure a PKI domain for the certificate.
   When configuring IKE peers on an AC, you can use the remote-address command to specify the addresses or IP address ranges of APs that the AC accepts. If you do not configure IKE peers, the AC accepts negotiation requests sent by any AP. For more information about the remote-address command, see Security Command Reference.
   To make sure SAs between the AC and an AP can be removed after the AP disconnects from the AC, perform the following configurations:
     Configure the DPD function.
     Configure the ISAKMP SA keepalive interval by using the ike sa keepalive-timer interval command.
     Configure the ISAKMP SA keepalive timeout by using the ike sa keepalive-timer timeout command.
     Enable invalid security parameter index (SPI) recovery by using the ipsec invalid-spi-recovery enable command.
6. Apply the IPsec policy to the target VLAN interface.

To configure AC-AP tunnel encryption with IPsec through digital signature authentication:

1. Enter system view.
   system-view

2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   You must specify the model name when you create an AP template.

3. Specify the configuration file to be downloaded to the AP.
   map-configuration filename
   By default, no configuration file is specified for an AP.

4. Enter AP configuration view.
   provision

5. Configure the AP to use IPsec to encrypt the control tunnel.
   tunnel encryption ipsec pre-shared-key { cipher | simple } key
   By default, the AP does not encrypt the control tunnel.

6. Configure the AP to use IPsec to encrypt the data tunnel.
   data-tunnel encryption enable
   By default, the AP does not encrypt the data tunnel.

7. Save the configuration to the wlan_ap_cfg.wcfg file of the specified AP.
   save wlan ap provision { all | name ap-name }
   This command takes effect only for APs in Run state.

For more information about the tunnel encryption ipsec pre-shared-key, data-tunnel encryption enable, and save wlan ap provision { all | name ap-name } commands, see WLAN Command Reference.
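The following session is an added example written for this page, not a configuration from the HP guide. It walks the pre-shared key procedure end to end on the AC: provisioning the AP, restricting IKE to the AP subnet, the liveness settings that let stale SAs be torn down, the ESP/tunnel/SHA1/AES proposal the guide requires, and the IKE-based policy applied through a policy template to the AP-facing VLAN interface. All names and values are assumptions: AP template ap1 with the placeholder model ap-model, AP subnet 10.1.1.0/24 reached through VLAN-interface 10, IKE peer ap-peer, DPD entry apdpd, IPsec proposal ap-prop, policy template apt, policy ap-ipsec, the key Ap1-Tunnel-Key, and the timer values. The IKE and IPsec command forms are Comware V5 as the editor recalls them and the prompts are illustrative; confirm both against the Security Command Reference for your release.

```text
# Added example; names, addresses, key and timers are assumed (see lead-in).
# Prompts are illustrative.

# --- 1. Provision the AP while its tunnel is up and it is in Run state. ---
# The key and the enable flags reach the AP over the still-unencrypted control
# tunnel, so run this from a trusted management network.
<AC> system-view
[AC] wlan ap ap1 model ap-model
[AC-wlan-ap-ap1] provision
[AC-wlan-ap-ap1-prvs] tunnel encryption ipsec pre-shared-key simple Ap1-Tunnel-Key
[AC-wlan-ap-ap1-prvs] data-tunnel encryption enable
[AC-wlan-ap-ap1-prvs] quit
[AC-wlan-ap-ap1] quit
[AC] save wlan ap provision name ap1

# --- 2. IKE on the AC. ---
# Main mode only, the same key that was provisioned, and remote-address limited
# to the AP subnet: without it the AC negotiates with any host that has the key.
[AC] ike dpd apdpd
[AC-ike-dpd-apdpd] quit
[AC] ike peer ap-peer
[AC-ike-peer-ap-peer] exchange-mode main
[AC-ike-peer-ap-peer] pre-shared-key simple Ap1-Tunnel-Key
[AC-ike-peer-ap-peer] remote-address 10.1.1.1 10.1.1.254
[AC-ike-peer-ap-peer] dpd apdpd
[AC-ike-peer-ap-peer] quit
# Liveness: ISAKMP keepalives and invalid-SPI recovery so that SAs of an AP
# that drops off the network are removed instead of lingering.
[AC] ike sa keepalive-timer interval 20
[AC] ike sa keepalive-timer timeout 60
[AC] ipsec invalid-spi-recovery enable

# --- 3. IPsec proposal and an IKE-based policy through a policy template. ---
# ESP in tunnel mode with SHA1 integrity and AES encryption. A template is used
# because the AC does not know each AP's address in advance.
[AC] ipsec proposal ap-prop
[AC-ipsec-proposal-ap-prop] transform esp
[AC-ipsec-proposal-ap-prop] encapsulation-mode tunnel
[AC-ipsec-proposal-ap-prop] esp authentication-algorithm sha1
[AC-ipsec-proposal-ap-prop] esp encryption-algorithm aes
[AC-ipsec-proposal-ap-prop] quit
[AC] ipsec policy-template apt 10
[AC-ipsec-policy-template-apt-10] ike-peer ap-peer
[AC-ipsec-policy-template-apt-10] proposal ap-prop
[AC-ipsec-policy-template-apt-10] quit
[AC] ipsec policy ap-ipsec 10 isakmp template apt

# --- 4. Apply the policy on the AP-facing interface, then restart the AP so ---
# it loads wlan_ap_cfg.wcfg and brings the tunnel back up inside IPsec.
[AC] interface Vlan-interface 10
[AC-Vlan-interface10] ipsec policy ap-ipsec
[AC-Vlan-interface10] quit
[AC] quit
<AC> reset wlan ap name ap1
```

Order matters: the provision must be saved before the AP is reset, and the IKE and IPsec side of the AC should be in place before the AP comes back, otherwise the AP's first tunnel attempt under IPsec fails. If several AP subnets use different keys, give each its own ike peer with non-overlapping remote-address ranges, as the guide requires.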

Configuring the echo interval for an AP

The AP sends echo requests to the AC at the echo interval, and the AC responds to each echo request with an echo response. The AC or AP tears down the tunnel if one of the following occurs:
  The AC does not receive an echo request from the AP within three times the echo interval.
  The AP does not receive an echo response from the AC within three times the echo interval.

To configure the echo interval:

1. Enter system view.
   system-view

2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]

3. Configure the interval at which the AP sends echo requests.
   echo-interval interval
   By default, the echo interval is 10 seconds.

Managing APs

Specifying a configuration file for an AP

After you specify a configuration file for an AP, the AP downloads the configuration file from the AC each time it associates with the AC and enters Run state. Because the AP executes the commands in this file, write access to the file on the AC is equivalent to configuration access on every AP that references it.

To specify a configuration file for an AP:

1. Enter system view.
   system-view

2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   You must specify the model name when you create an AP template.

3. Specify a configuration file for the AP.
   map-configuration filename
   By default, no configuration file is specified for an AP. The commands in the configuration file must be in their complete form.

Renaming an AP

1. Enter system view.
   system-view

2. Rename an AP.
   wlan rename-ap ap-name new-ap-name
   You cannot change the name of an auto AP before you convert it to a configured AP.

Configuring AP traffic protection

Configure AP traffic protection to avoid frequent AP reboots caused by traffic that exceeds the AP's capability.

To configure AP traffic protection:

1. Enter system view.
   system-view

2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   You must specify the model name when you create an AP template.

3. Set the CIR for packets sent from the AC to the AP.
   cir committed-information-rate [ cbs committed-burst-size ]
   By default, no CIR is set for packets sent from the AC to the AP.

Enabling the AC to accept APs with a different software version

By default, the AC accepts only APs that run the same software version as the AC. Perform this task if you want the AC to accept APs with a different software version.

To enable the AC to accept APs with a different software version:

1. Enter system view.
   system-view

2. Enable the AC to accept APs with the specified software version.
   wlan apdb model-name hardware-version software-version
   By default, a fit AP must use the same software version as the AC. If you set the hardware version to Ver.A, the AC ignores the hardware versions of APs with the specified software version.

Upgrading APs

An improper AP version can cause network problems when you upgrade a large number of APs at one time. To avoid this problem, you can upgrade a single AP, a group of APs, or all APs as needed. The version upgrade configurations in system view, AP group view, and AP template view take priority in ascending order. If this function is not configured in a view, the configuration in the view with the next lower priority is used.

If the version upgrade function is disabled, the AP and the AC establish a tunnel without checking their versions. If the version upgrade function is enabled, the AC checks the AP's version before establishing a tunnel. If their versions differ, the AP downloads a new version from the AC and restarts.

NOTE: If you enable the version upgrade function on the AC after an AC-AP tunnel is established, restart the AP manually so that the AP can automatically download a new version from the AC.

Upgrading all APs

1. Enter system view.
   system-view

2. Enable or disable the AP version upgrade function for all APs.
   wlan ap-firmware-update { disable | enable }
   By default, version upgrade for all APs is enabled.

3. Return to user view.
   quit

4. Reset the AP.
   reset wlan ap { all | name ap-name | unauthenticated }

Upgrading a group of APs

To batch upgrade versions for multiple APs, add these APs to an AP group and configure the AP version upgrade function in AP group view.

To upgrade a group of APs:

1. Enter system view.
   system-view

2. Create an AP group and enter AP group view.
   wlan ap-group group-name
   By default, all APs belong to a default AP group named default_group.

3. Enable or disable the AP version upgrade function.
   firmware-update { disable | enable }
   By default, version upgrade for a group of APs is enabled.

4. Return to user view.
   return

5. Reset all APs in the AP group.
   reset wlan ap ap-group group-name

Upgrading a single AP

1. Enter system view.
   system-view

2. Create an AP template.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   You must specify the model name when you create an AP template.

3. Enable or disable the AP version upgrade function.
   firmware-update { disable | enable }
   By default, version upgrade for a single AP is enabled.

4. Return to user view.
   return

5. Reset the specified AP.
   reset wlan ap name ap-name

Configuring a WLAN service template

Creating a service template and specifying an SSID

1. Enter system view.
   system-view

2. Create a WLAN service template and enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type. You can create multiple service templates and specify different SSIDs, or specify the same SSID for different service templates so that one SSID provides different access services.

3. Specify the service set identifier.
   ssid ssid-name

4. Configure a description for the template.
   description string
   By default, no description is configured for the template. A description identifies a service template and helps avoid misconfiguration of SSIDs when you configure the same SSID for different service templates.

5. Disable the advertising of the SSID in beacon frames.
   beacon ssid-hide
   By default, the SSID is advertised in beacon frames. Hiding the SSID only removes it from beacons; it is still carried in probe responses and association frames, so it is not a security control on its own.

Enabling an authentication method

1. Enter system view.
   system-view

2. Enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

3. Enable the authentication method.
   authentication-method { open-system | shared-key }
   By default, open system authentication is adopted. For more information about the command, see WLAN Command Reference.

Shared-key authentication is the WEP challenge-response exchange; the challenge and its encrypted response reveal keystream to an observer, so it is not a security control. Keep open system authentication and protect the SSID with a crypto service template.

Binding a WLAN-ESS interface to the service template

1. Enter system view.
   system-view

2. Create a WLAN service template and enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

3. Bind the WLAN-ESS interface to the service template.
   bind wlan-ess interface-index
   By default, no interface is bound to the service template.

Configuring a forwarding mode

WLAN supports the following forwarding modes:
  Centralized forwarding. The AC performs data forwarding. Centralized forwarding comprises 802.3 centralized forwarding and 802.11 centralized forwarding. With 802.3 centralized forwarding, APs convert incoming 802.11 frames to 802.3 frames and tunnel them to the AC. With 802.11 centralized forwarding, APs tunnel incoming 802.11 frames to the AC unchanged.
  Local forwarding. APs forward data frames directly. The AC still authenticates clients. This mode reduces the workload of the AC and retains the security and management advantages of the AC/fit AP architecture.
  Policy-based forwarding. Based on the forwarding policy that matches the packets from clients, the AC chooses centralized or local forwarding. This mode reduces the workload of the AC. It takes effect only on packets sent by clients.

Configuring the centralized forwarding mode

1. Enter system view.
   system-view

2. Create a WLAN service template and enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

3. Enable the centralized forwarding mode.
   client remote-forwarding format { dot3 | dot11 }
   By default, data frames are encapsulated in 802.3 format and forwarded by the AC. For an LWAPP tunnel, data frames can only be encapsulated in 802.11 format.

Configuring the local forwarding mode

1. Enter system view.
   system-view

2. Create a WLAN service template and enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

3. Enable the local forwarding mode.
   client forwarding-mode local [ vlan vlan-id-list ]
   By default, an AP forwards client data frames to the AC for centralized forwarding.

Configuring the policy-based forwarding mode

If the AC adopts the local authentication mode, it also uses the local forwarding mode, and any policy-based forwarding configuration is ignored. For more information about authentication modes, see "Configuring client authentication."

Before you can apply a forwarding policy, create the forwarding policy and specify forwarding rules. The AC sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If a match is found, the AC forwards the packet according to that rule. If no match is found, or no rule is configured, the AC adopts the centralized forwarding mode by default. The AC ignores the permit and deny keywords when matching ACL rules and uses the rules only for packet classification; a deny rule therefore does not exclude traffic from a classifier but matches it just as a permit rule does.

NOTE: If you configure the policy-based forwarding mode, HP recommends not deploying the AC and the AP in the same Layer 2 network.

Table 1 Supported ACL categories

  Category                    Match criteria
  IPv4 basic ACL              Source IPv4 address
  IPv6 basic ACL              Source IPv6 address
  IPv4 advanced ACL,          IP: source and destination IP addresses
  IPv6 advanced ACL           TCP and UDP: source and destination port numbers
                              ICMP: message type and message code of the specified ICMP packets
  Ethernet frame header ACL   Source and destination MAC addresses

The forwarding mode can be applied to a user profile or a service template:
  User profile. If a client passes 802.1X authentication, the authentication server sends the name of the user profile used by the client to the AP. The AP then obtains the forwarding mode applied to the user profile. You must create and enable the user profile on the AC first. If you also configure a QoS policy in the user profile, and packets match both the QoS policy and the forwarding mode, the QoS policy takes priority.
  Service template. Clients associated with the AP adopt the forwarding mode in the service template. If you configure different forwarding modes in the user profile and the service template, the forwarding mode in the user profile takes priority.

The forwarding mode takes effect only when applied to the AP. Use the map-configuration command to download the configuration file from the AC to the AP. The configuration file must contain the ACL numbers and ACL rules. To apply the forwarding mode to a user profile, you must also include the user profile configurations in the configuration file.
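As an added example written for this page, not the guide's own configuration, the following splits client traffic so that anything bound for an assumed data-center prefix 10.10.0.0/16 stays centralized through the AC, where it can be inspected, while all other client traffic is forwarded locally by the AP. Assumed names and values: advanced ACLs 3000 and 3001, forwarding policy dc-central, service template 1 with SSID corp-split (a clear template for brevity; a production SSID would be a crypto template), AP template ap1 with the placeholder model ap-model, and the AP configuration file ap1.txt stored on the AC. Prompts are illustrative.

```text
# Added example; names and values are assumed (see lead-in).

# --- On the AC: classify traffic and map each class to a behavior. ---
<AC> system-view
# Rule 5 matches data-center traffic; rule 10 matches everything else. Rule
# IDs are kept distinct so the data-center rule sorts first. Because permit
# and deny are ignored, the catch-all must be its own rule carrying the
# behavior wanted for unmatched traffic; a deny rule would still match.
[AC] acl number 3000
[AC-acl-adv-3000] rule 5 permit ip destination 10.10.0.0 0.0.255.255
[AC-acl-adv-3000] quit
[AC] acl number 3001
[AC-acl-adv-3001] rule 10 permit ip
[AC-acl-adv-3001] quit

# remote = centralized through the AC, local = forwarded by the AP.
[AC] wlan forwarding-policy dc-central
[AC-wlan-fp-dc-central] classifier acl 3000 behavior remote
[AC-wlan-fp-dc-central] classifier acl 3001 behavior local
[AC-wlan-fp-dc-central] quit

[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid corp-split
[AC-wlan-st-1] client forwarding-mode policy-based dc-central
[AC-wlan-st-1] quit

# --- The AP must carry the same ACLs, pushed with map-configuration. ---
# Contents of ap1.txt on the AC (commands in complete form, one per line):
#   acl number 3000
#    rule 5 permit ip destination 10.10.0.0 0.0.255.255
#   acl number 3001
#    rule 10 permit ip
[AC] wlan ap ap1 model ap-model
[AC-wlan-ap-ap1] map-configuration ap1.txt
[AC-wlan-ap-ap1] quit
```

Without the matching ACLs on the AP the policy has nothing to classify against and the AP falls back to centralized forwarding for everything, which is safe but defeats the offload. If the service template uses the local authentication mode, the policy is ignored entirely and all client traffic is forwarded locally, including the data-center traffic this policy was meant to keep on the AC.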

To configure policy-based forwarding:

1. Enter system view.
   system-view

2. Create a forwarding policy and enter forwarding policy view.
   wlan forwarding-policy policy-name
   By default, no forwarding policy exists.

3. Configure forwarding rules.
   classifier acl { acl-number | ipv6 acl6-number } behavior { local | remote }
   By default, no forwarding rule is configured.

4. Return to system view.
   quit

5. Create a WLAN service template.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

6. Enable the policy-based forwarding mode.
   client forwarding-mode policy-based [ policy-name ]
   By default, the centralized forwarding mode is adopted. This command is required whether you apply the mode to the user profile or to the service template.

Configuring client authentication

WLAN access supports the following client authentication modes:
  Central. The AC authenticates clients. In central authentication mode, the data forwarding mode is determined by the client forwarding-mode local command. If the connection between the AC and the AP fails, whether clients associated with the AP are logged off depends on the hybrid-remote-ap enable command. For more information about this command, see "Configuring a remote AP."
  Local. The AP authenticates clients. In this mode, the AP forwards data frames from clients directly. If the connection to the AC fails, the AP does not log off the clients, and it accepts new clients after they pass local authentication.
  Backup. The AC authenticates clients. When the AC-AP connection fails, the AP deletes all authentication information, authenticates new clients itself, and performs local forwarding. Clients must reassociate with the AP for authentication services such as re-authentication. When the AP re-establishes the connection with the AC, the AP logs off all clients and the AC re-authenticates them. The clients can associate with the AP only after they pass authentication.
Configuration guidelines

Follow these guidelines when you configure client authentication:
  Portal authentication is not supported.
  Locally authenticated clients do not support roaming, or the client information backup configured by the wlan backup-client enable command.
  You can execute the reset wlan client command on the AC to log off locally authenticated clients.
  For local authentication and backup authentication, do not modify the configuration on the AC while the AC and AP are disconnected. The AC checks the configuration after the connection recovers; if you changed the configuration, the AC might log off online clients because of inconsistent configurations.

Networking modes

For local authentication, you can use the following networking modes if an authentication server is needed. The networking mode shown in Figure 7 is recommended. In this mode, the authentication server is deployed at the AP side, so online clients are not logged off even if the connection between the AP and the AC fails.

Figure 6 Network diagram

Figure 7 Network diagram

Configuration prerequisites

Use the hybrid-remote-ap enable command to enable the remote AP function before you configure the backup or local authentication mode.

If the clients use 802.1X or MAC authentication, edit the configuration file of the AP and then use the map-configuration command to download the configuration file to the AP. The configuration file of the AP must contain the following:
  If clients use local 802.1X or local MAC authentication, the configuration file must contain the port security, ISP domain, and local user configurations.
  If clients use remote 802.1X or remote MAC authentication, the configuration file must contain the port security, ISP domain, and RADIUS scheme configurations.

With local 802.1X or local MAC authentication, the user credentials live in the AP's configuration file, so an AP that is stolen or otherwise compromised exposes them. Prefer the remote variant, where the AP holds only the RADIUS scheme, unless the deployment genuinely cannot reach an authentication server.

Configuration procedure

1. Enter system view.
   system-view

2. Create a WLAN service template and enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

3. Specify an authentication mode.
   authentication-mode { backup | local }
   By default, central authentication is adopted. That is, the AC authenticates clients.

Configuring the maximum number of associated clients

1. Enter system view.
   system-view

2. Create a WLAN service template and enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

3. Configure the maximum number of clients allowed to associate with a radio.
   client max-count max-number
   The default is 124.

Configuring beacon measurement

Beacon measurement, defined by 802.11k, provides a mechanism for APs and clients to measure the available radio resources. When this function is enabled, an AP periodically sends beacon requests to clients. Clients respond with beacon reports to inform the AP of the beacon measurement information they have collected. The beacon measurement function supports the following measurement modes:
  active. The AP sends a beacon measurement request to a client. Upon receiving the request, the client broadcasts probe requests on all supported channels and sets a measurement duration timer. At the end of the measurement duration, the client compiles all received beacons and probe responses into a measurement report.
  beacon-table. The AP sends a beacon measurement request to a client. Upon receiving the request, the client returns a report containing all beacon information already stored on the client. The client does not perform any additional measurements.
  passive. The AP sends a beacon measurement request to a client. Upon receiving the request, the client sets a measurement duration timer. At the end of the measurement duration, the client compiles all received beacons and probe responses into a measurement report.

NOTE: This function is applicable only to clients that support 802.11k.

To configure beacon measurement:

1. Enter system view.
   system-view

2. Create a WLAN service template and enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

3. Enable the beacon measurement function.
   beacon-measurement enable
   By default, this function is disabled.

4. Configure the beacon measurement type.
   beacon-measurement type { active | beacon-table | passive }
   By default, the beacon-table measurement mode is adopted.

5. Configure the interval at which the AP sends beacon requests to clients.
   beacon-measurement interval interval
   By default, the interval is 60 seconds.

Enabling fast association

1. Enter system view.
   system-view

2. Create a WLAN service template and enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

3. Enable fast association.
   fast-association enable
   By default, fast association is disabled. When this function is enabled, the AP does not perform band navigation or load balancing calculation for clients bound to the SSID.

Configuring the client cache aging time

1. Enter system view.
   system-view

2. Create a WLAN service template and enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

3. Configure the aging time for the client cache.
   client cache aging-time aging-time
   By default, the aging time is 180 seconds.

Enabling a service template

1. Enter system view.
   system-view

2. Create a WLAN service template and enter WLAN service template view.
   wlan service-template service-template-number { clear | crypto }
   You cannot change an existing service template to another type.

3. Enable the service template.
   service-template enable
   By default, the service template is disabled.

Configuring radio parameters

Configuring basic radio parameters

1. Enter system view.
   system-view

2. Enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   You must specify the model name when you create an AP template.

3. Enter radio view.
   radio radio-number [ type { dot11a | dot11an | dot11ac | dot11b | dot11g | dot11gn } ]
   The default varies by device. WLAN supports customizing the default radio type for AP models.

4. Configure a channel. Use one of the following methods:
   Specify a channel for the radio:
   channel channel-number
   Set the channel mode to auto; in this mode, you can lock the current channel:
   a. channel auto
   b. channel lock
   By default, auto mode is enabled and no channel is locked. For more information about the commands, see WLAN Command Reference.

5. Configure the radio power. Use one of the following methods:
   Specify the maximum power:
   max-power radio-power
   Lock the current power, and set the maximum power to the power selected by power selection:
   power lock
   By default, the maximum radio power varies depending on the country/region code, channel, AP model, radio type, and antenna type. If 802.11n is adopted, the maximum radio power also varies depending on the bandwidth mode. By default, the current power is not locked. For more information about the commands, see WLAN Command Reference.

6. Specify the type of preamble.
   preamble { long | short }
   By default, the short preamble is supported.

7. Enable the ANI function.
   ani enable
   By default, ANI is enabled.

8. Enable the green energy management function.
   green-energy-management enable
   By default, the green energy management function is disabled. This function is applicable only to APs that support 802.11n and can transmit at least two spatial streams.

9. Configure the MIMO type for the radio.
   mimo { 1x1 | 2x2 | 3x3 }
   By default, the MIMO type is not configured. This function is applicable only to APs that support 802.11n and can transmit at least two spatial streams.

10. Configure the antenna type.
    antenna type type
    The default setting depends on the antenna model of the device.

11. Configure the gain for a third-party antenna.
    antenna gain antenna-gain
    By default, the gain is 0.

12. Configure the smart antenna.
    a. Enable the smart antenna:
       smart-antenna enable
    b. Configure a smart antenna policy:
       smart-antenna policy { auto | high-reliability | high-throughput }
    By default, the smart antenna is disabled. The smart antenna has the following functions: it ensures fast and stable bandwidth for clients within the coverage of the AP, and it reduces interference between APs and clients and avoids interference from non-wireless devices in a high-density wireless environment. The smart antenna is available only if you have configured the antenna type command. By default, the smart antenna policy is autosensing. The smart antenna policy takes effect only if you have enabled the smart antenna.

13. Enable Space-Time Block Coding (STBC).
    stbc enable
    By default, STBC is enabled. Enabling STBC improves the SNR at the receiver and the reliability of data transmission. STBC can be used for wireless access and mesh links. When you enable STBC on a mesh link, HP recommends that you enable STBC on both the sender and the receiver for best performance. STBC takes effect only when the number of antennas on an AP is greater than the number of spatial streams corresponding to the rates used by the radio. For example, if the MCS is 8 and the corresponding number of spatial streams is 2, STBC takes effect only when the AP has at least three antennas.

14. Configure the maximum distance that the radio can cover.
    distance distance
    By default, the radio can cover 1 km (0.62 miles) at most.

15. Enable LDPC.
    ldpc enable
    By default, LDPC is disabled.

16. Bind a radio policy to the current radio.
    radio-policy radio-policy-name
    By default, the default_rp radio policy is bound to the current radio. The default radio policy default_rp cannot be modified. The radio policy must have been configured with the wlan radio-policy command.

Configuring a radio policy

1. Enter system view.
   system-view

2. Create a radio policy and enter radio policy view.
   wlan radio-policy radio-policy-name
   By default, the default radio policy default_rp exists.

3. Set the interval for sending beacon frames.
   beacon-interval interval
   By default, the beacon interval is 100 TUs.

4. Set the DTIM counter.
   Command: dtim counter
   Remarks: By default, the DTIM counter is

5. Specify the maximum length of packets that can be transmitted without fragmentation.
   Command: fragment-threshold size
   Remarks: By default, the fragment threshold is 2346 bytes. The specified fragment threshold must be an even number.

6. Set the maximum number of retransmission attempts for frames larger than the RTS threshold.
   Command: long-retry threshold count
   Remarks: By default, the long retry threshold is 4.

7. Specify the maximum number of attempts to transmit a frame shorter than the RTS threshold.
   Command: short-retry threshold count
   Remarks: By default, the short retry threshold is 7.

8. Specify the interval for the AP to hold received packets.
   Command: max-rx-duration interval
   Remarks: By default, the interval is 2000 milliseconds.

9. Specify the maximum number of associated clients.
   Command: client max-count max-number
   Remarks: By default, the maximum number of associated clients is 64.

10. Specify the request to send (RTS) threshold length.
   Command: rts-threshold size
   Remarks: By default, the RTS threshold is 2346 bytes.

11. Specify a collision avoidance mechanism.
   Command: protection-mode { cts-to-self | rts-cts }
   Remarks: By default, the collision avoidance mechanism is CTS-to-Self.

12. Return to system view.
   Command: quit
   Remarks: N/A

13. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: You must specify the model name when you create an AP template.

14. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: The default setting varies by AP model.

15. Bind a radio policy to the current radio.
   Command: radio-policy radio-policy-name
   Remarks: By default, the default_rp radio policy is bound to a radio.

Enabling automatic creation of radio policies by the SNMP set operation

After you enable this function, a radio policy is automatically created and bound to each radio of a new AP template created through SNMP.

To enable automatic creation of radio policies by the SNMP set operation:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable automatic creation of radio policies by the SNMP set operation.
   Command: wlan radio-policy auto-create snmp
   Remarks: By default, automatic creation of radio policies by the SNMP set operation is disabled.

Configuring 802.11n

As the next generation wireless LAN technology, 802.11n supports both the 2.4 GHz and 5 GHz bands. It provides higher throughput by using the following methods:
- Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, one acting as the primary channel and the other as the secondary channel, or the two channels can work together as a 40-MHz channel. This provides a simple way of doubling the data rate.
- Improving channel utilization by using the following functions:
  - A-MPDU: Each A-MPDU uses only one PHY header to accommodate multiple MPDUs, reducing transmission overhead and the number of ACK frames.
  - A-MSDU: Each A-MSDU accommodates multiple MSDUs, reducing MAC header overhead and improving MAC layer forwarding efficiency.
  - Short GI: Shortens the GI of 800 ns used in 802.11a/g to 400 ns, increasing the rate by 10 percent.

To configure 802.11n:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: You must specify the model name when you create an AP template.

3. Enter radio view.
   Command: radio radio-number type { dot11an | dot11gn }
   Remarks: N/A

4. Specify the bandwidth mode for the radio.
   Command: channel band-width { 20 | 40 [ auto-switch ] | 80 }
   Remarks: By default, the channel bandwidths of the 802.11a/n radio, the 802.11g/n radio, and the 802.11ac radio are 40 MHz, 20 MHz, and 80 MHz, respectively. When the channel bandwidth of the 802.11gn radio is 40 MHz, the automatic bandwidth switch function is disabled. To enable the function, use the channel band-width 40 auto-switch command.

5. Enable access permission only for 802.11n clients.
   Command: client dot11n-only
   Remarks: By default, an 802.11a/n radio permits both 802.11a and 802.11an clients to access, and an 802.11g/n radio permits both 802.11g and 802.11gn clients to access.

6. Enable the short GI function.
   Command: short-gi enable
   Remarks: By default, the short GI function is enabled.

7. Enable the A-MSDU function.
   Command: a-msdu enable
   Remarks: By default, the A-MSDU function is enabled. The device receives but does not send A-MSDUs.

8. Enable the A-MPDU function.
   Command: a-mpdu enable
   Remarks: By default, the A-MPDU function is enabled.

9. Enable the sFlow function.
   Command: sflow enable
   Remarks: By default, the sFlow function is enabled. For more information about sFlow, see Network Management and Monitoring Configuration Guide and Network Management and Monitoring Command Reference.

10. Enable the radio.
   Command: radio enable
   Remarks: By default, the radio is disabled. Before enabling the radio, you must configure the MCS. For more information about the MCS index and mandatory and supported 802.11n rates, see "Configuring WLAN RRM."

Mapping a service template to the radio

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: You must specify the model name when you create an AP template.

3. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: The default setting of this command depends on the device model.

4. Map a service template to the current radio.
   Command: service-template service-template-number [ vlan-id vlan-id ] [ vlan-pool vlan-pool-name ] [ nas-port-id nas-port-id nas-id nas-id ] [ ssid-hide ]
   Remarks: You can map multiple service templates to the current radio. By default, no mapping exists between a service template and a radio.

Enabling a radio

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable or disable WLAN radios.
   Command: wlan radio { disable | enable } { all | dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gn | radio-policy radio-policy-name }
   Remarks: By default, no WLAN radio is enabled.

3. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: You must specify the model name when you create an AP template.

4. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: The default setting of this command depends on the device model.

5. Enable the radio.
   Command: radio enable
   Remarks: By default, the radio is disabled.

Configuring 802.11ac

802.11ac provides higher throughput by using the following methods:
- Binding four 20-MHz channels to form an 80-MHz channel.
- Improving channel utilization in the same way as 802.11n.

802.11ac supports only the 5 GHz band.

To configure 802.11ac:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: Specify the model only when you create an AP template.

3. Enter radio view.
   Command: radio radio-number type dot11ac
   Remarks: N/A

4. Specify the bandwidth mode for the radio.
   Command: channel band-width { }
   Remarks: By default, the 802.11ac radio operates in 80 MHz mode.

5. Enable access permission for 802.11n and 802.11ac clients only.
   Command: client dot11n-only
   Remarks: By default, an 802.11ac radio permits 802.11a, 802.11a/n, and 802.11ac clients to access.

6. Enable access permission for 802.11ac clients only.
   Command: client dot11ac-only
   Remarks: By default, an 802.11ac radio permits 802.11a, 802.11a/n, and 802.11ac clients to access.

7. Enable the short GI function.
   Command: short-gi enable
   Remarks: By default, the short GI function is enabled.

8. Enable the A-MSDU function.
   Command: a-msdu enable
   Remarks: By default, the A-MSDU function is enabled. The device receives but does not send A-MSDU packets.

9. Enable the A-MPDU function.
   Command: a-mpdu enable
   Remarks: By default, the A-MPDU function is enabled.

10. Enable the radio.
   Command: radio enable
   Remarks: By default, the radio is disabled. Before enabling the radio, you must configure the NSS. For more information about the mandatory NSS and supported NSS of 802.11ac, see "Configuring WLAN RRM."

Configuring an AP group

This feature enables you to configure multiple APs in one operation to reduce configuration workload.

There is a default AP group named default_group. You cannot delete the default AP group, but you can modify it.

You can add APs with the same configurations or in the same subnet to the same AP group. The APs use the configuration of the AP group. If you add an auto AP template to a non-default AP group, the auto APs getting online through the template belong to that AP group and use its configuration.

Typically, commands executed in AP group view apply to all APs in the group. If an AP fails to execute a command, the system displays error messages, and the other APs can still execute the command.

When you change the AP group of an AP, the AP restarts and clears its configuration except the serial number. After the AP is added to the new AP group, the AP uses the configuration of the new AP group.

Creating an AP group

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an AP group and enter its view.
   Command: wlan ap-group group-name
   Remarks: By default, a default group default_group exists. All APs belong to the default group.

Configuring IP address match criteria for an AP group

Perform this task to manage APs by matching IP addresses.

Follow these guidelines when you configure IP address match criteria for an AP group:
- The IP address match criteria take effect when an AP requests to associate with the AC. Any change of the criteria does not affect associated APs.
- An AP that associates with the AC by matching an IP address does not support VRRP, even if it disassociates and then associates with the AC again. To enable the AP to support VRRP, manually add it to another AP group whose members are not in the same subnet as the AP.
- An AP (configured or auto) that has been manually added to an AP group stays in that group even if its IP address matches the subnet of another AP group.
- For an auto AP that is already in the default group default_group, if its IP address matches the subnet of a non-default AP group, the AC adds it to that AP group.

To configure IP address match criteria for an AP group:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an AP group and enter its view.
   Command: wlan ap-group group-name
   Remarks: By default, a default group default_group exists. All APs belong to the default group.

3. Configure an IPv4 address match criterion for the AP group.
   Command: if-match ip ip-address { mask-length | mask }
   Remarks: By default, no IPv4 address match criteria are configured.

4. Configure an IPv6 address match criterion for the AP group.
   Command: if-match ipv6 { ipv6-address prefix-length | ipv6-address/prefix-length }
   Remarks: By default, no IPv6 address match criteria are configured.

Configuring an AP group

Follow these guidelines when you configure an AP group:
- You can configure APs one by one or add multiple APs at one time by using this feature. The most recent configuration takes effect.
- The dot11a radio enable, dot11a radio-policy, dot11a service-template, dot11bg radio enable, dot11bg radio-policy, dot11bg service-template, and work-mode commands might fail on some APs in an AP group. For more information about these commands, see WLAN Command Reference.

To configure an AP group:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an AP group and enter AP group view.
   Command: wlan ap-group group-name
   Remarks: By default, a default AP group default_group exists and all APs belong to this group. The maximum number of AP groups depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.

3. Configure a description for the AP group.
   Command: description string
   Remarks: By default, no description is configured for the AP group.

4. Enable the AP to respond to probe requests with a null SSID from clients.
   Command: broadcast-probe reply
   Remarks: By default, the AP is enabled to respond to probe requests with a null SSID from clients.

5. Specify the maximum idle time for connections between clients and the AP.
   Command: client idle-timeout interval
   Remarks: The default is 3600 seconds.

6. Specify the client keepalive interval.
   Command: client keep-alive interval
   Remarks: By default, the client keepalive function is disabled.

7. Configure the IP address for the backup AC.
   Command: backup-ac { ip ipv4-address | ipv6 ipv6-address }
   Remarks: By default, no backup AC IP address is configured.

8. Specify a country/region code for the AP.
   Command: country-code code
   Remarks: By default, the AP has no country/region code.

9. Configure the interval at which the AP sends echo requests.
   Command: echo-interval interval
   Remarks: By default, the echo interval is 10 seconds.

10. Enable the remote AP function for the AP.
   Command: hybrid-remote-ap enable
   Remarks: By default, the remote AP function is disabled.

11. Specify a configuration file for the AP.
   Command: map-configuration filename
   Remarks: By default, no configuration file is specified for an AP.

12. Specify the AC connection priority for the AP.
   Command: priority level priority
   Remarks: By default, the AC connection priority is 4.
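The placement rules for IP address match criteria above have several interacting cases (manual membership wins, only auto APs still in default_group can be moved, criteria are evaluated only when an AP requests to associate). The following is an added, constructed model of those rules, not HP code and not the AC's implementation; the class and method names (ApGroup, Controller, on_association_request) and the sample addresses are assumptions chosen for illustration, so you can check the expected outcome of a set of criteria before committing them.

```python
"""Model of AP-group placement by IP address match criteria (constructed example, not HP code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DEFAULT_GROUP = "default_group"


@dataclass
class ApGroup:
    name: str
    criteria: list = field(default_factory=list)  # ip_network objects

    def if_match(self, spec: str) -> None:
        """Add a criterion: '10.1.1.0/24', '10.1.1.0/255.255.255.0' or '2001:db8:1::/64'.
        This covers both the mask-length and mask forms of the if-match command."""
        self.criteria.append(ip_network(spec, strict=False))

    def matches(self, addr: str) -> bool:
        a = ip_address(addr)
        # ip_network membership already rejects a mismatched IP version.
        return any(a in net for net in self.criteria)


@dataclass
class Ap:
    name: str
    group: str = DEFAULT_GROUP
    manually_added: bool = False  # placed with 'ap' / 'ap-group'; never moved by criteria
    associated: bool = False


class Controller:
    """Holds AP groups and applies the placement rules at association time."""

    def __init__(self) -> None:
        self.groups: dict[str, ApGroup] = {DEFAULT_GROUP: ApGroup(DEFAULT_GROUP)}

    def ap_group(self, name: str) -> ApGroup:
        return self.groups.setdefault(name, ApGroup(name))

    def add_ap_to_group(self, ap: Ap, group: str) -> None:
        """Manual membership, as with 'ap template-name-list' or 'ap-group group-name'."""
        self.ap_group(group)
        ap.group, ap.manually_added = group, True

    def on_association_request(self, ap: Ap, src_addr: str) -> str:
        """Return the group the AP is in after requesting association from src_addr."""
        ap.associated = True
        if ap.manually_added:          # manual placement is never overridden
            return ap.group
        if ap.group == DEFAULT_GROUP:  # only auto APs still in default_group move
            for g in self.groups.values():
                if g.name != DEFAULT_GROUP and g.matches(src_addr):
                    ap.group = g.name
                    break
        return ap.group


def demo() -> dict:
    """Constructed scenario exercising each rule; returns the resulting placements."""
    ac = Controller()
    branch = ac.ap_group("branch")
    branch.if_match("10.1.1.0/24")
    branch.if_match("2001:db8:1::/64")

    auto_v4, auto_v6, elsewhere = Ap("auto-v4"), Ap("auto-v6"), Ap("elsewhere")
    pinned = Ap("pinned")
    ac.add_ap_to_group(pinned, "hq")   # manually added, address also matches 'branch'

    results = {
        "auto-v4": ac.on_association_request(auto_v4, "10.1.1.25"),
        "auto-v6": ac.on_association_request(auto_v6, "2001:db8:1::10"),
        "pinned": ac.on_association_request(pinned, "10.1.1.26"),
        "elsewhere": ac.on_association_request(elsewhere, "10.2.0.7"),
    }
    # A criterion added later does not move an AP that is already associated.
    branch.if_match("10.2.0.0/16")
    results["elsewhere-after-change"] = elsewhere.group
    return results
```

Placement is keyed on the AP's source address alone, so an address inside a matched subnet is enough for an unauthenticated auto AP to inherit that group's configuration (service templates, radio policies, backup AC); treat the criteria as a grouping convenience and rely on auto-AP authentication, covered earlier in this guide, for trust.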

13. Configure the interval for the AP to send statistics reports.
   Command: statistics-interval interval
   Remarks: By default, the AP sends statistics reports at an interval of 50 seconds.

14. Set the AP to operate in hybrid mode.
   Command: device-detection enable
   Remarks: By default, the AP operates in normal mode and only provides WLAN data services. For more information about the command, see WLAN Command Reference.

15. Set the AP to operate in monitor mode.
   Command: work-mode monitor
   Remarks: By default, the AP operates in normal mode to provide WLAN data services. For more information about the command, see WLAN Command Reference.

16. Enable sFlow on the 5 GHz radios of APs in the AP group.
   Command: dot11a sflow enable
   Remarks: By default, the sFlow function in an AP group is enabled. For more information about sFlow, see Network Management and Monitoring Configuration Guide and Network Management and Monitoring Command Reference.

17. Enable or disable the AP version upgrade function for a group of APs.
   Command: firmware-update { disable | enable }
   Remarks: Optional. By default, version upgrade for a group of APs is enabled.

18. Map a service template to the 5 GHz radios of APs in the AP group.
   Command: dot11a service-template service-template-number [ vlan-id vlan-id | vlan-pool vlan-pool-name ]
   Remarks: By default, no service template is configured for an AP group.

19. Map a radio policy to the 5 GHz radios of APs in the AP group.
   Command: dot11a radio-policy radio-policy-name
   Remarks: By default, the 5 GHz radios of all APs in the AP group use the default radio policy default_rp.

20. Enable the 5 GHz radios of APs in the AP group.
   Command: dot11a radio enable
   Remarks: By default, the 5 GHz radios of APs in an AP group are disabled.

21. Enable sFlow on the 2.4 GHz radios of APs in the AP group.
   Command: dot11bg sflow enable
   Remarks: By default, the sFlow function in an AP group is enabled. For more information about sFlow, see Network Management and Monitoring Configuration Guide and Network Management and Monitoring Command Reference.

22. Map a service template to the 2.4 GHz radios of APs in the AP group.
   Command: dot11bg service-template service-template-number [ vlan-id vlan-id | vlan-pool vlan-pool-name ]
   Remarks: By default, no service template is configured for an AP group.

23. Map a radio policy to the 2.4 GHz radios of APs in the AP group.
   Command: dot11bg radio-policy radio-policy-name
   Remarks: By default, the 2.4 GHz radios of all APs in the AP group use the default radio policy default_rp.

24. Enable the 2.4 GHz radios of APs in the AP group.
   Command: dot11bg radio enable
   Remarks: By default, the 2.4 GHz radios of APs in an AP group are disabled.

Adding an AP to an AP group

You can use either of the following methods to add an AP to an AP group.

Method 1:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an AP group and enter AP group view.
   Command: wlan ap-group group-name
   Remarks: By default, an AP group named default_group exists and all APs are in this group.

3. Add APs to the AP group.
   Command: ap template-name-list
   Remarks: By default, no APs exist in a new AP group created with the wlan ap-group command.

Method 2:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: You must specify the model name when you create an AP template.

3. Add the AP to the AP group.
   Command: ap-group group-name
   Remarks: By default, all APs are in the default AP group default_group.

Configuring the interval for an AP to send statistics reports

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: You must specify the model name when you create an AP template.

3. Configure the interval for sending statistics reports.
   Command: statistics-interval interval
   Remarks: The default interval is 50 seconds.

Configuring the memory utilization threshold for an AP

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: You must specify the model name when you create an AP template.

3. Configure the memory utilization threshold.
   Command: memory-usage threshold integer
   Remarks: The default value is 90. When the threshold is exceeded, the AC sends alarms.

Restoring the factory default settings of APs

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Restore the factory default settings of one or all APs.
   Command: wlan ap-execute { all | name ap-name } conversion-to-factory
   Remarks: By default, the default settings are not restored for any AP.

Enabling automatic heating for an outdoor AP

The automatic heating function enables an outdoor AP to operate correctly when the operating temperature is too low.

To enable the automatic heating function:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable the automatic heating function.
   Command: wlan ap-execute { all | name ap-name } heatfilm { disable | enable }
   Remarks: By default, the automatic heating function is disabled.

Shutting down all LEDs on APs

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: You must specify the model name when you create an AP template.

3. Shut down all LEDs on all online APs using the current AP template.
   Command: shut-all-led enable
   Remarks: By default, all LEDs on all online APs of the current AP template light based on AP status.

Enabling SNMP traps for the WLAN module

This task enables the WLAN module to generate level-4 warning messages and send them to the information center of the device. You can configure the output channels and destinations for the trap messages. For more information, see Network Management and Monitoring Configuration Guide.

To enable SNMP traps for the WLAN module:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable SNMP traps for the WLAN module.
   Command: snmp-agent trap enable wlan
   Remarks: By default, SNMP traps for the WLAN module are enabled.

3. Specify the threshold percentage for sending SNMP traps.
   Command: wlan trap ap-number threshold value
   Remarks: By default, the threshold percentage for sending SNMP traps is 100.

4. Enable the AC to send SNMP traps to the NMS when the number of concurrent online APs reaches or drops below the upper limit.
   Command: snmp-agent trap enable wlan { above-ap-number | below-ap-number }
   Remarks: By default, the AC sends SNMP traps to the NMS when the number of concurrent online APs reaches or drops below the upper limit. For more information about the snmp-agent trap enable wlan command, see Network Management and Monitoring Command Reference.

Configuring client IP address monitoring

This task monitors IPv4 address changes of wireless clients, except wireless clients that use portal or MAC address authentication.

The AC monitors the IP address of a client as follows:
- If the client obtains an IP address through DHCP:
  a. The AP obtains the IP address of the client from the DHCPv4 packets exchanged between the client and the DHCP server.
  b. The AP sends the IP address entry to the AC.
  c. The AC prints syslog messages.
- If the client is manually configured with a static IP address:
  a. The AP resolves ARP packets from the client to obtain its IP address.
  b. The AP sends the IP address entry to the AC.
  c. The AC prints syslog messages.

Follow these guidelines when you configure client IP address monitoring:
- If the AP fails to obtain the IP address of a client, the AC does not print syslog messages.
- If you manually modify the IP address of a client that has been associated with the AP, the AC prints syslog messages.
- For the same client, the IP address assigned by the DHCP server has a higher priority. For example, a client obtains an IP address from the DHCP server and then associates with the AC. If you manually enter the same IP address as the one obtained from the DHCP server, the AC still considers this IP address to be the one the client got from the DHCP server.

To configure client IP address monitoring:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable client IP address monitoring.
   Command: wlan client learn-ipaddr enable
   Remarks: By default, the client IP address monitoring function is disabled. You can use the display wlan client source binding command to display the IP addresses of clients on the AC. (See Security Command Reference.)

Displaying and maintaining WLAN access

- Display the country/region code information for the AP:
  display wlan country-code ap { all | name ap-name } [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display AP information:
  display wlan ap { all | name ap-name | unauthenticated } [ verbose ] [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display AP address information:
  display wlan ap { all | name ap-name } address [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display AP connection records:
  display wlan ap connection record { all | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display radio information:
  display wlan ap { all | name ap-name } radio [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display the model information of a specified AP or all APs supported on the AC:
  display wlan ap-model { all | name ap-name } [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display the reboot log information of an AP:
  display wlan ap reboot-log name ap-name [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display forwarding policy information:
  display wlan forwarding-policy [ forwarding-policy-name ] [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display WLAN radio policy information:
  display wlan radio-policy [ radio-policy-name ] [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display WLAN service template information:
  display wlan service-template [ service-template-number ] [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display AP connection statistics:
  display wlan statistics ap { all | name ap-name } connect-history [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display wireless client statistics:
  display wlan statistics client { all | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display bridge statistics:
  display wlan client bridge [ ap ap-name [ radio radio-number ] ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display radio statistics:
  display wlan statistics radio [ ap ap-name ] [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display AP load information:
  display wlan statistics radio [ ap ap-name ] load [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display service template statistics:
  display wlan statistics service-template service-template-number [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display the connection history for all APs bound to a service template:
  display wlan statistics service-template service-template-number connect-history [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display WLAN client information:
  display wlan client { ap ap-name [ radio radio-number ] | mac-address mac-address | service-template service-template-number } [ verbose ] [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display AP group information:
  display wlan ap-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display the status of APs after their settings are restored to factory defaults:
  display wlan ap-execute conversion-to-factory [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Display beacon reports sent by clients:
  display wlan client [ mac-address mac-address ] beacon-report [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)
- Reset all APs in a specific AP group:
  reset wlan ap ap-group group-name
  (Available in user view.)
- Reset AP connections:
  reset wlan ap { all | name ap-name | unauthenticated }
  (Available in user view.)
- Clear AP connection records:
  reset wlan ap connection record { all | mac-address mac-address }
  (Available in user view.)
- Clear AP reboot logs:
  reset wlan ap reboot-log { all | name ap-name }
  (Available in user view.)
- Clear statistics of an AP or client:
  reset wlan statistics { client { all | mac-address mac-address } | radio [ ap-name ] }
  (Available in user view.)
- Cut off WLAN clients:
  reset wlan client { all | mac-address mac-address }
  (Available in user view.)
- RFPing a wireless client:
  wlan link-test mac-address
  (Available in user view. You can use the wlan link-test command to perform a Radio Frequency Ping (RFPing) operation to a client. The operation results show information about signal strength and round trip time (RTT) between the AP and the client.)
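The client IP address monitoring rules described above (DHCP-learned addresses take priority over ARP-learned ones, a failed lookup produces no syslog, a manual change after association is logged, and portal or MAC-authenticated clients are not monitored) are easiest to reason about as a small binding table. The following is an added, constructed model of that logic, not HP code and not the AC's implementation; the class name ClientIpMonitor, the syslog message text, and the MAC and IP sample values are assumptions chosen for illustration.

```python
"""Model of client IP address monitoring on the AC (constructed example, not HP code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    source: str  # "dhcp" (learned from the DHCPv4 exchange) or "static" (learned from ARP)


class ClientIpMonitor:
    """Tracks one IPv4 binding per client MAC and records the syslog lines the AC would print."""

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled           # mirrors 'wlan client learn-ipaddr enable'
        self.bindings: dict[str, Binding] = {}
        self.syslog: list[str] = []

    def _log(self, msg: str) -> None:
        # Constructed message format; the real AC syslog text is not on the page.
        self.syslog.append(f"WLAN/4/CLIENT_IP: {msg}")

    def report(self, mac: str, ip: Optional[str], source: str, auth: str = "none") -> Optional[Binding]:
        """The AP reports an address for mac. source is 'dhcp' or 'static';
        auth is the client's authentication type ('portal' and 'mac' are not monitored)."""
        if not self.enabled or auth in ("portal", "mac"):
            return None
        if ip is None:                   # AP could not learn an address: nothing is logged
            return None
        if source not in ("dhcp", "static"):
            raise ValueError(f"unknown source {source!r}")
        current = self.bindings.get(mac)
        if current is not None and current.source == "dhcp" and current.ip == ip:
            # DHCP-assigned address has priority: an ARP report of the same
            # address does not turn the binding into a static one, and is not re-logged.
            return current
        if current is not None and current.ip != ip:
            self._log(f"client {mac} changed IP address {current.ip} -> {ip} ({source})")
        else:
            self._log(f"client {mac} uses IP address {ip} ({source})")
        self.bindings[mac] = Binding(mac, ip, source)
        return self.bindings[mac]

    def source_binding(self) -> list[tuple[str, str, str]]:
        """Rows in the spirit of 'display wlan client source binding'."""
        return sorted((b.mac, b.ip, b.source) for b in self.bindings.values())


def demo() -> dict:
    """Constructed sequence of AP reports covering each rule in the text."""
    mon = ClientIpMonitor()
    mon.report("0011-2233-4455", "192.0.2.10", "dhcp")     # lease learned from DHCPv4
    mon.report("0011-2233-4455", "192.0.2.10", "static")   # ARP for the same address: still DHCP, no new log
    mon.report("0011-2233-4455", "192.0.2.99", "static")   # manual change after association: logged
    mon.report("0011-2233-4466", None, "static")           # AP learned nothing: no log
    mon.report("0011-2233-4477", "192.0.2.20", "static", auth="portal")  # portal client: not monitored
    return {"bindings": mon.source_binding(), "log_count": len(mon.syslog), "syslog": list(mon.syslog)}
```

The logged transitions are what an analyst wants from this feature: a MAC that moves from a DHCP-assigned address to a self-chosen one is exactly the kind of change worth correlating against DHCP server logs and the wlan client records the display commands above expose, and the AC-side syslog gives that history without per-AP collection.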

Configuring a remote AP

Remote AP provides a wireless solution for remote branches and offices. It enables you to configure and control remote APs from the headquarters over the Internet without deploying an AC in each office or branch.

As shown in Figure 8, the AC manages the remote APs over the Internet. When the tunnel between an AP and the AC fails, the AP automatically enables local forwarding (regardless of whether local forwarding is configured on the AC) to provide wireless access for logged-on clients. It does not permit new clients. When the tunnel recovers, the AP automatically switches to centralized forwarding mode and logs off all online clients.

Figure 8 Network diagram

Follow these guidelines when you enable the remote AP function:
- The remote AP and mesh functions cannot be used simultaneously.
- Do not shut down all physical ports on the remote AP. Otherwise, the AP cannot perform local forwarding and logs off all online clients.
- If an AP establishes tunnels to both the primary AC and a backup AC, it uses the backup tunnel to provide wireless access for logged-on clients when the primary tunnel fails.
- Disable the online user handshake function for the service template that uses 802.1X authentication on the AP.

To enable the remote AP function:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: You must specify the model name when you create an AP template.

3. Enable the remote AP function for the AP.
   Command: hybrid-remote-ap enable
   Remarks: By default, the remote AP function is disabled.
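The failover behaviour described above (local forwarding for already logged-on clients while the tunnel is down, no new clients, backup tunnel preferred when one exists, everyone logged off when the tunnel recovers, all clients dropped if every physical port is shut) is a small state machine. The following is an added, constructed model of it, not HP code and not the AP's firmware; the class RemoteAp, its method names, and the sample MAC addresses are assumptions for illustration.

```python
"""State model of a remote AP across AC tunnel loss and recovery (constructed example, not HP code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RemoteAp:
    has_backup_tunnel: bool = False        # tunnel to a backup AC also established
    mode: str = "centralized"              # "centralized" or "local" forwarding
    clients: set = field(default_factory=set)
    events: list = field(default_factory=list)

    def associate(self, mac: str) -> bool:
        """A new client association is refused while the AP forwards locally."""
        if self.mode == "local":
            self.events.append(f"reject {mac}: tunnel down, no new clients")
            return False
        self.clients.add(mac)
        return True

    def primary_tunnel_down(self) -> str:
        """Primary AC tunnel fails; returns the resulting forwarding mode."""
        if self.has_backup_tunnel:
            # The backup tunnel keeps serving logged-on clients; no local forwarding.
            self.events.append("primary tunnel lost, using backup AC tunnel")
            return self.mode
        # Local forwarding starts regardless of the AC's forwarding-mode configuration.
        self.mode = "local"
        self.events.append(f"primary tunnel lost, local forwarding for {len(self.clients)} clients")
        return self.mode

    def primary_tunnel_up(self) -> str:
        """Tunnel recovers: back to centralized forwarding, all online clients logged off."""
        if self.mode == "local":
            self.events.append(f"tunnel recovered, logging off {len(self.clients)} clients")
            self.clients.clear()
            self.mode = "centralized"
        return self.mode

    def all_ports_shut(self) -> int:
        """Shutting every physical port during local forwarding logs off all clients."""
        if self.mode == "local":
            dropped = len(self.clients)
            self.clients.clear()
            self.events.append(f"all physical ports down, logged off {dropped} clients")
            return dropped
        return 0


def demo() -> dict:
    """Constructed outage on an AP without and with a backup AC tunnel."""
    ap = RemoteAp()
    ap.associate("0011-2233-0001")
    ap.associate("0011-2233-0002")
    ap.primary_tunnel_down()
    rejected = not ap.associate("0011-2233-0003")
    served = len(ap.clients)
    ap.primary_tunnel_up()

    backup = RemoteAp(has_backup_tunnel=True)
    backup.associate("0011-2233-0004")
    return {
        "rejected_during_outage": rejected,
        "served_during_outage": served,
        "mode_after_recovery": ap.mode,
        "clients_after_recovery": len(ap.clients),
        "backup_mode_after_loss": backup.primary_tunnel_down(),
    }
```

The point worth carrying into a design review is the first transition: during an outage the AP bridges client traffic onto the branch LAN on its own, so any control that lives only on the AC (centralized forwarding policy, AC-side filtering) is not applied to those clients until the tunnel is back, which is why the guide's note about the 802.1X online user handshake matters for remote sites.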

Configuring WLAN access control

Configuring AP-based access control

Support for the AP group function depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.

Some wireless service providers need to control the access positions of clients. For example, as shown in Figure 9, the provider needs to connect wireless clients 1, 2, and 3 to the wired network through APs 1, 2, and 3, respectively. To achieve this, the provider can configure an AP group and then apply the AP group to a user profile.

Figure 9 Network diagram

Configuring an AP group

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an AP group and enter AP group view.
   Command: wlan ap-group value
   Remarks: N/A

3. Add the specified APs to the AP group.
   Command: ap template-name-list
   Remarks: By default, no AP is added. You can use this command repeatedly to add multiple APs, or add up to 10 APs in one command line. A nonexistent AP can be added.

4. Configure a description for the AP group.
   Command: description string
   Remarks: By default, no description is configured for the AP group.

Applying the AP group to a user profile

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter user profile view.
   Command: user-profile profile-name
   Remarks: If the user profile does not exist, create it first.

3. Apply the AP group to the user profile.
   Command: wlan permit-ap-group value
   Remarks: By default, no AP group is applied to the user profile. For more information about user profiles, see Security Configuration Guide.

4. Return to system view.
   Command: quit
   Remarks: N/A

5. Enable the user profile.
   Command: user-profile profile-name enable
   Remarks: By default, the user profile is not enabled. The user profile must have the same name as the external group on the RADIUS server. To support roaming, all ACs in a mobility group must have the same profile name configured.

Displaying and maintaining AP groups

- Display AP group information:
  display wlan ap-group [ group-id ] [ | { begin | exclude | include } regular-expression ]
  (Available in any view.)

Configuring SSID-based access control

The administrator can specify a permitted SSID in the corresponding user profile so that a user can only access the WLAN through that SSID.

To specify a permitted SSID:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter user profile view.
   Command: user-profile profile-name
   Remarks: If the specified user profile does not exist, this command creates it and enters its view.

3. Specify a permitted SSID.
   Command: wlan permit-ssid ssid-name
   Remarks: By default, no permitted SSID is specified, and users can access the WLAN without SSID limitation.

4. Return to system view.
   Command: quit
   Remarks: N/A

5. Enable the user profile.
   Command: user-profile profile-name enable
   Remarks: By default, the user profile is not enabled. The user profile must be enabled to take effect. For more information about user access control and user profiles, see Security Configuration Guide.

WLAN access configuration examples

The configuration examples were created on the 11900/10500/ G unified wired-WLAN module and might vary with device models.

When configuring the 11900/10500/ G unified wired-WLAN module, make sure the settings (including VLAN settings) are correct on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/ G Unified Wired-WLAN Module Basic Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch and an 870 appliance are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.

WLAN access configuration example

Network requirements

As shown in Figure 10, enable the client to access the internal network resources at any time. The manually entered serial ID of the AP is CN2AD330S8. The AP uses 802.11n and provides plain-text wireless access service with SSID service1.

Figure 10 Network diagram

Configuration procedure

1. Configure the AC:

# Enable WLAN.
<AC> system-view
[AC] wlan enable

# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit

# Create a clear-type WLAN service template, configure the SSID of the service template as service, and bind the WLAN-ESS interface to this service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] client max-count 10
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit

# Configure a radio policy.
[AC] wlan radio-policy radpolicy1
[AC-wlan-rp-radpolicy1] beacon-interval 200
[AC-wlan-rp-radpolicy1] dtim 4
[AC-wlan-rp-radpolicy1] rts-threshold 2300
[AC-wlan-rp-radpolicy1] fragment-threshold 2200
[AC-wlan-rp-radpolicy1] short-retry threshold 6
[AC-wlan-rp-radpolicy1] long-retry threshold 5
[AC-wlan-rp-radpolicy1] max-rx-duration 500

# Create an AP template named ap1 with model MSM460-WW. Configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] description L3office

# Specify the radio type as dot11an and the channel as 161.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] channel 161

# Bind radio policy radpolicy1 (created above) to radio 1, and bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] radio-policy radpolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return

2. Verify the configuration:

The clients can associate with the APs and then access the WLAN. You can use the display wlan client command to view the online clients.

Configuring the same SSID to provide different access modes

Network requirements

As shown in Figure 11, a reception room provides only one SSID. Configure users on the first floor to access the WLAN through clear-type services, and users on the second floor through PSK authentication.

Figure 11 Network diagram

Configuration procedure

1. Configure the AC:

# Enable WLAN.
<AC> system-view
[AC] wlan enable

# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit

# Create a clear-type WLAN service template, configure the SSID of the service template as service, and bind the WLAN-ESS interface to this service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] description hall
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit

# Configure an AP template named ap1 with model MSM460-WW. Configure the serial ID of the AP as CN2AD330S8.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an

# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
[AC] port-security enable

# Create a WLAN-ESS interface, configure WLAN port security, configure the authentication mode as PSK, and configure the pre-shared key as
[AC] interface wlan-ess 10
[AC-WLAN-ESS10] port-security port-mode psk

[AC-WLAN-ESS10] port-security preshared-key pass-phrase
[AC-WLAN-ESS10] port-security tx-key-type 11key
[AC-WLAN-ESS10] quit
# Create a crypto-type WLAN service template, configure the SSID of the service template as service, and bind the WLAN-ESS interface to this service template.
[AC] wlan service-template 10 crypto
[AC-wlan-st-10] ssid service
[AC-wlan-st-10] bind WLAN-ESS 10
[AC-wlan-st-10] security-ie rsn
[AC-wlan-st-10] cipher-suite ccmp
[AC-wlan-st-10] authentication-method open-system
[AC-wlan-st-10] description office
[AC-wlan-st-10] service-template enable
[AC-wlan-st-10] quit
# Configure an AP template named ap2 with model MSM460-WW, and configure the serial ID of the AP as CN2AD330S9.
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] serial-id CN2AD330S9
# Bind service template 10 to radio 1.
[AC-wlan-ap-ap2] radio 1 type dot11an
[AC-wlan-ap-ap2-radio-1] service-template 10
[AC-wlan-ap-ap2-radio-1] radio enable
2. Verify the configuration:
The clients can associate with the APs and access the WLAN. You can use the display wlan client command to view the online clients.

Auto-AP configuration example

Network requirements
As shown in Figure 12, enable the auto AP function on the AC to establish connections to APs. The APs obtain their IP addresses from the DHCP server and provide clear-type WLAN access services with the SSID service1.

Figure 12 Network diagram

Configuration procedure
1. Configure the AC:
# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Define a clear-type WLAN service template, configure its SSID as service, and bind the WLAN-ESS interface to this service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure a radio policy.
[AC] wlan radio-policy radpolicy1
[AC-wlan-rp-radpolicy1] beacon-interval 200
[AC-wlan-rp-radpolicy1] dtim 4
[AC-wlan-rp-radpolicy1] rts-threshold 2300
[AC-wlan-rp-radpolicy1] fragment-threshold 2200
[AC-wlan-rp-radpolicy1] short-retry threshold 6
[AC-wlan-rp-radpolicy1] long-retry threshold 5
[AC-wlan-rp-radpolicy1] max-rx-duration 500
[AC-wlan-rp-radpolicy1] quit
# Enable the auto AP function.
[AC] wlan auto-ap enable
# Configure an auto-AP template for model MSM460-WW.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id auto
# Bind service template 1 to radio 1 and enable the radio.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
2. Verify the configuration:
You can use the display wlan ap command to view the two APs. The clients can associate with the APs and access the WLAN.

Auto-AP authentication configuration example

Network requirements
As shown in Figure 13, enable the auto-AP function, and configure auto-AP authentication on the AC to permit AP 1 and deny AP 2. Use the DHCP server to assign IP addresses to authenticated APs. Use the RADIUS server to authenticate APs that match no ACL rule (AP 3 in this example). The serial IDs of AP 1, AP 2, and AP 3 are CN2AD330S7, CN2AD330S8, and CN2AD330S9, respectively.

Figure 13 Network diagram

Configuration procedure
1. Configure the AC:
# Create ACL 202.
<AC> system-view
[AC] acl number 202
# Configure ACL rules to permit AP 1 with serial ID CN2AD330S7 and deny AP 2 with serial ID CN2AD330S8.
[AC-acl-ap-202] rule permit serial-id CN2AD330S7
[AC-acl-ap-202] rule deny serial-id CN2AD330S8
[AC-acl-ap-202] quit
# Enable the serial-id authentication method.
[AC] wlan ap-authentication method serial-id
# Use ACL 202 to match auto APs.
[AC] wlan ap-authentication acl 202
# Create a RADIUS scheme named rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP address of the primary authentication server.
[AC-radius-rad] primary authentication
# Configure the shared key for RADIUS authentication packets.
[AC-radius-rad] key authentication
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain auto by referencing RADIUS scheme rad.
[AC] domain auto
[AC-isp-auto] authentication wlan-ap radius-scheme rad
[AC-isp-auto] quit
[AC] wlan ap-authentication domain auto

# Enable the auto AP function.
[AC] wlan auto-ap enable
# Enable auto-AP authentication.
[AC] wlan ap-authentication enable
2. Verify the configuration:
AP 1 matches the permit rule, so it can connect to the AC. AP 2 matches the deny rule, so it cannot connect to the AC. AP 3 does not match any rule, so it is authenticated by the remote RADIUS server; if it passes the authentication, it can connect to the AC and provide WLAN services.

Configuring AC-AP tunnel encryption with IPsec through pre-shared key authentication

Network requirements
As shown in Figure 14, the APs obtain their IP addresses from the DHCP server. The data and control packets between AP 1 and the AC are transmitted in plain text. Use IPsec to encrypt the AC-AP control tunnel between AP 2 and the AC, and to encrypt both the AC-AP control and data tunnels between AP 3 and the AC.

Figure 14 Network diagram (DHCP server, AC, switch, AP 1, AP 2, and AP 3, each AP with a client)

Configuration procedure
Before you configure the provision function for AP 2 and AP 3, make sure AP 2 and AP 3 have established connections to the AC and are in Run state.
1. Configure the DHCP server:
Assume the DHCP server assigns a separate IP address range to each of AP 1, AP 2, and AP 3. For more information about how to configure the DHCP server, see Layer 3 Configuration Guide.
2. Configure the AC:
# Create AP 2, enter AP configuration view, and configure AP 2 to use an IPsec pre-shared key to encrypt the control tunnel.

<AC> system-view
[AC] wlan ap ap2 model MSM460-WW
[AC-wlan-ap-ap2] provision
[AC-wlan-ap-ap2-prvs] tunnel encryption ipsec pre-shared-key simple
# Save the configuration to the wlan_ap_cfg.wcfg file of AP 2.
[AC-wlan-ap-ap2-prvs] save wlan ap provision name ap2
[AC-wlan-ap-ap2-prvs] quit
[AC-wlan-ap-ap2] quit
# Create AP 3, enter AP configuration view, and configure AP 3 to use IPsec pre-shared key abcde to encrypt the control and data tunnels.
[AC] wlan ap ap3 model MSM460-WW
[AC-wlan-ap-ap3] provision
[AC-wlan-ap-ap3-prvs] tunnel encryption ipsec pre-shared-key simple abcde
[AC-wlan-ap-ap3-prvs] data-tunnel encryption enable
# Save the configuration to the wlan_ap_cfg.wcfg file of AP 3.
[AC-wlan-ap-ap3-prvs] save wlan ap provision name ap3
[AC-wlan-ap-ap3-prvs] return
# Reboot AP 2 and AP 3 to apply the configuration.
<AC> reset wlan ap name ap2
<AC> reset wlan ap name ap3
# Configure IPsec transform set tran1 (the IPsec security proposal).
<AC> system-view
[AC] ipsec transform-set tran1
[AC-ipsec-transform-set-tran1] encapsulation-mode tunnel
[AC-ipsec-transform-set-tran1] transform esp
[AC-ipsec-transform-set-tran1] esp encryption-algorithm des
[AC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[AC-ipsec-transform-set-tran1] quit
# Create a DPD detector named dpd.
[AC] ike dpd dpd
[AC-ike-dpd-dpd] quit
# Set the ISAKMP SA keepalive interval to 100 seconds.
[AC] ike sa keepalive-timer interval 100
# Set the ISAKMP SA keepalive timeout to 300 seconds.
[AC] ike sa keepalive-timer timeout 300
# Enable invalid SPI recovery.
[AC] ipsec invalid-spi-recovery enable
# Configure IKE peer ap2, configure the pre-shared key (the same as the key on AP 2), and apply DPD detector dpd to the peer.
[AC] ike peer ap2
[AC-ike-peer-ap2] remote-address
[AC-ike-peer-ap2] pre-shared-key
[AC-ike-peer-ap2] dpd dpd
[AC-ike-peer-ap2] quit
# Configure IKE peer ap3, configure the pre-shared key abcde (the same as the key on AP 3), and apply DPD detector dpd to the peer.

[AC] ike peer ap3
[AC-ike-peer-ap3] remote-address
[AC-ike-peer-ap3] pre-shared-key abcde
[AC-ike-peer-ap3] dpd dpd
[AC-ike-peer-ap3] quit
# Create an IPsec policy template named pt with sequence number 1.
[AC] ipsec policy-template pt 1
# Configure the IPsec policy template to reference IPsec transform set tran1 and IKE peer ap2.
[AC-ipsec-policy-template-pt-1] transform-set tran1
[AC-ipsec-policy-template-pt-1] ike-peer ap2
[AC-ipsec-policy-template-pt-1] quit
# Create an IPsec policy template named pt with sequence number 2.
[AC] ipsec policy-template pt 2
# Configure the IPsec policy template to reference IPsec transform set tran1 and IKE peer ap3.
[AC-ipsec-policy-template-pt-2] transform-set tran1
[AC-ipsec-policy-template-pt-2] ike-peer ap3
[AC-ipsec-policy-template-pt-2] quit
# Reference IPsec policy template pt to create an IPsec policy named map with sequence number 1.
[AC] ipsec policy map 1 isakmp template pt
# Apply the IPsec policy to VLAN-interface 1. Tunnel establishment between AP 1 and the AC is not affected by this configuration.
[AC] interface vlan-interface 1
[AC-Vlan-interface-1] ip address
[AC-Vlan-interface-1] ipsec policy map

Verifying the configuration
Use the display ipsec sa command to display the established IPsec SAs. IKE establishes the SAs after an AP sends Join requests to the AC.

Configuring AC-AP tunnel encryption with IPsec through digital signature authentication

Network requirements
As shown in Figure 15, configure AC-AP tunnel encryption with IPsec through digital signature authentication. The AP and the client get IP addresses from the DHCP server, and the AC and the AP get certificates from the authentication server.

Figure 15 Network diagram

Configuration procedure
Before the configuration, make sure the AC and the authentication server, and the AP and the authentication server, can reach each other. (Details not shown.)
1. Configure the DHCP server to assign subnet /16 to the AP. For more information about configuring the DHCP server, see Layer 3 Configuration Guide.
2. Configure the configuration file:
# Write and save the configuration file with the name map.txt.
pki entity eap
 common-name ap
pki domain eap
 ca identifier wlan
 certificate request url
 certificate request from ra
 certificate request entity eap
 certificate request mode auto password simple
 root-certificate fingerprint md5 4843CC9BE77CA1A3F7802EB2114E7A88
 crl url
 crl check disable
 ldap-server ip
ike proposal 1
 authentication-method rsa-signature
ike peer peer1
 certificate domain eap
save
# Use TFTP or FTP to upload the file to the AC. (Details not shown.)
3. Configure the AP:
# Create AP template officeap1 and specify its model. This example uses model 425-AM.
[AC] wlan ap officeap1 model 425-AM

# Specify the AP's serial number. This example uses serial number CN33G67024.
[AC-wlan-ap-officeap1] serial-id CN33G67024
# Download configuration file map.txt to the AP.
[AC-wlan-ap-officeap1] map-configuration map.txt
# Enter AP provision view.
[AC-wlan-ap-officeap1] provision
# Specify the IPsec key used to encrypt the control tunnel.
[AC-wlan-ap-officeap1-prvs] tunnel encryption ipsec pre-shared-key simple
# Enable the AP to use IPsec to encrypt the data tunnel.
[AC-wlan-ap-officeap1-prvs] data-tunnel encryption enable
[AC-wlan-ap-officeap1-prvs] return
4. Configure the AC:
# Configure VLAN-interface 100 and assign it an IP address.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface Vlan-interface 100
[AC-Vlan-interface100] ip address
[AC-Vlan-interface100] quit
# Create a DPD detector named dpd.
[AC] ike dpd dpd
[AC-ike-dpd-dpd] quit
# Set the ISAKMP SA keepalive interval to 100 seconds.
[AC] ike sa keepalive-timer interval 100
# Set the ISAKMP SA keepalive timeout to 300 seconds.
[AC] ike sa keepalive-timer timeout 300
# Enable invalid SPI recovery.
[AC] ipsec invalid-spi-recovery enable
# Create a PKI entity named eap and configure its common name as eap.
[AC] pki entity eap
[AC-pki-entity-eap] common-name eap
[AC-pki-entity-eap] quit
# Create a PKI domain named eap and specify eap as the entity for certificate requests.
[AC] pki domain eap
[AC-pki-domain-eap] certificate request entity eap
# Configure the entity to request a certificate from the RA.
[AC-pki-domain-eap] certificate request from ra
# Disable CRL checking.
[AC-pki-domain-eap] crl check disable
# Configure the authentication server.
[AC-pki-domain-eap] ca identifier wlan
[AC-pki-domain-eap] certificate request url
[AC-pki-domain-eap] certificate request mode auto password simple
[AC-pki-domain-eap] root-certificate fingerprint md5 4843CC9BE77CA1A3F7802EB2114E7A88

[AC-pki-domain-eap] crl url
[AC-pki-domain-eap] ldap-server ip
[AC-pki-domain-eap] quit
# Create IKE proposal 1 and specify the 1024-bit Diffie-Hellman group (group 2) for the IKE proposal.
[AC] ike proposal 1
[AC-ike-proposal-1] dh group2
# Configure IKE proposal 1 to use the RSA digital signature authentication method.
[AC-ike-proposal-1] authentication-method rsa-signature
# Use 128-bit AES in CBC mode as the encryption algorithm.
[AC-ike-proposal-1] encryption-algorithm aes-cbc 128
[AC-ike-proposal-1] quit
# Create an IKE peer named peer1 and configure it to reference IKE proposal 1.
[AC] ike peer peer1
[AC-ike-peer-peer1] proposal 1
# Specify the pre-shared key used in IKE negotiation.
[AC-ike-peer-peer1] pre-shared-key simple
# Configure the IP address range of the remote security gateway.
[AC-ike-peer-peer1] remote-address
# Configure the PKI domain for IKE negotiation.
[AC-ike-peer-peer1] certificate domain eap
# Apply DPD detector dpd to IKE peer peer1.
[AC-ike-peer-peer1] dpd dpd
[AC-ike-peer-peer1] quit
# Create an IPsec transform set named 1 and specify SHA1 as the authentication algorithm for ESP.
[AC] ipsec transform-set 1
[AC-ipsec-transform-set-1] esp authentication-algorithm sha1
# Use 128-bit AES in CBC mode as the encryption algorithm.
[AC-ipsec-transform-set-1] esp encryption-algorithm aes-cbc-128
[AC-ipsec-transform-set-1] quit
# Create an IPsec policy template named 1 with sequence number 1, and configure it to reference IKE peer peer1.
[AC] ipsec policy-template 1 1
[AC-ipsec-policy-template-1-1] ike-peer peer1
# Configure the IPsec policy template to reference IPsec transform set 1.
[AC-ipsec-policy-template-1-1] transform-set 1
[AC-ipsec-policy-template-1-1] quit
# Create an IPsec policy named map with sequence number 1 by referencing IPsec policy template 1.
[AC] ipsec policy map 1 isakmp template 1
# Apply IPsec policy group map to VLAN-interface 100.
[AC] interface Vlan-interface100
[AC-Vlan-interface100] ipsec policy map
[AC-Vlan-interface100] quit
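The two AC-AP tunnel encryption examples above differ in exactly the settings a reviewer would check: the pre-shared key example uses DES for ESP and the five-character key abcde, while the digital signature example uses RSA signatures, DH group 2 and AES-128. The following script is an added example, not part of the HP guide, that audits an AC-side CLI transcript of either kind for such settings. It walks the transcript by the bracketed prompt (the configuration view) and uses the pre-shared-key simple and pre-shared-key abcde forms shown in the guide; that a cipher keyword stores the key encrypted, the MIN_PSK_LEN threshold, and the PSK_PLACEHOLDER_VALUE key standing in for values the guide elides are assumptions of this example.

```python
"""Audit Comware AC-side IKE/IPsec commands for weak AC-AP tunnel settings.

Added example, not from the HP guide. Flags DES/3DES/NULL ciphers, MD5
integrity, DH group1, and pre-shared keys that are stored in plain text or
are short. MIN_PSK_LEN is an assumed policy threshold.
"""
import re
from dataclasses import dataclass

VIEW_RE = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>.+?)\s*$")
WEAK_CIPHERS = {"des", "des-cbc", "3des", "3des-cbc", "null"}
MIN_PSK_LEN = 16  # assumed policy threshold, not a value from the guide

# Constructed sample built from the guide's pre-shared-key example (AP 3).
PSK_EXAMPLE = """\
[AC] wlan ap ap3 model MSM460-WW
[AC-wlan-ap-ap3] provision
[AC-wlan-ap-ap3-prvs] tunnel encryption ipsec pre-shared-key simple abcde
[AC-wlan-ap-ap3-prvs] data-tunnel encryption enable
[AC-wlan-ap-ap3-prvs] quit
[AC] ipsec transform-set tran1
[AC-ipsec-transform-set-tran1] encapsulation-mode tunnel
[AC-ipsec-transform-set-tran1] transform esp
[AC-ipsec-transform-set-tran1] esp encryption-algorithm des
[AC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[AC-ipsec-transform-set-tran1] quit
[AC] ike peer ap3
[AC-ike-peer-ap3] pre-shared-key abcde
[AC-ike-peer-ap3] dpd dpd
[AC-ike-peer-ap3] quit
"""

# Constructed sample built from the guide's RSA digital signature example;
# PSK_PLACEHOLDER_VALUE stands in for the key the guide does not show.
RSA_EXAMPLE = """\
[AC] ike proposal 1
[AC-ike-proposal-1] dh group2
[AC-ike-proposal-1] authentication-method rsa-signature
[AC-ike-proposal-1] encryption-algorithm aes-cbc 128
[AC-ike-proposal-1] quit
[AC] ike peer peer1
[AC-ike-peer-peer1] proposal 1
[AC-ike-peer-peer1] pre-shared-key simple PSK_PLACEHOLDER_VALUE
[AC-ike-peer-peer1] certificate domain eap
[AC-ike-peer-peer1] quit
[AC] ipsec transform-set 1
[AC-ipsec-transform-set-1] esp authentication-algorithm sha1
[AC-ipsec-transform-set-1] esp encryption-algorithm aes-cbc-128
[AC-ipsec-transform-set-1] quit
"""


@dataclass(frozen=True)
class Finding:
    line: int
    severity: str
    message: str


def _psk_findings(lineno, rest):
    """rest = tokens after 'pre-shared-key': [key] or [cipher|simple, key]."""
    if not rest:
        return [Finding(lineno, "info", "pre-shared key value missing from transcript")]
    mode, key = (rest[0], rest[1]) if len(rest) >= 2 else ("simple", rest[0])
    if mode == "cipher":  # assumed: stored encrypted, so its length says nothing
        return []
    out = [Finding(lineno, "medium", "pre-shared key stored in plain text; use the cipher form")]
    if len(key) < MIN_PSK_LEN:
        out.append(Finding(lineno, "high",
                           f"pre-shared key has {len(key)} characters; policy requires {MIN_PSK_LEN}"))
    return out


def audit_ipsec_config(cli_text):
    """Return the list of Finding objects for a CLI transcript, in line order."""
    findings = []
    for lineno, raw in enumerate(cli_text.splitlines(), 1):
        m = VIEW_RE.match(raw.strip())
        if not m:
            continue  # user-view prompts (<AC>) and comment lines carry no config
        view, tok = m["view"], m["cmd"].split()
        if view.endswith("-prvs") and tok[:4] == ["tunnel", "encryption", "ipsec", "pre-shared-key"]:
            findings += _psk_findings(lineno, tok[4:])          # AP provision view
        elif view.startswith("AC-ike-peer-") and tok[:1] == ["pre-shared-key"]:
            findings += _psk_findings(lineno, tok[1:])          # IKE peer view
        elif view.startswith("AC-ipsec-transform-set-"):
            if tok[:2] == ["esp", "encryption-algorithm"] and tok[2:3] and tok[2] in WEAK_CIPHERS:
                findings.append(Finding(lineno, "high", f"ESP cipher {tok[2]} is weak; use aes-cbc-128 or stronger"))
            elif tok[:2] == ["esp", "authentication-algorithm"] and tok[2:3] == ["md5"]:
                findings.append(Finding(lineno, "medium", "ESP integrity uses MD5; use sha1 or stronger"))
        elif view.startswith("AC-ike-proposal-"):
            if tok[:1] == ["dh"] and tok[1:2] == ["group1"]:
                findings.append(Finding(lineno, "high", "IKE DH group1 is 768-bit; use group2 or higher"))
            elif tok[:1] == ["encryption-algorithm"] and tok[1:2] and tok[1] in WEAK_CIPHERS:
                findings.append(Finding(lineno, "high", f"IKE cipher {tok[1]} is weak; use aes-cbc"))
    return findings


if __name__ == "__main__":
    for name, sample in (("PSK example", PSK_EXAMPLE), ("RSA example", RSA_EXAMPLE)):
        print(name)
        for f in audit_ipsec_config(sample):
            print(f"  line {f.line:2d} [{f.severity}] {f.message}")
```

Run against the pre-shared-key transcript the script reports the DES transform set and both copies of the short plain-text key abcde (on the AP provision line and on the IKE peer); against the digital signature transcript it reports only that the IKE peer's pre-shared key is stored in plain text, which is harmless for the negotiation itself because the proposal authenticates with rsa-signature, but still worth knowing when the configuration file is backed up or shared.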

Verifying the configuration
1. Verify that AP officeap1 has associated with the AC.
<AC> display wlan ap all
 Total Number of APs configured            : 1
 Total Number of configured APs connected  : 1
 Total Number of auto APs connected        : 0
 Total Number of APs connected             : 1
 Maximum AP capacity                       : 1024
 Remaining AP capacity                     : 1023
                         AP Profiles
 State : I = Idle,   J = Join,    JA = JoinAck,   IL = ImageLoad
         C = Config, R = Run,     KU = KeyUpdate, KC = KeyCfm
         M = Master, B = Backup
 AP Name          State   Model       Serial-ID
 officeap1        R/M     425-AM      CN33G67024
2. Verify that the AC and the AP have not established an IPsec tunnel.
<AC> display ike sa
    total phase-1 SAs:  0
    connection-id  peer  flag  phase  doi
3. Save the configuration to the wlan_ap_cfg.wcfg file of AP officeap1, and reboot the AP.
<AC> system-view
[AC] save wlan ap provision name officeap1
[AC] quit
<AC> reset wlan ap name officeap1
This command will reset only master connection AP. Do you want to continue [Y/N]:y
4. Verify that the AP and the AC have established an IPsec tunnel.
<AC> display ike sa
    total phase-1 SAs:  1
    connection-id  peer  flag   phase  doi
                         RD TO  1      IPSEC
                         RD     2      IPSEC
                         RD     2      IPSEC
    flag meaning
    RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
5. Verify that the IPsec tunnel between the AC and the AP has been established through RSA digital signature authentication.
<AC> display ike sa verbose
    connection id: 49
    vpn-instance:

    transmitting entity: responder
    local ip:
    local id type: DER_ASN1_DN
    local id: CN=eap
    remote ip:
    remote id type: DER_ASN1_DN
    remote id: CN=ap
    authentication-method: RSA_SIG
    authentication-algorithm: SHA
    encryption-algorithm: AES_CBC_128
    life duration(sec):
    remaining key duration(sec):
    exchange-mode: MAIN
    diffie-hellman group: GROUP2
    nat traversal: NO
6. View the certificates that the AC obtained automatically from the authentication server.
<AC> dir
Directory of cfa0:/
   0 -rw-        Mar  :10:06  hp6000.bin
   1 -rw-   632  Mar  :00:42  map.txt
   2 -rw-        Mar  :09:24  eap_ca.cer
   3 -rw-        Mar  :09:24  eap_local.cer
File system type of cfa0: FAT32

Policy-based forwarding configuration example

Network requirements
As shown in Figure 16, apply the policy-based forwarding mode to the service template or the user profile on the AC.

Figure 16 Network diagram

Configuration procedure
1. Edit the configuration file ACL.txt of the AP:
# The ACL and user profile configurations must be included.
acl number 3000
 rule 0 permit icmp icmp-type echo

acl ipv6 number 3001
 rule 0 permit icmpv6 icmp6-type echo-request
undo user-profile aaa enable
user-profile aaa
 wlan forwarding-policy us
user-profile aaa enable
2. Configure the authentication server:
Configure the shared key for AC authentication packets, and specify the name and password for the client. Make sure the name of the user profile is aaa. (Details not shown.)
3. Configure the AC:
# Create forwarding policy st. Configure forwarding rules to forward packets that match ACL 3000 in local forwarding mode and packets that match ACL 3001 in centralized forwarding mode.
<AC> system-view
[AC] wlan forwarding-policy st
[AC-wlan-fp-st] classifier acl 3000 behavior local
[AC-wlan-fp-st] classifier acl ipv6 3001 behavior remote
[AC-wlan-fp-st] quit
# Create forwarding policy us. Configure forwarding rules to forward packets that match ACL 3000 in centralized forwarding mode and packets that match ACL 3001 in local forwarding mode.
[AC] wlan forwarding-policy us
[AC-wlan-fp-us] classifier acl 3000 behavior remote
[AC-wlan-fp-us] classifier acl ipv6 3001 behavior local
[AC-wlan-fp-us] quit
# Enable port security.
[AC] port-security enable
# Enable the EAP authentication mode.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme named rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Specify the IP address of the primary RADIUS authentication server and the primary RADIUS accounting server.
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication packets and accounting packets.
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
# Configure the AC to remove the domain name from the username sent to the RADIUS server.
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit

# Create authentication domain test, and specify RADIUS scheme rad for authentication, authorization, and accounting.
[AC] domain test
[AC-isp-test] authentication lan-access radius-scheme rad
[AC-isp-test] authorization lan-access radius-scheme rad
[AC-isp-test] accounting lan-access radius-scheme rad
[AC-isp-test] quit
# Configure mandatory authentication domain test for 802.1X clients on interface WLAN-ESS 1.
[AC] interface WLAN-ESS1
[AC-WLAN-ESS1] dot1x mandatory-domain test
# Specify the port security mode as userlogin-secure-ext and enable 11key negotiation.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
# Disable the 802.1X multicast trigger and online user handshake functions.
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] quit
# Create a crypto-type service template, specify the SSID of the service template as dot1x, and specify the encryption types as TKIP and AES-CCMP.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite tkip
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
# Enable the policy-based forwarding mode and apply forwarding policy st to the service template.
[AC-wlan-st-1] client forwarding-mode policy-based st
# In centralized forwarding mode, configure packets to be encapsulated in 802.3 format.
[AC-wlan-st-1] client remote-forwarding format dot3
# Enable the service template.
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Specify the model and serial number for AP 1.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Download configuration file ACL.txt to AP 1.
[AC-wlan-ap-ap1] map-configuration ACL.txt
# Bind service template 1 to radio 2 of AP 1, and enable the radio.
[AC-wlan-ap-ap1] radio 2 type dot11gn
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Create and enable the user profile aaa.
[AC] user-profile aaa

[AC-user-profile-aaa] quit
[AC] user-profile aaa enable

Verifying the configuration
Verify that forwarding policy us takes effect, because the forwarding policy in the user profile has a higher priority than the one applied to the service template:
Use an IPv4 client to ping the IP address that connects the AP to the AC. The ICMP packet matches ACL 3000 and is forwarded by the AC.
Use an IPv6 client to ping the IP address that connects the AP to the AC. The ICMPv6 packet matches ACL 3001 and is forwarded by the AP.

802.11n configuration example

Network requirements
As shown in Figure 17, deploy an 802.11n network to provide high-bandwidth access for multimedia applications. The AP provides a plain-text wireless service with SSID 11nservice. 802.11gn is adopted to inter-work with existing 802.11g networks.

Figure 17 Network diagram

Configuration procedure
1. Configure the AC:
# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Configure a clear-type service template, configure the SSID of the service template as 11nservice, and bind the WLAN-ESS interface to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid 11nservice
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure the AP on the AC. The AP must support 802.11n.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Configure the radio of the AP to operate in 802.11g/n mode.
[AC-wlan-ap-ap1] radio 1 type dot11gn
# Bind the service template to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

2. Verify the configuration:
The clients can associate with the APs and access the WLAN. You can use the display wlan client verbose command to view the online clients. The command output displays information about 802.11n clients.

802.11ac configuration example

Network requirements
As shown in Figure 18, deploy an 802.11ac network to provide high-rate access for multimedia applications. The AP provides a plain-text wireless service with SSID 11acservice.

Figure 18 Network diagram

Configuration procedure
1. Configure the AC:
# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Configure a clear-type service template, configure the SSID of the service template as 11acservice, and bind the WLAN-ESS interface to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid 11acservice
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure the AP on the AC. The AP must support 802.11ac.
[AC] wlan ap ap1 model 560-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Configure the radio of the AP to operate in 802.11ac mode.
[AC-wlan-ap-ap1] radio 1 type dot11ac
# Bind the service template to the radio.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
2. Verify the configuration:
Verify that the client can associate with the AP and access the network. Display information about 802.11ac clients with the display wlan client verbose command.

Backup client authentication configuration example

Network requirements
As shown in Figure 19, configure backup client authentication on the AC to achieve the following purposes:
- The AC authenticates clients in the branch.
- When the AC-AP connection fails, the AP authenticates clients and does not log off online clients. A new client can go online by using local authentication.
- When the connection recovers, the AP logs off all clients and the AC re-authenticates them.

Figure 19 Network diagram

Configuration procedure
1. Add the following commands to the configuration file of the AP:
port-security enable
domain branch.net
 authentication lan-access local
 authorization lan-access local
 accounting lan-access local
local-user c-8a-43-ff
 password simple c-8a-43-ff
 service-type lan-access
mac-authentication user-name-format mac-address with-hyphen lowercase
Save the configuration file, name it map.cfg, and put it on the storage media of the AC.
2. Configure the AC:
# Create an access user. Specify both the username and the password as the MAC address of the client, c-8a-43-ff, and specify the service type as lan-access.
<AC> system-view
[AC] local-user c-8a-43-ff
[AC-luser c-8a-43-ff] password simple c-8a-43-ff
[AC-luser c-8a-43-ff] service-type lan-access
[AC-luser c-8a-43-ff] quit
# Configure ISP domain branch.net to use local authentication for LAN access users.
[AC] domain branch.net
[AC-isp-branch.net] authentication lan-access local
[AC-isp-branch.net] quit

# Enable port security.
[AC] port-security enable
# Enable MAC authentication and specify branch.net as the authentication domain. The authentication domain must be the same as the domain created in the configuration file of the AP.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode mac-authentication
[AC-WLAN-ESS1] mac-authentication domain branch.net
[AC-WLAN-ESS1] quit
# Configure the type of user accounts for MAC authentication users.
[AC] mac-authentication user-name-format mac-address with-hyphen lowercase
# Configure a clear-type service template, configure the SSID of the service template as backup, and bind the WLAN-ESS interface to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid backup
[AC-wlan-st-1] bind WLAN-ESS 1
# Specify the backup authentication mode.
[AC-wlan-st-1] authentication-mode backup
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 and specify the serial ID for the AP.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Enable the remote AP function.
[AC-wlan-ap-ap1] hybrid-remote-ap enable
# Download configuration file map.cfg to AP 1.
[AC-wlan-ap-ap1] map-configuration map.cfg
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2 type dot11gn
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable

Verifying the configuration
Clients associated with the AP can access the network after passing central authentication. In the output of the display wlan client verbose command, the Central field shows that the AC authenticates the clients.
When the connection between the AC and the AP fails, clients associated with the AP are not logged off. If a new client wants to associate with the AP, local authentication is performed.
When the connection between the AC and the AP recovers, the AP logs off all associated clients. The clients can associate with the AP again after being authenticated by the AC. In the output of the display wlan client verbose command, the authentication-mode field displays Central.

Local client authentication configuration example

Network requirements
As shown in Figure 20, configure local client authentication on the AC so that the AP performs 802.1X authentication on clients through the RADIUS server.

Deploy the RADIUS server at the AP side so that associated 802.1X clients are not logged off when the connection between the branch and headquarters fails.

Figure 20 Network diagram (RADIUS server, AP, and client at the branch; AC at headquarters; branch and headquarters connected over the Internet)

Configuration procedure
1. Add the following commands to the configuration file of the AP:
port-security enable
dot1x authentication-method eap
radius scheme rad
 primary authentication
 primary accounting
 key authentication simple
 key accounting simple
 user-name-format without-domain
domain cams
 authentication default radius-scheme rad
 authorization default radius-scheme rad
 accounting default radius-scheme rad
Then, save the configuration file, name it map.cfg, and put it on the storage media of the AC.
2. Configure the AC:
# Specify mandatory 802.1X authentication domain cams on WLAN-ESS 1. This domain must be the same as the ISP domain created in the configuration file.
<AC> system-view
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain cams
# Configure the port security mode as userlogin-secure-ext and enable 11key negotiation.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
# Disable the 802.1X multicast trigger and online user handshake functions.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit

# Configure a crypto-type service template, configure the SSID of the service template as local1x, and specify the encryption type as AES-CCMP.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid local1x
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
# Specify the local authentication mode.
[AC-wlan-st-1] authentication-mode local
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 and specify the serial ID for the AP.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Enable the remote AP function.
[AC-wlan-ap-ap1] hybrid-remote-ap enable
# Download configuration file map.cfg to AP 1.
[AC-wlan-ap-ap1] map-configuration map.cfg
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2 type dot11gn
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable

Verifying the configuration
The AP performs 802.1X authentication on clients through the RADIUS server. Execute the display wlan client verbose command on the AC to view detailed client information. The Local field in the output shows that the AP authenticates the clients. The output of the display connection, display dot1x, and display port-security commands on the AC does not contain client information, because the AP, not the AC, authenticates the clients.

AP upgrade configuration example

Network requirements
As shown in Figure 21, configure the AP version upgrade function to upgrade AP 1 and AP 2. The AC has established an LWAPP tunnel with each of AP 1, AP 2, and AP 3.

Figure 21 Network diagram (AC, switch, AP 1, AP 2, and AP 3)

Configuration procedure
Before the following configurations, assume that you have configured AP templates for the three APs on the AC.
# Create AP group update, and add AP 1 and AP 2 to it.
<AC> system-view
[AC] wlan ap-group update
[AC-ap-group-update] ap ap1 ap2
# Enable the AP version update function for the AP group.
[AC-ap-group-update] firmware-update enable
[AC-ap-group-update] quit
# Enter the template view of AP 3, and disable the version update function.
[AC] wlan ap ap3 model MSM460-WW
[AC-wlan-ap-ap3] firmware-update disable
# Download the AP version B108D001 to the AC. (Details not shown.)
# Upgrade the AC's version to B109D001 and reset the AC. AP 1 and AP 2 will try to establish tunnels with the AC of the new version:
- AP 1 and AP 2 compare their versions with the version of the AC, download the AP version B109D001 from the AC, and restart. After the reboot, they use version B109D001 to establish LWAPP tunnels with the AC.
- AP 3 does not compare its version with that of the AC, and uses version B96D001 to establish an LWAPP tunnel with the AC.

Verifying the configuration
Execute the display wlan ap verbose command. The output shows that the versions of AP 1 and AP 2 are B109D001, and the version of AP 3 is B96D001.

AP version rollback configuration example

Network requirements
As shown in Figure 22, the AC has established an LWAPP tunnel with each of AP 1, AP 2, and AP 3. Configure AP version rollback so that the versions of AP 1 and AP 2 can roll back to B96D001.

The version of the AC is B96D001, and the three APs are all of version B109D001.

Figure 22 Network diagram (nodes: AP 1, AC, Switch, AP 2, AP 3)

Configuration procedure
Assume that you have completed the following configurations:
- Configure AP templates for the three APs on the AC.
- Enable the AC to accept AP 1, AP 2, and AP 3 with the software versions MSM460-WW Ver.C V100R001B109D001, MSM430-WW Ver.C V100R001B109D001, and MSM466-WW Ver.C V100R001B109D001, respectively.
To configure AP version rollback:
# Create AP group switchback, and add AP 1 and AP 2 to the group.
<AC> system-view
[AC] wlan ap-group switchback
[AC-ap-group-switchback] ap ap1 ap2
[AC-ap-group-switchback] quit
# Configure AP 1 and AP 2 to use the same software version as the AC.
[AC] undo wlan apdb MSM460-WW Ver.C V100R001B109D001
[AC] undo wlan apdb MSM430-WW Ver.C V100R001B109D001
[AC] quit
# Download the AP version B96D001 to the AC. (Details not shown.)
# Reset all APs in the AP group.
<AC> reset wlan ap ap-group switchback

Verifying the configuration
Execute the display wlan ap verbose command. The output shows that the versions of AP 1 and AP 2 are B96D001, and the version of AP 3 remains B109D001.

AC and AP version rollback configuration example

Network requirements
As shown in Figure 23, the AC has established an LWAPP tunnel with AP 1, AP 2, and AP 3, respectively. Configure AC and AP version rollback so that the versions of the AC, AP 1, and AP 2 can roll back to B96D

The AC and the three APs all run version B109D001.

Figure 23 Network diagram (nodes: AP 1, AC, Switch, AP 2, AP 3)

Configuration procedure
Before the following configurations, assume that you have configured AP templates for the three APs on the AC.
To configure AC and AP version rollback:
# Download the AC version B96D001 to the AC.
# Download the AP version B96D001 to the AC.
# Enable the AC to accept AP 3 with the software version MSM460-WW Ver.C V100R001B109D001.
[AC] wlan apdb MSM460-WW Ver.C V100R001B109D001
# Restart the AC.

Verifying the configuration
Execute the display wlan ap verbose command. The output shows that the versions of AP 1 and AP 2 are B96D001, and the version of AP 3 remains B109D001.

AP group configuration without roaming

Network requirements
As shown in Figure 24, configure an AP group and apply it in a user profile on the AC so that a client can access the WLAN only through AP 1.

Figure 24 Network diagram

Configuration procedure
1. Configure the AC:
# Enable port security.
<AC> system-view
[AC] port-security enable
# Enable EAP authentication mode.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme.
[AC] radius scheme wlan-user-policy
# Specify the RADIUS server and keys for authentication and accounting.
[AC-radius-wlan-user-policy] server-type extended
[AC-radius-wlan-user-policy] primary authentication
[AC-radius-wlan-user-policy] primary accounting
[AC-radius-wlan-user-policy] key authentication wlan
[AC-radius-wlan-user-policy] key accounting wlan
# Specify the IP address of the AC.
[AC-radius-wlan-user-policy] nas-ip
[AC-radius-wlan-user-policy] quit
# Configure an ISP domain named universal by referencing the configured RADIUS scheme.
[AC] domain universal
[AC-isp-universal] authentication default radius-scheme wlan-user-policy
[AC-isp-universal] authorization default radius-scheme wlan-user-policy
[AC-isp-universal] accounting default radius-scheme wlan-user-policy
[AC-isp-universal] quit
# Configure domain universal as the default domain.
[AC] domain default enable universal
# Configure port security on interface WLAN-ESS 1.

[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Configure a service template.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid test
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model MSM460-WW.
[AC] wlan ap ap1 model MSM460-WW
# Configure the serial ID of the AP as CN2AD330S8.
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind the service template to radio 1 of AP 1 and enable the radio.
[AC-wlan-ap-ap1] radio 1 type dot11g
[AC-wlan-ap-ap1-radio1] service-template 1
[AC-wlan-ap-ap1-radio1] radio enable
[AC-wlan-ap-ap1-radio1] return
# Add AP 1 to AP group 11, apply the AP group to user profile management, and enable the user profile.
<AC> system-view
[AC] wlan ap-group 11
[AC-ap-group11] ap ap1
[AC-ap-group11] quit
[AC] user-profile management
[AC-user-profile-management] wlan permit-ap-group 11
[AC-user-profile-management] quit
[AC] user-profile management enable
2. Configure the RADIUS server:
# Deploy a user profile on the RADIUS server.
Log in to IMC. On the left navigation tree, select Service Management > Service Config. Click Add to enter the configuration page, and select Deploy User Profile.

Figure 25 Deploying a user profile

Verifying the configuration
The AP group applied in the user profile contains only AP 1, so a client can access the WLAN only through AP 1.

AP group configuration for inter-AC roaming

Network requirements
As shown in Figure 26, AC 1 and AC 2 belong to the same mobility group. Configure an AP group on the ACs so that a client can still access the WLAN when it moves between APs.

Figure 26 Network diagram

Configuration procedure
The RADIUS server configuration is similar to that in "Configure the RADIUS server" in the previous example and is omitted.
1. Configure AC 1:
# Enable port security.
<AC1> system-view
[AC1] port-security enable
# Enable EAP authentication mode.
[AC1] dot1x authentication-method eap
# Configure port security on interface WLAN-ESS 1.
[AC1] interface wlan-ess 1
[AC1-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC1-WLAN-ESS1] port-security tx-key-type 11key
[AC1-WLAN-ESS1] undo dot1x multicast-trigger
[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit

# Define a crypto type WLAN service template, configure the SSID as abc, and bind the WLAN-ESS interface to this service template.
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid abc
[AC1-wlan-st-1] bind wlan-ess 1
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] security-ie rsn
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Create an AP template named ap1 with model MSM460-WW.
[AC1] wlan ap ap1 model MSM460-WW
# Configure the serial ID of the AP as CN2AD330S8.
[AC1-wlan-ap-ap1] serial-id CN2AD330S8
[AC1-wlan-ap-ap1] radio 1 type dot11an
# Bind service template 1 to radio 1.
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit
# Configure mobility group abc and enable the mobility group.
[AC1] wlan mobility-group abc
[AC1-wlan-mg-abc] source ip
[AC1-wlan-mg-abc] member ip
[AC1-wlan-mg-abc] mobility-group enable
[AC1-wlan-mg-abc] return
# Configure AP group 1, add AP 1 and AP 2 to it, apply it to user profile management, and enable the user profile.
<AC1> system-view
[AC1] wlan ap-group 1
[AC1-ap-group1] ap ap1 ap2
[AC1-ap-group1] quit
[AC1] user-profile management
[AC1-user-profile-management] wlan permit-ap-group 1
[AC1-user-profile-management] quit
[AC1] user-profile management enable
2. Configure AC 2:
# Enable port security.
<AC2> system-view
[AC2] port-security enable
# Enable EAP authentication mode.
[AC2] dot1x authentication-method eap
# Configure port security on interface WLAN-ESS 1.
[AC2] interface wlan-ess 1
[AC2-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC2-WLAN-ESS1] port-security tx-key-type 11key

[AC2-WLAN-ESS1] undo dot1x multicast-trigger
[AC2-WLAN-ESS1] undo dot1x handshake
[AC2-WLAN-ESS1] quit
# Define a crypto type WLAN service template, configure the SSID as abc, and bind the WLAN-ESS interface to this service template.
[AC2] wlan service-template 1 crypto
[AC2-wlan-st-1] ssid abc
[AC2-wlan-st-1] bind wlan-ess 1
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] cipher-suite ccmp
[AC2-wlan-st-1] security-ie rsn
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
# Create an AP template named ap2.
[AC2] wlan ap ap2 model MSM460-WW
# Configure the serial ID of the AP as CN2AD330S9.
[AC2-wlan-ap-ap2] serial-id CN2AD330S9
[AC2-wlan-ap-ap2] radio 1 type dot11an
# Bind service template 1 to radio 1.
[AC2-wlan-ap-ap2-radio-1] service-template 1
[AC2-wlan-ap-ap2-radio-1] radio enable
[AC2-wlan-ap-ap2-radio-1] quit
[AC2-wlan-ap-ap2] quit
# Configure mobility group abc and enable the mobility group.
[AC2] wlan mobility-group abc
[AC2-wlan-mg-abc] source ip
[AC2-wlan-mg-abc] member ip
[AC2-wlan-mg-abc] mobility-group enable
[AC2-wlan-mg-abc] quit
# Configure AP group 1, add AP 1 and AP 2 to it, apply the AP group to user profile management, and enable the user profile.
[AC2] wlan ap-group 1
[AC2-ap-group1] ap ap1 ap2
[AC2-ap-group1] quit
[AC2] user-profile management
[AC2-user-profile-management] wlan permit-ap-group 1
[AC2-user-profile-management] quit
[AC2] user-profile management enable

Verifying the configuration
AP 1 and AP 2 are permitted in the AP group, and a client can roam between them.

Client IP address monitoring configuration example

Network requirements
As shown in Figure 27, the AC serves as the DHCP server. The AP and the client obtain IP addresses from the DHCP server. Configure the client IP address monitoring function on the AC to monitor the IP address changes of the client.

Figure 27 Network diagram

Configuration procedure
1. Configure the DHCP service on the AC:
# Enable the DHCP service.
<AC> system-view
[AC] dhcp enable
[AC] interface vlan 1
[AC-Vlan-interface1] ip address
[AC-Vlan-interface1] quit
# Create DHCP address pool 1, and specify the subnet for dynamic allocation in the DHCP address pool.
[AC] dhcp server ip-pool 1
[AC-dhcp-pool-1] network
[AC-dhcp-pool-1] quit
2. Enable client IP address monitoring:
[AC] wlan client learn-ipaddr enable

Verifying the configuration
1. The AC prints a Syslog message when the IP address of the client changes. When the client gets online, goes offline, fails the authentication, or updates the IP address, the AC prints a Syslog message with the new IP address in it.
2. You can use the display command to view the IP addresses offered to clients by the DHCP server.
# Display the client IP address assigned by the DHCP server on the AC.
[AC] display wlan client ip source binding
Total Number of Clients : 1
IP Source Binding Information
MAC Address      APID/RID   Type   Binding IP Address
c-f08f-f7f1      20/2       DHCP

Configuring WLAN security

Overview
This chapter describes WLAN security configuration.

Authentication modes
To secure wireless links, wireless clients must be authenticated before accessing the AP. 802.11 links define two authentication mechanisms: open system authentication and shared key authentication.

Open system authentication
Open system authentication is the default authentication algorithm and is the simplest of the available authentication algorithms. It is a null authentication algorithm: any client that requests authentication with this algorithm becomes authenticated. Open system authentication involves a two-step process. In the first step, the wireless client sends a request for authentication. In the second step, the AP determines whether the wireless client passes the authentication and returns the result to the client.

Figure 28 Open system authentication process

Shared key authentication
Figure 29 shows a shared key authentication process. The two parties have the same shared key configured. Shared key authentication uses the following process:
a. The client sends an authentication request to the AP.
b. The AP randomly generates a challenge and sends it to the client.
c. The client uses the shared key to encrypt the challenge and sends the encrypted challenge to the AP.
d. The AP uses the shared key to decrypt the challenge and compares the result with the original challenge sent to the client. If they are identical, the client passes the authentication. If not, the authentication fails.
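The four steps of shared key authentication, simulated end to end, as an added example that is not code from the HP guide. Shared key authentication is only usable with WEP (the chapter says so under "Enabling an authentication method"), so the challenge is encrypted the way WEP does it: RC4 keyed with a 24-bit IV prepended to a 40-bit key. The shared key, IVs and challenge bytes are constructed sample values; the AccessPoint and Client classes are this example's own names.

```python
"""Shared key authentication (steps a-d of the guide) with a WEP-40 key.

Added example, not from the HP guide. The key and all random values are
constructed; RC4 is included inline because WEP is built on it.
"""
import os


def rc4_keystream(key, length):
    """Plain RC4: key-scheduling (KSA) followed by `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_crypt(shared_key, iv, data):
    """WEP encryption and decryption are the same operation: RC4(IV || key) XOR data."""
    keystream = rc4_keystream(iv + shared_key, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


class AccessPoint:
    """The authenticator side: issues challenges and checks the encrypted replies."""

    def __init__(self, shared_key):
        self.shared_key = shared_key
        self.pending = {}  # client MAC -> challenge sent in step b

    def handle_auth_request(self, client_mac, challenge_len=128):
        """Step b: answer the request (step a) with a fresh random challenge."""
        challenge = os.urandom(challenge_len)
        self.pending[client_mac] = challenge
        return challenge

    def handle_auth_response(self, client_mac, iv, ciphertext):
        """Step d: decrypt with the shared key and compare with the challenge we sent."""
        challenge = self.pending.pop(client_mac, None)
        if challenge is None:
            return False  # no outstanding challenge for this client
        return wep_crypt(self.shared_key, iv, ciphertext) == challenge


class Client:
    """The supplicant side: encrypts the challenge with its copy of the shared key."""

    def __init__(self, mac, shared_key):
        self.mac = mac
        self.shared_key = shared_key

    def answer_challenge(self, challenge):
        """Step c: encrypt the challenge under a fresh 24-bit IV and return both."""
        iv = os.urandom(3)
        return iv, wep_crypt(self.shared_key, iv, challenge)


def run_shared_key_auth(ap, client):
    """Drive steps a-d and return the AP's accept/reject decision."""
    challenge = ap.handle_auth_request(client.mac)      # a + b
    iv, ciphertext = client.answer_challenge(challenge)  # c
    return ap.handle_auth_response(client.mac, iv, ciphertext)  # d


AP_KEY = bytes.fromhex("0102030405")  # constructed 40-bit (WEP40) shared key

if __name__ == "__main__":
    ap = AccessPoint(AP_KEY)
    print("matching key:", run_shared_key_auth(ap, Client("000c-f08f-0001", AP_KEY)))
    print("wrong key:   ", run_shared_key_auth(ap, Client("000c-f08f-0002", bytes(5))))
```

A client with a different key fails at step d because its ciphertext decrypts to something other than the challenge, which is exactly the behaviour the "shared key authentication mode" paragraph under "Configuring WEP cipher suite" describes.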

Figure 29 Shared key authentication process

WLAN data security
WLAN networks are more susceptible than wired networks to attacks. All WLAN devices share the same medium, and every device can receive data from any other sending device. Plain-text data is transmitted over the WLAN if there is no security service. To secure data transmission, 802.11 protocols provide encryption methods to ensure that devices without the correct key cannot read encrypted data.
1. WEP encryption
Wired Equivalent Privacy (WEP) protects data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream encryption method) for confidentiality. WEP encryption is either static or dynamic, depending on how a WEP key is generated.
- Static WEP encryption: With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers can decrypt all the data they receive. In addition, periodic manual key updates bring a great management workload to administrators.
- Dynamic WEP encryption: With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol so that each client is assigned a different WEP key. The keys can be updated periodically to further improve unicast frame transmission security.
Although WEP encryption increases the difficulty of network interception and session hijacking, it still has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.
2. TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has several advantages over WEP and provides more secure protection for WLANs:
- TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm and increases the length of IVs from 24 bits to 48 bits.
- TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.

- TKIP offers MIC and countermeasures. If a packet fails the MIC, the data may have been tampered with, and the system could be under attack. If two packets fail the MIC in a specified period, the AP automatically takes countermeasures. For example, the AP does not provide services in a specified period to prevent attacks.
3. AES-CCMP encryption
CTR with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MAC Protocol Data Unit (MPDU) Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP contains a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite. The key suite can be updated periodically to further enhance the security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different PN, which improves security.

Client access authentication
1. PSK authentication
To implement pre-shared key (PSK) authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass the PSK authentication.
2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls devices at the port level. A device that is connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.
3. MAC address authentication
MAC address authentication does not require any client software. The MAC address of a client is compared against a predefined list of allowed MAC addresses. If a match is found, the client passes the authentication and can access the WLAN. If no match is found, the authentication fails and access is denied. The user is not required to enter a username or password. This type of authentication is suited to small networks with fixed clients. MAC address authentication can be done locally or through a RADIUS server.
- Local MAC address authentication: A list of usernames and passwords (the MAC addresses of allowed clients) is created on the wireless access device. The clients are authenticated by the wireless access device. Only clients whose MAC addresses are included in the list can pass the authentication and access the WLAN.
- MAC address authentication through a RADIUS server: The wireless access device serves as the RADIUS client and sends the MAC address of each requesting client to the RADIUS server. If the client passes the authentication on the RADIUS server, the client can access the WLAN within the authorization assigned by the RADIUS server. In this authentication mode, if different domains are defined, the authentication information of different SSIDs is sent to different RADIUS servers based on their domains.
For more information about access authentication, see Security Configuration Guide.

Protocols and standards
- IEEE Standard for Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements

- WI-FI Protected Access Enhanced Security Implementation Based On IEEE P802.11i Standard, Aug 2004
- Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements, 1999
- IEEE Standard for Local and metropolitan area networks "Port-Based Network Access Control", 802.1X
- 802.11i IEEE Standard for Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements

Configuring WLAN security
To configure WLAN security in a service template, map the service template to a radio policy, and add radios to the radio policy. The SSID name, advertisement setting (beaconing), and encryption settings are configured in the service template. You can configure an SSID to support any combination of WPA, RSN, and Pre-RSN clients.

Configuration task list
Task                                        Remarks
Enabling an authentication method           Required.
Configuring the PTK lifetime
Configuring the GTK rekey method
Configuring security IE                     Required.
Configuring cipher suite                    Required.
Configuring port security
Specifying a key derivation type
Configuring management frame protection

Enabling an authentication method
You can enable open system or shared key authentication, or both.
To enable an authentication method:
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A

3. Enable the authentication method.
   Command: authentication-method { open-system | shared-key }
   Remarks: By default, open system authentication is adopted.
Shared key authentication can be adopted only when WEP encryption is used, and you must configure the authentication-method shared-key command. For RSN and WPA, the authentication method must be open system authentication.

Configuring the PTK lifetime
A pairwise transient key (PTK) is generated through a 4-way handshake. During the handshake process, the pairwise master key (PMK), an AP random value (ANonce), a site random value (SNonce), the AP's MAC address, and the client's MAC address are used.
To configure the PTK lifetime:
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Configure the PTK lifetime.
   Command: ptk-lifetime time
   Remarks: By default, the PTK lifetime is seconds.

Configuring the GTK rekey method
An AC generates a group temporal key (GTK). Through the group key handshake or the 4-way handshake, the AC sends the GTK to a client during the authentication process between an AP and the client. The client uses the GTK to decrypt broadcast and multicast packets. The Robust Security Network (RSN) negotiates the GTK through the 4-way handshake or the group key handshake. Wi-Fi Protected Access (WPA) negotiates the GTK only through the group key handshake.
The following GTK rekey methods can be configured:
- Time-based GTK rekey: After the specified interval elapses, GTK rekey occurs.
- Packet-based GTK rekey: After the specified number of packets is sent, GTK rekey occurs.
By default, time-based GTK rekey is adopted, and the rekey interval is seconds. Configuring a new GTK rekey method overwrites the previous GTK rekey method. For example, if time-based GTK rekey is configured after packet-based GTK rekey, time-based GTK rekey takes effect.
You can also configure the device to start GTK rekey when a client goes offline.
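The PTK lifetime section lists the five inputs of the 4-way handshake (PMK, ANonce, SNonce, and the two MAC addresses) without showing how they combine. The following added example, which is not code from the HP guide, carries that derivation through for both key derivation types the service template can be given with the key-derivation command described later in this chapter: the IEEE 802.11 PRF based on HMAC-SHA1 for sha1, and the HMAC-SHA256 KDF (the one used with the sha256 AKM suites and the PMF recommendation) for sha256. It then uses the resulting KCK to compute and check the handshake Key MIC. The PMK, nonces and MAC addresses are constructed sample values, and derive_ptk, eapol_key_mic and the other names are this example's own.

```python
"""PTK derivation for the 4-way handshake (IEEE 802.11 "Pairwise key expansion").

Added example, not from the HP guide. Inputs below are constructed; a real PMK
comes from 802.1X/EAP or from the PSK, and the nonces are random per handshake.
"""
import hashlib
import hmac
import struct

LABEL = b"Pairwise key expansion"


def prf_sha1(key, label, data, nbytes):
    """IEEE 802.11 PRF-X (key-derivation sha1): concatenate
    HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... and truncate."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kdf_sha256(key, label, context, nbytes):
    """IEEE 802.11 KDF-Hash-Length with SHA-256 (key-derivation sha256):
    HMAC-SHA256(key, i || label || context || Length), i starting at 1, with i and
    Length (in bits) encoded as 16-bit little-endian integers."""
    length_bits = nbytes * 8
    out = b""
    i = 1
    while len(out) < nbytes:
        block = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, block, hashlib.sha256).digest()
        i += 1
    return out[:nbytes]


def ptk_context(aa, spa, anonce, snonce):
    """Min/Max ordering of the MACs and nonces: both sides build the same context
    regardless of which side is computing it."""
    return min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)


def derive_ptk(pmk, aa, spa, anonce, snonce, key_derivation="sha1", tk_len=16):
    """Return (KCK, KEK, TK). KCK and KEK are 128 bits each; TK is 128 bits for
    CCMP and 256 bits for TKIP (tk_len=32, the extra bytes being the Michael keys)."""
    ctx = ptk_context(aa, spa, anonce, snonce)
    nbytes = 16 + 16 + tk_len
    if key_derivation == "sha1":
        ptk = prf_sha1(pmk, LABEL, ctx, nbytes)
    elif key_derivation == "sha256":
        ptk = kdf_sha256(pmk, LABEL, ctx, nbytes)
    else:
        raise ValueError("key_derivation must be 'sha1' or 'sha256'")
    return ptk[:16], ptk[16:32], ptk[32:32 + tk_len]


def eapol_key_mic(kck, eapol_frame, key_derivation="sha1"):
    """Key MIC over an EAPOL-Key frame whose MIC field the caller has zeroed:
    the first 128 bits of HMAC-SHA1 (sha1) or HMAC-SHA256 (sha256) under the KCK."""
    h = hashlib.sha1 if key_derivation == "sha1" else hashlib.sha256
    return hmac.new(kck, eapol_frame, h).digest()[:16]


# Constructed sample inputs.
PMK = hashlib.sha256(b"constructed sample PMK, not a real key").digest()  # 32 bytes
AA = bytes.fromhex("000cf08f0001")   # constructed authenticator (AP) MAC
SPA = bytes.fromhex("000cf08ff7f1")  # constructed supplicant (client) MAC
ANONCE = bytes(range(32))            # constructed; real nonces are random
SNONCE = bytes(range(32, 64))


def handshake_message2_check(key_derivation="sha1"):
    """The client signs message 2 with its KCK; the AP verifies it with its own."""
    kck_sta, _, tk_sta = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE, key_derivation)
    kck_ap, _, tk_ap = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE, key_derivation)
    msg2 = b"constructed EAPOL-Key message 2 body with the MIC field zeroed"
    mic = eapol_key_mic(kck_sta, msg2, key_derivation)
    mic_ok = hmac.compare_digest(mic, eapol_key_mic(kck_ap, msg2, key_derivation))
    return mic_ok and tk_sta == tk_ap


if __name__ == "__main__":
    for kd in ("sha1", "sha256"):
        kck, kek, tk = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE, kd)
        print(kd, "TK =", tk.hex(), "message 2 MIC verifies:", handshake_message2_check(kd))
```

One consequence of the two constructions worth noticing: with the SHA1 PRF the KCK is the same whether the PTK is 384 or 512 bits long, whereas the SHA256 KDF feeds the output length into every HMAC, so a TKIP-length and a CCMP-length derivation share nothing.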

Configuring GTK rekey based on time
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable GTK rekey.
   Command: gtk-rekey enable
   Remarks: By default, GTK rekey is enabled.
4. Configure the GTK rekey interval.
   Command: gtk-rekey method time-based [ time ]
   Remarks: By default, the interval is seconds.
5. Configure the device to start GTK rekey when a client goes offline.
   Command: gtk-rekey client-offline enable
   Remarks: By default, the device does not start GTK rekey when a client goes offline. This command takes effect only when you execute the gtk-rekey enable command.

Configuring GTK rekey based on packet
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable GTK rekey.
   Command: gtk-rekey enable
   Remarks: By default, GTK rekey is enabled.
4. Configure GTK rekey based on packet.
   Command: gtk-rekey method packet-based [ packet ]
   Remarks: The default packet number is
5. Configure the device to start GTK rekey when a client goes offline.
   Command: gtk-rekey client-offline enable
   Remarks: By default, the device does not start GTK rekey when a client goes offline. This command takes effect only when you execute the gtk-rekey enable command.

Configuring security IE
WPA ensures greater protection than WEP. WPA operates in either WPA-PSK (or Personal) mode or WPA-802.1X (or Enterprise) mode. In Personal mode, a pre-shared key or pass-phrase is used for authentication. In Enterprise mode, 802.1X, RADIUS servers, and the EAP are used for authentication.

Configuring WPA security IE
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A

3. Enable the WPA-IE in the beacon and probe responses.
   Command: security-ie wpa
   Remarks: By default, WPA-IE is disabled.

Configuring RSN security IE
An RSN is a security network that allows only the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of beacon frames. It provides greater protection than WEP and WPA.
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable the RSN-IE in the beacon and probe responses.
   Command: security-ie rsn
   Remarks: By default, RSN-IE is disabled.

Configuring cipher suite
A cipher suite is used for data encapsulation and de-encapsulation. It uses the following encryption methods:
- WEP40/WEP104/WEP128
- TKIP
- AES-CCMP

Configuring WEP cipher suite
1. Configure static WEP encryption:
The WEP encryption mechanism requires that the authenticator and clients on a WLAN have the same key configured. WEP adopts the RC4 algorithm (a stream encryption algorithm), supporting WEP40, WEP104, and WEP128 keys. You can use WEP with either open system or shared key authentication mode:
- In open system authentication mode, the WEP key is used for encryption only and not for authentication. A client can access the network without having the same key as the authenticator. However, if the receiver has a different key from the sender, it discards the packets received from the sender.
- In shared key authentication mode, the WEP key is used for both encryption and authentication. If the key of a client is different from that of the authenticator, the client cannot pass the authentication and its access is denied.
To configure static WEP encryption:
   1. Enter system view.
      Command: system-view
   2. Enter WLAN service template view.
      Command: wlan service-template service-template-number crypto
      Remarks: N/A

   3. Enable the WEP cipher suite.
      Command: cipher-suite { wep40 | wep104 | wep128 }
      Remarks: By default, no cipher suite is selected.
   4. Configure the WEP default key.
      Command: wep default-key { } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
      Remarks: By default, the WEP default key index number is
   5. Specify a key index number.
      Command: wep key-id { }
      Remarks: By default, the key index number is
2. Configure dynamic WEP encryption:
   1. Enter system view.
      Command: system-view
   2. Enter WLAN service template view.
      Command: wlan service-template service-template-number crypto
      Remarks: N/A
   3. Enable dynamic WEP encryption.
      Command: wep mode dynamic
      Remarks: By default, static WEP encryption is adopted. Dynamic WEP encryption must be used together with 802.1X authentication.
   4. Enable the WEP cipher suite.
      Command: cipher-suite { wep40 | wep104 | wep128 }
      Remarks: With dynamic WEP encryption configured, the device automatically uses the WEP104 cipher suite. To change the encryption method, use the cipher-suite command.
   5. Configure the WEP default key.
      Command: wep default-key { } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
      Remarks: By default, no WEP default key is configured. If the WEP default key is configured, it is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.
   6. Specify a key index number.
      Command: wep key-id { }
      Remarks: By default, the key index number is 1. For dynamic WEP encryption, the WEP key ID cannot be configured as 4.
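The overview's "TKIP encryption" and "AES-CCMP encryption" items describe two receive-side checks that the cipher-suite configuration which follows only parameterizes: the Michael MIC failure countermeasures whose duration is the tkip-cm-time interval, and the 48-bit CCMP packet number that must never repeat. The following added example, not code from the HP guide, models both as an AP would apply them. The 60-second window for the "two MIC failures" rule is the IEEE 802.11 value; treating tkip-cm-time 0 as "no countermeasures" follows the remark in the TKIP section. The timestamps, MACs and packet numbers are constructed sample values, and the class names are this example's own.

```python
"""Receive-side integrity state for TKIP (MIC countermeasures) and CCMP (PN replay).

Added example, not from the HP guide. All timestamps (seconds), client MACs and
packet numbers used to drive it are constructed.
"""
from collections import deque


class TkipCountermeasures:
    """Track Michael MIC failures on one radio and enforce the countermeasure window.

    cm_time mirrors the tkip-cm-time interval: 0 (the default) means no
    countermeasures are taken, so failures are counted but never suspend TKIP.
    """
    FAILURE_WINDOW = 60.0  # IEEE 802.11: two MIC failures within 60 s trigger countermeasures

    def __init__(self, cm_time=0):
        self.cm_time = cm_time
        self.failures = deque()      # timestamps of recent MIC failures
        self.suspended_until = None  # end of the current countermeasure interval

    def tkip_allowed(self, now):
        """True if TKIP associations may be established at time `now`."""
        return self.suspended_until is None or now >= self.suspended_until

    def report_mic_failure(self, now):
        """Record a MIC failure; return True if countermeasures were just triggered."""
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.FAILURE_WINDOW:
            self.failures.popleft()   # forget failures older than the window
        if self.cm_time <= 0 or len(self.failures) < 2:
            return False
        # Second failure inside the window: suspend TKIP for the countermeasure interval.
        self.suspended_until = now + self.cm_time
        self.failures.clear()
        return True


class CcmpReplayCheck:
    """Per-client, per-TID replay counter for the 48-bit CCMP packet number (PN)."""
    PN_MAX = (1 << 48) - 1

    def __init__(self):
        self.last_pn = {}  # (client_mac, tid) -> highest PN accepted so far

    def accept(self, client_mac, tid, pn):
        """Accept a frame only if its PN is strictly greater than the last one accepted."""
        if not 0 <= pn <= self.PN_MAX:
            return False               # not a valid 48-bit PN
        key = (client_mac, tid)
        if pn <= self.last_pn.get(key, -1):
            return False               # replayed or reordered frame: drop it
        self.last_pn[key] = pn
        return True


if __name__ == "__main__":
    cm = TkipCountermeasures(cm_time=60)
    print("first failure triggers:", cm.report_mic_failure(10.0))    # False
    print("second failure triggers:", cm.report_mic_failure(30.0))   # True
    print("TKIP allowed at t=50:", cm.tkip_allowed(50.0))            # False
    rc = CcmpReplayCheck()
    print("PN 5 then PN 5 again:", rc.accept("000c-f08f-0001", 0, 5), rc.accept("000c-f08f-0001", 0, 5))
```

The replay counter is keyed per TID because QoS data frames carry one PN sequence per traffic class; a single counter per client would wrongly drop frames that are merely interleaved across classes.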

Configuring TKIP cipher suite
Message integrity check (MIC) is used to prevent attackers from modifying data. It ensures data security by using the Michael algorithm. When a MIC error occurs, the device considers that the data has been modified and the system is being attacked. Upon detecting the attack, TKIP is suspended during the countermeasure interval and no TKIP associations can be established.
The operating mode cannot be negotiated as 802.11n mode when clients that use the TKIP cipher suite associate with an AP supporting 802.11n.
To configure TKIP cipher suite:
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable the TKIP cipher suite.
   Command: cipher-suite tkip
   Remarks: By default, no cipher suite is selected.
4. Configure the TKIP countermeasure interval.
   Command: tkip-cm-time time
   Remarks: The default countermeasure interval is 0 seconds, which means no countermeasures are taken.

Configuring AES-CCMP cipher suite
1. Enter system view.
   Command: system-view
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable the CCMP cipher suite.
   Command: cipher-suite ccmp
   Remarks: By default, no cipher suite is selected.

Configuring port security
The authentication type configuration includes the following options:
- PSK
- 802.1X
- MAC
- PSK and MAC
This document describes only common port security modes. For more information about other port security modes, see Security Configuration Guide.
Before configuring port security, create the wireless port and enable port security.

Configuring PSK authentication

1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
   Remarks: N/A
3. Enable key negotiation.
   Command: port-security tx-key-type 11key
   Remarks: By default, key negotiation is not enabled.
4. Configure the pre-shared key.
   Command: port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key
   Remarks: By default, no pre-shared key is configured.
5. Enable the PSK port security mode.
   Command: port-security port-mode psk
   Remarks: N/A

Configuring 802.1X authentication
1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
3. Enable the 802.1X port security mode.
   Command: port-security port-mode { userlogin-secure | userlogin-secure-ext }

Configuring MAC address authentication
802.11i does not support MAC address authentication.
To configure MAC address authentication:
1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
3. Enable MAC port security mode.
   Command: port-security port-mode mac-authentication

Configuring PSK and MAC address authentication
For more information about port security configuration commands, see Security Configuration Guide.
To configure PSK and MAC address authentication:
1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
   Remarks: N/A
3. Enable key negotiation.
   Command: port-security tx-key-type 11key
   Remarks: By default, key negotiation is not enabled.
4. Enable the PSK and MAC port security mode.
   Command: port-security port-mode mac-and-psk
   Remarks: N/A

5. Configure the pre-shared key.
   Command: port-security preshared-key { pass-phrase | raw-key } key
   Remarks: The key is a string of 8 to 63 characters, or a 64-digit hex number.

Specifying a key derivation type
A key derivation type takes effect only when the authentication type is PSK or 802.1X.
To specify a key derivation type:
1. Enter system view.
   Command: system-view
2. Create a service template and enter its view.
   Command: wlan service-template service-template-number crypto
   Remarks: You cannot modify the type of a service template that already exists.
3. Specify a key derivation type.
   Command: key-derivation { sha1 | sha1-and-sha256 | sha256 }
   Remarks: By default, the key derivation type is sha1.

Configuring management frame protection
Perform this task to enable an AP to protect management frames, including deauthentication frames, disassociation frames, and some robust action frames. Management frame protection uses the PTK encryption method to ensure privacy, integrity, and replay protection of unicast management frames. For multicast and broadcast management frames, this feature uses the Broadcast Integrity Protocol (BIP) to ensure integrity and replay protection. BIP adds the Management MIC IE (MME) field to the end of the management frames to protect them.
NOTE:
You can configure management frame protection only on a service template whose:
- Authentication type is PSK or 802.1X.
- Cipher suite is AES-CCMP.
- Security IE is RSN.

Configuring management frame protection
1. Enter system view.
   Command: system-view
2. Create a service template and enter its view.
   Command: wlan service-template service-template-number crypto
   Remarks: You cannot modify the type of a service template that already exists.

3. Enable management frame protection.
   Command: pmf { mandatory | optional }
   Remarks: By default, management frame protection is disabled. If you select mandatory, HP recommends that you specify the key derivation type as sha256.

Configuring auto SA Query
If management frame protection is enabled, the AP uses SA Query to secure connections with clients. SA Query includes active SA Query and passive SA Query.
Active SA Query. If the AP receives spoofed association or reassociation requests, this mechanism can prevent the AP from responding to them. As shown in Figure 30, active SA Query operates as follows:
a. The client sends an association or a reassociation request to the AP.
b. Upon receiving the request, the AP sends a response to inform the client that the request is denied and the client can associate later. The response contains an association comeback time specified by the pmf association-comeback command.
c. The AP sends an SA Query request to the client.
   - If the AP receives an SA Query response within the timeout time, it determines that the client is online.
   - If the AP receives no SA Query response within the timeout time, it resends the request. If the AP receives an SA Query response within the retransmission time, it determines that the client is online. If the client is online, the AP does not respond to any association or reassociation request from the client within the association comeback time.
   - If the AP receives no SA Query response within the retransmission time, it determines that the client is offline. The AP allows the client to reassociate.

Figure 30 Active SA Query

Passive SA Query. If a client receives unencrypted disassociation or deauthentication frames with failure code 6 or 7, this mechanism can prevent the client from going offline abnormally. As shown in Figure 31, passive SA Query operates as follows:

a. The client triggers the SA Query mechanism upon receiving an unencrypted disassociation or deauthentication frame.
b. The client sends an SA Query request to the AP.
c. The AP responds with an SA Query response.
d. Because it receives the SA Query response, the client determines that the AP is online and does not go offline.

Figure 31 Passive SA Query

To configure active SA Query:

1. Enter system view.
   Command: system-view
2. Create a service template and enter its view.
   Command: wlan service-template service-template-number crypto
   Remarks: You cannot modify the type of a service template that already exists.
3. Configure the timeout time for SA Query responses.
   Command: pmf saquery timeout value
   Remarks: By default, the timeout time for SA Query responses is 200 milliseconds.
4. Configure the number of times the AP retransmits SA Query requests.
   Command: pmf saquery retry value
   Remarks: By default, the AP retransmits SA Query requests 4 times.
5. Configure the association comeback time.
   Command: pmf association-comeback value
   Remarks: By default, the association comeback time is 1 second.

Displaying and maintaining WLAN security

For more information about related display commands, see Security Command Reference.

Task: Display WLAN service template information.
  Command: display wlan service-template [ service-template-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
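A runnable model of the active SA Query exchange described above (an added illustration, not HP code). The AP-side steps, the three timer names and their defaults follow the page; treating the retry value as the number of resends after the first request, and accepting a request from a MAC with no existing association as a normal association, are assumptions.

```python
"""Model of the active SA Query exchange run by a PMF-enabled AP.

Added illustration, not HP code. Time is a millisecond counter advanced by
the caller, so a test can step through the exchange deterministically.
Assumptions: `retry` counts resends after the first SA Query request, and a
request from a MAC with no existing protected association is accepted as a
normal association rather than queried.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class SaQueryConfig:
    """The three service-template timers, with the defaults given on the page."""
    timeout_ms: int = 200     # pmf saquery timeout
    retry: int = 4            # pmf saquery retry
    comeback_ms: int = 1000   # pmf association-comeback (1 second)


# Called once per SA Query request with the 1-based attempt number; returns True
# if the genuine client answers. Lets a test model a reachable, slow or gone client.
Responder = Callable[[int], bool]


@dataclass
class PmfAccessPoint:
    cfg: SaQueryConfig = field(default_factory=SaQueryConfig)
    associated: Set[str] = field(default_factory=set)
    # MAC -> time (ms) until which (re)association requests are not answered
    comeback_until: Dict[str, int] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)

    def on_association_request(self, mac: str, now_ms: int, responder: Responder) -> str:
        """Return what the AP did: associated, ignored, online or offline."""
        if mac not in self.associated:
            self.associated.add(mac)          # first association; nothing to verify
            return "associated"
        if now_ms < self.comeback_until.get(mac, -1):
            self.trace.append(f"{now_ms}ms: (re)association from {mac} ignored (comeback)")
            return "ignored"
        # Step b: deny, and tell the client when it may try again.
        self.trace.append(f"{now_ms}ms: deny {mac}, comeback {self.cfg.comeback_ms}ms")
        # Step c: SA Query; a genuine client that is still connected answers.
        for n in range(1, self.cfg.retry + 2):
            self.trace.append(f"{now_ms}ms: SA Query request #{n} -> {mac}")
            if responder(n):
                self.trace.append(f"{now_ms}ms: SA Query response, {mac} is online")
                self.comeback_until[mac] = now_ms + self.cfg.comeback_ms
                return "online"
            now_ms += self.cfg.timeout_ms     # no answer within the timeout: resend
        # No answer after all retransmissions: the client is gone, so the
        # association is released and a new association may proceed.
        self.trace.append(f"{now_ms}ms: no SA Query response, {mac} is offline")
        self.associated.discard(mac)
        self.comeback_until.pop(mac, None)
        return "offline"

    def sa_query_requests(self) -> int:
        """Number of SA Query requests sent so far (for inspection)."""
        return sum(1 for t in self.trace if "SA Query request" in t)
```

The trace list records each step so the exchange can be compared against Figure 30.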

Task: Display client information.
  Command: display wlan client { ap ap-name [ radio radio-number ] | mac-address mac-address | service-template service-template-number } [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display MAC address authentication information.
  Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the MAC address information of port security.
  Command: display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the PSK user information of port security.
  Command: display port-security preshared-key user [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the configuration information, running state, and statistics of port security.
  Command: display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display 802.1X session information or statistics.
  Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

WLAN security configuration examples

The configuration examples were created on the 11900/10500/ G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/ G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/ G Unified Wired-WLAN Module Basic Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch and an 870 appliance are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.

PSK authentication configuration example

Network requirements

As shown in Figure 32, an AC is connected to an AP through a Layer 2 switch, and they are in the same network. Perform PSK authentication with key on the client.

Figure 32 Network diagram

Configuration procedure

1. Configure the AC:

# Configure port security.
<AC> system-view
[AC] port-security enable
# Configure WLAN port security: set the authentication mode to PSK and the pre-shared key as
[AC] interface wlan-ess 10
[AC-WLAN-ESS10] port-security port-mode psk
[AC-WLAN-ESS10] port-security preshared-key pass-phrase
[AC-WLAN-ESS10] port-security tx-key-type 11key
[AC-WLAN-ESS10] quit
# Create service template 10 of crypto type, configure its SSID as psktest, and bind WLAN-ESS 10 to service template 10.
[AC] wlan service-template 10 crypto
[AC-wlan-st-10] ssid psktest
[AC-wlan-st-10] bind WLAN-ESS 10
[AC-wlan-st-10] security-ie rsn
[AC-wlan-st-10] cipher-suite ccmp
[AC-wlan-st-10] authentication-method open-system
[AC-wlan-st-10] service-template enable
[AC-wlan-st-10] quit
# Create an AP template named ap1 with model MSM460-WW.
[AC] wlan ap ap1 model MSM460-WW
# Configure the serial ID of AP 1 as CN2AD330S8.
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 10 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 10
[AC-wlan-ap-ap1-radio-1] radio enable

2. Verify the configuration:

Configure the same PSK on the client. The client can then associate with the AP and access the WLAN. Use the display wlan client verbose command and the display port-security preshared-key user command to view the online clients.

MAC and PSK authentication configuration example

Network requirements

Perform MAC and PSK authentication on the client.

Figure 33 Network diagram

Configuring the AC

# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure WLAN port security to use MAC-and-PSK authentication.
[AC] interface wlan-ess 2
[AC-WLAN-ESS2] port-security port-mode mac-and-psk
[AC-WLAN-ESS2] port-security tx-key-type 11key
[AC-WLAN-ESS2] port-security preshared-key pass-phrase
[AC-WLAN-ESS2] quit
# Create service template 2 of crypto type, configure its SSID as mactest, and bind WLAN-ESS 2 to service template 2.
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid mactest
[AC-wlan-st-2] bind wlan-ess 2
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] cipher-suite ccmp
[AC-wlan-st-2] security-ie rsn
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create an AP template named ap1 with model MSM460-WW.
[AC] wlan ap ap1 model MSM460-WW
# Configure the serial ID of AP 1 as CN2AD330S8.
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 2 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 2

[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain cams to reference RADIUS scheme rad.
[AC] domain cams
[AC-isp-cams] authentication lan-access radius-scheme rad
[AC-isp-cams] authorization lan-access radius-scheme rad
[AC-isp-cams] accounting lan-access radius-scheme rad
[AC-isp-cams] quit
# Configure the MAC address authentication domain to reference AAA domain cams.
[AC] mac-authentication domain cams
# Configure the MAC address authentication user name format: use the MAC address without hyphens as both username and password (consistent with the format on the server).
[AC] mac-authentication user-name-format mac-address without-hyphen

Configuring the RADIUS server

This section uses IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).

1. Add the AC to the IMC Platform as an access device:
   a. Log in to IMC, click the Service tab, and then select User Access Manager > Access Device Management > Access Device from the navigation tree. The Access Device page appears.
   b. Click Add. The Add Access Device page appears, as shown in Figure 34.
   c. In the Access Configuration area, enter as the Shared Key, select HP(General) from the Access Device Type list, keep the default values for other parameters, and select or manually add the access device with the IP address
   d. Click OK.

Figure 34 Adding an access device

2. Add a service:
   a. Click the Service tab, and then select User Access Manager > Service Configuration from the navigation tree. The Service Configuration page appears.
   b. Click Add. The Add Service Configuration page appears, as shown in Figure 35.
   c. Set the service name to mac, keep the default values for other parameters, and click OK.

Figure 35 Adding a service

3. Add an account:
   a. Click the User tab, and then select Access User View > All Access Users from the navigation tree. The All Access User page appears.
   b. Click Add. The Add Access User page appears, as shown in Figure 36.
   c. In the Access Information area, enter username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click OK.

Figure 36 Adding an access user account

Verifying the configuration

After the client passes MAC address authentication, it can associate with the AP and access the WLAN. Use the display wlan client verbose command, the display connection command, and the display mac-authentication command to view the online clients.

802.1X authentication configuration example

Network requirements

As shown in Figure 37, perform 802.1X authentication on the client.

Figure 37 Network diagram

Configuring the AC

# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure the 802.1X authentication method as EAP.
[AC] dot1x authentication-method eap
# Create RADIUS scheme rad, and specify the extended RADIUS server type.

[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain cams to reference RADIUS scheme rad.
[AC] domain cams
[AC-isp-cams] authentication lan-access radius-scheme rad
[AC-isp-cams] authorization lan-access radius-scheme rad
[AC-isp-cams] accounting lan-access radius-scheme rad
[AC-isp-cams] quit
# Specify a mandatory 802.1X authentication domain on interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain cams
# Set the port mode of WLAN-ESS 1 to userlogin-secure-ext, and enable key negotiation.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as dot1x, and configure the TKIP and CCMP cipher suites.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite tkip
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] security-ie wpa
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model MSM460-WW.
[AC] wlan ap ap1 model MSM460-WW
# Configure the serial ID of AP 1 as CN2AD330S8.
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1

[AC-wlan-ap-ap1-radio-1] radio enable

Configuring the RADIUS server

This section uses IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).

1. Add the AC to the IMC Platform as an access device:
   a. Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree. The Access Device page appears.
   b. Click Add. The Add Access Device page appears, as shown in Figure 38.
   c. In the Access Configuration area, enter as the Shared Key, select HP(General) from the Access Device Type list, keep the default values for other parameters, and select or manually add the access device with the IP address
   d. Click OK.

Figure 38 Adding an access device

2. Add a service:
   a. Click the Service tab and select User Access Manager > Service Configuration from the navigation tree. The Service Configuration page appears.
   b. Click Add. The Add Service Configuration page appears, as shown in Figure 39.
   c. Set the Service Name to dot1x, the Certificate Type to EAP-PEAP AuthN, and the Certificate Sub-Type to MS-CHAPV2 AuthN, and click OK.

Figure 39 Adding a service

3. Add an account:
   a. Click the User tab, and select Access User View > All Access Users from the navigation tree. The All Access User page appears.
   b. Click Add. The Add Access User page appears, as shown in Figure 40.
   c. In the Access Information area, enter username user, set the account name to user and the password to dot1x, select the service dot1x, and click OK.

Figure 40 Adding an access user account

Verifying the configuration

1. The client can pass 802.1X authentication and associate with the AP.
2. Use the display wlan client verbose command, the display connection command, and the display dot1x command to view the online clients.

Dynamic WEP encryption with 802.1X authentication configuration example

Network requirements

As shown in Figure 41, perform dynamic WEP encryption.

Figure 41 Network diagram

Configuration procedure

1. Configure the AC:

# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure the 802.1X authentication method as EAP.
[AC] dot1x authentication-method eap
# Create RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication and accounting servers as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain bbb to reference RADIUS scheme rad.
[AC] domain bbb
[AC-isp-bbb] authentication lan-access radius-scheme rad
[AC-isp-bbb] authorization lan-access radius-scheme rad
[AC-isp-bbb] accounting lan-access radius-scheme rad
[AC-isp-bbb] quit
# Specify a mandatory 802.1X authentication domain on interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1

[AC-WLAN-ESS1] dot1x mandatory-domain bbb
# Set the port mode of WLAN-ESS 1 to userlogin-secure-ext.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as dot1x, and configure dynamic WEP encryption.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] wep mode dynamic
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model MSM460-WW.
[AC] wlan ap ap1 model MSM460-WW
# Configure the serial ID as CN2AD330S8.
[AC-wlan-ap-ap1] serial-id CN2AD330S8
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

2. Configure the RADIUS server:
   See "Configuring the RADIUS server."

3. Configure the wireless card (Windows XP):
   a. Double-click the wireless network icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears.
   b. Click the Properties button on the General tab. The Wireless Network Connection Properties window appears.
   c. On the Wireless Networks tab, select the wireless network with the SSID dot1x.

Verifying the configuration

After you enter the username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN. Use the display wlan client verbose command, the display connection command, and the display dot1x command to view online client information.

Supported combinations for ciphers

This section introduces the combinations that can be used during cipher suite configuration.

RSN

For RSN, the WLAN-WSEC module supports only CCMP and TKIP as pairwise ciphers. The WEP cipher suites are used only as group cipher suites. The following table lists the cipher suite combinations that WLAN-WSEC supports for RSN (WEP40, WEP104, and WEP128 are mutually exclusive).

Unicast cipher   Broadcast cipher   Authentication method   Security type
CCMP             WEP40              PSK                     RSN
CCMP             WEP104             PSK                     RSN
CCMP             WEP128             PSK                     RSN
CCMP             TKIP               PSK                     RSN
CCMP             CCMP               PSK                     RSN
TKIP             WEP40              PSK                     RSN
TKIP             WEP104             PSK                     RSN
TKIP             WEP128             PSK                     RSN
TKIP             TKIP               PSK                     RSN
CCMP             WEP40              802.1X                  RSN
CCMP             WEP104             802.1X                  RSN
CCMP             WEP128             802.1X                  RSN
CCMP             TKIP               802.1X                  RSN
CCMP             CCMP               802.1X                  RSN
TKIP             WEP40              802.1X                  RSN
TKIP             WEP104             802.1X                  RSN
TKIP             WEP128             802.1X                  RSN
TKIP             TKIP               802.1X                  RSN

WPA

For WPA, the WLAN-WSEC module supports CCMP and TKIP as pairwise ciphers. The WEP cipher suites are used only as group cipher suites. The following table lists the cipher suite combinations that WLAN-WSEC supports for WPA (WEP40, WEP104, and WEP128 are mutually exclusive).

Unicast cipher   Broadcast cipher   Authentication method   Security type
CCMP             WEP40              PSK                     WPA
CCMP             WEP104             PSK                     WPA
CCMP             WEP128             PSK                     WPA
CCMP             TKIP               PSK                     WPA
CCMP             CCMP               PSK                     WPA
TKIP             WEP40              PSK                     WPA
TKIP             WEP104             PSK                     WPA
TKIP             WEP128             PSK                     WPA

Unicast cipher   Broadcast cipher   Authentication method   Security type
TKIP             TKIP               PSK                     WPA
CCMP             WEP40              802.1X                  WPA
CCMP             WEP104             802.1X                  WPA
CCMP             WEP128             802.1X                  WPA
CCMP             TKIP               802.1X                  WPA
CCMP             CCMP               802.1X                  WPA
TKIP             WEP40              802.1X                  WPA
TKIP             WEP104             802.1X                  WPA
TKIP             WEP128             802.1X                  WPA
TKIP             TKIP               802.1X                  WPA

Pre-RSN

For pre-RSN stations, the WLAN-WSEC module supports only WEP cipher suites (WEP40, WEP104, and WEP128 are mutually exclusive).

Unicast cipher   Broadcast cipher   Authentication method   Security type
WEP40            WEP40              Open system             No security type
WEP104           WEP104             Open system             No security type
WEP128           WEP128             Open system             No security type
WEP40            WEP40              Shared key              No security type
WEP104           WEP104             Shared key              No security type
WEP128           WEP128             Shared key              No security type
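A review script for WLAN-ESS and service-template settings written in the CLI form used by the configuration examples above (an added illustration, not HP code). It applies the pre-shared key rule and the management frame protection prerequisites stated earlier in this chapter to a constructed configuration; the prompt format, command keywords and port modes are taken from the page, and reading "cipher suite is AES-CCMP" as CCMP alone (no TKIP alongside) is an assumption.

```python
"""Offline review of WLAN security settings in this guide's CLI form.
Added illustration, not HP code: prompt and command formats follow the page's
examples, SAMPLE_CLI is constructed, and the checks are the rules the page
states (PSK format, PMF prerequisites, sha256 with pmf mandatory)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PROMPT = re.compile(r"^\[[^\]\-]+(?:-(?P<ctx>[^\]]+))?\]\s*(?P<cmd>.*)$")
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
PSK_MODES = {"psk", "mac-and-psk"}       # PSK port modes from the page's examples
DOT1X_MODES = {"userlogin-secure-ext"}   # 802.1X port mode from the page's examples

@dataclass
class EssPort:
    number: str
    port_mode: str = ""
    psk: str = ""

@dataclass
class ServiceTemplate:
    number: str
    bound_ess: str = ""
    security_ie: Set[str] = field(default_factory=set)
    cipher_suites: Set[str] = field(default_factory=set)
    pmf: str = ""                  # "", "optional" or "mandatory"
    key_derivation: str = "sha1"   # page default

def parse(cli: str) -> Tuple[Dict[str, EssPort], Dict[str, ServiceTemplate]]:
    """Collect WLAN-ESS and service-template settings from prompt-prefixed lines."""
    ess: Dict[str, EssPort] = {}
    templates: Dict[str, ServiceTemplate] = {}
    for raw in cli.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue                           # "#" comments, <AC> prompt, blank lines
        ctx, w = m.group("ctx") or "", m.group("cmd").split()
        kw = [x.lower() for x in w]            # keywords compared case-insensitively
        e = re.fullmatch(r"wlan-ess(\d+)", ctx, re.I)
        s = re.fullmatch(r"wlan-st-(\d+)", ctx, re.I)
        if e and kw[:1] == ["port-security"] and len(kw) > 2:
            port = ess.setdefault(e.group(1), EssPort(e.group(1)))
            if kw[1] == "port-mode":
                port.port_mode = kw[2]
            elif kw[1] == "preshared-key" and len(w) > 3:
                port.psk = w[3]                # key follows pass-phrase | raw-key
        elif s and len(kw) > 1:
            st = templates.setdefault(s.group(1), ServiceTemplate(s.group(1)))
            if kw[0] == "bind" and len(kw) > 2:
                st.bound_ess = kw[2]           # "bind WLAN-ESS 10" -> "10"
            elif kw[0] == "security-ie":
                st.security_ie.add(kw[1])
            elif kw[0] == "cipher-suite":
                st.cipher_suites.add(kw[1])
            elif kw[0] == "pmf":
                st.pmf = kw[1]
            elif kw[0] == "key-derivation":
                st.key_derivation = kw[1]
    return ess, templates

def valid_psk(key: str) -> bool:
    """Page rule: a string of 8 to 63 characters, or a 64-digit hex number."""
    return bool(HEX64.match(key)) or 8 <= len(key) <= 63

def review(ess: Dict[str, EssPort], templates: Dict[str, ServiceTemplate]) -> List[Tuple[str, str]]:
    """Return (object, finding) pairs; an empty list means nothing to report."""
    out: List[Tuple[str, str]] = []
    for p in ess.values():
        if p.port_mode in PSK_MODES and not valid_psk(p.psk):
            out.append((f"wlan-ess {p.number}", "psk-format"))
    for st in templates.values():
        name, port = f"service-template {st.number}", ess.get(st.bound_ess)
        if not st.pmf:
            continue
        # PMF prerequisites from the page: PSK or 802.1X, AES-CCMP, RSN security IE.
        if (port.port_mode if port else "") not in PSK_MODES | DOT1X_MODES:
            out.append((name, "pmf-auth"))
        if st.cipher_suites != {"ccmp"}:       # assumed: CCMP only, no TKIP alongside
            out.append((name, "pmf-cipher"))
        if "rsn" not in st.security_ie:
            out.append((name, "pmf-ie"))
        if st.pmf == "mandatory" and st.key_derivation != "sha256":
            out.append((name, "pmf-kdf"))      # HP recommends sha256 with pmf mandatory
    return out

# Constructed sample in the page's CLI style; the keys are placeholders.
SAMPLE_CLI = """\
[AC-WLAN-ESS10] port-security port-mode psk
[AC-WLAN-ESS10] port-security preshared-key pass-phrase constructed-psk-passphrase
[AC-wlan-st-10] bind WLAN-ESS 10
[AC-wlan-st-10] security-ie rsn
[AC-wlan-st-10] cipher-suite ccmp
[AC-wlan-st-10] key-derivation sha256
[AC-wlan-st-10] pmf mandatory
[AC-WLAN-ESS11] port-security port-mode psk
[AC-WLAN-ESS11] port-security preshared-key pass-phrase short
[AC-wlan-st-11] bind WLAN-ESS 11
[AC-wlan-st-11] security-ie wpa
[AC-wlan-st-11] cipher-suite tkip
[AC-wlan-st-11] cipher-suite ccmp
[AC-wlan-st-11] pmf mandatory
"""
```

Running review(*parse(SAMPLE_CLI)) reports nothing for template 10 and four findings for template 11 and its WLAN-ESS interface.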

Configuring IACTP tunnel and WLAN roaming

Support for this feature depends on the device model.

IACTP tunnel

The Inter AC Tunneling Protocol (IACTP) provides a generic packet encapsulation and transport mechanism for ACs to communicate with each other securely. IACTP provides a control tunnel to exchange control messages and a data tunnel to transmit data packets between ACs. IACTP supports both IPv4 and IPv6. WLAN roaming, AC backup, and AC-BAS collaboration all rely on IACTP for inter-AC communication.

WLAN roaming overview

WLAN roaming enables clients to roam between ACs in a mobility group or within an AC. ACs in a mobility group communicate with each other through IACTP tunnels. When a client that supports fast roaming associates with one of the ACs in a mobility group for the first time, that AC (called the HA) performs 802.1X authentication and 11 key exchange for the client, and the client information is synchronized across the ACs in the mobility group. When the client roams to another AC in the mobility group (called the FA), the FA uses the stored client information to authenticate the client quickly: it skips 802.1X authentication, performs only the key exchange, and associates with the client.

Terminology

HA: The AC to which a wireless client is connected when it associates with an AP for the first time.
FA: An AC other than the HA to which a client is currently connected.
Fast-roam client: A wireless client that associates with an AC in the mobility group and supports fast roaming (only key caching is supported).
Roam-out client: A wireless client that has associated with an AC other than its HA is a roam-out client at its HA.
Roam-in client: A wireless client that has associated with an AC other than its HA is a roam-in client at the FA.
Intra-AC roaming: A procedure in which a wireless client roams from one AP to another AP, where both APs are connected to the same AC.
Inter-AC roaming: A procedure in which a wireless client roams from one AP to another AP, where the APs are connected to different ACs.
Inter-AC fast roaming capability: A client that uses 802.1X (RSN) authentication through negotiation and supports key caching has inter-AC fast roaming capability.

WLAN roaming topologies

WLAN roaming topologies consist of:
- Intra-AC roaming topology
- Inter-AC roaming topology
- Intra-FA roaming topology
- Inter-FA roaming topology
- Roam-back topology

Intra-AC roaming

Figure 42 Intra-AC roaming

1. A client is associated with AP 1, which is connected to an AC.
2. The client disassociates from AP 1 and roams to AP 2, which is connected to the same AC.
3. The client associates with AP 2 through intra-AC roam association.

Inter-AC roaming

Figure 43 Inter-AC roaming

1. A client is associated with AP 1, which is connected to AC 1.
2. The client disassociates from AP 1 and roams to AP 2, which is connected to AC 2.
3. The client associates with AP 2 through inter-AC roam association. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 through an IACTP tunnel.

Intra-FA roaming

Figure 44 Intra-FA roaming

1. A client associates with AP 1.
2. The client disassociates from AP 1 and roams to AP 2, which is connected to AC 2. AC 2 is now the FA for the client.

3. The client associates with AP 2 through inter-AC roam association. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 through an IACTP tunnel.
4. The client then disassociates from AP 2 and roams to AP 3, which is also connected to AC 2. The client associates with AP 3 through intra-FA roam association.

Inter-FA roaming

Figure 45 Inter-FA roaming

1. A client is associated with AP 1, which is connected to AC 1.
2. The client disassociates from AP 1 and roams to AP 2, which is connected to AC 2. AC 2 is now the FA for the client.
3. The client associates with AP 2 through inter-AC roam association.
4. The client then disassociates from AP 2 and roams to AP 3, which is connected to AC 3. AC 3 is now its FA. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 and AC 3 through IACTP tunnels.

Roam-back

Figure 46 Roam-back

1. A client is associated with AP 1, which is connected to AC 1.
2. The client disassociates from AP 1 and roams to AP 3, which is connected to AC 2. AC 2 is now the FA for the client.
3. The client associates with AP 3 through inter-AC roam association. Before inter-AC roaming, AC 1 must synchronize the client information with AC 2 through an IACTP tunnel.
4. The client then disassociates from AP 3 and roams back to AP 2 or AP 1, both of which are connected to AC 1, its HA.

Configuring a mobility group

1. Enter system view.
   Command: system-view
2. Create a mobility group and enter mobility group view.
   Command: wlan mobility-group name
   Remarks: ACs in the same mobility group must have the same group name.
3. Specify the IACTP tunnel protocol type.
   Command: mobility-tunnel { iactp | iactp6 }
   Remarks: By default, the IACTP tunnel protocol type is IPv4.
4. Specify the tunnel source IP address.
   Command: source { ip ipv4-address | ipv6 ipv6-address }
   Remarks: By default, no source IP address is configured.
5. Add a group member.
   Command: member { ip ipv4-address | ipv6 ipv6-address } [ vlan vlan-id-list ]
   Remarks: By default, no ACs exist in a mobility group.
6. Specify an IACTP control message integrity authentication mode.
   Command: authentication-mode authentication-method [ cipher | simple ] authentication-key
   Remarks: By default, IACTP control message integrity authentication is disabled.

7. Enable the IACTP service for the group.
   Command: mobility-group enable
   Remarks: By default, the IACTP service is disabled.

ACs in a mobility group must have the same user profile configurations. For more information about user profiles, see Security Configuration Guide.

Isolating tunnels in a mobility group

This feature ensures that tunnels in a mobility group do not forward packets to each other.

To isolate tunnels in a mobility group:

1. Enter system view.
   Command: system-view
2. Isolate tunnels in a mobility group.
   Command: wlan mobility-group-isolation enable
   Remarks: By default, tunnel isolation in a mobility group is enabled.

Enabling WLAN roaming

To enable clients to roam between ACs, configure a mobility group and then enable WLAN roaming on the ACs.

To enable WLAN roaming:

1. Enter system view.
   Command: system-view
2. Enter mobility group view.
   Command: wlan mobility-group name
   Remarks: N/A
3. Enable WLAN roaming.
   Command: roam enable
   Remarks: By default, WLAN roaming is enabled. Before you enable or disable WLAN roaming, make sure the mobility group is disabled.

Displaying and maintaining WLAN roaming

Task: Display mobility group information.
  Command: display wlan mobility-group [ member { ip IPv4-address | ipv6 IPv6-address } ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display the roam-track information of a client on the HA.
  Command: display wlan client roam-track mac-address mac-address [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display WLAN client roaming information.
  Command: display wlan client { roam-in | roam-out } [ member { ip IPv4-address | ipv6 IPv6-address } ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

WLAN roaming configuration examples

The configuration examples were created on the 11900/10500/ G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/ G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/ G Unified Wired-WLAN Module Basic Configuration Guide.

By default, the aggregate interfaces between the access controller engine and the switching engine on an 830 switch and an 870 appliance are Access interfaces in VLAN 1. When configuring the two aggregate interfaces, make sure their permitted VLANs are the same. HP also recommends that you set their link type to be the same.

Intra-AC roaming configuration example

Network requirements

As shown in Figure 47, an AC has two APs associated, and all of them are in VLAN 1. A client is associated with AP 1. Configure intra-AC roaming so that the client can associate with AP 2 when roaming to AP 2.

Figure 47 Network diagram (AC and RADIUS server connected through an L2 switch; AP 1 and AP 2 in VLAN 1; roaming client)

Configuration procedure

For wireless service configuration, see "Configuring WLAN access." A client has inter-AC fast roaming capability only if it uses 802.1X (RSN) authentication. If you select an authentication mode that involves remote authentication, configure the corresponding RADIUS server. For more information, see "Configuring WLAN security."

1. Configure the AC:

# Set the port security mode of WLAN-ESS 1 to userlogin-secure-ext, and enable key negotiation on the port.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as intra-roam, and bind WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid intra-roam
[AC-wlan-st-1] bind wlan-ess 1
# Enable open system authentication and the CCMP cipher suite.
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] quit
# Enable port security.
[AC] port-security enable

# Configure the 802.1X authentication method as EAP.
[AC] dot1x authentication-method eap
# Create RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
# Configure the source IP address of RADIUS packets sent by the AC as
[AC-radius-rad] nas-ip
[AC-radius-rad] quit
# Create ISP domain cams and configure it to use RADIUS scheme rad for authentication, authorization, and accounting of all types of users.
[AC] domain cams
[AC-isp-cams] authentication default radius-scheme rad
[AC-isp-cams] authorization default radius-scheme rad
[AC-isp-cams] accounting default radius-scheme rad
[AC-isp-cams] quit
# Configure mandatory authentication domain cams for 802.1X users on WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain cams
[AC-WLAN-ESS1] quit
# Create an AP template named ap1.
[AC] wlan ap ap1 model MSM460-WW
[AC-wlan-ap-ap1] serial-id CN2AD330S8
[AC-wlan-ap-ap1] radio 1 type dot11an
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Enable service template 1.
[AC] wlan service-template 1
[AC-wlan-st-1] service-template enable
[AC-w lan-st-1] quit
# Create an AP template named ap2 with model MSM460-WW.
[AC] wlan ap ap2 model MSM460-WW
# Configure the serial ID of AP 2 as CN2AD330S9.
[AC-wlan-ap-ap2] serial-id CN2AD330S9
[AC-wlan-ap-ap2] radio 1 type dot11an
# Bind service template 1 to radio 1 of AP 2. (Intra-AC roaming requires the APs to use the same SSID, so radio 1 of AP 2 must also be bound to service template 1.)

[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return

2. Verify the configuration:

After the client roams to AP 2, use the display wlan client verbose command to display detailed client information. The AP name and BSSID fields should have changed to those of AP 2. You can also use the display wlan client roam-track mac-address command to view the client's roaming track.

Inter-AC roaming configuration example

Network requirements

As shown in Figure 48, configure inter-AC roaming so that the client can associate with AP 2 when roaming to it.

Figure 48 Network diagram

Configuration procedure

For wireless service configuration, see "Configuring WLAN access." A client has inter-AC fast roaming capability only if it uses 802.1X (RSN) authentication through negotiation. If you select an authentication mode that involves remote authentication, configure the corresponding RADIUS server. For more information, see "Configuring WLAN security."

1. Configure AC 1:

# Set the port security mode of WLAN-ESS 1 to userlogin-secure-ext, and enable key negotiation on the port.
<AC1> system-view
[AC1] interface wlan-ess 1

[AC1-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC1-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC1-WLAN-ESS1] undo dot1x multicast-trigger
[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as inter-roam, and bind WLAN-ESS 1 to the service template.
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid inter-roam
[AC1-wlan-st-1] bind wlan-ess 1
# Enable open system authentication and the CCMP cipher suite.
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] security-ie rsn
[AC1-wlan-st-1] quit
# Enable port security.
[AC1] port-security enable
# Configure the 802.1X authentication method as EAP.
[AC1] dot1x authentication-method eap
# Create RADIUS scheme rad, and specify the extended RADIUS server type.
[AC1] radius scheme rad
[AC1-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC1-radius-rad] primary authentication
[AC1-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC1-radius-rad] key authentication
[AC1-radius-rad] key accounting
# Configure the source IP address of RADIUS packets sent by the AC as
[AC1-radius-rad] nas-ip
[AC1-radius-rad] quit
# Configure ISP domain cams to use RADIUS scheme rad for authentication, authorization, and accounting of all types of users.
[AC1] domain cams
[AC1-isp-cams] authentication default radius-scheme rad
[AC1-isp-cams] authorization default radius-scheme rad
[AC1-isp-cams] accounting default radius-scheme rad
[AC1-isp-cams] quit
# Configure mandatory authentication domain cams for 802.1X users on WLAN-ESS 1.
[AC1] interface WLAN-ESS 1
[AC1-WLAN-ESS1] dot1x mandatory-domain cams
[AC1-WLAN-ESS1] quit
# Create an AP template named ap1 with model MSM460-WW.
[AC1] wlan ap ap1 model MSM460-WW

124 # Configure the serial ID of AP 1 as CN2AD330S8. [AC1-wlan-ap-ap1] serial-id CN2AD330S8 [AC1-wlan-ap-ap1] radio 1 type dot11an # Bind service template inter-roam to radio 1. [AC1-wlan-ap-ap1-radio-1] service-template 1 [AC1-wlan-ap-ap1-radio-1] radio enable [AC1-wlan-ap-ap1-radio-1] quit [AC1-wlan-ap-ap1] quit # Enable service template 1. [AC1] wlan service-template 1 [AC1-wlan-st-1] service-template enable [AC1-wlan-st-1] quit # Create mobility group roam, specify the tunnel source IP as , and specify the IP address for AC 2. [AC1] wlan mobility-group roam [AC1-wlan-mg-roam] source ip [AC1-wlan-mg-roam] member ip [AC1-wlan-mg-roam] mobility-group enable # Enable WLAN roaming (by default, WLAN roaming is enabled, so this step is optional.). [AC1-wlan-mg-roam] roam enable # Enable mobility group. [AC1-wlan-mg-roam] mobility-group enable 2. Configure AC 2: # Set the port security mode for WLAN-ESS1 to userlogin-secure-ext, and enable the key negotiation function on the port. <AC2> system-view [AC2] interface wlan-ess 1 [AC2-WLAN-ESS1] port-security port-mode userlogin-secure-ext [AC2-WLAN-ESS1] port-security tx-key-type 11key # Disable the multicast trigger function and the online user handshake function. [AC2-WLAN-ESS1] undo dot1x multicast-trigger [AC2-WLAN-ESS1] undo dot1x handshake [AC2-WLAN-ESS1] quit # Create service template 1 of crypto type, configure its SSID as inter-roam, and bind WLAN-ESS1 to intra-roam. [AC2] wlan service-template 1 crypto [AC2-wlan-st-1] ssid inter-roam [AC2-wlan-st-1] bind wlan-ess 1 # Enable open system authentication and enable the CCMP cipher suite. [AC2-wlan-st-1] authentication-method open-system [AC2-wlan-st-1] cipher-suite ccmp [AC2-wlan-st-1] security-ie rsn [AC2-wlan-st-1] quit # Enable port security. [AC2] port-security enable # Configure the 802.1X authentication method as EAP. 114

125 [AC2] dot1x authentication-method eap # Create a RADIUS scheme rad, and specify the extended RADIUS server type. [AC2] radius scheme rad [AC2-radius-rad] server-type extended # Configure the IP addresses of the primary authentication server and accounting server as [AC2-radius-rad] primary authentication [AC2-radius-rad] primary accounting # Configure the shared key for RADIUS authentication/accounting packets as [AC2-radius-rad] key authentication [AC2-radius-rad] key accounting # Configure the source IP address for the AC to send RADIUS packets as [AC2-radius-rad] nas-ip [AC2-radius-rad] quit # Configure AAA domain cams by referencing RADIUS scheme rad. [AC2] domain cams [AC2-isp-cams] authentication default radius-scheme rad [AC2-isp-cams] authorization default radius-scheme rad [AC2-isp-cams] accounting default radius-scheme rad [AC2-isp-cams] quit # Configure the 802.1X authentication domain by referencing AAA domain cams. [AC2] interface WLAN-ESS 1 [AC2-WLAN-ESS1] dot1x mandatory-domain cams [AC2-WLAN-ESS1] quit # Create an AP template named ap2 and its model is MSM460-WW. [AC2] wlan ap ap2 model MSM460-WW # Configure the serial ID of AP 2 as CN2AD330S9. [AC2-wlan-ap-ap2] serial-id CN2AD330S9 [AC2-wlan-ap-ap2] radio 1 type dot11an # Bind service template inter-roam to radio 1 of AP 2. (Inter-AC roaming requires consistent SSIDs of APs. Therefore, radio 1 of AP 2 must be bound to service template inter-roam.) [AC2-wlan-ap-ap2-radio-1] service-template 1 [AC2-wlan-ap-ap2-radio-1] radio enable [AC2-wlan-ap-ap2-radio-1] quit [AC2-wlan-ap-ap2] quit # Enable service template 1. [AC2] wlan service-template 1 [AC2-wlan-st-1] service-template enable [AC2-wlan-st-1] quit # Create mobility group roam, specify the tunnel source IP as , and specify the IP address for AC 2. 
[AC2] wlan mobility-group roam [AC2-wlan-mg-roam] source ip [AC2-wlan-mg-roam] member ip [AC2-wlan-mg-roam] mobility-group enable # Enable WLAN roaming (by default, WLAN roaming is enabled, so this step is optional.). 115

126 [AC2-wlan-mg-roam] roam enable # Enable mobility group. [AC2-wlan-mg-roam] mobility-group enable 3. Verify the configuration: You can use the display wlan client roam-out command on AC 1 to display roamed out client information, and use the display wlan client roam-in command on AC 2 to display roamed in client information. You can also use the display wlan client roam-track mac-address command to view client roaming track information on AC
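The procedure above relies on both ACs carrying the same service-template settings (SSID, cipher suite, RSN security IE) and on port security in userlogin-secure-ext mode, because only 802.1X (RSN) clients get inter-AC fast roaming. The following added example, which is not part of the guide and not HP code, is a small pre-change check that parses two running-configuration excerpts in Comware display style and reports any setting that would break inter-AC roaming. The configuration text is constructed from the steps above; the IP addresses in it are documentation placeholders, and the block layout (top-level command, indented sub-commands, "#" separators) is an assumption about how the configuration is displayed.

```python
"""Consistency check for an inter-AC roaming pair (added example, not HP code)."""
from typing import Dict, List, Optional

# Constructed sample modelled on the AC 1 steps in the guide; IPs are placeholders.
AC1_CONFIG = """\
#
port-security enable
#
dot1x authentication-method eap
#
interface WLAN-ESS1
 port-security port-mode userlogin-secure-ext
 port-security tx-key-type 11key
 undo dot1x multicast-trigger
 undo dot1x handshake
 dot1x mandatory-domain cams
#
wlan service-template 1 crypto
 ssid inter-roam
 bind WLAN-ESS 1
 authentication-method open-system
 cipher-suite ccmp
 security-ie rsn
 service-template enable
#
wlan mobility-group roam
 source ip 192.0.2.1
 member ip 192.0.2.2
 roam enable
 mobility-group enable
#
"""
# AC 2 mirrors AC 1 with the tunnel endpoints swapped.
AC2_CONFIG = (AC1_CONFIG.replace("source ip 192.0.2.1", "source ip 192.0.2.2")
                        .replace("member ip 192.0.2.2", "member ip 192.0.2.1"))
# A drifted AC 2 whose template was changed to WPA: clients would still associate,
# but would no longer negotiate RSN and so lose inter-AC fast roaming.
AC2_DRIFTED = AC2_CONFIG.replace("security-ie rsn", "security-ie wpa")


def parse_config(text: str) -> Dict[str, List[str]]:
    """Map each top-level command to its indented sub-commands ('#' ends a block)."""
    blocks: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = "global"
            continue
        if raw[0].isspace():
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks


def find_block(blocks: Dict[str, List[str]], prefix: str) -> Optional[List[str]]:
    """Sub-commands of the first block whose header starts with prefix."""
    for header, body in blocks.items():
        if header.lower().startswith(prefix.lower()):
            return body
    return None


def template_settings(blocks: Dict[str, List[str]], index: int = 1) -> Dict[str, str]:
    """Settings of 'wlan service-template <index>' as a keyword -> value dict."""
    body = find_block(blocks, f"wlan service-template {index}") or []
    return {k: v for k, _, v in (line.partition(" ") for line in body)}


def check_ac(name: str, blocks: Dict[str, List[str]]) -> List[str]:
    """Per-AC prerequisites for 802.1X (RSN) inter-AC roaming, from the guide."""
    findings: List[str] = []
    if "port-security enable" not in blocks:
        findings.append(f"{name}: port-security is not enabled")
    ess = find_block(blocks, "interface WLAN-ESS")
    if ess is None or "port-security port-mode userlogin-secure-ext" not in ess:
        findings.append(f"{name}: WLAN-ESS port mode is not userlogin-secure-ext")
    st = template_settings(blocks)
    if st.get("security-ie") != "rsn":
        findings.append(f"{name}: service template 1 security-ie is "
                        f"{st.get('security-ie')}, fast roaming needs rsn")
    if st.get("service-template") != "enable":
        findings.append(f"{name}: service template 1 is not enabled")
    mg = find_block(blocks, "wlan mobility-group")
    if mg is None or "mobility-group enable" not in mg:
        findings.append(f"{name}: mobility group is not enabled")
    return findings


def check_roaming_pair(ac1_text: str, ac2_text: str) -> List[str]:
    """All findings for the pair; an empty list means the ACs are consistent."""
    b1, b2 = parse_config(ac1_text), parse_config(ac2_text)
    findings = check_ac("AC1", b1) + check_ac("AC2", b2)
    s1, s2 = template_settings(b1), template_settings(b2)
    for key in ("ssid", "cipher-suite", "security-ie", "authentication-method"):
        if s1.get(key) != s2.get(key):
            findings.append(f"{key} differs: AC1={s1.get(key)} AC2={s2.get(key)}")
    return findings


if __name__ == "__main__":
    print(check_roaming_pair(AC1_CONFIG, AC2_CONFIG))    # []
    print(check_roaming_pair(AC1_CONFIG, AC2_DRIFTED))   # two findings
```

Run against real output of display current-configuration from each AC, the check is cheap to add to a change review: the guide's own verification commands (display wlan client roam-out / roam-in) only show whether a roam happened, whereas this catches the template drift before a client has to discover it.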

Configuring WLAN RRM

Overview
Radio signals are susceptible to surrounding interference, and the causes of radio signal attenuation in different directions are very complex. Make careful plans before deploying a WLAN. After deployment, the running parameters must still be adjusted, because the radio environment keeps varying due to interference from mobile obstacles, microwave ovens, and so on. To adapt to environment changes, radio resources such as working channels and transmit power should be adjusted dynamically. Such adjustments are complex and require experienced personnel to perform them regularly, which brings high maintenance costs.

WLAN radio resource management (RRM) is a scalable radio resource management solution. APs collect radio environment information in real time. The AC analyzes the collected information and makes radio resource adjustment decisions according to the analysis results. The APs then implement the configuration made by the AC to optimize radio resources. Through information collection, information analysis, decision-making, and implementation, WLAN RRM delivers a real-time, intelligent, and integrated radio resource management solution that enables a WLAN to quickly adapt to radio environment changes and remain in a healthy state.

Dynamic frequency selection
A WLAN has limited working channels, so channel overlapping occurs very easily. In addition, other radio sources such as radar and microwave ovens might interfere with the operation of APs. Dynamic frequency selection (DFS) can solve these problems. With DFS, the AC selects an optimal channel for each AP in real time to avoid co-channel interference and interference from other radio sources. The following conditions determine DFS:
Error code rate: Physical layer error codes and CRC errors.
Interference: Influence of 802.11 and non-802.11 wireless signals on wireless services.
Retransmission: APs retransmit data if they do not receive ACK messages from the AC.
Radar signal detected on a working channel: The AC immediately notifies the AP to change its working channel.
If any of the first three conditions is met, the AC selects a new channel for the AP. However, the AP does not use the new channel until the channel quality difference between the new and old channels exceeds the tolerance level.

Figure 49 Dynamic channel adjustment

Transmit power control
Traditionally, an AP uses the maximum power to cover an area as large as possible. This method, however, affects the operation of surrounding wireless devices. Transmit power control (TPC) selects a proper transmission power for each AP to satisfy both coverage and usage requirements.
Whether the transmission power of an AP is increased or decreased is determined by these factors: the maximum number of neighbors (detected neighbors that are managed by the same AC), the neighbor AP that performs power detection, and the power adjustment threshold.
As shown in Figure 50, APs 1, 2, and 3 cover an area. When AP 4 joins, the default maximum neighbor number 3 (configurable) is reached. Among all the neighbors of AP 1 (AP 2, AP 3, and AP 4), AP 4 has the third strongest signal, so AP 4 becomes the AP that performs power detection. If AP 4 detects that the power of AP 1 is 75 dBm, which is lower than the default power adjustment threshold 65 dBm (configurable), AP 1 increases its transmission power. If AP 4 detects that the power of AP 1 is 55 dBm, which is higher than the power adjustment threshold 65 dBm, AP 1 decreases its transmission power.
The maximum number of neighbors and the neighbor AP that performs power detection are configured with the dot11a adjacency-factor or dot11bg adjacency-factor command. The adjusted transmission power cannot be smaller than the minimum transmission power.

Figure 50 Power reduction

As shown in Figure 51, when AP 3 fails or goes offline, the other APs increase their transmission power to cover the signal blackhole.
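To make the DFS hysteresis rule and the TPC decision rule concrete, here is an added example that simulates both on constructed measurements. It is not HP code and does not model the AC's real algorithm beyond what the text above states. Assumptions: the detecting neighbor is the one whose signal ranks N-th strongest at the AP, where N is the maximum neighbor number (the AP 4 case above); the guide's 75 dBm and 65 dBm figures are received signal levels and are handled as -75 dBm and -65 dBm; power moves in a fixed step (STEP_DBM) between assumed minimum and maximum values, since the page gives no step size; and with fewer neighbors than N the AP raises its power, which is how Figure 51's blackhole coverage is read here.

```python
"""Simulation of the DFS tolerance check and the TPC power decision (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_MAX_NEIGHBORS = 3     # default maximum neighbor number (adjacency factor) on the page
DEFAULT_THRESHOLD_DBM = -65   # default power adjustment threshold; negative sign assumed
STEP_DBM = 3                  # assumed adjustment step, not given on the page
MIN_POWER_DBM = 5             # assumed floor: adjusted power can never go below it
MAX_POWER_DBM = 20            # assumed ceiling (the "maximum power" of the first paragraph)


@dataclass(frozen=True)
class Neighbor:
    name: str
    rssi_dbm: int   # how strongly the adjusting AP hears this neighbor


@dataclass(frozen=True)
class Decision:
    detector: Optional[str]   # neighbor that performed power detection, if any
    action: str               # "increase", "decrease" or "hold"
    new_power_dbm: int


def dfs_should_switch(old_quality: int, new_quality: int, tolerance: int) -> bool:
    """DFS hysteresis: the AC may have picked a new channel, but the AP only moves
    when the quality gain over the old channel exceeds the tolerance level.
    Quality is a constructed score where higher is better."""
    return new_quality - old_quality > tolerance


def select_detector(neighbors: List[Neighbor],
                    max_neighbors: int = DEFAULT_MAX_NEIGHBORS) -> Optional[Neighbor]:
    """The neighbor ranked max_neighbors-th by signal strength performs detection;
    with fewer neighbors than that, nobody does."""
    ranked = sorted(neighbors, key=lambda n: n.rssi_dbm, reverse=True)
    if len(ranked) < max_neighbors:
        return None
    return ranked[max_neighbors - 1]


def tpc_decision(current_power_dbm: int, neighbors: List[Neighbor],
                 detected_dbm: Dict[str, int], *,
                 max_neighbors: int = DEFAULT_MAX_NEIGHBORS,
                 threshold_dbm: int = DEFAULT_THRESHOLD_DBM,
                 min_power_dbm: int = MIN_POWER_DBM,
                 max_power_dbm: int = MAX_POWER_DBM,
                 step_dbm: int = STEP_DBM) -> Decision:
    """detected_dbm maps a neighbor name to the level at which it hears this AP."""
    detector = select_detector(neighbors, max_neighbors)
    if detector is None:
        # A neighbor is missing (e.g. went offline): raise power to cover the hole.
        new_power = min(current_power_dbm + step_dbm, max_power_dbm)
        return Decision(None, "increase" if new_power > current_power_dbm else "hold", new_power)
    measured = detected_dbm[detector.name]
    if measured < threshold_dbm:      # heard too weakly: increase, capped at the maximum
        new_power = min(current_power_dbm + step_dbm, max_power_dbm)
    elif measured > threshold_dbm:    # heard too strongly: decrease, never below the minimum
        new_power = max(current_power_dbm - step_dbm, min_power_dbm)
    else:
        new_power = current_power_dbm
    if new_power > current_power_dbm:
        action = "increase"
    elif new_power < current_power_dbm:
        action = "decrease"
    else:
        action = "hold"
    return Decision(detector.name, action, new_power)


# Constructed readings for the Figure 50 scenario as seen from AP 1.
AP1_NEIGHBORS = [Neighbor("AP2", -50), Neighbor("AP3", -58), Neighbor("AP4", -70)]

if __name__ == "__main__":
    print(tpc_decision(14, AP1_NEIGHBORS, {"AP4": -75}))   # AP4 detects -75: increase
    print(tpc_decision(14, AP1_NEIGHBORS, {"AP4": -55}))   # AP4 detects -55: decrease
    print(tpc_decision(14, AP1_NEIGHBORS[:2], {}))         # AP3 gone: increase (Figure 51)
    print(dfs_should_switch(60, 64, 5), dfs_should_switch(60, 70, 5))
```

The two clamps are the part worth keeping in mind operationally: a decrease request that would cross the configured minimum becomes a "hold", so a misconfigured threshold cannot push an AP below the floor, and an increase is bounded by the maximum, so a lost neighbor cannot drive power up without limit.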


More information

HP 5920 & 5900 Switch Series FAQ

HP 5920 & 5900 Switch Series FAQ HP 5920 & 5900 Switch Series FAQ Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services

More information

DATA SHEET MODEL AXC1000 HIGHLIGHTS OVERVIEW. Redefining Enterprise Wireless Management

DATA SHEET MODEL AXC1000 HIGHLIGHTS OVERVIEW. Redefining Enterprise Wireless Management DATA SHEET Redefining Enterprise Wireless MODEL AXC1000 HIGHLIGHTS OVERVIEW TurboRF maximizes WLAN performance VisualSec - a comprehensive and visible security protection mechanism FlowPath - 1-7 layer

More information

HP Intelligent Management Center

HP Intelligent Management Center HP Intelligent Management Center VAN Connection Manager Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators who manage the VCM.

More information

HP 3600 v2 Switch Series

HP 3600 v2 Switch Series HP 3600 v2 Switch Series ACL and QoS Configuration Guide Part number: 5998-2354 Software version: Release 2101 Document version: 6W101-20130930 Legal and notice information Copyright 2013 Hewlett-Packard

More information

HP 3100 v2 Switch Series

HP 3100 v2 Switch Series HP 3100 v2 Switch Series ACL and QoS Configuration Guide HP 3100-8 v2 SI Switch (JG221A) HP 3100-16 v2 SI Switch (JG222A) HP 3100-24 v2 SI Switch (JG223A) HP 3100-8 v2 EI Switch (JD318B) HP 3100-16 v2

More information

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo Vendor: HP Exam Code: HP2-Z32 Exam Name: Implementing HP MSM Wireless Networks Version: Demo QUESTION 1 A network administrator deploys several HP MSM APs and an HP MSM Controller. The APs discover the

More information

Contents. Configuring EVI 1

Contents. Configuring EVI 1 Contents Configuring EVI 1 Overview 1 Layer 2 connectivity extension issues 1 Network topologies 2 Terminology 3 Working mechanism 4 Placement of Layer 3 gateways 6 ARP flood suppression 7 Selective flood

More information

Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Master/Slave Architecture Guide

Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Master/Slave Architecture Guide Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Master/Slave Architecture Guide Table of Contents INTRODUCTION... 4 DISCOVER AND PAIR GWN76XX ACCESS POINTS... 5 Discover GWN76xx... 5 Method 1: Discover

More information

HP Unified Wired-WLAN Products

HP Unified Wired-WLAN Products HP Unified Wired-WLAN Products Security Configuration Guide HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G

More information

HP 5800 & 5820X Switch Series Troubleshooting Guide

HP 5800 & 5820X Switch Series Troubleshooting Guide HP 5800 & 5820X Switch Series Troubleshooting Guide Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for

More information

HP 5130 EI Switch Series

HP 5130 EI Switch Series HP 5130 EI Switch Series ACL and QoS Configuration Guide Part number: 5998-5471a Software version: Release 31xx Document version: 6W100-20150731 Legal and notice information Copyright 2015 Hewlett-Packard

More information

About the HP MSR Router Series

About the HP MSR Router Series About the HP MSR Router Series Command (V7) Part number: 5998-7731b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

Release Notes: Version Operating System

Release Notes: Version Operating System Release Notes: Version 2.0.29 Operating System for the HP ProCurve Wireless Access Point 420 These release notes include information on the following: Downloading access point software and documentation

More information

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1 Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x 1-1 Architecture of 802.1x Authentication 1-1 The Mechanism of an 802.1x Authentication System 1-3 Encapsulation of EAPoL Messages 1-3

More information

Quidway S2700 Series Enterprise Switches

Quidway S2700 Series Enterprise Switches Quidway S2700 Series Enterprise Switches Quidway S2700 Series Enterprise Switches Product Overview The Quidway S2700 enterprise switches (S2700 for short) are next-generation energy-saving 100M Ethernet

More information

WiNG 5.x How-To Guide

WiNG 5.x How-To Guide WiNG 5.x How-To Guide Tunneling Remote Traffic using L2TPv3 Part No. TME-08-2012-01 Rev. A MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola

More information

HP 6125XLG Blade Switch

HP 6125XLG Blade Switch HP 6125XLG Blade Switch Network Management and Monitoring Configuration Guide Part number: 5998-5376a Software version: Release 240x Document version: 6W101-20150515 Legal and notice information Copyright

More information

24-Port 10/100 L3 Switch Model: Web Configuration Guide

24-Port 10/100 L3 Switch Model: Web Configuration Guide 24-Port 10/100 L3 Switch Model: 065-7434 Web Configuration Guide Table of Contents PREPARATIONS... 6 OVERVIEW... 6 Login... 6 PRODUCT INFORMATION... 9 OVERVIEW... 9 FEATURES... 9 SYSTEM VERSION INFORMATION...10

More information