H3C WA Series WLAN Access Points. WLAN Configuration Guide. Hangzhou H3C Technologies Co., Ltd. Document Version: 6W

H3C WA Series WLAN Access Points WLAN Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W100-20100910

Copyright 2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. Trademarks H3C,, Aolynk,, H 3 Care,, TOP G,, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V 2 G, V n G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface The H3C WA documentation set includes 10 configuration guides, which describe the software features for the H3C WA series WLAN access points and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply the software features to different network scenarios. The WLAN Configuration Guide describes WLAN interface, WLAN service, WLAN security, WLAN RRM, WLAN IDS, WLAN QoS, and WDS configurations. This preface includes: Audience Conventions About the H3C WA Documentation Set Obtaining Documentation Documentation Feedback Audience This documentation is intended for: Network planners Field technical support and servicing engineers Network administrators working with the WA series Conventions This section describes the conventions used in this documentation set. Command conventions Convention Boldface italic [ ] { x y... } [ x y... ] { x y... } * [ x y... ] * Description Bold text represents commands and keywords that you enter literally as shown. Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which you select one. Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none. Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one. Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.

Convention Description &<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times. # A line that starts with a pound (#) sign is comments. GUI conventions Boldface > Convention Description Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK. Multi-level menus are separated by angle brackets. For example, File > Create > Folder. Symbols Convention Description Means reader be extremely careful. Improper operation may cause bodily injury. Means reader be careful. Improper operation may cause data loss or damage to equipment. Means an action or information that needs special attention to ensure successful configuration or good performance. Means a complementary description. Means techniques helpful for you to make configuration with ease. About the H3C WA Documentation Set The H3C WA documentation set includes: Category Documents Purposes Product description and specifications Hardware specifications and installation Software configuration Marketing brochures Technology white papers Compliance and safety manual Quick start Installation guide Getting started guide Configuration guides Command references Describe product specifications and benefits. Provide an in-depth description of software features and technologies. Provides regulatory information and the safety instructions that must be followed during installation. Guides you through initial installation and setup procedures to help you quickly set up and use your AP with the minimum configuration. Guides you through hardware specifications and installation methods to help you install your AP. Guides you through the main functions of your AP, and describes how to install and log in to your AP, perform basic configurations, maintain software, and troubleshoot your AP. Describe software features and configuration procedures. Provide a quick reference to all available commands.

Category Documents Purposes Operations and maintenance User FAQ Release notes Provides answers to some of the most frequently asked questions on how to troubleshoot your AP. Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading. Obtaining Documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] Provides hardware installation, software upgrading, getting started, and software feature configuration and maintenance documentation. [Products & Solutions] Provides information about products and technologies, as well as solutions. [Technical Support & Documents > Software Download] Provides the documentation released with the software version. Documentation Feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.

Table of Contents 1 Applicable Models and Software Versions...1-1 2 Feature Matrix...2-1 3 Command/Parameter Matrix...3-1 4 WLAN Interface Configuration...4-1 Overview...4-1 WLAN-Radio Interface...4-1 Introduction...4-1 Configuring a WLAN-Radio Interface...4-1 WLAN-BSS Interface...4-2 Introduction...4-2 Configuring a WLAN-BSS Interface...4-2 WLAN Mesh Interface...4-3 Introduction...4-3 Entering WLAN Mesh Interface View...4-3 Configuring a WLAN Mesh Interface...4-3 WLAN Mesh Link Interface...4-3 Displaying and Maintaining a WLAN Interface...4-3 5 WLAN Security Configuration...5-1 WLAN Security Configuration...5-1 Overview...5-1 Authentication Modes...5-1 WLAN Data Security...5-2 Client Access Authentication...5-3 Protocols and Standards...5-4 Configuring WLAN Security...5-4 Enabling an Authentication Method...5-4 Configuring the PTK Lifetime...5-5 Configuring the GTK Rekey Method...5-5 Configuring Security IE...5-6 Configuring Cipher Suit...5-7 Configuring Port Security...5-9 Displaying and Maintaining WLAN Security...5-11 WLAN Security Configuration Examples...5-12 PSK Authentication Configuration Example...5-12 MAC-and-PSK Authentication Configuration Example...5-13 802.1X Authentication Configuration Example...5-16 Dynamic WEP Encryption-802.1X Authentication Configuration Example...5-23 Supported Combinations for Ciphers...5-25 i

6 WLAN RRM Configuration...6-1 Overview...6-1 Configuration Task list...6-1 Configuring Data Transmission Rates...6-2 Configuring 802.11a/802.11b/802.11g Rates...6-2 Configuring 802.11n Rates...6-2 Configuring Power Constraint...6-3 Prerequisites...6-3 Configuring Power Constraint...6-3 Configuring Only Non-802.11h Channels to Be Scanned...6-4 Configuring Only Non-802.11h Channels to Be Scanned...6-4 Enabling 802.11g Protection...6-4 Displaying and Maintaining WLAN RRM...6-4 7 WLAN IDS Configuration...7-1 WLAN IDS Overview...7-1 Terminology...7-1 WLAN IDS IPS...7-2 Configuring IDS Attack Detection...7-3 Configuring IDS Attack Detection...7-3 Displaying and Maintaining WLAN IDS...7-3 Frame Filtering...7-3 Overview...7-3 Configuring WIDS-Frame Filtering...7-4 Configuring Static White and Black Lists...7-5 Configuring Dynamic Blacklist Feature...7-5 Displaying and Maintaining WLAN IDS Frame Filtering...7-5 WLAN IDS Frame Filtering Configuration Example...7-5 8 WLAN QoS Configuration...8-1 WLAN QoS Overview...8-1 Terminology...8-1 WMM Protocol Overview...8-2 Protocols and Standards...8-4 WMM Configuration...8-4 Configuration Prerequisites...8-4 Configuring WMM...8-4 Displaying and Maintaining WMM...8-6 WMM Configuration Examples...8-6 WMM Basic Configuration...8-6 CAC Service Configuration Example...8-7 Troubleshooting...8-8 EDCA Parameter Configuration Failure...8-8 SVP or CAC Configuration Failure...8-8 9 WDS Configuration...9-1 Introduction to WDS...9-1 Advantages of WDS...9-1 ii

Deployment Scenarios...9-2 WDS Configuration Task List...9-3 Configuring WDS Port Security...9-3 Configuring a Mesh Profile...9-4 Configuring an MP Policy...9-4 Mapping a Mesh Profile to the Radio of an MP...9-5 Mapping an MP Policy to the Radio of an MP...9-5 Specifying a Peer MAC Address on the Radio...9-6 Displaying and Maintaining WDS...9-6 WDS Configuration Examples...9-6 WDS Point to Point Configuration Example...9-6 WDS Point to Multi-Point Configuration Example...9-8 10 WLAN Service Configuration...10-1 WLAN Service Overview...10-1 Terminology...10-1 Wireless Client Access...10-2 802.11 Overview...10-4 WLAN Topologies...10-5 Single BSS...10-5 Multi-ESS...10-5 Single ESS Multiple BSS (The multiple radio case)...10-6 Protocols and Standards...10-7 Configuring WLAN Service...10-7 Configuring Global WLAN Parameters...10-7 Specifying the Country Code...10-7 Configuring a Service Template...10-8 Configuring the Radio of an AP...10-9 Configuring a Radio Interface...10-9 Configuring 802.11n...10-10 Configuring Uplink Detection...10-11 Displaying and Maintaining WLAN Service...10-12 Configuring WLAN Client Isolation...10-12 Introduction...10-12 Enabling WLAN Client Isolation...10-13 WLAN Service Configuration Examples...10-13 WLAN Service Configuration Example...10-13 802.11n Configuration Example...10-14 11 Index...11-1 iii

The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region. Read this chapter before using an H3C WA series WLAN access point. 1 Applicable Models and Software Versions H3C WA series WLAN access points include the WA2200 series and WA2600 series. Table 1-1 shows the applicable models and software versions. Table 1-1 Applicable models and software versions Series Model Software version WA2200 series WA2200 series access points (indoors) WA2200 series access points (outdoors) WA2210-AG WA2220-AG WA2210X-G WA2220X-AG R 1115 WA2600 series WA2600 series access points (indoors) WA2610-AGN WA2612-AGN WA2620-AGN R 1106 WA2600 series access points (enhanced) WA2610E-AGN WA2620E-AGN R 1109 1-1

2 Feature Matrix Support of the H3C WA series WLAN access points for features, commands and parameters may vary by device model. See this document for more information. For information about feature support, see Table 2-1. For information about command and parameter support, see Table 3-1. The term AP in this document refers to common APs, wireless bridges, or mesh APs. Table 2-1 Feature matrix Document Feature WA2200 series WA2600 series Fundamentals Configuration Guide WLAN Configuration Guide Layer 2 LAN Switching Configuration Guide Layer 3 IP Services Configuration Guide IP Multicast Configuration Guide Security Configuration Guide HTTPS Not supported Supported 802.11n radio mode Not supported Supported 802.11n bandwidth mode Not supported Supported 802.11n rate configuration Not supported Supported Optical Ethernet interface Supported on WA2210X-G/WA2220X- AG only Not supported GE interface Not supported Supported DHCP server configuration Not supported Supported DHCPv6 configuration Not supported Supported IGMP snooping configuration Not supported Supported MLD snooping configuration Not supported Supported SSH2.0 Not supported Supported 2-1

3 Command/Parameter Matrix Table 3-1 Command/Parameter matrix Document Module Command/Parameter WA2200 series WA2600 series display ip https Not supported Supported Fundamentals Command Reference HTTP commands ip https acl Not supported Supported ip https certificate access-control-policy Not supported Supported ip https enable Not supported Supported a-mpdu enable Not supported Supported a-msdu enable Not supported Supported channel band-width Not supported Supported client dot11n-only Not supported Supported WLAN service commands preamble { long short } Only APs that support the 802.11b/g radio mode support this command. Only APs that support the 802.11b/g radio mode support this command. WLAN Command Reference radio-type Keywords dot11an and dot11gn not supported Supported short-gi enable Not supported Supported dot11a { disabled-rate mandatory-rate supported-rate } rate-value Only APs that support 802.11a radio mode support this command. Only APs that support 802.11a radio mode support this command. WLAN RRM commands dot11n mandatory maximum-mcs dot11n support maximum-mcs Not supported Not supported Supported Supported power-constraint power-constraint Only APs that support the 802.11a radio mode support this command. Only APs that support the 802.11a radio mode support this command. 3-1

Document Module Command/Parameter WA2200 series WA2600 series The maximum number of broadcast packets that can be forwarded on an Ethernet interface per second broadcast-suppression { ratio pps max-pps } pps max-pps ranges from 1 to 148810. pps max-pps ranges from 1 to 1488100. Layer 2 LAN Switching Command Reference The maximum number of multicast packets allowed on an Ethernet interface per second multicast-suppression { ratio pps max-pps } pps max-pps ranges from 1 to 148810. pps max-pps ranges from 1 to 1488100. The maximum number of unknown unicast packets allowed on an Ethernet interface per second unicast-suppression { ratio pps max-pps } pps max-pps ranges from 1 to 148810. pps max-pps ranges from 1 to 1488100. DHCP commands DHCP server configuration commands Not supported Supported display ipv6 dhcp client [ interface interface-type interface-number ] Not supported Supported Layer 3 - IP Services Command Reference DHCPv6 commands display ipv6 dhcp client statistics [ interface interface-type interface-number ] Not supported Supported display ipv6 dhcp duid Not supported Supported reset ipv6 dhcp client statistics [ interface interface-type interface-number ] Not supported Supported 3-2

To do Use the Command Remarks Set the description string for the interface Shut down the WLAN-Radio interface description text shutdown By default, the description string of an interface is interface-name + interface. By default, a WLAN-Radio interface is up. WLAN-BSS Interface Introduction WLAN-BSS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 access Ethernet ports and have Layer 2 attributes. A WLAN-BSS interface supports multiple Layer 2 protocols. On a FAT AP, a WLAN-Radio interface bound to a WLAN-BSS interface operates as a Layer 2 interface. Configuring a WLAN-BSS Interface Follow these steps to configure a WLAN-BSS interface: To do Use the command Remarks Enter system view system-view Enter WLAN-BSS interface view Set the description string for the interface Add the WLAN-BSS interface to a VLAN Shut down the WLAN-BSS interface interface wlan-bss interface-number description text port access vlan vlan-id shutdown If the WLAN-BSS interface does not exist, this command creates the WLAN-BSS interface first. By default, the description string of an interface is interface-name + interface. By default, an interface belongs to VLAN 1 (the default VLAN). By default, a WLAN-BSS interface is up. Before executing the port access vlan command, make sure the VLAN identified by the vlan-id argument already exists. You can use the vlan command to create a VLAN. For more information about the port access vlan command, see VLAN in the Layer 2 LAN Switching Command Reference. 4-2

WLAN Mesh Interface Introduction WLAN mesh interfaces are Layer 2 virtual interfaces. You can use them as configuration templates to make and save settings for WLAN mesh link interfaces. Once a WLAN mesh link interface is created, you will not be allowed to change the settings on its associated WLAN mesh interface. Entering WLAN Mesh Interface View Follow these steps to enter WLAN mesh interface view: To do Use the command Remarks Enter system view system-view Enter WLAN mesh interface view interface wlan-mesh interface-number If the specified WLAN mesh interface does not exist, this command creates the WLAN mesh interface first. Configuring a WLAN Mesh Interface Follow these steps to configure a WLAN mesh interface. To do Use the command Remarks Configure the description of the WLAN mesh interface description Configure VLAN settings port link-type port access port trunk port hybrid WLAN Mesh Link Interface WLAN mesh link interfaces are similar to Layer 2 virtual Ethernet interfaces and have the features of Layer 2 interfaces. They are dynamically created or deleted by the WLAN module and are responsible for local data forwarding on the mesh network. WLAN mesh link interfaces use the settings you made on their corresponding WLAN mesh interfaces and are not configurable. Displaying and Maintaining a WLAN Interface To do Use the command Remarks Display WLAN-Radio interface information Display WLAN-BSS interface information Display WLAN mesh interface information display interface wlan-radio [ interface-number ] display interface wlan-bss [ interface-number ] display interface wlan-mesh [ interface-number ] Available in any view Available in any view Available in any view 4-3

The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region. Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For more information, see Feature Matrix. The interface types and the number of interfaces vary by AP model. The radio types supported by the H3C WA series WLAN access points vary by AP model. The term AP in this document refers to common APs, wireless bridges, or mesh APs. 5 WLAN Security Configuration This chapter includes these sections: WLAN Security Configuration Configuring WLAN Security WLAN Security Configuration Examples Supported Combinations for Ciphers WLAN Security Configuration Overview The wireless security capabilities incorporated in 802.11 are inadequate for protecting networks containing sensitive information. It does a fairly good job of defending against the general public, but there are some good hackers lurking out there who can crack into a wireless networks. As a result, there is a need to implement advanced security mechanisms beyond the capability of 802.11 if we want to protect against unauthorized access to resources on our network. Authentication Modes To ensure WLAN security, an AP must authenticate clients. A client can be associated with an AP only when it passes authentication. The following two authentication modes are supported. Open system authentication Open system authentication is the default authentication algorithm. This is the simplest of the available authentication algorithms. Essentially it is a null authentication algorithm. Any client that requests authentication with this algorithm can become authenticated. Open system authentication is not required to be successful because an AP may decline to authenticate the client. Open system authentication involves a two-step authentication process. At the first step, the wireless client sends a request for authentication. At the second step, the AP determines whether the wireless client passes the authentication and returns the result to the client. 5-1

Figure 5-1 Open system authentication process Client AP Authentication request Authentication response Shared key authentication The following figure shows a shared key authentication process. The two parties have the same shared key configured. 1) The client sends an authentication request to the AP. 2) The AP randomly generates a challenge and sends it to the client. 3) The client uses the shared key to encrypt the challenge and sends it to the AP. 4) The AP uses the shared key to encrypt the challenge and compares the result with that received from the client. If they are identical, the client passes the link authentication. If not, the link authentication fails. Figure 5-2 Shared key authentication process WLAN Data Security Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN devices share the same medium and thus every device can receive data from any other sending device. If no security service is provided, plain-text data is transmitted over the WLAN. To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices without the right key cannot read encrypted data. 1) Simple text data No data packets are encrypted. It is in fact a WLAN service without any security protection. 2) WEP encryption 5-2

Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption for confidentiality. WEP encryption falls into static and dynamic encryption according to how a WEP key is generated. Static WEP encryption With Static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers will get all encrypted data. In addition, periodical manual key update brings great management workload. Dynamic WEP encryption Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol so that each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security. Although WEP encryption increases the difficulty of network interception and session hijacking, it still has weaknesses due to limitations of RC4 encryption algorithm and static key configuration. 3) TKIP encryption Temporal key integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP, and provides more secure protection for WLAN as follows: First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses 128 bit RC4 encryption algorithm, and increases the length of IVs from 24 bits to 48 bits. Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered. Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may be tampered, and the system may be attacked. If two packets fail the MIC in a certain period, the AP automatically takes countermeasures. It will not provide services in a certain period to prevent attacks. 4) CCMP encryption CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP contains a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different PN, thus improving the security to a certain extent. Client Access Authentication After a wireless client sets up a wireless link with an AP, the wireless client is considered as having accessed the wireless network. However, for the security and management of the wireless network, the wireless client can access the network resources only after passing subsequent authentication. Among the authentication mechanisms, preshared key (PSK) authentication and 802.1X authentication accompany the dynamic key negotiation and management of the wireless link, and therefore, they are closely related to wireless link negotiation. However, they are not directly related to the wireless link. 5-3

1) PSK authentication Both WPA wireless access and WPA2 wireless access support PSK authentication. To implement PSK authentication, the client and the authenticator must have the same shared key configured. 2) 802.1X authentication As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication. 3) MAC authentication MAC authentication provides a way for authenticating users based on ports and MAC addresses. For this authentication, the user does not need to install any client software. When the device first detects the MAC address of a user, it starts the authentication for the user. During the authentication process, the user does not need to manually input username or password. In WLAN applications, MAC authentication needs to get the MAC addresses of the clients in advance. Therefore, MAC authentication is applicable to small-scaled networks with relatively fixed users, for example, SOHO and small offices. Protocols and Standards IEEE Standard for Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements -2004 WI-FI Protected Access Enhanced Security Implementation Based On IEEE P802.11i Standard-Aug 2004 Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Specific requirements 802.11, 1999 IEEE Standard for Local and metropolitan area networks Port-Based Network Access Control 802.1X - 2004 Configuring WLAN Security To configure WLAN Security on a service template, map the service template to a radio. The SSID name, advertisement setting (beaconing), and encryption settings are configured in the service template. You can configure the SSID to support any combination of WPA, RSN, and non-wpa clients. Task Description Enabling an Authentication Method Configuring the PTK Lifetime Configuring the GTK Rekey Method Configuring Security IE Configuring Cipher Suit Configuring Port Security Enabling an Authentication Method You can enable both open system authentication and shared key authentication or either of them. 5-4

Follow these steps to enable the authentication method: To do Use the command Remarks Enter system view system-view Enter WLAN service template Enable an authentication method wlan service-template service-template-number crypto authentication-method { open-system shared-key } Open system authentication method is used by default. Shared key authentication is usable only when WEP encryption is adopted. In this case, you must configure the authentication-method shared-key command. For RSN and WPA, shared key authentication is not required and only open system authentication is required. Configuring the PTK Lifetime A pairwise transient key (PTK) is generated through a four-way handshake, during which, the pairwise master key, an AP random value (ANonce), a site random value (SNonce), the AP s MAC address and the client s MAC address are used. Follow these steps to configure the PTK lifetime: To do Use the command Remarks Enter system view system-view Enter WLAN service template Configure the PTK lifetime wlan service-template service-template-number crypto ptk-lifetime time By default, the PTK lifetime is 43200 second Configuring the GTK Rekey Method A fat AP generates a group transient key (GTK) and sends the GTK to a client during the authentication process between an AP and the client through the group key handshake or 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets. RSN negotiates the GTK through the 4-way handshake or group key handshake, while WPA negotiates the GTK only through group key handshake. Two GTK rekey methods can be configured: Time-based GTK rekey: After the specified interval elapses, GTK rekey occurs. Packet-based GTK rekey. After the specified number of packets is sent, GTK rekey occurs. You can also configure the device to start GTK rekey when a client goes offline, provided that GTK rekey has been enabled with the gtk-rekey enable command. Configure GTK rekey based on time Follow these steps to configure GTK Rekey based on time: 5-5

To do Use the command Remarks Enter system view system-view Enter WLAN service template view Enable GTK rekey Configure the GTK rekey interval Configure the device the start GTK rekey when a client goes offline wlan service-template service-template-number crypto gtk-rekey enable gtk-rekey method time-based time gtk-rekey client-offline enable By default, GTK rekey is enabled. By default, the interval is 86400 seconds. By default, GTK rekey is not started when a client goes offline. Configure GTK rekey based on packet Follow these steps to configure GTK rekey based on packet: To do Use the command Remarks Enter system view system-view Enter WLAN service template view Enable GTK rekey Configure GTK rekey based on packet Start GTK rekey when a client goes offline wlan service-template service-template-number crypto gtk-rekey enable gtk-rekey method packet-based [ packet ] gtk-rekey client-offline enable By default, GTK rekey is enabled. The default packet number is 10000000. By default, GTK rekey is not started when a client goes offline. By default, time-based GTK rekey is adopted, and the rekey interval is 86400 seconds. Configuring a new GTK rekey method overwrites the previous one. For example, if time-based GTK rekey is configured after packet-based GTK rekey is configured, time-based GTK rekey takes effect. Configuring Security IE The security IE configuration includes WPA and RSN configuration. For WPA and RSN configuration, open system authentication is required. 5-6

Disable 802.1X online user handshake function before starting PTK and GTK negotiation. Configuring WPA security IE Wi-Fi Protected Access (WPA) ensures greater protection than WEP. WPA operates in either WPA-PSK (or called Personal) mode or WPA-802.1X (or called Enterprise) mode. In Personal mode, a pre-shared key or pass-phrase is used for authentication. In Enterprise mode, 802.1X and RADIUS servers and the Extensible Authentication Protocol (EAP) are used for authentication. Follow these steps to configure WPA security IE: To do Use the command Remarks Enter system view system-view Enter WLAN service template wlan service-template service-template-number crypto Enable the WPA security IE security-ie wpa Configuring RSN security IE An RSN is a security network that allows only the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of beacon frames. It provides greater protection than WEP and WPA. Follow these steps to configure the RSN security IE: To do Use the command Remarks Enter system view system-view Enter WLAN service template wlan service-template service-template-number crypto Enable the RSN security IE security-ie rsn Configuring Cipher Suit Cipher suite is used for data encapsulation and de-capsulation; it uses the following encryptions: WEP40/WEP104/WEP128 TKIP CCMP Configuring WEP 1) Configure static WEP encryption The WEP encryption mechanism requires that the authenticator and clients on a WLAN have the same key configured. WEP adopts the RC4 algorithm (a stream encryption algorithm), supporting WEP40, WEP104 and WEP128 keys. WEP can be used with either open system authentication mode or shared key authentication mode: 5-7

In open system authentication mode, a WEP key is used for encryption only. A client can go online without having the same key as the authenticator. But, if the receiver has a different key from the sender, it will discard the packets received from the sender. In shared key authentication mode, the WEP key is used for both encryption and authentication. If the key of a client is different from that of the authenticator, the client cannot go online. Follow these steps to configure static WEP encryption: To do Use the command Remarks Enter system view system-view Enter WLAN service template Enable the cipher suite Configure the WEP default keys wlan service-template service-template-number crypto cipher-suite { wep40 wep104 wep128 } wep default-key { 1 2 3 4 } { wep40 wep104 wep128 } { pass-phrase raw-key } [ cipher simple ] key Not configured by default. Configure the WEP key ID wep key-id { 1 2 3 4 } The default key ID is 1. 2) Configure dynamic WEP encryption Follow these steps to configure dynamic WEP encryption: To do Use the command Remarks Enter system view system-view Enter WLAN service template view Enable dynamic WEP encryption Enable the WEP cipher suite Configure the WEP default key wlan service-template service-template-number crypto wep mode dynamic cipher-suite { wep40 wep104 wep128 } wep default-key { 1 2 3 4 } { wep40 wep104 wep128 } { pass-phrase raw-key } key By default, static WEP encryption is adopted. Dynamic WEP encryption must be used together with 802.1X authentication. With dynamic WEP encryption configured, the device automatically uses the WEP 104 cipher suite. To change the encryption method, use the cipher-suite command. No WEP default key is configured by default. If the WEP default key is configured, the WEP default key is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key. Specify a key index number wep key-id { 1 2 3 } By default, the key index number is 1. For dynamic WEP encryption, the WEP key ID cannot be configured as 4. 5-8

Configuring TKIP Follow these steps to configure TKIP: To do Use the command Remarks Enter system view system-view Enter WLAN service template wlan service-template service-template-number crypto Enable the TKIP cipher suite cipher-suite tkip Set TKIP counter measure time tkip-cm-time time By default, the counter measure time value is 60 seconds. Message integrity check (MIC) is used to prevent attackers from data modification. It ensures data security by using the Michael algorithm. When a fault occurs to the MIC, the device will consider that the data has been modified and the system is being attacked. Upon detecting the attack, TKIP will suspend within the countermeasure interval, that is, no TKIP associations can be established within the interval. Configuring CCMP CCMP is the most secure data protection mechanism supported by WLAN. It adopts the AES encryption algorithm. Follow these steps to configure CCMP: To do Use the command Remarks Enter system view system-view Enter WLAN service template wlan service-template service-template-number crypto Enable the CCMP cipher suite cipher-suite ccmp Configuring Port Security Port security configuration includes authentication type configuration and the AAA server configuration. The authentication type configuration includes the following options: PSK 802.1X MAC PSK and MAC Before configuring port security, you must: Create the WLAN-BSS interface Enable port security globally Configure PSK authentication Follow these steps to configure PSK authentication: 5-9

To do Use the command Remarks Enter system view system-view Enter WLAN-BSS interface view Enable 11key negotiation Configure the key interface wlan-bss interface-number port-security tx-key-type 11key port-security preshared-key { pass-phrase raw-key } key Not enabled by default. Not configured by default. Enable the PSK port security mode port-security port-mode psk Configure 802.1X authentication Follow these steps to configure 802.1X authentication: To do Use the command Remarks Enter system view. system-view Enter WLAN-BSS interface view Enable 11key negotiation Enable the 802.1X port security mode. interface wlan-bss interface-number port-security tx-key-type 11key port-security port-mode userlogin-secure-ext Not enabled by default. Configure MAC authentication Follow these steps to configure MAC authentication: To do Use the command Remarks Enter system view system-view Enter WLAN-BSS interface view interface wlan-bss interface-number Enable MAC port security mode port-security port-mode mac-authentication 802.11i does not support MAC authentication. Configure PSK and MAC authentication Follow these steps to configure PSK and MAC authentication: To do Use the command Remarks Enter system view system-view Enter WLAN interface view interface wlan-bss interface-number 5-10

To do Use the command Remarks Enable 11key negotiation Enable the PSK and MAC port security mode. Configure the pre-shared key port-security tx-key-type 11key port-security port-mode mac-and-psk port-security preshared-key { pass-phrase raw-key } key Not enabled by default. The key is a string of 8 to 63 characters, or a 64-digit hex number. For more information about port security configuration commands, see Port Security in the Security Configuration Guide. Displaying and Maintaining WLAN Security To do Use the command Remarks Display WLAN service template information Display MAC authentication information Display the MAC address information of port security Display the PSK user information of port security Display the configuration information, running state and statistics of port security Display 802.1X session information or statistics display wlan service-template [ service-template-number ] display mac-authentication [ interface interface-list ] display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] display port-security preshared-key user [ interface interface-type interface-number ] display port-security [ interface interface-list ] display dot1x [ sessions statistics ] [ interface interface-list ] Available in any view For more information about related display commands, see Port Security, 802.1X, and MAC Authentication in the Security Command Reference. 5-11

WLAN Security Configuration Examples PSK Authentication Configuration Example Network requirements As shown in Figure 5-3, the AP is connected to the Switch. The PSK key configured on the client side is 12345678. The same PSK key is configured on the AP. It is required to perform PSK authentication on the client. Figure 5-3 Network diagram for PSK authentication configuration LAN Segment Configuration procedure 1) Configure the AP # Enable port security. <AP> system-view [AP] port-security enable # Configure the authentication mode as psk, and the pre-shared key as 12345678, and specify the key type as 802.11key. [AP] interface wlan-bss 1 [AP-WLAN-BSS1] port-security port-mode psk [AP-WLAN-BSS1] port-security preshared-key pass-phrase simple 12345678 [AP-WLAN-BSS1] port-security tx-key-type 11key [AP-WLAN-BSS1] quit # Create crypto-type service template 1, and configure its SSID as psktest.. [AP] wlan service-template 1 crypto [AP-wlan-st-1] ssid psktest # Enable the RSN information element in the beacon and probe response frames, and enable the CCMP cipher suite. [AP-wlan-st-1] security-ie rsn [AP-wlan-st-1] cipher-suite ccmp # Specify the open-system authentication mode, and enable the service template. [AP-wlan-st-1] authentication-method open-system [AP-wlan-st-1] service-template enable # Bind the WLAN-BSS interface to the service template on the radio interface. [AP] interface wlan-radio1/0/2 [AP-WLAN-Radio1/0/2] radio-type dot11g [AP-WLAN-Radio1/0/2] service-template 1 interface wlan-bss 1 2) Verify the configuration Configure the same PSK on the client. After that, the client can associate with the AP and access the WLAN. 5-12

You can use the display wlan client and display port-security preshared-key user commands to view the online clients. MAC-and-PSK Authentication Configuration Example Network Requirements As shown in Figure 5-4, a fat AP is connected to a RADIUS server through a Layer 2 switch, and they are in the same network. It is required to perform MAC-and-PSK authentication on the client. After passing the authentication, the client uses the pre-configured pre-shared key to negotiate with the AP, and access the WLAN after a successful negotiation. Figure 5-4 Network diagram for MAC-and-PSK authentication configuration Configuration procedure 1) Configure the fat AP # Enable port security. <AP> system-view [AP] port-security enable # Configure the authentication mode as mac-and-psk, and the pre-shared key as 12345678, and specify the key type as 802.11key. [AP] interface wlan-bss 1 [AP-WLAN-BSS1] port-security port-mode mac-and-psk [AP-WLAN-BSS1] port-security preshared-key pass-phrase simple 12345678 [AP-WLAN-BSS1] port-security tx-key-type 11key [AP-WLAN-BSS1] quit # Create a crypto-type service template, and configure its SSID as mactest. [AP] wlan service-template 1 crypto [AP-wlan-st-1] ssid mactest # Enable the RSN information element in the beacon and probe response frames, and enable the CCMP cipher suite. [AP-wlan-st-1] security-ie rsn [AP-wlan-st-1] cipher-suite ccmp # Specify the open-system authentication mode, and enable the service template. [AP-wlan-st-1] authentication-method open-system [AP-wlan-st-1] service-template enable # Configure a RADIUS scheme named rad. Configure the IP addresses of both the primary authentication and authorization servers as 10.1.1.88, the shared key of the authentication, 5-13

authorization, and accounting servers as 12345678, specify the extended RADIUS server type, and configure the scheme to exclude the ISP domain name from the usernames sent to the RADIUS server. [AP] radius scheme rad [AP-radius-rad] primary authentication 10.1.1.88 [AP-radius-rad] primary accounting 10.1.1.88 [AP-radius-rad] key authentication 12345678 [AP-radius-rad] key accounting 12345678 [AP-radius-rad] server-type extended [AP-radius-rad] user-name-format without-domain [AP-radius-rad] quit # Configure AAA domain cams by referencing RADIUS authentication/authorization/accounting scheme rad. [AP] domain cams [AP-isp-cams] authentication lan-access radius-scheme rad [AP-isp-cams] authorization lan-access radius-scheme rad [AP-isp-cams] accounting lan-access radius-scheme rad [AP-isp-cams] quit # Configure the MAC authentication domain cams. [AP] mac-authentication domain cams # Configure MAC authentication user name format, using MAC addresses without hyphen as username and password (consistent with the format on the server). [AP] mac-authentication user-name-format mac-address without-hyphen # Bind the WLAN-BSS interface with the service template. [AP] interface wlan-radio1/0/2 [AP-WLAN-Radio1/0/2] radio-type dot11g [AP-WLAN-Radio1/0/2] service-template 1 interface wlan-bss 1 2) Configure the RADIUS server (imc) The following takes the imc (the imc versions are imc PLAT 3.20-R2602 and imc UAM 3.60-E6102) as an example to illustrate the basic configurations of the RADIUS server. # Add access device. Log in to the imc management platform. Select the Service tab, and then select Access Service > Access Device from the navigation tree to enter the access device configuration page. Click Add on the page to enter the configuration page shown in Figure 5-5: Add 12345678 for Shared Key. Add ports 1812, and 1813 for Authentication Port and Accounting Port respectively. Select LAN Access Service for Service Type. Select H3C for Access Device Type. Select or manually add an access device with the IP address 10.18.1.1. 5-14

Figure 5-5 Add access device # Add service. Select the Service tab, and then select Access Service > Access Device from the navigation tree to enter the add service page. Then click Add on the page to enter the following configuration page. Set the service name to mac, and the others keep the default values. Figure 5-6 Add service # Add account. Select the User tab, and then select User > All Access Users from the navigation tree to enter the user page. Then, click Add on the page to enter the page shown in Figure 5-7. Enter a username. 5-15

Add an account and password 00146c8a43ff. Select the service mac. Figure 5-7 Add account 3) Verify the configuration After the client passes the MAC-and-PSK authentication, the client can associate with the AP and access the WLAN. You can use the display wlan client command, display connection command and display mac-authentication command to view the online clients. 802.1X Authentication Configuration Example Network requirements As shown in Figure 5-8, an AC with IP address 10.18.1.1, an AP and a RADIUS server with IP address 10.18.1.88 are connected through a Layer 2 switch. It is required to perform 802.1X authentication on the client. Figure 5-8 802.1X authentication configuration Configuration procedure 1) Configure the fat AP # Enable port security, and set the authentication method of the 802.1X user to eap. <AP> system-view [AP] port-security enable 5-16

[AP] dot1x authentication-method eap # Configure a RADIUS scheme name rad. Configure the IP addresses of both the primary authentication and authorization servers as 10.18.1.88, the shared key of the authentication, authorization, and accounting servers as 12345678, and configure the scheme to exclude the ISP domain name from the usernames sent to the RADIUS server. [AP] radius scheme rad [AP-radius-rad] primary authentication 10.18.1.88 [AP-radius-rad] primary accounting 10.18.1.88 [AP-radius-rad] key authentication 12345678 [AP-radius-rad] key accounting 12345678 [AP-radius-rad] user-name-format without-domain [AP-radius-rad] quit # Configure AAA domain cams by referencing RADIUS authentication/authorization/accounting scheme rad. [AP] domain cams [AP-isp-cams] authentication lan-access radius-scheme rad [AP-isp-cams] authorization lan-access radius-scheme rad [AP-isp-cams] accounting lan-access radius-scheme rad [AP-isp-cams] quit # Configure cams as the default ISP domain. [AP] domain default enable cams # Configure port security on interface WLAN-BSS 1: specify the port mode as userlogin-secure-ext, and the key type as 802.11 key. [AP] interface wlan-bss 1 [AP-WLAN-BSS1] port-security port-mode userlogin-secure-ext [AP-WLAN-BSS1] port-security tx-key-type 11key # Disable the multicast trigger function and the online user handshake function. [AP-WLAN-BSS1] undo dot1x multicast-trigger [AP-WLAN-BSS1] undo dot1x handshake [AP-WLAN-BSS1] quit # Create a crypto-type WLAN service template, configure its SSID as dot1xtest. [AP] wlan service-template 1 crypto [AP-wlan-st-1] ssid dot1xtest # Enable the RSN information element in the beacon and probe response frames, and enable the CCMP cipher suite. [AP-wlan-st-1] security-ie rsn [AP-wlan-st-1] cipher-suite ccmp # Specify the open-system authentication mode, and enable the WLAN service template. [AP-wlan-st-1] authentication-method open-system [AP-wlan-st-1] security-ie rsn [AP-wlan-st-1] service-template enable [AP-wlan-st-1] quit # Configure the radio type as 802.11g for radio interface WLAN-Radio 1/0/2, and bind service template 1 to interface WLAN-BSS1 on the radio interface. [AP] interface wlan-radio1/0/2 [AP-WLAN-Radio1/0/2] radio-type dot11g [AP-WLAN-Radio1/0/2] service-template 1 interface wlan-bss 1 5-17

2) Configure the RADIUS server (imc) The following takes the imc (the imc versions are imc PLAT 3.20-R2602 and imc UAM 3.60-E6102) as an example to illustrate the basic configurations of the RADIUS server. # Add access device. Log in to the imc management platform. Select the Service tab, and then select Access Service > Access Device from the navigation tree to enter the access device configuration page. Click Add on the page to enter the configuration page shown in Figure 5-9: Add 12345678 for Shared Key. Add ports 1812, and 1813 for Authentication Port and Accounting Port respectively. Select LAN Access Service for Service Type. Select H3C for Access Device Type. Select or manually add an access device with the IP address 10.18.1.1. Figure 5-9 Add access device # Add service. Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to enter the add service page. Then click Add on the page to enter the configuration page shown in Figure 5-10. Set the service name to dot1x. Select EAP-PEAP AuthN from the Certificate Type drop-down list, and MS-CHAPV2 AuthN from the Certificate Sub-Type drop-down list. 5-18

Figure 5-10 Add service # Add account. Select the User tab, and then select Users > All Access Users from the navigation tree to enter the user page. Then, click Add on the page to enter the page shown in Figure 5-11. Enter a username. Add an account user and password dot1x. Select the dot1x option. Figure 5-11 Add account 3) Configure the wireless card 5-19

Double click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears. Click the Properties button in the General tab. The Wireless Network Connection Properties window appears. In the Wireless Networks tab, select wireless network with the SSID dot1x, and then click Properties. The dot1x Properties window appears. Then, in the Authentication tab, select Protected EAP (PEAP) from the EAP type drop-down list, and click Properties. In the popup window, clear Validate server certificate, and click Configure. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any). The configuration procedure is as shown in Figure 5-12 through Figure 5-14. 5-20

Figure 5-12 Configure the wireless card (I) 5-21

Figure 5-13 Configure the wireless card (II) 5-22

Figure 5-14 Configure the wireless card (III) 4) Verify the configuration. The client can pass 802.1X authentication and associate with the AP. You can use the display wlan client command, display connection command and display dot1x command to view the online clients. Dynamic WEP Encryption-802.1X Authentication Configuration Example Network requirements As shown in Figure 5-15, a fat AP with IP address 10.18.1.1 and a RADIUS server with IP address 10.18.1.88 are connected through a Layer 2 switch. It is required to perform dynamic WEP encryption. 5-23