Table of Contents 1 WLAN Security Configuration Commands 1-1


Table of Contents

1 WLAN Security Configuration Commands
    authentication-method
    cipher-suite
    gtk-rekey client-offline enable
    gtk-rekey enable
    gtk-rekey method
    ptk-lifetime
    security-ie
    tkip-cm-time
    wep default-key
    wep key-id
    wep mode

The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

Support of the H3C WA series WLAN access points (APs) for commands may vary by AP model. For more information, see Feature Matrix.

The interface types and the number of interfaces vary by AP model.

1 WLAN Security Configuration Commands

authentication-method

authentication-method { open-system | shared-key }
undo authentication-method { open-system | shared-key }

WLAN service template view

open-system: Enables open system authentication.
shared-key: Enables shared key authentication.

Use the authentication-method command to select the 802.11 authentication method to be used.
Use the undo authentication-method command to disable the selected authentication method.
By default, open system authentication is enabled.

When you use this command to set the authentication method, if the current service template is of crypto type and the encryption mode is WEP, you can set the authentication method to either open system or shared key.
If the current service template is of clear type, you can only enable open system authentication.
If the current service template is of crypto type, you can enable open system or shared key authentication.

# Enable the open system authentication.
[Sysname] wlan service-template 1 clear
[Sysname-wlan-st-1] authentication-method open-system

# Enable shared key authentication.
[Sysname-wlan-st-1] authentication-method shared-key

cipher-suite

cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 } *
undo cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 } *

ccmp: Enables the CCMP cipher suite. CCMP is an AES-based encryption method.
tkip: Enables the TKIP cipher suite. TKIP is an encryption method based on RC4 and dynamic key management.
wep40: Enables the WEP-40 cipher suite. WEP is an encryption method based on RC4 and shared key management.
wep104: Enables the WEP-104 cipher suite.
wep128: Enables the WEP-128 cipher suite.

Use the cipher-suite command to select the cipher suite used to encrypt frames. The supported cipher suites are CCMP, TKIP, WEP40, WEP104 and WEP128.
Use the undo cipher-suite command to disable the selected cipher suite.
By default, no cipher suite is selected.

# Enable TKIP cipher suite.
[Sysname-wlan-st-1] cipher-suite tkip

gtk-rekey client-offline enable

gtk-rekey client-offline enable
undo gtk-rekey client-offline

None

Use the gtk-rekey client-offline enable command to refresh the group temporal key (GTK) when a client goes off-line. This function takes effect only when the gtk-rekey enable command has been executed.
Use the undo gtk-rekey client-offline command to stop refreshing the GTK when a client goes off-line.
By default, the GTK is not refreshed when a client goes off-line.

# Enable GTK refreshing when some client is off-line.
[Sysname-wlan-st-1] gtk-rekey client-offline enable

gtk-rekey enable

gtk-rekey enable
undo gtk-rekey enable

None

Use the gtk-rekey enable command to allow GTK refresh.
Use the undo gtk-rekey enable command to disable GTK refresh.
By default, GTK refresh is enabled.

# Disable GTK refresh.
[Sysname-wlan-st-1] undo gtk-rekey enable

gtk-rekey method

gtk-rekey method { packet-based [ packet ] | time-based [ time ] }
undo gtk-rekey method

packet-based: Indicates that the GTK is rekeyed after a specified number of packets has been transmitted.
packet: Number of packets (including multicasts and broadcasts) that are transmitted before the GTK is refreshed. The value ranges from 5000 to 4294967295.
time-based: Indicates that the GTK is rekeyed on a time basis.
time: Specifies the time after which the GTK is refreshed. The value ranges from 180 to 604800 seconds.

Use the gtk-rekey method command to select a mechanism for re-keying the GTK.
Use the undo gtk-rekey method command to restore the default refreshing method.
By default, the GTK refreshing method is time-based, and the interval is 86400 seconds.

If the time-based option is selected, the GTK is refreshed after a specified period of time. The time ranges from 180 seconds to 604800 seconds, and the default value is 86400 seconds.
If the packet-based option is selected, the GTK is refreshed after a specified number of packets has been transmitted. The number of packets ranges from 5000 to 4294967295, and the default value is 10000000.
The method that is configured later overwrites the previous one. For example, if you configure the packet-based method and then configure the time-based method, the time-based method is enabled.

# Enable packet-based GTK refreshing and the packets number is 60000.
[Sysname-wlan-st-1] gtk-rekey method packet-based 60000

ptk-lifetime

ptk-lifetime time
undo ptk-lifetime

time: Lifetime in seconds, which ranges from 180 to 604800.

Use the ptk-lifetime command to change the lifetime of the pairwise transient key (PTK).
Use the undo ptk-lifetime command to restore the default PTK lifetime.
By default, the lifetime of the PTK is 43200 seconds.

# Specify the PTK lifetime to 86400 seconds.
[Sysname-wlan-st-1] ptk-lifetime 86400

security-ie

security-ie { rsn | wpa }
undo security-ie { rsn | wpa }

rsn: Enables the RSN information element in the beacon and probe response frames sent by the AP. The RSN IE advertises the Robust Security Network (RSN) capabilities of the AP.
wpa: Enables the WPA information element in the beacon and probe response frames sent by the AP. The WPA IE advertises the Wi-Fi Protected Access (WPA) capabilities of the AP.

Use the security-ie command to include the WPA-IE, the RSN-IE, or both in the beacon and probe response frames.
Use the undo security-ie command to remove the WPA-IE or RSN-IE from the beacon and probe response frames.
By default, both WPA-IE and RSN-IE are disabled.

# Enable the WPA-IE in the frames.
[Sysname-wlan-st-1] security-ie wpa

tkip-cm-time

tkip-cm-time time
undo tkip-cm-time

time: Countermeasure time for Message Integrity Check (MIC) failure in seconds. The value ranges from 0 to 3600 seconds.

Use the tkip-cm-time command to set the Temporal Key Integrity Protocol (TKIP) countermeasure time.
Use the undo tkip-cm-time command to restore the default TKIP countermeasure time.
By default, the TKIP countermeasure time is 0 seconds, that is, no countermeasures are taken.

After countermeasures are enabled, if more than two MIC failures occur within a certain time, the TKIP associations are disassociated, and new associations can be established only after the specified TKIP countermeasure time expires.

# Set the TKIP counter measure time to 90 seconds.
[Sysname-wlan-st-1] tkip-cm-time 90

wep default-key

wep default-key key-index { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
undo wep default-key key-index

key-index: The key index values can be:
    1: Configures the 1st wep default key.
    2: Configures the 2nd wep default key.
    3: Configures the 3rd wep default key.
    4: Configures the 4th wep default key.
wep40: Indicates the wep40 key option.
wep104: Indicates the wep104 key option.
wep128: Indicates the wep128 key option.
pass-phrase: Enables the pass-phrase option. A string of alphanumeric characters is then used as the key. If WEP40 is selected, 5 alphanumeric characters should be entered as the key; if WEP104 is selected, 13 alphanumeric characters should be entered as the key; if WEP128 is selected, 16 alphanumeric characters should be entered as the key.
raw-key: Enables the raw-key option. The key is entered as a hexadecimal number. If WEP40 is selected, a 10-digit hexadecimal number should be entered as the key; if WEP104 is selected, a 26-digit hexadecimal number should be entered as the key; if WEP128 is selected, a 32-digit hexadecimal number should be entered as the key. The length of the raw-key is fixed.
cipher key: Sets the wep key in cipher text, and the key is displayed in cipher text. The key argument is a case sensitive string of 24 to 88 characters.
simple key: Sets the wep key in simple text, and the key is displayed in simple text. The value range of the key argument (case sensitive) depends on the key option you select.

If you provide neither the simple nor the cipher keyword, you set a wep key in simple text, and the key will be displayed in cipher text. The value range of the key argument is the same as the key specified by simple key.

Use the wep default-key command to configure the wep default key.
Use the undo wep default-key command to delete the configured wep default key.
By default, no wep default key is configured.

# Specify the wep default key 1 (wep40) as hello.
[Sysname-wlan-st-1] wep default-key 1 wep40 pass-phrase hello

# Specify the wep default key as c25d3fe4483e867d1df96eaacd.
[Sysname-wlan-st-1] wep default-key 1 wep104 raw-key c25d3fe4483e867d1df96eaacd

wep key-id

wep key-id { 1 | 2 | 3 | 4 }
undo wep key-id

key-index: The key index ranges from 1 to 4:
    1: Selects the key index as 1.
    2: Selects the key index as 2.
    3: Selects the key index as 3.
    4: Selects the key index as 4.

Use the wep key-id command to configure the key index.
Use the undo wep key-id command to restore the default.
By default, the key index is 1.

There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the specified key index will be used for encrypting and decrypting the broadcast and multicast frames.

# Set the key index to 2.
[Sysname-wlan-st-1] wep key-id 2

wep mode

wep mode dynamic
undo wep mode

Service template view

dynamic: Enables dynamic WEP encryption.

Use the wep mode command to enable WEP encryption.
Use the undo wep mode command to restore the default.
By default, static WEP encryption is enabled.

Dynamic WEP encryption must be used together with 802.1X authentication, and the WEP key ID cannot be configured as 4.

With dynamic WEP encryption configured, the device automatically uses the WEP 104 encryption method. To change the encryption method, use the cipher-suite command.

With dynamic WEP encryption configured, the WEP key used to encrypt unicast frames is negotiated between client and server. If the WEP default key is configured, the WEP default key is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.

Related commands: wep key-id, cipher-suite, and wep default-key.

# Specify the WEP encryption mode as dynamic.
[Sysname-wlan-st-1] wep mode dynamic
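The value ranges, WEP key lengths and template restrictions documented above can be checked mechanically before a configuration is pushed to an AP. The following Python sketch is an added example, not H3C code: the function name audit, the finding texts and the sample configuration are constructed for illustration, and the crypto keyword on the wlan service-template line is inferred from this reference's mention of crypto-type templates. Reporting RC4-based cipher suites and a disabled GTK refresh is this example's own review policy, not a rule from the reference.

```python
import re

# Value ranges and WEP key lengths as the command reference states them.
RANGES = {"ptk-lifetime": (180, 604800), "tkip-cm-time": (0, 3600),
          "gtk-rekey method time-based": (180, 604800),
          "gtk-rekey method packet-based": (5000, 4294967295)}
WEP_LEN = {"wep40": (5, 10), "wep104": (13, 26), "wep128": (16, 32)}  # (chars, hex digits)
RC4_SUITES = {"tkip", "wep40", "wep104", "wep128"}  # flagging these is this example's policy

def audit(config):
    """Return a list of findings for one service template's command lines."""
    findings, template, dynamic, key_id = [], None, False, 1
    for raw in config.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())  # drop the "[Sysname-...]" prompt
        words = line.split()
        if not words or line.startswith("#"):
            continue
        if words[:2] == ["wlan", "service-template"]:
            template = words[-1]  # "clear" or "crypto"
        elif line == "authentication-method shared-key" and template == "clear":
            findings.append("shared-key authentication on a clear template")
        elif words[0] == "cipher-suite":
            findings += [f"RC4-based cipher suite: {s}" for s in words[1:] if s in RC4_SUITES]
        elif line == "undo gtk-rekey enable":
            findings.append("GTK refresh disabled")
        elif line == "wep mode dynamic":
            dynamic = True
        elif words[:2] == ["wep", "key-id"]:
            key_id = int(words[2])
        elif words[:2] == ["wep", "default-key"] and "cipher" not in words[5:-1]:
            suite, mode, key = words[3], words[4], words[-1]
            chars, digits = WEP_LEN[suite]
            pattern = r"[0-9A-Za-z]{%d}" % chars if mode == "pass-phrase" else r"[0-9A-Fa-f]{%d}" % digits
            if not re.fullmatch(pattern, key):
                findings.append(f"{suite} {mode} key has the wrong length or format")
        for cmd, (low, high) in RANGES.items():
            if line.startswith(cmd + " ") and not low <= int(words[-1]) <= high:
                findings.append(f"{cmd} {words[-1]} is outside {low}-{high}")
    if dynamic and key_id == 4:
        findings.append("dynamic WEP cannot use key ID 4")
    return findings

# Constructed sample input (not taken from a real device).
SAMPLE = """\
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] cipher-suite tkip ccmp
[Sysname-wlan-st-1] ptk-lifetime 60
[Sysname-wlan-st-1] wep default-key 1 wep104 raw-key c25d3fe4
"""
```

Calling audit(SAMPLE) returns one finding each for the TKIP suite, the out-of-range PTK lifetime and the too-short raw key; keys entered with the cipher keyword are skipped because their plaintext length cannot be checked.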