Page 1
HP A-MSR Router Series
Part number: 5998-2030
Software version: CMW520-R2207P02
Document version: 6PW100-20110810
WLAN
Configuration Guide
Abstract
This document describes the software features for the HP A Series products and guides you through the
software configuration procedures. These configuration guides also provide configuration examples to help
you apply software features to different network scenarios.
This documentation is intended for network planners, field technical support and servicing engineers, and
network administrators working with the HP A Series products.
Page 2
Legal and notice information
© Copyright 2011 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior
written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for
incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Page 3
Contents
WLAN interface configuration ······································································································································· 1
WLAN-radio interface ······················································································································································ 1
Configuring a WLAN-radio interface ···················································································································· 1
WLAN-BSS interface ························································································································································· 1
Configuring a WLAN-BSS interface ······················································································································· 1
WLAN-Ethernet interface ·················································································································································· 2
Entering WLAN-Ethernet interface view ················································································································· 2
Configuring a WLAN-Ethernet interface ················································································································ 3
Displaying and maintaining a WLAN interface ············································································································ 8
WLAN service configuration ·········································································································································· 9
Basic concepts ·························································································································································· 9
Wireless client access ·············································································································································· 9
WLAN topologies ·························································································································································· 12
Protocols and standards ················································································································································ 14
Configuring WLAN service ··········································································································································· 14
Configuration task list ··········································································································································· 14
Configuring global WLAN parameters ·············································································································· 14
Specifying a country code···································································································································· 14
Configuring a WLAN service template ··············································································································· 15
Configuring radio parameters ····························································································································· 15
Configuring the radio of the AP ·························································································································· 16
Configuring 802.11n ··········································································································································· 17
Displaying and maintaining WLAN service ······································································································· 18
Configuring WLAN client isolation ······························································································································ 19
Enabling WLAN client isolation ·························································································································· 19
Configuring SSID-based access control ······················································································································· 19
Specifying a permitted SSID in a user profile ···································································································· 19
WLAN service configuration examples ······················································································································· 20
WLAN service configuration example ················································································································ 20
802.11n configuration example ························································································································· 21
WLAN RRM configuration ············································································································································ 23
Configuration task list ···················································································································································· 23
Configuring data transmit rates ···································································································································· 23
Configuring 802.11b/802.11g rates ················································································································ 23
Configuring 802.11n rates ·································································································································· 24
Configuring non-dot11h channel scanning ················································································································· 26
Enabling 802.11g protection ······································································································································· 26
Displaying and maintaining WLAN RRM ··················································································································· 27
WLAN security configuration ······································································································································· 28
Authentication modes ··········································································································································· 28
WLAN data security ············································································································································· 29
Client access authentication ································································································································· 30
Protocols and standards ······································································································································· 30
Configuring WLAN security ·········································································································································· 31
Configuration task list ··········································································································································· 31
Enabling an authentication method ····················································································································· 31
Configuring the PTK lifetime ································································································································· 31
Configuring the GTK rekey method ····················································································································· 32
iii
Page 4
Configuring security IE ·········································································································································· 33
Configuring cipher suite ······································································································································· 34
Configuring port security ······································································································································ 35
Displaying and maintaining WLAN security ······································································································ 37
WLAN security configuration examples ······················································································································ 37
PSK authentication configuration example ········································································································· 37
MAC and PSK authentication configuration example ······················································································· 38
802.1X authentication configuration example ·································································································· 41
Supported combinations for ciphers ···························································································································· 46
WLAN IDS configuration ·············································································································································· 49
Terminology ··························································································································································· 49
WIDS attack detection ·········································································································································· 49
WLAN IDS configuration task list ································································································································· 50
Configuring IDS attack detection ································································································································· 50
Displaying and maintaining IDS attack detection ······························································································ 51
WLAN IDS frame filtering configuration ····················································································································· 52
Blacklist and white list ··········································································································································· 52
Configuring WLAN IDS frame filtering ························································································································ 53
Displaying and maintaining WLAN IDS frame filtering ···························································································· 54
WLAN IDS frame filtering configuration example ······································································································ 54
WLAN QoS configuration ············································································································································ 55
Terminology ··························································································································································· 55
WMM protocol overview ····································································································································· 55
Protocols and standards ······································································································································· 57
WMM configuration ······················································································································································ 57
Displaying and maintaining WMM ····························································································································· 59
WMM configuration examples ···································································································································· 59
WMM basic configuration ··································································································································· 59
CAC service configuration example ··················································································································· 60
SVP service configuration example ····················································································································· 62
Troubleshooting ······························································································································································ 63
EDCA parameter configuration failure ··············································································································· 63
SVP or CAC configuration failure························································································································ 63
Support and other resources ········································································································································ 64
Contacting HP ································································································································································ 64
Subscription service ·············································································································································· 64
Related information ························································································································································ 64
Documents ······························································································································································ 64
Websites ································································································································································ 64
Conventions ···································································································································································· 65
Index ················································································································································································ 67
iv
Page 5
WLAN interface configuration
To do…
Use the Command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN-radio interface
view.
interface wlan-radio
interface-number
Required.
3. Set the description for the
interface.
description text
Optional.
By default, the description string of
an interface is interface-name +
Interface.
4. Restore the default settings of
the WLAN-radio interface.
default
Optional.
5. Shut down the WLAN-radio
interface.
shutdown
Optional.
By default, a WLAN-Radio
interface is up.
The terms AP and fat AP in this document refer to A-MSR900 and A-MSR20-1X routers with IEEE 802.11b/g
and A-MSR series routers installed with a SIC WLAN module.
Wireless routers support WLAN-Radio interfaces, which are physical interfaces that provide wireless network
access.
Wireless routers support WLAN-BSS and WLAN-Ethernet virtual interfaces. Use WLAN-Radio interfaces on
routers as common physical access interfaces. You can bind them to WLAN-BSS interfaces and
WLAN-Ethernet interfaces.
WLAN-radio interface
WLAN-Radio interfaces are physical interfaces used to provide wireless access service. You can configure
them, but you cannot remove them manually.
Configuring a WLAN-radio interface
To configure a WLAN-radio interface:
WLAN-BSS interface
WLAN-BSS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 Ethernet ports of the access
link type. A WLAN-BSS interface supports multiple Layer 2 protocols. On a wireless router, a WLAN-Radio
interface bound to a WLAN-BSS interface operates as a Layer 2 interface.
Configuring a WLAN-BSS interface
To configure a WLAN-BSS interface:
1
Page 6
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN-BSS interface
view.
interface wlan-bss
interface-number
Required.
If the WLAN-BSS interface does
not exist, this command creates the
WLAN-BSS interface first.
3. Set the description string for the
interface.
description text
Optional.
By default, the description string of
an interface is interface-name +
Interface.
4. Assign the WLAN-BSS
interface to a VLAN.
port access vlan vlan-id
Optional.
By default, an interface belongs to
VLAN 1 (the default VLAN).
5. Specify an authentication
domain for MAC
authentication users.
mac-authentication domain
domain-name
Optional.
By default, the default
authentication domain is used for
MAC authentication users.
6. Set the maximum number of
concurrent MAC
authentication users on a port.
mac-authentication max-user
user-number
Optional.
256 by default
7. Restore the default settings of
the WLAN-BSS interface.
default
Optional.
8. Shut down the WLAN-BSS
interface.
shutdown
Optional.
By default, a WLAN-BSS interface
is up.
Before you execute the port access vlan command, make sure the VLAN specified by the vlan-id parameter
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
already exists. Use the vlan command to create a VLAN. For more information about the port access vlan
command, see Layer 2—LAN Switching Command Reference.
For more information about the mac-authentication domain and mac-authentication max-user commands,
see Security Command Reference.
WLAN-Ethernet interface
WLAN-Ethernet interfaces are virtual Layer 3 interfaces. They operate like Layer 3 Ethernet interfaces. You
can assign an IP address to a WLAN-Ethernet interface. On a wireless router, a WLAN-Radio interface
bound to a WLAN-Ethernet interface operates as a Layer 3 interface.
Entering WLAN-Ethernet interface view
To enter WLAN-Ethernet interface view:
2
Page 7
To do…
Use the command…
Remarks
2. Enter WLAN-Ethernet interface
view.
interface wlan-ethernet
interface-number
Required.
If the WLAN-Ethernet interface
does not exist, this command
creates the WLAN-Ethernet
interface first.
3. Restore the default settings of
the WLAN-Ethernet interface.
default
Optional.
To do…
Use the command…
1. Configure an interface.
qos max-bandwidth
shutdown
mtu
description
enable snmp trap updown
2. Configure ARP.
arp max-learning-num
arp proxy enable
proxy-arp enable
3. Configure the interface as a BOOTP client.
ip address bootp-alloc
4. Configure
DHCP.
Configure DHCP server.
dhcp select server global-pool
Configure DHCP relay.
dhcp relay address-check
dhcp relay information enable
dhcp relay information format
dhcp relay information strategy
dhcp relay release
dhcp relay server-select
dhcp select relay
Configure DHCP client.
ip address dhcp-alloc
5. Configure IP accounting.
ip count firewall-denied
ip count inbound-packets
ip count outbound-packets
6. Assign an IP address to the interface.
ip address
7. Configure IP performance.
ip forward-broadcast
tcp mss
8. Configure policy-based routing.
ip policy-based-route
9. Configure UDP helper.
udp-helper server
10. Configure URPF.
ip urpf
11. Configure fast forwarding.
ip fast-forwarding
Configuring a WLAN-Ethernet interface
For a WLAN-Ethernet interface, you can configure basic settings such as MTU, and ARP, DHCP, and routing
protocols as listed in the following table. For information about the commands/features listed in the following
table, see related chapters in the corresponding volumes.
3
Page 8
To do…
Use the command…
12. Configure basic IPv6 settings.
ipv6 address
ipv6 address auto link-local
ipv6 mtu
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
ipv6 nd dad attempts
ipv6 nd ns retrans-timer
ipv6 nd nud reachable-time
ipv6 nd ra halt
ipv6 nd ra interval
ipv6 nd ra prefix
ipv6 nd ra router-lifetime
ipv6 neighbors max-learning-num
ipv6 policy-based-route
13. Configure NAT-PT.
natpt enable
14. Configure IS-IS.
isis authentication-mode
isis circuit-level
isis circuit-type p2p
isis cost
isis dis-name
isis dis-priority
isis enable
isis mesh-group
isis small-hello
isis timer csnp
isis timer hello
isis timer holding-multiplier
isis timer lsp
isis timer retransmit
isis silent
15. Configure OSPF.
ospf authentication-mode simple
ospf authentication-mode
ospf cost
ospf dr-priority
ospf mtu-enable
ospf network-type
ospf timer dead
ospf timer hello
ospf timer poll
ospf timer retransmit
ospf trans-delay
4
Page 9
To do…
Use the command…
16. Configure RIP.
rip authentication-mode
rip input
rip output
rip metricin
rip metricout
rip poison-reverse
rip split-horizon
rip summary-address
rip version
17. Configure IPv6 IS-IS.
isis ipv6 enable
18. Configure IPv6 OSPFv3.
ospfv3 cost
ospfv3 mtu-ignore
ospfv3 timer dead
ospfv3 timer hello
ospfv3 timer retransmit
ospfv3 area
ospfv3 dr-priority
ospfv3 trans-delay
19. Configure IPv6 RIPng.
ripng default-route
ripng enable
ripng metricin
ripng metricout
ripng poison-reverse
ripng split-horizon
ripng summary-address
20. Configure basic MPLS capabilities.
mpls
mpls ldp
mpls ldp timer hello-hold
mpls ldp timer keepalive-hold
mpls ldp transport-address
21. Configure BGP/MPLS VPN.
ip binding vpn-instance
22. Configure PPPoE.
pppoe-server bind virtual-template
pppoe-client dial-bundle-number
23. Configure bridge sets.
bridge-set
24. Configure
multicast.
Configure multicast routing and
forwarding.
multicast minimum-ttl
multicast ipv6 minimum-hoplimit
multicast boundary
multicast ipv6 boundary
Configure IPv6 multicast routing
and forwarding.
multicast ipv6 minimum-hoplimit
multicast ipv6 boundary
5
Page 10
To do…
Use the command…
Configure IGMP.
igmp enable
igmp fast-leave
igmp group-policy
igmp last-member-query-interval
igmp max-response-time
igmp require-router-alert
igmp robust-count
igmp send-router-alert
igmp static-group
igmp timer other-querier-present
igmp timer query
igmp version
Configure MLD.
mld enable
mld last-listener-query-interval
mld max-response-time
mld require-router-alert
mld send-router-alert
mld robust-count
mld timer other-querier-present
mld timer query
mld version
mld static-group
mld group-policy
mld fast-leave
Configure PIM.
pim bsr-boundary
pim hello-option
pim holdtime
pim require-genid
pim sm
pim dm
pim state-refresh-capable
pim timer graft-retry
pim timer hello
pim timer join-prune
pim triggered-hello-delay
6
Page 11
To do…
Use the command…
Configure IPv6 PIM.
pim ipv6 bsr-boundary
pim ipv6 hello-option
pim ipv6 holdtime
pim ipv6 require-genid
pim ipv6 sm
pim ipv6 dm
pim ipv6 state-refresh-capable
pim ipv6 timer graft-retry
pim ipv6 timer hello
pim ipv6 timer join-prune
pim ipv6 triggered-hello-delay
25. QoS
Configure traffic policing, traffic
shaping, and line rate.
qos car
qos gts any cir
qos gts acl
Apply a QoS policy.
qos apply policy
Configure congestion
avoidance.
qos max-bandwidth
26. Configure firewall.
firewall ethernet-frame-filter
firewall packet-filter
firewall packet-filter ipv6
firewall aspf
27. Configure NAT.
nat outbound
nat outbound static
nat server
28. Configure Portal.
portal auth-network
portal server
29. Configure IPsec.
ipsec policy
30. Configure the backup center.
standby interface
standby threshold
standby timer delay
standby timer flow-check
standby bandwidth
31. Configure NetStream.
ip netstream
32. Configure NTP.
ntp-service broadcast-client
ntp-service broadcast-server
ntp-service multicast-client
ntp-service multicast-server
ntp-service in-interface disable
33. Configure IPX.
ipx encapsulation
7
Page 12
To do…
Use the command…
34. Configure port security.
port-security authorization ignore
port-security max-mac-count
port-security port-mode { mac-and-psk |
mac-authentication | mac-else-userlogin-secure
| mac-else-userlogin-secure-ext | psk |
userlogin-secure | userlogin-secure-ext |
userlogin-secure-ext-or-psk |
userlogin-secure-or-mac |
userlogin-secure-or-mac-ext }
port-security preshared-key { pass-phrase |
raw-key }
port-security tx-key-type 11key
Displaying and maintaining a WLAN interface
To do…
Use the command…
Remarks
Display information about
WLAN-Radio interfaces.
display interface [ wlan-radio ]
[ brief [ down ] ] [ | { begin |
exclude | include }
regular-expression ]
display interface wlan-radio
interface-number [ brief ] [ |
{ begin | exclude | include }
regular-expression ]
Available in any view
Display information about
WLAN-BSS interfaces.
display interface [ wlan-bss] [ brief
[ down ] ] [ | { begin | exclude |
include } regular-expression ]
display interface wlan-bss
interface-number [ brief ] [ |
{ begin | exclude | include }
regular-expression ]
Available in any view
Display information about
WLAN-Ethernet interfaces.
display interface [ wlan-ethernet ]
[ brief [ down ] ] [ | { begin |
exclude | include }
regular-expression ]
display interface wlan-ethernet
interface-number [ brief ] [ |
{ begin | exclude | include }
regular-expression ]
Available in any view
8
Page 13
WLAN service configuration
The terms AP and fat AP in this document refer to A-MSR900 and A-MSR20-1X routers with IEEE 802.11b/g
and A-MSR series routers installed with a SIC WLAN module.
WLANs have become very popular because they are easy to set up and maintain. Generally, several APs
can cover a building or an area. Because the servers in the backbone are fixed, a WLAN is not a completely
wireless network.
The WLAN solution allows you to provide the following wireless LAN services to your customers:
WLAN client connectivity to conventional 802.3 LANs
Secured WLAN access with different authentication and encryption methods
Seamless roaming of WLAN clients in the mobility domain
Basic concepts
Client
A handheld computer or laptop with a wireless NIC can be a WLAN client.
Access point
An AP bridges frames between wireless and wired networks.
Fat AP
A fat AP controls and manages all associated wireless stations and bridges frames between wired and
wireless networks.
SSID
Service set identifier. A client scans all networks at first, and then selects a specific SSID to connect to a
specific wireless network.
Wireless medium
A medium used for transmitting frames between wireless clients. Radio frequency is used as the wireless
medium in the WLAN system.
Wireless client access
A wireless client access process involves three steps: active/passive scanning surrounding wireless services,
authentication, and association, as shown in Figure 1.
9
Page 14
AP
Client
Authentication request
Authentication response
Association request
Association response
Active/Passive scanning
AP 2
Client
AP 1
Probe request
(
with no SSID
)
Probe request
(
with no SSID
)
Probe Response
Probe Response
Scanning
Figure 1 Establish a client access
A wireless client can get the surrounding wireless network information in two ways: passive scanning or
active scanning. With passive scanning, a wireless client gets wireless network information through listening
to Beacon frames sent by surrounding APs. With active scanning, a wireless actively sends a probe request
frame during scanning, and gets network signals by received probe response frames.
Actually, when a wireless client operates, typically it uses both passive scanning and active scanning to get
information about surrounding wireless networks.
1. Active scanning
When a wireless client operates, it periodically searches for (scans) surrounding wireless networks. Active
scanning falls into two modes according to whether a specified SSID is carried in a probe request.
A client sends a probe request (with the SSID null, or, the SSID IE length is 0): The client periodically
Figure 2 Active scanning (the SSID of the probe request is null, or, no SSID information is carried)
sends a probe request frame on each of its supported channels to scan wireless networks. APs that
receive the probe request send a probe response, which carries the available wireless network
information. The client associates with the AP with the strongest signal. This active scanning mode
enables a client to actively get acquainted with the available wireless services and select to access the
proper wireless network as needed. The active scanning process of a wireless client is as shown in
Figure 2.
10
Page 15
Client
AP 1
(SSID=AP1)
Probe Request
(SSID=AP1)
Probe Response
AP
Client
Beacon
Client
Beacon
A client sends a probe request (with a specified SSID): When the wireless client is configured to access
a specific wireless network or has already successfully accessed a wireless network, the client
periodically sends a probe request carrying the specified SSID of the configured or connected wireless
network. When an AP that can provide the wireless service with the specified SSID receives the probe
request, it sends a probe response. This active scanning mode enables a client to access a specified
wireless network. The active scanning process is as shown in Figure 3.
Figure 3 Active scanning (the probe request carries the specified SSID AP 1)
2. Passive scanning
Passive scanning is used by clients to discover surrounding wireless networks by listening to the beacon
frames periodically sent by an AP. All APs providing wireless services periodically send beacons frames, so
that wireless clients can listen to beacon frames periodically on the supported channels to get information
about surrounding wireless networks. Passive scanning is used by a client when it wants to save battery
power. Typically, VoIP clients adopt the passive scanning mode. The passive scanning process is as shown
in Figure 4.
Figure 4 Passive scanning
Authentication
To secure wireless links, the wireless clients must be authenticated before accessing the AP, and only wireless
clients passing the authentication can be associated with the AP. 802.11 links define two authentication
mechanisms: open system authentication and shared key authentication.
For more information about the two authentication mechanisms, see the chapter ―WLAN security
configuration."
Association
A client that wants to access a wireless network via an AP must be associated with that AP. Once the client
chooses a compatible network with a specified SSID and passes the link authentication to an AP, it sends an
association request frame to the AP. The AP detects the capability information carried in the association
request frame, determines the capability supported by the wireless client, and sends an association response
to the client to notify the client of the association result. Usually, a client can associate with only one AP at a
time, and an association process is always initiated by the client.
11
Page 16
FAT AP
Gateway
Client1
Client 2
BSS
Internet
Other related procedures
1. De-authentication
A de-authentication frame can be sent by either an AP or wireless client to break an existing link. In a wireless
system, de-authentication can occur due to many reasons, such as:
Receiving an association/disassociation frame from a client which is unauthenticated.
Receiving a data frame from a client which is unauthenticated.
Receiving a PS-poll frame from a client which is unauthenticated.
2. Dissociation
A dissociation frame can be sent by an AP or a wireless client to break the current wireless link. In the wireless
system, dissociation can occur due to many reasons, such as:
Receiving a data frame from a client which is authenticated and unassociated.
Receiving a PS-Poll frame from a client which is authenticated and unassociated.
WLAN topologies
WLAN topologies for fat APs consist of:
Single BSS
Multi-ESS
Single ESS Multi-BSS
Single BSS
The coverage of an AP is a BSS. Each BSS is identified by a BSSID. The most basic WLAN network can be
established with only one BSS. All wireless clients associate with the same BSS. If these clients have the same
authorization, they can communicate with each other. Figure 5 shows a single BSS network.
Figure 5 Single BSS network
The clients can communicate with each other or reach a host in the Internet. Communications between clients
within the same BSS are carried out through the fat AP.
12
Page 17
FAT AP
Gateway
Client1 Client 2
Internet
ESS 1
ESS 2
FAT AP
Gateway
Client 2
Internet
Radio 2
Radio 1
Client 1
ESS 1
ESS 1
BSS 2
BSS 1
Multi-ESS
This topology describes a scenario where more than one ESS exists. When a mobile client joins the fat AP,
it can join one of the available ESSs. Figure 6 shows a multi-ESS network.
Figure 6 Multi-ESS network
Generally a fat AP can provide more than one logical ESS at the same time. The fat AP can broadcast the
current information of ESS by beacon or probe response frames. Clients can select an ESS it is interested to
join.
Different ESS domains can be configured on the fat AP. The fat AP can be configured to accept clients in
these ESS domains once their credentials are acceptable.
Single ESS Multi-BSS (the multi-radio case)
This topology describes a scenario where a fat AP has two radios that are in the same ESS but belong to
different BSSs.
Figure 7 Single ESS multiple BSS network
Use this network scenario when both 802.11a and 802.11b/g need to be supported. Figure 7 shows two
clients connected to different radios belong to the same ESS but different BSSs.
13
Page 18
Task
Description
Configuring global WLAN parameters
Optional
Specifying a country code
Required
Configuring a WLAN service template
Required
Configuring radio parameters
Required
Configuring the radio of the AP
Required
Configuring 802.11n
Optional
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Configure the client idle
timeout interval.
wlan client idle-timeout interval
Optional.
By default, the idle timeout interval
is 3600 seconds.
3. Configure the client keep alive
interval.
wlan client keep-alive interval
Optional.
By default, keep–alive function is
disabled.
4. Enable the fat AP to respond
to the probe requests with the
SSID null sent by the client.
wlan broadcast–probe reply
Optional.
Enabled by default.
Protocols and standards
ANSI/IEEE Std 802.11, 1999 Edition
IEEE Std 802.11a
IEEE Std 802.11b
IEEE Std 802.11g
IEEE Std 802.11i
IEEE Std 802.11-2004
IEEE Std 802.11n
Configuring WLAN service
Configuration task list
Configuring global WLAN parameters
To configure global WLAN parameters:
Specifying a country code
A country code identifies the country in which you want to operate radios. It determines characteristics such
as operating power level and total number of channels available for the transmission of frames. You must set
the valid country code or area code before configuring an AP.
14
Page 19
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Specify the country code.
wlan country-code code
By default, the country code for
North American models is US, and
for other models is CN.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Create a WLAN service
template and enter WLAN
service template view.
wlan service-template
service-template-number { clear |
crypto }
Required.
3. Specify the service set
identifier.
ssid ssid-name
Required.
By default, no SSID is set.
4. Hide the SSID in beacon
frames.
beacon ssid-hide
Optional.
By default the SSID is not hidden
in beacon frames.
5. Specify an authentication
method.
authentication-method { open system
| shared key }
Required.
For related configuration about
the shared key, see the chapter
―WLAN security configuration."
6. Specify the maximum number
of clients allowed to associate
with the same radio.
client max-count max-number
Optional.
32 by default.
7. Enable the service template.
service-template enable
Required.
Disabled by default.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
To specify the country code:
You cannot modify the country code for North American models. Country codes for other models can be
modified at the CLI.
For information about country codes, see WLAN Command Reference.
Configuring a WLAN service template
A WLAN service template includes attributes such as SSID and authentication method (open-system or
shared key) information. A service template can be of clear or crypto type. If a clear type service template
exists, you cannot change it to crypto. To do so, you must delete the clear type service template, and
configure a new service template with type as crypto.
To configure a service template:
Configuring radio parameters
To configure the radio of the AP:
15
Page 20
To do…
Use the command…
Remarks
2. Enter radio interface view.
interface wlan-radio
interface-number
—
3. Specify a radio type for the
radio.
radio-type [ type { dot11b | dot11g |
dot11gn } ]
Required.
4. Bind a service template to a
WLAN-ESS interface for the
radio.
service-template
service-template-number interface
wlan-bss interface-number
Required.
5. Specify a working channel for
the radio.
channel { channel-number | auto }
Optional.
By default, auto mode is enabled.
The working channel of a radio
varies with country codes and
radio types. The channel list
depends on your device model.
6. Specify the maximum radio
power.
max-power radio-power
Optional.
By default, the maximum radio
power varies with country codes,
channels, AP models, radio types
and antenna types. If 802.11n is
adopted, the maximum radio
power also depends on the
bandwidth mode.
7. Specify the type of preamble.
preamble { long | short }
Optional.
By default, the short preamble is
supported.
This command does not apply to
802.11a radios.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter radio view.
interface wlan-radio radio-number
Required.
3. Set the interval for sending
beacon frames.
beacon-interval interval
Optional.
By default, the beacon interval is
100 TUs.
4. Set the DTIM counter for
beacon frames.
dtim counter
Optional.
By default, the DTIM counter is 1.
5. Set the fragment threshold.
fragment-threshold size
Optional.
By default, the fragment threshold
is 2346 bytes and must be an
even number.
Configuring the radio of the AP
To configure the radio of the AP:
16
Page 21
To do…
Use the command…
Remarks
6. Specify the RTS threshold
length.
rts-threshold size
Optional.
By default, the RTS threshold is
2346 bytes.
7. Set the maximum number of
retransmission attempts for
frames larger than the RTS
threshold.
long-retry threshold count
Optional.
By default, the long retry
threshold is 4.
8. Specify the maximum number
of attempts to transmit a frame
shorter than the RTS threshold.
short-retry threshold count
Optional.
By default, the short retry
threshold is 7.
9. Specify the interval for which
a frame received by an AP
can stay in the buffer memory.
max-rx-duration interval
Optional.
By default, the interval for which a
frame received by an AP can stay
in the buffer memory is 2000
milliseconds.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter radio interface view.
interface wlan-radio
interface-number
—
3. Enter radio view.
radio radio-number type dot11gn
—
4. Specify the bandwidth mode
for the radio.
channel band-width { 20 | 40 }
Optional.
By default, the 802.11gn radio
operates in 20 MHz mode.
Configuring 802.11n
As the next generation wireless LAN technology, 802.11n supports both 2.4GHz and 5GHz bands. It
provides higher-speed services to customers by using the following methods:
1. Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz
channel. During data forwarding, the two 20-MHz channels can either work separately with one
channel acting as the primary channel and the other acting as the secondary channel; or both can
work together as a 40-MHz channel. This provides a simple way of doubling the data rate.
2. Improving channel usage through these methods:
802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can
accommodate multiple MPDUs which have their PHY headers removed. This reduces the overhead in
transmission and the number of ACK frames to be used, and improves network throughput.
Similar with MPDU aggregation, multiple MSDU can be aggregated into a single A-MSDU. This
reduces the MAC header overhead and improves MAC layer forwarding efficiency.
To improve physical layer performance, 802.11n introduces the short GI function, which shortens the GI
interval of 800 us in 802.11a/g to 400 us. This can increase the data rate by 10 percent.
To configure 802.11n:
17
Page 22
To do…
Use the command…
Remarks
5. Enable access permission for
802.11n clients only.
client dot11n-only
Optional.
By default, an 802.11gn radio
permits both 802.11b/g and
802.11gn clients to access.
6. Enable the short GI function.
short-gi enable
Optional.
Enabled by default.
7. Enable the A-MSDU function.
a-msdu enable
Optional.
Enabled by default.
The device receives but does not
send A-MSDUs.
8. Enable the A-MPDU function.
a-mpdu enable
Optional.
Enabled by default.
Feature
A-MSR900
A-MSR20-1X
A-MSR20
A-MSR30
A-MSR50
802.11n
No
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
To do…
Use the command…
Remarks
Display WLAN client information.
display wlan client { interface
wlan-radio [ radio-number ] |
mac-address mac-address |
service-template
service-template-number }
[ verbose ] [ | { begin | exclude |
include } regular-expression ]
Available in any view
Display WLAN service template
information.
display wlan service-template
[ service-template-number ] [ |
{ begin | exclude | include }
regular-expression ]
Available in any view
Display WLAN client statistics.
display wlan statistics client { all |
mac-address mac-address } [ |
{ begin | exclude | include }
regular-expression ]
Available in any view
Cut off clients.
reset wlan client { all |
mac-address mac-address }
Available in user view
For information about MCS index and mandatory and supported 802.11n rates, see the chapter ―WLAN
RRM configuration."
The following matrix shows the feature and router compatibility:
Displaying and maintaining WLAN service
18
Page 23
To do…
Use the command…
Remarks
Clear client statistics.
reset wlan statistics client { all |
mac-address mac-address }
Available in user view
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enable WLAN client
isolation.
wlan-client-isolation enable
Optional
Disabled by default
Internet
Gateway
AP
Client 1
Client 2
Client3
Client4
Configuring WLAN client isolation
User isolation enables a fat AP to isolate Layer-2 packets (unicast/broadcast) exchanged between wireless
clients associated with it, disabling them from direct communication.
Figure 8 User isolation network diagram
As shown in Figure 8, after the fat AP is enabled with user isolation, clients 1 through 4 cannot access each
other directly, or learn one another’s MAC and IP addresses.
Enabling WLAN client isolation
To enable WLAN client isolation:
Configuring SSID-based access control
When a user wants to access a WLAN temporarily, the administrator can specify a permitted SSID in the
corresponding user profile so that the user can access the WLAN only through the SSID.
Specifying a permitted SSID in a user profile
After completing the configuration, the user profile needs to be enabled to take effect.
To specify a permitted SSID:
19
Page 24
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter user profile view.
user-profile profile-name
Required.
If the specified user profile does not
exist, this command creates it and
enters its view.
3. Specify a permitted
SSID.
wlan permit-ssid ssid-name
Required.
No permitted SSID is specified by
default, and users can access the
WLAN without SSID limitation.
4. Return to system view.
quit
—
5. Enable the user profile.
user-profile profile-name enable
Required.
Not enabled by default.
Client
Switch
AP
LAN Segment
For more information about user access control and user profile, see Security Configuration Guide.
WLAN service configuration examples
WLAN service configuration example
Network requirements
As shown in Figure 9, enable the client to access the internal network resources at any time. The AP provides
a plain-text wireless access service with SSID service. 802.11g is adopted.
Figure 9 Network diagram for WLAN service configuration
Configuration procedure
1. Configure the fat AP.
# Create a WLAN BSS interface.
<AP> system-view
[AP] interface wlan-bss 1
[AP-WLAN-BSS1] quit
# Configure a clear type WLAN service template, with no authentication.
[AP] wlan service-template 1 clear
[AP-wlan-st-1] ssid abc
[AP-wlan-st-1] authentication-method open-system
[AP-wlan-st-1] service-template enable
[AP-wlan-st-1] quit
# Bind WLAN-Radio 2/0 to service template 1 and WLAN-BSS 1.
20
Page 25
Feature
A-MSR900
A-MSR20-1X
A-MSR20
A-MSR30
A-MSR50
802.11n
No
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
Client
Switch
AP
LAN Segment
[AP] interface wlan-radio 2/0
[AP-WLAN-Radio2/0] radio-type dot11g
[AP-WLAN-Radio2/0] channel 1
[AP-WLAN-Radio2/0] service-template 1 interface wlan-bss 1
2. Verify the configuration
The clients can associate with the APs and access the WLAN.
You can use the display wlan client and display connection commands to view the online clients.
802.11n configuration example
The following matrix shows the feature and router compatibility:
Network requirements
As shown in Figure 10, deploy an 802.11n network to provide high bandwidth access for multi-media
applications. The AP provides a plain-text wireless service with SSID service. 802.11gn is adopted to
inter-work with the existing 802.11g network and protect the current investment.
Figure 10 Network diagram for 802.11n configuration
Configuration procedure
1. Configure the Fat AP.
# Create a WLAN BSS interface.
<AP> system-view
[AP] interface wlan-bss 1
[AP-WLAN-BSS1] quit
# Configure a clear type WLAN service template with no authentication.
[AP] wlan service-template 1 clear
[AP-wlan-st-1] ssid service
[AP-wlan-st-1] authentication-method open-system
[AP-wlan-st-1] service-template enable
[AP-wlan-st-1] quit
# Configure the bandwidth as 20 MHz, and bind WLAN-Radio 2/0 to service template 1 and WLAN-BSS
1.
[AP] interface WLAN-Radio 2/0
21
Page 26
[AP-WLAN-Radio2/0] radio-type dot11gn
[AP-WLAN-Radio2/0] channel 6
[AP-WLAN-Radio2/0] channel band-width 20
[AP-WLAN-Radio2/0] service-template 1 interface WLAN-BSS 1
2. Verify the configuration
The clients can associate with the APs and access the WLAN.
You can use the display wlan verbose command to view the online clients. The 802.11n client
information is displayed in the output information of the command.
22
Page 27
Task
Remarks
Configuring data transmit rates
Optional
Configuring non-dot11h channel scanning
Optional
Enabling 802.11g protection
Optional
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN RRM view.
wlan rrm
—
3. Configure rates for 802.11b.
dot11b { disabled-rate |
mandatory-rate | supported-rate }
rate-value
Optional.
By default, mandatory rates are 1
and 2; supported rates are 5.5
and 11; no rates are disabled.
WLAN RRM configuration
The terms AP and fat AP in this document refer to A-MSR900 and A-MSR20-1X routers with IEEE 802.11b/g
and A-MSR series routers installed with a SIC WLAN module.
Radio signals are susceptible to surrounding interference. The causes of radio signal attenuation in different
directions are very complex. Therefore, we need to make careful plans before deploying a WLAN network.
After WLAN deployment, the running parameters still need to be adjusted because the radio environment is
always varying due to interference from mobile obstacles, micro-wave ovens and so on. To adapt to
environment changes, radio resources such as working channels and transmit power should be dynamically
adjusted. Such adjustments are complex and require experienced personnel to implement regularly, which
brings high maintenance costs.
WLAN RRM is a scalable radio resource management solution. It delivers a real-time, intelligent, integrated
radio resource management solution, which enables a WLAN network to quickly adapt to radio environment
changes and keep staying in a healthy state.
Configuration task list
Complete the following tasks to configure WLAN RRM:
Configuring data transmit rates
Configuring 802.11b/802.11g rates
To configure data transmit rates for 802.11b/802.11g (in Mbps):
23
Page 28
To do…
Use the command…
Remarks
4. Configure rates for 802.11g.
dot11g { disabled-rate |
mandatory-rate | supported-rate }
rate-value
Optional.
By default, mandatory rates are
1, 2, 5.5, and 11; supported
rates are 6, 9, 12, 18, 24, 36,
48, and 54; no rates are
disabled.
MCS index
Number of spatial
streams
Modulation
Data rate (Mbps)
800ns GI
400ns GI
0 1 BPSK
6.5
7.2 1 1
QPSK
13.0
14.4
2 1 QPSK
19.5
21.7
3 1 16-QAM
26.0
28.9
4 1 16-QAM
39.0
43.3
5 1 64-QAM
52.0
57.8
6 1 64-QAM
58.5
65.0
7 1 64-QAM
65.0
72.2
8 2 BPSK
13.0
14.4
9 2 QPSK
26.0
28.9
10 2 QPSK
39.0
43.3
11 2 16-QAM
52.0
57.8
12 2 16-QAM
78.0
86.7
13 2 64-QAM
104.0
115.6
14 2 64-QAM
117.0
130.0
15 2 64-QAM
130.0
144.4
Configuring 802.11n rates
Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum MCS
index. The MCS data rate table shows relations between data rates, MCS indexes, and parameters that
affect data rates. A sample MCS data rate table (20 MHz) is shown in Table 1, and a sample MCS data rate
table (40 MHz) is shown in Table 2. For the whole table, see IEEE P802.11n D2.00.
As shown in the two tables, MCS 0 through MCS 7 use one spatial stream, and the data rate corresponding
to MCS 7 is the highest; MCS 8 through MCS 15 use two spatial streams, and the data rate corresponding
to MCS 15 is the highest.
Table 1 MCS data rate table (20 MHz)
24
Page 29
MCS index
Number of spatial
streams
Modulation
Data rate (Mbps)
800ns GI
400ns GI
0 1 BPSK
13.5
15.0
1 1 QPSK
27.0
30.0
2 1 QPSK
40.5
45.0
3 1 16-QAM
54.0
60.0
4 1 16-QAM
81.0
90.0
5 1 64-QAM
108.0
120.0
6 1 64-QAM
121.5
135.0
7 1 64-QAM
135.0
150.0
8 2 BPSK
27.0
30.0
9 2 QPSK
54.0
60.0
10 2 QPSK
81.0
90.0
11 2 16-QAM
108.0
120.0
12 2 16-QAM
162.0
180.0
13 2 64-QAM
216.0
240.0
14 2 64-QAM
243.0
270.0
15 2 64-QAM
270.0
300.0
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter RRM view.
wlan rrm
—
3. Specify the maximum MCS
index for 802.11n mandatory
rates.
dot11n mandatory maximum-mcs
index
Optional.
No maximum MCS index is
specified for 802.11n
mandatory rates by default.
Table 2 MCS data rate table (40 MHz)
802.11 rates fall into the following types:
Mandatory rates: Mandatory rates must be supported by the AP. Clients can associate with the AP only
when they support the mandatory rates.
Supported rates: Higher rates supported by the AP besides the mandatory rates. Supported rates allow
some clients that support both mandatory and supported rates to choose higher rates when
communicating with the AP.
Multicast rates: Multicast rates supported by the AP besides the mandatory rates. Multicast rates allow
clients to send multicast traffic at the multicast rates.
When you specify the maximum MCS index, you actually specify a range. For example, if you specify the
maximum MCS index as 5 for mandatory rates, rates corresponding to MCS indexes 0 through 5 are
configured as 802.11n mandatory rates.
To configure 802.11n rates:
25
Page 30
To do…
Use the command…
Remarks
4. Specify the maximum MCS
index for 802.11n supported
rates.
dot11n support maximum-mcs index
Optional.
By default, the maximum MCS
index for 802.11n supported
rates is 76.
Feature
A-MSR900
A-MSR20-1X
A-MSR20
A-MSR30
A-MSR50
802.11n
No
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
Available for
routers with a
SIC_WLAN
module that
supports
802.11n
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN RRM view.
wlan rrm
—
3. Configure non-802.11h
channel scanning.
autochannel-set avoid-dot11h
Optional.
By default, all channels of the
country code are scanned.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
If you configure the client dot11n-only command for a radio, you must configure the maximum MCS index for
802.11n mandatory rates.
The following matrix shows the feature and router compatibility:
Configuring non-dot11h channel scanning
To configure non-dot11h channel scanning:
Enabling 802.11g protection
When both 802.11b and 802.11g clients access a WLAN network, interference easily occurs and access rate
is greatly degraded because they adopt different modulation modes. To enable both 802.11b and 802.11g
clients to operate properly, 802.11g protection needs to be enabled for an 802.11g device to send RTS/CTS
or CTS-to-self packets to 802.11b devices, which defer access to the medium.
Either of the following cases can start 802.11g protection on an 802.11g AP.
1. An 802.11b client associates with the 802.11g AP. In this case, 802.11g protection is always
enabled.
2. The 802.11g AP detects an overlapping 802.11b BSS or some 802.11b packets that are not
destined to it. For this case, you can use the following command to enable 802.11g protection or
disable it using the undo form of the command.
To enable 802.11g protection:
26
Page 31
To do…
Use the command…
Remarks
2. Enter WLAN RRM view.
wlan rrm
—
3. Enable 802.11g protection.
dot11g protection enable
Optional
Disabled by default
NOTE:
Enabling 802.11g protection reduces network performance.
To do…
Use the command…
Remarks
Display WLAN RRM configuration
information.
display wlan rrm [ | { begin |
exclude | include }
regular-expression ]
Available in any view
Displaying and maintaining WLAN RRM
27
Page 32
APClient
Authentication request
Authentication response
WLAN security configuration
The terms AP and fat AP in this document refer to A-MSR900 and A-MSR20-1X routers with IEEE 802.11b/g
and A-MSR series routers installed with a SIC WLAN module.
The wireless security capabilities incorporated in 802.11 are inadequate for protecting networks containing
sensitive information. They do a fairly good job for defending against the general public, but not good
hackers. As a result, there is a need to implement advanced security mechanisms beyond the capabilities of
802.11.
Authentication modes
To secure wireless links, the wireless clients must be authenticated before accessing the AP, and only wireless
clients passing the authentication can be associated with the AP. 802.11 links define two authentication
mechanisms: open system authentication and shared key authentication.
Open system authentication
Open system authentication is the default authentication algorithm. This is the simplest of the available
authentication algorithms. Essentially it is a null authentication algorithm. Any client that requests
authentication with this algorithm can be authenticated. Open system authentication is not required to be
successful as an AP may decline to authenticate the client. Open system authentication involves a two-step
authentication process. In the first step, the wireless client sends a request for authentication. In the second
step, the AP determines whether the wireless client passes the authentication and returns the result to the
client.
Figure 11 Open system authentication process
Shared key authentication
The following figure shows a shared key authentication process. The two parties have the same shared key
configured.
1. The client sends an authentication request to the AP.
2. The AP randomly generates a challenge and sends it to the client.
3. The client uses the shared key to encrypt the challenge and sends it to the AP.
4. The AP uses the shared key to encrypt the challenge and compares the result with that received from
the client. If they are identical, the client passes the authentication. If not, the authentication fails.
28
Page 33
AP
Client
Authentication Request
Authentication Response(Challenge)
Authentication(Encrypted Challenge)
Authentication Response(Success)
Figure 12 Shared key authentication process
WLAN data security
Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN devices
share the same medium. Thus, every device can receive data from any other sending device. If no security
service is provided, plain-text data is transmitted over the WLAN.
To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices
without the right key cannot read encrypted data.
1. Plain-text data
All data packets are not encrypted. It is in fact a WLAN service without any security protection.
2. WEP encryption
WEP was developed to protect data exchanged among authorized users in a wireless LAN from casual
eavesdropping. WEP uses RC4 encryption (a stream encryption algorithm) for confidentiality. WEP adopts
the RC4 algorithm (a stream encryption algorithm), supporting WEP40, WEP104 and WEP128 keys.
3. TKIP encryption
TKIP and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP, and provides more
secure protection for WLAN as follows:
First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP
encryption uses 128–bit RC4 encryption algorithm, and increases the length of IVs from 24 bits to 48
bits.
Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a
single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be
easily deciphered.
Third, TKIP offers MIC and countermeasures. If a packet fails the MIC, the data may be tampered, and
the system may be attacked. If two packets fail the MIC in a certain period, the AP automatically takes
countermeasures. It does not provide services in a certain period to prevent attacks.
4. CCMP encryption
CCMP is based on the CCM of the AES encryption algorithm. CCM combines CTR for confidentiality and
CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and
selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and
a 128-bit block size. Similarly, CCMP contains a dynamic key negotiation and management method, so that
each wireless client can dynamically negotiate a key suite, which can be updated periodically to further
29
Page 34
enhance the security of the CCMP encryption mechanism. During the encryption process, CCMP uses a
48-bit PN to ensure that each encrypted packet uses a different PN. This improves security to a certain extent.
Client access authentication
1. PSK authentication
To implement PSK authentication, the client and the authenticator must have the same shared key configured.
Otherwise, the client cannot pass PSK authentication.
2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port
level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the
resources on the WLAN only after passing authentication.
3. MAC address authentication
MAC address authentication does not require any client software. The MAC address of a client is compared
against a predefined list of allowed MAC addresses. If a match is found, the client can pass the
authentication and access the WLAN; if not, the authentication fails and access is denied. The entire process
does not require the user to enter a username or password. This type of authentication is suited to small
networks (such as families and small offices) with fixed clients.
MAC address authentication can be done locally or through a RADIUS server.
Local MAC address authentication: A list of usernames and passwords (the MAC addresses of allowed
clients) is created on the wireless access device and the clients are authenticated by the wireless access
device. Only clients whose MAC addresses are included in the list can pass the authentication and
access the WLAN.
MAC address authentication through RADIUS server: The wireless access device serves as the RADIUS
client and sends the MAC address of each requesting client to the RADIUS server. If the client passes the
authentication on the RADIUS server, the client can access the WLAN within the authorization assigned
by the RADIUS server. In this authentication mode, if different domains are defined, authentication
information of different SSIDs are sent to different RADIUS servers based on their domains.
For more information about access authentication, see Security Configuration Guide.
Protocols and standards
IEEE Standard for Information technology—Telecommunications and information exchange between
systems— Local and metropolitan area networks— Specific requirements -2004
WI-FI Protected Access—Enhanced Security Implementation Based On IEEE P802.11i Standard-Aug
2004
Information technology—Telecommunications and information exchange between systems—Local and
metropolitan area networks—Specific requirements—802.11, 1999
IEEE Standard for Local and metropolitan area networks "Port-Based Network Access Control"
802.1X™- 2004
802.11i IEEE Standard for Information technology—Telecommunications and information exchange
between systems—Local and metropolitan area networks—Specific requirements
30
Page 35
Task
Remarks
Enabling an authentication method
Required
Configuring the PTK lifetime
Optional
Configuring the GTK rekey method
Optional
Configuring security IE
Required
Configuring cipher suite
Required
Configuring port security
Optional
To do…
Use the command…
Remarks
Enter system view
system-view
—
1. Enter WLAN service
template view.
wlan service-template
service-template-number crypto
—
2. Enable the authentication
method.
authentication-method { open-system |
shared-key }
Optional.
Open system authentication
method is used by default.
Shared key authentication is
usable only when WEP
encryption is adopted. In this
case, you must configure the
authentication-method
shared-key command.
For RSN and WPA, open
system authentication is
required.
Configuring WLAN security
Configuration task list
To configure WLAN security in a service template, map the service template to a radio policy, and add
radios to the radio policy. The SSID name, advertisement setting (beaconing), and encryption settings are
configured in the service template. You can configure an SSID to support any combination of WPA, RSN,
and Pre-RSN clients
Complete these tasks to configure WLAN security configuration tasks.
Enabling an authentication method
You can enable open system or shared key authentication or both.
To enable an authentication method:
Configuring the PTK lifetime
A PTK is generated through a four-way handshake, during which, the PMK, an AP random value (ANonce),
a site random value (SNonce), the AP’s MAC address and the client’s MAC address are used.
To configure the PTK lifetime:
31
Page 36
To do…
Use the command…
Remarks
Enter system view
system-view
—
1. Enter WLAN service
template view.
wlan service-template
service-template-number crypto
—
2. Configure the PTK lifetime.
ptk-lifetime time
Optional.
By default, the PTK lifetime is
43,200 seconds.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN service
template view.
wlan service-template
service-template-number crypto
—
3. Enable GTK rekey.
gtk-rekey enable
Required.
By default, GTK rekey is
enabled.
4. Configure the GTK rekey
interval.
gtk-rekey method time-based [ time ]
Required.
By default, the interval is 86,400
seconds.
5. Configure the device to start
GTK rekey when a client goes
offline.
gtk-rekey client-offline enable
Optional.
Not configured by default.
This command takes effect only
when GTK rekey has been
enabled with the gtk-rekey
enable command.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
Configuring the GTK rekey method
A fat AP generates a GTK and sends the GTK to a client during the authentication process between an AP
and the client through group key handshake or the 4-way handshake. The client uses the GTK to decrypt
broadcast and multicast packets. RSN negotiates the GTK through the 4-way handshake or group key
handshake, and WPA negotiates the GTK only through group key handshake.
Two GTK rekey methods can be configured:
Time-based GTK rekey: After the specified interval elapses, GTK rekey occurs.
Packet-based GTK rekey. After the specified number of packets is sent, GTK rekey occurs.
You can also configure the device to start GTK rekey when a client goes offline.
Configuring GTK rekey based on time
To configure GTK rekey based on time:
Configuring GTK rekey based on packet
To configure GTK rekey based on packet:
32
Page 37
To do…
Use the command…
Remarks
2. Enter WLAN service
template view.
wlan service-template
service-template-number crypto
—
3. Enable GTK rekey.
gtk-rekey enable
Required.
By default, GTK rekey is enabled.
4. Configure GTK rekey based
on packet.
gtk-rekey method packet-based
[ packet ]
Required.
The default packet number is
10,000,000.
5. Configure the device to start
GTK rekey when a client
goes offline.
gtk-rekey client-offline enable
Optional.
Not configured by default.
This command takes effect only
when GTK rekey has been
enabled with the gtk-rekey
enable command.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN service
template view.
wlan service-template
service-template-number crypto
—
3. Enable the WPA IE in the
beacon and probe
responses.
security-ie wpa
Required.
By default, WPA IE is disabled.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN service
template view.
wlan service-template
service-template-number crypto
—
By default, time-based GTK rekey is adopted, and the rekey interval is 86,400 seconds.
Configuring a new GTK rekey method overwrites the previous one. For example, if time-based GTK rekey is
configured after packet-based GTK rekey is configured, time-based GTK rekey takes effect.
Configuring security IE
The security IE configuration includes WPA and RSN configuration. For WPA and RSN configuration, open
system authentication is required.
WPA ensures greater protection than WEP. WPA operates in either WPA-PSK (or Personal) mode or
WPA-802.1X (or Enterprise) mode. In Personal mode, a pre-shared key or pass-phrase is used for
authentication. In Enterprise mode, 802.1X and RADIUS servers and the EAP are used for authentication.
Configuring WPA security IE
To configure the WPA security IE:
Configuring RSN security IE
An RSN is a security network that allows only the creation of RSNAs. An RSN can be identified by the
indication in the RSN IE of beacon frames. It provides greater protection than WEP and WPA.
33
Page 38
To do…
Use the command…
Remarks
3. Enable the RSN IE in the
beacon and probe
responses.
security-ie rsn
Required.
By default, RSN IE is disabled.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN service
template view.
wlan service-template
service-template-number crypto
—
3. Enable the WEP cipher suite.
cipher-suite { wep40 | wep104 |
wep128 }
Required.
4. Configure the WEP default
key.
wep default-key { 1 | 2 | 3 | 4 }
{ wep40 | wep104 | wep128 }
{ pass-phrase | raw-key } [ cipher |
simple ] key
Required.
By default, the WEP default key
index number is 1.
5. Specify a key index number.
wep key-id { 1 | 2 | 3 | 4 }
Optional.
By default, the key index number
is 1.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN service
template view.
wlan service-template
service-template-number crypto
—
Configuring cipher suite
A cipher suite is used for data encapsulation and de-encapsulation. It uses the following encryption methods:
WEP40/WEP104/WEP128
TKIP
CCMP
Configuring WEP cipher suite
The WEP encryption mechanism requires that the authenticator and clients on a WLAN have the same key
configured. WEP adopts the RC4 algorithm (a stream encryption algorithm), supporting WEP40, WEP104
and WEP128 keys.
You can use WEP with either open system authentication mode or share the key authentication mode:
In open system authentication mode, a WEP key is used for encryption only. A client can go online
without having the same key as the authenticator. But, if the receiver has a different key from the sender,
it discards the packets received from the sender.
In shared key authentication mode, the WEP key is used for both encryption and authentication. If the
key of a client is different from that of the authenticator, the client cannot go online.
To configure WEP encryption:
Configuring TKIP cipher suite
To configure the TKIP cipher suite:
34
Page 39
To do…
Use the command…
Remarks
3. Enable the TKIP cipher suite.
cipher-suite tkip
Required.
By default, no cipher suite is
enabled.
4. Configure the TKIP
countermeasure interval.
tkip-cm-time time
Optional.
The default countermeasure
interval is 0 seconds. No
countermeasures are taken.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN service
template view.
wlan service-template
service-template-number crypto
—
3. Enable the CCMP cipher
suite.
cipher-suite ccmp
Required.
By default, no cipher suite is
enabled.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
MIC is used to prevent attackers from data modification. It ensures data security by using the Michael
algorithm. When a fault occurs to the MIC, the device considers that the data has been modified and the
system is being attacked. Upon detecting the attack, TKIP suspends within the countermeasure interval. No
TKIP associations can be established within the interval.
Configuring CCMP cipher suite
CCMP adopts the AES encryption algorithm.
To configure the CCMP cipher suite:
Configuring port security
The authentication type configuration includes the following options:
PSK
802.1x
MAC
PSK and MAC
This document describes only several common port security modes. For more information about other port
security modes, see Security Configuration Guide.
Before configuring port security, you must:
1. Create the wireless port.
2. Enable port security.
Configuring PSK authentication
To configure PSK authentication:
35
Page 40
To do…
Use the command…
Remarks
2. Enter WLAN-BSS interface
view.
interface wlan-bss
interface-number
Required.
3. Enable 802.11 key
negotiation.
port-security tx-key-type 11key
Required.
Not enabled by default.
4. Configure the pre-shared key.
port-security preshared-key
{ pass-phrase | raw-key } [ cipher
| simple ] key
Required.
Not configured by default.
5. Enable the PSK port security
mode.
port-security port-mode psk
Required.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN-BSS interface
view.
interface wlan-bss interface-number
Required.
3. Enable 802.11key negotiation.
port-security tx-key-type 11key
Required.
Not enabled by default.
4. Enable the 802.1X port
security mode.
port-security port-mode
userlogin-secure-ext
Required.
port-security port-mode
userlogin-secure
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN-BSS interface
view.
interface wlan-bss interface-number
Required
3. Enable MAC port security
mode.
port-security port-mode
mac-authentication
Required
NOTE:
802.11i does not support MAC authentication.
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN-BSS interface
view.
interface wlan-bss interface-number
Required.
Configuring 802.1X authentication
To configure 802.1X authentication:
Configuring MAC authentication
To configure MAC authentication:
Configuring PSK and MAC authentication
To configure PSK and MAC authentication:
36
Page 41
To do…
Use the command…
Remarks
3. Enable 802.11 key
negotiation.
port-security tx-key-type 11key
Required.
Not enabled by default.
4. Enable the PSK and MAC port
security mode.
port-security port-mode mac-and-psk
Required.
5. Configure the pre-shared key.
port-security preshared-key { pass-phrase |
raw-key } key
Required.
The key is a string of 8 to
63 characters, or a
64-digit hex number.
To do…
Use the command…
Remarks
Display WLAN service template
information.
display wlan service-template
[ service-template-number ]
Available in any view
Display MAC authentication
information.
display mac-authentication
[ interface interface-list ]
Available in any view
Display the MAC address
information of port security.
display port-security mac-address
security [ interface interface-type
interface-number ] [ vlan vlan-id ]
[ count ]
Available in any view
Display the PSK user information of
port security.
display port-security
preshared-key user [ interface
interface-type interface-number ]
Available in any view
Display the configuration
information, running state and
statistics of port security.
display port-security [ interface
interface-list ]
Available in any view
Display 802.1x session
information or statistics.
display dot1x [ sessions |
statistics ] [ interface interface-list ]
Available in any view
For more information about port security configuration commands, see Security Configuration Guide.
Displaying and maintaining WLAN security
For more information about related display commands, see Security Command Reference.
WLAN security configuration examples
PSK authentication configuration example
Network requirements
As shown in Figure 13, perform PSK authentication with key 12345678 on the client.
37
Page 42
Client
Switch
AP
LAN Segment
Figure 13 Network diagram for PSK authentication configuration
Configuration procedure
1. Configure the fat AP.
# Enable port security.
<Sysname> system-view
[Sysname] port-security enable
# Configure WLAN port security, configure the authentication mode as PSK, and the pre-shared key as
12345678.
[Sysname] interface wlan-bss 1
[Sysname-WLAN-BSS1] port-security port-mode psk
[Sysname-WLAN-BSS1] port-security preshared-key pass-phrase 12345678
[Sysname-WLAN-BSS1] port-security tx-key-type 11key
[Sysname-WLAN-BSS1] quit
# Create service template 1 of crypto type, configure its SSID as psktest, configure the open system
authentication, and enable the service template.
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] ssid psktest
[Sysname-wlan-st-1] security-ie rsn
[Sysname-wlan-st-1] cipher-suite ccmp
[Sysname-wlan-st-1] authentication-method open-system
[Sysname-wlan-st-1] service-template enable
[Sysname-wlan-st-1] quit
# Bind interface WLAN-BSS 1 to service template 1 on interface WLAN-radio 2/0.
[Sysname] interface wlan-radio 2/0
[Sysname-WLAN-Radio2/0] radio-type dot11g
[Sysname-WLAN-Radio2/0] service-template 1 interface wlan-bss 1
2. Verify the configuration
After the client has the same PSK configured, it can associate with the AP and access the WLAN.
You can use the display wlan client command and display port-security preshared-key user command to
view the online clients.
MAC and PSK authentication configuration example
Network requirements
As shown in Figure 14, perform MAC and PSK authentication on the client.
38
Page 43
IP network
L2 switch
FAT AP
Client
10.18.1.88/24
RADIUS server
10.18.1.1/24
Figure 14 MAC and PSK authentication
Configuration procedure
1. Configure the fat AP.
# Enable port security.
<Sysname> system-view
[Sysname] port-security enable
# Configure WLAN port security, configure the authentication mode as mac-and-psk, and the pre-shared key
as 12345678.
[Sysname] interface wlan-bss 1
[Sysname-WLAN-BSS1] port-security port-mode mac-and-psk
[Sysname-WLAN-BSS1] port-security preshared-key pass-phrase 12345678
[Sysname-WLAN-BSS1] port-security tx-key-type 11key
[Sysname-WLAN-BSS1] quit
# Create service template 1 of crypto type and configure its SSID as mactest.
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] ssid mactest
# Enable the RSN IE in the beacon and probe responses, and use the CCMP cipher suite.
[Sysname-wlan-st-1] security-ie rsn
[Sysname-wlan-st-1] cipher-suite ccmp
# Configure the open system authentication and enable the service template.
[Sysname-wlan-st-1] authentication-method open-system
[Sysname-wlan-st-1] service-template enable
[Sysname-wlan-st-1] quit
# Configure a RADIUS scheme named rad, and configure the IP addresses of the primary authentication
server and accounting server as 10.18.1.88.
[Sysname] radius scheme rad
[Sysname-radius-rad] primary authentication 10.18.1.88
[Sysname-radius-rad] primary accounting 10.18.1.88
# Configure the shared key for RADIUS authentication/accounting packets as 12345678.
[Sysname-radius-rad] key authentication 12345678
[Sysname-radius-rad] key accounting 12345678
[Sysname-radius-rad] server-type extended
[Sysname-radius-rad] user-name-format without-domain
[Sysname-radius-rad] quit
39
Page 44
# Configure AAA domain imc by referencing RADIUS scheme rad.
[Sysname] domain imc
[Sysname-isp-imc] authentication lan-access radius-scheme rad
[Sysname-isp-imc] authorization lan-access radius-scheme rad
[Sysname-isp-imc] accounting lan-access radius-scheme rad
[Sysname-isp-imc] quit
# Configure the MAC authentication domain.
[Sysname] mac-authentication domain imc
# Configure MAC authentication user name format, using MAC addresses without hyphen as username and
password (consistent with the format on the server).
[Sysname] mac-authentication user-name-format mac-address without-hyphen
# On interface WLAN-radio 2/0, bind interface WLAN-BSS 1 to service template 1.
[Sysname] interface wlan-radio2/0
[Sysname-WLAN-Radio2/0] radio-type dot11g
[Sysname-WLAN-Radio2/0] service-template 1 interface wlan-bss 1
2. Configure the RADIUS server (IMC PLAT 5.0)
The following takes the IMC (the IMC versions are IMC PLAT 5.0 and IMC UAM 5.0) as an example to
illustrate the basic configurations of the RADIUS server.
# Add an access device.
Log in to the IMC management platform. Select the Service tab, and then select User Access Manager >
Access Device Management > Access Device from the navigation tree to enter the access device
configuration page. Click Add on the page to enter the configuration page as shown in Figure 15:
Input 12345678 as the Shared Key. keep the default values for other parameters.
Select or manually add the access device with the IP address 10.18.1.1.
Figure 15 Add access device
# Add service.
Select the Service tab, and then select User Access Manager > Service Configuration from the navigation tree
to enter the add service page. Then click Add on the page to enter the following configuration page. Set the
service name as mac, and keep the default values for other parameters.
40
Page 45
Figure 16 Add service
# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user page.
Then, click Add on the page to enter the page as shown in Figure 17.
Enter username 00146c8a43ff.
Set the account name and password both as 00146c8a43ff.
Select the service mac.
Figure 17 Add account
3. Verify the configuration
After the client passes the MAC authentication, the client can associate with the AP and access the WLAN.
You can use the display wlan client command, display connection command and display
mac-authentication command to view the online clients.
802.1X authentication configuration example
Network requirements
As shown in Figure 18, configure the fat AP to perform 802.1x authentication on the client.
41
Page 46
IP network
L2 switch
FAT AP
Client
10.18.1.88/24
RADIUS server
10.18.1.1/24
Figure 18 802.1x authentication configuration
Configuration procedure
1. Configure the fat AP.
# Enable port security and configure the 802.1X authentication mode as EAP.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] dot1x authentication-method eap
# Configure a RADIUS scheme name rad and configure the IP addresses of the primary authentication server
and accounting server as 10.18.1.88.
[Sysname] radius scheme rad
[Sysname-radius-rad] primary authentication 10.18.1.88
[Sysname-radius-rad] primary accounting 10.18.1.88
# Configure the shared key for RADIUS authentication/accounting packets as 12345678.
[Sysname-radius-rad] key authentication 12345678
[Sysname-radius-rad] key accounting 12345678
[Sysname-radius-rad] user-name-format without-domain
[Sysname-radius-radius1] quit
# Configure AAA domain imc by referencing RADIUS scheme rad.
[Sysname] domain imc
[Sysname-isp-imc] authentication lan-access radius-scheme rad
[Sysname-isp-imc] authorization lan-access radius-scheme rad
[Sysname-isp-imc] accounting lan-access radius-scheme rad
[Sysname-isp-imc] quit
# Configure the default ISP domain.
[Sysname] domain default enable imc
# Set the port mode for WLAN-ESS 1 to userlogin-secure-ext, and enable 802.11 key negotiation.
[Sysname] interface wlan-bss 1
[Sysname-WLAN-BSS1] port-security port-mode userlogin-secure-ext
[Sysname-WLAN-BSS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[Sysname-WLAN-BSS1] undo dot1x multicast-trigger
[Sysname-WLAN-BSS1] undo dot1x handshake
[Sysname-WLAN-BSS1] quit
# Create service template 1 of crypto type and configure its SSID as dot1x.
42
Page 47
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] ssid dot1x
# Enable the RSN IE in the beacon and probe responses, and use the CCMP cipher suite.
[Sysname-wlan-st-1] authentication-method open-system
[Sysname-wlan-st-1] cipher-suite ccmp
[Sysname-wlan-st-1] security-ie rsn
[Sysname-wlan-st-1] service-template enable
[Sysname-wlan-st-1] quit
# On interface WLAN-radio 2/0, bind service template 1 to interface WLAN-BSS 1.
[Sysname] interface wlan-radio2/0
[Sysname-WLAN-Radio2/0] radio-type dot11g
[Sysname-WLAN-Radio2/0] service-template 1 interface wlan-bss 1
2. Configure the RADIUS server (IMC PLAT 5.0)
See ―Configure the RADIUS server (IMC PLAT 5.0)."
3. Configure the wireless card
Double click the icon at the bottom right corner of your desktop. The Wireless Network Connection
Status window appears. Click the Properties button in the General tab. The Wireless Network Connection
Properties window appears. In the Wireless Networks tab, select wireless network with the SSID dot1x, and
then click Properties. The dot1x Properties window appears. Then, in the Authentication tab, select
Protected EAP (PEAP) from the EAP type drop-down list, and click Properties. In the popup window, clear
Validate server certificate, and click Configure. In the popup dialog box, clear Automatically use my
Windows logon name and password (and domain if any). The configuration procedure is as shown in Figure
19 through Figure 21.
43
Page 48
Figure 19 Configure the wireless card (I)
44
Page 49
Figure 20 Configure the wireless card (II)
45
Page 50
Unicast cipher
Broadcast cipher
Authentication method
Security Type
CCMP
WEP40
PSK
RSN
CCMP
WEP104
PSK
RSN
CCMP
WEP128
PSK
RSN
CCMP
TKIP
PSK
RSN
Figure 21 Configure the wireless card (III)
4. Verify the configuration.
The client can pass 802.1x authentication and access the WLAN.
You can use the display wlan client command, display connection command, and display dot1x command
to view the online clients.
Supported combinations for ciphers
This section introduces the combinations that can be used during the cipher suite configuration.
RSN
For RSN, the WLAN-WSEC module supports only CCMP and TKIP ciphers as the pair wise ciphers and WEP
cipher suites are only used as group cipher suites. Below are the cipher suite combinations that
WLAN-WSEC supports for RSN. WEP40, WEP104 and WEP128 are mutually exclusive.
46
Page 51
Unicast cipher
Broadcast cipher
Authentication method
Security Type
CCMP
CCMP
PSK
RSN
TKIP
WEP40
PSK
RSN
TKIP
WEP104
PSK
RSN
TKIP
WEP128
PSK
RSN
TKIP
TKIP
PSK
RSN
CCMP
WEP40
802.1x
RSN
CCMP
WEP104
802.1x
RSN
CCMP
WEP128
802.1x
RSN
CCMP
TKIP
802.1x
RSN
CCMP
CCMP
802.1x
RSN
TKIP
WEP40
802.1x
RSN
TKIP
WEP104
802.1x
RSN
TKIP
WEP128
802.1x
RSN
TKIP
TKIP
802.1x
RSN
Unicast cipher
Broadcast cipher
Authentication method
Security Type
CCMP
WEP40
PSK
WPA
CCMP
WEP104
PSK
WPA
CCMP
WEP128
PSK
WPA
CCMP
TKIP
PSK
WPA
CCMP
CCMP
PSK
WPA
TKIP
WEP40
PSK
WPA
TKIP
WEP104
PSK
WPA
TKIP
WEP128
PSK
WPA
TKIP
TKIP
PSK
WPA
CCMP
WEP40
802.1x
WPA
CCMP
WEP104
802.1x
WPA
CCMP
WEP128
802.1x
WPA
CCMP
TKIP
802.1x
WPA
CCMP
CCMP
802.1x
WPA
TKIP
WEP40
802.1x
WPA
TKIP
WEP104
802.1x
WPA
WPA
For WPA, the WLAN-WSEC module supports the CCMP and TKIP ciphers as the pair wise ciphers and WEP
cipher suites are only used as group cipher suites. Below are the cipher suite combinations that
WLAN-WSEC supports for WPA (WEP40, WEP104 and WEP128 are mutually exclusive).
47
Page 52
Unicast cipher
Broadcast cipher
Authentication method
Security Type
TKIP
WEP128
802.1x
WPA
TKIP
TKIP
802.1x
WPA
Unicast cipher
Broadcast cipher
Authentication method
Security Type
WEP40
WEP40
Open system
no Sec Type
WEP104
WEP104
Open system
no Sec Type
WEP128
WEP128
Open system
no Sec Type
WEP40
WEP40
Shared key
no Sec Type
WEP104
WEP104
Shared key
no Sec Type
WEP128
WEP128
Shared key
no Sec Type
Pre-RSN
For Pre-RSN stations, the WLAN-WSEC module supports only WEP cipher suites. (WEP40, WEP104 and
WEP128 are mutually exclusive).
48
Page 53
WLAN IDS configuration
The terms AP and fat AP in this document refer to A-MSR900 and A-MSR20-1X routers with IEEE 802.11b/g
and A-MSR series routers installed with a SIC WLAN module.
802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad
hoc networks, and DoS attacks. Rogue devices are a serious threat to enterprise security. WIDS is used for
the early detection of malicious attacks and intrusions on a wireless network. WIPS helps to protect enterprise
networks and users from unauthorized wireless access. The rogue detection feature is a part of the
WIDS/WIPS solution, which detects the presence of rogue devices in a WLAN network and takes
countermeasures to prevent rogue devices operation.
Terminology
WLAN intrusion detection system: WLAN IDS is designed to be deployed in an area that an existing
wireless network covers. It aids in the detection of malicious outsider attacks and intrusions via the
wireless network.
Rogue AP: An unauthorized or malicious access point on the network, such as an employee setup AP,
misconfigured AP, neighbor AP or an attacker operated AP. As it is not authorized, if any vulnerability
occurs on the AP, the hacker has an opportunity to compromise your network security.
Rogue client: An unauthorized or malicious client on the network.
Rogue wireless bridge: Unauthorized wireless bridge on the network.
Monitor AP: An AP that scans or listens to 802.11 frames to detect wireless attacks in the network.
Ad hoc mode: Sets the working mode of a wireless client to ad hoc. An ad hoc terminal can directly
communicate with other stations without support from any other device.
Passive scanning: In passive scanning, a monitor AP listens to all the 802.11 frames over the air in that
channel.
Active scanning: In active scanning, a monitor AP, besides listening to all 802.11 frames, sends a
broadcast probe request and receives all probe response messages on that channel. Each AP in the
vicinity of the monitor AP replies to the probe request. This helps identify all authorized and
unauthorized APs by processing probe response frames. The monitor AP masquerades as a client when
sending the probe request.
WIDS attack detection
The WIDS attack detection function detects intrusions or attacks on a WLAN network, and informs the
network administrator of the attacks through recording information or sending logs. At present, WIDS
detection supports detection of the following attacks:
Flood attack
Spoofing attack
Weak IV attack
Flood attack detection
49
Page 54
Task
Description
Configuring IDS attack detection
Displaying and maintaining
IDS attack detection
Optional
A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind
within a short span of time. When this occurs, the WLAN devices are overwhelmed and, consequently, are
unable to service normal clients.
WIDS attacks detection counters flood attacks by constantly keeping track of the density of traffic generated
by each device. When the traffic density of a device exceeds the limit, the device is considered flooding the
network. If the dynamic blacklist feature is enabled, it is added to the blacklist and is forbidden to access the
WLAN for a period of time.
WIDS inspects the following types of frames:
Authentication requests and de-authentication requests
Association requests, disassociation requests, and reassociation requests
Probe requests
802.11 null data frames
802.11 action frames
Spoofing attack detection
In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For instance,
a client in a WLAN has been associated with an AP and works normally. In this case, a spoofed
de-authentication frame can cause a client to get de-authenticated from the network. This can affect the
normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast de-authentication
and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a
spoofed frame, and the attack is immediately logged.
Weak IV detection
WEP uses an IV to encrypt each frame. An IV and a key are used to generate a key stream. Thus, encryptions
using the same key have different results. When a WEP frame is sent, the IV used in encrypting the frame is
also sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, such as using a fixed IV for all frames, the
shared secret key may be exposed to any potential attackers. When the shared secret key is compromised,
the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a weak
IV is detected, it is logged immediately.
WLAN IDS configuration task list
Configuring IDS attack detection
To configure IDS attack detection:
50
Page 55
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter IDS view.
wlan ids
—
3. Enable IDS attack detection.
attack-detection enable { all | flood
| weak-iv | spoof }
Required
Disabled by default
To do…
Use the command…
Remarks
Display all the attacks detected
by WLAN IDS IPS.
display wlan ids history [ | { begin |
exclude | include }
regular-expression ]
Available in any view
Display the count of attacks
detected by WLAN IDS IPS.
display wlan ids statistics [ | { begin |
exclude | include }
regular-expression ]
Available in any view
Clear the history of attacks
detected by the WLAN system.
reset wlan ids history
Available in user view
Clear the statistics of attacks
detected in the WLAN system.
reset wlan ids statistics
Available in user view
Displaying and maintaining IDS attack detection
51
Page 56
WLAN IDS frame filtering configuration
The terms AP and fat AP in this document refer to A-MSR900 and A-MSR20-1X routers with IEEE 802.11b/g
and A-MSR series routers installed with a SIC WLAN module.
Frame filtering is a feature of 802.11 MAC and a sub-feature of WLAN IDS.
An AC maintains a white list (entries in the list are permitted and can be configured through CLI), a static
blacklist (entries in the list are denied and can be configured through CLI), and a dynamic blacklist (entries
in the list are denied and are added when WLAN IDS detects flood attacks).
Blacklist and white list
Configure the blacklist and white list functions to filter frames from WLAN clients and implement client access
control.
WLAN client access control is accomplished through the following types of lists.
White list: Contains the MAC addresses of all clients allowed to access the WLAN. If you use the white
list, only permitted clients can access the WLAN, and all frames from other clients are discarded.
Static blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. This list is
configured manually.
Dynamic blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. A client is
added dynamically to the list if it is considered sending attacking frames, until the timer of the entry
expires. A dynamic blacklist can collaborate with ARP detection. When ARP detection detects any
attacks, the MAC addresses of attackers are added to the dynamic blacklist. For more information
about ARP detection, see Security Configuration Guide.
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the
frame by following these rules:
If the source MAC address does not match any entry in the white list, the frame is dropped. If there is
a match, the frame is considered valid and is processed further.
If no white list entries exist, the static and dynamic blacklists are searched.
If the source MAC address matches an entry in any of the two lists, the frame is dropped.
If there is no match, or no blacklist entries exist, the frame is considered valid and is processed further.
52
Page 57
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN IDS view.
wlan ids
—
3. Add an entry into the white list.
whitelist mac-address mac-address
Optional.
4. Add an entry into the static
blacklist.
static-blacklist mac-address
mac-address
Optional.
5. Enable the dynamic blacklist
feature.
dynamic-blacklist enable
Optional.
By default, the dynamic
blacklist feature is disabled.
IP network
L2 Switch
FAT AP
Client 1
Client 2 Client 3
Client 4
Figure 22 Frame filtering
If client 1 is present in the backlist, it cannot associate with the fat AP. If it is only in the white list, it can be
associated with the fat AP.
Configuring WLAN IDS frame filtering
WLAN IDS frame filtering configuration involves white list configuration, blacklist configuration, and
dynamic blacklist feature configuration.
In WLAN IDS view, you can configure the static blacklist, white list, enable dynamic blacklist feature
and configure the lifetime for dynamic entries.
Only entries present in the white list are permitted. You can add entries into or delete entries from the
list.
Entries present in the static blacklist are denied.
Whenever WLAN IDS detects a flood attack, the attacking device is added into the dynamic blacklist.
You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry expires, the
device entry is removed from the dynamic blacklist. If a flood attack from the device is detected again
before the lifetime expires, the entry is refreshed.
To configure WLAN IDS frame filtering:
53
Page 58
To do…
Use the command…
Remarks
6. Configure the lifetime for
dynamic blacklist entries.
dynamic-blacklist lifetime lifetime
Optional.
By default, the lifetime is 300
seconds.
To do…
Use the command…
Remarks
Display blacklist entries.
display wlan
blacklist { static | dynamic } [ |
{ begin | exclude | include }
regular-expression ]
Available in any view
Display white list entries.
display wlan whitelist [ | { begin |
exclude | include }
regular-expression ]
Available in any view
Clear dynamic blacklist entries.
reset wlan dynamic-blacklist
{ mac-address mac-address | all }
Available in user view
IP network
L2 switch
FAT AP
Client 1
Client 2
Displaying and maintaining WLAN IDS frame
filtering
WLAN IDS frame filtering configuration example
Network requirements
As shown in Figure 23, Client 1 (0000-000f-1211) is a rogue client. To ensure WLAN security, add the MAC
address of the client into the blacklist on the AC to disable it from accessing the wireless network through any
AP.
Figure 23 WLAN IDS frame filtering configuration
Configuration procedure
# Add MAC address 0000-000f-1211 of Client 1 into the blacklist.
<Sysname> system-view
[Sysname] wlan ids
[Sysname-wlan-ids] static-blacklist mac-address 0000-000f-1211
After the configuration, Client 1 cannot access the AP, and other clients can access the network.
54
Page 59
WLAN QoS configuration
The terms AP and fat AP in this document refer to A-MSR900 and A-MSR20-1X routers with IEEE 802.11b/g
and A-MSR series routers installed with a SIC WLAN module.
An 802.11 network offers contention-based wireless access. To provide applications with QoS services, IEEE
developed 802.11e for the 802.11-based WLAN architecture.
While IEEE 802.11e was being standardized, Wi-Fi Alliance defined the WMM standard to allow QoS
provision devices of different vendors to interoperate. WMM makes a WLAN network capable of providing
QoS services.
Terminology
1. WMM
WMM is a wireless QoS protocol designed to preferentially transmit packets with high priority. Thus, it
guarantees better QoS services for voice and video applications in a wireless network.
2. EDCA
EDCA is a channel contention mechanism designed by WMM to preferentially transmit packets with high
priority and allocate more bandwidth to such packets.
3. AC
AC is used for channel contention. WMM defines four access categories. They are AC-VO (voice) queue,
AC-VI (video) queue, AC-BE (best-effort) queue, and AC-BK (background) queue, in the descending order of
priority. When contending for a channel, a high-priority AC queue preempts a low-priority AC queue.
4. CAC
CAC limits the number of clients that are using high-priority AC queues (including AC-VO and AC-VI queues)
to guarantee sufficient bandwidth for existing high-priority traffic.
5. U-APSD
U-APSD is a new power saving mechanism defined by WMM to enhance the power saving capability of
clients.
6. SVP
SVP is a voice priority protocol designed by Spectralink to guarantee QoS for voice traffic.
WMM protocol overview
The DCF in 802.11 stipulates that APs and clients use the CSMA/CA access mechanism. APs or clients listen
to the channel before they hold the channel for data transmission. When the specified idle duration of the
channel times out, APs or clients randomly select a backoff slot within the contention window to perform
backoff. The device that finishes backoff first gets the channel. With 802.11, all devices have the same idle
duration and contention window. Therefore, they are equal when contending for a channel. In WMM, this
fair contention mechanism is changed.
55
Page 60
Backoff slots
Backoff slots
Backoff slots
Backoff slots
Busy Medium
AIFS[AC-BE]
AIFS[AC-VI]
AIFS[AC-VO]
AIFS[AC-BK]
Contention Window
Next Frame
Backoff slots
DIFS
EDCA parameters
WMM assigns data packets in a BSS to four AC queues. By allowing a high-priority AC queue to have more
channel contention opportunities than a low-priority AC queue, WMM offers different service levels to
different AC queues.
WMM define a set of EDCA parameters for each AC queue, covering the following:
AIFSN: Different from the 802.11 protocol where the idle duration (set using DIFS) is a constant value,
WMM can define an idle duration per AC queue. The idle duration increases as the AIFSN value
increases (see Figure 24 for the AIFS durations).
ECWmin and ECWmax determine the average backoff slots, which increases as the two values
increase (see Figure 24 for the backoff slots).
TXOPLimit indicates the maximum time for which a user can hold a channel after a successful
contention. The greater the TXOPLimit is, the longer the user can hold the channel. The value 0 indicates
that the user can send only one packet each time it holds the channel.
Figure 24 Per-AC channel contention parameters in WMM
CAC admission policies
CAC requires that a client get permission of the AP before it can use a high-priority AC queue for transmission,
thus guaranteeing bandwidth to the clients that have gained access. CAC controls real time traffic (AC-VO
and AC-VI traffic), but not common data traffic (AC-BE and AC-BK traffic).
If a client wants to use a high-priority AC queue, it must send a request to the AP. The AP returns a positive
or negative response based on either of the following admission control policy:
Channel utilization-based admission policy: the AP calculates the total time that the existing
high-priority AC queues occupies the channel in one second, and then calculates the time that the
requesting traffic occupies the channel in one second. If the sum of the two values is smaller than or
equal to the maximum hold time of the channel, the client can use the requested AC queue. Otherwise,
the request is rejected.
Users-based admission policy: if the number of clients using high-priority AC queues plus the clients
requesting for high-priority AC queues is smaller than or equal to the maximum number of high-priority
AC queue clients, the request is accepted. Otherwise, the request is rejected. During calculation, a
client is counted once even if it is using both the AC-VO and AC-VI queues.
56
Page 61
To do…
Use the command…
Remarks
1. Enter system view.
system-view
—
2. Enter WLAN-radio interface
view.
interface wlan-radio
wlan-radio-number
Required.
U-APSD power-save mechanism
U-APSD improves the 802.11 APSD power saving mechanism. When associating clients with AC queues, you
can specify some AC queues as trigger-enabled, some AC queues as delivery-enabled, and the maximum
number of data packets that can be delivered after receiving a trigger packet. Both the trigger attribute and
the delivery attribute can be modified when flows are established using CAC. When a client sleeps, the
delivery-enabled AC queue packets destined for the client are buffered. The client must send a
trigger-enabled AC queue packet to get the buffered packets. After the AP receives the trigger packet,
packets in the transmit queue are sent. The number of sent packets depends on the agreement made when
the client was admitted. AC queues without the delivery attribute store and transmit packets as defined in the
802.11 protocol.
SVP
SVP can assign packets with the protocol ID 119 in the IP header to a specific AC queue. SVP stipulates that
random backoff is not performed for SVP packets. Therefore, you can set both ECWmin and ECWmax to 0
when there are only SVP packets in an AC queue.
ACK policy
WMM defines two ACK policies: Normal ACK and No ACK.
When the No ACK policy is used, the recipient does not acknowledge received packets during wireless
packet exchange. This policy is suitable in the environment where communication quality is fine and
interference is weak. While the No ACK policy helps improve transmission efficiency, it can cause
increased packet loss when communication quality deteriorates. When this policy is used, a sender
does not retransmit packets that have not been received by the recipient.
When the Normal ACK policy is used, the recipient acknowledges each received unicast packet.
Protocols and standards
802.11e-2005, Amendment 8: Medium Access Control (MAC) Quality of Service Enhancements, IEEE
Computer Society, 2005
Wi-Fi, WMM Specification version 1.1, Wi-Fi Alliance, 2005
WMM configuration
To configure WMM:
57
Page 62
To do…
Use the command…
Remarks
3. Enable WMM.
wmm enable
Required.
Enabled by default.
The 802.11n protocol stipulates
that all 802.11n clients support
WLAN QoS. When the radio
works in 802.11gn mode, you
should enable WMM. Otherwise,
the associated 802.11n clients
may fail to communicate.
4. Set the EDCA parameters of
AC-VO or AC-VI queues for
clients.
wmm edca client { ac-vo | ac-vi }
{ aifsn aifsn-value | ecw ecwmin
ecwmin-value ecwmax ecwmax
-value | txoplimit txoplimit-value |
cac } *
Optional.
By default, a client uses the default
EDCA parameters shown in Table
3.
5. Set the EDCA parameters of
AC-BE or AC-BK queues for
clients.
wmm edca client { ac-be | ac-bk }
{ aifsn aifsn-value | ecw ecwmin
ecwmin-value ecwmax ecwmax
-value | txoplimit txoplimit -value } *
Optional.
By default, a client uses the default
EDCA parameters shown in Table
3.
6. Set the EDCA parameters and
specify the ACK policy for the
radio.
wmm edca radio { ac-vo | ac-vi |
ac-be | ac-bk } { aifsn aifsn-value |
ecw ecwmin ecwmin-value ecwmax
ecwmax -value | txoplimit txoplimit
-value | noack } *
Optional.
By default, an AP uses the default
EDCA parameters shown in Table
4 and uses the Normal ACK
policy.
7. Set the CAC policy.
wmm cac policy { channelutilization
[ channelutilization-value ] | users
[ users-number ] }
Optional.
By default, the users-based
admission policy applies, with the
maximum number of users being
20.
8. Map SVP packets to a
specified AC queue.
wmm svp map-ac { ac-vi | ac-vo |
ac-be | ac-bk }
Optional.
By default, the SVP packet
mapping function is disabled.
SVP packet mapping applies to
non WMM clients, and does not
take effect on WMM clients.
If CAC is enabled for an AC queue, CAC is also enabled for the AC queues with higher priority. For example,
if you use the wmm edca client command to enable CAC for the AC-VI queue, CAC is also enabled for the
AC-VO queue. However, enabling CAC for the AC-VO queue does not enable CAC for the AC-VI queue.
HP recommends you use the default EDCA parameter settings for APs and clients (except the TXOPLimit
parameter for devices using 802.11b radio cards) unless it is necessary to modify the default settings.
When the radio card of a device is 802.11b, set the TXOPLimit values of the AC-BK, AC-BE, AC-VI, and
AC-VO queues to 0, 0, 188, and 102, respectively.
The SVP packet mapping function takes effect only after you enable WMM.
58
Page 63
AC queue
AIFSN
ECWmin
ECWmax
TXOP Limit
AC-BK queue
7 4 10
0
AC-BE queue
3 4 10 0 AC-VI queue
2 3 4
94
AC-VO queue
2 2 3
47
AC queue
AIFSN
ECWmin
ECWmax
TXOP Limit
AC-BK queue
7 4 10
0
AC-BE queue
3 4 6
0
AC-VI queue
1 3 4
94
AC-VO queue
1 2 3
47
To do...
Use the command…
Remarks
Display client WMM statistics.
display wlan statistics client { all |
mac-address mac-address } [ |
{ begin | exclude | include }
regular-expression ]
Available in any view
Display radio or client WMM
configuration information.
display wlan wmm { radio
[ interface wlan-radio
wlan-radio-number ] | client { all |
interface wlan-radio
wlan-radio-number | mac-address
mac-address } } [ | { begin |
exclude | include }
regular-expression ]
Available in any view
Clear radio or client WMM
statistics.
reset wlan wmm { radio [ interface
wlan-radio wlan-radio-number ] |
client { all | interface wlan-radio
wlan-radio-number | mac-address
mac-address } }
Available in user view
Table 3 The default EDCA parameters for clients
Table 4 The default EDCA parameters for APs
Displaying and maintaining WMM
WMM configuration examples
WMM basic configuration
Network requirements
As shown in Figure 25, enable WMM on the fat AP, so that the fat AP and client can prioritize the traffic.
59
Page 64
IP network
L2 switch
FAT AP
Client
Figure 25 Network diagram for WMM basic configuration
Configuration procedure
# Configure interface WLAN-BSS 1 to use the 802.11e priority of the received packets for priority mapping.
<Sysname> system-view
[Sysname] interface wlan-bss 1
[Sysname-WLAN-BSS1] qos trust dot11e
[Sysname-WLAN-BSS1] quit
# Configure interface Ethernet 1/0 to use the 802.1p priority of received packets for priority mapping.
[Sysname] interface Ethernet 1/0
[Sysname-Ethernet1/0] qos trust dot1p
[Sysname-Ethernet1/0] quit
# Create a clear-type WLAN service template, configure its SSID as market, configure its authentication
method as Open System, and then enable the WLAN service template.
[Sysname] wlan service-template 1 clear
[Sysname-wlan-st-1] ssid market
[Sysname-wlan-st-1] authentication-method open-system
[Sysname-wlan-st-1] service-template enable
# Configure the radio type as 802.11g for radio interface WLAN-Radio 2/0, and map service template 1 to
interface WLAN-BSS1 on the radio interface.
[Sysname] interface wlan-radio 2/0
[Sysname-WLAN-Radio2/0] radio-type dot11g
[Sysname-WLAN-Radio2/0] service-template 1 interface wlan-bss 1
# Enable WMM on radio interface WLAN-Radio 2/0.
[Sysname-WLAN-Radio2/0] wmm enable
[Sysname-WLAN-Radio2/0] quit
After WMM is enabled, you can use the display wlan wmm radio command to view WMM-related
information.
CAC service configuration example
Network requirements
As shown in Figure 26, a fat AP is connected to an Ethernet and has WMM enabled. Enable CAC for the
AC-VO and AC-VI queues of the fat AP. Use a user-based admission policy to allow up to 10 users to access,
so that enough bandwidth can be guaranteed for the clients using high-priority queues (AC-VO and AC-VI
queues).
60
Page 65
IP network
L2 Switch
FAT AP
Client
Figure 26 Network diagram for CAC service configuration
Configuration procedure
# Configure interface WLAN-BSS 1 to use the 802.11e priority of received packets for priority mapping.
<Sysname> system-view
[Sysname] interface wlan-bss 1
[Sysname-WLAN-BSS1] qos trust dot11e
[Sysname-WLAN-BSS1] quit
# Configure interface Ethernet 1/0 to use the 802.1p priority of received packets for priority mapping.
[Sysname] interface ethernet 1/0
[Sysname-Ethernet1/0] qos trust dot1p
[Sysname-Ethernet1/0] quit
# Create a clear-type WLAN service template, configure its SSID as market, configure its authentication
method as Open System, and then enable the WLAN service template.
[Sysname] wlan service-template 1 clear
[Sysname-wlan-st-1] ssid market
[Sysname-wlan-st-1] authentication-method open-system
[Sysname-wlan-st-1] service-template enable
# Configure the radio type as 802.11g for radio interface WLAN-Radio 2/0, and map service template 1 to
interface WLAN-BSS1 on the radio interface.
[Sysname] interface wlan-radio 2/0
[Sysname-WLAN-Radio2/02] radio-type dot11g
[Sysname-WLAN-Radio2/0] service-template 1 interface wlan-bss 1
# Configure radio interface WLAN-radio 2/0 to allow up to ten users to use high-priority AC queues
(including AC-VO and AC-VI queues).
[Sysname-WLAN-Radio2/0] wmm edca client ac-vo cac
[Sysname-WLAN-Radio2/0] wmm edca client ac-vi cac
[Sysname-WLAN-Radio2/0] wmm cac policy users 10
[Sysname-WLAN-Radio2/0] wmm enable
[Sysname-WLAN-Radio2/0] quit
If a client wants to use a high-priority AC queue (AC-VO or AC-VI queue), it must send a request to the AP.
If the number of clients using high-priority AC queues (including AC-VO and AC-VI queues) plus the clients
61
Page 66
IP network
L2 Switch
FAT AP
Client
requesting for high-priority AC queues on the AP is smaller than or equal to the maximum number of
high-priority AC clients (10 in this example), the request is accepted. Otherwise, the request is denied.
SVP service configuration example
Network requirements
As shown in Figure 27, the fat AP is connected to the Ethernet and has WMM enabled. On the fat AP, SVP
packets are assigned to the AC-VO queue. To guarantee the highest priority for the AC-VO queue, ECWmin
and ECWmax are set to 0 for the AC-VO queue.
Figure 27 SVP service configuration
Configuration procedure
# Configure interface WLAN-BSS 1 to use the 802.11e priority of received packets for priority mapping.
<Sysname> system-view
[Sysname] interface wlan-bss 1
[Sysname-WLAN-BSS1] qos trust dot11e
[Sysname-WLAN-BSS1] quit
# Configure interface Ethernet 1/0 to use the 802.1p priority of received packets for priority mapping.
[Sysname] interface ethernet 1/0
[Sysname-Ethernet1/0] qos trust dot1p
[Sysname-Ethernet1/0] quit
# Create a clear-type WLAN service template, configure its SSID as market, configure its authentication
method as Open System, and then enable the WLAN service template.
[Sysname] wlan service-template 1 clear
[Sysname-wlan-st-1] ssid market
[Sysname-wlan-st-1] authentication-method open-system
[Sysname-wlan-st-1] service-template enable
# Configure the radio interface WLAN Radio 2/0.
[Sysname] interface wlan-radio 2/0
[Sysname-WLAN-Radio2/0] radio-type dot11g
[Sysname-WLAN-Radio2/0] service-template 1 interface wlan-bss 1
[Sysname-WLAN-Radio2/0] wmm enable
[Sysname-WLAN-Radio2/0] wmm svp map-ac ac-vo
62
Page 67
[Sysname-WLAN-Radio2/0] wmm edca radio ac-vo ecw ecwmin 0 ecwmax 0
[Sysname-WLAN-Radio2/0] quit
If a non-WMM client goes online and sends SVP packets to the AP, the SVP packets are assigned to the
AC-VO queue.
Troubleshooting
EDCA parameter configuration failure
Symptom
Configuring EDCA parameters for an AP failed.
Analysis
The EDCA parameter configuration of an AP is restricted by the radio chip of the AP.
Solution
1. Use the display wlan wmm radio ap ap-name command to view the support of the radio chip for the
EDCA parameters. Make sure the configured EDCA parameters are supported by the radio chip.
2. Check that the values configured for the EDCA parameters are valid.
SVP or CAC configuration failure
Symptom
The SVP packet priority mapping function configured with the wmm svp map-ac command does not take
effect.
CAC configured with the wmm edca client command does not take effect.
Analysis
The SVP packet priority mapping function or CAC takes effect only after WMM is enabled.
Solution
1. Use the wmm enable command to enable the WMM function.
2. Check the state of the SVP priority mapping function or CAC again.
63
Page 68
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
Product model names and numbers
Technical support registration number (if applicable)
Product serial numbers
Error messages
Operating system type and revision level
Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions, firmware
updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
For related documentation, navigate to the Networking section, and select a networking category.
For a complete list of acronyms and their definitions, see HP A-Series Acronyms.
Websites
HP.com http://www.hp.com
HP Networking http://www.hp.com/go/networking
HP manuals http://www.hp.com/support/manuals
HP download drivers and software http://www.hp.com/support/downloads
HP software depot http://www.software.hp.com
64
Page 69
Convention
Description
Boldface
Bold text represents commands and keywords that you enter literally as shown.
Italic
Italic text represents arguments that you replace with actual values.
[ ]
Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars, from
which you select one or none.
{ x | y | ... } *
Asterisk-marked braces enclose a set of required syntax choices separated by vertical
bars, from which you select at least one.
[ x | y | ... ] *
Asterisk-marked square brackets enclose optional syntax choices separated by vertical
bars, from which you select one choice, multiple choices, or none.
&<1-n>
The argument or keyword and argument combination before the ampersand (&) sign can
be entered 1 to n times.
#
A line that starts with a pound (#) sign is comments.
Convention
Description
Boldface
Window names, button names, field names, and menu items are in bold text. For
example, the New User window appears; click OK.
>
Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Convention
Description
WARNING
An alert that calls attention to important information that if not understood or followed can
result in personal injury.
CAUTION
An alert that calls attention to important information that if not understood or followed can
result in data loss, data corruption, or damage to hardware or software.
IMPORTANT
An alert that calls attention to essential information.
NOTE
An alert that contains additional or supplementary information.
TIP
An alert that provides helpful information.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
GUI conventions
Symbols
65
Page 70
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.
Network topology icons
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
66
Page 71
Index
802.11b/802.11g rates, 23
802.11g protection, 26
802.11n, 17
802.11n example, 21
802.11n rates, 24
802.1X authentication, 36
802.1X authentication example, 41
access point, 9
ACK policy, 57
association, 11
authentication, 11
authentication modes, 28
basic concepts, WLAN service, 9
blacklist, 52
blacklist and white list, 52
CAC admission policies, 56
CAC service example, 60
CCMP cipher suite, 35
cipher suite, 34
client, 9
client access authentication, 30
configuring a WLAN-BSS interface, 1
configuring a WLAN-Ethernet interface, 3
configuring a WLAN-radio interface, 1
configuring WLAN IDS frame filtering, 53
configuring WLAN security, 31
configuring WLAN service, 14
contacting HP, 64
country code, 14
data transmit rates, 23
documentation
conventions used, 65
website, 64
EDCA parameter configuration failure, 63
enabling an authentication method, 31
entering WLAN-Ethernet interface view, 2
fat AP, 9
flood attack detection, 49
global WLAN parameters, 14
GTK rekey based on packet, 32
GTK rekey based on time, 32
GTK rekey method, 32
HP
customer support and resources, 64
document conventions, 65
documents and manuals, 64
icons used, 65
subscription service, 64
support contact information, 64
symbols used, 65
websites, 64
icons, 65
IDS attack detection, 50
displaying and maintaining, 51
MAC and PSK authentication example, 38
MAC authentication, 36
manuals, 64
multi-ESS, 13
non-dot11h channel scanning, 26
open system authentication, 28
other related procedures, WLAN service, 12
port security, 35
pre-RSN, 48
PSK authentication, 35
PSK authentication example, 37
PTK lifetime, 31
QoS terminology, 55
radio of the AP, 16
radio parameters, 15
RSN, 46
RSN security IE, 33
scanning, 10
security IE, 33
shared key authentication, 28
single BSS, 12
single ESS Multi-BSS (the multi-radio case), 13
specifying a permitted SSID in a user profile, 19
spoofing attack detection, 50
SSID, 9
SSID-based access control, 19
subscription service, 64
support and other resources, 64
supported combinations for ciphers, 46
SVP, 57
SVP or CAC configuration failure, 63
SVP service example, 62
symbols, 65
TKIP cipher suite, 34
U-APSD power-save mechanism, 57
weak IV detection, 50
websites, 64
WEP cipher suite, 34
67
Page 72
white list, 52
WIDS attack detection, 49
wireless client access, 9
wireless medium, 9
WLAN client isolation, 19
WLAN data security, 29
WLAN IDS
configuration, 49
flood attack detection, 49
IDS attack detection, 50
spoofing attack detection, 50
task list, 50
terminology, 49
weak IV detection, 50
WIDS attack detection, 49
WLAN IDS configuration, 49
WLAN IDS frame filtering
blacklist and white list, 52
configuration, 52
configuring, 53
displaying and maintaining, 54
example, 54
WLAN IDS frame filtering configuration, 52
WLAN IDS frame filtering example, 54
network requirements, 54
WLAN IDS task list, 50
WLAN IDS terminology, 49
WLAN interface
configuration, 1
configuring a radio interface, 1
configuring a WLAN-BSS interface, 1
configuring a WLAN-Ethernet interface, 3
displaying and maintaining, 8
entering WLAN-Ethernet interface view, 2
Ethernet interface, 2
WLAN-BSS interface, 1
WLAN interface configuration, 1
WLAN QoS
ACK policy, 57
CAC admission policies, 56
configuration, 55
displaying and maintaining WMM, 59
EDCA parameters, 56
protocols and standards, 57
SVP, 57
terminology, 55
troubleshooting, 63
U-APSD power-save mechanism, 57
WMM configuration, 57
WMM protocol overview, 55
WLAN QoS configuration, 55
WLAN QoS examples
CAC service configuration example, 60
network requirements, 59, 60, 62
SVP service example, 62
WMM basic configuration, 59
WMM configuration examples, 59
WLAN QoS protocols and standards, 57
WLAN QoS troubleshooting, 63
EDCA parameter configuration failure, 63
SVP or CAC configuration failure, 63
WLAN RRM
802.11b/802.11g rates, 23
802.11g protection, 26
802.11n rates, 24
configuration, 23
data transmit rates, 23
displaying and maintaining, 27
non-dot11h channel scanning, 26
task list, 23
WLAN RRM configuration, 23
WLAN RRM task list, 23
WLAN security
802.1X authentication, 36
authentication modes, 28
CCMP cipher suite, 35
cipher suite, 34
client access authentication, 30
configuration, 28
configuring WLAN security, 31
displaying and maintaining, 37
enabling an authentication method, 31
examples, 37
GTK rekey based on packet, 32
GTK rekey based on time, 32
GTK rekey method, 32
MAC authentication, 36
open system authentication, 28
port security, 35
pre-RSN, 48
protocols and standards, 30
PSK and MAC authentication, 36
PSK authentication, 35
PTK lifetime, 31
RSN, 46
RSN security IE, 33
security IE, 33
shared key authentication, 28
supported combinations for ciphers, 46
task list, 31
TKIP cipher suite, 34
WEP cipher suite, 34
68
Page 73
WLAN data security, 29
WPA, 47
WPA security IE, 33
WLAN security configuration, 28
WLAN security examples, 37
802.1X authentication example, 41
MAC and PSK authentication example, 38
network requirements, 37, 38, 41
PSK authentication example, 37
WLAN security protocols and standards, 30
WLAN security task list, 31
WLAN service
802.11n, 17
access point, 9
association, 11
authentication, 11
basic concepts, 9
client, 9
configuration, 9
configuring WLAN service, 14
country code, 14
displaying and maintaining, 18
fat AP, 9
global WLAN parameters, 14
multi-ESS, 13
other related procedures, 12
protocols and standards, 14
radio of the AP, 16
radio parameters, 15
scanning, 10
single BSS, 12
single ESS Multi-BSS (the multi-radio case), 13
specifying a permitted SSID in a user profile, 19
SSID, 9
SSID-based access control, 19
task list, 14
topologies, 12
wireless client access, 9
wireless medium, 9
WLAN client isolation, 19
WLAN service examples, 20
WLAN service template, 15
WLAN service configuration, 9
WLAN service configuration example, 20
WLAN service configuration task list, 14
WLAN service examples, 20
802.11n example, 21
network requirements, 20, 21
WLAN service example, 20
WLAN service template, 15
WLAN topologies, 12
WLAN-BSS interface, 1
WLAN-Ethernet interface, 2
WLAN-interface
radio interface, 1
WLAN-radio interface, 1
WMM basic configuration, 59
WMM configuration, 57
WMM configuration examples, 59
WMM protocol overview, 55
WPA, 47
WPA security IE, 33
69
Loading...