H3C WA Series Configuration manual

H3C WA Series WLAN Access Points
WLAN Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Document Version: 6W100-20100910
Copyright © 2010, Hangzhou H3C Technologies Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath,
Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are
trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C WA documentation set includes 10 configuration guides, which describe the software features
for the H3C WA series WLAN access points and guide you through the software configuration
procedures. These configuration guides also provide configuration examples to help you apply the
software features to different network scenarios.
The WLAN Configuration Guide describes WLAN interface, WLAN service, WLAN security, WLAN
RRM, WLAN IDS, WLAN QoS, and WDS configurations.
This preface includes:
- Audience
- Conventions
- About the H3C WA Documentation Set
- Obtaining Documentation
- Documentation Feedback
Audience
This documentation is intended for:
- Network planners
- Field technical support and servicing engineers
- Network administrators working with the WA series
Conventions
This section describes the conventions used in this documentation set.
Command conventions
- Boldface: Bold text represents commands and keywords that you enter literally as shown.
- italic: Italic text represents arguments that you replace with actual values.
- [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
- { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
- [ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
- { x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
- [ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
- &<1-n>: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
- #: A line that starts with a pound (#) sign is a comment.
GUI conventions
- Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
- >: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
- Means the reader must be extremely careful. Improper operation may cause bodily injury.
- Means the reader must be careful. Improper operation may cause data loss or damage to equipment.
- Means an action or information that needs special attention to ensure successful configuration or good performance.
- Means a complementary description.
- Means techniques that help you complete the configuration with ease.
About the H3C WA Documentation Set
The H3C WA documentation set includes the following documents, grouped by category:
Product description and specifications:
- Marketing brochures: Describe product specifications and benefits.
- Technology white papers: Provide an in-depth description of software features and technologies.
Hardware specifications and installation:
- Compliance and safety manual: Provides regulatory information and the safety instructions that must be followed during installation.
- Quick start: Guides you through initial installation and setup procedures to help you quickly set up and use your AP with the minimum configuration.
- Installation guide: Guides you through hardware specifications and installation methods to help you install your AP.
Software configuration:
- Getting started guide: Guides you through the main functions of your AP, and describes how to install and log in to your AP, perform basic configurations, maintain software, and troubleshoot your AP.
- Configuration guides: Describe software features and configuration procedures.
- Command references: Provide a quick reference to all available commands.
Operations and maintenance:
- User FAQ: Provides answers to some of the most frequently asked questions on how to troubleshoot your AP.
- Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
- [Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, getting started, and software feature configuration and maintenance documentation.
- [Products & Solutions]: Provides information about products and technologies, as well as solutions.
- [Technical Support & Documents > Software Download]: Provides the documentation released with the software version.
Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Table of Contents
1 Applicable Models and Software Versions.............................................................................................1-1
2 Feature Matrix............................................................................................................................................2-1
3 Command/Parameter Matrix.....................................................................................................................3-1
4 WLAN Interface Configuration.................................................................................................................4-1
Overview.................................................................................................................................................4-1
WLAN-Radio Interface............................................................................................................................4-1
Introduction......................................................................................................................................4-1
Configuring a WLAN-Radio Interface..............................................................................................4-1
WLAN-BSS Interface ..............................................................................................................................4-2
Introduction......................................................................................................................................4-2
Configuring a WLAN-BSS Interface................................................................................................4-2
WLAN Mesh Interface.............................................................................................................................4-3
Introduction......................................................................................................................................4-3
Entering WLAN Mesh Interface View..............................................................................................4-3
Configuring a WLAN Mesh Interface...............................................................................................4-3
WLAN Mesh Link Interface.....................................................................................................................4-3
Displaying and Maintaining a WLAN Interface .......................................................................................4-3
5 WLAN Security Configuration..................................................................................................................5-1
WLAN Security Configuration.................................................................................................................5-1
Overview..........................................................................................................................................5-1
Authentication Modes......................................................................................................................5-1
WLAN Data Security........................................................................................................................5-2
Client Access Authentication...........................................................................................................5-3
Protocols and Standards.................................................................................................................5-4
Configuring WLAN Security ....................................................................................................................5-4
Enabling an Authentication Method.................................................................................................5-4
Configuring the PTK Lifetime ..........................................................................................................5-5
Configuring the GTK Rekey Method ...............................................................................................5-5
Configuring Security IE....................................................................................................................5-6
Configuring Cipher Suit ...................................................................................................................5-7
Configuring Port Security ................................................................................................................5-9
Displaying and Maintaining WLAN Security..................................................................................5-11
WLAN Security Configuration Examples ..............................................................................................5-12
PSK Authentication Configuration Example..................................................................................5-12
MAC-and-PSK Authentication Configuration Example .................................................................5-13
802.1X Authentication Configuration Example..............................................................................5-16
Dynamic WEP Encryption-802.1X Authentication Configuration Example...................................5-23
Supported Combinations for Ciphers....................................................................................................5-25
6 WLAN RRM Configuration........................................................................................................................6-1
Overview.................................................................................................................................................6-1
Configuration Task list.............................................................................................................................6-1
Configuring Data Transmission Rates....................................................................................................6-2
Configuring 802.11a/802.11b/802.11g Rates .................................................................................6-2
Configuring 802.11n Rates..............................................................................................................6-2
Configuring Power Constraint.................................................................................................................6-3
Prerequisites....................................................................................................................................6-3
Configuring Power Constraint .........................................................................................................6-3
Configuring Only Non-802.11h Channels to Be Scanned ......................................................................6-4
Configuring Only Non-802.11h Channels to Be Scanned...............................................................6-4
Enabling 802.11g Protection...................................................................................................................6-4
Displaying and Maintaining WLAN RRM ................................................................................................6-4
7 WLAN IDS Configuration ..........................................................................................................................7-1
WLAN IDS Overview...............................................................................................................................7-1
Terminology.....................................................................................................................................7-1
WLAN IDS IPS ................................................................................................................................7-2
Configuring IDS Attack Detection ...........................................................................................................7-3
Configuring IDS Attack Detection....................................................................................................7-3
Displaying and Maintaining WLAN IDS...........................................................................................7-3
Frame Filtering........................................................................................................................................7-3
Overview..........................................................................................................................................7-3
Configuring WIDS-Frame Filtering..........................................................................................................7-4
Configuring Static White and Black Lists.........................................................................................7-5
Configuring Dynamic Blacklist Feature ...........................................................................................7-5
Displaying and Maintaining WLAN IDS Frame Filtering.........................................................................7-5
WLAN IDS Frame Filtering Configuration Example................................................................................7-5
8 WLAN QoS Configuration.........................................................................................................................8-1
WLAN QoS Overview..............................................................................................................................8-1
Terminology.....................................................................................................................................8-1
WMM Protocol Overview.................................................................................................................8-2
Protocols and Standards.................................................................................................................8-4
WMM Configuration ................................................................................................................................8-4
Configuration Prerequisites.............................................................................................................8-4
Configuring WMM............................................................................................................................8-4
Displaying and Maintaining WMM...........................................................................................................8-6
WMM Configuration Examples ...............................................................................................................8-6
WMM Basic Configuration...............................................................................................................8-6
CAC Service Configuration Example ..............................................................................................8-7
Troubleshooting ......................................................................................................................................8-8
EDCA Parameter Configuration Failure..........................................................................................8-8
SVP or CAC Configuration Failure..................................................................................................8-8
9 WDS Configuration....................................................................................................................................9-1
Introduction to WDS................................................................................................................................9-1
Advantages of WDS........................................................................................................................9-1
Deployment Scenarios ....................................................................................................................9-2
WDS Configuration Task List..................................................................................................................9-3
Configuring WDS Port Security.......................................................................................................9-3
Configuring a Mesh Profile..............................................................................................................9-4
Configuring an MP Policy................................................................................................................9-4
Mapping a Mesh Profile to the Radio of an MP...............................................................................9-5
Mapping an MP Policy to the Radio of an MP.................................................................................9-5
Specifying a Peer MAC Address on the Radio ...............................................................................9-6
Displaying and Maintaining WDS............................................................................................................9-6
WDS Configuration Examples ................................................................................................................9-6
WDS Point to Point Configuration Example....................................................................................9-6
WDS Point to Multi-Point Configuration Example ...........................................................................9-8
10 WLAN Service Configuration ...............................................................................................................10-1
WLAN Service Overview.......................................................................................................................10-1
Terminology...................................................................................................................................10-1
Wireless Client Access..................................................................................................................10-2
802.11 Overview...................................................................................................................................10-4
WLAN Topologies.................................................................................................................................10-5
Single BSS ....................................................................................................................................10-5
Multi-ESS.......................................................................................................................................10-5
Single ESS Multiple BSS (The multiple radio case)......................................................................10-6
Protocols and Standards.......................................................................................................................10-7
Configuring WLAN Service...................................................................................................................10-7
Configuring Global WLAN Parameters..........................................................................................10-7
Specifying the Country Code.........................................................................................................10-7
Configuring a Service Template....................................................................................................10-8
Configuring the Radio of an AP.....................................................................................................10-9
Configuring a Radio Interface........................................................................................................10-9
Configuring 802.11n....................................................................................................................10-10
Configuring Uplink Detection ..............................................................................................................10-11
Displaying and Maintaining WLAN Service.........................................................................................10-12
Configuring WLAN Client Isolation......................................................................................................10-12
Introduction..................................................................................................................................10-12
Enabling WLAN Client Isolation ..................................................................................................10-13
WLAN Service Configuration Examples .............................................................................................10-13
WLAN Service Configuration Example........................................................................................10-13
802.11n Configuration Example..................................................................................................10-14
11 Index .......................................................................................................................................................11-1
- The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
- Read this chapter before using an H3C WA series WLAN access point.
1 Applicable Models and Software Versions
H3C WA series WLAN access points include the WA2200 series and WA2600 series. Table 1-1 shows
the applicable models and software versions.
Table 1-1 Applicable models and software versions
- WA2200 series access points (indoors): WA2210-AG, WA2220-AG; software version R 1115
- WA2200 series access points (outdoors): WA2210X-G, WA2220X-AG; software version R 1115
- WA2600 series access points (indoors): WA2610-AGN, WA2612-AGN, WA2620-AGN; software version R 1106
- WA2600 series access points (enhanced): WA2610E-AGN, WA2620E-AGN; software version R 1109
2 Feature Matrix
- Support of the H3C WA series WLAN access points for features, commands and parameters may vary by device model. See this document for more information.
- For information about feature support, see Table 2-1. For information about command and parameter support, see Table 3-1.
- The term AP in this document refers to common APs, wireless bridges, or mesh APs.
Table 2-1 Feature matrix (feature: WA2200 series support; WA2600 series support)
Fundamentals Configuration Guide:
- HTTPS: WA2200 series not supported; WA2600 series supported.
WLAN Configuration Guide:
- 802.11n radio mode: WA2200 series not supported; WA2600 series supported.
- 802.11n bandwidth mode: WA2200 series not supported; WA2600 series supported.
- 802.11n rate configuration: WA2200 series not supported; WA2600 series supported.
Layer 2 – LAN Switching Configuration Guide:
- Optical Ethernet interface: WA2200 series supported on WA2210X-G/WA2220X-AG only; WA2600 series not supported.
- GE interface: WA2200 series not supported; WA2600 series supported.
Layer 3 – IP Services Configuration Guide:
- DHCP server configuration: WA2200 series not supported; WA2600 series supported.
- DHCPv6 configuration: WA2200 series not supported; WA2600 series supported.
IP Multicast Configuration Guide:
- IGMP snooping configuration: WA2200 series not supported; WA2600 series supported.
- MLD snooping configuration: WA2200 series not supported; WA2600 series supported.
Security Configuration Guide:
- SSH2.0: WA2200 series not supported; WA2600 series supported.
3 Command/Parameter Matrix
Table 3-1 Command/Parameter matrix (command or parameter: WA2200 series support; WA2600 series support)
Fundamentals Command Reference, HTTP commands:
- display ip https: WA2200 series not supported; WA2600 series supported.
- ip https acl: WA2200 series not supported; WA2600 series supported.
- ip https certificate access-control-policy: WA2200 series not supported; WA2600 series supported.
- ip https enable: WA2200 series not supported; WA2600 series supported.
WLAN Command Reference, WLAN service commands:
- a-mpdu enable: WA2200 series not supported; WA2600 series supported.
- a-msdu enable: WA2200 series not supported; WA2600 series supported.
- channel band-width: WA2200 series not supported; WA2600 series supported.
- client dot11n-only: WA2200 series not supported; WA2600 series supported.
- preamble { long | short }: on both series, only APs that support the 802.11b/g radio mode support this command.
- radio-type: WA2200 series does not support the keywords dot11an and dot11gn; WA2600 series supported.
- short-gi enable: WA2200 series not supported; WA2600 series supported.
WLAN Command Reference, WLAN RRM commands:
- dot11a { disabled-rate | mandatory-rate | supported-rate } rate-value: on both series, only APs that support the 802.11a radio mode support this command.
- dot11n mandatory maximum-mcs: WA2200 series not supported; WA2600 series supported.
- dot11n support maximum-mcs: WA2200 series not supported; WA2600 series supported.
- power-constraint power-constraint: on both series, only APs that support the 802.11a radio mode support this command.
Layer 2 – LAN Switching Command Reference:
- broadcast-suppression { ratio | pps max-pps } (the maximum number of broadcast packets that can be forwarded on an Ethernet interface per second): pps max-pps ranges from 1 to 148810 on the WA2200 series and from 1 to 1488100 on the WA2600 series.
- multicast-suppression { ratio | pps max-pps } (the maximum number of multicast packets allowed on an Ethernet interface per second): pps max-pps ranges from 1 to 148810 on the WA2200 series and from 1 to 1488100 on the WA2600 series.
- unicast-suppression { ratio | pps max-pps } (the maximum number of unknown unicast packets allowed on an Ethernet interface per second): pps max-pps ranges from 1 to 148810 on the WA2200 series and from 1 to 1488100 on the WA2600 series.
Layer 3 – IP Services Command Reference, DHCP commands:
- DHCP server configuration commands: WA2200 series not supported; WA2600 series supported.
Layer 3 – IP Services Command Reference, DHCPv6 commands:
- display ipv6 dhcp client [ interface interface-type interface-number ]: WA2200 series not supported; WA2600 series supported.
- display ipv6 dhcp client statistics [ interface interface-type interface-number ]: WA2200 series not supported; WA2600 series supported.
- display ipv6 dhcp duid: WA2200 series not supported; WA2600 series supported.
- reset ipv6 dhcp client statistics [ interface interface-type interface-number ]: WA2200 series not supported; WA2600 series supported.
- The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
- Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For more information, see Feature Matrix.
- The interface types and the number of interfaces vary by AP model.
- The term AP in this document refers to common APs, wireless bridges, or mesh APs.
4 WLAN Interface Configuration
This chapter includes these sections:
- Overview
- WLAN-Radio Interface
- WLAN-BSS Interface
- WLAN Mesh Interface
- WLAN Mesh Link Interface
- Displaying and Maintaining a WLAN Interface
Overview
FAT APs support WLAN-Radio physical interfaces and WLAN-BSS virtual interfaces. WLAN-Radio
interfaces can be bound to WLAN-BSS interfaces to provide wireless network access.
WLAN-Radio Interface
Introduction
WLAN-Radio interfaces are physical interfaces and are used for providing wireless access service.
They can be configured but cannot be removed.
Configuring a WLAN-Radio Interface
Follow these steps to configure a WLAN-Radio interface:
1. Enter system view: system-view
2. Enter WLAN-Radio interface view: interface wlan-radio interface-number (required)
3. Set the description string for the interface: description text (optional; by default, the description string of an interface is interface-name followed by Interface)
4. Shut down the WLAN-Radio interface: shutdown (optional; by default, a WLAN-Radio interface is up)
WLAN-BSS Interface
Introduction
WLAN-BSS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 access Ethernet ports
and have Layer 2 attributes. A WLAN-BSS interface supports multiple Layer 2 protocols. On a FAT AP, a
WLAN-Radio interface bound to a WLAN-BSS interface operates as a Layer 2 interface.
Configuring a WLAN-BSS Interface
Follow these steps to configure a WLAN-BSS interface:
1. Enter system view: system-view
2. Enter WLAN-BSS interface view: interface wlan-bss interface-number (required; if the WLAN-BSS interface does not exist, this command creates it first)
3. Set the description string for the interface: description text (optional; by default, the description string of an interface is interface-name followed by Interface)
4. Add the WLAN-BSS interface to a VLAN: port access vlan vlan-id (optional; by default, an interface belongs to VLAN 1, the default VLAN)
5. Shut down the WLAN-BSS interface: shutdown (optional; by default, a WLAN-BSS interface is up)
Before executing the port access vlan command, make sure the VLAN identified by the vlan-id
argument already exists. You can use the vlan command to create a VLAN. For more information about
the port access vlan command, see VLAN in the Layer 2 – LAN Switching Command Reference.
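As an added example that is not part of the H3C manual, the following CLI session applies the WLAN-BSS procedure above end to end: the VLAN is created before it is referenced, as the note requires, and the interface is moved off default VLAN 1 so that wireless clients land in a dedicated VLAN rather than the management VLAN. The system name AP, VLAN 10, interface number 1 and the description text are constructed values.

```text
# Constructed example, not from the manual. Prompts assume the system name "AP".
<AP> system-view
[AP] vlan 10
# Create the VLAN first: port access vlan fails if the VLAN does not exist yet.
[AP-vlan10] quit
[AP] interface wlan-bss 1
# The WLAN-BSS interface is created on first entry if it does not exist.
[AP-WLAN-BSS1] description Wireless-clients-VLAN10
[AP-WLAN-BSS1] port access vlan 10
# Without this step the interface stays in VLAN 1, the default VLAN.
[AP-WLAN-BSS1] quit
[AP] display interface wlan-bss 1
# Verify that the interface is up and reports the intended description and VLAN.
```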
WLAN Mesh Interface
Introduction
WLAN mesh interfaces are Layer 2 virtual interfaces. You can use them as configuration templates to
make and save settings for WLAN mesh link interfaces. Once a WLAN mesh link interface is created,
you will not be allowed to change the settings on its associated WLAN mesh interface.
Entering WLAN Mesh Interface View
Follow these steps to enter WLAN mesh interface view:
1. Enter system view: system-view
2. Enter WLAN mesh interface view: interface wlan-mesh interface-number (required; if the specified WLAN mesh interface does not exist, this command creates it first)
Configuring a WLAN Mesh Interface
Follow these steps to configure a WLAN mesh interface.
1. Configure the description of the WLAN mesh interface: description
2. Configure VLAN settings: port link-type, port access, port trunk, port hybrid
WLAN Mesh Link Interface
WLAN mesh link interfaces are similar to Layer 2 virtual Ethernet interfaces and have the features of
Layer 2 interfaces. They are dynamically created or deleted by the WLAN module and are responsible
for local data forwarding on the mesh network.
WLAN mesh link interfaces use the settings you made on their corresponding WLAN mesh interfaces
and are not configurable.
Displaying and Maintaining a WLAN Interface
- Display WLAN-Radio interface information: display interface wlan-radio [ interface-number ] (available in any view)
- Display WLAN-BSS interface information: display interface wlan-bss [ interface-number ] (available in any view)
- Display WLAN mesh interface information: display interface wlan-mesh [ interface-number ] (available in any view)
z The models listed in this document are not applicable to all regions. Please consult your local sales
office for the models applicable to your region.
z Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For
more information, see Feature Matrix.
z The interface types and the number of interfaces vary by AP model.
z The radio types supported by the H3C WA series WLAN access points vary by AP model.
z The term AP in this document refers to common APs, wireless bridges, or mesh APs.
5 WLAN Security Configuration
This chapter includes these sections:
z WLAN Security Configuration
z Configuring WLAN Security
z WLAN Security Configuration Examples
z Supported Combinations for Ciphers
WLAN Security Configuration
Overview
The wireless security capabilities built into the original 802.11 standard are inadequate for protecting
networks that carry sensitive information. They keep out casual users, but a skilled attacker can break
into a wireless network that relies on them alone. As a result, security mechanisms beyond those of
basic 802.11 must be implemented to protect against unauthorized access to resources on the network.
Authentication Modes
To ensure WLAN security, an AP must authenticate clients. A client can be associated with an AP only
when it passes authentication. The following two authentication modes are supported.
z Open system authentication
Open system authentication is the default authentication algorithm. This is the simplest of the available
authentication algorithms. Essentially it is a null authentication algorithm. Any client that requests
authentication with this algorithm can become authenticated. Open system authentication is not
required to be successful because an AP may decline to authenticate the client. Open system
authentication involves a two-step authentication process. At the first step, the wireless client sends a
request for authentication. At the second step, the AP determines whether the wireless client passes
the authentication and returns the result to the client.
Figure 5-1 Open system authentication process (the client sends an authentication request, and the AP returns an authentication response)
z Shared key authentication
The following figure shows a shared key authentication process. The two parties have the same shared
key configured.
1) The client sends an authentication request to the AP.
2) The AP randomly generates a challenge and sends it to the client.
3) The client uses the shared key to encrypt the challenge and sends it to the AP.
4) The AP uses the shared key to encrypt the challenge and compares the result with that received
from the client. If they are identical, the client passes the link authentication. If not, the link
authentication fails.
Figure 5-2 Shared key authentication process
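The four steps above, played through on both sides of the exchange, as an added example that is not code from the H3C manual. RC4 and the WEP framing (a per-frame key of IV || shared key, a CRC-32 integrity check value appended before encryption) follow the public 802.11-1999 definitions; the 40-bit key, the IV and the challenge are constructed sample values. As the manual notes later in this chapter, shared key authentication is only usable with WEP encryption, so the example uses WEP framing throughout.

```python
"""Shared key (WEP) authentication exchange between a client and an AP.

Added example, not H3C code. RC4 and the WEP framing are the public
802.11-1999 definitions; the key, IV and challenge are constructed.
"""
import os
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: the per-frame RC4 key is IV || shared key; the CRC-32 ICV is
    appended to the plaintext and encrypted together with it."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    keystream = rc4_keystream(iv + shared_key, len(body))
    return bytes(a ^ b for a, b in zip(body, keystream))


class AccessPoint:
    """Authenticator side: issues the challenge, re-encrypts it and compares (steps 2 and 4)."""

    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key
        self.challenge = None

    def on_auth_request(self) -> bytes:
        # Step 2: a random 128-byte challenge text, the length 802.11 specifies
        self.challenge = os.urandom(128)
        return self.challenge

    def on_auth_response(self, iv: bytes, ciphertext: bytes) -> bool:
        # Step 4: encrypt the stored challenge with the client's IV and compare
        if self.challenge is None:
            return False
        expected = wep_encrypt(self.shared_key, iv, self.challenge)
        self.challenge = None          # a challenge is only ever answered once
        return expected == ciphertext


class Client:
    """Supplicant side: encrypts the challenge with its copy of the key (step 3)."""

    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key

    def answer(self, challenge: bytes):
        iv = os.urandom(3)             # 24-bit WEP IV, sent in clear with the frame
        return iv, wep_encrypt(self.shared_key, iv, challenge)


def run_shared_key_auth(ap_key: bytes, client_key: bytes) -> bool:
    """Full exchange; True only when both sides hold the same shared key."""
    ap, client = AccessPoint(ap_key), Client(client_key)
    challenge = ap.on_auth_request()   # step 1: request; AP replies with the challenge
    iv, ciphertext = client.answer(challenge)
    return ap.on_auth_response(iv, ciphertext)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    print("matching keys   ->", run_shared_key_auth(key, key))
    print("mismatched keys ->", run_shared_key_auth(key, bytes.fromhex("0102030406")))
```

The AP accepts the client only if its own encryption of the challenge matches the ciphertext the client returned, which is exactly the comparison described in step 4; the IV is carried in the clear so that the AP can reproduce the same RC4 key.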
WLAN Data Security
Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN
devices share the same medium and thus every device can receive data from any other sending device.
If no security service is provided, plain-text data is transmitted over the WLAN.
To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices
without the right key cannot read encrypted data.
1) Simple text data
No data packets are encrypted. It is in fact a WLAN service without any security protection.
2) WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in
a wireless LAN from casual eavesdropping. WEP uses RC4 encryption for confidentiality. WEP
encryption falls into static and dynamic encryption according to how a WEP key is generated.
z Static WEP encryption
With static WEP encryption, all clients using the same SSID must use the same encryption key. If the
encryption key is deciphered or lost, attackers can read all encrypted data. In addition, periodic manual
key updates impose a heavy management workload.
z Dynamic WEP encryption
Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP
encryption, WEP keys are negotiated between client and server through the 802.1X protocol so that
each client is assigned a different WEP key, which can be updated periodically to further improve
unicast frame transmission security.
Although WEP encryption increases the difficulty of network interception and session hijacking, it still
has weaknesses due to limitations of the RC4 algorithm and of static key configuration.
3) TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many
advantages over WEP, and provides more secure protection for WLAN as follows:
z First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption,
TKIP encryption uses the 128-bit RC4 encryption algorithm, and increases the length of IVs from 24
bits to 48 bits.
z Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a
single static key with a base key generated by an authentication server. TKIP dynamic keys cannot
be easily deciphered.
z Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC,
the data may have been tampered with, and the system may be under attack. If two packets fail the
MIC within a certain period, the AP automatically takes countermeasures: it stops providing service
for a certain period to block the attack.
4) CCMP encryption
CTR with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM
combines CTR mode for confidentiality and CBC-MAC for authentication and integrity. CCM protects the
integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES
block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Like TKIP, CCMP includes a
dynamic key negotiation and management method, so that each wireless client can dynamically
negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP
encryption mechanism. During encryption, CCMP uses a 48-bit packet number (PN) to ensure that each
encrypted packet uses a different PN, which further improves security.
Client Access Authentication
After a wireless client sets up a wireless link with an AP, the wireless client is considered to have joined
the wireless network. However, for the security and management of the wireless network, the wireless
client can access network resources only after passing subsequent authentication. Among the
authentication mechanisms, preshared key (PSK) authentication and 802.1X authentication accompany
the dynamic key negotiation and management of the wireless link, and therefore they are closely
related to wireless link negotiation. However, they are not directly part of the wireless link itself.
1) PSK authentication
Both WPA wireless access and WPA2 wireless access support PSK authentication. To implement PSK
authentication, the client and the authenticator must have the same shared key configured.
2) 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the
port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access
the resources on the WLAN only after passing authentication.
3) MAC authentication
MAC authentication provides a way of authenticating users based on ports and MAC addresses. For
this authentication, the user does not need to install any client software. When the device first detects
the MAC address of a user, it starts authentication for that user. During the authentication process, the
user does not need to enter a username or password manually. In WLAN applications, MAC
authentication requires the MAC addresses of the clients to be known in advance. Therefore, MAC
authentication is applicable to small-scale networks with relatively fixed users, for example, SOHO
and small offices.
Protocols and Standards
z IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements, 2004
z Wi-Fi Protected Access - Enhanced Security Implementation Based on IEEE P802.11i Standard, August 2004
z Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements, 802.11, 1999
z IEEE Standard for Local and metropolitan area networks: Port-Based Network Access Control, 802.1X-2004
Configuring WLAN Security
To configure WLAN Security on a service template, map the service template to a radio. The SSID
name, advertisement setting (beaconing), and encryption settings are configured in the service
template. You can configure the SSID to support any combination of WPA, RSN, and non-WPA clients.
z Enabling an Authentication Method: Required
z Configuring the PTK Lifetime: Optional
z Configuring the GTK Rekey Method: Optional
z Configuring Security IE: Required
z Configuring Cipher Suite: Required
z Configuring Port Security: Optional
Enabling an Authentication Method
You can enable both open system authentication and shared key authentication or either of them.
Follow these steps to enable the authentication method:
1) Enter system view: system-view
2) Enter WLAN service template view: wlan service-template service-template-number crypto (Required)
3) Enable an authentication method: authentication-method { open-system | shared-key } (Optional. The open system authentication method is used by default.)
z Shared key authentication is usable only when WEP encryption is adopted. In this case, you must configure the authentication-method shared-key command.
z For RSN and WPA, shared key authentication is not required; only open system authentication is required.
Configuring the PTK Lifetime
A pairwise transient key (PTK) is generated through a four-way handshake, during which the pairwise
master key (PMK), an AP random value (ANonce), a client (station) random value (SNonce), the AP's
MAC address and the client's MAC address are used.
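The derivation described above, carried through as an added example that is not code from the H3C manual. It uses the public IEEE 802.11i definitions: in PSK mode the PMK is the PSK, derived from the passphrase and SSID with PBKDF2-HMAC-SHA1, and the PTK is PRF-X(PMK, "Pairwise key expansion", ordered MAC addresses || ordered nonces). The passphrase, SSID, MAC addresses and nonces are constructed sample values, and the EAPOL-Key message body in the handshake helper is a constructed placeholder, not the real frame layout.

```python
"""PSK -> PMK -> PTK derivation feeding the four-way handshake.

Added example, not H3C code. Definitions follow IEEE 802.11i; all sample
inputs (passphrase, SSID, MAC addresses, nonces) are constructed.
"""
import hashlib
import hmac
import os


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256 bits.
    In PSK mode this value is used directly as the pairwise master key (PMK)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)
    until at least nbits are available, then truncate."""
    out = b""
    for counter in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "ccmp") -> dict:
    """PTK from the PMK, AP MAC (AA), client MAC (SPA), ANonce and SNonce.
    Both sides sort the MACs and the nonces numerically, so they reach the same PTK.
    CCMP uses a 384-bit PTK (KCK | KEK | TK); TKIP uses 512 bits (two extra MIC keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    nbits = 384 if cipher == "ccmp" else 512
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "ptk": ptk}


def four_way_handshake(pmk_ap: bytes, pmk_client: bytes, aa: bytes, spa: bytes) -> bool:
    """Messages 1 and 2 of the handshake: ANonce goes out, SNonce plus a MIC comes back.
    The MIC over message 2 (HMAC-SHA1 truncated to 128 bits, keyed with the KCK, as for
    WPA2/CCMP) proves the client derived the same PTK, i.e. holds the same PMK/PSK."""
    anonce = os.urandom(32)                                  # message 1: AP -> client
    snonce = os.urandom(32)
    ptk_client = derive_ptk(pmk_client, aa, spa, anonce, snonce)
    msg2 = b"EAPOL-Key message 2 (constructed placeholder body)" + snonce
    mic_client = hmac.new(ptk_client["kck"], msg2, hashlib.sha1).digest()[:16]
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)     # message 2: client -> AP
    mic_ap = hmac.new(ptk_ap["kck"], msg2, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(mic_ap, mic_client)


if __name__ == "__main__":
    pmk = psk_from_passphrase("correct-passphrase", "example-ssid")  # constructed
    aa = bytes.fromhex("02aa000000a1")                                 # constructed AP MAC
    spa = bytes.fromhex("02cc000000c1")                                # constructed client MAC
    print("PMK:", pmk.hex())
    print("handshake with matching PSK   ->", four_way_handshake(pmk, pmk, aa, spa))
    wrong = psk_from_passphrase("wrong-passphrase", "example-ssid")
    print("handshake with mismatched PSK ->", four_way_handshake(pmk, wrong, aa, spa))
```

Because the PTK depends on both nonces, every association produces a fresh PTK even when the PMK never changes; the ptk-lifetime setting below bounds how long one such PTK stays in use before the handshake is run again.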
Follow these steps to configure the PTK lifetime:
1) Enter system view: system-view
2) Enter WLAN service template view: wlan service-template service-template-number crypto
3) Configure the PTK lifetime: ptk-lifetime time (Optional. By default, the PTK lifetime is 43200 seconds.)
Configuring the GTK Rekey Method
A fat AP generates a group transient key (GTK) and sends the GTK to a client during the authentication
process between an AP and the client through the group key handshake or 4-way handshake. The
client uses the GTK to decrypt broadcast and multicast packets. RSN negotiates the GTK through the
4-way handshake or group key handshake, while WPA negotiates the GTK only through group key
handshake.
Two GTK rekey methods can be configured:
z Time-based GTK rekey: After the specified interval elapses, GTK rekey occurs.
z Packet-based GTK rekey: After the specified number of packets has been sent, GTK rekey occurs.
You can also configure the device to start GTK rekey when a client goes offline, provided that GTK
rekey has been enabled with the gtk-rekey enable command.
Configure GTK rekey based on time
Follow these steps to configure GTK Rekey based on time: