RG-WLAN Series Access Point RGOS Configuration Guide, Release 10.4(1b19)p2
Ruijie Networks ©2000-2015
All rights reserved.
Without our written permission, this document may not be excerpted, reproduced, transmitted, or otherwise in all or in part
by any party in any means.
The Ruijie Networks logos (reproduced as images in the original document) are all registered trademarks of Ruijie Networks Co., Ltd. and are protected by law.
Exemption statement
This document is provided “as is”. The contents of this document are subject to change without any notice. Please obtain
the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will
not shoulder any responsibility for losses and damages caused by content omissions, inaccuracies or errors.
Preface
Target Readers
Network engineers
Technical salespersons
Network administrators
product, with configuration examples.
parameter descriptions, usage guides, and related examples.
Hardware Installation Guide
Describes functional and physical features of the product and provides
installation procedure, hardware troubleshooting, module technical
specifications, and specifications and guidelines of cables and connectors.
Conventions in this Document
1. Universal Format Convention
Arial: Arial with the point size 10 is used for the body.
Note: A line is added respectively above and below the prompts such as caution and note to separate them from the body.
among the information shall be indicated with bolded characters.
2. Command Line Format Convention
Arial is used as the font for the command line. The meanings of specific formats are described below:
Bold: Key words in the command line, which shall be entered exactly as they are displayed, shall be indicated with bolded
characters.
Italic: Parameters in the command line, which must be replaced with actual values, shall be indicated with italic
characters.
[ ]: The part enclosed with [ ] means optional in the command.
{ x | y | ... }: It means one shall be selected among two or more options.
[ x | y | ... ]: It means one or none shall be selected among two or more options.
//: Lines starting with "//" are comments.
3. Signs
Various striking identifiers are adopted in this manual to indicate the matters that require special attention during
operation, as detailed below:
Description, prompt, tip or any other necessary supplement or explanation for the operation.
The port types mentioned in the examples of this manual may not be consistent with the actual ones. In real network
environments, you need to configure port types according to the support on various products.
The display information of some examples in this manual may include information on other series
products, such as model and description. The details are subject to the equipment used.
Warning, danger or alert in the operation.
Configuration Guide Configuring Fat AP
Configuring Fat AP
Understanding Fat AP
Overview
A fat access point (AP) is a wireless device that controls and manages wireless clients. It serves as a bridge between
the client and the local area network and forwards frames between the wired and wireless interfaces.
Working Principle
Single BSS
The area covered by an AP is called a basic service set (BSS). Each BSS is identified by a basic service set identifier
(BSSID). The simplest WLAN comprises one BSS and all wireless clients reside in the same BSS. If these clients are
granted the same authority, they can communicate with each other. Figure 2 is the network of a single BSS. These clients
can communicate with each other and also can access hosts on the network. Clients within the same BSS communicate
with each other through a fat AP.
Figure 1-2 Single BSS Network
Multiple ESS
Multiple extended service sets (ESS) topology is used in the case of multiple logical management domains or ESS. When
a mobile subscriber joins a fat AP, it can join an available ESS. Figure 3 is the network of multiple ESS.
Figure 1-3 Multiple ESS Network
Normally, a fat AP can provide multiple logical ESS at the same time. The fat AP broadcasts the information of each ESS in
beacon packets or probe responses and helps clients choose an ESS to join according to the situation.
You can configure different ESS domains on the same fat AP and enable the fat AP to announce them and accept users that
have passed authentication.
Single ESS, Multiple BSS (In Case of Multi-Radio)
Figure 4 shows application of more than one radio in a single ESS. All radios support the same service set (within one
ESS), but as they belong to different BSS, the logical coverage differs.
Figure 1-4 Single ESS, Multiple BSS Network
The network of single ESS and multiple BSS is also applicable when both 802.11a and 802.11b/g are supported. Figure 4
shows two clients connecting to two radios while in the same ESS but different BSS.
Protocol Specification
Ruijie(config)#dot11 wlan 1 Enters WLAN configuration mode.
Ruijie(dot11-wlan-config)# vlan 1 Configures the WLAN VLAN ID.
Ruijie(dot11-wlan-config)# broadcast-ssid Broadcasts the configured SSID.
Configuring Dot11radio Sub-Interface
Ruijie(config)# interface Dot11radio 1/0.1 Enters Dot11radio sub-interface configuration mode.
Ruijie(config-subif)# encapsulation dot1Q 2 Configures Dot11radio sub-interface VLAN ID 2.
Configuring WLAN ID
Ruijie(config)# interface Dot11radio 1/0 Enters Dot11radio main interface configuration mode.
Ruijie(config-if-Dot11radio 1/0)# wlan-id 1 Configures the Dot11radio main interface to support WLAN 1.
Ruijie(config)# interface Dot11radio 1/0 Enters Dot11radio interface configuration mode.
Ruijie(config-if-Dot11radio 1/0)#channel 11 Configures the radio channel.
Ruijie(config-if-Dot11radio 1/0)# antenna transmit 7 Configures the transmitting antenna.
Ruijie(config-if-Dot11radio 1/0)# antenna receive 7 Configures the receiving antenna.
Ruijie(config-if-Dot11radio 1/0)# beacon dtim-period 10 Sets the delivery traffic indication message (DTIM) period.
Ruijie(config-if-Dot11radio 1/0)#radio-type 802.11b Configures the RF mode of the radio.
Ruijie(config-if-Dot11radio 1/0)#country-code CNI Sets a country code.
Ruijie(config-if-Dot11radio 1/0)# fragment-threshold
Ruijie(config-if-Dot11radio 1/0)# chan-width 40 Sets the channel width to 40 MHz.
Ruijie(config-if-Dot11radio 1/0)# slottime long Sets the long slot time.
Ruijie(config-if-Dot11radio 1/0)# short-preamble Sets the short preamble.
Ruijie(config-if-Dot11radio 1/0)# short-gi enable Enables the short guard interval (GI) in the 20 MHz channel width.
Ruijie(config-if-Dot11radio 1/0)#response-rssi 10 Sets the received signal strength indicator (RSSI).
Ruijie(config-if-Dot11radio 1/0)#power local 20 Sets the power value.
Ruijie(config-if-Dot11radio 1/0)# coverage-area-control
Ruijie(config-if-Dot11radio 1/0)#restries long 2 Sets the long retry limit.
Ruijie(config-if-Dot11radio 1/0)#restries short 6 Sets the short retry limit.
Ruijie(config-if-Dot11radio 1/0)#sta-limit 12 Sets the STA limit.
Ruijie(config-if-Dot11radio 1/0)#sta-idle-time 900 Sets the STA idle time.
Ruijie(config-if-Dot11radio 1/0)#mcast_rate 130 Sets the multicast rate.
Ruijie(config-if-Dot11radio 1/0)# 11bsupport enable Enables the AP to support 802.11b.
Ruijie(config-if-Dot11radio 1/0)# 11gsupport enable Enables the AP to support 802.11g.
Ruijie(config-if-Dot11radio 1/0)# 11nsupport enable Enables the AP to support 802.11n.
Ruijie(config-if-Dot11radio 1/0)# rate-set 11n mcs-mandatory 10 Sets MCS 10 to mandatory on the 802.11n radio.
Ruijie(config-if-Dot11radio 1/0)# rate-set 11a disable 6 Sets the rate set on 802.11a.
Ruijie(config-if-Dot11radio 1/0)# rate-set 11g mandatory 54 Sets the rate set on 802.11g.
Displaying the Configuration
show run Shows the configuration of the fat AP.
show dot11 wireless 1/0 Shows the related wireless parameters and configuration
of the wireless LAN card.
Configuration Examples
Networking Requirements
The 2.4 GHz (802.11g, Radio1) network operates in Channel 6. The SSID is RUIJIE-2G. Parameter configuration is
required;
The 5 GHz (802.11a, Radio2) network operates in Channel 149. The SSID is RUIJIE-5G. Parameter configuration is
required.
Configuration Tips
Ruijie(config)#interface vlan 1
Ruijie(config-subif)# encapsulation dot1Q 2
Ruijie(config)#interface vlan 2
Ruijie(config-subif)# encapsulation dot1Q 3
Ruijie(config-if-Dot11radio 1/0)# wlan-id 1
Ruijie(config-if-Dot11radio 2/0)# wlan-id 2
Ruijie(config-if-Dot11radio 1/0)# channel 6
Ruijie(config-if-Dot11radio 1/0)# no short-preamble
Ruijie(config-if-Dot11radio 1/0)# beacon period 200
Ruijie(config-if-Dot11radio 1/0)# beacon dtim-period 2
Ruijie(config-if-Dot11radio 1/0)# power local 100
Ruijie(config-if-Dot11radio 1/0)# coverage-area-control 12
Ruijie(config-if-Dot11radio 1/0)# sta-limit 12
Ruijie(config-if-Dot11radio 1/0)# sta-idle-time 900
Ruijie(config-if-Dot11radio 1/0)# mcast_rate 130
Ruijie(config-if-Dot11radio 1/0)# response-rssi 10
Ruijie(config-if-Dot11radio 1/0)# coverage-rssi 50
Ruijie(config-if-Dot11radio 2/0)# channel 149
Ruijie(config-if-Dot11radio 2/0)# no short-preamble
Ruijie(config-if-Dot11radio 2/0)# chan-width 40
Ruijie(config-if-Dot11radio 2/0)# slottime long
!
rate-set 11b mandatory 1 2 5 11
rate-set 11b support 1 2 5 11
rate-set 11g support 6 9 12 18 24 36 48 54
rate-set 11a mandatory 6 12 24
rate-set 11a support 9 18 36 48 54
rate-set 11n mcs-support 15
rate-set 11n mcs-mandatory 10
rate-set 11b mandatory 1 2 5 11
rate-set 11g mandatory 1 2 5 11
rate-set 11g support 6 9 12 18 24 36 48 54
rate-set 11a mandatory 6 12 24
rate-set 11a support 9 18 36 48 54
rate-set 11n mcs-support 15
station-role root-ap
mac-mode fat
no short-preamble
slottime long
chan-width 40
radio-type 802.11a
Configuring AMPDU software retransmission attempts
In a wireless network, AMPDU software retransmission is used to reduce sub-frame loss. The more retransmission
attempts, the lower the packet loss. However, excessive retransmission attempts increase the load on the air interface,
which delays other packets. It is recommended to configure more retransmission attempts when sub-frame loss occurs
frequently.
Ruijie(config)# ap-config ap-name Enter the configuration mode of the specified AP.
Ruijie(config-ap)#ampdu-retries times radio radio_id Configure the AMPDU software retransmission times on
the designated AP.
times: AMPDU software retransmission times; within the
range from 1 to 10; by default the value is 4.
radio_id: RF port number.
Configuring AMPDU RTS Protection
AMPDU RTS protection avoids aggregation collisions on the air interface and the resource waste they cause. However, the
RTS exchange itself consumes air-interface resources, which is a net cost in most scenarios. The function is disabled by
default.
Command Function
Ruijie(config)# ap-config ap-name Enter the configuration mode of the specified AP.
Ruijie(config-ap)#[no] stbc radio radio_id Use this command to enable AMPDU RTS protection on
the designated AP.
Use the no form of this command to disable AMPDU RTS
protection on the designated AP.
radio_id: RF port number.
Configuration Guide Configuring WLAN
To perform fast configuration on an unconfigured device, the one-click WLAN configuration function is provided.
This function automatically makes the following configurations on the AC or the fat AP:
(1) VLAN division: On an AC, VLAN 1 is the AP's VLAN and VLAN 2 is the STA's VLAN; on a fat AP, VLAN 1 is the STA's VLAN.
(2) Address pool:
On an AC, the network segment 192.168.1.0 is the AP's address pool and the network segment 192.168.2.0 is the STA's address
pool; by default, the IP address of VLAN 1 is 192.168.1.1 and the IP address of VLAN 2 is 192.168.2.1; the default
management IP address is 88.88.88.88.
On a fat AP, the network segment 192.168.1.0 is the STA's address pool; the IP address of BVI 1 is 192.168.1.1.
(3) WLAN configuration: Sets the WLAN name to autowifi_XXXX, where the last four digits are the same as those of the device's
MAC address; sets the WLAN-ID to 1.
(4) Security: By default, WPA2 is used for encryption; the password is autowifi.
(5) WLAN-VLAN mapping: On an AC, maps WLAN-ID 1 to VLAN 1 in the ap-group default group; on a fat AP, encapsulates
VLAN 1 on the wireless interface and sets the WLAN-ID to 1.
(6) Service: Enables the DHCP service.
Command Function
configuration on the designated AP.
Use the no form of this command to disable one-click
WLAN configuration on the designated AP.
Configuring Received Ethernet Package Limit Per Time
You can improve network throughput by raising the limit on the number of Ethernet packets an AP receives per pass, at the cost
of delaying latency-sensitive packets. For applications with many concurrent users that are latency sensitive but need only
ordinary throughput, such as electronic schoolbags, it is recommended to decrease the received Ethernet packet limit per pass
to 25.
Command Function
Ruijie(config)# ap-config ap-name Enter the configuration mode of the specified AP.
the designated AP.
AP220-I v1.0, AP220-I v1.1, AP220-SI v1.0
AP220-SI v1.1, AP220-E v2.03, AP220-E v2.0
AP220-SH v2.0, AP220-SH (C) v3.0, AP220-E(M) v2.0,
AP220-E(M) v2.20, AP620-H(C) v2.0, AP220-E(C) v3.0,
AP220-E(M) v2.3, AP220-E v2.99, AP620-H(C) v2.99,
AP220-SH(C) v2.99
The default limit value of the following APs: 256
AP220-I v1.0, AP220-I v1.1, AP220-SI v1.0, AP220-SI
v1.1, AP220-E v2.03, AP220-E v2.0, AP220-SH v2.0,
AP220-SH (C) v3.0, AP220-E(M) v2.0, AP220-E(M)
v2.20, AP620-H(C) v2.0, AP220-E(C) v3.0, AP220-E(M)
v2.3, AP220-E v2.99, AP620-H(C) v2.99, AP220-SH(C)
v2.99, AP220-E(C) v2.99, AP530-I v1.0.
The default limit value of the following APs : 180
AP320-I v1.0, AP220-E(M)-V2 v3.0, AP320-I v1.1,
AP3220 v1.0, AP220-E(P) v1.0, AP220-E(C) v4.0,
AP220-E(M)-V2 v3.9.
AP330-I v1.1, AP220-E(P) v2.0.
Configuring Low-Density Parity-Check Code
As part of FEC (Forward Error Correction) technology, LDPC is a simple and easily implemented linear error-correcting
code developed in the early 1960s. It is used in data transmission over noisy channels to improve coding reliability
and coding gain, and thereby reduce the risk of data loss. However, a few terminals are incompatible with LDPC, which
causes packet loss for them. This command is used to enable or disable the function.
Command Function
Ruijie(config)# ap-config ap-name Enter the configuration mode of the specified AP.
Ruijie(config-ap)#[no] stbc radio radio_id Use this command to enable LDPC on the designated
AP.
Use the no form of this command to disable LDPC on the
designated AP.
Configuring 11n Space-Time Block Coding
Space-time block coding (STBC) is a technique used in wireless communications to transmit multiple copies of a data stream
across a number of antennas at different times and to exploit the various received versions of the data to improve the
reliability of data transfer. An obvious advantage of STBC is that simple maximum-likelihood decoding realizes full
antenna gain. However, some terminals may be incompatible with STBC. This command is used to enable or disable the
function.
Ruijie(config)# ap-config ap-name Enter the configuration mode of the specified AP.
Ruijie(config-ap)#[no] stbc radio radio_id Use this command to enable STBC on the designated
AP.
Use the no form of this command to disable STBC on the
designated AP.
Configuration Guide Configuring WLAN-VLAN Mapping
Configuring WLAN-VLAN Mapping
Understanding VLAN Groups
Overview
A VLAN group containing multiple VLANs can be associated with a wireless LAN (WLAN) to form a mapping between one
WLAN and N VLANs, so that VLANs can be flexibly assigned to STAs that access the WLAN.
VLANs are assigned to STAs based on the availability of addresses in the DHCP server's address pool.
The VLAN group function is used in the following network topology:
In the figure above, multiple STAs access the same WLAN. VLANs in the VLAN group associated with the
WLAN are assigned to the STAs. The STAs in the same WLAN can be assigned the same or different
VLANs.
To better understand the subsequent configuration process, learn about the following concepts:
VLAN Group
VLAN group: You can add multiple VLANs to one VLAN group. When STAs access a WLAN, VLANs in the VLAN group
associated with the WLAN are assigned to the STAs.
VLAN Assignment Mode
VLAN assignment mode: VLANs in each VLAN group can be assigned based on the 802.1x assignment VLAN.
Working Principle
The process of assigning VLANs through 802.1x is as follows:
Before a user passes authentication, the VLAN that belongs to the user is the default VLAN of the VLAN group associated
with the current WLAN.
After the STA in the default VLAN is authenticated, the authentication server assigns a VLAN to the STA.
If the authentication server assigns a VLAN, packets sent by the STA are transmitted over the VLAN.
If the authentication server does not assign a VLAN to the STA, the packets from the STA are transmitted over the default
VLAN.
Default Configuration
The default VLAN group configuration is shown in the following table.
Feature: Default Setting
VLAN group: No VLAN group is created.
VLAN assignment mode: VLAN assignment mode is unspecified and must be manually configured.
Default VLAN in the VLAN group to be assigned: VLAN assignment mode is unspecified and must be manually configured.
List of the VLANs in the VLAN group: The VLAN group has no VLAN. VLANs must be manually added.
VLAN group associated with a WLAN: The WLAN is not associated with any VLAN group.
Configuring a VLAN Group
Use the following commands to create a VLAN group and associate it with a WLAN: (For details about these commands,
refer to command reference.)
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)# vlan-group group-id Creates a VLAN group and enters VLAN group
configuration mode.
group.
Ruijie(config-vlan-group)# vlan-list vlan-list Configures the list of VLANs in the VLAN group.
The example below shows how to create VLAN group 100, specify the 802.1x-based VLAN assignment mode, add
VLANs 1-10 to the VLAN group, and set VLAN 1 as the default VLAN:
Ruijie(config)# vlan-group 100
Ruijie(config-vlan-group)# vlan-assign-mode dot1x
Ruijie(config-vlan-group)# vlan-list 1-10
Ruijie(config-vlan-group)# default-vlan 1
You can create a maximum of 128 VLAN groups.
You can add a maximum of 128 VLANs to a VLAN group.
Mapping a WLAN to a VLAN Group
On an AP, use the following commands to map a WLAN to a VLAN group: (For details about these commands, refer to
command reference.)
Command Function
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)# dot11 wlan wlan-id Creates a WLAN and enters WLAN configuration mode.
Ruijie(dot11-wlan-config)# vlan-group group-id Maps a WLAN to the VLAN group.
Ruijie(dot11-wlan-config)# end Exits from the WLAN configuration mode.
Ruijie(config)# interface interface-name Enters WLAN sub-interface configuration mode.
Ruijie(config-subif)# encapsulation dot1Q group
sub-interface.
Ruijie(config-subif)# end Exits from WLAN configuration mode.
The example below shows how to map WLAN 100 to VLAN group 10 on a fat AP:
Ruijie(config)# dot11 wlan 100
Ruijie(config-subif)# end
Ruijie(config)# interface dot11radio 1/0
Ruijie(config-if-Dot11radio 1/0)# wlan-id 100
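The following added example (not code from the Ruijie guide) parses a VLAN-group configuration written in the syntax of the examples above, checks the limits the guide states (128 groups, 128 VLANs per group, an assignment mode that must be set manually, a WLAN that maps to an existing group) and resolves the VLAN an STA lands in under the 802.1x assignment rule. The sample configuration is constructed; the rule that a server-assigned VLAN must be a member of the group is an assumption.

```python
"""Lint a Ruijie-style VLAN-group configuration and resolve an STA's VLAN.

Constructed example, not code from the Ruijie guide. Limits (128 groups,
128 VLANs per group) come from the guide; requiring a server-assigned VLAN
to be a member of the group is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_GROUPS = 128
MAX_VLANS_PER_GROUP = 128


@dataclass
class VlanGroup:
    group_id: int
    assign_mode: Optional[str] = None      # no default: must be configured
    vlans: Set[int] = field(default_factory=set)
    default_vlan: Optional[int] = None


@dataclass
class Config:
    groups: Dict[int, VlanGroup] = field(default_factory=dict)
    wlan_to_group: Dict[int, int] = field(default_factory=dict)


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand '1-10', '10,20,30' or a mix of both into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> Config:
    """State machine over CLI lines: 'vlan-group N' in WLAN mode is a mapping,
    at top level it defines a group; 'exit'/'end' leave the current mode."""
    cfg = Config()
    ctx = None                       # ("group", id), ("wlan", id) or None
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] in ("exit", "end"):
            ctx = None
        elif words[0] == "dot11" and words[1] == "wlan":
            ctx = ("wlan", int(words[2]))
        elif words[0] == "vlan-group":
            gid = int(words[1])
            if ctx and ctx[0] == "wlan":
                cfg.wlan_to_group[ctx[1]] = gid
            else:
                cfg.groups.setdefault(gid, VlanGroup(gid))
                ctx = ("group", gid)
        elif ctx and ctx[0] == "group":
            g = cfg.groups[ctx[1]]
            if words[0] == "vlan-assign-mode":
                g.assign_mode = words[1]
            elif words[0] == "vlan-list":
                g.vlans |= parse_vlan_list(" ".join(words[1:]))
            elif words[0] == "default-vlan":
                g.default_vlan = int(words[1])
    return cfg


def lint(cfg: Config) -> List[str]:
    """Return one message per violated rule."""
    problems: List[str] = []
    if len(cfg.groups) > MAX_GROUPS:
        problems.append(f"{len(cfg.groups)} VLAN groups exceed the limit of {MAX_GROUPS}")
    for g in cfg.groups.values():
        if len(g.vlans) > MAX_VLANS_PER_GROUP:
            problems.append(f"group {g.group_id}: {len(g.vlans)} VLANs exceed {MAX_VLANS_PER_GROUP}")
        if g.assign_mode is None:
            problems.append(f"group {g.group_id}: vlan-assign-mode is not set and has no default")
        if g.default_vlan is None:
            problems.append(f"group {g.group_id}: default-vlan is not set")
        elif g.default_vlan not in g.vlans:
            problems.append(f"group {g.group_id}: default VLAN {g.default_vlan} is not in vlan-list")
    for wlan, gid in cfg.wlan_to_group.items():
        if gid not in cfg.groups:
            problems.append(f"WLAN {wlan} maps to undefined VLAN group {gid}")
    return problems


def resolve_sta_vlan(cfg: Config, wlan_id: int, authenticated: bool,
                     server_vlan: Optional[int] = None) -> int:
    """802.1x rule from the guide: default VLAN before authentication or when
    the server assigns nothing; otherwise the VLAN the server assigned."""
    g = cfg.groups[cfg.wlan_to_group[wlan_id]]
    if authenticated and server_vlan is not None:
        if server_vlan not in g.vlans:   # assumption: must belong to the group
            raise ValueError(f"VLAN {server_vlan} is not in VLAN group {g.group_id}")
        return server_vlan
    return g.default_vlan


# Constructed sample: group 100 is valid, group 200 and WLAN 2 have faults.
SAMPLE_CONFIG = """
vlan-group 100
 vlan-assign-mode dot1x
 vlan-list 10,20,30
 default-vlan 30
 exit
dot11 wlan 1
 vlan-group 100
 end
vlan-group 200
 vlan-list 1-10
 default-vlan 99
 exit
dot11 wlan 2
 vlan-group 300
 end
"""
```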
On an AC, use the following commands to map a WLAN to a VLAN group.
Command Function
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)# ap-group group-name Creates an AP group and enters AP group configuration mode.
Ruijie(config-ap-group)# end Exits from AP group configuration mode.
The example below shows how to map WLAN 100 to VLAN group 100 for the AP group default on an AC:
Ruijie(config)# ap-group default
Showing VLAN Group Configuration
In privileged EXEC mode, use the following command to show VLAN group configuration.
Command Function
Ruijie# show vlan-group [ group-id ] Shows configuration information about a specific VLAN
group or all VLAN groups.
The example below shows how to show configuration information about all VLAN groups.
Ruijie# show vlan-group
Examples for Configuring the 802.1x-Based VLAN Assignment Mode
Networking Requirements
In a WLAN, users are classified into leaders, staff, and visitors. They can access the device through the same WLAN but
with different access rights.
Add VLANs 10, 20, and 30 to VLAN group 100.
Map WLAN 1 to VLAN group 100. When an STA accesses WLAN 1, the authentication server authenticates the STA
through 802.1x. If the STA passes the authentication, the authentication server assigns VLAN 10 to leaders, VLAN 20 to
staff, and VLAN 30 to visitors.
Key Points
Map a WLAN to a VLAN group to form mapping between a WLAN and N VLANs. Assign different VLANs to the STAs in
the same WLAN.
Configure 802.1x-based authentication for WLAN 1. Assign different VLANs to STAs in different WLANs.
Configuration Procedure
(1) Configure AP 1 and AP 2.
The APs use the default thin AP plus aggregate forwarding mode. They are uniformly configured by the AC.
(2) Configure the AC.
Ruijie# configure terminal
Ruijie(config)# vlan range 10,20,30
Ruijie(config-vlan-range)# exit
Create a VLAN group, and add VLANs 10, 20, and 30 to the VLAN group. Set VLAN 30 as the default VLAN for visitors.
Ruijie(config)# vlan-group 100
Ruijie(config-vlan-group)# vlan-assign-mode dot1x
Ruijie(config-vlan-group)# vlan-list 10,20,30
Ruijie(config-vlan-group)# default-vlan 30
Create WLAN 1 and configure 802.1x-based authentication as the authentication mode and AES as the encryption mode
for the WLAN.
Ruijie(config)# ap-group default
Ruijie(config-ap-group)# interface-mapping 1 vlan-group 100
(3) Configure the authentication server.
If different types of user accounts are created on the authentication server, specify the VLAN to be assigned to each type
of user.
Display configuration information about the VLAN group on the AC.
Ruijie# show vlan-group
Overview
WLAN-WLOG is used to collect, store, and check information about WLANs and terminals over a period of time. The
latest 24 hours of information about WLANs, APs, and STAs, provided through the CLI, help users analyze and locate
problems on WLANs.
Currently, WLAN-WLOG cannot analyze the collected information automatically. WLAN-WLOG is designed to provide
information about the past 24 hours so that users can analyze and locate problems based on accurate status information
about WLANs and terminals.
Information collected by WLAN-WLOG is stored on ACs and APs. Currently, APs store only STA space information,
while everything else is stored on ACs.
Basic Concepts
Network Overview
Continuous running time of ACs
Number of online APs
Number of APs pre-deployed but offline
Version information about online APs, including number of APs of each version
Information about terminals of each WLAN (SSID)
1) Number of terminals that pass Web authentication
2) Number of terminals that pass the 802.1x authentication
3) Number of terminals free of authentication
AP Overview
Name of an AP
Information about each wired port of the AP
1) Input and output rates for the recent five minutes (bits/s)
2) Statistics on input and output unicast, broadcast, and multicast packets, and incorrect frames
Configuration Guide Configuring WLAN-WLOG
Information about each radio
Co-channel interference intensity
Number of packet retransmissions
STA Overview
IP address
Signal strength
Connection rate
STA Space Information
STA space information contains the statistics on data frames and management frames on terminals and all types of rates,
including:
Number of data frames/flows without response
Number of management frames/flows
Number of each type of frames sent at a common rate
Common rates include the following levels:
Level        0    1       2    3      4      5      6         7
Rate (Mbps)  1/2  5.5/11  6/9  12/18  24/36  48/54  Reserved  Reserved
Number of frames that are transmitted at each level of rate in MIMO mode
Transmission rates in MIMO mode include the following levels:
Level 0 1 2 3 4 5 6 7
Rate mcs0
Space information shows whether an STA is running at a low rate, whether the proportion of no-ACK frames is high, and
whether excessive management frames are received. It helps users locate problems caused by low-rate nodes,
management frame attacks, and a harsh radio environment. Because STA space information changes all the time,
the current collection frequency is once every five minutes. The information is stored only on APs because of its volume.
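As an added example (not code from the Ruijie guide), the following checks one five-minute STA space-information record for the three conditions the paragraph above says it reveals: a low-rate node, a high no-ACK proportion and excessive management frames. The per-STA counters are constructed, and the thresholds are assumptions to be tuned per deployment.

```python
"""Flag WLAN-WLOG STA space-information records that indicate a low-rate
node, a high no-ACK proportion or excessive management frames.

Constructed example, not code from the Ruijie guide: the records and the
thresholds are assumptions; the rate-level table is the one in the guide.
"""
from typing import Dict, List

# Common-rate levels from the guide (Mbps); levels 0-1 are the 802.11b rates.
RATE_LEVELS = {0: "1/2", 1: "5.5/11", 2: "6/9", 3: "12/18",
               4: "24/36", 5: "48/54", 6: "Reserved", 7: "Reserved"}
LOW_RATE_LEVELS = {0, 1}

# Thresholds are assumptions chosen for illustration.
LOW_RATE_SHARE = 0.5     # more than half of the frames at 1-11 Mbps
NO_ACK_RATIO = 0.2       # more than 20% of data frames without an ACK
MGMT_SHARE = 0.25        # management frames above 25% of all frames


def low_rate_share(rate_counts: Dict[int, int]) -> float:
    """Fraction of frames sent at the low-rate levels."""
    total = sum(rate_counts.values())
    if total == 0:
        return 0.0
    low = sum(n for lvl, n in rate_counts.items() if lvl in LOW_RATE_LEVELS)
    return low / total


def no_ack_ratio(data_frames: int, data_no_ack: int) -> float:
    return data_no_ack / data_frames if data_frames else 0.0


def mgmt_share(data_frames: int, mgmt_frames: int) -> float:
    total = data_frames + mgmt_frames
    return mgmt_frames / total if total else 0.0


def assess_sta(rec: dict) -> List[str]:
    """Return the findings for one five-minute STA record."""
    findings: List[str] = []
    lr = low_rate_share(rec["rate_counts"])
    if lr > LOW_RATE_SHARE:
        rates = ", ".join(RATE_LEVELS[l] for l in sorted(LOW_RATE_LEVELS))
        findings.append(f"low-rate node: {lr:.0%} of frames at {rates} Mbps")
    na = no_ack_ratio(rec["data_frames"], rec["data_no_ack"])
    if na > NO_ACK_RATIO:
        findings.append(f"high no-ACK proportion: {na:.0%} of data frames unanswered")
    ms = mgmt_share(rec["data_frames"], rec["mgmt_frames"])
    if ms > MGMT_SHARE:
        findings.append(f"excessive management frames: {ms:.0%} of all frames")
    return findings


def assess_all(records: List[dict]) -> Dict[str, List[str]]:
    """Map each STA MAC to its findings (empty list when nothing is wrong)."""
    return {r["mac"]: assess_sta(r) for r in records}


# Constructed sample records; the MACs are placeholders.
SAMPLE_RECORDS = [
    {"mac": "0000.0000.0001", "data_frames": 1000, "data_no_ack": 300,
     "mgmt_frames": 500,
     "rate_counts": {0: 600, 1: 100, 2: 50, 3: 50, 4: 100, 5: 100}},
    {"mac": "0000.0000.0002", "data_frames": 2000, "data_no_ack": 40,
     "mgmt_frames": 60,
     "rate_counts": {3: 200, 4: 800, 5: 1000}},
]
```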
AP Actions
AP actions include: getting online, getting offline, and processing CAPWAP connection failures.
STA Actions
through Web authentication, getting online through 802.1x authentication, and getting offline through 802.1x
authentication.
Periodical collection
Information about whole network overview, AP overview and STA overview is collected and stored on a regular basis, for
example, on an hourly basis. Information about AP overview and STA overview contains all information about online APs
and STAs.
Collecting information when receiving a notification
"AP actions" means that information is collected and stored when a related module notifies the WLAN-WLOG module of
the occurrence of an AP action.
"STA actions" means that information is collected and stored when a related module notifies the WLAN-WLOG module of
the occurrence of an STA action.
On APs, only STA space information is collected. On STAs, information is collected periodically.
Default Configuration
The default WLAN-WLOG configuration is shown in the following table.
Feature Default Setting
WLAN-WLOG function Disabled
Enabling the WLAN-WLOG Function
The following command is used to enable the WLAN-WLOG function on an AC or AP:
The example below shows how to enable the WLAN-WLOG function:
Ruijie# configure terminal
Ruijie(config)#wlan diag enable
Ruijie(config)#no wlan diag enable
When the WLAN-WLOG function is enabled, memory is pre-allocated. If there is not enough memory,
the WLAN-WLOG function cannot be enabled.
When the WLAN-WLOG function is disabled, all memory, including the pre-allocated memory for storing
information collected by the WLAN-WLOG module, is reclaimed.
Showing the Configuration
Showing STA Statistics
The command for displaying STA statistics is supported on ACs and APs. The displayed statistics vary with options set in
the command.
The following command is used to display STA statistics on an AC:
Command Function
[ ip-range IP_PREFIX ] [ action ACTION [ result
RESULT ] ] [ number NUMBER ]
Shows STA statistics.
The example below shows how to show STA statistics on an AC:
Ruijie# show wlan diag sta
sta_record: c83a.35c6.0c72
RADIO Action Result Reason
STA UP BY APMG SUCCESS
10:12:07 192.168.248.2 21 5500 00d0.f822.33b0 lxh-ssid 1
STA DOWN BY RSNA SUCCESS AP circular AC user is offline
The following command is used to show STA statistics on an AP.
Command Function
[ number NUMBER ]
whose statistics are displayed. If it is not set, statistics
about all STA are displayed.
The option [ number NUMBER ] specifies the maximum
number of records.
The example below shows how to show STA statistics on an AP:
Ruijie# show wlan diag sta
sta mac: c83a.35c6.0c72
tx_cnts_error tx_flow_error mgmt_cnts mgmt_flow
1 3 23 80 18 59 4384 5967 0 0
3 381
tx/rxmcs mcs0, mcs1 mcs2, mcs3 mcs4, mcs5 mcs6, mcs7 mcs8, mcs9 mcs10, mcs11
mcs12, mcs13 mcs14, mcs15
0
0
Networking Requirements
The WLAN-WLOG function is used to collect, store, and display information about a local AC or AP. It has no special
requirements on network topology.
Verifying the Configuration
Use the show running-config command to check whether WLAN-WLOG is enabled.
Show information collected by the WLAN-WLOG module.
For details, see the sections "Displaying Network Overview Statistics", "Displaying AP Statistics", and "Displaying STA
Statistics."
Configuring WLAN Location
Overview
The whole WiFi-based standard solution uses hardware based on the 802.11a/b/g standards. With no need for
additional hardware, enterprises can install the system rapidly, reducing initial costs and long-term support costs.
A WiFi-based location system also reduces the possibility of radio frequency (RF) interference: because the
whole WiFi location system shares the network with other users, installing a separate independent wireless
network is unnecessary. Ruijie integrated wireless location is a technology that uses WiFi-based Radio Frequency
Identification (RFID) and devices such as the transducer and the mobile unit (MU) to locate, track and monitor the location
of a specified target. The AP sends the collected Tag or MU information to the location server for calculation. The location server
sends the calculated location information to the graphics software, from which users can view location
information visually in many ways, such as maps, tables and reports.
Supports indoor and outdoor deployment.
Supports two location algorithms: RSSI location and TDOA location.
Accurate and reliable wireless RFID (MU and Tag).
Features
The location system is divided into three parts: the device or source to be located, the device receiving location
information, and the location system itself.
The device or source to be located: It can be an AE-produced Tag (a portable RFID device that is usually attached to or
pasted onto the object to be located) or an MU, that is, any wireless terminal or device that complies with
802.11 technologies. These devices share the same feature of periodically sending wireless signals to their surroundings.
The device receiving location information: Ruijie uses the AP with standard 802.11 technologies or the
AE-produced Tag exciter (a device that triggers a Tag to send specified wireless signals and which is not involved
in collecting location information).
The location system: includes the location server, the AE calculation software and various graphics software.
Working Principle
TDOA location technology: Suppose the location system contains two location base stations (BSs) at known positions
(known through a built-in GPS module or another specialized system) with synchronized clocks (GPS clocks or other
high-precision clocks). The distance between the two BSs is L. When the BSs receive the radio signal from the same MU,
the radio wave arrives at them at different times unless they are equally far from the MU, so the time difference of
arrival can be measured. Because the radio wave travels at a known speed (the speed of light), the time difference gives
the distance difference D between the MU and the two BSs. With D known, the MU must lie on the hyperbola that has the
two BSs as foci and L/D as its eccentricity. If a third BS also receives the signal from the MU, a second hyperbola can be
identified. The intersection of the two hyperbolas in Figure 1-1 is the two-dimensional position of the MU. This technology
is hyperbolic location based on the time difference of arrival.
Figure 1-1
Triangulation location technology using received signal strength indication (RSSI): The basic principle is to estimate
d, the distance from the MU to a BS, from the RSSI and the propagation model of the wireless channel between them. For
BS (i), the MU must then lie on the circle with BS (i) as the center and d as the radius, so the position of the MU can be
determined by using three or more BSs for distance calculation (strictly speaking this is trilateration). The multipath effect
in wireless signal transmission and the shadowing effect produced when signals pass through barriers are the main sources
of location error. In open space with no barriers, location precision can be ensured. In most environments, however, location
precision is greatly affected by multipath propagation and by the uncertain attenuation and scattering caused by barriers.
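The two calculations above, as an added worked example (not code from the guide or from Ruijie): the log-distance path-loss parameters P0 and n, the AP coordinates, the MU position and the 6 dB wall attenuation are assumed values chosen for illustration, and the TDOA helper only converts an arrival-time difference into the range difference D used by the hyperbola.

```python
import math

# Assumed log-distance path-loss model parameters (illustrative, not from the guide):
# P0_DBM is the RSSI measured at 1 m from the transmitter, PATHLOSS_N the path-loss exponent.
P0_DBM = -40.0
PATHLOSS_N = 2.5
C = 299_792_458.0  # speed of light in m/s


def rssi_to_distance(rssi_dbm, p0_dbm=P0_DBM, n=PATHLOSS_N):
    """Invert the log-distance model RSSI = P0 - 10*n*log10(d) to estimate d in metres."""
    return 10 ** ((p0_dbm - rssi_dbm) / (10 * n))


def distance_to_rssi(d_m, p0_dbm=P0_DBM, n=PATHLOSS_N):
    """Forward model, used here only to synthesise RSSI readings for the example."""
    return p0_dbm - 10 * n * math.log10(d_m)


def trilaterate(bss, dists):
    """Position from three BS coordinates and three distance estimates.

    Each BS gives a circle (x-xi)^2 + (y-yi)^2 = di^2. Subtracting the first
    circle from the other two removes the quadratic terms and leaves a 2x2
    linear system, solved here by Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = bss
    d1, d2, d3 = dists
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    b2 = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("base stations are collinear; no unique fix")
    return (b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det


def tdoa_range_difference(dt_seconds):
    """TDOA: a time difference of arrival dt gives the range difference D = c*dt.

    The MU then lies on the hyperbola with the two BSs as foci and
    eccentricity L/D, L being the BS separation.
    """
    return C * dt_seconds


def locate_from_rssi(bss, rssi_readings, shadowing_db=(0.0, 0.0, 0.0)):
    """Estimate the MU position from the RSSI seen at three BSs.

    shadowing_db adds the per-link attenuation a barrier would cause (negative
    dB), to show how a few dB of error in one reading moves the fix.
    """
    dists = [rssi_to_distance(r + s) for r, s in zip(rssi_readings, shadowing_db)]
    return trilaterate(bss, dists)


if __name__ == "__main__":
    # Constructed scenario: three APs at the corners of a 10 m x 10 m area, MU at (3, 4).
    bss = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
    mu = (3.0, 4.0)
    readings = [distance_to_rssi(math.dist(mu, b)) for b in bss]
    print("free-space fix:", locate_from_rssi(bss, readings))
    # A wall between the MU and BS 2 attenuates that link by an extra 6 dB.
    print("with 6 dB shadowing on BS 2:", locate_from_rssi(bss, readings, (0.0, -6.0, 0.0)))
    # TDOA: 10 ns of arrival difference is about 3 m of range difference.
    print("range difference for 10 ns:", tdoa_range_difference(10e-9))
```

With exact readings the fix lands on (3, 4); the 6 dB shadowing on a single link shifts it by several metres, which is the "barrier" error the paragraph describes.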
Default Specification
Function Default Settings
WLAN Location Disabled.
Configuring WLAN Location
Enabling WLAN Location
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# ap-config apname Enters AP configuration mode on the fit AP or AC.
Or:
Ruijie(config-ap)# wlocation enable Enables WLAN location on the specified AP.
Configuration Example:
Ruijie(config)# ap-config apname
Ruijie(config-ap)# wlocation enable
Configuring the IP Address of the AE Server
Command Function
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# ap-config apname Enters AP configuration mode on the fit AP or AC.
Or:
Enters wlocation mode on the fat AP.
Ruijie(config-ap)# wlocation ae-ip x.x.x.x Configures the IP address of the AE server connected
with the specified AP.
Ruijie# configure terminal
Ruijie(config)# ap-config apname
Configuring the Port of the AE Server
Command Function
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# ap-config apname Enters AP configuration mode on the fit AP or AC.
Or:
Ruijie(config-ap)# wlocation ae-port NUM Configures the port of AE server connected with the
specified AP.
Configuration Example:
Ruijie# configure terminal
Ruijie(config)# ap-config apname
Configuring Aggregate Transmission of Wireless Location Information
Command Function
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# ap-config apname Enters AP configuration mode on the fit AP or AC.
Or:
Ruijie(config-ap)# wlocation compound enable Enables aggregate transmission of wireless location
information on the specified AP.
Configuration Example:
Enable the function of transmitting aggregate data of wireless location.
Ruijie# configure terminal
Ruijie(config)# ap-config apname
Enabling MU Location
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# ap-config apname Enters AP configuration mode on the fit AP or AC.
Or:
Configuration Guide Configuring WLAN Location
Ruijie(config-ap)# wlocation mu enable Enables MU location on the specified AP.
Configuration Example:
Ruijie(config)# ap-config apname
Enabling TAG Location
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# ap-config apname Enters AP configuration mode on the fit AP or AC.
Or:
Ruijie(config-ap)# wlocation tag enable Enables Tag location on the specified AP.
Configuration Example:
Ruijie(config)# ap-config apname
Configuring the Frequency to Send MU Wireless Location Information
Command Function
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# ap-config apname Enters AP configuration mode on the fit AP or AC.
Or:
Ruijie(config-ap)# wlocation send-mu-time x.x.x Configures the interval at which the specified AP sends
MU wireless location information. The default value is
300 ms.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ap-config apname
Configuring the Frequency to Send TAG Wireless Location Information
Command Function
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# ap-config apname Enters AP configuration mode on the fit AP or AC.
Or:
Ruijie(config-ap)# wlocation send-tag-time x.x.x Configures the interval at which the specified AP sends
TAG wireless location information. The default value is
300 ms.
Ruijie# configure terminal
Ruijie(config)# ap-config apname
Configuration Example
Networking Requirements
Networking Topology
Configuration Steps
Ruijie(config)# ap-config apname
Ruijie(config-ap)# wlocation ae-ip 1.1.1.1
This command configures the IP address of the location (AE) server.
Ruijie(config-ap)# wlocation mu enable
This command enables MU location; enable it according to the application requirement.
Ruijie(config-ap)# wlocation tag enable
This command enables Tag location; enable it according to the application requirement.
Verification
wlocation tag enable
Configuring Wireless LAN Security
Wireless LAN or WLAN security is a broad concept. This document focuses on WLAN security based on the original 802.11
standard (Wired Equivalent Privacy, WEP) and on the 802.11i standard.
Overview
WLAN security is an important component of a WLAN system. A wireless network uses the open medium of electromagnetic
waves as the carrier for data signals, and there is no cable connection between the two ends of the communication: anyone
within radio range can receive the frames. If the transmission link is not properly encrypted, the risk to the transmitted
data increases considerably. Wireless security is therefore especially important in a WLAN.
To enhance the security of a wireless network, at least two security mechanisms shall be provided: authentication and
encryption.
Authentication mechanism: The authentication mechanism ensures that the wireless network can only be used by restricted
users (authorized users).
Encryption mechanism: The encryption mechanism encrypts the data transmitted on the wireless link, so that the data can
only be received and understood by the intended users.
Basic Concepts
802.11i: the new-generation WLAN security standard, an amendment to the original IEEE 802.11 that replaces its weak
encryption. 802.11i introduces the concept of the RSN (Robust Security Network), strengthens the data encryption and
authentication of the WLAN and corrects the defects of the WEP encryption mechanism. The authentication scheme
suggested in the 802.11i standard is based on the 802.1X framework and the Extensible Authentication Protocol (EAP).
The AES algorithm (in CCMP mode) is used for encryption.
RC4: In the field of cryptography, RC4 was for a long time the most widely applied stream cipher. It is a symmetric
algorithm. Because of its known weaknesses it is now deprecated for new designs; in WLANs it survives only in WEP and
TKIP.
IV: Initialization Vector, a per-packet value that is transmitted in the clear in the encryption header and combined with
the shared key to form the per-packet cipher key.
EAPOL-KEY (EAP over LAN key): AP and STA carry out the key handshake via EAPOL-Key frames.
PMK (Pairwise Master Key): The ultimate source of all cipher key data between the Supplicant and the Authenticator. It
can be dynamically generated upon the negotiation between the supplicant and the authentication server, or be directly
provided by the pre-shared key (PSK).
PTK (Pairwise Transient Key): The key derived from the Pairwise Master Key (PMK), used for encryption and integrity
verification of unicast traffic.
Configuration Guide Configuring Wireless LAN Security
GMK (Group Master Key): The key used by an authenticator to derive the group transient key (GTK); it is usually a random
value generated by the authenticator.
GTK (Group Transient Key): Derived from the group master key (GMK) through a pseudo-random function, and used to
protect broadcast and multicast data.
MIC (message integrity code): A keyed hash value calculated over a set of protected data to guard against tampering.
Link Authentication
Link authentication refers to 802.11 authentication, a low-level authentication mechanism that takes place before access
authentication, when the STA and AP associate through 802.11. Before attempting to connect to the network, the STA must
pass 802.11 authentication, which can be considered the starting point of the handshake before the STA is connected to
the network, and the first step of the network connection.
IEEE 802.11 standard defines two link-level types of authentication:
Open System Authentication
Shared Key Authentication
Open System Authentication
Open System Authentication allows any user to access the wireless network. In this sense, no protection is actually
provided (there is no real authentication): if the authentication type is set to open system authentication, every STA that
requests authentication will pass it.
Open system authentication consists of two steps:
Step 1: The STA requests authentication by sending an authentication request, which contains the STA ID (typically the
MAC address).
Step 2: The AP sends an authentication response containing a success or failure result. If the result is "success", link
authentication between the STA and AP is complete and the STA can go on to associate.
Figure 1 Open System Authentication
Shared Key Authentication
Shared key authentication is the other authentication mechanism besides open system authentication. The STA and AP
need to be configured with the same shared (WEP) key. The process of shared key authentication is as follows:
Step 1: The STA sends an authentication request to the AP;
Step 2: The AP randomly generates a challenge (a 128-byte string) and sends it to the STA in the clear;
Step 3: The STA copies the received string into a new message, encrypts it with the shared key and sends it to the AP;
Step 4: Upon receipt of this message, the AP decrypts it with the key and compares the decrypted string with the string it
sent to the STA. If they are the same, the STA owns the same shared key as the wireless device and the shared key
authentication succeeds. Otherwise, the shared key authentication fails.
Note that an eavesdropper who captures Step 2 and Step 3 learns both the plaintext challenge and its WEP ciphertext, and
therefore the RC4 keystream for that IV; that keystream is enough to answer a later challenge without knowing the key.
Shared key authentication is consequently weaker than open system authentication combined with WEP encryption.
Access Authentication
Access authentication is an enhanced WLAN security solution. After the STA associates with the AP, whether the AP's
service is available to it depends on the result of access authentication. If authentication succeeds, the AP opens the
logical port for the STA. Otherwise, the user is not allowed to access the network.
Two types of access authentication will be introduced below:
PSK access authentication
802.1x access authentication
PSK Access Authentication
PSK (Pre-shared key) is a kind of 802.11i authentication that uses a preconfigured static key for authentication. In PSK
authentication, the same pre-shared key needs to be configured on both the wireless user and the wireless access device.
If the keys are the same, PSK access authentication succeeds; if they differ, it fails. Because the key is shared by everyone
on the WLAN and is the only secret, the strength of PSK authentication is the strength of the passphrase.
802.1x Access Authentication
IEEE 802.1X is a port-based network access control protocol. This authentication method implements authentication and
control of user devices at the port level of the WLAN access device. If the user device connected to the port passes the
authentication, it can access WLAN resources; otherwise, it cannot.
A wireless network with 802.1X authentication must have the following three elements to complete port-based access
control, user authentication and authorization:
Supplicant
Generally installed on the user's workstation. When the user needs to connect to the network, this client-side software is
activated; after the user enters the required user name and password, the client-side software sends the access request.
Authenticator
The wireless AP, or a communication device acting as the wireless AP, in the wireless network. Its primary function is to
relay the user's authentication information between the supplicant and the authentication server, and to open or close the
port according to the authentication result.
Authentication server
It checks the identification information (user name and password) sent from the client side to verify whether the user is
entitled to use the services provided by the network, and instructs the authenticator to open or close the port according to
the authentication result. In practice this is a RADIUS server.
Wireless Encryption
Compared with a wired network, a wireless network is exposed to greater data security risks. Since all WLAN devices in an
area share the same transmission medium, any device can receive the data sent to all other devices. This is a direct threat
to the security of WLAN access data. IEEE 802.11 provides three encryption mechanisms: Wired Equivalent Privacy (WEP),
Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard in CCMP mode (AES-CCMP).
WEP encryption
TKIP encryption
AES-CCMP encryption
WEP Encryption
WEP (Wired Equivalent Privacy) is the data encryption method specified in the original IEEE 802.11 standard. As the
basis of early WLAN security authentication and encryption, it was intended to protect the privacy of data exchanged by
authorized users in the WLAN and to prevent interception.
WEP uses the RC4 algorithm to protect data privacy and realizes authentication via the shared key. WEP does not specify a
key management scheme, so the key is generally configured and maintained manually. WEP without key distribution is
called manual WEP or static WEP.
A WEP encryption key generally has 64 bits or 128 bits. Since the 24-bit IV (Initialization Vector) is generated by the
system, the shared key configured on the AP and STA is only 40 bits or 104 bits. In practice, WEP with a 104-bit key has
widely replaced WEP with a 40-bit key and is also called WEP-104. Although WEP-104 enhances the security of WEP
encryption to a certain extent, the limitations of the RC4 key schedule, the 24-bit IV (which repeats after at most 2^24
frames and is often reused much sooner), the linear CRC-32 integrity check and the statically configured key mean that
WEP is exposed to great security risks and cannot guarantee data privacy or integrity, nor authenticate access users. Use
it only where a legacy client leaves no other option.
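An added toy implementation (not RGOS code and not from the guide) that makes concrete the two problems described in this section and in "Shared Key Authentication": a WEP frame body is RC4(IV || key) applied to the plaintext plus a CRC-32 ICV, so one known plaintext/ciphertext pair, which shared key authentication hands an eavesdropper for free, yields the keystream for that IV, and any other frame under the same IV is then exposed. The key, IV, challenge strings and frames are constructed for the example, and the frame layout is simplified to the IV, key-id byte and encrypted body.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation, XORed onto data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: a plain CRC-32, which is linear and keyless, not a MAC."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV(3) || key-id(1) || RC4(IV || key, plaintext || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13), "WEP-40 or WEP-104 key, 24-bit IV"
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Receiver side: decrypt with IV || key and check the ICV."""
    iv, body = frame[:3], frame[4:]
    data = rc4(iv + key, body)
    plaintext, received_icv = data[:-4], data[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_keystream(known_plaintext: bytes, frame: bytes) -> bytes:
    """Keystream for the frame's IV = (plaintext || ICV) XOR ciphertext."""
    return xor(known_plaintext + icv(known_plaintext), frame[4:])


def forge_auth_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Answer a shared-key challenge with a recovered keystream, no key needed.

    WEP places no restriction on IV reuse, so the AP accepts the old IV again.
    """
    data = challenge + icv(challenge)
    if len(keystream) < len(data):
        raise ValueError("recovered keystream too short for this challenge")
    return iv + b"\x00" + xor(data, keystream[: len(data)])


def recover_by_iv_reuse(known_frame: bytes, known_plaintext: bytes, other_frame: bytes) -> bytes:
    """Two frames under the same IV share a keystream; one known plaintext reveals the other."""
    if known_frame[:3] != other_frame[:3]:
        raise ValueError("frames use different IVs")
    keystream = recover_keystream(known_plaintext, known_frame)
    body = other_frame[4:]
    if len(keystream) < len(body):
        raise ValueError("known frame shorter than target frame")
    return xor(body, keystream)[:-4]  # strip the ICV


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\xaa\xbb\xcc"  # constructed WEP-40 key and IV
    # Shared key authentication: the AP sends a 128-byte challenge in the clear (Step 2)
    # and the STA returns it WEP-encrypted (Step 3). Both are visible to an eavesdropper.
    challenge = bytes(range(128))
    response = wep_encrypt(key, iv, challenge)
    keystream = recover_keystream(challenge, response)
    # Later the eavesdropper is challenged itself and answers without the key.
    new_challenge = bytes(range(127, -1, -1))
    forged = forge_auth_response(iv, keystream, new_challenge)
    print("AP accepts forged response:", wep_decrypt(key, forged) == new_challenge)
    # IV reuse: a frame with known content decrypts another frame sent under the same IV.
    f1 = wep_encrypt(key, iv, b"GET /index.html HTTP/1.1\r\n")
    f2 = wep_encrypt(key, iv, b"password=hunter2")
    print(recover_by_iv_reuse(f1, b"GET /index.html HTTP/1.1\r\n", f2))
```

Both attacks work without ever touching the key, which is why the text above says WEP can neither protect privacy nor authenticate users; a longer (104-bit) key changes nothing here.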
TKIP Encryption
TKIP (Temporal Key Integrity Protocol) was an interim solution developed by the IEEE 802.11 working group to fix the
encryption mechanism of WEP on existing hardware. Like WEP, it uses the RC4 algorithm, but it provides better protection
for WLAN service than WEP, as detailed below:
1) The key of static WEP is manually configured, and all users in one service area share one key. The key of TKIP is
dynamically generated, and each data packet is encrypted with a different per-packet key.
2) TKIP extends the key length from WEP's 40 bits to 128 bits and the Initialization Vector (IV) from 24 bits to 48 bits,
which substantially enhances the security of WEP encryption.
3) TKIP supports MIC (Message Integrity Check) authentication (the Michael algorithm) and is capable of defending
against replay attacks.
TKIP has itself been deprecated by later 802.11 revisions and is not permitted at 802.11n rates; prefer AES-CCMP wherever
the clients allow it.
AES-CCMP Encryption
AES-CCMP (Counter mode with CBC-MAC Protocol) is the strongest of the three mechanisms and the one mandated by
IEEE 802.11i.
IEEE 802.11i requires the use of CCMP to provide all four security services: authentication, confidentiality, integrity, and
replay protection. CCMP uses the 128-bit AES (Advanced Encryption Standard) block cipher in counter mode for
confidentiality and CBC-MAC (Cipher Block Chaining Message Authentication Code) to guarantee data integrity and
authentication; a 48-bit packet number used as the nonce provides replay protection.
As a new block cipher standard, AES uses a symmetric block encryption technique that offers far greater security strength
than the RC4 algorithm used in WEP/TKIP. Upon the final approval of IEEE 802.11i, it became the new-generation
encryption technique replacing WEP, offering better security protection for the wireless network.
WPA Security Technique
WPA (Wi-Fi Protected Access) is a WLAN security technique developed by the Wi-Fi Alliance on the basis of the IEEE
802.11i draft, aiming to replace the conventional WEP security technique and provide an interim advanced security
solution for WLAN devices while maintaining compatibility with future security protocols. WPA can be considered a subset
of IEEE 802.11i, with IEEE 802.1X and TKIP at its core.
Over the past years, wireless security protocols have developed substantially. Encryption has developed from traditional
WEP to the AES-CCMP of IEEE 802.11i, and authentication from WEP shared-key authentication to 802.1X. With the
introduction of new protocols and technologies, the overall architecture has become more complicated. The WPA security
technique allows various authentication and encryption methods to be combined to implement WLAN access control, key
management and data encryption. For example, access authentication can use pre-shared key (PSK) authentication or
802.1X authentication, while encryption can use TKIP or AES. The combination of WPA with these encryption and
authentication methods guarantees the security of the data link layer and ensures that only authorized users can access
the WLAN.
RSN Security Technique
RSN (Robust Security Network) is known as WPA2 security mode, the second edition of WPA. It was developed by the
Wi-Fi Alliance upon the official release of IEEE 802.11i. Since RSN mandates the AES-CCMP encryption algorithm, it
provides better security than WPA.
Similar to WPA, RSN can also be combined with multiple authentication and encryption methods to build a safer WLAN.
The difference lies in how security capabilities are advertised and negotiated: WPA uses a vendor-specific WPA IE
(Information Element) to carry its security configuration, while RSN uses the standard RSN IE.
WPA Operating Mechanism
WPA operating mechanism is shown below, and can be summarized into the following four phases:
Figure 3 WPA operating mechanism
The operating process of RSN (WPA2) is basically the same as that of WPA. For the operating
mechanism of RSN, please refer to the operating mechanism of WPA.
Security Capability Advertisement and Negotiation
Security capability advertisement takes place when the STA and AP associate through 802.11:
1. WPA capability advertisement by the AP
To advertise its support for WPA, the AP sends Beacon frames (and Probe Responses) carrying the WPA IE (Information
Element), which contains the AP's security configuration (such as the encryption algorithms and authentication methods).
2. Link authentication between STA and AP
The STA sends an Open System Authentication request to the AP, which replies with the authentication result. For details,
refer to the section "Open System Authentication".
3. STA and AP associate through 802.11
The STA selects a security configuration from the IE advertised by the AP and sends the selected configuration to the AP in
its association request. At this phase, if the STA supports none of the encryption and authentication methods supported by
the AP, the AP may deny the association; if the AP supports none of the methods supported by the STA, the STA will not
associate with the AP.
Secure access authentication
This phase mainly involves user authentication, which produces the Pairwise Master Key (PMK).
The PMK is the ultimate source of all cipher key data. It can be dynamically generated by negotiation between the STA and
the authentication server, or provided directly by the configured pre-shared key (PSK).
For 802.1X authentication: the PMK is generated by dynamic negotiation between the STA and the authentication server
(as defined by the EAP method in use). This process is transparent to the AP, which mainly relays the authentication
exchange and opens or closes the port according to the authentication result.
For PSK authentication: there is no PMK negotiation between the STA and an authentication server. The AP and STA
directly use the configured PSK as the PMK (the PSK is derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1,
4096 iterations, 256 bits).
The STA and authentication server (for 802.1X authentication) generate the PMK on both sides only if access
authentication succeeds. After successful 802.1X authentication, the server distributes the generated PMK to the AP (in the
RADIUS Access-Accept message).
Session Key Negotiation
This phase mainly involves session key negotiation to generate the PTK and GTK, which are used to protect unicast and
multicast/broadcast frames respectively.
The AP and STA carry out the WPA 4-way handshake via EAPOL-Key frames. During this process, the AP and STA each
calculate the PTK from the PMK, the two MAC addresses and the two nonces exchanged in the handshake (512 bits for
TKIP, 384 bits for CCMP), and divide the PTK into keys for different purposes: the EAPOL-Key confirmation key (KCK, used
for the handshake MIC), the EAPOL-Key encryption key (KEK, used to wrap the GTK), the temporal key (TK, the data
encryption key) and, for TKIP, two additional MIC keys. These provide encryption and integrity protection for the
subsequent unicast data frames and EAPOL-Key frames.
After a successful 4-way handshake (or, for RSN, inside message 3 of it), the AP uses the KEK part of the PTK to encrypt
the GTK and sends the encrypted GTK to the STA, which decrypts it with the same key. The GTK is a group key shared by all
STAs on the WLAN. The AP uses the GTK to encrypt broadcast and multicast packets, and every STA associated with this
AP uses the same GTK to decrypt them and check the MIC. Because the GTK is shared by all associated STAs, any one of
them can forge group-addressed frames, so group traffic is protected only against outsiders.
Enciphered data transmission
This phase mainly involves data encryption and transmission.
The two ciphers use the TK differently. TKIP does not use the TK directly as the packet key; it treats it as the base key of a
two-phase key mixing function that produces a different RC4 key for every packet. AES-CCMP uses the TK directly as the
AES key and instead varies a 48-bit packet number (the nonce) per frame. In the subsequent communication, the AP and
STA use these keys for encrypted communication.
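The key hierarchy of the last three phases, as an added example that is not part of the guide or of RGOS: PMK from a passphrase (PSK mode), PTK from the handshake inputs with the 802.11i PRF, and the EAPOL-Key MIC check the authenticator performs on message 2 of the 4-way handshake. The MAC addresses, nonces, SSID, passphrases and the 121-byte EAPOL-Key frame are constructed; the frame is laid out only far enough to place the MIC at its standard offset 81 (4-byte 802.1X header plus 77 bytes of Key Descriptor fields).

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, tkip: bool = False) -> dict:
    """4-way handshake PTK; addresses and nonces are ordered by value so both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512 if tkip else 384)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if tkip:  # TKIP carries two extra 64-bit Michael MIC keys
        keys["TX_MIC"], keys["RX_MIC"] = ptk[48:56], ptk[56:64]
    return keys


def eapol_mic(kck: bytes, eapol_frame: bytes, mic_offset: int = 81, tkip: bool = False) -> bytes:
    """MIC over the whole EAPOL-Key frame with its 16-byte MIC field zeroed.

    Key descriptor version 1 (TKIP) uses HMAC-MD5; version 2 (CCMP) uses
    HMAC-SHA1 truncated to 128 bits.
    """
    zeroed = eapol_frame[:mic_offset] + bytes(16) + eapol_frame[mic_offset + 16:]
    digest = hashlib.md5 if tkip else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def build_msg2(keys: dict, body: bytes, tkip: bool = False) -> bytes:
    """Constructed supplicant message 2: body with the MIC field filled in at offset 81."""
    frame = body[:81] + bytes(16) + body[97:]
    return frame[:81] + eapol_mic(keys["KCK"], frame, tkip=tkip) + frame[97:]


def verify_handshake_msg2(passphrase, ssid, aa, spa, anonce, snonce, eapol_frame, tkip=False) -> bool:
    """Authenticator-side check: recompute the PTK and compare the MIC the supplicant sent."""
    keys = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce, tkip)
    expected = eapol_mic(keys["KCK"], eapol_frame, tkip=tkip)
    return hmac.compare_digest(expected, eapol_frame[81:97])


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print(pmk_from_passphrase("password", "IEEE").hex())
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))              # constructed nonces
    keys = derive_ptk(pmk_from_passphrase("correct horse", "lab-ssid"), aa, spa, anonce, snonce)
    msg2 = build_msg2(keys, bytes(121))
    print("MIC valid with right passphrase:",
          verify_handshake_msg2("correct horse", "lab-ssid", aa, spa, anonce, snonce, msg2))
    print("MIC valid with wrong passphrase:",
          verify_handshake_msg2("correct hors", "lab-ssid", aa, spa, anonce, snonce, msg2))
```

Everything `verify_handshake_msg2` needs except the passphrase is sent in the clear over the air, which is why a PSK WLAN is exactly as strong as its passphrase: whoever captured message 2 can run this same check against candidate passphrases offline, and the 4096-iteration PBKDF2 only slows that down, it does not prevent it.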
IEEE Std 802.11-2007, Information technology—Telecommunications and information exchange between systems—Local
and metropolitan area networks—Specific requirements
Wi-Fi Protected Access: Enhanced Security Implementation Based on IEEE P802.11i Standard, August 2004
IEEE Std 802.11-1999, Information technology—Telecommunications and information exchange between systems—Local
and metropolitan area networks—Specific requirements
IEEE Std 802.1X-2004, IEEE Standard for Local and metropolitan area networks: Port-Based Network Access Control
IEEE Std 802.11i, IEEE Standard for Information technology—Telecommunications and information exchange between
systems—Local and metropolitan area networks—Specific requirements
Default Configurations
Function                             Default
Configure WPA security mode          Disabled
Configure RSN security mode          Disabled
Configure TKIP encryption            Disabled
Configure AES encryption             Disabled
Configure PSK authentication         Disabled
Configure 802.1X authentication      Disabled
Configuring Wireless Security Encryption
In practical applications, different levels of wireless security policy shall be implemented according to user needs.
The three security levels of the wireless security mechanism are shown below (security level: security mechanism;
description):
Low: WEP encryption and authentication mechanism. ... and convenient deployment; easy to crack. Applicable to
ordinary home networks.
Medium: ... security based second-generation wireless security mechanism. Substantially enhances the security of
wireless networks through a software upgrade without modifying the original deployment. (... environment without a
dedicated authentication server.)
High: ... mechanism. Based on the IEEE 802.11i draft protocol, it is currently a necessary option to build a secure WLAN.
Applicable to public facilities, network operators, large- and medium-sized businesses, financial institutions, etc. (a
dedicated authentication server must be deployed).
and authentication combinations. According to the actual networking needs, the user can refer to the above security levels
and select an appropriate security configuration model:
Security Mode Encryption Mode Authentication Mode Description
Configure static
WPA and RSN security modes can be enabled simultaneously. If one WLAN enables WPA and RSN
simultaneously, then both security modes share the same encryption and authentication methods.
Configuring Static WEP
The following two configurations must be completed for the static WEP security encryption model:
1) (Required) Configuring WEP encryption
2) (Required) Configuring link authentication
Configuring Link Authentication
WEP encryption mode can be used with one of the following two link authentication modes.
Open System Authentication: The WEP key is used only for encryption. Even if the keys configured on the two sides differ,
the STA still associates, but the data frames it then sends are discarded by the receiving end because the ICV check fails
under the wrong key. In short, the STA can connect to the AP but cannot pass traffic.
Shared Key Authentication: The WEP key is used for both authentication and encryption. If the keys differ, the STA cannot
access the network at all.
Command Function
Ruijie(config)# wlansec wlan-id Enters wireless security configuration mode. WLAN-ID
refers to an existing WLAN ID. A WLAN must be created
before this configuration.
namely there will be no authentication.
open: Open system authentication
share-key: Shared key authentication
WLAN.
The shared key authentication mode can only be configured during WEP encryption configuration.
When configuring WPA and RSN security modes, AP must operate under the open system authentication
mode.
Example: Configure the link authentication mode of WLAN1 to shared key authentication:
Ruijie(config)#wlansec 1
Ruijie(wlansec)#show wlan security 1
Security Policy :static WEP
WEP auth mode : share-key // Link authentication mode: shared key authentication
WEP index......... :0
WEP key length :5
Configuring WPA Security Mode
Among the existing WPA security solutions, two encryption methods can be adopted, TKIP and AES-CCMP, and two
authentication methods can be applied, PSK authentication and 802.1X authentication. The combination of WPA with
these encryption and authentication methods guarantees the security of the data link layer and ensures that only
authorized users can access the WLAN.
Steps of WPA security encryption model are shown below:
1) (Required) Enable WPA mode
2) (Required) Configure WPA encryption mode
3) (Required) Configure WPA authentication mode
4) (Optional) Configure pre-shared key (PSK)
The following steps indicate how to enable WPA security mode. Encryption and authentication modes can only be
configured after the security mode is enabled.
Command Function
Ruijie(config)# wlansec wlan-id
Enters wireless security configuration mode. WLAN-ID
refers to an existing WLAN ID. A WLAN must be created
before this configuration.
Ruijie(wlansec)#show wlan security wlan-id Displays the security configuration of the specified
WLAN.
For AP220-E V1.x, AP220-SH V1.x, AP220-SE V1.x and AP220-E (M) V1.5, when the WPA security mechanism is used,
the encryption mode and the authentication mode must both be configured. If only one of them is configured, or neither
is, the STA will be unable to connect to the wireless network. For AP220-E V2.x, AP220-SH V2.x, AP220-1 and AP220-SI,
the encryption mode and the authentication mode must likewise both be configured; if only one of them is configured, or
neither is, the STA will be unable to connect to the wireless network in encryption mode.
When using WPA security mechanism, AP must work under the open system authentication mode.
Example: Enable WPA security mode of WLAN10
Ruijie(config)#wlansec 10
Ruijie(wlansec)# security wpa enable
Configuring RSN Security Mode
Similar to WPA, RSN also needs both the encryption mode and the authentication mode configured to guarantee the
security of the data link layer and ensure that only authorized users can access the WLAN.
The following configurations must be completed for RSN security encryption model:
1) (Required) Enabling RSN mode
2) (Required) Configuring RSN encryption mode
3) (Required) Configuring RSN authentication mode
4) (Optional) Configuring pre-shared key (PSK)
The following steps indicate how to enable RSN security mode. Encryption and authentication modes can only be
configured after the security mode is enabled.
Command Function
Ruijie(config)# wlansec wlan-id
Enters wireless security configuration mode. WLAN-ID
refers to an existing WLAN ID. A WLAN must be created
before this configuration.
WLAN.
When using RSN security mechanism, the encryption mode and authentication mode shall be configured
accordingly. If only the encryption mode or the authentication mode is configured, or if none of them is
configured, then STA will be unable to connect to the wireless network.
When using RSN security mechanism, AP must operate under the open system authentication mode.
Wireless clients running Windows XP SP1/SP2 need an additional patch to support RSN security mode.
Example: Enable RSN security mode of WLAN10
Ruijie(config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Configuring Security Encryption Mode
Configure the encryption mode of WPA/RSN in wireless security mode. WPA and RSN can both adopt the following two
encryption modes:
TKIP encryption
AES encryption
Command Function
Ruijie(config)# wlansec wlan-id
Enters wireless security configuration mode. WLAN-ID
refers to an existing WLAN ID. A WLAN must be created
before this configuration.
enable
Configures the encryption mode of WPA/RSN to AES or TKIP,
or enables both.
Disabled by default.
WLAN.
WPA is normally used together with TKIP and RSN with AES-CCMP, although either mode accepts either cipher. If both
ciphers are enabled on one WLAN, the group cipher falls back to TKIP so that every client can decrypt broadcast traffic,
which removes most of the benefit of AES; enable AES only unless a legacy client forces the issue.
TKIP supports 802.11a/b/g. It does not support 802.11n: an 802.11n client that negotiates TKIP is restricted to legacy
(non-HT) rates.
Example: Enable RSN-AES encryption mode.
Ruijie(config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Ruijie(wlansec)# show wlan security 10
Security Policy: WPA none (no AKM)
WPA version : WPA2(RSN)
group cipher type :AES
Configuring Security Authentication Mode
Configure the authentication mode of WPA/RSN in wireless security mode. WPA and RSN can both adopt the following
two authentication modes:
PSK authentication
802.1X authentication
Ruijie(config)# wlansec wlan-id
Enters wireless security configuration mode. WLAN-ID
refers to an existing WLAN ID. A WLAN must be created
before this configuration.
enable
Configures the authentication mode of WPA/RSN to PSK or
IEEE 802.1X, or enables both. When the authentication
mode is set to PSK, the PSK shall be configured. This
function is disabled by default.
Ruijie(wlansec)#show wlan security wlan-id Displays the security configuration of the specified
WLAN.
To support WPA/RSN, AP must operate under the open system authentication mode.
After the STA associates with the AP in WPA or RSN mode, if a RADIUS server in the network acts as the authentication
server, the STA can use 802.1X authentication; if there is no RADIUS server in the network, the STA and AP can use PSK
authentication.
Example: Enable RSN-PSK authentication mode
Ruijie(config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Ruijie(wlansec)# show wlan security 10
Security Policy : WPA PSK
pairwise cipher type:AES
Configuring Pre-Shared Key (PSK)
When the authentication mode is set to PSK, the PSK shall be configured. The PSK only takes effect after the PSK
authentication mode is configured. IEEE 802.11i defines the passphrase as 8 to 63 printable ASCII characters (or the
256-bit key as 64 hexadecimal digits), and because the PMK is derived from the passphrase and SSID alone, a short or
guessable passphrase can be recovered offline from a single captured handshake: use a long random passphrase outside a
lab.
Ruijie(config)# wlansec wlan-id
Enters wireless security configuration mode. WLAN-ID
refers to an existing WLAN ID. A WLAN must be created
before this configuration.
key
By default, the PSK is not configured.
Ruijie(wlansec)#show wlan security wlan-id Displays the security configuration of the specified
WLAN.
Ruijie(config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Ruijie(wlansec)# security wpa akm psk set-key ascii 12345
Ruijie(wlansec)# show wlan security 10
Security Policy : WPA none (no AKM)
WPA version : WPA2(RSN)
wpa_passphrase :
31 32 33 34 35 // Passphrase (displayed in HEX format): the corresponding ASCII key is 12345
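The hex shown under wpa_passphrase is simply the bytes of the ASCII passphrase, and that passphrase is not used as the key directly: IEEE 802.11i derives the 256-bit PMK from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations). The following added example (written for this page, not RGOS code) reproduces the hex display, checks the 8 to 63 character passphrase length the standard requires (the guide's 12345 is shorter than that, which is worth bearing in mind regardless of what the device accepts), and derives the PMK. The SSID value ssid_wlan100 is the one used later in this guide's RSN example; the functions and the sample passphrases are this example's own.

```python
"""WPA/RSN pre-shared key handling: display, validation and PMK derivation.

Added example for the configuration guide; not part of RGOS.
"""
import hashlib

PSK_MIN_LEN, PSK_MAX_LEN = 8, 63          # IEEE 802.11i ASCII passphrase limits
PBKDF2_ITERATIONS, PMK_LEN = 4096, 32     # IEEE 802.11i passphrase-to-PSK mapping


def validate_passphrase(passphrase: str) -> bool:
    """True if the passphrase is 8..63 printable ASCII characters (802.11i)."""
    if not (PSK_MIN_LEN <= len(passphrase) <= PSK_MAX_LEN):
        return False
    return all(32 <= ord(ch) <= 126 for ch in passphrase)


def show_passphrase_hex(passphrase: str) -> str:
    """Render the passphrase as the guide's `show wlan security` output does:
    one two-digit hex value per byte, separated by spaces."""
    return " ".join(f"{byte:02x}" for byte in passphrase.encode("ascii"))


def show_security_fields(passphrase: str) -> dict:
    """The two passphrase-related fields described in the guide's field table:
    wpa_passphraselen (length in bytes) and wpa_passphrase (hex)."""
    raw = passphrase.encode("ascii")
    return {"wpa_passphraselen": len(raw), "wpa_passphrase": show_passphrase_hex(passphrase)}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    The SSID is the salt, so the same passphrase yields a different PMK on a
    WLAN with a different SSID.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), PBKDF2_ITERATIONS, PMK_LEN)


if __name__ == "__main__":
    for candidate in ("12345", "12345678"):       # the guide's two example keys
        print(candidate, "valid per 802.11i:", validate_passphrase(candidate),
              "| hex:", show_passphrase_hex(candidate))
    # ssid_wlan100 is the SSID from the guide's RSN example; the PMK below is
    # what the 4-way handshake would actually be keyed from.
    print("PMK for ssid_wlan100:", derive_pmk("12345678", "ssid_wlan100").hex())
```

Because the mapping is deterministic and the SSID is visible in beacons, the only secret in the PMK is the passphrase itself; a longer passphrase, not the choice of AES over TKIP, is what raises the cost of guessing it.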
Configuring MAB
In practice, some wireless devices cannot run an 802.1X client but still need to connect to a wireless network that
requires authentication. MAB (MAC Authentication Bypass), an authentication mechanism based on the MAC address that
needs no 802.1X client, can be used in such cases.
Command Function
Configuration Guide Configuring Wireless LAN Security
Ruijie(config)# wlansec wlan-id
Enters wireless security configuration mode. WLAN-ID
refers to an existing WLAN ID. A WLAN must be created
before this configuration.
Ruijie(wlansec)#dot1x-mab Enables the MAB feature. Use the no form of this
command to remove the configuration.
The MAB feature cannot coexist with the other security modes in the same WLAN.
Example: Configure the MAB feature for the WLAN1.
Ruijie (config)#wlansec 1
Ruijie(wlansec)# dot1x-mab
To switch between WLAN security policies, delete the WLANSEC configuration of this WLAN before configuring a new
security policy.
Configuring Authentication Parameters
Command Function
Ruijie(config)# wlansec wlan-id
The wlan-id specifies an existing WLAN ID, which must be
created before this configuration.
authentication. The range of timeout is from 0 to 86400
seconds.
configurations in any mode.
Command Function
show wlan security wlan-id Displays the security configuration of the specified
WLAN.
show wlan stainfo summury Displays the authentication state of current user.
Example 1: Display security configurations of WLAN 10
Ruijie#show wlan security 10
Security Policy :WPA2(RSN) PSK
wpa_passphrase :
30 30 30 31 31 31 32 32 32 // Passphrase (displayed in HEX format): the corresponding ASCII key is 000111222
WEP auth mode :open
Field Description
Security Policy Security mode: static WEP, WPA none (no AKM), WPA
PSK, WPA 802.1x, unknown
preshare key
pairwise cipher type Type of unicast encryption: TKIP, AES, AES or TKIP,
NONE
group cipher type Type of multicast encryption: TKIP, AES, AES or TKIP,
NONE
wpa_passhraselen Key length; unit: byte
wpa_passphrase Passphrase; unit: HEX
Example 2: display the authentication state of current user.
Ruijie#show wlan stainfo summury
INDEX MAC-address WLAN ID VLAN ID Wireless-state PTK-state
1 00:23:cd:ad:d3:da 10 10 AUTH-and-ASSOC 11
Field Description
WLAN ID ID of the WLAN used by wireless user
VLAN ID ID of the VLAN used by wireless user
Wireless-state Auth-and-Assoc (authorized and associated);
PTK-state Key negotiation state; value scope: 1-11.
Value 11 indicates that key negotiation is completed.
Example of Wireless Security Configuration
The following explains only the configurations related to encryption and authentication.
Example of RSN Configuration
Network Topology
As shown below, the wireless AP is connected to the wireless AC via a switch.
Figure 4 Networking diagram of RSN security mode
Networking Requirements
As there is no dedicated authentication server, the wireless clients use PSK authentication to access the network.
The AES encryption algorithm is used to ensure the security of network data.
Configuration Tips
Enable RSN security mode
Enable AES encryption mode
Enable PSK authentication mode and configure PSK
To configure WPA/RSN security mode, open system authentication must be enabled
Configuration Steps
Step 1: Create WLAN
1. Create a layer-3 virtual interface (CVI) based on VLAN 2
Ruijie(config)#vlan 2
Ruijie(config-vlan)#int vlan 2
Ruijie(config-if-VLAN 2)#exit
2. Create a WLAN with ID 1024, map WLAN1 to CVI 2, and then apply it to radio 1 of all APs in the default AP
group.
Ruijie(config)# wlan-config 100 pro-100 ssid_wlan100
Ruijie(config-wlan)#exit
Ruijie(config-ap-group)# show group-ap intf-wlan-map default
WlAN ID SSID Vlan Id Radio id Mib index
--------- ------- ------------ ---------- ----------
Step 2: Configure the security policy of WLAN1
1. Enable open system authentication. By default, the link authentication mode is open system authentication.
Ruijie(config)#wlansec 100
Ruijie(wlansec)#security rsn enable
Ruijie(wlansec)#security wpa ciphers aes enable
4. Enable PSK authentication mode and configure PSK to 12345678.
Ruijie(wlansec)# security wpa akm psk enable
Ruijie(wlansec)# security wpa akm psk set-key ascii 12345678
Verifying Configurations
Ruijie# show wlan security 100
Security Policy :WPA2(RSN)PSK
WPA version : WPA2(RSN)
WEP auth mode :open
Step 2: Display the authentication state of current user
Ruijie# show wlan stainfo summury
INDEX MAC-address WLAN ID VLAN ID Wireless-state PTK-state
1 00:23:cd:ad:d3:da 100 2 AUTH-and-ASSOC 11
Step 3: Enter the correct passphrase and a wrong passphrase on the wireless client to verify that the security function is
effective.
With the correct PSK, the wireless client associates with the AP successfully and can access Internet resources.
With a wrong PSK, the wireless client cannot associate with the AP or access Internet resources (depending on the
terminal, some wireless clients may be able to associate with the AP but still be unable to access the network).
Configuration Guide Configuring WIDS
Overview
Compared with a wired network, a WLAN is convenient to deploy, flexible to use, cost-efficient and easy to expand, and is
therefore used more and more widely. However, because the WLAN channel is open, wireless networks are susceptible
to a wide array of threats such as unauthorized APs, ad-hoc networks and various protocol attacks. Security has
therefore become an important factor inhibiting the development of WLANs.
WIDS (Wireless Intrusion Detection System) provides early detection of malicious attacks and intrusions and helps the
network administrator proactively discover hidden defects of the network and take the necessary countermeasures.
Currently, WIDS mainly provides the following features:
Rogue device detection, countermeasure
User isolation
Basic Concepts of WIDS
Rogue device: An unauthorized or malicious device on the network. It can be an illegal AP, an illegal bridge or an
unauthorized ad-hoc device.
Rogue AP: An unauthorized or malicious AP on the network, such as an unauthorized AP, a misconfigured AP or an
attacker-operated AP.
Ad-hoc device: A wireless client in ad-hoc mode can communicate directly with other stations without support from any
other device. Since an ad-hoc network has no infrastructure, it poses certain security threats.
IDS attack detection: WIDS can detect malicious or unintentional attacks on the WLAN by wireless users, such as
flooding attacks, spoof attacks and weak IV attacks.
Rogue Device Detection and Countermeasure
Devices on the network can generally be divided into illegal devices (Rogue devices) and legal devices. Rogue devices
may have security vulnerabilities or be controlled by an attacker, and thus pose severe threats to network security. The
Rogue device detection feature of WIDS helps monitor abnormal devices in the entire WLAN and assists the network
administrator in detecting hidden defects of the network.
Rogue device detection can detect several kinds of Rogue devices in the WLAN: Rogue APs, Rogue clients, Rogue wireless
bridges and Ad-hoc networks. Currently, only the detection of Rogue APs and Ad-hoc networks is supported.
Rogue device detection is performed by APs operating in monitor mode. WIDS deploys some APs in the wireless network
and instructs them to operate in monitor mode so that they capture the wireless packets transmitted over the air.
Besides listening for packets, the AP also sends broadcast detection requests and waits for the replies. Every device
adjacent to the AP receives such a detection request and replies, so the AP operating in monitor mode can identify the
types of surrounding devices from these response frames. Meanwhile, the network administrator can monitor abnormal
devices in the entire WLAN by configuring detection rules.
Rogue device countermeasure sends spoofed de-authentication frames, using the addresses of the Rogue devices in the
attack list, in order to counter those Rogue devices.
Configure the following different monitor modes to detect Rogue devices:
Monitor AP: In this mode, the AP scans all devices in the WLAN and acts only as a monitor AP, not as an access AP.
When an AP operates in Monitor mode, all WLAN services provided by that AP are disabled. As shown in Fig 1, AP 1
works as an access AP, and AP 2 works as a monitor AP that listens to all 802.11 frames and detects illegal devices on the
wireless network. AP 2 cannot provide wireless access services.
Figure 1-1 Detect Rogue devices in Monitor mode
Hybrid AP: In this mode, the AP acts as both access AP and monitor AP. It scans devices in the WLAN and also provides
WLAN data services. As shown in Fig 2, the AP both detects Rogue devices and provides WLAN access services for
Client1 and Client2.
After a Rogue device is detected, you can enable countermeasures. The monitor AP downloads an attack list from the
AC according to the countermeasure mode and takes countermeasures against the detected Rogue devices; for example,
it uses the address of the Rogue device to send spoofed de-authentication frames against that Rogue device (this feature
is not provided for the moment).
IDS Attack Detection
To detect and defend against malicious or unintentional attacks on the WLAN in a timely manner, WIDS can detect
multiple kinds of intrusions or attacks. When an attack is detected, WIDS informs the network administrator by recording
the information or sending logs. The network administrator can then promptly adjust the network configuration and
remove the insecure factors from the WLAN.
At present, IDS detection supports detection of the following three attacks:
Flooding attack detection
Spoof attack detection
Weak IV detection
Flooding Attack Detection
A flooding attack refers to the case in which WLAN devices receive large volumes of frames of the same kind within a
short span of time and are overwhelmed. As a result, such WLAN devices are unable to respond to requests from
legal users.
WIDS counters flooding attacks by constantly tracking the traffic density generated by each device. When the traffic
density of a device exceeds the threshold configured by the network administrator, the device is considered to be
flooding the network and is blocked. Flooding attack detection can be used together with the dynamic blacklist: when
WIDS detects a flooding attack and the dynamic blacklist feature is enabled, the detected wireless client is added to the
blacklist, so that the WLAN system is no longer subject to attacks from that device.
Flooding attack detection is applied to the following frame types:
Authentication requests and de-authentication requests
Association requests, disassociation requests and reassociation requests
Probe requests
Spoof Attack Detection
A spoof attack refers to the case in which a potential attacker sends a frame over the air on behalf of another device. For
instance, a spoofed de-authentication frame can cause a station to be de-authenticated from the network.
WIDS counters spoof attacks by detecting broadcast de-authentication and disassociation frames. When such a frame is
received, it is identified as a spoofed frame and the attack is immediately logged.
Weak IV Detection
Weak IV (Weak Initialization Vector) attack: when a WLAN uses WEP to encrypt each frame, an attacker may intercept
frames with weak IVs to crack the shared key and eventually decrypt the captured messages.
When a WLAN uses WEP to encrypt each frame, an IV is generated for each frame. The IV and the shared key are used to
generate a key stream, which is combined with the plaintext to produce the ciphertext. When a WEP frame is sent, the IV
used to encrypt the frame is also sent as part of the frame header. If a client generates IVs in an insecure way, for
example by using a fixed IV for all frames, the shared secret key may be exposed to a potential attacker. Once the
shared secret key is compromised, the attacker can access network resources and threaten network security.
WIDS counters this attack by checking the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is treated
as a defect and immediately logged.
Frame Filtering
In a WLAN, WIDS can apply frame filtering rules to filter frames from wireless clients and thus implement access control
of wireless clients.
The WIDS frame filtering function achieves wireless client access control through the following three types of filtering lists:
White List
The white list contains the MAC addresses of wireless clients whose frames may be processed. If the white list is used,
only the wireless clients on the white list can access the WLAN; all frames from other wireless clients are discarded
directly by the AP, reducing the impact of illegal frames on the wireless network.
Static Blacklist
The static blacklist contains the MAC addresses of wireless clients whose frames should be dropped. If the static blacklist
is used, all frames from the wireless clients on the blacklist are discarded directly by the AP.
Dynamic Blacklist
The dynamic blacklist contains the MAC addresses of wireless clients whose frames will be dropped. A client is added to
the list dynamically only when WIDS detects a flooding attack from that client. When the WLAN detects a flooding attack
from a terminal device, it dynamically adds the MAC address of that device to the blacklist and discards every frame
received from it, thereby protecting the WLAN.
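The flooding, spoof and frame-filtering behaviours described in the Flooding Attack Detection, Spoof Attack Detection and Frame Filtering sections above fit together as one pipeline: filter lists first, then detectors, with a flood verdict feeding the dynamic blacklist. The added example below (written for this page in Python; it is not RGOS code and the threshold, window and frame records are this example's own assumptions, since the guide's authentication-parameter table does not give the units of its threshold) runs that pipeline over constructed management-frame records: a legitimate client, a source sending probe requests faster than the threshold, and a source sending a broadcast de-authentication. The legitimate client MAC is the one shown in the guide's stainfo output; the other addresses are locally administered or documentation-range values chosen for the example.

```python
"""Model of the guide's WIDS frame filtering, flooding and spoof detection.

Added example for the configuration guide; not RGOS code. Frames are plain
dicts: {"t": seconds, "src": MAC, "dst": MAC, "type": management subtype}.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# The guide lists three groups of frames for flooding detection; the group
# labels here are this example's own names for those three lines.
FLOOD_GROUP = {
    "auth": "auth", "deauth": "auth",
    "assoc-req": "assoc", "disassoc": "assoc", "reassoc-req": "assoc",
    "probe-req": "probe",
}


class Wids:
    def __init__(self, threshold, window, whitelist=(), static_blacklist=(),
                 dynamic_blacklist_enabled=True):
        self.threshold = threshold          # frames allowed per window (assumed units)
        self.window = window                # sliding window length in seconds
        self.whitelist = set(whitelist)
        self.static_blacklist = set(static_blacklist)
        self.dynamic_blacklist = set()
        self.dynamic_enabled = dynamic_blacklist_enabled
        self.history = defaultdict(deque)   # (src, group) -> timestamps in window
        self.log = []                       # (kind, src, detail) events

    def filter(self, frame):
        """Frame filtering: white list first, then static and dynamic blacklists."""
        src = frame["src"]
        if self.whitelist and src not in self.whitelist:
            return "drop"
        if src in self.static_blacklist or src in self.dynamic_blacklist:
            return "drop"
        return "accept"

    def detect_spoof(self, frame):
        """A broadcast de-authentication or disassociation frame is logged as spoofed."""
        if frame["type"] in ("deauth", "disassoc") and frame["dst"] == BROADCAST:
            self.log.append(("SPOOF", frame["src"], frame["type"]))
            return True
        return False

    def detect_flood(self, frame):
        """Count frames per (source, group) in a sliding window; over threshold is a flood."""
        group = FLOOD_GROUP.get(frame["type"])
        if group is None:
            return False
        stamps = self.history[(frame["src"], group)]
        stamps.append(frame["t"])
        while stamps and stamps[0] <= frame["t"] - self.window:
            stamps.popleft()
        if len(stamps) > self.threshold:
            self.log.append(("FLOOD", frame["src"], group))
            if self.dynamic_enabled:            # dynamic blacklist, as in the guide
                self.dynamic_blacklist.add(frame["src"])
            return True
        return False

    def process(self, frame):
        """Return 'accept' or 'drop' for one frame."""
        if self.filter(frame) == "drop":
            return "drop"
        self.detect_spoof(frame)            # logged; the frame is not blocked
        if self.detect_flood(frame):
            return "drop"                   # flooding source is blocked
        return "accept"


def run_sample():
    """Constructed traffic: a legitimate client, a probe-request flooder, a spoofer."""
    wids = Wids(threshold=20, window=1.0)
    legit, flooder, spoofer = "00:23:cd:ad:d3:da", "02:00:00:00:00:01", "02:00:00:00:00:02"
    ap = "00:00:5e:00:53:01"                # documentation-range BSSID
    frames = [
        {"t": 0.0, "src": legit, "dst": ap, "type": "auth"},
        {"t": 0.1, "src": legit, "dst": ap, "type": "assoc-req"},
    ]
    frames += [{"t": 1.0 + i * 0.01, "src": flooder, "dst": BROADCAST, "type": "probe-req"}
               for i in range(25)]         # 25 probes in 0.24 s: exceeds 20 per second
    frames.append({"t": 3.0, "src": spoofer, "dst": BROADCAST, "type": "deauth"})
    frames.append({"t": 5.0, "src": flooder, "dst": ap, "type": "auth"})  # already blacklisted
    results = [wids.process(f) for f in frames]
    return {
        "accepted": results.count("accept"),
        "dropped": results.count("drop"),
        "flood_events": sum(1 for kind, *_ in wids.log if kind == "FLOOD"),
        "spoof_events": sum(1 for kind, *_ in wids.log if kind == "SPOOF"),
        "dynamic_blacklist": sorted(wids.dynamic_blacklist),
    }


if __name__ == "__main__":
    print(run_sample())
```

Two points the model makes visible: the flooder is logged once, because every frame after the verdict is dropped by the dynamic blacklist before the detector runs, and the spoofed broadcast de-authentication is only logged, matching the guide, so a log review is what turns that event into action.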
User Isolation
Because wireless clients are mobile and unpredictable, the privacy of user information is especially important under
certain circumstances (especially in public places), and direct access between clients should be restricted. User isolation
controls insecure access between wireless terminals in the wireless network (such as access between wireless clients via
the network neighborhood), preventing others from intercepting personal information.
Without affecting clients' normal network access, user isolation prevents clients from accessing each other and ensures
the security of user services. The user isolation function is divided into:
AP User Isolation
AP user isolation refers to the case where users associated with the same AP cannot communicate directly with each
other. As shown below, Clients 1-4 access the network via the same AP. The wireless terminals can communicate with each
other while accessing the Internet. After AP user isolation is enabled, Client 1 to Client 4, which are associated with the
same AP, can no longer ping or otherwise communicate with each other, but they can still access the Internet.
Figure 1-3 Networking diagram of AP user isolation
AC User Isolation
AC user isolation refers to the case where users associated with the same AC (but not the same AP) cannot
communicate directly with each other.
As shown below, AP1 and AP2 are connected to the same AC via a switch. Client 1 and Client 2 connect to the network
via AP1, while Client 3 and Client 4 connect via AP2. The wireless terminals can communicate with each other while
accessing the Internet. After AC user isolation is enabled, clients associated with the same AC but with different APs
can no longer communicate with each other: Client 1 cannot ping Client 3 or Client 4, and Client 2 cannot ping Client 3
or Client 4. However, Client 1 can still ping Client 2, and Client 3 can still ping Client 4. Client 1 to Client 4 keep their
access to the Internet.
Figure 1-4 Networking diagram of AC user isolation
Default Configurations
Feature Default
Rogue device detection
Rogue device detection disabled
SSID list enabled; blank list
Vendor list enabled; blank list
Static attack list enabled; blank list
Attack detection
Flooding attack detection disabled
Spoof attack detection disabled
Dynamic blacklist function disabled
User isolation
AP user isolation disabled
AC user isolation disabled
Configuring WIDS
Configuring AP Operation Mode
Because Rogue devices exist, the network administrator may want some APs in the WLAN to operate in monitor mode
in order to capture the wireless packets transmitted over the air in real time, identify the surrounding devices by analyzing
the message format (including device type, SSID, BSSID and channel (CHAN)), and record this information in the list of
detected devices. An AP can operate in any of three modes: Normal, Monitor and Hybrid.
Normal AP: Access AP. The AP forwards the data of WLAN users without monitoring it.
Monitor AP: A network device that scans or monitors the wireless medium and attempts to detect attacker devices on the
wireless network. In this mode, the AP acts only as a monitor AP, not as an access AP.
Hybrid AP: Acts as both access AP and monitor AP. In this mode, the AP both scans devices in the WLAN and provides
WLAN data services.
AP operation mode can be configured on AC according to the following steps:
Command Function
Ruijie(config)# ap-config ap-name Enters the configuration mode of specified AP.
Ruijie(ap-config)# device mode {monitor | normal |
hybrid}
Ruijie(ap-config)#show Displays configurations
AP operation mode can be configured on Fat AP according to the following steps:
Command Function
Ruijie(config)# wids Enters WIDS configuration mode.
Ruijie(config-wids)# device mode {monitor | normal |
hybrid}
Ruijie(ap-config)#show Displays configurations
Configuring Rogue Device Detection
Configuring Detection Rules
A detection rule is the policy established for identifying Rogue devices. WIDS checks frames against the configured rules
in order to identify legal (Friendly) devices, unclassified devices and eventually illegal (Rogue) devices.
Rule for detecting Rogue devices:
Figure 2-1 Flow of Rogue device detection
The network administrator can preconfigure the policy for identifying legal devices, such as a permitted MAC address list,
a permitted SSID list and a permitted vendor list. Devices failing to meet the policy requirements are considered
unclassified devices or Rogue devices. As shown above, when a detected device meets the policy, it is considered a legal
(Friendly) device; otherwise it is considered an unclassified