Cara masuk wifi wpa/wpa2 enterprise di android

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

WEP shared key authentication uses the RC4 symmetric stream cipher to encrypt data. This authentication method requires the same static key pre-configured on the server and client. Both the encryption mechanism and encryption algorithm can bring security risks to the network.

The Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) to overcome the shortcomings of WEP before more secure policies were provided in 802.11i. WPA still uses the RC4 algorithm, but it uses an 802.1X authentication framework and supports Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-Transport Layer Security (EAP-TLS) authentication, and defines the Temporal Key Integrity Protocol (TKIP) encryption algorithm.

Later, 802.11i defined WPA2. WPA2 uses Counter Mode with CBC-MAC Protocol (CCMP), a more secure encryption algorithm than those used in WPA.

Both WPA and WPA2 support 802.1X authentication and the TKIP/CCMP encryption algorithms, ensuring better compatibility. The two protocols provide almost the same security level and their difference lies in the protocol packet format.

The WPA/WPA2 security policy involves four steps:

Link authentication
Access authentication
Key negotiation
Data encryption

Link authentication can be completed in open system authentication or shared key authentication mode. WPA and WPA2 support only open system authentication. For details, see "Link Authentication" in STA Access.

WPA and WPA2 have an enterprise edition and a personal edition.

The WPA/WPA2 enterprise edition (WPA/WPA2-802.1X authentication) uses a RADIUS server and the EAP protocol for authentication. Users provide authentication information, including the user name and password, and are authenticated by an authentication server (generally a RADIUS server).

Large-scale enterprise networks usually use the WPA/WPA2 enterprise edition.

For details about 802.1X authentication, see Principles of 802.1X Authentication in the Configuration Guide - User Access and Authentication Configuration Guide.

WPA/WPA2 implements 802.1X authentication using EAP-TLS and EAP-PEAP. Figure 11-1 and Figure 11-2 show the EAP-TLS 802.1X authentication and EAP-PEAP 802.1X authentication processes.

Figure 11-1 EAP-TLS 802.1X authentication

Figure 11-2 EAP-PEAP 802.1X authentication
WPA/WPA2 personal edition:

A dedicated authentication server is expensive and difficult to maintain for small- and medium-scale enterprises and individual users. The WPA/WPA2 personal edition provides a simplified authentication mode: pre-shared key authentication (WPA/WPA2-PSK). This mode does not require a dedicated authentication server. Users only need to set a pre-shared key (PSK) on each WLAN node (including WLAN server, wireless router, and wireless network adapter).

A WLAN client can access the WLAN if its pre-shared key is the same as that configured on the WLAN server. The PSK is not used for encryption; therefore, it does not pose security risks like the 802.11 shared key authentication.

802.1X authentication can be used to authenticate wireless and wired users, whereas PSK authentication is specific to wireless users.

PSK authentication requires that a STA and an AC be configured with the same PSK. The STA and AC authenticate each other through key negotiation. During key negotiation, the STA and AC use their PSKs to decrypt the message sent from each other. If the messages are successfully decrypted, the STA and AC have the same PSK. If they use the same PSK, PSK authentication is successful; otherwise, PSK authentication fails.

802.11i defines two key hierarchies: pairwise key hierarchy and group key hierarchy. The pairwise key hierarchy protects unicast data exchanged between STAs and APs. The group key hierarchy protects broadcast or multicast data exchanged between STAs and APs.

During key negotiation, a STA and an AC use the pairwise master key (PMK) to generate a pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to encrypt unicast packets, and the GTK is used to encrypt multicast and broadcast packets.

In 802.1X authentication, a PMK is generated in the process shown in Figure 11-1.
In PSK authentication, the method to generate a PMK varies according to the form of the PSK, which is configured using a command:
- If the PSK is a hexadecimal numeral string, it is used as the PMK.
- If the PSK is a character string, the PMK is calculated using a hash algorithm based on the PSK and service set identifier (SSID).

Key negotiation consists of unicast key negotiation and multicast key negotiation.

Unicast key negotiation

Key negotiation is completed through a four-way handshake between a STA and an AC, during which the STA and AC send EAPOL-Key frames to exchange information, as shown in Figure 11-3.
Figure 11-3 Unicast key negotiation

The unicast key negotiation process consists of the following steps:
1. The AC sends an EAPOL-Key frame with a random value (ANonce) to the STA.
2. The STA calculates the PTK using its own MAC addresses and the MAC address of the AC, the PMK, ANonce, and SNonce, and sends an EAPOL-Key frame to the AC. The EAPOL-Key frame carries the SNonce, robust security network (RSN) information element, and message integrity code (MIC) of the EAPOL-Key frame. The AC calculates the PTK using the MAC addresses of its own and the STA, PMK, ANonce, and SNonce, and validates the MIC to determine whether STA's PMK is the same as its own PMK.
3. The AC sends an EAPOL-Key frame to the STA to request the STA to install the PTK. The EAPOL-Key frame carries the ANonce, RSN information element, MIC, and encrypted GTK.
4. The STA sends an EAPOL-Key frame to the AC to notify the AC that the PTK has been installed and will be used. The AC installs the PTK after receiving the EAPOL-Key frame.
Multicast key negotiation

Multicast key negotiation is completed through a two-way handshake. The two-way handshake begins after the STA and AC generate and install a PTK through a four-way handshake. Figure 11-4 shows the two-way handshake process.
Figure 11-4 Multicast key negotiation

The multicast key negotiation process consists of the following steps:
1. The AC calculates the GTK, uses the unicast key to encrypt the GTK, and sends an EAPOL-Key frame to the STA.
2. After the STA receives the EAPOL-Key frame, it validates the MIC, decrypts the GTK, installs the GTK, and sends an EAPOL-Key ACK frame to the AC. After the AC receives the EAPOL-Key ACK frame, it validates the MIC and installs the GTK.

WPA and WPA2 support the TKIP and CCMP encryption algorithms.

TKIP

Unlike WEP, which uses a static shared key, TKIP uses a dynamic key negotiation and management mechanism. Each user obtains an independent key through dynamic negotiation. User keys are calculated using the PTK generated in key negotiation, the MAC address of the sender, and the packet sequence number.

TKIP uses MICs to ensure the integrity of frames received on the receiver and validity of data sent by the sender and receiver. This mechanism protects information integrity. A MIC is calculated using the MIC key generated during key negotiation, the destination MAC address, source MAC address, and data frame.
CCMP

While WEP and TKIP use a stream cipher algorithm, CCMP uses an Advanced Encryption Standard (AES) block cipher. The block cipher algorithm overcomes defects of the RC4 algorithm and provides a higher level of security.

This Document Applies to these Products

Page 2

Wired Equivalent Privacy (WEP), defined in IEEE 802.11, is used to protect the data of authorized users from tampering during transmission on a WLAN. WEP uses the RC4 algorithm to encrypt data using a 64-bit, 128-bit, or 152-bit encryption key. An encryption key contains a 24-bit initialization vector (IV) generated by the system, so the length of key configured on the WLAN server and client is 40-bit, 104-bit, or 128-bit. WEP uses a static encryption key. That is, all STAs associating with the same SSID use the same key to connect to the wireless network.

A WEP security policy defines a link authentication mechanism and a data encryption mechanism.

Link authentication mechanisms include open system authentication and shared key authentication. For details about link authentication, see "Link Authentication" in STA Access.

If open system authentication is used, data is not encrypted during link authentication. After a user goes online, service data can be encrypted by WEP or not, depending on the configuration.
If shared key authentication is used, the WLAN client and server complete key negotiation during link authentication. After a user goes online, service data is encrypted using the negotiated key.

This Document Applies to these Products

Page 3

A WDS profile contains major parameters required for configuring the WDS function. To enable radios of an AP group or a specified AP to set up Mesh links, a WDS profile must be applied to the radios.

When configuring WDS services, use the WDS profile with the following profiles:

Security profile: After a security profile is bound to a WDS profile, parameters in the security profile will be used for WDS link setup to ensure security of WDS links, The WPA2+PSK+AES security policy is recommended for a WDS security profile.
WDS whitelist profile: A WDS whitelist profile contains MAC addresses of neighboring APs allowed to set up WDS links with an AP. After a WDS whitelist profile is applied to an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other APs are denied. In the WDS, only APs with radios working in root mode and middle mode can have a whitelist configured. APs in leaf mode require no whitelist.
- A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the local AP only after passing security authentication.
- If no WDS whitelist profile is used, all neighboring APs can access the local AP.
AP group radio or AP radio: You can configure major feature parameters for radios in an AP group or a specified AP radio, including the working channel and bandwidth, antenna gain, transmit power, and radio coverage distance. For example, when configuring the WDS function, configure the same channel for radios of WDS APs.
Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can configure other radio parameters for WDS links through a radio profile.

By default, the system provides the WDS profile default. By default, the security profile default-wds with the security policy WPA2+PSK+AES is referenced by a WDS profile regardless of whether the WDS profile is the default profile provided by the system or a WDS profile created by users. If the default security profile default-wds is used, you are advised to change the security key of the profile to ensure security. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

For details, see Configuring a WDS Profile.

This Document Applies to these Products

Page 4

WIDS profiles provide mechanisms to protect WLAN networks. WIDS profiles are bound to AP groups or APs so that they can take effect.

A WIDS profile supports the following functions:

WIDS device detection and countering
- APs detect Wi-Fi devices within their coverage range and determine whether they are authorized.
- You can configure a WIDS spoof SSID profile and a WIDS whitelist profile to identify spoofing SSIDs and add the trusted devices to the whitelist. After configuring these profiles, you bind them to the WIDS profile.
- Countermeasures are taken on the detected rogue device so that rogue STAs cannot access the network or authorized STAs will not access rogue APs.
WIDS attack detection and dynamic blacklist
- APs detect Wi-Fi devices on a network that launch attacks, including flood attacks, weak IV attacks, spoofing attacks, and Brute force PSK cracking attacks.
- After the dynamic blacklist function is enabled, attacking devices are added to the dynamic blacklist and packets from these devices are discarded.

This Document Applies to these Products

Page 5

An AP communicates with an IoT card through a serial port. Each IoT card interface uses independent serial communication parameters and framing parameters. The serial communication parameters and framing parameters can be set in a serial profile.

This Document Applies to these Products

Page 6

You can add APs in any of the following modes:

Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are configured on an AC before APs go online. The AC starts to set up connections with the APs if the MAC addresses or SNs of the APs match the configured ones.
Configuring the AC to automatically discover an AP: The AP authentication mode is set to no authentication; alternatively, the AP authentication mode is set to MAC or SN authentication and the AP whitelist is configured on the AC. When an AP in the whitelist connects to the AC, the AC discovers the AP, and the AP goes online.
Manually confirming APs added to the list of unauthorized APs: The AP authentication mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC. When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of unauthorized APs. After the AP identity is confirmed, the AP can go online.

Depending on its location on a WDS network, an AP can work in root, middle, or leaf mode. As shown in Figure 13-10, AP1 is a root node, AP2 is a middle node, and AP3 is a leaf node. You can configure an AP's working mode based on actual situations.

Figure 13-10 WDS networking

Add an AP offline.
Configure the AC to automatically discover an AP.

If no AP name or AP group is configured for an automatically discovered AP on the AC, the configuration file of the AP name or AP group will not be generated in the AP view.

If an AP is deleted from the AC, the configuration in the AP view will be automatically deleted.
- Set the AP authentication mode to no authentication.
  1. Run the system-view command to enter the system view.
  2. Run the wlan command to enter the WLAN view.
  3. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the AP to an AP blacklist.
    
    By default, no AP is in an AP blacklist.
  4. Run the ap auth-mode no-auth command to set the AP authentication mode to no authentication.
    
    The default AP authentication mode is MAC address authentication.
    
    The non-authentication mode brings security risks. You are advised to set the authentication mode to MAC address authentication or SN authentication, which is more secure.
- Set the AP authentication mode to MAC address or SN authentication.
  1. Run the system-view command to enter the system view.
  2. Run the wlan command to enter the WLAN view.
  3. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the AP to an AP blacklist.
    
    By default, no AP is in an AP blacklist.
  4. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP authentication mode to MAC address authentication or SN authentication.
    
    The default AP authentication mode is MAC address authentication.
  5. Configure the AP whitelist.
    - Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the AP with the specified MAC address to the whitelist if the AP authentication mode is set to MAC address authentication.
      
      By default, no MAC address is added to the AP whitelist.
    - Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add the AP with the specified SN to the whitelist if the AP authentication mode is set to SN authentication.
      
      By default, no SN is added to the AP whitelist.
Manually confirm the AP added to the list of unauthorized APs.

This Document Applies to these Products

Page 7

You can add APs in any of the following modes:

Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are configured on an AC before APs go online. The AC starts to set up connections with the APs if the MAC addresses or SNs of the APs match the configured ones.
Configuring the AC to automatically discover an AP: The AP authentication mode is set to no authentication; alternatively, the AP authentication mode is set to MAC or SN authentication and the AP whitelist is configured on the AC. When an AP in the whitelist connects to the AC, the AC discovers the AP, and the AP goes online.
Manually confirming APs added to the list of unauthorized APs: The AP authentication mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC. When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of unauthorized APs. After the AP identity is confirmed, the AP can go online.

On a Mesh network, you can deploy an AP as an MPP or MP based on the location of the AP, as shown in Figure 14-7. Select a proper method to add APs on an AC according to actual situations.

Figure 14-7 Mesh networking diagram

Mesh point portal (MPP): an MP that connects to a WMN or another type of network. An MPP connects Mesh nodes to external networks. Each WMN has at least one MPP.

You are not advised to configure access VAPs on an MPP to ensure a high throughput.
Mesh point (MP): a node that provides both mesh service and user access service. All nodes except MPPs on a WMN are MPs.

Add an AP offline.
Configure the AC to automatically discover an AP.

If no AP name or AP group is configured for an automatically discovered AP on the AC, the configuration file of the AP name or AP group will not be generated in the AP view.

If an AP is deleted from the AC, the configuration in the AP view will be automatically deleted.
- Set the AP authentication mode to no authentication.
  1. Run the system-view command to enter the system view.
  2. Run the wlan command to enter the WLAN view.
  3. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the AP to an AP blacklist.
    
    By default, no AP is in an AP blacklist.
  4. Run the ap auth-mode no-auth command to set the AP authentication mode to no authentication.
    
    The default AP authentication mode is MAC address authentication.
    
    The non-authentication mode brings security risks. You are advised to set the authentication mode to MAC address authentication or SN authentication, which is more secure.
- Set the AP authentication mode to MAC address or SN authentication.
  1. Run the system-view command to enter the system view.
  2. Run the wlan command to enter the WLAN view.
  3. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the AP to an AP blacklist.
    
    By default, no AP is in an AP blacklist.
  4. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP authentication mode to MAC address authentication or SN authentication.
    
    The default AP authentication mode is MAC address authentication.
  5. Configure the AP whitelist.
    - Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the AP with the specified MAC address to the whitelist if the AP authentication mode is set to MAC address authentication.
      
      By default, no MAC address is added to the AP whitelist.
    - Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add the AP with the specified SN to the whitelist if the AP authentication mode is set to SN authentication.
      
      By default, no SN is added to the AP whitelist.
Manually confirm the AP added to the list of unauthorized APs.

This Document Applies to these Products

Page 8

You can add APs in any of the following modes:

Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are configured on an AC before APs go online. The AC starts to set up connections with the APs if the MAC addresses or SNs of the APs match the configured ones.
Configuring the AC to automatically discover an AP: The AP authentication mode is set to no authentication; alternatively, the AP authentication mode is set to MAC or SN authentication and the AP whitelist is configured on the AC. When an AP in the whitelist connects to the AC, the AC discovers the AP, and the AP goes online.
Manually confirming APs added to the list of unauthorized APs: The AP authentication mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC. When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of unauthorized APs. After the AP identity is confirmed, the AP can go online.

When you add an AP in any of the preceding modes, the AP cannot connect to the AC if the MAC address of the AP is in the AP blacklist.

After you add an AP to an AC offline and configure AP parameters, for example, AP group which the AP joins by default, the AP can go online and use the configured data to work. When the AC is configured to automatically discover APs, an AP uses the default parameters to work after going online.

Adding an AP offline is recommended when the MAC address or SN of the AP is already learned.

The AP blacklist and whitelist can be configured at the same time. However, the MAC address of an AP cannot be added to the AP blacklist and whitelist at the same time.

If AP whitelist and blacklist are all configured, check whether an AP is on the blacklist first.

The number of APs managed by an AC is restricted by the following factors:

License resource items: The total number of common APs and central APs does not exceed the maximum number of local license resource items on the AC. RUs do not occupy license resources.
Maximum number of APs managed by an AC: The total number of central APs, common APs, and RUs does not exceed the maximum number of APs that the AC can manage.

Add an AP offline.
Configure the AC to automatically discover an AP.

If no AP name or AP group is configured for an automatically discovered AP on the AC, the configuration file of the AP name or AP group will not be generated in the AP view.

If an AP is deleted from the AC, the configuration in the AP view will be automatically deleted.
- Set the AP authentication mode to no authentication.
  1. Run the system-view command to enter the system view.
  2. Run the wlan command to enter the WLAN view.
  3. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the AP to an AP blacklist.
    
    By default, no AP is in an AP blacklist.
  4. Run the ap auth-mode no-auth command to set the AP authentication mode to no authentication.
    
    The default AP authentication mode is MAC address authentication.
    
    The non-authentication mode brings security risks. You are advised to set the authentication mode to MAC address authentication or SN authentication, which is more secure.
- Set the AP authentication mode to MAC address or SN authentication.
  1. Run the system-view command to enter the system view.
  2. Run the wlan command to enter the WLAN view.
  3. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the AP to an AP blacklist.
    
    By default, no AP is in an AP blacklist.
  4. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP authentication mode to MAC address authentication or SN authentication.
    
    The default AP authentication mode is MAC address authentication.
  5. Configure the AP whitelist.
    - Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the AP with the specified MAC address to the whitelist if the AP authentication mode is set to MAC address authentication.
      
      By default, no MAC address is added to the AP whitelist.
    - Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add the AP with the specified SN to the whitelist if the AP authentication mode is set to SN authentication.
      
      By default, no SN is added to the AP whitelist.
Manually confirm the AP added to the list of unauthorized APs.

Run the display ap global configuration command to check the AP authentication mode.
Run the display ap blacklist command to check the AP blacklist.
Run the display ap whitelist { mac | sn } command to check the AP whitelist.

This Document Applies to these Products

Page 9

This Document Applies to these Products

Page 10

This Document Applies to these Products

Page 11

This Document Applies to these Products

Page 12

Figure 13-1 WDS networking

Service VAP: On a traditional WLAN, an AP is a physical entity that provides WLAN services to STAs. A service virtual access point (VAP) is a logical entity that provides access service for users. Multiple VAPs can be created on an AP to provide access service for multiple user groups. In Figure 13-1, VAP0 created on AP3 is a service VAP.
WDS VAP: On a WDS network, an AP is a functional entity that provides WDS service for neighboring devices. WDS VAPs include AP and STA VAPs. The ID of STA VAPs is fixed as 13, and that of AP VAPs is fixed at 12. AP VAPs provide connections for STA VAPs. In Figure 13-1, VAP13 created on AP3 is a STA VAP, and VAP12 created on AP2 is an AP VAP.
Wireless virtual link (WVL): a connection set up between a STA VAP and an AP VAP on neighboring APs, as shown in Figure 13-1.
AP working mode: Depending on its location on a WDS network, an AP can work in root, middle, or leaf mode, as shown in Figure 13-1.
- Root: The AP directly connects to an AC through a wired link and uses an AP VAP to set up wireless virtual links with a STA VAP.
- Middle: The AP uses a STA VAP to connect to an AP VAP on an upstream AP and uses an AP VAP to connect to a STA VAP on a downstream AP.
- Leaf: The AP uses a STA VAP to connect to an AP VAP on an upstream AP.
Working mode of an AP's wired interface: On a WDS network, depending on the location of the AP, a wired interface works in root or endpoint mode.
- Root: The wired interface connects to an upstream wired network.
- Endpoint: The wired interface connects to a downstream user host or LAN.
On a WDS network, one wired interface must work in root mode to connect to the wired network.

AP online process

After WDS is enabled on an AP, the AP automatically creates WDS VAPs (AP VAP and STA VAP). The AP uses the WDS VAPs to set up WVLs with other APs. The AP connects to the AC through the WVL and obtains configurations from the AC.
Service intercommunication

On a WDS network, service data is transmitted over the WVLs. After an AP goes online, it needs to set up service links through WVLs. Figure 13-2 shows how a service link is set up between AP2 and AP3 on the WDS network shown in Figure 13-1.

Figure 13-2 Setting up a service link
1. Probe request
  
  AP3 broadcasts a Probe Request frame carrying a WDS-Name field (similar to SSID in WLAN service).
2. Probe response
  
  AP2 receives the Probe Request frame and sends AP3 a Probe Response frame.
3. Authentication request
  
  After AP3 receives the Probe Response frame, it sends AP2 an Authentication Request frame.
4. Authentication response
  
  After AP2 receives the Authentication Request frame, it determines whether to allow access from AP3, depending on the WDS whitelist configuration:
  - If the WDS whitelist is not enabled, AP2 allows access from AP3 and sends an Authentication Response frame to notify AP3 that the authentication has succeeded.
  - If the WDS whitelist is enabled, AP2 checks whether the MAC address of AP3 is included in the WDS whitelist.
    - If the MAC address of AP3 is included in the WDS whitelist, AP2 allows access from AP3 and sends an Authentication Response frame to notify AP3 that the authentication has succeeded.
    - If the MAC address of AP3 is not included in the WDS whitelist, AP2 sends an Authentication Response frame with an error code, indicating that the authentication has failed. The process ends and the service wireless virtual link (WVL) cannot be set up.
5. Association request
  
  After AP3 receives the Authentication Response frame indicating successful authentication, it sends an Association Request frame to AP2.
6. Association response
  
  After AP2 receives the Association Request frame, it sends an Association Response frame to request AP3 to start the access authentication.
7. Access authentication
  
  On a WDS network, the access authentication method for a STA VAP must be WPA2-PSK. Therefore, AP3 and AP2 use a pre-configured shared key for negotiation. If they decrypt messages sent from each other using the shared key, they have the same shared key and the access authentication is successful.
8. Key negotiation
  
  AP3 and AP2 negotiate an encryption key to encrypt service packets.

After a service link is set up, APs periodically send link status messages to each other. If one AP does not receive any from the other AP, it disconnects the service link and starts to set up a new one.
If the AC delivers new WDS parameter settings to APs, the APs use them to set up service links.

A WDS network can be deployed in point-to-point or point-to-multipoint mode.

Point-to-point deployment

As shown in Figure 13-3, AP1 sets up wireless virtual links with AP2 to provide wireless access service for users.

Figure 13-3 Point-to-point WDS deployment
Point-to-multipoint deployment

As shown in Figure 13-4, AP1, AP2, and AP3 set up wireless virtual links with AP4. Data from all STAs associating with AP1, AP2, and AP3 is forwarded by AP4.

Figure 13-4 Point-to-multipoint WDS deployment

This Document Applies to these Products

Page 13

Figure 19-1 shows the architecture of a network where an IoT AP works.

Figure 19-1 Architecture of a network where an IoT AP works

Components in the figure and related concepts are described as follows:

IoT STA: a terminal used to collect information, for example, RFID tags on persons or objects.
IoT card: a module integrating IoT functions. It is used to obtain data from air interfaces and report the data to the AP through serial communication.
AP: a device used to report the data from the IoT card to the host computer and receive instructions from the host computer. An AP is directly connected to a host computer, and delivers the IoT card configuration to the host computer but not to an AC.
AC: a device used to manage APs and deliver configurations to them.
Host computer: an upper-layer server to APs. It is used to receive data from IoT cards and deliver configurations to the IoT cards. In practice, data receiving and configuration delivery may be implemented by the same or different host computers.
Trusted host computer: a client host whose IP address is within the trusted IP address range of the AP functioning as the server to receive data.
- If a trusted host computer is configured, the AP checks whether a client IP address is in the list of trusted host computers. Only clients in the list can connect to the AP and send the IoT card configuration to the AP.
- If no trusted host computer is configured, any hosts with reachable routes to the AP can connect to the AP and deliver configurations to the AP.
A host computer can be configured as the trusted host computer, so that the same device receives data and delivers configurations.
Shared key: a parameter for encrypting packets exchanged between the AP and the host computer to improve data communication security.

An AP functions as a server or client to communicate with the host computer in bi-directional mode. When the AP reports data to the host computer, the AP functions as a client and the host computer functions as a server. When the AP receives data from the host computer, the AP functions as a server and the host computer functions as a client.

Figure 19-2 shows the communication mechanism.

Figure 19-2 Communication mechanism

The IoT STA obtains and sends data related to a target object.
The IoT card reports the collected data to the AP through serial communication.
Based on framing parameters, the AP sends the collected packets to the host computer in UDP/TCP mode.
The host computer parses the data content from the UDP/TCP packets and executes services accordingly.
The host computer delivers instructions to the IoT card using UDP/TCP packets.
The AP extracts the data content from the UDP/TCP packets, distinguishes the slot based on the destination port number, and sends the instructions to the IoT card through serial communication.
The IoT card executes the instructions delivered by the host computer.

This Document Applies to these Products

Page 14

To disconnect an AP from the current AC or enable an AP to go online on another AC, you can delete the AP from the current AC.

Deleting an AP will interrupt services of STAs connected to the AP. Exercise caution when you delete an AP.

Run:
system-view
The system view is displayed.
Run:
wlan
The WLAN view is displayed.
Run:
undo ap { ap-name ap-name | ap-id ap-id | ap-mac ap-mac | ap-group group-name | all }
An AP is deleted.

This Document Applies to these Products

Page 15

If an AP cannot work properly after being upgraded, reset the AP. You can run the display ap all command to check the AP State field to determine whether an AP is working properly. If the State field displays name-conflicted, ver-mismatch, config, config-failed, committing, or commit-failed, an AP fails to work properly.

Exercise caution when resetting an AP because services on the AP will be interrupted.

Run:
system-view
The system view is displayed.
Run:
wlan
The WLAN view is displayed.
Run:
ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type { type type-name | type-id type-id } }
APs are reset.

This Document Applies to these Products

Page 16

On an AC + Fit AP network, one AC manages many APs. Usually, you need to perform the same configurations on the APs. In this situation, you can add the APs to an AP group and perform configurations uniformly in the AP group, which simplifies operations. All APs in the group use the same configurations.

Each AP must and can only join one AP group. An AP group contains configurations shared by all APs. You can configure configurations specific to a single AP in the AP view.

By default, an AP automatically joins the AP group default. The AP group default cannot be deleted, but you can modify configurations in the default AP group.

By default, an AP group has the following profiles bound: AP system profile default, 2G radio profile default, 5G radio profile default, regulatory domain profile default, WIDS profile default, and AP wired port profile default.

Before creating an AP group, perform the task of CLI Login Configuration.

Run:

system-view
The system view is displayed.
Run:
wlan
The WLAN view is displayed.
Run:
ap-group name group-name
An AP group is created, and the AP group view is displayed.

By default, the system provides the AP group default.

Run the display ap-group { all | name group-name } command to verify AP group configurations.

After an AP group is created, you need to add APs to the AP group so that the APs can use configurations in the group. For details, see Adding APs.

This Document Applies to these Products

Page 17

In a WIDS profile, you can configure various WIDS and WIPS services. You can create multiple WIDS profiles to carry different WIDS services and apply the profiles to different APs as required.

Run:
system-view
The system view is displayed.
Run:
wlan
The WLAN view is displayed.
Run:
wids-profile name profile-name
A WIDS profile is created and the WIDS profile view is displayed.

By default, the system provides the WIDS profile default.

This Document Applies to these Products

Page 18

An AP wired port profile provides configurations of AP wired ports. AP wired port link profiles can be bound to AP wired port profiles. AP wired port link profiles are used to configure link-layer parameters of AP wired ports.

The following configurations are performed in an AP wired port profile:

Add an AP's wired port to an Eth-Trunk.
Configure STP, working mode, and DHCP trusted port on an AP's wired port.
Configure STA address learning, IP source guard, and dynamic ARP probing on an AP's wired port.
Specify the maximum broadcast, multicast, and unknown unicast traffic allowed by an AP's wired port.
Associate STP with the error-triggered shutdown function on an AP's wired port.
Configure IGMP Snooping for an AP's wired port.

For details, see Managing an AP's Wired Interface.

This Document Applies to these Products

Page 19

After the rogue device containment function is enabled, rogue APs can be detected and contained. However, there may be APs of other vendors or on other networks working in the existing signal coverage areas. If these APs are contained, their services will be affected. To prevent this situation, you can configure the WIDS whitelist profile to add these APs to a WIDS whitelist which includes an authorized MAC address list, OUI list, and SSID list. When a rogue AP is detected but the AP's MAC address is in the authorized MAC address list, the AP is considered an authorized AP. However, if the AP's MAC address is not in the authorized MAC address list, the AP's OUI and SSID must be both in the authorized OUI and SSID lists; otherwise, the AP is a rogue AP.

This Document Applies to these Products

Page 20

On a WLAN, the operating status of APs is affected by the radio environment. For example, adjacent APs using the same working channel interfere with each other, and a large-power AP can interfere with adjacent APs if they work on overlapping channels. Radio calibration can dynamically adjust channels and power of APs managed by the same AC to ensure that the APs work in a way that optimizes performance.

Channel adjustment

On a WLAN, adjacent APs must work on non-overlapping channels to avoid radio interference. For example, the 2.4 GHz frequency band is divided into 14 overlapping 20 MHz channels, as shown in Figure 6-1.

Figure 6-1 Channels on the 2.4 GHz frequency band

The 5 GHz frequency band has richer spectrum resources. In addition to 20 MHz channels, APs working on the 5 GHz frequency band support 40 MHz, 80 MHz, and larger-bandwidth channels, as shown in Figure 6-2.

Figure 6-2 Channels
- Two neighboring 20 MHz channels are bonded into a 40 MHz channel. One of the two 20 MHz channels is the primary channel, and the other the auxiliary channel.
- Two neighboring 40 MHz channels are bonded into an 80 MHz channel. In an 80 MHz channel, one 20 MHz channel is selected as the primary channel. The other 20 MHz channel making up the 40 MHz channel with the primary channel is called the auxiliary 20 MHz channel. The 40 MHz channel not containing the primary channel is called the auxiliary 40 MHz channel.
- Two neighboring 80 MHz channels are bonded into a 160 MHz channel. In a 160 MHz channel, one 20 MHz channel is selected as the primary channel. The other 20 MHz channels making up the 80 MHz channel with the primary channel are called the auxiliary 20 MHz channels. The 40 MHz channels not containing the primary channel are called the auxiliary 40 MHz channels. The 80 MHz channel not containing the primary channel is called the auxiliary 80 MHz channel. At most two 160 MHz channels are supported on the 5 GHz frequency band.
- Two non-neighboring 80 MHz channels are bonded into an 80+80 MHz channel. The division of primary and auxiliary channels is similar to that for a 160 MHz channel. Compared to the 160 MHz channel, the 80+80 MHz channel allows for more than three non-overlapping channels on the 5 GHz frequency band, which can be used for cellular channel planning and meet wireless network deployment requirements.
Figure 6-3 shows the channel bonding.

Figure 6-3 Channel bonding example

The primary channel is used for transmission of the management and control packets. A channel is idle only when its primary channel is idle.

Figure 6-4 shows an example of channel distribution before and after channel adjustment. Before channel adjustment, both AP2 and AP4 use channel 6. After channel adjustment, AP4 uses channel 11 so that it does not interfere with AP2.

After channel adjustment, each AP is allocated an optimal channel to minimize or avoid adjacent-channel or co-channel interference, ensuring reliable data transmission on the network.

Figure 6-4 Channel adjustment

In addition to optimizing radio performance, channel adjustment can also be used for dynamic frequency selection (DFS). In some regions, radar systems work in the 5 GHz frequency band, which can interfere with radio signals of APs working in the 5 GHz frequency band. The DFS function enables APs to automatically switch to other channels when they detect interference on their current working channels.

During the DFS process, radar signals may be incorrectly determined. If radar signals are detected occasionally on a single AP, it may be a mistake. If radar signals are detected for multiple times on an AP or simultaneously on multiple APs, the radar signals may be determined. Then the APs can process the signals accordingly. To minimize misdetections, all Huawei AP models are optimized for DFS misdetections to distinguish radar signals and non-radar signals more accurately.
Power adjustment

An AP's transmit power determines its radio coverage area. APs with higher power have larger coverage areas. A traditional method to control the radio power is to set the transmit power to the maximum value to maximize the radio coverage area. However, a high transmit power may cause interference with other wireless devices. Therefore, an optimal power is required to balance the coverage area and signal quality.

The power adjustment function helps dynamically allocate proper power to APs according to the real-time radio environment. Power adjustment works according to the following:
- When an AP is added to the network, the transmit power of neighboring APs decreases, as shown in Figure 6-5. The area of the circle around an AP represents the AP's coverage area after transmit power adjustment. When AP4 is added to the network, the transmit power of each AP decreases automatically.
Figure 6-5 Transmit power of APs decreases
- When an AP goes offline or fails, power of neighboring APs increases, as shown in Figure 6-6.
Figure 6-6 Transmit power of APs increases

Radio calibration requires the following components for implementation:

AP: actively or passively collects radio environment information and sends the information to the AC. The AC then delivers the calibration results.
AC: maintains the AP neighbor topology based on radio environment information received from the AP, uses calibration algorithms to allocate AP channels and transmit power, sends calibration results to APs.

ACs support global radio calibration and partial radio calibration:

Global radio calibration:
Global radio calibration takes effect on all APs managed by an AC. The AC controls channels and transmit power of all APs in the region to achieve best radio performance. Generally, this calibration mode is used on a newly deployed WLAN or a WLAN with a few services.

The Figure 6-7 shows the global radio calibration process.
Figure 6-7 Implementation of global radio calibration

The global radio calibration process is as follows:
1. After global radio calibration is enabled, the AC sends a notification to each AP, requesting the AP to start neighbor probing.
2. The APs periodically implement neighbor probing and report neighbor information to the AC.
3. After the AC receives probe results from all of the APs, it uses the global radio calibration algorithm to allocate channels and power to the APs.
  
  The global radio calibration algorithm includes the Dynamic Channel Allocation (DCA) algorithm and Transmit Power Control (TPC) algorithm.
4. The AC delivers calibration results to the APs. After the AC implements global radio calibration for the first time, the AC starts the next global radio calibration until it receives neighboring information of all APs. The AC continuously implements global radio calibration in order to obtain the optimal and accurate calibration results.
Neighbor probe

Two neighbor probe modes are available.
- Active probe: The AP actively sends Probe Request frames to notify surrounding APs of its existence. Active probe is used to establish neighbor relationships and obtain the maximum interference signal strength.
  
  The active probe process is as follows:
  1. An AP periodically sends Probe Request frames destined for a specified multicast address on different channels.
  2. After receiving the frames, surrounding APs learn that the AP is a neighbor and collects information about the AP, in which the Received Signal Strength Indicator (RSSI) is the key factor.
- Passive probe: The AP receives neighbor information to detect neighboring APs. The passive probe is used to collect interference information from neighboring APs and rogue APs.
Global calibration algorithm

The global calibration algorithm achieves global optimization through partial optimizations. Global calibration is implemented through AP channel and power adjustment. Instead of being coupled to each other, the algorithms for channel adjustment (DCA) and power adjustment (TPC) are independent of each other.
- DCA algorithm: Global calibration divides all APs into several calibration groups based on the relationships between the APs and allocates channels to each group. In each radio calibration group, simple exhaustion and iteration algorithms are used to list all possible AP-Channel combinations and choose the optimal combination.
- TPC algorithm: The TPC algorithm aims to choose the proper transmit power which can meet coverage requirements, without causing large interference to neighboring APs. The TPC algorithm works in the following ways:
  1. The algorithm estimates the deployment density of APs based on the number of AP neighbors, and determines the initial transmit power, lower and upper interference thresholds.
    
    The level of interference specified by the lower interference threshold is low, and within the allowed range. In this case, two neighboring APs cannot detect interference from each other and can send packets simultaneously.
    
    The level of interference specified by the upper interference threshold is large. In this case, two neighboring APs can easily detect the interference and must compete to send packets through CSMA.
  2. The algorithm re-detects RSSIs of neighbors. If the interference caused by the neighbor is smaller than the lower interference threshold, the algorithm determines whether to raise transmit power according to their difference. If the interference caused by the neighbor is greater than the upper interference threshold, the algorithm determines whether to reduce transmit power according to their difference.
Partial radio calibration
Partial radio calibration aims to adjust working channels and power of some APs to optimize the radio environment if it deteriorates in only some areas. Similar to the global radio calibration, the partial radio calibration uses DCA and TPC algorithms. Partial radio calibration is triggered in the following scenarios:
- An AP goes online: When detecting that an AP goes online, the AC allocates a working channel and power to the new AP. To achieve the optimal performance, the AC may re-allocate the working channels and transmit power of neighboring APs. For example, to prevent interference between the new AP and its neighbors, the AC will reduce the transmit power of the AP neighbors.
- An AP goes offline: When detecting that an AP goes offline, the AC executes the calibration algorithm to increase the transmit power of neighboring APs to eliminate coverage holes. An AP may be restarted unexpectedly or manually restarted for temporary maintenance. In this situation, the AC does not start the calibration algorithm immediately. Instead, the AC starts radio calibration only after the neighbor information is updated.
- Interference from a rogue AP is detected: If a rogue AP is identified through neighbor probes, interference information is collected and used for radio calibration. If the interference value exceeds the threshold (-65 dBm by default), the interference is considered serious, and partial radio calibration is triggered. The device adjusts working channels of neighboring APs to avoid interference from the rogue AP.
- The radio environment deteriorates: Radio environment deteriorates due to an increase in lost packets and error codes caused by interference or weak signals. In scenario, partial radio calibration may be triggered if it can improve the radio environment.
- Interference from non-Wi-Fi devices is detected: Non-Wi-Fi devices, including microwave ovens and cordless phones, work on the same frequency as the APs, and may cause interference. If the spectrum analysis module identifies interference from non-Wi-Fi devices. If the interference is serious or large interference occurs multiple times in a specified period, the module triggers partial radio calibration and adjusts AP channels and power to avoid interference.

This Document Applies to these Products

Page 21

The WLAN service parameters configured on an AC take effect only after you run the commit (WLAN view) command to deliver the configuration to APs.

If you commit configurations to a large number of APs simultaneously, some of the APs may fail to receive the configurations. In this case, you are advised to commit the configurations again.

Run:
system-view
The system view is displayed.
Run:
wlan
The WLAN view is displayed.
Run:
commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
Configurations are delivered to APs.

This Document Applies to these Products

Page 22

Configurations in the AP provisioning view are not automatically delivered to APs. You have to manually deliver them to APs.

After the configuration is committed, the AP receives the configuration and compares the configuration with its local configuration.

If they are consistent, the AP does not process the received configuration.
If they are different, the AP saves the committed configuration and automatically restarts, and the received configuration takes effect.

If the name or static IP address of an AP is specified in the AP provisioning view, the configuration is delivered only to the AP by specifying the AP name or MAC address, but cannot be delivered to APs in the specified AP group.

If you commit configurations to a large number of APs simultaneously, some of the APs may fail to receive the configurations. In this case, you are advised to commit the configurations again.

Run:
system-view
The system view is displayed.
Run:
wlan
The WLAN view is displayed.
Run:
provision-ap
The AP provisioning view is displayed.
Run:
commit { ap-name ap-name | ap-mac ap-mac-address | ap-id ap-id | ap-group ap-group-name | all }
The configurations are delivered to an AP, a group of APs, or all APs.

This Document Applies to these Products

Page 23

The WLAN service parameters configured on an AC take effect only after you run the commit (WLAN view) command to deliver the configuration to APs.

If you commit configurations to a large number of APs simultaneously, some of the APs may fail to receive the configurations. In this case, you are advised to commit the configurations again.

Run:
system-view
The system view is displayed.
Run:
wlan
The WLAN view is displayed.
Run:
commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
Configurations are delivered to APs.

This Document Applies to these Products

Page 24

The WLAN service parameters configured on an AC take effect only after you run the commit (WLAN view) command to deliver the configuration to APs.

If you commit configurations to a large number of APs simultaneously, some of the APs may fail to receive the configurations. In this case, you are advised to commit the configurations again.

Run:
system-view
The system view is displayed.
Run:
wlan
The WLAN view is displayed.
Run:
commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }
Configurations are delivered to APs.

This Document Applies to these Products

Page 25

Before re-configuring online parameters of APs in the AP provisioning view, clear existing configurations. The cleared configurations cannot be restored. Exercise caution when you run the following command.

Run:
system-view
The system view is displayed.
Run:
wlan
The WLAN view is displayed.
Run:
provision-ap
The AP provisioning view is displayed.
Run:
clear configuration this
All configurations are cleared in the AP provisioning view.

This Document Applies to these Products

Page 26

Run the reset wlan location device-info tag { all | ap-id ap-id | ap-name ap-name } command to clear tag information received by all APs or specified APs on the AC.