Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
WEP shared key authentication uses the RC4 symmetric stream cipher to encrypt data. This authentication method requires the same static key to be preconfigured on the server and client. Both the encryption mechanism and the encryption algorithm can introduce security risks to the network. The Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) to overcome the shortcomings of WEP before more secure policies were provided in 802.11i. WPA still uses the RC4 algorithm, but it uses an 802.1X authentication framework, supports Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-Transport Layer Security (EAP-TLS) authentication, and defines the Temporal Key Integrity Protocol (TKIP) encryption algorithm. Later, 802.11i defined WPA2. WPA2 uses Counter Mode with CBC-MAC Protocol (CCMP), a more secure encryption algorithm than those used in WPA. Both WPA and WPA2 support 802.1X authentication and the TKIP/CCMP encryption algorithms, ensuring better compatibility. The two protocols provide almost the same security level and their difference lies in the protocol packet format. The WPA/WPA2 security policy involves four steps:
Link authentication can be completed in open system authentication or shared key authentication mode. WPA and WPA2 support only open system authentication. For details, see "Link Authentication" in STA Access. WPA and WPA2 have an enterprise edition and a personal edition.
802.1X authentication can be used to authenticate wireless and wired users, whereas PSK authentication is specific to wireless users. PSK authentication requires that a STA and an AC be configured with the same PSK. The STA and AC authenticate each other through key negotiation. During key negotiation, the STA and AC use their PSKs to decrypt the message sent from each other. If the messages are successfully decrypted, the STA and AC have the same PSK. If they use the same PSK, PSK authentication is successful; otherwise, PSK authentication fails. 802.11i defines two key hierarchies: pairwise key hierarchy and group key hierarchy. The pairwise key hierarchy protects unicast data exchanged between STAs and APs. The group key hierarchy protects broadcast or multicast data exchanged between STAs and APs. During key negotiation, a STA and an AC use the pairwise master key (PMK) to generate a pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to encrypt unicast packets, and the GTK is used to encrypt multicast and broadcast packets.
Key negotiation consists of unicast key negotiation and multicast key negotiation.
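The PSK check during unicast key negotiation can be followed end to end in the added example below, which is not Huawei's code. It uses the standard 802.11i derivations (PBKDF2-HMAC-SHA1 for the PMK, the HMAC-SHA1 PRF for the PTK) and a MIC keyed from the PTK as the proof that both sides hold the same PSK. The MAC addresses, nonces and message body are constructed values, and the message body is a placeholder rather than a real EAPOL-Key frame.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """802.11i PRF: expand the PMK with both MAC addresses and both nonces.

    Sorting the inputs means the STA and the AC build the same byte string
    regardless of which side calls the function.
    """
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    out = b""
    counter = 0
    while len(out) < length:
        block = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def split_ptk(ptk: bytes) -> dict:
    """CCMP layout: key confirmation key, key encryption key, temporal key."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def message_mic(kck: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 truncated to 128 bits, as used with WPA2 key descriptors."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]


def negotiate(sta_passphrase: str, ac_passphrase: str, ssid: str) -> bool:
    """Simulate the first two handshake messages; True if the AC accepts the STA."""
    # Constructed sample values. Real nonces are fresh random numbers per handshake;
    # fixed ones are used here only so the example is reproducible.
    aa = bytes.fromhex("02aabbccdd01")    # AC/AP MAC address (constructed)
    spa = bytes.fromhex("02aabbccdd02")   # STA MAC address (constructed)
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()

    # Message 1 (AC -> STA) carries the ANonce. The STA can now derive its PTK.
    sta_keys = split_ptk(derive_ptk(derive_pmk(sta_passphrase, ssid),
                                    aa, spa, anonce, snonce))

    # Message 2 (STA -> AC) carries the SNonce and a MIC computed with the STA's KCK.
    message2 = b"constructed-message-2|" + snonce   # placeholder body
    mic = message_mic(sta_keys["kck"], message2)

    # The AC derives its own PTK and recomputes the MIC. A match proves that
    # both sides started from the same PSK without the PSK ever being sent.
    ac_keys = split_ptk(derive_ptk(derive_pmk(ac_passphrase, ssid),
                                   aa, spa, anonce, snonce))
    return hmac.compare_digest(mic, message_mic(ac_keys["kck"], message2))


if __name__ == "__main__":
    print("same PSK     ->", negotiate("correct horse battery", "correct horse battery", "corp-wlan"))
    print("different PSK->", negotiate("correct horse battery", "wrong horse battery", "corp-wlan"))
```

Because the SSID is the PBKDF2 salt, the same passphrase yields a different PMK on every SSID, and the PSK itself never crosses the air.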
WPA and WPA2 support the TKIP and CCMP encryption algorithms.
Wired Equivalent Privacy (WEP), defined in IEEE 802.11, is used to protect the data of authorized users from tampering during transmission on a WLAN. WEP uses the RC4 algorithm to encrypt data using a 64-bit, 128-bit, or 152-bit encryption key. An encryption key contains a 24-bit initialization vector (IV) generated by the system, so the length of the key configured on the WLAN server and client is 40, 104, or 128 bits. WEP uses a static encryption key. That is, all STAs associating with the same SSID use the same key to connect to the wireless network. A WEP security policy defines a link authentication mechanism and a data encryption mechanism. Link authentication mechanisms include open system authentication and shared key authentication. For details about link authentication, see "Link Authentication" in STA Access.
A WDS profile contains major parameters required for configuring the WDS function. To enable radios of an AP group or a specified AP to set up Mesh links, a WDS profile must be applied to the radios. When configuring WDS services, use the WDS profile with the following profiles:
By default, the system provides the WDS profile default. By default, the security profile default-wds with the security policy WPA2+PSK+AES is referenced by a WDS profile regardless of whether the WDS profile is the default profile provided by the system or a WDS profile created by users. If the default security profile default-wds is used, you are advised to change the security key of the profile to ensure security. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it. For details, see Configuring a WDS Profile.
WIDS profiles provide mechanisms to protect WLAN networks. WIDS profiles are bound to AP groups or APs so that they can take effect. A WIDS profile supports the following functions:
An AP communicates with an IoT card through a serial port. Each IoT card interface uses independent serial communication parameters and framing parameters. The serial communication parameters and framing parameters can be set in a serial profile.
You can add APs in any of the following modes:
Depending on its location on a WDS network, an AP can work in root, middle, or leaf mode. As shown in Figure 13-10, AP1 is a root node, AP2 is a middle node, and AP3 is a leaf node. You can configure an AP's working mode based on actual situations.
Figure 13-10 WDS networking
You can add APs in any of the following modes:
On a Mesh network, you can deploy an AP as an MPP or MP based on the location of the AP, as shown in Figure 14-7. Select a proper method to add APs on an AC according to actual situations.
Figure 14-7 Mesh networking diagram
You can add APs in any of the following modes:
When you add an AP in any of the preceding modes, the AP cannot connect to the AC if the MAC address of the AP is in the AP blacklist. After you add an AP to an AC offline and configure AP parameters, for example, the AP group that the AP joins by default, the AP can go online and use the configured data to work. When the AC is configured to automatically discover APs, an AP uses the default parameters to work after going online. Adding an AP offline is recommended when the MAC address or SN of the AP is already learned. The AP blacklist and whitelist can be configured at the same time. However, the MAC address of an AP cannot be added to both the AP blacklist and the AP whitelist. If both the AP whitelist and the AP blacklist are configured, the blacklist is checked first. The number of APs managed by an AC is restricted by the following factors:
Figure 13-1 WDS networking
A WDS network can be deployed in point-to-point or point-to-multipoint mode.
Figure 19-1 shows the architecture of a network where an IoT AP works.
Figure 19-1 Architecture of a network where an IoT AP works
Components in the figure and related concepts are described as follows:
An AP functions as a server or client to communicate with the host computer in bi-directional mode. When the AP reports data to the host computer, the AP functions as a client and the host computer functions as a server. When the AP receives data from the host computer, the AP functions as a server and the host computer functions as a client. Figure 19-2 shows the communication mechanism.
Figure 19-2 Communication mechanism
To disconnect an AP from the current AC or enable an AP to go online on another AC, you can delete the AP from the current AC.
Deleting an AP will interrupt services of STAs connected to the AP. Exercise caution when you delete an AP.
If an AP cannot work properly after being upgraded, reset the AP. You can run the display ap all command and check the State field to determine whether an AP is working properly. If the State field displays name-conflicted, ver-mismatch, config, config-failed, committing, or commit-failed, the AP is not working properly.
Exercise caution when resetting an AP because services on the AP will be interrupted.
On an AC + Fit AP network, one AC manages many APs. Usually, you need to perform the same configurations on the APs. In this situation, you can add the APs to an AP group and perform configurations uniformly in the AP group, which simplifies operations. All APs in the group use the same configurations. Each AP must join exactly one AP group. An AP group contains configurations shared by all APs. You can set configurations specific to a single AP in the AP view. By default, an AP automatically joins the AP group default. The AP group default cannot be deleted, but you can modify configurations in the default AP group. By default, an AP group has the following profiles bound: AP system profile default, 2G radio profile default, 5G radio profile default, regulatory domain profile default, WIDS profile default, and AP wired port profile default.
Before creating an AP group, perform the task of CLI Login Configuration.
After an AP group is created, you need to add APs to the AP group so that the APs can use configurations in the group. For details, see Adding APs.
In a WIDS profile, you can configure various WIDS and WIPS services. You can create multiple WIDS profiles to carry different WIDS services and apply the profiles to different APs as required.
An AP wired port profile provides configurations of AP wired ports. AP wired port link profiles can be bound to AP wired port profiles. AP wired port link profiles are used to configure link-layer parameters of AP wired ports. The following configurations are performed in an AP wired port profile:
For details, see Managing an AP's Wired Interface.
After the rogue device containment function is enabled, rogue APs can be detected and contained. However, there may be APs of other vendors or on other networks working in the existing signal coverage areas. If these APs are contained, their services will be affected. To prevent this situation, you can configure the WIDS whitelist profile to add these APs to a WIDS whitelist which includes an authorized MAC address list, OUI list, and SSID list. When a rogue AP is detected but the AP's MAC address is in the authorized MAC address list, the AP is considered an authorized AP. However, if the AP's MAC address is not in the authorized MAC address list, the AP's OUI and SSID must be both in the authorized OUI and SSID lists; otherwise, the AP is a rogue AP.
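The whitelist decision described above, written out as an added example that is not Huawei's implementation. The class and function names are hypothetical, exact case-sensitive SSID matching is an assumption, and every MAC address, OUI and SSID below is a constructed sample.

```python
import re


def _hex(value: str, digits: int) -> str:
    """Strip separators (aa:bb:.., aabb-ccdd-.., aa-bb-..) and validate the length."""
    cleaned = re.sub(r"[-:.\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % digits, cleaned):
        raise ValueError(f"not a {digits}-digit hex address: {value!r}")
    return cleaned


class WidsWhitelist:
    """Hypothetical model of the authorized MAC, OUI and SSID lists."""

    def __init__(self, macs=(), ouis=(), ssids=()):
        self.macs = {_hex(m, 12) for m in macs}
        self.ouis = {_hex(o, 6) for o in ouis}
        self.ssids = set(ssids)  # assumption: exact, case-sensitive comparison

    def classify(self, mac: str, ssid: str):
        """Return (verdict, reason) for an AP that detection has flagged."""
        mac = _hex(mac, 12)
        # Rule 1: a listed MAC address is authorized on its own.
        if mac in self.macs:
            return "authorized", "mac"
        # Rule 2: otherwise the OUI AND the SSID must both be listed.
        oui_ok = mac[:6] in self.ouis
        ssid_ok = ssid in self.ssids
        if oui_ok and ssid_ok:
            return "authorized", "oui+ssid"
        # Report which half of rule 2 failed, so an operator can tell a
        # neighbouring network from a device advertising a trusted SSID.
        missing = [name for name, ok in (("oui", oui_ok), ("ssid", ssid_ok)) if not ok]
        return "rogue", "missing:" + ",".join(missing)


# Constructed whitelist: one neighbour AP by MAC, one vendor OUI, one SSID.
WHITELIST = WidsWhitelist(
    macs=["0211-2233-4455"],
    ouis=["02-aa-bb"],
    ssids=["partner-guest"],
)

# Constructed detections: (MAC address, advertised SSID).
DETECTIONS = [
    ("02:11:22:33:44:55", "anything"),       # listed MAC
    ("02aa-bb00-0001", "partner-guest"),     # listed OUI and listed SSID
    ("02aa-bb00-0002", "corp-wlan"),         # listed OUI, unlisted SSID
    ("02cc-dd00-0003", "partner-guest"),     # listed SSID, unlisted OUI
]


def classify_all(whitelist, detections):
    return [(mac, ssid) + whitelist.classify(mac, ssid) for mac, ssid in detections]


if __name__ == "__main__":
    for row in classify_all(WHITELIST, DETECTIONS):
        print("%-20s %-15s %-10s %s" % row)
```

The last constructed detection is the case the AND rule exists for: a listed SSID advertised from an unlisted OUI stays classified as rogue.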
On a WLAN, the operating status of APs is affected by the radio environment. For example, adjacent APs using the same working channel interfere with each other, and a high-power AP can interfere with adjacent APs if they work on overlapping channels. Radio calibration can dynamically adjust channels and power of APs managed by the same AC to ensure that the APs work in a way that optimizes performance.
Radio calibration requires the following components for implementation:
ACs support global radio calibration and partial radio calibration:
The WLAN service parameters configured on an AC take effect only after you run the commit (WLAN view) command to deliver the configuration to APs.
If you commit configurations to a large number of APs simultaneously, some of the APs may fail to receive the configurations. In this case, you are advised to commit the configurations again.
Configurations in the AP provisioning view are not automatically delivered to APs. You have to manually deliver them to APs. After the configuration is committed, the AP receives the configuration and compares the configuration with its local configuration.
If the name or static IP address of an AP is specified in the AP provisioning view, the configuration can be delivered only to that AP, specified by AP name or MAC address, and cannot be delivered to the APs in a specified AP group. If you commit configurations to a large number of APs simultaneously, some of the APs may fail to receive the configurations. In this case, you are advised to commit the configurations again.
Before re-configuring online parameters of APs in the AP provisioning view, clear existing configurations. The cleared configurations cannot be restored. Exercise caution when you run the following command.