Huawei: Example for Configuring Attack Detection

Example for Configuring Attack Detection

Networking diagram

Figure 1 Networking diagram for configuring attack detection
  • Service requirements
  • Networking requirements
  • Data plan
  • Configuration roadmap
  • Configuration notes
  • Procedure
  • Configuration files
Service requirements

Enterprise users access the network over WLAN to meet the basic needs of mobile office work, and roaming inside the coverage area must not interrupt their services.

To keep the network stable and secure, and to defend against flood attacks and brute-force attacks on the PSK, attack detection and the dynamic blacklist can be configured. Devices that are detected attacking are added to the dynamic blacklist and their packets are dropped, which stops the attack.

Networking requirements
  • AC networking mode: bypass (off-path) Layer 2 networking.
  • DHCP deployment:
    • The AC acts as the DHCP server and assigns IP addresses to APs.
    • The aggregation switch SwitchB acts as the DHCP server and assigns IP addresses to STAs.
  • Service data forwarding mode: tunnel forwarding.
Configuration roadmap
  1. Configure basic WLAN services so that users can connect to the wireless network.

  2. Enable brute-force PSK attack detection for WPA2-PSK authentication and flood attack detection, so that the WLAN devices can identify the devices launching such attacks.

  3. Enable the dynamic blacklist so that attacking devices are added to it and their packets are rejected until the configured aging time expires.

Configuration notes
Procedure
  1. Configure the peripheral devices

    # On the access switch SwitchA, add interfaces GE0/0/1 and GE0/0/2 to VLAN 100 and set the default VLAN of GE0/0/1 to VLAN 100.
    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 100
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] port link-type trunk
    [SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
    [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [SwitchA-GigabitEthernet0/0/1] port-isolate enable
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] interface gigabitethernet 0/0/2
    [SwitchA-GigabitEthernet0/0/2] port link-type trunk
    [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
    [SwitchA-GigabitEthernet0/0/2] quit
    # On the aggregation switch SwitchB, add interfaces GE0/0/1 and GE0/0/2 to VLAN 100, and interfaces GE0/0/2 and GE0/0/3 to VLAN 101.
    <HUAWEI> system-view
    [HUAWEI] sysname SwitchB
    [SwitchB] vlan batch 100 101
    [SwitchB] interface gigabitethernet 0/0/1
    [SwitchB-GigabitEthernet0/0/1] port link-type trunk
    [SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
    [SwitchB-GigabitEthernet0/0/1] quit
    [SwitchB] interface gigabitethernet 0/0/2
    [SwitchB-GigabitEthernet0/0/2] port link-type trunk
    [SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
    [SwitchB-GigabitEthernet0/0/2] quit
    [SwitchB] interface gigabitethernet 0/0/3
    [SwitchB-GigabitEthernet0/0/3] port link-type trunk
    [SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
    [SwitchB-GigabitEthernet0/0/3] quit
    # On Router, add interface GE1/0/0 to VLAN 101, create interface VLANIF101 and assign it the IP address 10.23.101.2/24.
    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 101
    [Router] interface gigabitethernet 1/0/0
    [Router-GigabitEthernet1/0/0] port link-type trunk
    [Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
    [Router-GigabitEthernet1/0/0] quit
    [Router] interface vlanif 101
    [Router-Vlanif101] ip address 10.23.101.2 24
    [Router-Vlanif101] quit
  2. Configure connectivity between the AC and the other network devices

    If the AC is directly connected to the AP, set the default VLAN of the AC interface connected to the AP to the management VLAN 100.

    # Add AC interface GE0/0/1 to VLAN 100 and VLAN 101.
    <HUAWEI> system-view
    [HUAWEI] sysname AC
    [AC] vlan batch 100 101
    [AC] interface gigabitethernet 0/0/1
    [AC-GigabitEthernet0/0/1] port link-type trunk
    [AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
    [AC-GigabitEthernet0/0/1] quit
  3. Configure DHCP servers to assign IP addresses to STAs and APs

    # On the AC, configure interface VLANIF100 as the DHCP server for APs.
    [AC] dhcp enable
    [AC] interface vlanif 100
    [AC-Vlanif100] ip address 10.23.100.1 24
    [AC-Vlanif100] dhcp select interface
    [AC-Vlanif100] quit
    # On SwitchB, configure interface VLANIF101 as the DHCP server for STAs and specify 10.23.101.2 as the default gateway of the STAs.
    Configure the DNS server address as required. The common methods are:
    • Interface address pool: run dhcp server dns-list ip-address &<1-8> in the VLANIF interface view.
    • Global address pool: run dns-list ip-address &<1-8> in the IP address pool view.
    [SwitchB] dhcp enable
    [SwitchB] interface vlanif 101
    [SwitchB-Vlanif101] ip address 10.23.101.1 24
    [SwitchB-Vlanif101] dhcp select interface
    [SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
    [SwitchB-Vlanif101] quit
  4. Bring the AP online

    # Create an AP group, so that APs sharing the same configuration can be placed in one group.
    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit
    # Create a regulatory domain profile, set the AC's country code in it, and bind it to the AP group.
    [AC-wlan-view] regulatory-domain-profile name default
    [AC-wlan-regulate-domain-default] country-code cn
    [AC-wlan-regulate-domain-default] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] quit
    # Configure the source interface of the AC.

    Starting from V200R021C00, configuring the CAPWAP source interface or source address first checks that the related security settings already exist: the DTLS PSK, the inter-AC DTLS PSK, the user name and password for logging in to APs, and the login password of the global offline-management VAP. The configuration succeeds only when all of them are present; otherwise the system prompts you to complete them first.

    [AC] capwap source interface vlanif 100
    Set the DTLS PSK(contains 6-32 plain-text characters, or 48 or 68 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):******
    
    Set the DTLS inter-controller PSK(contains 6-32 plain-text characters, or 48 or 68 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):******
    
    Set the user name for FIT APs(contains 4-31 plain-text characters, which can only include letters, digits and underlines. And the first character must be a letter):admin
    
    Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-188 characters that must be a combination of at least three of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):********
    
    Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):********
    # Enable the CAPWAP DTLS no-authentication mode. (V200R021C00 and later)
    [AC] capwap dtls no-auth enable

    Starting from V200R021C00, DTLS encryption of the CAPWAP control tunnel is enabled on the AC by default. With it enabled, a newly added AP fails to go online, so the CAPWAP DTLS no-authentication mode must be enabled first to let the AP come online and obtain its security credentials. Disable the no-authentication mode again as soon as the AP is online; while it is on, unauthorized APs can also come online.
    # Import the AP offline on the AC and add it to AP group ap-group1. Assume that the AP's MAC address is 60de-4476-e360. Name the AP after its deployment location so that the location can be read from the name: for example, the AP with MAC address 60de-4476-e360 is deployed in area 1 and is named area_1.

    The default of the ap auth-mode command is MAC authentication. If the default has not been changed, ap auth-mode mac-auth does not need to be executed.

    The AP used in this example is an AP5030DN, which has two radios: radio 0 is the 2.4 GHz radio and radio 1 is the 5 GHz radio.

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
    [AC-wlan-ap-0] ap-name area_1
    Warning: This operation may cause AP reset. Continue? [Y/N]:y
    [AC-wlan-ap-0] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-0] quit
    # Power on the AP. When display ap all shows the AP's State field as nor, the AP is online normally.
    [AC-wlan-view] display ap all
    Total AP information:
    nor  : normal          [1]
    Extra information:
    P  : insufficient power supply
    --------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
    --------------------------------------------------------------------------------------------------
    0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
    --------------------------------------------------------------------------------------------------
    Total: 1
    # Disable the CAPWAP DTLS no-authentication mode. (V200R021C00 and later)
    [AC-wlan-view] quit
    [AC] undo capwap dtls no-auth enable
    [AC] wlan
  5. Configure WLAN service parameters

    # Create a security profile named wlan-net and configure its security policy.

    This example uses a WPA-WPA2+PSK+AES security policy with the passphrase a1234567. In a real deployment configure a security policy that meets your actual requirements. An 8-character passphrase like this one is only a placeholder: the attack detection configured later limits online guessing against the AP, but a captured WPA2 4-way handshake can be brute-forced offline, so use a long random passphrase in production.

    [AC-wlan-view] security-profile name wlan-net
    [AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
    [AC-wlan-sec-prof-wlan-net] quit
    # Create an SSID profile named wlan-net and set the SSID to wlan-net.
    [AC-wlan-view] ssid-profile name wlan-net
    [AC-wlan-ssid-prof-wlan-net] ssid wlan-net
    [AC-wlan-ssid-prof-wlan-net] quit
    # Create a VAP profile named wlan-net, configure the data forwarding mode and the service VLAN, and bind the security profile and the SSID profile.
    [AC-wlan-view] vap-profile name wlan-net
    [AC-wlan-vap-prof-wlan-net] forward-mode tunnel
    [AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
    [AC-wlan-vap-prof-wlan-net] security-profile wlan-net
    [AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
    [AC-wlan-vap-prof-wlan-net] quit
    # Bind the VAP profile to the AP group so that radio 0 and radio 1 of the AP both use the configuration of VAP profile wlan-net.
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
    [AC-wlan-ap-group-ap-group1] quit
  6. Configure the channel and power of the AP radios

    Automatic channel and power calibration is enabled by default; unless it is disabled, manual channel and power settings do not take effect. The channel and power values here are examples only; configure them according to the AP's country code and the network planning result.

    # Disable automatic channel and power calibration on radio 0 and configure its channel and power.
    [AC-wlan-view] ap-id 0
    [AC-wlan-ap-0] radio 0
    [AC-wlan-radio-0/0] calibrate auto-channel-select disable
    [AC-wlan-radio-0/0] calibrate auto-txpower-select disable
    [AC-wlan-radio-0/0] channel 20mhz 6
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-radio-0/0] eirp 127
    [AC-wlan-radio-0/0] quit
    # Disable automatic channel and power calibration on radio 1 and configure its channel and power.
    [AC-wlan-ap-0] radio 1
    [AC-wlan-radio-0/1] calibrate auto-channel-select disable
    [AC-wlan-radio-0/1] calibrate auto-txpower-select disable
    [AC-wlan-radio-0/1] channel 20mhz 149
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-radio-0/1] eirp 127
    [AC-wlan-radio-0/1] quit
    [AC-wlan-ap-0] quit
  7. Configure attack detection

    # Enable brute-force PSK attack detection for WPA2-PSK authentication and flood attack detection on both radios of the AP group.

    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] radio 0
    [AC-wlan-group-radio-ap-group1/0] wids attack detect wpa2-psk enable
    [AC-wlan-group-radio-ap-group1/0] wids attack detect flood enable
    [AC-wlan-group-radio-ap-group1/0] quit
    [AC-wlan-ap-group-ap-group1] radio 1
    [AC-wlan-group-radio-ap-group1/1] wids attack detect wpa2-psk enable
    [AC-wlan-group-radio-ap-group1/1] wids attack detect flood enable
    [AC-wlan-group-radio-ap-group1/1] quit
    [AC-wlan-ap-group-ap-group1] quit

    # Enter the WIDS profile. The profile named default is used here.

    [AC-wlan-view] wids-profile name default

    # Set the brute-force PSK attack detection period for WPA2-PSK authentication to 70 seconds, the number of key errors allowed within one period to 25, and the quiet time to 700 seconds.

    [AC-wlan-wids-prof-default] brute-force-detect interval 70
    [AC-wlan-wids-prof-default] brute-force-detect threshold 25
    [AC-wlan-wids-prof-default] brute-force-detect quiet-time 700

    # Set the flood attack detection period to 70 seconds, the flood detection threshold to 350 frames, and the quiet time to 700 seconds.

    [AC-wlan-wids-prof-default] flood-detect interval 70
    [AC-wlan-wids-prof-default] flood-detect threshold 350
    [AC-wlan-wids-prof-default] flood-detect quiet-time 700
  8. Configure the dynamic blacklist

    # Enable the dynamic blacklist.

    [AC-wlan-wids-prof-default] undo dynamic-blacklist disable
    [AC-wlan-wids-prof-default] quit

    # Create an AP system profile named wlan-system and set the dynamic blacklist aging time to 200 seconds.

    [AC-wlan-view] ap-system-profile name wlan-system
    [AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200
    [AC-wlan-ap-system-prof-wlan-system] quit
  9. Bind the AP system profile wlan-system to AP group ap-group1

    The WIDS profile named default is already applied to the AP group by default, so no separate binding command is needed for it; the AC configuration file below shows wids-profile default under the AP group.

    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
    [AC-wlan-ap-group-ap-group1] quit
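    The way the values chosen in steps 7 to 9 interact is easier to see in a small model than in the CLI. The following Python script is an added example written for this page, not Huawei code: the AP's internal counting algorithm is not documented here, so it assumes that events (failed PSK handshakes or flood frames) are counted per source MAC in fixed windows of interval seconds, that a source is reported once its count exceeds threshold, that repeat reports for the same source are suppressed for quiet-time seconds, and that a dynamic blacklist entry expires aging-time seconds after the last detection. The two attacker MACs are taken from the sample output in step 10; the legitimate client MAC and the event stream are constructed.

```python
"""Model of the WIDS detection windows and dynamic-blacklist aging configured above.

Added example, not Huawei code. Assumed semantics: per-source fixed windows of
`interval` seconds, report when the count exceeds `threshold`, one report per
`quiet_time` seconds, blacklist entry expires `aging_time` seconds after the
last detection.
"""
from dataclasses import dataclass, field


@dataclass
class DetectProfile:
    interval: int      # detection period in seconds (brute-force-detect / flood-detect interval)
    threshold: int     # events tolerated inside one period (... threshold)
    quiet_time: int    # seconds during which the same source is not reported again (... quiet-time)


@dataclass
class Wids:
    brute_force: DetectProfile     # applied to kind "wpa2-psk"
    flood: DetectProfile           # applied to kind "flood"
    aging_time: int                # dynamic-blacklist aging-time from the AP system profile
    windows: dict = field(default_factory=dict)      # (kind, mac) -> (window_start, count)
    quiet_until: dict = field(default_factory=dict)  # (kind, mac) -> time until which reports are suppressed
    blacklist: dict = field(default_factory=dict)    # mac -> expiry time of the dynamic blacklist entry
    alarms: list = field(default_factory=list)       # (time, kind, mac) reports

    def observe(self, t: int, kind: str, mac: str) -> None:
        """Count one event (failed PSK handshake or one flood frame) from `mac` at time `t`."""
        prof = self.brute_force if kind == "wpa2-psk" else self.flood
        key = (kind, mac)
        start, count = self.windows.get(key, (t, 0))
        if t - start >= prof.interval:       # period elapsed: start a fresh window
            start, count = t, 0
        count += 1
        self.windows[key] = (start, count)
        if count > prof.threshold:
            # Block the source, or re-arm an existing block; the entry lives aging_time seconds.
            self.blacklist[mac] = t + self.aging_time
            if t >= self.quiet_until.get(key, 0):   # report at most once per quiet period
                self.alarms.append((t, kind, mac))
                self.quiet_until[key] = t + prof.quiet_time
            self.windows[key] = (t, 0)

    def is_blocked(self, t: int, mac: str) -> bool:
        """True while the dynamic blacklist entry for `mac` has not aged out at time `t`."""
        expiry = self.blacklist.get(mac)
        if expiry is None:
            return False
        if t >= expiry:
            del self.blacklist[mac]          # aged out: the source's packets are accepted again
            return False
        return True


ATTACKER = "0046-4b74-691f"   # MACs reused from the page's sample display output
FLOODER = "000b-c002-9c81"
LEGIT = "aaaa-bbbb-cccc"      # constructed: a user who mistypes the passphrase a few times


def run_scenario() -> Wids:
    """Replay a constructed event stream against the values configured on this page."""
    w = Wids(brute_force=DetectProfile(interval=70, threshold=25, quiet_time=700),
             flood=DetectProfile(interval=70, threshold=350, quiet_time=700),
             aging_time=200)
    for i in range(30):                 # 30 wrong-PSK handshakes in 30 s: the 26th exceeds threshold 25
        w.observe(i, "wpa2-psk", ATTACKER)
    for i in range(5):                  # 5 typos spread over 50 s: never exceeds 25
        w.observe(i * 10, "wpa2-psk", LEGIT)
    for i in range(400):                # 400 probe requests in 40 s: the 351st exceeds threshold 350
        w.observe(50 + i // 10, "flood", FLOODER)
    for i in range(30):                 # attacker returns at t=300, inside the 700 s quiet time:
        w.observe(300 + i, "wpa2-psk", ATTACKER)   # blocked again, but not reported again
    return w


if __name__ == "__main__":
    w = run_scenario()
    for t, kind, mac in w.alarms:
        print(f"t={t:>4}s  {kind:<9} {mac}")
    for t in (100, 400, 600):
        print(f"t={t}: {ATTACKER} blocked={w.is_blocked(t, ATTACKER)}")
```

    Running the scenario produces one report for the brute-force source at t=25 s and one for the flooder at t=85 s. The attacker's second burst at t=300 s re-arms its blacklist entry (expiry moves from 225 s to 525 s) but produces no second report because it falls inside the 700 s quiet time, which is the operational point to remember: a quiet time much longer than the aging time means the blacklist keeps working while the alarm stays silent, so the absence of new alarms does not mean the attack stopped.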
  10. Verify the configuration

    After the configuration is complete, when another device attacks the WLAN, run display wlan ids attack-detected all to view the detected attacking devices.

    [AC-wlan-view] display wlan ids attack-detected all
    #AP: Number of monitor APs that have detected the device
    AT: Last detected attack type
    CH: Channel number
    act: Action frame            asr: Association request
    aur: Authentication request  daf: Deauthentication frame
    dar: Disassociation request  wiv: Weak IV detected
    pbr: Probe request           rar: Reassociation request
    eaps: EAPOL start frame      eapl: EAPOL logoff frame
    saf: Spoofed disassociation frame
    sdf: Spoofed deauthentication frame
    otsf: Other types of spoofing frames
    -------------------------------------------------------------------------------
    MAC address     AT     CH   RSSI(dBm)  Last detected time     #AP
    -------------------------------------------------------------------------------
    000b-c002-9c81  pbr    165  -87        2014-11-20/15:51:13    1
    0024-2376-03e9  pbr    165  -84        2014-11-20/15:51:13    1
    0046-4b74-691f  act    165  -67        2014-11-20/15:51:13    1
    -------------------------------------------------------------------------------
    Total: 3, printed: 3

    Run display wlan dynamic-blacklist all to view the attacking devices that have been added to the dynamic blacklist.

    [AC-wlan-view] display wlan dynamic-blacklist all
    #AP: Number of monitor APs that have detected the device
    act: Action frame            asr: Association request
    aur: Authentication request  daf: Deauthentication frame
    dar: Disassociation request  eapl: EAPOL logoff frame
    pbr: Probe request           rar: Reassociation request
    eaps: EAPOL start frame
    -------------------------------------------------------------------------------
    MAC address       Last detected time    Reason   #AP   LAT
    -------------------------------------------------------------------------------
    000b-c002-9c81    2014-11-20/16:15:53   pbr      1     100
    0024-2376-03e9    2014-11-20/16:15:53   pbr      1     100
    0046-4b74-691f    2014-11-20/16:15:53   act      1     100
    -------------------------------------------------------------------------------
    Total: 3, printed: 3
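    The two display outputs above are what an operator would feed into a SIEM or a periodic check, and both share the same layout: a legend of attack-type codes, a dashed rule, a column header, a dashed rule, data rows, a dashed rule and a Total line. The following Python parser is an added example written for this page, not part of the page or of Huawei's software. Its sample text is the page's own output; one constructed extra row (MAC 00aa-bbcc-ddee, an authentication-request attacker on channel 6) is added to the detection table so that the cross-check, which lists detected attackers missing from the dynamic blacklist, has something to report.

```python
"""Parse the AC's `display wlan ids attack-detected all` and `display wlan
dynamic-blacklist all` output into records and cross-check them.

Added example, not Huawei code. Sample text is the page's output plus one
constructed row (00aa-bbcc-ddee) in the detection table.
"""
import re

ATTACK_DETECTED_OUTPUT = """\
#AP: Number of monitor APs that have detected the device
AT: Last detected attack type
CH: Channel number
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  wiv: Weak IV detected
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address     AT     CH   RSSI(dBm)  Last detected time     #AP
-------------------------------------------------------------------------------
000b-c002-9c81  pbr    165  -87        2014-11-20/15:51:13    1
0024-2376-03e9  pbr    165  -84        2014-11-20/15:51:13    1
0046-4b74-691f  act    165  -67        2014-11-20/15:51:13    1
00aa-bbcc-ddee  aur    6    -70        2014-11-20/15:51:20    1
-------------------------------------------------------------------------------
Total: 4, printed: 4
"""

DYNAMIC_BLACKLIST_OUTPUT = """\
#AP: Number of monitor APs that have detected the device
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  eapl: EAPOL logoff frame
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame
-------------------------------------------------------------------------------
MAC address       Last detected time    Reason   #AP   LAT
-------------------------------------------------------------------------------
000b-c002-9c81    2014-11-20/16:15:53   pbr      1     100
0024-2376-03e9    2014-11-20/16:15:53   pbr      1     100
0046-4b74-691f    2014-11-20/16:15:53   act      1     100
-------------------------------------------------------------------------------
Total: 3, printed: 3
"""

# Column names for the data rows of each command (assumed names; order follows the header lines).
DETECT_COLUMNS = ("mac", "attack", "channel", "rssi_dbm", "last_seen", "ap_count")
BLACKLIST_COLUMNS = ("mac", "last_seen", "reason", "ap_count", "lat")


def _sections(text: str):
    """Split the output at its dashed rules into legend lines and data rows."""
    legend, rows, rules = [], [], 0
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if set(s) == {"-"}:
            rules += 1
            continue
        if rules == 0:
            legend.append(s)          # everything before the first rule (a command echo is harmless)
        elif rules == 2:              # rules == 1 is the column header, 3 is the "Total:" line
            rows.append(s)
    return legend, rows


def parse_legend(lines) -> dict:
    """Map legend codes to descriptions; a line carries one or two 'code: text' pairs."""
    codes = {}
    for line in lines:
        for part in re.split(r"\s{2,}", line):
            code, sep, desc = part.partition(": ")
            if sep and " " not in code:
                codes[code] = desc.strip()
    return codes


def parse_display(text: str, columns: tuple, code_column: str) -> list:
    """One dict per data row; integers are converted and the legend code is expanded into <column>_desc."""
    legend, rows = _sections(text)
    codes = parse_legend(legend)
    out = []
    for row in rows:
        fields = row.split()
        if len(fields) != len(columns):
            raise ValueError(f"unexpected row: {row!r}")
        rec = {c: int(v) if re.fullmatch(r"-?\d+", v) else v for c, v in zip(columns, fields)}
        rec[code_column + "_desc"] = codes.get(rec[code_column], rec[code_column])
        out.append(rec)
    return out


def unblocked_attackers(detected, blacklist) -> list:
    """MACs that were detected attacking but are not, or are no longer, in the dynamic blacklist."""
    blocked = {b["mac"] for b in blacklist}
    return sorted(d["mac"] for d in detected if d["mac"] not in blocked)


if __name__ == "__main__":
    detected = parse_display(ATTACK_DETECTED_OUTPUT, DETECT_COLUMNS, "attack")
    blacklist = parse_display(DYNAMIC_BLACKLIST_OUTPUT, BLACKLIST_COLUMNS, "reason")
    print("detected but not blacklisted:", unblocked_attackers(detected, blacklist))
```

    The cross-check is the useful part: a MAC that appears under attack-detected but not in the dynamic blacklist either had its entry age out (the aging time here is 200 seconds, much shorter than the quiet time) or was detected by a radio on which the dynamic blacklist is not in effect, and either case is worth a look before trusting the blacklist alone.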
Configuration files
  • Configuration file of SwitchA

    #
    sysname SwitchA
    #
    vlan batch 100
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk pvid vlan 100
     port trunk allow-pass vlan 100
     port-isolate enable group 1
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    return
  • Configuration file of SwitchB

    #
    sysname SwitchB
    #
    vlan batch 100 to 101
    #
    dhcp enable
    #
    interface Vlanif101
     ip address 10.23.101.1 255.255.255.0
     dhcp select interface
     dhcp server gateway-list 10.23.101.2
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 100 to 101
    #
    interface GigabitEthernet0/0/3
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    return
  • Configuration file of Router

    #
    sysname Router
    #
    vlan batch 101
    #
    interface Vlanif101
     ip address 10.23.101.2 255.255.255.0
    #
    interface GigabitEthernet1/0/0
     port link-type trunk
     port trunk allow-pass vlan 101
    #
    return
  • Configuration file of the AC

    #
    sysname AC
    #
    vlan batch 100 to 101
    #
    dhcp enable
    #
    interface Vlanif100
     ip address 10.23.100.1 255.255.255.0
     dhcp select interface
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 101
    #
    capwap source interface vlanif100
    #
    wlan
     security-profile name wlan-net
      security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
     ssid-profile name wlan-net
      ssid wlan-net
     vap-profile name wlan-net
      forward-mode tunnel
      service-vlan vlan-id 101
      ssid-profile wlan-net
      security-profile wlan-net
     regulatory-domain-profile name default
     wids-profile name default
      flood-detect interval 70
      flood-detect threshold 350
      flood-detect quiet-time 700
      brute-force-detect interval 70
      brute-force-detect threshold 25
      brute-force-detect quiet-time 700
     ap-system-profile name wlan-system
      dynamic-blacklist aging-time 200
     ap-group name ap-group1
      ap-system-profile wlan-system
      wids-profile default
      radio 0
       vap-profile wlan-net wlan 1
       wids attack detect flood enable
       wids attack detect wpa2-psk enable
      radio 1
       vap-profile wlan-net wlan 1
       wids attack detect flood enable
       wids attack detect wpa2-psk enable
     ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
      ap-name area_1
      ap-group ap-group1
      radio 0
       channel 20mhz 6
       eirp 127
       calibrate auto-channel-select disable
       calibrate auto-txpower-select disable
      radio 1
       channel 20mhz 149
       eirp 127
       calibrate auto-channel-select disable
       calibrate auto-txpower-select disable
    #
    return

This article was contributed by an internet user and represents the author's views only. Source: http://www.mfbz.cn/a/426375.html
