2025-03-26 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
WLAN Security
II. Wireless device detection process
[AC-wlan-view]air-scan-profile name air-scan #Create an air scan profile
[AC-wlan-air-scan-prof-air-scan]scan-channel-set country-channel #Configure the air scan channel set
[AC-wlan-air-scan-prof-air-scan]scan-interval 60000 #Configure the air scan interval as 60000ms (optional)
[AC-wlan-air-scan-prof-air-scan]scan-period 60 #Configure the air scan duration as 60ms (optional)
[AC-wlan-air-scan-prof-air-scan]quit
[AC-wlan-view]radio-5g-profile name 5G
[AC-wlan-radio-5g-prof-5G]air-scan-profile air-scan #Bind the air scan profile to the 5G radio profile
[AC-wlan-radio-5g-prof-5G]quit
[AC-wlan-view]wids-profile name WIDS
[AC-wlan-wids-prof-WIDS]contain-mode spoof-ssid-ap #Contain APs that use spoofed SSIDs
[AC-wlan-wids-prof-WIDS]device report-interval 300 #Configure the interval for reporting detected wireless devices as 300s
[AC-wlan-wids-prof-WIDS]device synchronization-interval 360 #Configure the interval for reporting the full list of detected wireless devices as 360 minutes
[AC-wlan-wids-prof-WIDS]brute-force-detect interval 70 #Brute-force detection period is 70s
[AC-wlan-wids-prof-WIDS]brute-force-detect threshold 25 #Number of errors is 25
[AC-wlan-wids-prof-WIDS]brute-force-detect quiet-time 700 #Quiet time is 700s
[AC-wlan-wids-prof-WIDS]flood-detect interval 70 #Flood detection period is 70s
[AC-wlan-wids-prof-WIDS]flood-detect threshold 350 #Flood detection threshold is 350
[AC-wlan-wids-prof-WIDS]flood-detect quiet-time 700 #Quiet time is 700s
[AC-wlan-wids-prof-WIDS]dynamic-blacklist enable #Enable the dynamic blacklist
[AC-wlan-wids-prof-WIDS]quit
[AC-wlan-view]ap-system-profile name ap-system
[AC-wlan-ap-system-prof-ap-system]dynamic-blacklist aging-time 200 #Dynamic blacklist entries age out after 200s
[AC-wlan-ap-system-prof-ap-system]quit
[AC-wlan-view]wids-spoof-profile name wids-spoof
[AC-wlan-wids-spoof-prof-wids-spoof]spoof-ssid fuzzy-match regex
[AC-wlan-wids-spoof-prof-wids-spoof]quit
[AC-wlan-view]ap-group name office-group
[AC-wlan-ap-group-office-group]vap-profile VAP wlan 1 radio all
[AC-wlan-ap-group-office-group]wids-profile WIDS
[AC-wlan-ap-group-office-group]ap-system-profile ap-system
[AC-wlan-ap-group-office-group]radio 0
[AC-wlan-group-radio-group/0]wids device detect enable #Enable device detection
[AC-wlan-group-radio-group/0]wids contain enable #Enable containment of rogue devices
[AC-wlan-group-radio-group/0]wids attack detect enable wpa2-psk #Detect brute-force key cracking against WPA2-PSK
[AC-wlan-group-radio-group/0]wids attack detect enable flood #Detect flood attacks
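A simplified model of how the brute-force-detect interval, threshold and quiet-time values and the dynamic blacklist aging time configured above interact, as an added example that is not part of the original article and is not Huawei's implementation. It assumes a sliding detection window and an alarm when the failure count reaches the threshold; the MAC addresses and timestamps are constructed sample data.

```python
from collections import defaultdict, deque

# Values copied from the WIDS and AP system profiles above (seconds, except THRESHOLD).
INTERVAL, THRESHOLD, QUIET_TIME, AGING_TIME = 70, 25, 700, 200

def detect_brute_force(failures, interval=INTERVAL, threshold=THRESHOLD,
                       quiet_time=QUIET_TIME, aging_time=AGING_TIME):
    """failures: (timestamp_s, sta_mac) tuples sorted by time.
    Returns (alarms, blacklist): alarms is a list of (ts, mac); blacklist maps
    mac -> time at which its most recent blacklist entry ages out."""
    window = defaultdict(deque)   # mac -> timestamps of recent key failures
    quiet_until = {}              # mac -> time until which alarms are suppressed
    blacklist = {}                # mac -> expiry time of the blacklist entry
    alarms = []
    for ts, mac in failures:
        if blacklist.get(mac, 0) > ts:
            continue              # frames from a blacklisted STA are dropped
        q = window[mac]
        q.append(ts)
        while q and q[0] <= ts - interval:
            q.popleft()           # keep only failures inside the detection period
        if len(q) >= threshold:
            blacklist[mac] = ts + aging_time   # (re)add to the dynamic blacklist
            q.clear()
            if quiet_until.get(mac, 0) <= ts:  # report once per quiet time
                alarms.append((ts, mac))
                quiet_until[mac] = ts + quiet_time
    return alarms, blacklist

def sample_events():
    """Constructed sample: one STA failing every 2 s, one user mistyping 3 times."""
    noisy = [(t, "aa:bb:cc:00:00:01") for t in range(0, 801, 2)]
    user = [(t, "aa:bb:cc:00:00:02") for t in (10, 300, 650)]
    return sorted(noisy + user)

if __name__ == "__main__":
    alarms, blacklist = detect_brute_force(sample_events())
    print(alarms, blacklist)
```

In the sample, the noisy station is alarmed at 48 s and blacklisted each time it reaches the threshold again, but the second alarm is raised only at 792 s, after the 700 s quiet time has passed. With the 200 s aging time being shorter than the quiet time, the station gets several retry windows between alarms.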
Wired networks are managed separately; wireless networks are managed centrally
AP5030: dual GE ports; GE0 supports PoE, GE1 does not support PoE
AP5130: dual GE ports; GE0 supports PoE, GE1 does not support PoE
AP7030: dual GE ports; GE0 supports PoE, GE1 does not support PoE
Switch naming convention:
S5720S-52P-SI-AC, S5720-52X-PWR-SI-ACF (S5700)
S stands for campus
7 stands for enterprise class
20 stands for the next generation
20 means dual power supplies; 20S means a single power supply (supports RPS redundancy, mainly for distribution)
X stands for 10 Gigabit uplink (4 Gigabit SFP+); P stands for Gigabit uplink (4 Gigabit SFP)
PWR stands for PoE model
ACF: PoE+ full version
DC stands for direct current, used in special industries
TP stands for photoelectric multiplexing
C stands for optional
Q stands for 40Gb
LI stands for simplified version
SI stands for standard edition
EI stands for enhanced version
HI stands for premium edition
27, 37, 57, 97 are enterprise-class devices (the 7 in the middle stands for enterprise class)
23, 33, 53, 93 are carrier-grade devices (the 3 in the middle stands for carrier grade)
A model with the S suffix is a distribution model; the price is slightly lower, similar to a promotion (models with S also carry the original 1-year warranty)
S5720SI combo ports do not support stacking
When S5720SI switches are stacked, the stack member ports on the same device must be either all SFP+/SFP ports or all standard Ethernet ports.
Outline design (planning engineer)
Requirements clarification checklist, engineering survey information, product model, WLAN Planner tool
Planning report and AP list: mainly AP locations, AP power, channels, basic antenna parameters and signal simulation
A project involving multiple APs should be planned with tools (generally buy an extra 10% of equipment as spares, and check whether the budgeted cost differs too much)
After-sales engineering survey (service engineer, customer, builder, integrator)
Requirements clarification checklist, outline design; confirm the installation points, the cable routing for each point and the installation plan with the integrator
Engineering survey information: specific installation scheme, routing scheme
Detailed design (service engineer, customer, builder, integrator)
Requirements clarification checklist, outline design, after-sales engineering survey information
The detailed design report mainly covers installation, network configuration, security configuration, service configuration, etc.
Confirm whether the on-site building matches the drawings, mark the areas that do not match, take photos where possible, mark room numbers and obstacles, and pay attention to the key points
Deployment (network planning engineer, construction party)
Construction deployment and on-site supervision (it is best to take part, to check whether the construction follows the design and what problems come up in the process, since these may affect the quality of the network later)
Install the AP with its network port facing downward so that water does not seep into the port
Operation and maintenance (IT operation and maintenance personnel)
Mainly management of WLAN equipment, switches and other network equipment, including status monitoring, viewing alarms, etc.
Optimization
Network information collection (service engineers, customers)
Customer needs, network issues
Requirements clarification report: including network topology, building drawings, equipment models, etc.
Network assessment (service engineer)
Requirements clarification report, WLAN Tester tool
AP capacity planning
Network status analysis report
How WLAN Data Forwarding Works
CSMA/CA: Carrier Sense Multiple Access/Collision Avoidance. Because wireless works in half-duplex mode, only one device can send packets at a time in the same area; CSMA/CA avoids overlapping signals on the same frequency, which would make them impossible to demodulate
CSMA/CD: Carrier Sense Multiple Access/Collision Detection (Ethernet)
The nominal power of the equipment is 100mW, which refers to the energy delivered to the antenna by the chip. Once the signal enters the air, it is diluted. The value is positive while the signal is carried in the wire and negative once it is in the air. The unit of wireless power is dBm; dB is only a counting unit.
It is suggested that the coverage radius of a single AP be planned as 20 meters, and the limit value of maximum emission intensity should be dBm.
1. Key areas: the main areas where users access the Internet shall be kept at -40 to -65dBm. Too much power easily overloads the receiver, and too little power lowers the connection rate.
2. Edge: -75dBm or more
3. Interference: the field strength of a co-channel interference source in the same area shall not be greater than -80dBm
4. Wireless roaming: signals from other APs must be present at the coverage boundary of an AP, and a 20% overlap area generally needs to be maintained.
Reception sensitivity (rate depends only on signal strength)
-75dBm for STA, -105dBm for AP, -95dBm for WLAN ambient noise
512kbps can meet the requirements of ordinary video services, 256kbps can meet the requirements of general service bandwidth
Total system bandwidth = total users * concurrency rate * bandwidth requirement per user
Number of APs = Total bandwidth requirement/Bandwidth per AP
Installation method: (the AP must be installed where people cannot touch it directly)
Indoor installation type: wall hanging, ceiling, ceiling wall, ceiling, bearing column
Indoor distribution: antennas connected through feeders, power splitters, couplers, etc.
Outdoor type: roof holding pole, ground holding pole, external wall hanging; building roof, building external wall, ground
The indoor distribution AP sends out signals through feeder lines connected to external antennas
Combiner: combines multiple input signals into one output and, in the reverse direction, filters and separates the mixed signals
Power splitter: divides one signal equally into two or three paths
Coupler: takes the required signal energy from the trunk line for the near-end antenna and passes more signal energy on to the far-end antenna.
Antennas are designed to concentrate energy toward a single point, which increases the transmit power
Local forwarding: also known as direct forwarding. The AC only manages the APs, and service data is forwarded directly locally.
Centralized forwarding: also known as tunnel forwarding. Service data packets are encapsulated by the AP and sent to the AC for forwarding. The AC not only manages the APs but also serves as the forwarding hub for AP traffic.
Application:
Local forwarding: suited to campus networks; the burden on the AC is small
Centralized forwarding: suited to small businesses, mainly for security control policy
Layer 2 roaming stays in the same address segment
Layer 3 roaming switches between different network segments (when a terminal applies for association with AP1, the AC creates the relevant user data; when the terminal first crosses into the AP2 network, it is disconnected and re-associated, and the database information is updated)
Some terminals cannot be authenticated and need a version to be flashed. Some PoE switches are not fully equipped with power supply, so deploy according to actual conditions.
Common reasons for AP upgrade failure
1. Link disconnection
2. Insufficient AP memory
3. AP upgrade file error
4. The upgrade control block is full, or the number of APs downloading has reached the maximum number of FTP connections.
5. FTP configuration error
6. The network transmission capacity is too low, so the transfer exceeds the maximum transmission time.
Reasons for slow speed
1. Low user access rate
2. Poor wireless environment with serious interference
3. Too many users
4. Too many low-rate users degrade network performance
5. Poor wired network quality
6. Poor terminal network card performance
Some older PCs cannot connect to the AP. Try installing the latest network card; some cases are network card compatibility issues.