2025-03-28 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
WAPI (WLAN Authentication and Privacy Infrastructure) is the authentication and security infrastructure for wireless local area networks, a wireless security standard proposed by China and based on the 802.11 wireless protocol.
It consists of two parts:
1. WAI, the WLAN Authentication Infrastructure, is the security scheme for identity authentication and key management in a WLAN.
2. WPI, the WLAN Privacy Infrastructure, is the security scheme for protecting data transmission in a WLAN (data encryption, data authentication and replay protection).
AC (access controller): associates with, controls and manages the APs under it.
AP (access point): an entity that provides distributed access services to wireless terminals over the wireless medium.
STA (station): a wireless terminal device (mobile phone, laptop, etc.).
FAT AP: a traditional (autonomous) AP; it cannot be used in association with an AC.
PSK (pre-shared key): a static key issued to the STA.
AS (authentication server): authenticates users and devices; it is an important part of certificate-based WAI, which relies on public key technology.
BK (base key): used to derive the unicast session key; it is either negotiated through the certificate authentication process or derived from the pre-shared key.
Configuration approach:
The configuration details are as follows.
In factory AC mode, enter cn in.
oap connect slot 0    # enters switch mode
Add the VLAN to the appropriate interface
oap reboot
The AC has two modes. Switch-mode configuration:
Step 1: configure the IP address for the VLAN interface.
vlan 1002
interface vlan-interface 1002
ip address 192.168.100.1 255.255.255.0
Step 2: configure the aggregation group (group 1 by default).
interface bridge-aggregation 1    # aggregation groups are configured in this order
interface GigabitEthernet1/0/1
port link-aggregation group 1
interface GigabitEthernet1/0/2
port link-aggregation group 1
interface bridge-aggregation 1
port link-type trunk
port trunk permit vlan all    # allow all VLANs through
Step 3: configure routing.
ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
The above is the configuration in switch mode.
Step 4: press CTRL+K to exit switch mode and return to AC mode.
The same steps apply there: create the VLAN interface, set the trunk, and add the route.
Configuration in AC mode
Step 5: configure the AC management VLAN address; it must not be the same as the address used in switch mode.
vlan 1002
interface vlan-interface 1002
ip address 192.168.100.3 255.255.255.0
Step 6: aggregation group 1 is the default.
interface bridge-aggregation 1    # aggregation groups are configured in this order
interface GigabitEthernet1/0/1
port link-aggregation group 1
interface GigabitEthernet1/0/2
port link-aggregation group 1
interface bridge-aggregation 1
port link-type trunk
port trunk permit vlan all    # allow all VLANs through (access mode also works)
Step 7: configure routing.
ip route-static 0.0.0.0 0.0.0.0 192.168.100.254
ping 192.168.1.254    # test network connectivity
Step 8: activate the AP serial number on the vendor's official website.
display device serial-number    # shows the serial number and check value
license register ap <authorization serial number>
Create the IP addresses for the AP management segment and the service segment.
vlan 10
description client    # computer and mobile phone terminals
vlan 20
description AP    # fit AP
interface Vlan-interface10
ip address 192.168.10.254 255.255.255.0
interface Vlan-interface20
ip address 192.168.20.254 255.255.255.0
dhcp enable    # enable DHCP
dhcp server ip-pool wlan-user
network 192.168.10.0 mask 255.255.255.0
gateway-list 192.168.10.254
dns-list 202.106.0.20
option 43 hex 80 0B 00 00 02 XX XX XX XX XX XX XX XX    # the AC's AC-mode IP address(es), each converted from decimal to hexadecimal
dhcp server ip-pool wlan-ap
network 192.168.20.0 mask 255.255.255.0
gateway-list 192.168.20.254
option 43 hex 80 0B 00 00 02 XX XX XX XX XX XX XX XX    # 0B = 11 bytes follow: 00 00, the count 02, then two 4-byte addresses
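The option 43 string has to be typed as raw hex, and a length or count byte that does not match the addresses that follow is the usual reason an AP never finds its AC. The following script, added here as an example and not part of the original page, builds the string from dotted-decimal AC addresses using the layout shown above (80, length, 00 00, count, addresses) and decodes a string back while checking that the length and count bytes agree with the bytes present. The address 192.168.100.3 is the AC-mode management address from the page; the exact sub-option layout is taken from the page's own example and should be checked against your AC's documentation.

```python
import ipaddress

# Sub-option type byte used by the page's option 43 examples ("80 0B 00 00 02 ...").
AC_SUBOPTION_TYPE = 0x80


def build_option43_hex(ac_ips):
    """Build the hex string for 'option 43 hex ...' carrying the AC address list.

    Layout, following the page's example: 80 | length | 00 00 | count | ip1 ip2 ...
    'length' counts every byte after it: 2 reserved bytes + 1 count byte + 4 per address.
    """
    if not 1 <= len(ac_ips) <= 255:
        raise ValueError("need between 1 and 255 AC addresses")
    payload = bytes([0x00, 0x00, len(ac_ips)])
    for ip in ac_ips:
        payload += ipaddress.IPv4Address(ip).packed   # dotted decimal -> 4 raw bytes
    raw = bytes([AC_SUBOPTION_TYPE, len(payload)]) + payload
    return " ".join(f"{b:02X}" for b in raw)


def parse_option43_hex(hex_text):
    """Decode a string such as '80 07 00 00 01 C0 A8 64 03' back into AC addresses.

    Raises ValueError when the length or count byte does not match the bytes present,
    which is exactly the slip a hand-typed hex string tends to contain.
    """
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    if len(raw) < 5 or raw[0] != AC_SUBOPTION_TYPE:
        raise ValueError("not an AC address sub-option")
    length, count = raw[1], raw[4]
    if length != len(raw) - 2:
        raise ValueError(f"length byte says {length}, but {len(raw) - 2} bytes follow")
    if length != 3 + 4 * count:
        raise ValueError(f"count {count} does not match length {length}")
    addresses = raw[5:]
    return [str(ipaddress.IPv4Address(addresses[i:i + 4]))
            for i in range(0, len(addresses), 4)]


if __name__ == "__main__":
    # 192.168.100.3 is the AC-mode management address configured on the page.
    print(build_option43_hex(["192.168.100.3"]))                   # 80 07 00 00 01 C0 A8 64 03
    print(build_option43_hex(["192.168.100.3", "192.168.100.4"]))  # 80 0B 00 00 02 ...
```

Run the decoder over the string you are about to paste into the DHCP pool; a mismatch between the count byte and the number of address bytes is rejected before it reaches the AC.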
interface WLAN-ESS 1    # create a wireless virtual interface
port access vlan 10    # matches the client VLAN above
1. port-security port-mode psk    # PSK authentication and encryption
2. port-security tx-key-type 11key
3. port-security preshared-key pass-phrase <password>    # items 1-3 are the encryption authentication; skip them for an unencrypted network
BSS (basic service set) is the basic unit that provides service in an 802.11 network.
SSID: service set identifier, used to distinguish between BSSs.
BSSID: the fixed MAC address of one AP; a client cannot roam to another AP with it.
ESSID: not tied to one AP's MAC address; a client can roam across the other APs that share it.
wlan service-template 10 crypto    # create a wireless service template (use clear instead of crypto for a network without a password)
ssid <name>    # the wireless network name
bind wlan-ess 1    # bind the virtual interface
beacon ssid-hide    # hide the wireless network name in beacons
1. cipher-suite ccmp
2. security-ie rsn    # see requirements; items 1-2 are not needed for an unencrypted network
service-template enable    # must be enabled; disable it before changing the password
Register the AP
wlan ap 1 model WA2110-GN    # 1 is a locally chosen AP id; WA2110-GN is the AP model
serial-id 210235A0UFC13A000101    # the AP serial number
radio 1
channel 6    # the channel can also be set to auto as required
service-template 10    # apply the service template
radio enable
radio 2
channel 6    # to avoid interference, use a different channel or band for this radio
service-template 10    # apply whichever wireless template you defined
radio enable
Additional: if two ACs work as master and standby
wlan backup-ac ip <address of the other AC in AC mode>
hot-backup enable domain 1    # 1 is a locally chosen domain id
hot-backup vlan 1002
Probing
wlan ap-execute ap1 exec-console enable    # enable the telnet console on the AP
View commands
display wlan ap name ap1 address    # "ap1" is the AP name
display hot-backup state
display wlan ap name www
display wlan ap all    # the status is "Run" when a fit AP has registered with the wireless controller successfully; otherwise it is "Idle"
Configuration flow chart
Configuration on the PoE switch
vlan 20
interface GigabitEthernet1/0/1    # uplink interface (connected to the aggregation switch port)
port link-type trunk
port trunk permit vlan all
interface GigabitEthernet1/0/2    # downlink interface (connected to the wireless AP)
port access vlan 20
poe enable
The AP converts 802.11 MAC frames to wired network frames (STA-to-STA traffic under the same AP does not need conversion).
802.11 defines two wireless-medium physical layers: the RF physical layer (2.4 GHz and 5 GHz) and the infrared physical layer.
At 2.4 GHz, a computer's receive sensitivity is higher than a mobile phone's.
In general, reserve 10% extra APs for a deployment, and mount each AP with its network port facing downward to avoid water seepage.
Step 5: install the AP and the outdoor AP template:
[AC] wlan
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360    # add the AP
[AC] interface wlan-ess 0    # create the wlan-ess interface (bound to the service set later)
[AC-Wlan-Ess0] port link-type hybrid
[AC-Wlan-Ess0] port hybrid untagged vlan 100    # add service VLAN 100 to wlan-ess0
[AC] wlan
[AC-wlan-view] wmm-profile name test    # create the WMM profile (can be used for QoS)
[AC-wlan-view] radio-profile name 2.4G-test    # create a radio profile named 2.4G-test
[AC-wlan-radio-prof-2.4G-test] wmm-profile name test    # bind the WMM profile
[AC-wlan-radio-prof-2.4G-test] radio-type 802.11bgn    # radio type (all 2.4 GHz modes supported)
[AC-wlan-radio-prof-2.4G-test] channel-switch announcement enable    # channel switching without interruption
[AC-wlan-view] radio-profile name 5G-test    # create a radio profile named 5G-test
[AC-wlan-radio-prof-5G-test] wmm-profile name test
[AC-wlan-radio-prof-5G-test] radio-type 802.11an    # radio type (5 GHz supported)
[AC-wlan-radio-prof-5G-test] channel-switch announcement enable    # channel switching without interruption
[AC-wlan-radio-prof-5G-test] channel-mode auto    # automatic channel selection
[AC] wlan
[AC-wlan-view] traffic-profile name test    # traffic profile, can be used for QoS
[AC-wlan-view] security-profile name test    # security profile, provides encryption
[AC-wlan-sec-prof-test] security-policy wpa2    # authentication method WPA2
[AC-wlan-sec-prof-test] wpa2 authentication-method psk pass-phrase simple 12345678 encryption-method ccmp    # WPA2 pre-shared key 12345678 with CCMP encryption
[AC-wlan-view] ap 1 radio 0    # configure the radio of AP1
[AC-wlan-radio-1/0] radio-profile name 2.4G-test    # bind 2.4G-test (2.4 GHz)
[AC-wlan-radio-1/0] channel 20mhz 1    # set bandwidth and channel
[AC-wlan-radio-1/0] service-set name test1    # bind service set test1
[Quidway-wlan-view] ap id 0
[Quidway-wlan-ap-0] access priority 5g    # enable 5 GHz priority access for AP0
Config: initializing configuration
Step 9: add the AP automatically
[AC-wlan-view] ap-confirm all    # after the 9430 is online, use this command to bring the R240D online; apply it when no information is shown
Step 10: if the AP is not found, run the following command to delete it
[AC-wlan-view] undo ap ap-id 0    # delete the AP with ap-id 0
Definition: a wireless distribution system (WDS) connects two or more independent wired or wireless LANs over a wireless link to form an interconnected network for data access.
With traditional WLAN services, the AP must be connected to an existing wired network to provide network access to wireless users
(cabling, power supply, switching equipment and so on are costly and take a long time to deploy).
With WLAN WDS technology, APs can be connected wirelessly, and an AP can reach the AC over a wireless connection.
Features: convenient network deployment and installation, flexible networking, low cost, high performance and good scalability.
Usage rules:
Wireless bridge: a functional entity that provides WDS services on a radio. The bridge is essentially an AP, but this kind of AP does not work alone: the AC must configure the AP as a wireless bridge before the AP can provide wireless connection services.
VAP means virtual AP.
When a service set (service-set) is bound to an AP radio, a VAP is generated; one VAP is one wireless signal. One radio of an AP can broadcast up to 16 VAPs, that is, 16 wireless signals with different names (SSIDs).
Service VAP: the AP provides a WLAN service access point for STAs; also called a business VAP.
Bridge-type VAP: the AP bridge provides an access point for neighbouring bridges to establish a wireless virtual link.
WVL (wireless virtual link): a connection established between two bridge-type VAPs belonging to different AP bridges.
Management WVL: used for inter-AP management; it is the foundation on which the WDS environment is built.
Service WVL: used to carry users' service traffic.
Working modes of an AP under WDS (root/middle/leaf): root AP - middle AP, middle AP - leaf AP, leaf AP - STA.
Root mode: the AP is wired directly to the AC and provides bridge access downward to AP-type bridges with its terminal bridge (a root AP connects up to 6 leaf APs, depending on distance).
Middle mode: the terminal bridge connects upward to an AP bridge, and the AP bridge provides bridge access to STAs (intermediate bridging AP).
Leaf mode: the AP acts as a leaf node; its terminal bridge connects upward to an AP-type bridge (the AP that terminals connect to).
Connection modes: the AP connected to the AC must be set to root mode. Under a root AP, both middle APs and leaf APs can be connected directly; under a middle AP, only leaf APs can be connected.
Whitelists
The AP whitelist on the AC controls whether an AP may register with the AC.
The bridge whitelist controls whether a WDS wireless bridge may be established between two APs.
The bridge whitelist on a root AP controls access by middle and leaf APs.
The bridge whitelist on a middle AP controls access by leaf APs.
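The mode and whitelist rules above are easy to get wrong once more than three bridges are involved, and a mistake shows up only after each AP has been reset. The validator below is an added example, not code from the page or from any vendor: it takes a planned WDS topology and reports every violation of the page's rules before anything is pushed to the AC (the AC-connected AP must be root, root may carry middle or leaf, middle may carry only leaf, a root carries at most 6 bridged children, and every child's MAC must be in its parent's bridge whitelist). The sample topology is the page's AP1/AP2/AP3 chain; AP1's own MAC is a constructed placeholder, while 2222-2222-2222 and 3333-3333-3333 are the whitelist entries from the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# From the page: "root mode connects up to 6 leaf APs (depending on distance)".
MAX_ROOT_CHILDREN = 6

# Which modes may hang directly below which parent mode (the page's "Connection modes" rule).
ALLOWED_CHILDREN = {"root": {"middle", "leaf"}, "middle": {"leaf"}, "leaf": set()}


@dataclass
class Bridge:
    name: str
    mac: str                       # AP MAC in the page's xxxx-xxxx-xxxx style
    mode: str                      # "root", "middle" or "leaf"
    wired_to_ac: bool = False
    uplink: Optional[str] = None   # name of the parent bridge; None for a root
    whitelist: Set[str] = field(default_factory=set)   # peer MACs permitted on this bridge


def validate_wds(bridges: List[Bridge]) -> List[str]:
    """Return a list of rule violations; an empty list means the topology is consistent."""
    by_name = {b.name: b for b in bridges}
    children = {b.name: [] for b in bridges}
    problems = []
    for b in bridges:
        if b.mode not in ALLOWED_CHILDREN:
            problems.append(f"{b.name}: unknown mode {b.mode!r}")
            continue
        if b.wired_to_ac and b.mode != "root":
            problems.append(f"{b.name}: wired to the AC, so it must be root, not {b.mode}")
        if b.mode == "root":
            if b.uplink is not None:
                problems.append(f"{b.name}: a root AP has no wireless uplink")
            continue
        if b.uplink is None:
            problems.append(f"{b.name}: {b.mode} AP needs an uplink bridge")
            continue
        parent = by_name.get(b.uplink)
        if parent is None:
            problems.append(f"{b.name}: uplink {b.uplink!r} is not a known bridge")
            continue
        children[parent.name].append(b)
        if b.mode not in ALLOWED_CHILDREN.get(parent.mode, set()):
            problems.append(f"{b.name}: a {b.mode} AP cannot sit under a {parent.mode} AP ({parent.name})")
        if b.mac not in parent.whitelist:
            problems.append(f"{b.name}: MAC {b.mac} is not in the bridge whitelist of {parent.name}")
    for name, kids in children.items():
        if by_name[name].mode == "root" and len(kids) > MAX_ROOT_CHILDREN:
            problems.append(f"{name}: root AP has {len(kids)} bridged children, limit is {MAX_ROOT_CHILDREN}")
    return problems


def page_topology() -> List[Bridge]:
    """The three-AP chain configured on the page: AP1 root -> AP2 middle -> AP3 leaf.

    AP1's MAC is a constructed placeholder; the other two MACs are the page's whitelist entries.
    """
    return [
        Bridge("AP1", "1111-1111-1111", "root", wired_to_ac=True, whitelist={"2222-2222-2222"}),
        Bridge("AP2", "2222-2222-2222", "middle", uplink="AP1", whitelist={"3333-3333-3333"}),
        Bridge("AP3", "3333-3333-3333", "leaf", uplink="AP2"),
    ]


if __name__ == "__main__":
    for problem in validate_wds(page_topology()) or ["topology is consistent"]:
        print(problem)
```

Feed it the planned bridge list before typing the bridge-whitelist and bridge enable mode commands; a leaf whose MAC was never added to its parent's whitelist, or a middle AP placed under another middle AP, is reported by name.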
[AC] wlan
[AC-wlan-view] wmm-profile name wp01    # create the WMM profile
[AC-wlan-wmm-prof-wp01] quit
[AC] wlan
[AC-wlan-view] radio-profile name rp01
[AC-wlan-radio-prof-rp01] wmm-profile name wp01    # configure the radio profile and bind it to the AP radio
[AC-wlan-radio-prof-rp01] radio-type 802.11an    # change the radio type to 802.11an, used to bind the 5 GHz radio
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name rp01
[AC-wlan-radio-1/0] quit
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] wpa2 authentication-method psk pass-phrase simple 12345678 encryption-method ccmp
[AC-wlan-sec-prof-sp01] quit
[AC-wlan-view] bridge-profile name bp01
[AC-wlan-bridge-prof-bp01] bridge-name chinanet01
[AC-wlan-bridge-prof-bp01] vlan tagged 101 to 106    # allow the service VLANs through, but not the management VLAN, otherwise a loop forms
[AC-wlan-bridge-prof-bp01] security-profile name sp01
[AC] wlan
[AC-wlan-view] bridge-whitelist name bw01    # configure the bridge whitelist
[AC-wlan-br-whitelist-bw01] peer ap mac 2222-2222-2222
[AC-wlan-view] bridge-whitelist name bw02
[AC-wlan-br-whitelist-bw02] peer ap mac 3333-3333-3333
[AC-wlan-view] ap 1 radio 1    # configure AP1 as the root AP
[AC-wlan-radio-1/1] bridge-profile name bp01
[AC-wlan-radio-1/1] bridge enable mode root
Info: This action will take effect after resetting ap.
[AC-wlan-radio-1/1] bridge whitelist enable
[AC-wlan-radio-1/1] bridge-whitelist name bw01
[AC-wlan-radio-1/1] quit
[AC-wlan-view] ap 2 radio 1    # configure AP2 as a middle AP
[AC-wlan-radio-2/1] bridge-profile name bp01
[AC-wlan-radio-2/1] bridge enable mode middle
Info: This action will take effect after resetting ap.
[AC-wlan-radio-2/1] bridge whitelist enable
[AC-wlan-radio-2/1] bridge-whitelist name bw02
[AC-wlan-radio-2/1] quit
[AC-wlan-view] ap 3 radio 1    # configure AP3 as a leaf AP
[AC-wlan-radio-3/1] bridge-profile name bp01
[AC-wlan-radio-3/1] bridge enable mode leaf
Info: This action will take effect after resetting ap.
[AC] wlan
[AC-wlan-view] service-set name ss01
[AC-wlan-service-set-ss01] security-profile name sp01
[AC-wlan-service-set-ss01] service-vlan 101
Info: This action may cause service interruption if you don't execute commit command.
[AC-wlan-service-set-ss01] ssid chinaser01
[AC-wlan-service-set-ss01] wlan-ess 1
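The security settings in the configurations above (the service template's crypto or clear keyword, the WLAN-ESS preshared-key line, and the security-profile wpa2 ... pass-phrase simple 12345678 line) are the lines worth re-checking before a configuration goes live: a template created with clear is an open network, and a passphrase given with simple is stored readably in the running configuration. The linter below is an added example, not part of the page; it scans a configuration dump for those patterns and rates each pre-shared key. The sample configuration is constructed from the page's own command lines, the cipher form is assumed to be the alternative to simple on these platforms, and the 12-character minimum is a local policy assumption (the WPA2 minimum itself is 8 characters).

```python
import re
from typing import List, Tuple

# Constructed sample assembled from the page's command lines (both H3C-style and Huawei-style).
SAMPLE_CONFIG = """\
wlan service-template 10 crypto
 ssid office
 bind wlan-ess 1
 cipher-suite ccmp
 security-ie rsn
wlan service-template 11 clear
 ssid guest
interface WLAN-ESS 1
 port-security port-mode psk
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase simple 12345678
security-profile name sp01
 wpa2 authentication-method psk pass-phrase simple 12345678 encryption-method ccmp
security-profile name sp02
 wpa2 authentication-method psk pass-phrase cipher PLACEHOLDER-CIPHERTEXT encryption-method ccmp
"""

OPEN_TEMPLATE_RE = re.compile(r"^\s*wlan service-template \d+ clear\b")
PASS_PHRASE_RE = re.compile(r"pass-phrase\s+(simple|cipher)\s+(\S+)")

MIN_POLICY_LENGTH = 12   # local policy assumption; WPA2 itself requires at least 8 characters

Finding = Tuple[int, str, str]   # (line number, rule id, message)


def assess_psk(key: str) -> List[Tuple[str, str]]:
    """Rate a cleartext pre-shared key; returns (rule id, message) pairs."""
    issues = []
    if len(key) < 8:
        issues.append(("invalid-psk", "shorter than the 8-character WPA2 minimum"))
    elif key.isdigit():
        issues.append(("weak-psk", "digits only"))
    elif len(key) < MIN_POLICY_LENGTH:
        issues.append(("weak-psk", f"shorter than the {MIN_POLICY_LENGTH}-character policy minimum"))
    return issues


def lint_wlan_config(text: str) -> List[Finding]:
    """Scan a configuration dump for open templates and readable or weak pre-shared keys."""
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), start=1):
        if OPEN_TEMPLATE_RE.match(line):
            findings.append((number, "open-network", "service template uses clear: no encryption"))
        match = PASS_PHRASE_RE.search(line)
        if match:
            form, key = match.groups()
            if form == "simple":
                findings.append((number, "cleartext-psk",
                                 "passphrase stored with simple; it is readable in the running config"))
                for rule, message in assess_psk(key):
                    findings.append((number, rule, message))
    return findings


if __name__ == "__main__":
    for number, rule, message in lint_wlan_config(SAMPLE_CONFIG):
        print(f"line {number}: {rule}: {message}")
```

Run it over the output of display current-configuration saved to a file; every finding names the line so the template or profile can be fixed before the service set is enabled.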
Configuration steps for a service bridge
Configure route reachability between the AC and the APs (configure the VLANs)
Add the APs offline and set their modes
Create the radio profile and bind the WMM profile
Create the whitelists and add the APs' MAC addresses
Create the bridge profile, set the bridge name, bind the security profile, and configure the VLANs allowed to pass
Set channel, power and AP mode; the change does not take effect until the AP restarts and comes online
Create a service set and bind it to the specified radio of the specified AP
Deliver the service VAP
© 2024 shulou.com SLNews company. All rights reserved.