How to configure the WAPI security policy on WLAN devices

For V200R003 and V200R005, you can perform the following steps on ACs or Fat APs to configure the WAPI security policy:

1. Run the security-profile { id profile-id | name profile-name } * command in the WLAN view to enter the security profile view. The variable profile-id specifies the ID of a security profile, and profile-name specifies the name of the security profile.

2. Run the security-policy wapi command in the security profile view to set the security policy to WAPI.

By default, WAPI uses WAPI-CERT authentication + WPI encryption.

3. Configure the authentication mode for WAPI:

- Set the authentication mode to WAPI-PSK, that is, PSK authentication.

Run the wapi authentication-method psk { pass-phrase | hex } cipher cipher-key command in the security profile view to set the authentication mode to PSK authentication for WAPI and configure the shared key. The variable cipher-key specifies the password in cipher text.

- Set the authentication mode to WAPI-CERT, that is, certificate authentication.

a. Run the wapi authentication-method certificate command in the security profile view to set the authentication mode to certificate authentication for WAPI.

b. For ACs: Run the wapi import certificate { ac | asu | issuer } file-name file-name [ password cipher cipher-password ] command in the security profile view to import the AC certificate file, certificate of the AC certificate issuer, and ASU certificate file. The variable file-name specifies the AC certificate file name, and cipher-password specifies the AC certificate key in cipher text.

For Fat APs: Run the wapi import certificate { ap | asu | issuer } file-name file-name [ password cipher cipher-password ] command in the security profile view to import the AP certificate file, certificate of the AP certificate issuer, and ASU certificate file. The variable file-name specifies the AP certificate file name, and cipher-password specifies the AP certificate key in cipher text.

c. For ACs: Run the wapi import private-key file-name file-name [ password cipher cipher-password ] command in the security profile view to import the AC private key file. The variable file-name specifies the name of the AC private key file, and cipher-password specifies the AC private key file in cipher text.

For Fat APs: Run the wapi import private-key file-name file-name [ password cipher cipher-password ] command in the security profile view to import the AP private key file. The variable file-name specifies the name of the AP private key file, and cipher-password specifies the AP private key file in cipher text.

d. Run the wapi asu ip ip-address command in the security profile view to configure the IP address of the ASU server. The variable ip-address specifies the IP address of the ASU server.

4. Run the commit { all | ap ap-id } command in the WLAN view to deliver configurations to the APs (applicable only to the AC). The variable ap-id specifies the AP ID.
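A completeness check for the WAPI-CERT steps above, as an added example (not Huawei's code or tooling). It assumes the commands entered for one security profile are available as plain text lines in the form given in steps 2 and 3; the function names, file names and the 192.0.2.10 address are constructed.

```python
import re

def required_items(device="ac"):
    """Commands the certificate procedure (steps 3b-3d) needs; Fat APs use 'ap'."""
    return {
        f"{device} certificate": rf"^wapi import certificate {device} file-name \S+",
        "asu certificate": r"^wapi import certificate asu file-name \S+",
        "issuer certificate": r"^wapi import certificate issuer file-name \S+",
        "private key": r"^wapi import private-key file-name \S+",
        "asu ip": r"^wapi asu ip \d{1,3}(\.\d{1,3}){3}$",
    }

def check_wapi_profile(lines, device="ac"):
    """Return findings for one security profile's command lines."""
    cmds = [line.strip() for line in lines if line.strip()]
    if "security-policy wapi" not in cmds:
        return ["security policy is not WAPI"]
    mode = "certificate"  # the page's stated default is WAPI-CERT
    for cmd in cmds:
        m = re.match(r"^wapi authentication-method (psk|certificate)\b", cmd)
        if m:
            mode = m.group(1)  # the last authentication-method line decides
    if mode == "psk":
        return []  # WAPI-PSK carries its shared key on the same command
    return [f"missing: {name}"
            for name, pattern in required_items(device).items()
            if not any(re.match(pattern, cmd) for cmd in cmds)]

# Constructed sample input: a complete AC profile and an incomplete one.
SAMPLE_COMPLETE = """
security-policy wapi
wapi authentication-method certificate
wapi import certificate ac file-name ac.cer
wapi import certificate asu file-name asu.cer
wapi import certificate issuer file-name issuer.cer
wapi import private-key file-name ac.key
wapi asu ip 192.0.2.10
""".splitlines()

SAMPLE_INCOMPLETE = [c for c in SAMPLE_COMPLETE
                     if "issuer" not in c and "asu ip" not in c]

if __name__ == "__main__":
    print(check_wapi_profile(SAMPLE_COMPLETE))
    print(check_wapi_profile(SAMPLE_INCOMPLETE))
```

A profile that sets only security-policy wapi is checked as WAPI-CERT, because that is the default authentication mode.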

Other related questions:
How to configure the WEP security policy on WLAN devices
For V200R003 and V200R005, you can perform the following steps on ACs or Fat APs to configure the WEP security policy:

1. Run the security-profile { id profile-id | name profile-name } * command in the WLAN view to enter the security profile view. The variable profile-id specifies the ID of a security profile, and profile-name specifies the name of the security profile.

2. Run the security-policy wep command in the security profile view to set the security policy to WEP. By default, the security policy is WEP.

By default, WEP uses open system authentication and non-encryption. The default configuration has security risks, so you are advised to configure the Portal security policy or use WPA/WPA2 authentication.

3. Configure the authentication and encryption modes:

- Configure open system authentication + non-encryption:

a. Run the wep authentication-method open-system [ data-encrypt ] command in the security profile view to configure WEP open system authentication.

b. The variable data-encrypt indicates open system authentication and WEP encryption. In this case, you must run the wep key command and the wep default-key command to set the WEP shared key, which is used for generating the encryption key to encrypt WLAN data packets.

- Configure the shared key authentication + WEP encryption:

a. Run the wep authentication-method share-key command in the security profile view to configure WEP shared key authentication.

b. Run the wep key { wep-40 | wep-104 | wep-128 } { pass-phrase | hex } key-id cipher cipher-key-value command in the security profile view to configure the WEP shared key and key ID. The variable key-id specifies the key ID, and cipher-key-value specifies the password in cipher text.

c. Run the wep default-key key-id command in the security profile view to set the key ID of the WEP shared key. The variable key-id specifies the default key ID. A maximum of four WEP keys can be configured, and only one WEP key is valid at a time.

4. Run the commit { all | ap ap-id } command in the WLAN view to deliver configurations to the APs (applicable only to the AC). The variable ap-id specifies the AP ID.

How to configure the WPA and WPA2 security policy on WLAN devices
For V200R003 and V200R005, you can perform the following steps on ACs or Fat APs to configure the WPA/WPA2 security policy:

1. Run the security-profile { id profile-id | name profile-name } * command in the WLAN view to enter the security profile view. The variable profile-id specifies the ID of a security profile, and profile-name specifies the name of the security profile.

2. Run the security-policy { wpa | wpa2 | wpa-wpa2 } command in the security profile view to configure a security policy.

- By default, WPA uses 802.1x authentication + TKIP encryption.

- By default, WPA2 uses 802.1x authentication + CCMP encryption.

- By default, WPA-WPA2 uses 802.1x authentication + TKIP-CCMP encryption.

After the security policy is specified, you can use its default authentication and encryption mode, or perform the following steps to configure the authentication and encryption modes.

3. Configure the authentication and encryption modes:

- Configure 802.1x authentication + TKIP-CCMP encryption:

Run the { wpa | wpa2 | wpa-wpa2 } authentication-method dot1x encryption-method { tkip | ccmp | tkip-ccmp } command in the security profile view to configure the 802.1x authentication and data encryption algorithm for WPA/WPA2.

- Configure PSK authentication + TKIP-CCMP encryption:

Run the { wpa | wpa2 | wpa-wpa2 } authentication-method psk { pass-phrase | hex } cipher cipher-key encryption-method { tkip | ccmp | tkip-ccmp } command in the security profile view to configure the PSK and data encryption algorithm for WPA/WPA2. The variable cipher-key specifies the password in cipher text.

4. Run the commit { all | ap ap-id } command in the WLAN view to deliver configurations to the APs (applicable only to the AC). The variable ap-id specifies the AP ID.

How to check the security policy configuration?
Run the display security-policy command to view the security policy. If the displayed policies do not include the relevant security policy, configure the relevant security policy.

Command for configuring a security policy on the USG6000
The procedure for configuring a security policy on the USG6000 is as follows:

1. Run the security-policy command to access the security policy view from the system view.

2. Run the rule name rule-name command to create a security policy rule in the security policy view and access the security policy rule view.

3. Define the match conditions of the security policy. (Run different commands based on various functions. For details, see "Configuring a Security Policy Using the CLI" in the product documentation.)

4. Run the action { permit | deny } command to configure the action for the security policy rule.

For configuration details, see "Configuring a Security Policy Using the CLI" in the product documentation.
