
Huawei Wireless Access Controllers V200R003C00 Web Platform Configuration Guide-Security Management

Latest reply: Apr 2, 2018 15:42:33

14 Security Management

14.1 AAA

14.1.1 AAA Schemes

Context

Authentication, Authorization, and Accounting (AAA) provides a management mechanism for network security.

AAA provides the following functions:
  • Authentication: determines the users who can access the network. Authentication modes are as follows:
    • Non-authentication: Users are trusted and their validity is not checked. This mode is rarely used.

    • Local authentication: Information about users is configured on a network access server (NAS). Local authentication features fast processing and low operation cost, whereas the amount of information that can be stored is limited by the hardware capacity of the device.

    • Remote authentication: Information about users is configured on an authentication server. Remote authentication supports the Remote Authentication Dial In User Service (RADIUS) protocol and the Huawei Terminal Access Controller Access Control System (HWTACACS) protocol.

  • Authorization: authorizes users to use particular services. Authorization modes are as follows:
    • Non-authorization: Users are not authorized.

    • Local authorization: Users are authorized based on related attributes of the local user accounts configured on the NAS.

    • HWTACACS authorization: A HWTACACS server authorizes users.

    • if-authenticated authorization: Users are authorized after the users pass the authentication in either local or remote authentication mode.

    • RADIUS authorization: Users pass the RADIUS authorization upon passing the RADIUS authentication. RADIUS integrates authentication and authorization. Therefore, RADIUS authorization cannot be performed separately.

  • Accounting: records the use of network resources by users. Accounting modes are as follows:
    • Non-accounting: No accounting is performed for users.

    • Remote accounting: A RADIUS server or a HWTACACS server performs remote accounting.

Procedure

  • Authentication scheme

    • Creating an authentication scheme

    1. Choose Security Management > AAA > AAA Schemes.

      Figure 14-1 AAA Schemes

    2. Click Create in the Authentication Scheme area, and set parameters in the Create Authentication Scheme dialog box that is displayed. Table 14-1 describes the parameters.


    3. Click OK.

      Table 14-1 Authentication scheme parameters

      Parameter

      Description

      Name

      Name of an authentication scheme.

      First authentication mode

      The value can be RADIUS, HWTACACS, Local, or No Authentication.

      Second authentication mode

      The value can be any mode except the first authentication mode. The second mode is used only when the authentication server of the first mode does not respond; if the first mode responds and rejects the user, the login fails and no later mode is tried.

      When the first authentication mode is no authentication, the second authentication mode cannot be configured.

      Third authentication mode

      The value can be a mode except the first and second authentication modes. When the authentication servers of the first and second authentication modes do not respond, the third authentication mode is triggered.

      When the second authentication mode is no authentication or not configured, the third authentication mode cannot be configured.

      Fourth authentication mode

      The value can be no authentication or not configured. When the authentication servers of the first, second, and third modes all fail to respond, the fourth mode is used. Note that configuring no authentication as a fallback admits users without any credential check whenever the preceding servers are unreachable.

      When the third authentication mode is no authentication or not configured, the fourth authentication mode cannot be configured.

    • Modifying an authentication scheme

    1. Choose Security Management > AAA > AAA Schemes.
    2. Select an authentication scheme in the Authentication Scheme area, and click the Modify icon.
    3. In the Modify Authentication Scheme dialog box that is displayed, modify the parameters. The parameter Name cannot be modified.
    4. Click OK.

    • Deleting an authentication scheme

    1. Choose Security Management > AAA > AAA Schemes.
    2. Select the check box of an authentication scheme in the Authentication Scheme area, and click Delete.
    3. In the dialog box that is displayed, click OK.
  • Authorization scheme

    • Creating an authorization scheme

    1. Choose Security Management > AAA > AAA Schemes.
    2. Click Create in the Authorization Scheme area, and set parameters in the Create Authorization Scheme dialog box that is displayed. Table 14-2 describes the parameters.


    3. Click OK.

      Table 14-2 Authorization scheme parameters

      Parameter

      Description

      Name

      Name of an authorization scheme.

      First authorization mode

      The value can be IF-authenticated, HWTACACS, Local, or No Authorization.

      Second authorization mode

      The value can be a mode except the first authorization mode. When the authorization server of the first authorization mode does not respond, the second authorization mode is triggered.

      When the first authorization mode is no authorization, the second authorization mode cannot be configured.

      Third authorization mode

      The value can be a mode except the first and second authorization modes. When the authorization servers of the first and second authorization modes do not respond, the third authorization mode is triggered.

      When the second authorization mode is no authorization or not configured, the third authorization mode cannot be configured.

      Fourth authorization mode

      The value can be no authorization or not configured. When the authorization servers of the first, second, and third authorization modes do not respond, the fourth authorization mode is triggered.

      When the third authorization mode is no authorization or not configured, the fourth authorization mode cannot be configured.

    • Modifying an authorization scheme

    1. Choose Security Management > AAA > AAA Schemes.
    2. Select an authorization scheme in the Authorization Scheme area, and click the Modify icon.
    3. In the Modify Authorization Scheme dialog box that is displayed, modify the parameters. The parameter Name cannot be modified.
    4. Click OK.

    • Deleting an authorization scheme

    1. Choose Security Management > AAA > AAA Schemes.
    2. Select the check box of an authorization scheme in the Authorization Scheme area, and click Delete.
    3. In the dialog box that is displayed, click OK.
  • Accounting scheme

    • Creating an accounting scheme

    1. Choose Security Management > AAA > AAA Schemes.
    2. Click Create in the Accounting Scheme area, and set parameters in the Create Accounting Scheme dialog box that is displayed. Table 14-3 describes the parameters.


    3. Click OK.

      Table 14-3 Accounting scheme parameters

      Parameter

      Description

      Name

      Name of an accounting scheme.

      Accounting mode

      The value can be RADIUS, HWTACACS, or No Accounting.

    • Modifying an accounting scheme

    1. Choose Security Management > AAA > AAA Schemes.
    2. Select an accounting scheme in the Accounting Scheme area, and click the Modify icon.
    3. In the Modify Accounting Scheme dialog box that is displayed, modify the parameters. The parameter Name cannot be modified.
    4. Click OK.

    • Deleting an accounting scheme

    1. Choose Security Management > AAA > AAA Schemes.
    2. Select the check box of an accounting scheme in the Accounting Scheme area, and click Delete.
    3. In the dialog box that is displayed, click OK.
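The fallback order in Table 14-1 is worth seeing end to end: a later mode is consulted only when the earlier server does not respond, a rejection is final, and a trailing No Authentication mode turns a server outage into an open door. The following Python model is an added example written for this page, not code from the guide or the device; the account databases and scenario names are constructed, and the rule that an all-modes timeout refuses the login is the model's assumption.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # server unreachable or timed out


# An authentication mode is a callable (user, password) -> Result.
Mode = Callable[[str, str], Result]


def local_mode(users: Dict[str, str]) -> Mode:
    """Local authentication against accounts on the NAS; it never times out."""
    def auth(user: str, password: str) -> Result:
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return auth


def remote_mode(users: Dict[str, str], reachable: bool) -> Mode:
    """RADIUS/HWTACACS authentication; reachable=False models a silent server."""
    def auth(user: str, password: str) -> Result:
        if not reachable:
            return Result.NO_RESPONSE
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return auth


def no_auth_mode(user: str, password: str) -> Result:
    """Non-authentication: every user is trusted, whatever the password."""
    return Result.ACCEPT


def authenticate(scheme: List[Mode], user: str, password: str) -> Tuple[Result, Optional[int]]:
    """Walk the scheme's modes in order. Only NO_RESPONSE moves on to the next
    mode; ACCEPT and REJECT are final. If no mode responds the login is refused
    (modelled as REJECT with no deciding mode; an assumption of this example)."""
    for index, mode in enumerate(scheme):
        result = mode(user, password)
        if result is not Result.NO_RESPONSE:
            return result, index
    return Result.REJECT, None


# Constructed account databases (not from the guide).
RADIUS_USERS = {"alice": "s3cret-radius"}
LOCAL_USERS = {"alice": "s3cret-local"}


def scenarios() -> Dict[str, Tuple[Result, Optional[int]]]:
    radius_up = remote_mode(RADIUS_USERS, reachable=True)
    radius_down = remote_mode(RADIUS_USERS, reachable=False)
    local = local_mode(LOCAL_USERS)
    return {
        # RADIUS answers: its verdict is final and local is never consulted.
        "radius-up, wrong radius pw": authenticate([radius_up, local], "alice", "s3cret-local"),
        # RADIUS down: fall back to local, which accepts the local password.
        "radius-down, local pw": authenticate([radius_down, local], "alice", "s3cret-local"),
        # RADIUS down with No Authentication second: anyone gets in with any password.
        "radius-down, no-auth fallback": authenticate([radius_down, no_auth_mode], "mallory", ""),
        # RADIUS down and nothing configured after it: login refused.
        "radius-down, no fallback": authenticate([radius_down], "alice", "s3cret-radius"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The third scenario is the one to watch for in a real scheme: an attacker who can make the RADIUS server unreachable (or simply wait for an outage) is admitted without credentials. Prefer Local as the fallback for administrator access and reserve No Authentication for networks where open access is the intended policy.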

14.1.2 RADIUS Setting

Context

RADIUS protects a network from unauthorized access and is commonly used on networks that require strict security and centralized control of remote user access.

Procedure

  • RADIUS server template

    • Creating a RADIUS server template

    1. Choose Security Management > AAA > RADIUS Setting.

      Figure 14-2 RADIUS Setting

    2. In the RADIUS Server Template area, click Create. In the Create RADIUS Server Template dialog box that is displayed, set parameters described in Table 14-4.


    3. Click OK.

      Table 14-4 Parameters for creating a RADIUS server template

      Parameter

      Description

      Template name

      Name of a RADIUS server template.

      Cipher key

      Shared key for the RADIUS server.

      The shared key is used to encrypt the password and generate the response authenticator.

      Confirm key

      Confirmed shared key of the RADIUS server.

      User name

      Whether the device encapsulates the domain name in the user name when sending RADIUS packets to a RADIUS server.

      Mode

      • Active/standby: The server with the largest weight value functions as the active server; the other servers function as standby servers, and a standby server with a larger weight value has a higher priority.
      • Load balancing: Authentication or accounting requests are distributed among the configured authentication or accounting servers in proportion to their weights.

    • Modifying a RADIUS server template

    1. Choose Security Management > AAA > RADIUS Setting.
    2. In the RADIUS Server Template area, select a RADIUS server template, and click the Modify icon.
    3. In the Modify RADIUS Server Template dialog box that is displayed, modify the parameters. The parameter Template name cannot be modified.
    4. Click OK.

    • Deleting a RADIUS server template

    1. Choose Security Management > AAA > RADIUS Setting.
    2. In the RADIUS Server Template area, select the check box of a RADIUS server template, and click Delete.
    3. In the dialog box that is displayed, click OK.
  • Authentication/Accounting server

    • Creating an authentication or accounting server

    1. Choose Security Management > AAA > RADIUS Setting.
    2. In the Authentication/Accounting Server area, click Create. In the Create Authentication/Accounting Server dialog box that is displayed, set parameters described in Table 14-5.


    3. Click OK.

      Table 14-5 Parameters for creating an authentication or accounting server

      Parameter

      Description

      Template name

      Name of the created RADIUS server template.

      Server type

      RADIUS server type: authentication or accounting server.

      IP address

      IP address of the authentication or accounting server.

      Port number

      Port number of the authentication or accounting server.

      Weight value

      Weight of the authentication or accounting server.

      NOTE:

      You can quickly search for the created authentication or accounting servers based on the specified criteria.

    • Modifying an authentication or accounting server

    1. Choose Security Management > AAA > RADIUS Setting.
    2. In the Authentication/Accounting Server area, select an authentication or accounting server, and click the Modify icon.
    3. In the Modify Authentication/Accounting Server dialog box that is displayed, modify the parameters. The parameters Template name and Server type cannot be modified.
    4. Click OK.

    • Deleting an authentication or accounting server

    1. Choose Security Management > AAA > RADIUS Setting.
    2. In the Authentication/Accounting Server area, select the check box of an authentication or accounting server, and click Delete.
    3. In the dialog box that is displayed, click OK.
  • Authorization server

    • Creating an authorization server

    1. Choose Security Management > AAA > RADIUS Setting.
    2. In the Authorization Server area, click Create. In the Create Authorization Server dialog box that is displayed, set parameters described in Table 14-6.


    3. Click OK.

      Table 14-6 Parameters for creating an authorization server

      Parameter

      Description

      Authorization server IP address

      IP address of an authorization server.

      Template name

      Name of the created RADIUS server template.

      Cipher key

      Shared key of the RADIUS authorization server.

      Confirm key

      Confirmed shared key of the RADIUS authorization server.

    • Modifying an authorization server

    1. Choose Security Management > AAA > RADIUS Setting.
    2. In the Authorization Server area, select an authorization server, and click the Modify icon.
    3. In the Modify Authorization Server dialog box that is displayed, modify the parameters. The parameter Authorization server IP address cannot be modified.
    4. Click OK.

    • Deleting an authorization server

    1. Choose Security Management > AAA > RADIUS Setting.
    2. In the Authorization Server area, select the check box of an authorization server, and click Delete.
    3. In the dialog box that is displayed, click OK.
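Table 14-4 says the shared key hides the password and produces the Response Authenticator. The following Python block is an added example, not code from the guide or the device, that implements both RFC 2865 computations and then shows why the key's strength matters: with a captured Access-Request/Access-Accept pair, each candidate key can be checked offline against the Response Authenticator, and the correct one reveals the user's password. Packet contents, the user name and the candidate key list are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: the same keystream, chained on ciphertext blocks."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length, value."""
    return bytes([kind, len(value) + 2]) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(kind, data[i + 2:i + length])
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does with a reply: recompute the authenticator and compare in constant time."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def recover_password(request: bytes, response: bytes, candidate_secrets):
    """Offline attack on a captured request/reply pair: each candidate key is checked
    against the Response Authenticator without contacting the server; the key that
    verifies also unhides the User-Password attribute. Returns (key, password) or None."""
    request_auth = request[4:20]
    hidden = parse_attrs(request[20:])[USER_PASSWORD]
    for secret in candidate_secrets:
        if verify_response(response, request_auth, secret):
            return secret, reveal_password(hidden, secret, request_auth)
    return None


def exchange(secret: bytes, user: bytes, password: bytes, request_auth: bytes = None):
    """Build the NAS's Access-Request and the server's matching Access-Accept (constructed traffic)."""
    request_auth = request_auth or os.urandom(16)
    req_attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    request = packet(ACCESS_REQUEST, 7, request_auth, req_attrs)
    resp_attrs = b""
    response = packet(ACCESS_ACCEPT, 7, response_authenticator(ACCESS_ACCEPT, 7, resp_attrs, request_auth, secret), resp_attrs)
    return request, response


if __name__ == "__main__":
    req, resp = exchange(b"huawei", b"alice", b"p@ssw0rd")
    print(recover_password(req, resp, [b"radius", b"secret", b"huawei"]))
```

A short or dictionary shared key therefore exposes every password that crosses the NAS-to-server path to anyone who can capture it; use a long random key per RADIUS server and keep that path on a protected management network.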

14.1.3 HWTACACS Setting

Context

HWTACACS prevents unauthorized users from attacking a network and supports command-line authorization. Compared with RADIUS, HWTACACS carries requests over TCP and encrypts the entire packet body (RADIUS uses UDP and hides only the password), so it is more reliable in transmission and encryption and better suited to security control.

Procedure

  • HWTACACS global setting
    1. Choose Security Management > AAA > HWTACACS Setting.

      Figure 14-3 HWTACACS Setting

    2. In the Global Setting area, click Enabled and click Apply.
  • HWTACACS server template

    • Creating a HWTACACS server template

    1. Choose Security Management > AAA > HWTACACS Setting.
    2. In the HWTACACS Server Template area, click Create. In the Create HWTACACS Server Template dialog box that is displayed, set parameters described in Table 14-7.


    3. Click OK.

      Table 14-7 Parameters for creating a HWTACACS server template

      Parameter

      Description

      Template name

      Name of a HWTACACS server template.

      Cipher key

      Shared key for the HWTACACS server.

      The shared key is used to encrypt the body of the HWTACACS packets exchanged with the server, so the same key must be configured on the device and on the server.

      Confirm key

      Confirmed shared key of the HWTACACS server.

      User name

      Whether the device encapsulates the domain name in the user name when sending HWTACACS packets to a HWTACACS server.

    • Modifying a HWTACACS server template

    1. Choose Security Management > AAA > HWTACACS Setting.
    2. In the HWTACACS Server Template area, select the HWTACACS server template, and click the Modify icon.
    3. In the Modify HWTACACS Server Template dialog box that is displayed, modify the parameters. The parameter Template name cannot be modified.
    4. Click OK.

    • Deleting a HWTACACS server template

    1. Choose Security Management > AAA > HWTACACS Setting.
    2. In the HWTACACS Server Template area, select the check box of the HWTACACS server template, and click Delete.
    3. In the dialog box that is displayed, click OK.
  • Authentication/Authorization/Accounting server

    • Creating an authentication, authorization, or accounting server

    1. Choose Security Management > AAA > HWTACACS Setting.
    2. In the Authentication/Authorization/Accounting Server area, click Create. In the Create Authentication/Authorization/Accounting Server dialog box that is displayed, set parameters described in Table 14-8.


    3. Click OK.

      Table 14-8 Parameters for creating an authentication, authorization, or accounting server

      Parameter

      Description

      Template name

      Name of the created HWTACACS server template.

      Server type

      HWTACACS server type: authentication, authorization, or accounting server.

      Primary server IP address

      IP address of the primary authentication, authorization, or accounting server.

      Primary server port number

      Port number of the primary authentication, authorization, or accounting server.

      Secondary server IP address

      IP address of the secondary authentication, authorization, or accounting server.

      Secondary server port number

      Port number of the secondary authentication, authorization, or accounting server.

      NOTE:

      You can quickly search for the created authentication, authorization, or accounting servers based on the specified criteria.

    • Modifying an authentication, authorization, or accounting server

    1. Choose Security Management > AAA > HWTACACS Setting.
    2. In the Authentication/Authorization/Accounting Server area, select an authentication, authorization, or accounting server, and click the Modify icon.
    3. In the Modify Authentication/Authorization/Accounting Server dialog box that is displayed, modify the parameters. The parameters Template name and Server type cannot be modified.
    4. Click OK.

    • Deleting an authentication, authorization, or accounting server

    1. Choose Security Management > AAA > HWTACACS Setting.
    2. In the Authentication/Authorization/Accounting Server area, select the check box of an authentication, authorization, or accounting server, and click Delete.
    3. In the dialog box that is displayed, click OK.

14.1.4 Domain Management

Context

The created authentication, authorization, and accounting schemes take effect only after being applied to a domain.

Procedure

  • Creating a domain
    1. Choose Security Management > AAA > Domain Management.

      Figure 14-4 Domain Management

    2. Click Create and set parameters in the Create Domain dialog box that is displayed. Table 14-9 describes the parameters.


    3. Click OK.

      Table 14-9 Domain parameters

      Parameter

      Description

      Domain name

      Name of a domain.

      Authentication scheme

      Created authentication scheme.

      Authorization scheme

      Created authorization scheme.

      Accounting scheme

      Created accounting scheme.

      RADIUS server template

      Created RADIUS server template.

      HWTACACS server template

      Created HWTACACS server template.

      URL

      URL of the Portal authentication page. When Portal authentication is used, an unauthenticated user who accesses a web page for the first time is forcibly redirected to this URL.

      SSID

      Specifies the SSID that users associate with.

      URL Option

      Click User-defined and set parameters for the URL in User-Defined URL. For details, see Table 14-10. URL Example displays the URL that carries the configured parameters.


      Table 14-10 URL parameters

      Parameter

      Description

      AC-IP

      Specifies the AC IP address carried in the URL and sets the parameter name.

      AC-MAC

      Specifies the AC MAC address carried in the URL and sets the parameter name.

      AP-IP

      Specifies the AP IP address carried in the URL and sets the parameter name.

      AP-MAC

      Specifies the AP MAC address carried in the URL and sets the parameter name.

      Redirect-to URL

      Carries the URL that the user originally requested, so that the user can be redirected back to it after authentication, and sets the parameter name.

      SSID

      Specifies the SSID that the user is associated with, carried in the URL, and sets the parameter name.

      User IP address

      Specifies the user IP address carried in the URL and sets the parameter name.

      User MAC address

      Specifies the user MAC address carried in the URL and sets the parameter name.

      System name

      Specifies the device system name carried in the URL and sets the parameter name.

      MAC address format

      • No delimiter: Sets the MAC address format to XXXXXXXXXXXX.
      • normal: Sets the MAC address format to XXXX-XXXX-XXXX. You can specify a character as the delimiter.
      • compact: Sets the MAC address format to XX-XX-XX-XX-XX-XX. You can specify a character as the delimiter.

  • Modify a domain
    1. Choose Security Management > AAA > Domain Management.
    2. Select a domain in the Domains area, and click the Modify icon.
    3. In the Modify Domain dialog box that is displayed, modify the parameters. The parameter Domain name cannot be modified.
    4. Click OK.
  • Deleting a domain
    1. Choose Security Management > AAA > Domain Management.
    2. Select the check box of a domain in the Domains area, and click Delete.
    3. In the dialog box that is displayed, click OK.

14.1.5 User Management

Context

Before local authentication and authorization can be used, create local user accounts on the device and configure their attributes; the device then authenticates and authorizes users who log in against this local user information.

Procedure

  • Create a user.
    1. Choose Security Management > AAA > User Management.

      Figure 14-5 User Management

    2. Click Create and set parameters in the Create User dialog box that is displayed. Table 14-11 describes the parameters.


    3. Click OK.

      Table 14-11 User parameters

      Parameter

      Description

      User name

      Indicates a new user name.

      If the user name contains the domain name delimiter @, the characters before @ are the user name and the characters after @ are the domain name. If the value does not contain @, the entire string is the user name and the default domain is used.

      Password

      Indicates a new password.

      Confirm password

      Confirms the password. The format of this parameter is the same as that of Password.

      Access level

      Indicates the user level. The value ranges from 0 to 15; a larger value indicates a higher level, and users at different levels have different access rights.

      A user can run commands whose levels are equal to or lower than the user level.

      NOTE:

      The system supports user levels 0 to 15. For example, a level 3 user can run commands at levels 0, 1, 2, and 3, and a level 15 user can run commands at all levels. A user cannot create or modify a user whose level is higher than their own.

      User status

      Indicates the state of a local user.

      • active: The device accepts and processes authentication requests from the user.
      • blocked: The device rejects authentication requests from the user.
      NOTE:

      Setting a user to blocked does not terminate an existing connection: if the user is already connected to the device, that connection remains in effect and only subsequent authentication requests from the user are rejected.

      Access type

      Indicates the access type. After you specify the access type of a user, only the users of the specified access type can log in.

  • Modify a user
    1. Choose Security Management > AAA > User Management.
    2. Select a user in the User Management area and click the Modify icon.
    3. In the Modify User dialog box that is displayed, modify the parameters.
    4. Click OK.
  • Deleting a user
    1. Choose Security Management > AAA > User Management.
    2. Select the check box of a user in the User Management area, and click Delete.
    3. In the dialog box that is displayed, click OK.

14.2 ACL Settings

14.2.1 Basic ACL

Context

After basic ACLs are configured, the device classifies IPv4 packets based on their source IP addresses and the time ranges during which the rules are valid.

Procedure

  • Creating a basic ACL
    1. Choose Security Management > ACL Settings > Basic ACL.

      Figure 14-6 Basic ACL

    2. In the Basic ACL Settings area, click Create. In the Create Basic ACL dialog box, enter an ACL name, ACL number and ACL description, and click OK.

      NOTE:

      If you enter only the ACL name, the device automatically assigns an ACL number. The ACL number is the greatest number in the available ACL numbers.

    3. Click Add rules and set parameters to add basic ACL rules. Table 14-12 describes the parameters.

      Figure 14-7 Add rules

    4. Click the confirm icon to save the rule. To delete a basic ACL rule, click the delete icon.

      Table 14-12 Basic ACL rule parameters

      Parameter

      Description

      Rule Number

      ACL rule number.

      NOTE:

      If you do not specify a rule number, the system allocates a number for the rule. The rule number cannot be changed.

      Action

      Whether to permit or deny packets.

      Source IP/Wildcard

      Source IP address and wildcard of packets to be matched by the ACL rule.

      The source address and wildcard are both in dotted decimal notation.

      NOTE:

      A wildcard is in dotted decimal notation. In its binary form, a 0 bit means that the corresponding bit of the IP address must match and a 1 bit means that it is ignored; unlike a subnet mask, the 1 and 0 bits need not be contiguous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 matches every address whose last octet is x0x0xx01 in binary, where each x can be 0 or 1.

      If no source address or wildcard is specified, the packets with any source address are matched with the ACL rule.

      Time Range

      Name of a time range during which ACL rules take effect.

      NOTE:

      The time range name is displayed on the Time Range tab page.

      If this parameter is not specified, ACL rules are always valid.

  • Deleting a basic ACL
    1. Choose Security Management > ACL Settings > Basic ACL.
    2. Click the delete icon next to a basic ACL, or select a basic ACL and click Delete.
    3. In the dialog box that is displayed, click OK.

14.2.2 Advanced ACL

Context

After advanced ACLs are configured, the device classifies IPv4 packets based on information such as source and destination IP addresses, source and destination port numbers, protocol types, priorities, and time ranges.

Procedure

  • Creating an advanced ACL
    1. Choose Security Management > ACL Settings > Advanced ACL.

      Figure 14-8 Advanced ACL

    2. In the Advanced ACL Setting List area, click Create. In the Create Advanced ACL dialog box, enter an ACL name, ACL number and ACL description, and click OK.

      NOTE:

      If you enter only the ACL name, the device automatically assigns an ACL number. The ACL number is the greatest number in the available ACL numbers.

    3. Click Add rules to add advanced ACL rules. You can add advanced ACL rules in either of the following ways:

      • In the ACL rule list
        1. Set parameters in the ACL list. Table 14-13 describes the parameters.

          Figure 14-9 Add Rules
        2. Click the confirm icon to save the rule. To delete an advanced ACL rule, click the delete icon.
      • In the Add Rules dialog box
        1. Click Advanced and set parameters in the Add Rules dialog box that is displayed. Table 14-13 describes the parameters.

          Figure 14-10 Add Rules
        2. Click OK. To delete an advanced ACL rule, click the delete icon.
      Table 14-13 Advanced ACL rule parameters

      Parameter

      Description

      Rule Number

      ACL rule number.

      NOTE:

      If you do not specify a rule number, the system allocates a number for the rule. The rule number cannot be changed.

      Source IP/Wildcard

      Source IP address and wildcard of packets to be matched by the ACL rule.

      The source address and wildcard are both in dotted decimal notation.

      NOTE:

      A wildcard is in dotted decimal notation. In its binary form, a 0 bit means that the corresponding bit of the IP address must match and a 1 bit means that it is ignored; unlike a subnet mask, the 1 and 0 bits need not be contiguous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 matches every address whose last octet is x0x0xx01 in binary, where each x can be 0 or 1.

      If no source address or wildcard is specified, the packets with any source address are matched with the ACL rule.

      Destination IP/Wildcard

      Destination IP address and wildcard of packets to be matched by the ACL rule.

      The destination address and wildcard are both in dotted decimal notation.

      NOTE:

      If no destination address or wildcard is specified, the packets with any destination address are matched with the ACL rule.

      Action

      Whether to permit or deny packets.

      Protocol Type

      Advanced ACL rules support the following protocol types:
      • ICMP (1)

        When this parameter is set to ICMP(1), set ICMP parameter whose value is in the format of ICMP message type/message code. To set ICMP parameter, click Add Rules and click Advanced.

      • IGMP (2)
      • GRE (47)
      • IP
      • IPINIP (4)
      • OSPF (89)
      • TCP (6)
      • UDP (17)
      • User-defined type
      NOTE:

      The value User-defined type is valid only in the Add Rules dialog box.

      When this parameter is set to User-defined type, enter a protocol number in the User-defined parameter text box.

      Source Port

      This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets with any source port are matched.

      Destination Port

      This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched.

      Matched priority

      The following types of priority to be matched are supported:
      • none

        The ACL rule does not filter packets based on the priority field.

      • Differentiated services code point (DSCP) priority

        The ACL rule filters packets based on the DSCP value. Enter a DSCP priority in the text box displayed after you select DSCP priority.

      • IP priority

        The ACL rule filters packets based on the IP priority field. Enter an IP priority in the text box displayed after you select IP priority.

      • Type of service (ToS) priority

        The ACL rule filters packets based on the ToS field. Enter a ToS priority in the text box displayed after you select ToS priority.

      Time range

      Name of a time range during which ACL rules take effect.

      NOTE:

      The time range name is displayed on the Time Range tab page.

      If this parameter is not specified, ACL rules are always valid.

  • Deleting an advanced ACL
    1. Choose Security Management > ACL Settings > Advanced ACL.
    2. Click the delete icon next to an advanced ACL, or select an advanced ACL and click Delete.
    3. In the dialog box that is displayed, click OK.
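Tables 14-12 and 14-13 describe the rule fields, wildcards and time ranges of basic and advanced ACLs but not how a packet is evaluated against them. The following Python block is an added example, not code from the guide or the device: it implements the wildcard semantics from the NOTE (including the 192.168.1.169 / 0.0.0.172 case, rendered in the guide's x0x0xx01 notation), evaluates rules in ascending rule-number order with the first match deciding, honours the time-range and protocol/port conditions, and reports when no rule matches. The sample ACL and packets are constructed, and first match in rule-number order is this example's assumption about the matching order.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored.
    The set bits need not be contiguous, unlike a subnet mask."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(base)) & care == 0


def wildcard_pattern(base: str, wildcard: str) -> str:
    """Render base/wildcard the way the guide does (192.168.1.x0x0xx01): octets
    with a zero wildcard stay decimal, the rest show bits with x = don't care."""
    parts = []
    for b, w in zip(base.split("."), wildcard.split(".")):
        b, w = int(b), int(w)
        if w == 0:
            parts.append(str(b))
        else:
            parts.append("".join("x" if w >> i & 1 else str(b >> i & 1) for i in range(7, -1, -1)))
    return ".".join(parts)


@dataclass
class Rule:
    number: int
    action: str                               # "permit" or "deny"
    src: Optional[Tuple[str, str]] = None     # (address, wildcard); None = any source
    dst: Optional[Tuple[str, str]] = None     # advanced ACLs only
    protocol: Optional[int] = None            # IP protocol number; None = any ("IP")
    sport: Optional[int] = None               # TCP/UDP only; None = any port
    dport: Optional[int] = None
    time_range: Optional[str] = None          # None = rule always valid


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet, active_time_ranges: FrozenSet[str]) -> bool:
    if rule.time_range is not None and rule.time_range not in active_time_ranges:
        return False                          # rule is outside its time range
    if rule.src and not wildcard_match(pkt.src, *rule.src):
        return False
    if rule.dst and not wildcard_match(pkt.dst, *rule.dst):
        return False
    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if rule.protocol in (6, 17):              # ports only mean something for TCP/UDP
        if rule.sport is not None and pkt.sport != rule.sport:
            return False
        if rule.dport is not None and pkt.dport != rule.dport:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet,
             active_time_ranges: FrozenSet[str] = frozenset()) -> Tuple[Optional[str], Optional[int]]:
    """First matching rule in ascending rule-number order decides. Returns
    (action, rule_number), or (None, None) when nothing matched: what happens then
    depends on where the ACL is applied, so callers must not assume a default."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt, active_time_ranges):
            return rule.action, rule.number
    return None, None


# Constructed sample ACL and traffic (not from the guide).
ACL = [
    Rule(5, "deny", src=("192.168.1.169", "0.0.0.172"), protocol=6, dport=23, time_range="work-hours"),
    Rule(10, "permit", src=("192.168.1.0", "0.0.0.255"), dst=("10.0.0.0", "0.0.0.255"), protocol=6, dport=443),
    Rule(15, "permit", protocol=1),
]
TELNET = Packet("192.168.1.41", "10.0.0.5", 6, 40001, 23)   # .41 = 00101001, fits x0x0xx01
HTTPS = Packet("192.168.1.41", "10.0.0.5", 6, 40002, 443)
PING = Packet("192.168.1.170", "8.8.8.8", 1)                 # .170 = 10101010, does not fit

if __name__ == "__main__":
    print(wildcard_pattern("192.168.1.169", "0.0.0.172"))
    for name, pkt in (("telnet", TELNET), ("https", HTTPS), ("ping", PING)):
        print(name, evaluate(ACL, pkt, frozenset({"work-hours"})), evaluate(ACL, pkt))
```

Two points the output makes visible: the telnet deny in rule 5 silently stops applying outside its time range, and a discontiguous wildcard such as 0.0.0.172 matches a scattered set of hosts rather than a subnet, so review such rules bit by bit before trusting them.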

14.2.3 User ACL

Context

After user ACLs are configured, the device classifies IPv4 packets based on information such as source and destination IP addresses, source and destination port numbers, protocol types, priorities, and time ranges, as well as the user group to which the sending user belongs.

Procedure

  • Creating a user ACL
    1. Choose Security Management > ACL Settings > User ACL.

      Figure 14-11 User ACL

    2. In the User ACL Setting List area, click Create. In the Create User ACL dialog box, enter an ACL number and ACL description, and click OK.
    3. Click Add rules to add user ACL rules. You can add user ACL rules in either of the following ways:

      • In the ACL rule list
        1. Set parameters in the ACL list. Table 14-14 describes the parameters.

          Figure 14-12 Add Rules
        2. Click the add icon. To delete a user ACL rule, click the delete icon.
      • In the Add Rules dialog box
        1. Click Advanced and set parameters in the Add Rules dialog box that is displayed. Table 14-14 describes the parameters.

          Figure 14-13 Add Rules
        2. Click OK. To delete a user ACL rule, click the delete icon.
      Table 14-14 User ACL rule parameters

      Parameter

      Description

      Rule Number

      ACL rule number.

      NOTE:

      If you do not specify a rule number, the system allocates a number for the rule. The rule number cannot be changed.

      Action

      Whether to permit or deny packets.

      Source IP/Wildcard

      Source IP address and wildcard of packets to be matched by the ACL rule.

      The source address and wildcard are both in dotted decimal notation.

      NOTE:

      A wildcard is in dotted decimal notation. After the wildcard is converted into binary, a 0 bit indicates that the corresponding bit of the IP address must match, and a 1 bit indicates that the corresponding bit is ignored. The 1 and 0 bits need not be contiguous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 together represent the addresses 192.168.1.x0x0xx01, where x can be 0 or 1.

      If no source address or wildcard is specified, the packets with any source address are matched with the ACL rule.

      Destination IP/Wildcard

      Destination IP address and wildcard of packets to be matched by the ACL rule.

      The destination address and wildcard are both in dotted decimal notation.

      NOTE:

      If no destination address or wildcard is specified, the packets with any destination address are matched with the ACL rule.

      Source ACL User Group

      User group information about the source user whose IP address matches the ACL rule.

      Destination ACL User Group

      User group information about the destination user whose IP address matches the ACL rule.

      Protocol Type

      User ACL rules support the following protocol types:
      • ICMP (1)

        When this parameter is set to ICMP (1), set the ICMP parameter, whose value is in the format ICMP message type/message code. To set the ICMP parameter, click Add Rules and then click Advanced.

      • IGMP (2)
      • GRE (47)
      • IP
      • IPINIP (4)
      • OSPF (89)
      • TCP (6)
      • UDP (17)
      • User-defined type
      NOTE:

      The value User-defined type is valid only in the Add Rules dialog box.

      When this parameter is set to User-defined type, enter a protocol number in the User-defined parameter text box.

      Source Port

      This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets with any source port are matched.

      Destination Port

      This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched.

      Matched priority

      The following types of priority to be matched are supported:
      • none

        The ACL rule does not filter packets based on the priority field.

      • Differentiated services code point (DSCP) priority

        The ACL rule filters packets based on the DSCP value. Enter a DSCP priority in the text box displayed after you select DSCP priority.

      • IP priority

        The ACL rule filters packets based on the IP priority field. Enter an IP priority in the text box displayed after you select IP priority.

      • Type of service (ToS) priority

        The ACL rule filters packets based on the ToS field. Enter a ToS priority in the text box displayed after you select ToS priority.

      Time range

      Name of a time range during which ACL rules take effect.

      NOTE:

      The time range name is displayed on the Time Range tab page.

      If this parameter is not specified, ACL rules are always valid.

  • Deleting a user ACL
    1. Choose Security Management > ACL Settings > User ACL.
    2. Click the delete icon next to a user ACL, or select a user ACL and click Delete.
    3. In the dialog box that is displayed, click OK.
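The following is an added example, written for this guide rather than taken from the AC software, of how a rule set with the Table 14-14 parameters evaluates an IPv4 packet: wildcard matching as described in the Source IP/Wildcard note (including the guide's 192.168.1.169 / 0.0.0.172 case), port fields that apply only to TCP/UDP, and a time range that must be active. Rule-number allocation in steps of 5 and the permit default for unmatched packets are assumptions of the example, not statements from the guide.

```python
# Added example for this guide (not Huawei code): how a user/advanced ACL
# rule set of the kind described in Table 14-14 evaluates an IPv4 packet.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Set

ICMP, TCP, UDP = 1, 6, 17          # protocol numbers as listed in Table 14-14


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, rule_ip: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are ignored (bits need not be contiguous)."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(rule_ip) & care)


def wildcard_pattern(rule_ip: str, wildcard: str) -> str:
    """Render the guide's notation: octets with no wildcard bits stay decimal,
    the others are shown in binary with 'x' for ignored bits."""
    out = []
    for ip_oct, wc_oct in zip(map(int, rule_ip.split(".")), map(int, wildcard.split("."))):
        if wc_oct == 0:
            out.append(str(ip_oct))
        else:
            out.append("".join("x" if (wc_oct >> b) & 1 else str((ip_oct >> b) & 1)
                               for b in range(7, -1, -1)))
    return ".".join(out)


@dataclass
class AclRule:
    action: str                               # "permit" or "deny"
    number: Optional[int] = None              # None: let the ACL allocate one
    src: Optional[Tuple[str, str]] = None     # (ip, wildcard); None matches any source
    dst: Optional[Tuple[str, str]] = None
    protocol: Optional[int] = None            # IP protocol number; None matches any
    src_port: Optional[int] = None            # only checked for TCP/UDP packets
    dst_port: Optional[int] = None
    time_range: Optional[str] = None          # name of a time range that must be active

    def matches(self, pkt: dict, active_ranges: Set[str]) -> bool:
        if self.src and not wildcard_match(pkt["src"], *self.src):
            return False
        if self.dst and not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if pkt["proto"] in (TCP, UDP):        # port fields are valid only for TCP/UDP
            if self.src_port is not None and pkt.get("sport") != self.src_port:
                return False
            if self.dst_port is not None and pkt.get("dport") != self.dst_port:
                return False
        if self.time_range is not None and self.time_range not in active_ranges:
            return False
        return True


class Acl:
    STEP = 5   # assumption: automatically allocated rule numbers advance in steps of 5

    def __init__(self, number: int, default_action: str = "permit"):
        # assumption: packets matching no rule get default_action
        self.number, self.default_action, self.rules = number, default_action, []

    def add(self, rule: AclRule) -> int:
        if rule.number is None:
            rule.number = max((r.number for r in self.rules), default=0) + self.STEP
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)   # evaluated in rule-number order
        return rule.number

    def evaluate(self, pkt: dict, active_ranges: Set[str] = frozenset()):
        """First matching rule wins; returns (action, rule number or None)."""
        for rule in self.rules:
            if rule.matches(pkt, active_ranges):
                return rule.action, rule.number
        return self.default_action, None


if __name__ == "__main__":
    acl = Acl(3001)   # constructed sample: deny Telnet from 10.1.1.0/24 during "work", permit the rest
    acl.add(AclRule("deny", src=("10.1.1.0", "0.0.0.255"), protocol=TCP, dst_port=23, time_range="work"))
    acl.add(AclRule("permit"))
    pkt = {"src": "10.1.1.7", "dst": "10.0.0.1", "proto": TCP, "sport": 40000, "dport": 23}
    print(wildcard_pattern("192.168.1.169", "0.0.0.172"), acl.evaluate(pkt, {"work"}))
```

The packet dictionaries are constructed sample input; the `active_ranges` set stands in for the device's evaluation of the time ranges named in the rules.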

14.2.4 Time Range

Context

To start services or functions periodically or in a specified period of time, you can set a time range for ACL rules.

Procedure

  • Creating a time range
    1. Choose Security Management > ACL Settings > Time Range.

      Figure 14-14 Time Range

    2. Click Create and set parameters in the Create Time Range dialog box that is displayed. Table 14-15 describes the parameters.


    3. Click OK. The created time range is displayed.

      Table 14-15 Time range parameters

      Parameter

      Description

      Time range name

      Name of a time range during which ACL rules take effect.

      Periodic Time Range

      Period during which ACL rules take effect. The Periodic Time Range area has parameters Validity time week, Start time, and End time.

      Set Validity time week to one or more days of the week.

      Both the values of Start time and End time range from 00:00 to 23:59. When both the start time and end time are set to 00:00, the ACL validity period starts at 0 am and ends at 12 pm.

      After setting the three parameters, click Add. To create multiple ACL validity periods, repeat this procedure.

      Valid Period

      Time range during which ACL rules take effect. The Valid Period area has parameters Start time and End time.

      After setting the two parameters, click Add. To create multiple validity time ranges, repeat this procedure.

      NOTE:

      If the end time is not specified, the device takes the allowed maximum value, for example, 23:59 2099/12/31.

  • Modifying a time range
    1. Choose Security Management > ACL Settings > Time Range.
    2. Click the modify icon next to a time range.
    3. In the Modify Time Range dialog box that is displayed, modify the parameters listed in Table 14-15. The parameter Time range name cannot be modified. To delete a validity time range, click the delete icon in the Time Range Has Been Added area.
    4. Click OK.
  • Deleting a time range
    1. Choose Security Management > ACL Settings > Time Range.
    2. Select the check box of a validity period and click Delete.
    3. In the dialog box that is displayed, click OK.
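As an added example (not code from the guide or the AC), the following models the two kinds of entry in Table 14-15: periodic entries with days of the week and a start/end time, where 00:00 to 00:00 covers the whole day, and absolute periods whose missing end time defaults to 23:59 2099/12/31. The combination rule, that entries of one kind are ORed and a range holding both kinds is active only when both kinds are satisfied, is an assumption of the example; the clock values are constructed.

```python
# Added example for this guide (not Huawei code): evaluating the periodic and
# absolute time ranges of Table 14-15 against a clock value.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

MAX_END = datetime(2099, 12, 31, 23, 59)   # default end when none is given (Table 14-15 note)


def parse_hhmm(text: str) -> time:
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def parse_datetime(text: str) -> datetime:
    """'YYYY-MM-DD HH:MM' -> datetime (input format chosen for this example)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


@dataclass
class Periodic:
    days: Set[int]      # weekday numbers as datetime.weekday(): 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def covers(self, now: datetime) -> bool:
        if now.weekday() not in self.days:
            return False
        if self.start == self.end == time(0, 0):   # 00:00 to 00:00 means the whole day
            return True
        return self.start <= now.time() <= self.end


@dataclass
class Absolute:
    start: datetime
    end: Optional[datetime] = None   # None: the device uses the allowed maximum

    def covers(self, now: datetime) -> bool:
        return self.start <= now <= (self.end or MAX_END)


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        # Assumption: entries of one kind are ORed; a range with both kinds is
        # active only when a periodic entry and an absolute entry both cover 'now'.
        periodic_ok = not self.periodic or any(p.covers(now) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.covers(now) for a in self.absolute)
        return periodic_ok and absolute_ok


def active_ranges(ranges: List[TimeRange], now: datetime) -> Set[str]:
    """Names of the time ranges in effect, i.e. whose ACL rules currently apply."""
    return {r.name for r in ranges if r.is_active(now)}


if __name__ == "__main__":
    # Constructed sample: office hours from 2018 onwards, and all day at weekends.
    work = TimeRange("work", [Periodic({0, 1, 2, 3, 4}, parse_hhmm("08:00"), parse_hhmm("18:00"))],
                     [Absolute(parse_datetime("2018-01-01 00:00"))])
    weekend = TimeRange("weekend", [Periodic({5, 6}, parse_hhmm("00:00"), parse_hhmm("00:00"))])
    print(active_ranges([work, weekend], parse_datetime("2018-04-02 09:00")))
```

The set returned by `active_ranges` is what an ACL evaluator needs in order to decide whether a rule bound to a time range is currently in force.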

14.3 User Group

Context

After a WLAN user is authenticated, the RADIUS server sends user group information to the AC to control authorization of the user.
  • A user group can be bound to one or more ACLs, so users' data packets are filtered based on the bound ACL.
  • A user group can be bound to one QoS profile, so the bandwidth used by users in the user group is restricted based on the bound QoS profile. To configure a QoS profile, see 13.1 QoS Profile.
  • Isolation flags can be set in user groups to isolate users in the same group or in different groups. The inter-group isolation flag isolates users in the same group, and the intra-group isolation flag isolates users in a group from users in other groups.
  • User VLANs can be configured in a user group. Users can visit resources in the same VLAN.

The administrator configures a user group with the user group name delivered by the RADIUS server.

Procedure

  • Creating a user group
    1. Choose Security Management > User Group.

      Figure 14-15 User Group

    2. In the User Group List area, click Create. In the Create User Group dialog box that is displayed, set parameters described in Table 14-16.


    3. Click OK. The user group is added to the user group list.

      Table 14-16 Parameters for creating a user group

      Parameter

      Description

      User group name

      Indicates a new user group name.

      Isolation mode

      Inter-group isolation and inner-group isolation can take effect at the same time.

      VLAN

      ID of a user VLAN.

      QoS profile

      QoS profile used to monitor traffic for users in the user group.

      Click the select icon to create or delete a QoS profile. Select a QoS profile in the QoS Profile List dialog box and click OK. You can enter a profile name or keyword and click Search to search for a QoS profile.

      ACL

      ACL to be selected and configured. A user group can be bound to a single ACL, multiple ACLs, or no ACL.

  • Modifying a user group
    1. Choose Security Management > User Group.
    2. In the User Group List area, click the modify icon corresponding to the user group to be modified.
    3. In the Modify User Group dialog box that is displayed, set parameters described in Table 14-16.
  • Deleting a user group
    1. Choose Security Management > User Group.
    2. In the User Group List area, select a user group, and click Delete.
    3. In the dialog box that is displayed, click OK. If the user group is removed from the user group list, the user group is deleted.

14.4 WIDS Configuration

14.4.1 WIDS Configuration

Context

WLAN networks are vulnerable to threats from rogue APs and users, ad-hoc networks, and so on. The device supports the following mechanisms:
  • WIDS: detects rogue APs, bridges, STAs, ad-hoc networks, and APs using the same working channel.

  • WIPS: disconnects authorized users from bogus APs and disconnects unauthorized STAs and ad-hoc networks from APs.

The Wireless Intrusion Detection System (WIDS) supports attack detection: it can detect flood attacks, weak IV attacks, spoofing attacks, and brute force cracking of the WPA/WPA2/WAPI pre-shared key and the WEP shared key, and it notifies the network administrator of these security risks using logs, statistics, and alarms. When it detects a device that initiates flood attacks or brute force cracking, the AC adds the device to the blacklist and rejects packets from the device within the blacklist timeout period.

Procedure

  • Querying the status of an AP configured with WIDS
    1. Choose Security Management > WIDS Configuration > WIDS Configuration.

      Figure 14-16 WIDS Configuration

    2. In the WIDS Configuration List, view the status of an AP configured with WIDS. You can set Search, enter a keyword, and click Go to search for an AP.
  • Configuring WIDS for an AP
    1. Choose Security Management > WIDS Configuration > WIDS Configuration.
    2. In the WIDS Configuration List area, click Create. The page for setting parameters is displayed. Table 14-17 describes the parameters.
    3. In the Select AP area, click Add. In the AP dialog box that is displayed, select an AP and click OK.


    4. In the Select AP area, select the AP to be configured.
    5. Click the icon next to WIDS Configuration, and set the parameters described in Table 14-17.


    6. In the Radio Configuration area, you can configure attack detection, device detection, and countermeasures. To configure these functions for multiple radios, click New. Table 14-17 describes the parameters of these functions.


    7. Click OK. The AP configured with WIDS is displayed in the WIDS configuration list.

      Table 14-17 WIDS parameters

      Parameter

      Description

      Flood attack detection interval(s)

      Interval for detecting flood attacks.

      Flood attack packet count

      Maximum number of packets of the same type that an AP receives within the detection period.

      Brute force cracking detection interval(s)

      Interval for detecting brute force cracking of the PSK key.

      Brute force cracking count

      Maximum number of key negotiation failures allowed by an AP within the detection period.

      Blacklist

      Dynamic blacklist enabled or disabled.

      Blacklist aging time(s)

      Aging time of the dynamic blacklist. After a dynamic blacklist entry ages out, the AP allows the device to go online again if it detects no further attack from the device.

      Radio

      Radios on which the detection function is configured.

      Working mode

      • normal: An AP transmits data of wireless users and does not monitor wireless devices on the network.
      • monitor: An AP scans wireless devices on the network and listens on all 802.11 frames on wireless channels. In this mode, all WLAN services on the AP are disabled and the AP cannot transmit data of wireless users.
      • hybrid: An AP can monitor wireless devices while transmitting data of wireless users.

      Attack detection

      Type of attacks to be detected.

      Device detection

      Device detection enabled or disabled.

      Device detection can be enabled on an AP that works in monitor or hybrid mode.

      Countermeasure function

      Countermeasure enabled or disabled. If countermeasure is enabled, the device detection function must be enabled.

      Countermeasure mode

      Type of rogue devices to be countered. The countermeasure function prevents rogue devices from accessing the WLAN.

  • Modifying WIDS configurations of an AP
    1. Choose Security Management > WIDS Configuration > WIDS Configuration.
    2. In the WIDS Configuration List area, click the modify icon corresponding to the AP to be modified.
    3. In the Modify WIDS Configuration dialog box that is displayed, set parameters described in Table 14-17.
    4. Click OK.
  • Disabling WIDS from an AP
    1. Choose Security Management > WIDS Configuration > WIDS Configuration.
    2. In the WIDS Configuration List area, select an AP and click Delete.

      If the AP is removed from the WIDS configuration list, the AP is deleted.

14.4.2 SSID Whitelist

Context

SSIDs in the whitelist are those used only by this AC. If a rogue AP uses one of these SSIDs, the monitor AP does not counter that AP, even though SSID countermeasures are configured.

Procedure

  • Querying an SSID whitelist
    1. Choose Security Management > WIDS Configuration > SSID Whitelist.

      Figure 14-17 SSID Whitelist

    2. In the SSID Whitelist area, enter a keyword or an SSID, and click Search.
  • Creating an SSID whitelist
    1. Choose Security Management > WIDS Configuration > SSID Whitelist.
    2. In the SSID Whitelist area, click Create. In the Create SSID Whitelist dialog box that is displayed, set SSID.
    3. Click OK. If the SSID is displayed in the SSID whitelist, the SSID whitelist is created.
  • Modifying an SSID whitelist
    1. Choose Security Management > WIDS Configuration > SSID Whitelist.
    2. In the SSID Whitelist area, click the modify icon corresponding to the SSID to be modified.
    3. In the Modify SSID Whitelist dialog box that is displayed, change the SSID.
    4. Click OK.
  • Deleting an SSID whitelist
    1. Choose Security Management > WIDS Configuration > SSID Whitelist.
    2. In the SSID Whitelist area, select an SSID, and click Delete.

      If the SSID is removed from the SSID whitelist, the SSID is deleted.

14.4.3 Rogue Device

Context

After device detection is enabled, you can view information about rogue devices and their historical records. All rogue devices are recorded in the historical records.

Procedure

  • Viewing information about a rogue device
    1. Choose Security Management > WIDS Configuration > Rogue Device.

      Figure 14-18 Rogue Device

    2. In the Rogue Device List area, set Search, enter a keyword, and click Go. Table 14-18 describes the search items of a rogue device.

      Table 14-18 Search items of rogue devices and historical records

      Search item

      Description

      MAC Address

      MAC address of a rogue device.

      Discovery Time

      Time when a rogue device is detected.

      Device Type

      Type of a rogue device.

      Channel

      Channel of a rogue device.

      Countermeasure Status

      Whether a rogue device is countered.

      Monitor AP

      Monitoring AP that counters the detected rogue device.

  • Deleting information about a rogue device
    1. Choose Security Management > WIDS Configuration > Rogue Device.
    2. In the Rogue Device List area, select a rogue device, and click Delete.
  • Viewing historical records of a rogue device
    1. Choose Security Management > WIDS Configuration > Rogue Device.
    2. In the Historical Records of Rogue Devices area, set Search, enter a keyword, and click Go. Table 14-18 describes the search items of a rogue device.
  • Deleting historical records of a rogue device
    1. Choose Security Management > WIDS Configuration > Rogue Device.
    2. In the Historical Records of Rogue Devices area, select a rogue device, and click Delete.

14.4.4 Attack Statistics

Context

After attack detection is enabled, you can view or delete statistics on attacks of different types.

Procedure

  • Viewing statistics on attacks
    1. Choose Security Management > WIDS Configuration > Attack Statistics.

      Figure 14-19 Attack Statistics

    2. In the Attack Statistics area, view statistics on attacks of different types. Table 14-19 describes the different types of attacks.

      Table 14-19 Types of attacks

      Attack Type

      Description

      Probe Request Frame Flood Attack

      Flood attack caused by Probe Request frames

      Authentication Request Frame Flood Attack

      Flood attack caused by Authentication Request frames

      Deauthentication Frame Flood Attack

      Flood attack caused by Deauthentication frames

      Association Request Frame Flood Attack

      Flood attack caused by Association Request frames

      Disassociation Request Frame Flood Attack

      Flood attack caused by Disassociation Request frames

      Reassociation Request Frame Flood Attack

      Flood attack caused by Reassociation Request frames

      Action Frame Flood Attack

      Flood attack caused by Action frames

      Null Data Frame Flood Attack

      Flood attack caused by null data frames

      Null Qos Frame Flood Attack

      Flood attack caused by null QoS frames

      EAPOL Start Frame Flood Attack

      Flood attack caused by EAPOL start frames

      EAPOL Logoff Frame Flood Attack

      Flood attack caused by EAPOL logoff frames

      Weak IVs Detected

      Weak IV attack

      Spoofed Deauthentication Frame Attack

      Deauthentication frame spoofing attack

      Spoofed Disassociation Frame Attack

      Disassociation frame spoofing attack

      WEP Share-key Attack

      Brute force cracking of the WEP shared key

      WPA Attack

      Brute force cracking of the WPA pre-shared key

      WPA2 Attack

      Brute force cracking of the WPA2 pre-shared key

      WAPI Attack

      Brute force cracking of the WAPI pre-shared key

  • Deleting statistics on attacks
    1. Choose Security Management > WIDS Configuration > Attack Statistics.
    2. In the Attack Statistics area, click Reset all. In the dialog box that is displayed, click OK.

14.4.5 Attack Records

Context

After attack detection is enabled, information about a detected attack device is saved in the attack detection list. When the device initiates no further attacks, it is removed from the attack detection list and the attack is added to the attack record list. You can view or delete entries in both the attack detection list and the attack record list.

Procedure

  • Querying attack detection list
    1. Choose Security Management > WIDS Configuration > Attack Records.

      Figure 14-20 Attack Records

    2. In the Attack Detection List area, set Search, enter a keyword, and click Go. Table 14-20 describes the search items.

      Table 14-20 Search items of attack detection and attack records

      Search item

      Description

      MAC Address

      • When a spoofing attack occurs, this parameter indicates the BSSID.
      • When other attacks occur, this parameter indicates the MAC address of the device initiating the attacks.

      Attack Type

      Type of the detected attack, shown as an abbreviation.

      • act: Action Frame Flood Attack
      • asr: Association Request Frame Flood Attack
      • aur: Authentication Request Frame Flood Attack
      • daf: Deauthentication Frame Flood Attack
      • dar: Disassociation Request Frame Flood Attack
      • ndf: Null Data Frame Flood Attack
      • pbr: Probe Request Frame Flood Attack
      • rar: Reassociation Request Frame Flood Attack
      • eap_start: EAPOL Start Frame Flood Attack
      • eap_logoff: EAPOL Logoff Frame Flood Attack
      • saf: Spoofed Disassociation Frame Attack
      • sdf: Spoofed Deauthentication Frame Attack
      • wiv: Weak IVs Detected
      • wep: WEP Share-key Attack
      • wpa: WPA Attack
      • wpa2: WPA2 Attack
      • wapi: WAPI Attack

      Channel

      Channel of the detected attack.

      RSSI

      Average RSSI of the detected attack frames.

      Detection Time

      Time when an attack is detected.

      Monitoring AP

      AP that detects the attack.

  • Deleting attack detection list
    1. Choose Security Management > WIDS Configuration > Attack Records.
    2. In the Attack Detection List area, click Clear. In the dialog box that is displayed, click OK. All attack records are deleted.
  • Querying attack records
    1. Choose Security Management > WIDS Configuration > Attack Records.
    2. In the Attack Records area, set Search, enter a keyword, and click Go. Table 14-20 describes the search items.
  • Deleting attack records
    1. Choose Security Management > WIDS Configuration > Attack Records.
    2. In the Attack Records area, click Clear. In the dialog box that is displayed, click OK. All attack records are deleted.

14.4.6 Dynamic Blacklist

Context

After attack detection and dynamic blacklist are enabled, an AP adds devices that initiate attacks to the dynamic blacklist and rejects packets from these devices within the blacklist timeout period.

Devices that initiate flood attacks and brute force cracking of the WPA/WPA2/WAPI pre-shared key and the WEP shared key can be added to the dynamic blacklist.

Procedure

  • Viewing the dynamic blacklist
    1. Choose Security Management > WIDS Configuration > Dynamic Blacklist.

      Figure 14-21 Dynamic Blacklist

    2. In the Dynamic Blacklist area, set Search, enter a keyword, and click Go. Table 14-21 describes the search items.

      Table 14-21 Search items of the dynamic blacklist

      Search item

      Description

      MAC Address

      MAC address of a device in the dynamic blacklist.

      Attack Type

      Type of the detected attack, shown as an abbreviation.

      Monitoring AP

      AP that detects the device and adds it to the dynamic blacklist.

  • Deleting entries from the dynamic blacklist
    1. Choose Security Management > WIDS Configuration > Dynamic Blacklist.
    2. In the Dynamic Blacklist area, select an entry, and click Delete.
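The following added example (written for this guide, not Huawei code) ties together the Table 14-17 detection parameters and the lists in 14.4.4 to 14.4.6: frames of one type from one MAC address are counted in a sliding window of Flood attack detection interval seconds and compared with Flood attack packet count; failed key negotiations are counted the same way against the brute force thresholds; a detected device is added to the dynamic blacklist for Blacklist aging time seconds, during which its packets are dropped, and is allowed back afterwards unless it attacks again. The attack-type abbreviations are those of Table 14-20. The rule that an entry moves from the attack detection list to the attack records after one detection interval without activity, and the frame-type and cipher-suite names, are assumptions of the example; the sample timestamps are constructed.

```python
# Added example for this guide (not Huawei code): sliding-window flood and
# brute-force detection with a dynamic blacklist, after Table 14-17.
from collections import defaultdict, deque
from dataclasses import dataclass

# Attack-type abbreviations as listed in Table 14-20; the frame-type keys are
# names chosen for this example.
FLOOD_ABBREV = {"probe_req": "pbr", "auth_req": "aur", "deauth": "daf",
                "assoc_req": "asr", "disassoc": "dar", "reassoc_req": "rar",
                "action": "act", "null_data": "ndf",
                "eapol_start": "eap_start", "eapol_logoff": "eap_logoff"}
BRUTE_ABBREV = {"wep": "wep", "wpa": "wpa", "wpa2": "wpa2", "wapi": "wapi"}


@dataclass
class WidsConfig:
    flood_interval: float = 60.0    # Flood attack detection interval(s)
    flood_count: int = 300          # Flood attack packet count
    brute_interval: float = 60.0    # Brute force cracking detection interval(s)
    brute_count: int = 20           # Brute force cracking count
    blacklist: bool = True          # Blacklist (dynamic blacklist enabled)
    blacklist_aging: float = 600.0  # Blacklist aging time(s)


class WidsDetector:
    def __init__(self, cfg: WidsConfig):
        self.cfg = cfg
        self.windows = defaultdict(deque)   # (mac, frame type) -> timestamps inside the window
        self.failures = defaultdict(deque)  # mac -> key negotiation failure timestamps
        self.blacklist = {}                 # mac -> (abbrev, expiry time)          (14.4.6)
        self.detection_list = {}            # mac -> entry while the attack is ongoing (14.4.5)
        self.records = []                   # entries moved here once the attack stops
        self.stats = defaultdict(int)       # per-type counters as in 14.4.4
        self.last_seen = {}

    def _expire_blacklist(self, now: float) -> None:
        for mac, (_, expiry) in list(self.blacklist.items()):
            if now >= expiry:               # aged out: the device may go online again
                del self.blacklist[mac]

    def is_blocked(self, mac: str, now: float) -> bool:
        self._expire_blacklist(now)
        return mac in self.blacklist

    @staticmethod
    def _over_limit(window: deque, now: float, interval: float, limit: int) -> bool:
        window.append(now)
        while window and now - window[0] > interval:   # drop events older than the interval
            window.popleft()
        return len(window) > limit

    def _raise(self, abbrev: str, mac: str, now: float, channel: int, ap: str) -> str:
        self.stats[abbrev] += 1
        self.detection_list.setdefault(
            mac, {"mac": mac, "type": abbrev, "channel": channel, "ap": ap, "time": now})
        if self.cfg.blacklist:
            self.blacklist[mac] = (abbrev, now + self.cfg.blacklist_aging)
        return abbrev

    def frame(self, now: float, mac: str, ftype: str, channel: int = 1, ap: str = "ap1"):
        """One received frame: returns 'dropped', an attack abbreviation, or None."""
        self.last_seen[mac] = now
        if self.is_blocked(mac, now):
            return "dropped"               # packets rejected within the blacklist timeout
        if self._over_limit(self.windows[(mac, ftype)], now,
                            self.cfg.flood_interval, self.cfg.flood_count):
            return self._raise(FLOOD_ABBREV[ftype], mac, now, channel, ap)
        return None

    def key_failure(self, now: float, mac: str, suite: str, channel: int = 1, ap: str = "ap1"):
        """One failed key negotiation for a WEP/WPA/WPA2/WAPI association."""
        self.last_seen[mac] = now
        if self.is_blocked(mac, now):
            return "dropped"
        if self._over_limit(self.failures[mac], now,
                            self.cfg.brute_interval, self.cfg.brute_count):
            return self._raise(BRUTE_ABBREV[suite], mac, now, channel, ap)
        return None

    def sweep(self, now: float) -> None:
        """Assumption: a device idle for one flood interval leaves the detection list
        and its entry becomes an attack record."""
        for mac in list(self.detection_list):
            if now - self.last_seen[mac] > self.cfg.flood_interval:
                self.records.append(self.detection_list.pop(mac))


if __name__ == "__main__":
    # Constructed sample: small thresholds so the behaviour is visible quickly.
    det = WidsDetector(WidsConfig(flood_interval=10, flood_count=5, blacklist_aging=30))
    print([det.frame(t, "aa:bb:cc:dd:ee:01", "probe_req") for t in range(7)])
```

Lowering the thresholds, as the sample does, is a convenient way to observe the state machine; on a production AC the intervals and counts should be tuned against the normal management-frame rate of the cell so that legitimate clients reconnecting after an outage are not blacklisted.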

14.5 Portal Authentication

14.5.1 Global Portal Authentication Configuration

Context

Portal authentication is also referred to as Web authentication. When a user opens a browser for the first time and enters any website address, the user is forcibly redirected to an authentication page of a Portal server and can access network resources only after being authenticated.

The Portal protocol is based on a client/server structure and uses the User Datagram Protocol (UDP) as the transmission protocol. The Portal protocol is used in information exchange between the Portal server and other devices. In Portal authentication, the Portal protocol is used in communication between the Portal server and a device that is used as a client.

The administrator can set the maximum number of Portal authentication users that can access a device and the offline detection period for the users. If a user does not respond within the detection period, the device considers the user offline and releases the occupied resources.

Procedure

  1. Choose Security Management > Portal Authentication > Global Portal Authentication Configuration.

    Figure 14-22 Global Portal Authentication Configuration

  2. Set Maximum number of users and Probe timer(s), and click Apply.

14.5.2 External Portal Server

Context

The Portal server is classified as either the external Portal server or the built-in Portal server. The external Portal server has independent hardware, while the built-in Portal server is an entity embedded in the access device (that is, functions of the Portal server are implemented by the access device).

During external Portal authentication, you must configure parameters for the Portal server (for example, the IP address for the Portal server) to ensure smooth communication between the device and the Portal server.

Procedure

  • Querying an authentication server
    1. Choose Security Management > Portal Authentication > External Portal Server.

      Figure 14-23 External Portal Server

    2. In the Portal Servers area, view all authentication servers. You can set Search, enter a keyword, and click Go to search for an authentication server.
  • Creating an authentication server
    1. Choose Security Management > Portal Authentication > External Portal Server.
    2. In the Portal Servers area, click Create. In the Create Portal Server dialog box that is displayed, set parameters described in Table 14-22.


    3. Click OK. The authentication server is displayed in the Portal server list.

      Table 14-22 Parameters for creating an authentication server

      Parameter

      Description

      Server name

      User-defined name of the Portal server, which identifies an authentication server.

      URL

      URL of the Portal server.

      SSID

      Specifies the SSID that users associate with.

      URL Option

      Click User-defined and set parameters for the URL in User-Defined URL. For details, see Table 14-23. URL Example displays the URL that carries the configured parameters.

      Port number

      Number of the port on which the device listens for Portal protocol packets.

      Shared key

      Shared key that the device uses when exchanging information with the Portal server.

      Server IP address

      IP address of the Portal server.

      Enter an IP address and click the add icon. To delete an IP address, select it and click the delete icon.

      To configure multiple IP addresses, set URL for the Portal server.


      Table 14-23 URL parameters

      Parameter

      Description

      AC-IP

      Specifies the AC IP address carried in the URL and sets the parameter name.

      AC-MAC

      Specifies the AC MAC address carried in the URL and sets the parameter name.

      AP-IP

      Specifies the AP IP address carried in the URL and sets the parameter name.

      AP-MAC

      Specifies the AP MAC address carried in the URL and sets the parameter name.

      Redirect-to URL

      Specifies the original URL that a user accesses carried in the URL and sets the parameter name.

      SSID

      Specifies the SSID that users associate with, carried in the URL, and sets the parameter name.

      User IP address

      Specifies the user IP address carried in the URL and sets the parameter name.

      User MAC address

      Specifies the user MAC address carried in the URL and sets the parameter name.

      System name

      Specifies the device system name carried in the URL and sets the parameter name.

      MAC address format

      • Without hyphens.
      • normal: Sets the MAC address format to XXXX-XXXX-XXXX. You can specify a character as the delimiter.
      • compact: Sets the MAC address format to XX-XX-XX-XX-XX-XX. You can specify a character as the delimiter.

  • Modifying an authentication server
    1. Choose Security Management > Portal Authentication > External Portal Server.
    2. In the Portal Servers area, click the modify icon corresponding to an authentication server.
    3. In the Modify Portal Server dialog box that is displayed, set parameters described in Table 14-22.
    4. Click OK.
  • Deleting an authentication server
    1. Choose Security Management > Portal Authentication > External Portal Server.
    2. In the Portal Servers area, select an authentication server and click Delete.

      If the authentication server is removed from the Portal server list, the authentication server is deleted.
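To show what the URL Option and Table 14-23 settings produce on the wire, here is an added example (not code from the guide or the AC) that assembles the redirect URL from the selected items under administrator-chosen parameter names, renders MAC addresses in the three formats of the MAC address format row, and parses the URL back on the Portal-server side. The parameter names in `EXAMPLE_NAMES` and the item keys are placeholders chosen for the example; the addresses and SSID are constructed.

```python
# Added example for this guide (not Huawei code): assembling and parsing the
# redirect URL that Table 14-23 describes, with the MAC formats of that table.
from urllib.parse import urlencode, urlsplit, parse_qs


def format_mac(mac: str, style: str = "normal", delimiter: str = "-") -> str:
    """style: 'none' = no separators, 'normal' = XXXX-XXXX-XXXX,
    'compact' = XX-XX-XX-XX-XX-XX; the delimiter is configurable for the last two."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if style == "none":
        return digits
    width = {"normal": 4, "compact": 2}[style]
    return delimiter.join(digits[i:i + width] for i in range(0, 12, width))


# Keys are the Table 14-23 items; values are the query-parameter names the
# administrator assigns. These names are placeholders chosen for the example.
EXAMPLE_NAMES = {
    "ac_ip": "acip", "ac_mac": "acmac", "ap_ip": "apip", "ap_mac": "apmac",
    "redirect_url": "url", "ssid": "ssid", "user_ip": "userip",
    "user_mac": "usermac", "system_name": "sysname",
}


def build_redirect_url(server_url: str, values: dict, names: dict = EXAMPLE_NAMES,
                       mac_style: str = "normal", delimiter: str = "-") -> str:
    """Items absent from 'names' are not carried; MAC items use the chosen format.
    urlencode() percent-encodes the original URL and other reserved characters."""
    query = {}
    for item, value in values.items():
        if item not in names:
            continue
        if item.endswith("_mac"):
            value = format_mac(value, mac_style, delimiter)
        query[names[item]] = value
    joiner = "&" if urlsplit(server_url).query else "?"
    return server_url + joiner + urlencode(query)


def parse_redirect_url(url: str, names: dict = EXAMPLE_NAMES) -> dict:
    """Portal-server side: recover the items using the same name mapping."""
    query = parse_qs(urlsplit(url).query)
    by_name = {v: k for k, v in names.items()}
    return {by_name[n]: vals[0] for n, vals in query.items() if n in by_name}


if __name__ == "__main__":
    # Constructed sample values.
    values = {"user_ip": "10.2.3.4", "user_mac": "00:1A:2B:3C:4D:5E",
              "redirect_url": "http://intranet.example.com/a?b=1", "ssid": "Guest WiFi"}
    url = build_redirect_url("https://portal.example.com/login", values, mac_style="compact", delimiter=":")
    print(url)
    print(parse_redirect_url(url))
```

Because the parameter names are administrator-defined on the AC and configured independently on the Portal server, a mismatch between the two mappings shows up as missing items on the server side; the parse step makes that easy to check.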

14.5.3 Built-in Portal Server

Context

The Portal server is classified as either the external Portal server or the built-in Portal server. The external Portal server has independent hardware, while the built-in Portal server is an entity embedded in the access device (that is, functions of the Portal server are implemented by the access device).

During the built-in Portal server configuration process, to ensure that the server can provide the web authentication service, set parameters such as SSL policy, Port, and Web page file.

Procedure

  1. Choose Security Management > Portal Authentication > Built-in Portal Server.

    Figure 14-24 Built-in Portal Server

  2. On the Built-in Portal Server tab page, set parameters described in Table 14-24, and click Apply.

    Table 14-24 Built-in Portal server parameters

    Parameter

    Description

    Portal server IP

    IP address of the Portal server. Users are then redirected to the Portal server if they enter URLs that are not located in the free IP subnet.

    NOTE:
    • The IP address assigned to the built-in Portal server must have a reachable route to the user.

    • The built-in Portal server cannot use the gateway IP address of the device interface connected to clients.

    • It is recommended that a loopback interface address be assigned to the built-in Portal server because the loopback interface is stable. Additionally, packets destined for loopback interfaces are not sent to other interfaces on the network; therefore, system performance is not deteriorated even if many users request to go online.

    SSL policy

    SSL policy applied to HTTPS services provided by the Portal server.

    Port

    Port that provides the authentication service on the Portal server.

    Authentication mode

    Authentication mode, either PAP or CHAP. You are advised to use CHAP, which provides higher security.

    Web page file

    File in .zip format. The file contains web pages that users access during authentication.

    Maximum number of users

    Maximum number of users that can access the Portal server.

    Acceptable Use Policy(in HTML format)

    The administrator can edit the login page used for user authentication to customize a disclaimer page. The hyperlink Acceptable Use Policy will be displayed on the login page. You can click the link to visit the disclaimer page.

    Portal usage guideline(in HTML format)

    There is a blank area on the login page of the built-in Portal server. You can customize the display contents on the login page.

14.5.4 Portal Free Rule

Context

You can set portal free rules for portal authentication users so that the users can access specified network resources without being authenticated or when the users fail authentication.

Procedure

  • Searching a portal free rule
    1. Choose Security Management > Portal Authentication > Portal Free Rule.

      Figure 14-25 Portal Free Rule

    2. In the Portal Free Rule List area, view all portal free rules. To search for a portal free rule, set Search, enter a keyword, and click Go.
  • Creating a portal free rule
    1. Choose Security Management > Portal Authentication > Portal Free Rule.
    2. In the Portal Free Rule List area, click Create. In the Create Portal Free Rule dialog box that is displayed, set parameters described in Table 14-25.


    3. Click OK. The portal free rule is displayed in the portal free rule list.

      Table 14-25 Parameters for creating a portal free rule

      • Rule ID: ID of the portal free rule.
      • Source IP: If the source IP address carried in packets from a Portal authentication user matches the setting in the Source IP area, the user does not need to be authenticated and can access the IP addresses specified in the Destination IP area.
        • Free-rule: No user needs to be authenticated.
        • IP address: IP address of the user.
        • Mask: Network segment in which the user is located.
        • Name: Interface that transmits the packets. To select an interface, click the selection icon, select an interface from the interface list, and click OK.
        • VLAN: VLAN in which the user is located.
      • Destination IP: IP addresses that portal free rule users can access.
        • Free-rule: Portal free rule users can access any destination IP address.
        • IP address: IP address that portal free rule users can access.
        • Mask: Network segment that portal free rule users can access.
        • Protocol type: Protocol used to access the service.
        • Destination port: Destination port number that portal free rule users can access.

  • Modifying a portal free rule
    1. Choose Security Management > Portal Authentication > Portal Free Rule.
    2. In the Portal Free Rule List area, click the modification icon corresponding to a portal free rule.
    3. In the Modify Portal Free Rule dialog box that is displayed, set parameters described in Table 14-25.
    4. Click OK.
  • Deleting a portal free rule
    1. Choose Security Management > Portal Authentication > Portal Free Rule.
    2. In the Portal Free Rule List area, select a portal free rule and click Delete.

      If the portal free rule is removed from the portal free rule list, the rule is deleted.
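
The Source IP and Destination IP matching of Table 14-25, as an added example that is not Huawei's code: a model of how a free rule's optional fields would be evaluated against a user's packet, including a validity check that rejects a rule whose Source IP or Destination IP side has no condition and is not set to Free-rule. Field names, the packet dictionary, and the sample rules and addresses are constructed assumptions, not values from the guide.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

@dataclass(frozen=True)
class FreeRule:
    """One row of Table 14-25; None means the field was left unset."""
    rule_id: int
    src_any: bool = False            # Free-rule in the Source IP area
    src_ip: Optional[str] = None
    src_mask: Optional[str] = None
    interface: Optional[str] = None  # Name
    vlan: Optional[int] = None
    dst_any: bool = False            # Free-rule in the Destination IP area
    dst_ip: Optional[str] = None
    dst_mask: Optional[str] = None
    protocol: Optional[str] = None   # Protocol type, e.g. "tcp" or "udp"
    dst_port: Optional[int] = None   # Destination port

def _in_subnet(addr: str, ip: str, mask: Optional[str]) -> bool:
    # An empty Mask is treated as a single host (32-bit mask); strict=False allows host bits.
    return IPv4Address(addr) in IPv4Network((ip, mask or "255.255.255.255"), strict=False)

def validate(rule: FreeRule) -> None:
    """Reject a rule whose Source or Destination side has no condition and is not Free-rule."""
    sides = (("Source", rule.src_any, rule.src_ip, rule.src_mask, (rule.interface, rule.vlan)),
             ("Destination", rule.dst_any, rule.dst_ip, rule.dst_mask, (rule.protocol, rule.dst_port)))
    for side, any_, ip, mask, extra in sides:
        if mask and not ip:
            raise ValueError(f"rule {rule.rule_id}: {side} Mask set without an IP address")
        if not any_ and ip is None and all(x is None for x in extra):
            raise ValueError(f"rule {rule.rule_id}: {side} side is unconstrained and not Free-rule")

def is_valid(rule: FreeRule) -> bool:
    try:
        validate(rule)
        return True
    except ValueError:
        return False

def matches(rule: FreeRule, pkt: Dict) -> bool:
    """Every configured field must match; Free-rule skips that side entirely."""
    if not rule.src_any:
        if rule.src_ip and not _in_subnet(pkt["src_ip"], rule.src_ip, rule.src_mask):
            return False
        if rule.interface and rule.interface != pkt["interface"]:
            return False
        if rule.vlan is not None and rule.vlan != pkt["vlan"]:
            return False
    if not rule.dst_any:
        if rule.dst_ip and not _in_subnet(pkt["dst_ip"], rule.dst_ip, rule.dst_mask):
            return False
        if rule.protocol and rule.protocol.lower() != pkt["protocol"].lower():
            return False
        if rule.dst_port is not None and rule.dst_port != pkt["dst_port"]:
            return False
    return True

def free_rule_for(rules: List[FreeRule], pkt: Dict) -> Optional[int]:
    """ID of the lowest-numbered matching rule, or None if the user must authenticate first."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        validate(rule)
        if matches(rule, pkt):
            return rule.rule_id
    return None

# Constructed sample: DNS for everyone, VLAN 10 may reach the portal server over HTTPS, guests may reach a printer subnet.
SAMPLE_RULES = [
    FreeRule(1, src_any=True, protocol="udp", dst_port=53),
    FreeRule(2, vlan=10, dst_ip="10.1.1.5", dst_mask="255.255.255.255", protocol="tcp", dst_port=443),
    FreeRule(3, src_ip="10.1.10.0", src_mask="255.255.255.0", dst_ip="10.1.20.0", dst_mask="255.255.255.0"),
]

def guest(dst_ip: str, protocol: str, dst_port: int, src_ip: str = "10.1.10.23", vlan: int = 10) -> Dict:
    # Constructed packet from a guest STA behind interface GE0/0/1.
    return {"src_ip": src_ip, "dst_ip": dst_ip, "interface": "GE0/0/1", "vlan": vlan, "protocol": protocol, "dst_port": dst_port}
```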

14.6 802.1X Authentication

14.6.1 Global 802.1X Authentication Configuration

Context

The IEEE 802.1X standard (802.1X) is an interface-based network access control protocol. The 802.1X configuration takes effect on an interface only after 802.1X authentication is enabled globally and on the interface.

Procedure

  1. Choose Security Management > 802.1X Authentication > Global 802.1X Authentication Configuration.

    Figure 14-26 Global 802.1X Authentication Configuration

  2. On the Global 802.1X Authentication Configuration tab page, set parameters described in Table 14-26, and click Apply.

    To reset parameters, click Reset.

    Table 14-26 Global 802.1X authentication configuration parameters

    • Global 802.1X authentication: Whether global 802.1X authentication is enabled.
    • Silence function: Whether the silence function is enabled.
      After the silence function is enabled, a user who fails 802.1X authentication the maximum number of times enters the silence state, and during the silence period the device discards the user's 802.1X authentication requests. This limits the impact of frequent authentication attempts on the system.
    • Authentication failure count: After the silence function is enabled, a user enters the silence state when the number of failed authentications exceeds this value.
    • Retransmission count: If a user does not respond within the specified period after the device sends an authentication request, the device sends the request again. If the device still receives no response from an offline user when the number of authentication requests sent reaches this limit, it stops initiating authentication and the authentication fails. If the device still receives no response from an online user when the number of handshake requests sent reaches this limit, it considers the user offline and sets the user to the offline state.
      Repeated authentication requests consume many system resources. Set the maximum number according to user requirements and device resources; the default value is recommended.
    • STA response timeout period (s): Timeout period for a response from the STA (user). If the device receives no response from an offline user when the number of authentication requests sent reaches the limit, it stops initiating authentication and the authentication fails.
    • Reauthentication interval (s): After reauthentication is enabled, the device sends the user's authentication information to the authentication server at this interval. If the user's authentication information on the server has not changed, the user stays online normally. If it has changed, the user is forced offline and must be re-authenticated with the changed information.
    • Authentication request interval (s):
      • If a client does not respond within the specified period after initiating authentication, the device sends an authentication request packet to the client.
      • To authenticate clients that cannot initiate authentication, the device sends authentication packets to the clients at this interval through the interfaces on which 802.1X authentication is enabled.
    • Server response timeout period (s): If the authentication server does not respond to an authentication request within this period, the device retransmits the request to the server.
    • Silence time (s): Silence duration of an 802.1X user.
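
The silence function, Authentication failure count, Retransmission count and STA response timeout period of Table 14-26, as an added example that is not Huawei's code: a per-user state machine that discards requests during the quiet period and gives up (or marks an online user offline) once the number of unanswered requests reaches the limit. Class and method names, the default values and the MAC address in the trace are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Union

@dataclass
class Dot1xConfig:                 # global parameters of Table 14-26; timers in seconds
    silence_enabled: bool = True   # Silence function
    failure_count: int = 3         # Authentication failure count
    silence_time: int = 60         # Silence time (s)
    retransmit_count: int = 2      # Retransmission count
    sta_timeout: int = 30          # STA response timeout period (s)

@dataclass
class UserState:
    failures: int = 0
    silenced_until: float = 0.0    # quiet-timer deadline, 0 = not silenced
    online: bool = False
    sent: int = 0                  # requests sent in the current unanswered exchange
    deadline: float = 0.0          # when the STA response timeout elapses

class Dot1xAuthenticator:          # per-user state; `now` is injected so the model runs offline
    def __init__(self, cfg: Dot1xConfig):
        self.cfg = cfg
        self.users: Dict[str, UserState] = {}

    def accept_request(self, mac: str, now: float) -> bool:
        """Silence function: a silenced user's requests are discarded until the timer expires."""
        u = self.users.setdefault(mac, UserState())
        if u.silenced_until:
            if now < u.silenced_until:
                return False
            u.silenced_until, u.failures = 0.0, 0   # quiet period over, counter restarts
        return True

    def record_result(self, mac: str, success: bool, now: float) -> str:
        u = self.users.setdefault(mac, UserState())
        if success:
            u.failures, u.online = 0, True
            return "online"
        u.failures += 1
        # The guide says both "reaches" and "exceeds"; this model silences on reaching the count.
        if self.cfg.silence_enabled and u.failures >= self.cfg.failure_count:
            u.silenced_until = now + self.cfg.silence_time
            return "silenced"
        return "failed"

    def send_request(self, mac: str, now: float) -> None:
        """Send an authentication or handshake request and arm the STA response timer."""
        u = self.users.setdefault(mac, UserState())
        u.sent += 1
        u.deadline = now + self.cfg.sta_timeout

    def on_timer(self, mac: str, now: float) -> str:
        """Retransmission count: re-send until the number of sent requests reaches the limit."""
        u = self.users.setdefault(mac, UserState())
        if now < u.deadline:
            return "waiting"
        if u.sent < self.cfg.retransmit_count:
            self.send_request(mac, now)
            return "retransmitted"
        u.sent = 0
        if u.online:          # unanswered handshakes: the user is considered offline
            u.online = False
            return "offline"
        return "failed"       # unanswered authentication: the device stops initiating it

def demo_trace() -> List[Union[str, bool]]:
    """Three wrong passwords, a request in the quiet period, recovery, then a silent STA."""
    auth, mac = Dot1xAuthenticator(Dot1xConfig()), "0005-e01c-02e3"
    trace: list = [auth.record_result(mac, False, t) for t in (0, 5, 10) if auth.accept_request(mac, t)]
    trace += [auth.accept_request(mac, 40),         # silenced until t=70: discarded
              auth.accept_request(mac, 70),         # quiet timer expired: processed
              auth.record_result(mac, True, 70)]
    auth.send_request(mac, 100)                     # handshake that is never answered
    trace += [auth.on_timer(mac, 130), auth.on_timer(mac, 160)]
    return trace
```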

14.7 MAC Authentication

14.7.1 Global MAC Authentication Configuration

Context

MAC address authentication controls a user's network access right based on the user's access interface and MAC address. The user does not need to install any client software. The MAC address of the user device is used as the user name and password. When the network access device detects the user's MAC address for the first time, it starts authenticating the user.

The MAC configuration takes effect on an interface only after MAC authentication is enabled globally and on the interface.

Procedure

  1. Choose Security Management > MAC Authentication > Global MAC Authentication Configuration.

    Figure 14-27 Global MAC Authentication Configuration

  2. On the Global MAC Authentication Configuration tab page, set parameters described in Table 14-27, and click Apply.

    To reset parameters, click Reset.

    Table 14-27 Global MAC authentication parameters

    • Global MAC authentication: Whether global MAC authentication is enabled.
    • Authentication domain: When a MAC address without a domain name is used as the user name in MAC address authentication, the user is authenticated in the default domain if the administrator does not configure an authentication domain.
      Before configuring a domain for MAC address authentication, ensure that the domain has been configured.
    • User name format:
      • MAC address: The user's MAC address is used as the user name and password during authentication.
      • Fixed: Regardless of their MAC addresses, all users authenticate with one fixed user name and password specified by the administrator. Many users may be authenticated on the same interface; in this case all users requiring MAC address authentication on the interface use the same fixed user name, and only one user account needs to be configured on the server to authenticate them all. This is applicable to a network environment with reliable access clients.
      NOTE:
      When local authentication is used, a fixed user name must be used for MAC address authentication.
      If the user name format is configured both on the interface page and on this page, the setting on the interface page takes precedence.
    • MAC address type: In MAC address authentication, the device sends the user's MAC address as the user name and password to the authentication server. You can decide whether the MAC address contains hyphens (-).
      • Hyphenated: The MAC address with hyphens is used as the user name, for example, 0005-e01c-02e3.
      • Unhyphenated: The MAC address without hyphens is used as the user name, for example, 0005e01c02e3.
    • User name: Fixed user name used for MAC address authentication.
    • Password: Password used for MAC address authentication.
    • Confirm password: Confirmation of the password used for MAC address authentication.
    • Silence time (s): Value of the quiet timer. If a user fails authentication, the device does not process the user's authentication requests until the quiet timer expires.
    • Server response timeout period (s): If the authentication server does not respond to an authentication request within this period, the device retransmits the request to the server.
    • Reauthentication interval (s): After reauthentication is enabled, the device sends the user's authentication information to the authentication server at this interval. If the user's authentication information on the server has not changed, the user stays online normally. If it has changed, the user is forced offline and must be re-authenticated with the changed information.
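
How the User name format, MAC address type and Authentication domain settings of Table 14-27 combine into the identity the device submits, as an added example that is not Huawei's code; it also applies the two notes above (a fixed user name is required for local authentication; the interface-page setting overrides this page). It goes beyond the two formats shown by accepting colon-, dot- and hyphen-separated input. The configuration class and function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Accept 00:05:E0:1C:02:E3, 0005-e01c-02e3 or 0005.e01c.02e3; return 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def format_mac(mac: str, hyphenated: bool) -> str:
    """MAC address type: 0005-e01c-02e3 (Hyphenated) or 0005e01c02e3 (Unhyphenated)."""
    d = normalize_mac(mac)
    return f"{d[0:4]}-{d[4:8]}-{d[8:12]}" if hyphenated else d

@dataclass(frozen=True)
class MacAuthConfig:
    """Settings of Table 14-27 at one level (the global page or an interface page)."""
    username_format: Optional[str] = None   # "mac", "fixed", or None = not set at this level
    hyphenated: bool = True                 # MAC address type
    fixed_username: Optional[str] = None    # User name (Fixed format only)
    fixed_password: Optional[str] = None    # Password (Fixed format only)
    domain: Optional[str] = None            # Authentication domain, None = default domain

def mac_auth_identity(mac: str, global_cfg: MacAuthConfig,
                      interface_cfg: Optional[MacAuthConfig] = None,
                      local_auth: bool = False, default_domain: str = "default") -> Tuple[str, str, str]:
    """Return the (user name, password, domain) the device would submit for this STA."""
    # The user name format configured on the interface page has higher priority.
    fmt, creds = global_cfg.username_format or "mac", global_cfg
    if interface_cfg and interface_cfg.username_format:
        fmt = interface_cfg.username_format
        if interface_cfg.fixed_username:
            creds = interface_cfg
    if fmt not in ("mac", "fixed"):
        raise ValueError(f"unknown user name format {fmt!r}")
    if local_auth and fmt != "fixed":
        raise ValueError("local authentication requires the Fixed user name format")
    if fmt == "fixed":
        if not (creds.fixed_username and creds.fixed_password):
            raise ValueError("Fixed format requires User name and Password")
        user, password = creds.fixed_username, creds.fixed_password
    else:
        user = password = format_mac(mac, global_cfg.hyphenated)
    # A MAC-based user name carries no domain suffix, so the configured Authentication
    # domain (or the default domain when none is configured) decides where it is authenticated.
    return user, password, global_cfg.domain or default_domain

def try_identity(*args, **kwargs) -> Optional[Tuple[str, str, str]]:
    """Identity, or None when the configuration would be rejected (used by checks)."""
    try:
        return mac_auth_identity(*args, **kwargs)
    except ValueError:
        return None
```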

14.8 SSL

Context

A device supports server Secure Sockets Layer (SSL) policies and client SSL policies.

  • To use a device as an SSL server, configure a server SSL policy on the device. During an SSL handshake, the device uses SSL parameters in the server SSL policy to negotiate session parameters with an SSL client. After the handshake is complete, the device establishes a session with the client.

  • To use a device as an SSL client, configure a client SSL policy on the device. During an SSL handshake, the device uses SSL parameters in the client SSL policy to negotiate session parameters with the SSL server. After the handshake is complete, the device establishes a session with the server.

Procedure

  • Creating an SSL policy

    • Creating a server SSL policy
      1. Access the SSL tab page.

        Choose Security Management > SSL.

        Figure 14-28 SSL configuration page
      2. Click Create and set parameters in the Create SSL Policy dialog box that is displayed. Set SSL policy type to Server. Table 14-28 describes other parameters.


      3. Click OK. A server SSL policy is added to the SSL policy list.

      Table 14-28 Server SSL policy parameters

      • SSL policy name: Name of the SSL policy. The name is case-sensitive.
      • PKI domain: Name of a PKI domain. For details about PKI domain configuration, see 14.9 PKI.
      • Maximum session count: Maximum number of sessions that can be saved on the SSL server.
      • Session timeout interval (s): Timeout period of a saved session.
      • Supported cipher suite: Cipher suite supported by the server SSL policy.

    • Creating a client SSL policy
      1. Access the SSL tab page.

        Choose Security Management > SSL.

      2. Click Create and set parameters in the Create SSL Policy dialog box that is displayed. Set SSL policy type to Client. Table 14-29 describes other parameters.


      3. Click OK. A client SSL policy is added to the SSL policy list.

      Table 14-29 Client SSL policy parameters

      • SSL policy name: Name of the SSL policy. The name is case-sensitive.
      • SSL server identity authentication: Whether to enable SSL server identity authentication.
      • PKI domain: Name of a PKI domain. For details about PKI domain configuration, see 14.9 PKI.
      • SSL version: SSL protocol version.
      • Preferred cipher suite: Cipher suite used by the client SSL policy.

  • Modifying an SSL policy
    1. Choose Security Management > SSL.
    2. Click the modification icon of an SSL policy in the SSL Configuration List area.
    3. In the Modify SSL Policy dialog box that is displayed, modify the parameters listed in Table 14-28 or Table 14-29. The SSL policy name and SSL policy type parameters cannot be modified.
    4. Click OK.
  • Deleting an SSL policy
    1. Choose Security Management > SSL.
    2. Select an SSL policy and click Delete. In the dialog box that is displayed, click OK.

14.9 PKI

14.9.1 PKI Entity

Context

A certificate binds a public key to a set of information that uniquely identifies a public key infrastructure (PKI) entity. The parameters of an entity indicate its identity information. A certificate authority (CA) uniquely identifies a certificate applicant based on the identity information provided by the entity.

Procedure

  • Creating a PKI entity
    1. Choose Security Management > PKI > PKI Entity.

      Figure 14-29 PKI Entity

    2. Click Create and set parameters in the Create PKI Entity dialog box that is displayed. Table 14-30 describes the parameters.


    3. Click OK.

      Table 14-30 PKI entity parameters

      • PKI entity name: Name of the PKI entity.
      • Common name: Common name of the PKI entity.
      • IP address: IP address of the PKI entity.
      • Domain name: Fully qualified domain name (FQDN) of the PKI entity.
      • Country/Area: Country or area name of the PKI entity.
      • State/Province: State or province name of the PKI entity.
      • Geographic region: Geographic area of the PKI entity.
      • Organization: Organization name of the PKI entity.
      • Department: Department name of the PKI entity.

  • Modifying a PKI entity
    1. Choose Security Management > PKI > PKI Entity.
    2. Select a PKI entity in the PKI Entity Information area, and click the modification icon.
    3. In the Modify PKI Entity dialog box that is displayed, modify the parameters. The parameter PKI entity name cannot be modified.
    4. Click OK.
  • Deleting a PKI entity
    1. Choose Security Management > PKI > PKI Entity.
    2. Select the check box of a PKI entity and click Delete.
    3. In the dialog box that is displayed, click OK.

      NOTE:

      When a PKI entity is referenced by a PKI domain, delete the PKI entity from the PKI domain before you delete the PKI entity.

14.9.2 PKI Domain

Context

Before an entity applies for a certificate, some enrollment information must be configured. The collection of the enrollment information is called the PKI domain of an entity.

Procedure

  • Creating a PKI domain
    1. Choose Security Management > PKI > PKI Domain.

      Figure 14-30 PKI Domain

    2. Click Create and set parameters in the Create PKI Domain dialog box that is displayed. Table 14-31 describes the parameters.


    3. Click OK.

      Table 14-31 PKI domain parameters

      • PKI domain name: Name of the PKI domain.
        By default, a PKI domain named default exists on the device.
      • PKI entity name: Name of a created PKI entity.
      • Certificate check method: Certificate check mode: crl, ocsp, or none.
      • Certificate revocation password: Revocation password of the certificate.
      • Confirm password: Confirmation of the certificate revocation password.
      • Certificate key length: Length of the certificate key.
      • Certificate save path: Path where certificates are saved.
      • Automatic registration and update: Whether to enable the automatic certificate enrollment and update function.
      • Percentage (%): Percentage of the certificate's validity period after which a new certificate is requested automatically. This parameter is valid only when Automatic registration and update is set to Enable.
      • Regenerate key: Whether to generate the key again. This parameter is valid only when Automatic registration and update is set to Enable.
      • CA identifier: ID of the CA.
      • Certificate request URL: Enrollment URL, in the format http://server_location/ca_script_location. The server_location field supports only the IP address format, and the ca_script_location field is the path where the CA's enrollment script is located, for example, http://10.137.145.158:8080/certsrv/mscep/mscep.dll.
      • RA mode: Whether to enable registration authority (RA) mode.
      • CA root certificate fingerprint: Fingerprint of the CA certificate, used to authenticate the CA certificate. The options are as follows:
        • MD5: message digest algorithm 5
        • SHA1: secure hash algorithm 1
      • OCSP server URL: URL of the Online Certificate Status Protocol (OCSP) server.
      • CDP URL: CRL distribution point (CDP) URL. CRL stands for certificate revocation list.
      • CRL cache: Whether to use the cached CRL in the PKI domain.
      • CRL update interval (hours): Interval for updating the CRL.

  • Modifying a PKI domain
    1. Choose Security Management > PKI > PKI Domain.
    2. Select a PKI domain in the PKI Domain Information area, and click the modification icon.
    3. In the Modify PKI Domain dialog box that is displayed, modify the parameters. The parameter PKI domain name cannot be modified.
    4. Click OK.
  • Deleting a PKI domain
    1. Choose Security Management > PKI > PKI Domain.
    2. Select the check box of a PKI domain and click Delete.
    3. In the dialog box that is displayed, click OK.

    NOTE:

    A PKI domain that is referenced by an SSL policy cannot be deleted. To delete the PKI domain, first remove it from the SSL policy. For details on how to modify or delete an SSL policy, see 14.8 SSL.
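
Checks behind the PKI domain settings of Table 14-31, as an added example that is not Huawei's code: the instant at which Percentage (%) of the validity period has elapsed and automatic update becomes due, verification of the CA root certificate against a configured MD5 or SHA1 fingerprint, and whether a cached CRL is still within the CRL update interval. The certificate bytes are a constructed placeholder rather than a real certificate, and the domain dictionary and function names are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, List

def renewal_time(not_before: datetime, not_after: datetime, percent: int) -> datetime:
    """Instant at which Percentage (%) of the certificate's validity period has elapsed."""
    if not 1 <= percent <= 100:
        raise ValueError("Percentage (%) must be between 1 and 100")
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return not_before + (not_after - not_before) * (percent / 100)

def auto_update_due(not_before: datetime, not_after: datetime, percent: int,
                    now: datetime, auto_update: bool = True) -> bool:
    """True when Automatic registration and update is enabled and the renewal point has passed."""
    return auto_update and now >= renewal_time(not_before, not_after, percent)

def ca_fingerprint(der: bytes, algorithm: str) -> str:
    """Fingerprint of the DER-encoded CA certificate with the selected MD5 or SHA1 option."""
    name = {"MD5": "md5", "SHA1": "sha1"}.get(algorithm.upper())
    if name is None:
        raise ValueError("CA root certificate fingerprint supports MD5 or SHA1 only")
    return hashlib.new(name, der).hexdigest()

def ca_fingerprint_matches(der: bytes, algorithm: str, configured: str) -> bool:
    """Constant-time comparison against the configured value, ignoring case and separators."""
    wanted = configured.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(ca_fingerprint(der, algorithm), wanted)

def crl_cache_fresh(fetched_at: datetime, update_hours: int, now: datetime) -> bool:
    """A cached CRL may be used until CRL update interval (hours) has elapsed."""
    return now - fetched_at < timedelta(hours=update_hours)

def domain_findings(domain: Dict, now: datetime) -> List[str]:
    """Defender-side review of one PKI domain: what needs attention right now."""
    findings = []
    if domain["check_method"] == "none":
        findings.append("no revocation checking: Certificate check method is none")
    if auto_update_due(domain["not_before"], domain["not_after"], domain["percent"], now, domain["auto_update"]):
        findings.append("certificate has passed its renewal point: re-enrollment due")
    if not ca_fingerprint_matches(domain["ca_der"], domain["fp_algorithm"], domain["ca_fingerprint"]):
        findings.append("CA root certificate fingerprint does not match the configured value")
    if domain["check_method"] == "crl" and domain["crl_cache"] and \
            not crl_cache_fresh(domain["crl_fetched_at"], domain["crl_update_hours"], now):
        findings.append("cached CRL is older than the CRL update interval")
    return findings

UTC = timezone.utc
# Constructed placeholder standing in for a DER-encoded CA certificate (not a real certificate).
CA_DER = b"CONSTRUCTED-PLACEHOLDER-CA-CERTIFICATE-BYTES"

# Constructed sample domain: one-year certificate, renewal at 75% of validity, CRL checking with cache.
SAMPLE_DOMAIN = {
    "check_method": "crl",
    "not_before": datetime(2024, 1, 1, tzinfo=UTC),
    "not_after": datetime(2025, 1, 1, tzinfo=UTC),
    "percent": 75,
    "auto_update": True,
    "fp_algorithm": "SHA1",
    "ca_fingerprint": ca_fingerprint(CA_DER, "SHA1"),   # pinned when the domain was provisioned
    "ca_der": CA_DER,
    "crl_cache": True,
    "crl_fetched_at": datetime(2024, 9, 30, tzinfo=UTC),
    "crl_update_hours": 24,
}
```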

14.10 Security Protection

14.10.1 ACL Filtering

Context

An ACL is a set of rules that only classifies packets; on its own it does not filter them.

After ACLs are configured, you can configure ACL filtering to apply the ACLs so that packets are filtered.

Procedure

  • Creating an ACL filtering rule
    1. Choose Security Management > Security Protection > ACL Filtering.

      Figure 14-31 ACL Filtering

    2. Click Create and set parameters in the Create ACL Filtering dialog box that is displayed. Table 14-32 describes the parameters.


    3. Click OK. An ACL filtering rule is added to the ACL filtering list.

      Table 14-32 Parameters for creating an ACL filtering rule

      • Filter Type:
        • Interface: ACL filtering applied to an interface
        • Service Set: ACL filtering applied to a service set
        Click the selection icon, select an interface or service set from the list, and click OK. You can enter the interface name or service set name and click Search to find it.
      • ACL: Name of the ACL to apply.
        Click the selection icon, select an ACL from the list, and click OK. You can enter the ACL name and click Search to find the ACL.
        NOTE:
        You can select a created 14.2.1 Basic ACL, 14.2.2 Advanced ACL, or 14.2.3 User ACL from the ACL name drop-down list box.
        Basic, advanced, and user ACLs can be applied to an interface to filter packets. Only advanced ACLs 3000 to 3031 and user ACLs 6000 to 6031 can be applied to a service set to filter packets.
      • Direction: Direction of the packets to which the ACL filtering rule applies.

  • Modifying an ACL filtering rule
    1. Choose Security Management > Security Protection > ACL Filtering.
    2. Click the modification icon of an ACL filtering rule.
    3. In the Modify ACL Filtering dialog box that is displayed, modify parameters described in Table 14-32.
    4. Click OK.
  • Deleting an ACL filtering rule
    1. Choose Security Management > Security Protection > ACL Filtering.
    2. Select the check box of an ACL filtering rule and click Delete.
    3. In the dialog box that is displayed, click OK.
From group: WLAN

useful document, thanks