The capwap message-integrity psk command configures a pre-shared key (PSK) for checking integrity of CAPWAP packets.
The undo capwap message-integrity psk command restores the default PSK for checking integrity of CAPWAP packets.
The default PSK for checking integrity of CAPWAP packets is huawei_seccwp.
| Parameter | Description | Value |
|---|---|---|
| psk-value | Specifies the PSK for checking integrity of CAPWAP packets. | The value can be a string of 48 or 68 characters in cipher text (for example, %^%#u(Oz:BL,QKYZw%-JWC*P8aGC,="C&M'OI*Gmt.V(%^%#) or a string of 6 to 32 characters in plain text (for example, a1234567). The key must contain at least two of the following: uppercase letters, lowercase letters, digits, and special characters except the question mark (?) and space. |
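
The plain-text value rules above, as an added pre-change check in Python (not Huawei's code): it tests a candidate PSK against the documented length and character-class rules and flags the documented default. Treating "special characters" as printable ASCII punctuation and rejecting non-ASCII input are assumptions, as is the function name.

```python
import string

DEFAULT_PSK = "huawei_seccwp"   # default PSK stated on this page
FORBIDDEN = set("? ")           # question mark and space are excluded by the value rules
# Assumption: "special characters" means printable ASCII punctuation.
SPECIALS = set(string.punctuation) - FORBIDDEN
ALLOWED = set(string.ascii_letters + string.digits) | SPECIALS


def check_plaintext_psk(psk):
    """Return a list of rule violations; an empty list means the value is acceptable."""
    problems = []
    if not 6 <= len(psk) <= 32:
        problems.append("length must be 6 to 32 characters")
    if FORBIDDEN & set(psk):
        problems.append("must not contain '?' or a space")
    # Assumption: anything outside printable ASCII is rejected.
    if set(psk) - ALLOWED - FORBIDDEN:
        problems.append("contains characters outside printable ASCII")
    classes = [
        any(c in string.ascii_uppercase for c in psk),
        any(c in string.ascii_lowercase for c in psk),
        any(c in string.digits for c in psk),
        any(c in SPECIALS for c in psk),
    ]
    if sum(classes) < 2:
        problems.append("needs at least two character classes")
    if psk == DEFAULT_PSK:
        problems.append("is the documented default PSK")
    return problems


if __name__ == "__main__":
    # Constructed candidates; the second and third appear as examples on this page.
    for candidate in ["huawei_seccwp", "z0020011@11", "a1234567", "abcdef", "pass word1", "Ab1?"]:
        issues = check_plaintext_psk(candidate)
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
```
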
Usage Scenario
CAPWAP packets are transmitted between the AC and APs. To prevent the packets from being forged or tampered with and prevent malformed packet attacks, you can configure integrity check of CAPWAP packets. When a PSK is used to check integrity of CAPWAP packets, you can run this command on the AC to configure a PSK.
It is recommended that you change the pre-shared key in a timely manner to ensure device security.
Follow-up Procedure
Run the undo capwap message-integrity check disable command to enable integrity check of CAPWAP packets.
Configuration Impact
After this configuration is complete, all online APs on the AC go offline.
# Set the PSK for checking integrity of CAPWAP packets to z0020011@11.
```
<HUAWEI> system-view
[HUAWEI] capwap message-integrity psk z0020011@11
Warning: In a backup scenario, the PSK and status of CAPWAP message integrity check must be the same between the master and backup ends. This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]:y
```