
Configuring WPA/WPA2-802.1X

Context

Both WPA and WPA2 support 802.1X authentication and the TKIP or AES encryption algorithm. The two protocols provide almost the same security level; they differ in the protocol packet format.

WPA/WPA2-802.1X applies to enterprise networks that require high security. An independent authentication server needs to be deployed. If customers' devices support only WEP encryption, the devices can implement 802.1X+TKIP without a hardware upgrade, whereas they may need a hardware upgrade to implement 802.1X+AES.

Wireless terminals vary and support different authentication and encryption modes. To enable terminals of various types to access the network and facilitate network management, you can configure WPA and WPA2 simultaneously on the device. If the security policy is set to WPA-WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports TKIP or AES can implement service packet encryption.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run security-profile name profile-name

    The security profile view is displayed.

  4. Run security { wpa | wpa2 | wpa-wpa2 } dot1x { aes | tkip | aes-tkip }, or security wpa-wpa2 dot1x tkip aes

    The security policy is set to WPA/WPA2-802.1X.

    An authentication profile must be configured for 802.1X access authentication. For details, see "NAC Configuration (Unified Mode)" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - User Access and Authentication Configuration Guide.

    The authentication type in the security profile and authentication profile must both be set to 802.1X authentication. You can run the display wlan config-errors command to check whether error messages are generated for authentication type mismatch between the security profile and authentication profile.

  5. (Optional) Run wpa ptk-update enable

    Periodic PTK update is enabled.

    By default, periodic PTK update is disabled.

    When periodic PTK update is implemented, some STAs may encounter service interruptions or go offline due to problems specific to those STAs.

  6. (Optional) Run wpa ptk-update ptk-update-interval ptk-rekey-interval

    The PTK update interval is configured.

    By default, the interval for updating PTKs is 43200 seconds.

  7. (Optional) Run pmf { optional | mandatory }

    The PMF function is configured.

    By default, the PMF function is disabled for a VAP.

    PMF requires the WPA2 authentication mode and the AES encryption mode.
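
The PMF prerequisite in step 7 and the defaults in steps 5 and 6 can be checked offline against a saved configuration. The Python sketch below is an added example, not Huawei code; it assumes the saved configuration stores security-profile settings as the same command lines used in the procedure, and the profile names and sample text are constructed.

```python
import re

# Constructed sample, written with the command syntax from the procedure
# above; the profile names and the 86400 value are made up for the example.
SAMPLE_CONFIG = """\
wlan
 security-profile name corp-dot1x
  security wpa2 dot1x aes
  wpa ptk-update enable
  wpa ptk-update ptk-update-interval 86400
  pmf mandatory
 security-profile name legacy-dot1x
  security wpa-wpa2 dot1x tkip aes
  pmf optional
"""

SECURITY_RE = re.compile(
    r"security (wpa-wpa2|wpa2|wpa) dot1x (tkip aes|aes-tkip|aes|tkip)$")

def parse_profiles(text):
    """Return {profile name: effective settings} with documented defaults applied."""
    profiles, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("security-profile name "):
            cur = profiles.setdefault(line.split()[-1], {
                "policy": None, "ciphers": set(),
                "ptk_update": False,    # default: periodic PTK update disabled
                "ptk_interval": 43200,  # default PTK update interval, seconds
                "pmf": None})           # default: PMF disabled
        elif cur is None:
            continue                    # line outside any security profile
        elif (m := SECURITY_RE.match(line)):
            cur["policy"] = m.group(1)
            cur["ciphers"] = set(re.split(r"[- ]", m.group(2)))
        elif line == "wpa ptk-update enable":
            cur["ptk_update"] = True
        elif line.startswith("wpa ptk-update ptk-update-interval "):
            cur["ptk_interval"] = int(line.split()[-1])
        elif line in ("pmf optional", "pmf mandatory"):
            cur["pmf"] = line.split()[1]
    return profiles

def audit(profiles):
    """List profiles where PMF is set without the required WPA2 + AES."""
    return [f"{n}: pmf {p['pmf']} requires security wpa2 dot1x aes"
            for n, p in profiles.items()
            if p["pmf"] and (p["policy"], p["ciphers"]) != ("wpa2", {"aes"})]
```

Calling `audit(parse_profiles(SAMPLE_CONFIG))` reports only the constructed `legacy-dot1x` profile, which sets PMF on a WPA-WPA2 policy that admits TKIP.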

Copyright © Huawei Technologies Co., Ltd.