Configuring WAPI-Certificate
Context
WAPI allows only robust security network association (RSNA), providing higher security than WEP or WPA/WPA2.
WAPI-PSK applies to large-scale enterprise networks or carrier networks that can deploy and maintain an expensive certificate system.
WAPI uses X.509 V3 certificates encoded in Base64 binary mode and saved in PEM format. The X.509 V3 certificate file has the name extension .cer. Before importing a certificate for WAPI, ensure that the certificate file is saved in the root directory of the storage medium.
WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. Both the unicast session key (USK) and multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.
The AP7030DE and AP9330DN do not support WAPI.
Procedure
- Run system-view
The system view is displayed.
- Run wlan
The WLAN view is displayed.
- Run security-profile name profile-name
The security profile view is displayed.
- Run security wapi certificate
The security policy is set to WAPI-certificate.
- Configure the certificate file and ASU server.
- (Optional) Run the wapi source interface { vlanif vlan-id | loopback loopback-number } command to configure a VLANIF interface or a loopback interface as the source interface for the AC to communicate with the ASU server.
By default, no source interface is configured for an AC to communicate with an ASU server.
The IP address of the WAPI source interface on the AC must be on the same network segment as the IP address of the ASU server. If no WAPI source interface is configured, the IP address of the AC source interface is used as the source IP address for sending WAPI packets to the WAPI server by default.
- (Optional) Run wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }
The interval for updating a Base Key (BK) and the BK lifetime percentage are set.
The value obtained by multiplying the interval for updating a BK by the BK lifetime percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is less than 300s, the BK may be updated before negotiation is complete due to low STA performance. In this case, some STAs may be forced offline or cannot go online.
By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.
- (Optional) Run wapi sa-timeout sa-time
The timeout period of a security association is set.
By default, the timeout period for a SA is 60s.
If a STA is not authenticated within the timeout period, no SA is established and the STA cannot go online.
- (Optional) Run wapi { usk | msk } key-update { disable | time-based }
The WAPI USK or MSK update mode is set.
By default, USKs and MSKs are updated based on time.
- (Optional) Run wapi { usk-update-interval usk-interval | usk-retrans-count usk-count }
The interval for updating a USK, and number of retransmissions of USK negotiation packets are set.
By default, the interval for updating a USK is 86400s; the number of retransmissions of USK negotiation packets is 3.
- (Optional) Run wapi { msk-update-interval msk-interval | msk-retrans-count msk-count }
The interval for updating an MSK, and number of retransmissions of MSK negotiation packets are set.
By default, the interval for updating an MSK is 86400s; the number of retransmissions of MSK negotiation packets is 3.