< Home

Example for Configuring Attack Detection

Configuration Process

You need to configure and maintain WLAN features and functions in different profiles. These WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When configuring WLAN services, you need to set related parameters in the WLAN profiles and bind the profiles to the AP group or APs. Then the configuration is automatically delivered to and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to know the relationships among the profiles before configuring them. For details about the profile relationships and their basic configuration procedure, see WLAN Service Configuration Procedure.

Networking Requirements

As shown in Figure 1, the AC and AP are connected through access switch SwitchA. The enterprise branch has deployed WLAN services for mobile office applications. To protect the network against flood attacks and PSK cracking, configure the attack detection and dynamic blacklist functions and add the attacking devices to the blacklist. Packets from the attacking devices are discarded to ensure network stability and security.

Figure 1 Networking diagram for configuring attack detection

Configuration Roadmap

  1. Configure basic WLAN services to enable STAs to connect to the WLAN.
  2. Configure detection of brute force key cracking attacks for WPA2-PSK authentication and detection of flood attacks so that the device can detect information about the attacking devices.
  3. Configure the dynamic blacklist function and add devices that initiate attacks to the dynamic blacklist so that packets from the devices are discarded during the configured aging time.

The following example configures attack detection on the 2.4G radio. The configuration on the 5G radio is similar.

Table 1 Data planning

Item

Data

DHCP server

The AC functions as a DHCP server to assign IP addresses to the STAs and AP.

IP address pool for the AP

10.23.100.2-10.23.100.254/24

IP address pool for STAs

10.23.101.2-10.23.101.254/24

AC's source interface address

VLANIF 100: 10.23.100.1/24

AP group
  • Name: ap-group1
  • Referenced profile: VAP profile wlan-vap, regulatory domain profile domain1, and WIDS profile wlan-wids
  • Attack detection mode on radio 0 in an AP group: detection of brute force key cracking attacks for WPA2-PSK authentication and detection of flood attacks

Regulatory domain profile
  • Name: domain1
  • Country code: CN

SSID profile
  • Name: wlan-ssid
  • SSID name: wlan-net

Security profile
  • Name: wlan-security
  • Security policy: WPA2-PSK-AES
  • Password: a1234567

VAP profile
  • Name: wlan-vap
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Referenced profile: SSID profile wlan-ssid and security profile wlan-security

WIDS profile
  • Name: wlan-wids
  • Interval for brute force PSK cracking attack detection: 70s
  • Quiet time for brute force PSK cracking attack detection: 700s
  • Maximum number of key negotiation failures allowed within a brute force PSK cracking attack detection period: 25
  • Flood attack detection interval: 70s
  • Quiet time for flood attack detection: 700s
  • Flood attack detection threshold: 350
  • Dynamic blacklist: enabled

AP system profile
  • Name: wlan-system
  • Aging time of the dynamic blacklist: 200s

Configuration Notes

  • No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
    For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.

  • Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.

  • In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure

  1. Set the NAC mode to unified on the AC so that users can connect to the network properly.

    <HUAWEI> system-view
[HUAWEI] authentication unified-mode

    If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the configuration and restart the device.

  2. Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

    # Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2 that connects SwitchA to the AC to the same VLAN.

    <HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

    # Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.

    [HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

  3. Configure the AC to communicate with the upstream device.

    Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and communicate with the upstream device.

    # Add AC uplink interface GE0/0/2 to service VLAN 101.

    [AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

  4. Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

    # Configure the AC as the DHCP server to allocate an IP address to the AP from the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF 101.

    Configure the DNS server as required. The common methods are as follows:
    • In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
    [AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

  5. Configure the AP to go online.

    # Create an AP group and add the AP to the AP group.

    [AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y  
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 100
    # Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.

    The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

    [AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y  
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y  
[AC-wlan-ap-0] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP goes online normally.

    [AC-wlan-view] display ap all
    Total AP information: 
nor  : normal          [1] 
Extrainfo : Extra information 
P  : insufficient power supply 
-------------------------------------------------------------------------------------------------- 
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo 
-------------------------------------------------------------------------------------------------- 
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         - 
-------------------------------------------------------------------------------------------------- 
Total: 1

  6. Configure attack detection.

    # Enable brute force attack detection for WPA2-PSK authentication and flood attack detection.

    [AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] wids attack detect wpa2-psk enable
[AC-wlan-group-radio-ap-group1/0] wids attack detect flood enable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] quit

    # Create the WIDS profile wlan-wids.

    [AC-wlan-view] wids-profile name wlan-wids

    # Set the interval for brute force attack detection to 70 seconds in WPA2-PSK authentication, the maximum number of key negotiation failures allowed within the detection period to 25, and quiet time to 700s.

    [AC-wlan-wids-prof-wlan-wids] brute-force-detect interval 70
[AC-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25
[AC-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700

    # Set the interval for flood attack detection to 70 seconds, flood attack detection threshold to 350, and quiet time to 700s.

    [AC-wlan-wids-prof-wlan-wids] flood-detect interval 70
[AC-wlan-wids-prof-wlan-wids] flood-detect threshold 350
[AC-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700

    # Enable the dynamic blacklist function.

    [AC-wlan-wids-prof-wlan-wids] undo dynamic-blacklist disable
[AC-wlan-wids-prof-wlan-wids] quit

    # Create the AP system profile wlan-system and set the aging time of dynamic blacklist to 200s.

    [AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200
[AC-wlan-ap-system-prof-wlan-system] quit

  7. Configure WLAN service parameters.

    # Create the security profile wlan-security and set the security policy in the profile.

    [AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

    # Create the SSID profile wlan-ssid and set the SSID name to wlan-net.

    [AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

    # Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply the security profile and SSID profile to the VAP profile.

    [AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

    # Bind the VAP profile wlan-vap, WIDS profile wlan-wids, and AP system profile wlan-system to the AP group.

    [AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit

  8. Verify the configuration.

    After the configuration is complete, run the display wlan ids attack-detected all command to check the detected attacking devices.

    [AC-wlan-view] display wlan ids attack-detected all
#AP: Number of monitor APs that have detected the device
AT: Last detcted attack type
CH: Channel number
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  wiv: Weak IV detected
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address     AT     CH   RSSI(dBm)  Last detected time     #AP
-------------------------------------------------------------------------------
000b-c002-9c81  pbr    165  -87        2014-11-20/15:51:13    1
0024-2376-03e9  pbr    165  -84        2014-11-20/15:51:13    1
0046-4b74-691f  act    165  -67        2014-11-20/15:51:13    1
-------------------------------------------------------------------------------
Total: 3, printed: 3

    Run the display wlan dynamic-blacklist all command to check devices on the dynamic blacklist.

    [AC-wlan-view] display wlan dynamic-blacklist all
#AP: Number of monitor APs that have detected the device
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  eapl: EAPOL logoff frame
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame
-------------------------------------------------------------------------------
MAC address       Last detected time    Reason   #AP
-------------------------------------------------------------------------------
000b-c002-9c81    2014-11-20/16:15:53   pbr      1   
0024-2376-03e9    2014-11-20/16:15:53   pbr      1   
0046-4b74-691f    2014-11-20/16:15:53   act      1   
-------------------------------------------------------------------------------
Total: 3, printed: 3

Configuration Files

  • SwitchA configuration file
    #
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

  • AC configuration file

    #
 sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#4R-.UpLuaWW`dGKS3R':Hg.h4g.hh:ygc7*P$q("%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 wids-profile name wlan-wids
  flood-detect interval 70
  flood-detect threshold 350
  flood-detect quiet-time 700
  brute-force-detect interval 70
  brute-force-detect threshold 25
  brute-force-detect quiet-time 700
  dynamic-blacklist enable
 ap-system-profile name wlan-system
  dynamic-blacklist aging-time 200
 ap-group name ap-group1
  ap-system-profile wlan-system
  regulatory-domain-profile domain1
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-vap wlan 1
   wids attack detect flood enable
   wids attack detect wpa2-psk enable
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
Parent Topic: Configuration Examples for WLAN Security
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic