WLAN Service Configuration Suggestion

Configuring WPA2 + 802.1X Authentication

Commercial environments require secure authentication and encryption modes. WPA2-AES encryption is recommended. High-security 802.1X authentication combined with AES encryption is better suited to closed enterprise networks.

# Configure WPA2 authentication (802.1X authentication and AES encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa2 dot1x aes

If STAs of multiple types exist, you can configure different authentication and encryption modes. Hybrid encryption is recommended.

# Configure WPA-WPA2 authentication (802.1X authentication and hybrid encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip

Configuring the Retransmission Timeout Interval for RADIUS Request Packets

For a large-scale or busy network, configure the shortest retransmission timeout interval for RADIUS request packets. When a long retransmission timeout interval is set, retransmission occupies system resources. A short retransmission timeout interval can improve the AC's packet processing capability.

The default retransmission timeout interval for wireless users is 5 seconds, which is suitable for most wireless user authentication scenarios. When IP addresses of more than eight authentication servers are configured in a RADIUS server template, or 802.1X authentication is used, it is recommended that the retransmission timeout interval be set to 1 second to improve network processing efficiency.

# Set the retransmission timeout interval of RADIUS request packets to 1 second.
<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server timeout 1

Configuring the Timeout Interval for Sending 802.1X Authentication Requests

By default, the timeout interval for an AC to send 802.1X authentication requests is 30 seconds, and the maximum number of retransmission times is 2. In some scenarios, you can adjust these values to optimize network deployment.

If one-time passwords (OTPs) are used, for example, when the network maintenance department sends access passwords to STAs by short message, users must request a password, receive it, and then enter it for authentication. This process may take more than 30 seconds. In this case, set a longer timeout interval for sending 802.1X authentication requests.

If the network environment is poor (for example, wireless interference is severe) and many packets are lost, you are advised to set a short timeout interval for sending 802.1X authentication requests and a large maximum number of retransmission times to improve network convergence performance.

# Set the timeout interval for sending 802.1X authentication requests to 20 seconds, and the maximum number of retransmission times to 4.
<HUAWEI> system-view
[HUAWEI] dot1x timer tx-period 20
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x retry 4

Reducing the Number of SSIDs

SSIDs identify different wireless networks. When you search for available wireless networks on a STA, the displayed wireless network names are SSIDs.

It is recommended that a limited number of SSIDs be configured on an AC. A maximum of 16 SSIDs can be configured for each AP. Too many SSIDs occupy AC system resources.

Reducing the Association Aging Time of STAs

STAs in stadiums move frequently, and a large number of STAs associate with APs deployed at stadium entrances in a short period of time. As a result, no new STA can associate with the APs after the number of associated STAs reaches the upper limit.

Many STAs will leave the coverage area of the APs. Therefore, you are advised to set the association aging time of STAs to 1 minute.

In wireless city scenarios, you are advised to reduce the association aging time of STAs. One minute is recommended.

# Set the association aging time of STAs to 1 minute in the SSID profile ssid1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ssid-profile name ssid1
[HUAWEI-wlan-ssid-prof-ssid1] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y

STA Blacklist and Whitelist Are Not Recommended

On a WLAN, the blacklist or whitelist can be configured to filter access from STAs based on specified rules. The blacklist or whitelist allows authorized STAs to connect to the WLAN and rejects access from unauthorized STAs.

The STA blacklist and whitelist increase the burden on the AC and degrade AC performance. Therefore, the blacklist and whitelist are not recommended, unless otherwise required.

802.11r Is Not Recommended

802.11r is an IEEE protocol that defines fast roaming. Before associating with target APs, STAs complete handshakes for initial identity authentication. By default, 802.11r is disabled.

Only iOS 6 and later versions support 802.11r. STAs that do not support 802.11r cannot associate with 802.11r-enabled WLANs. It is recommended that 802.11r be disabled when multiple types of STAs exist on a WLAN.

AP Load Balancing Is Not Recommended

After AP load balancing is configured, APs in the load balancing group forward received Probe packets to the AC. The AC then determines the APs from which STAs can access the WLAN. Too many Probe packets may degrade AC performance. Therefore, it is recommended that the AP load balancing function be disabled, unless otherwise required.

The Function of Recording Successful STA Associations in the Log Is Not Recommended

After the function of recording successful STA associations in the log is enabled, information about successfully associated STAs is recorded in the log, so that the administrator can view information about successful STA associations. Recording successful STA associations in the log degrades AC performance, especially in scenarios with a large number of STAs. Therefore, it is recommended that this function be disabled. This function is disabled by default.

# Disable the function of recording successful STA associations in the log.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-assoc enable

Reporting Information about STA Traffic and Online Duration on APs Is Not Recommended

You can enable an AC to report information about STA traffic and online duration on APs to eSight. After this function is enabled, the AC collects the information and reports it to eSight through Syslog when STAs go offline or roam within the AC, which facilitates data query on eSight.

Frequent information reporting degrades AC performance, especially in scenarios with a large number of STAs. Therefore, it is recommended that this function be disabled regardless of whether eSight is deployed on a WLAN. This function is disabled by default.

# Disable the AC from reporting information about STA traffic and online duration on APs.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-info enable

Enabling the Function of Disconnecting Weak-Signal STAs

This function is recommended in high-density stadium and higher education scenarios, but not recommended in wireless city scenarios.
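
An added example, not part of the original Huawei documentation: a small Python check that reads a saved AC configuration and reports where the security mode, the RADIUS retransmission timeout, and the STA reporting functions differ from the suggestions on this page. It assumes the saved configuration lists the commands as typed above, indented under the view that owns them; the sample configuration is constructed, and the names test2 and p2 are made up.

```python
import re

DEFAULT_RADIUS_TIMEOUT = 5  # seconds; the wireless-user default stated on this page

# Constructed sample. Assumption: views are indented in the saved configuration.
# The names test2 and p2 are made up for this example.
SAMPLE_CONFIG = """\
radius-server template test1
 radius-server timeout 1
radius-server template test2
wlan
 report-sta-assoc enable
 undo report-sta-info enable
 security-profile name p1
  security wpa2 dot1x aes
 security-profile name p2
  security wpa-wpa2 dot1x aes-tkip
"""

def audit(config_text):
    """Return (view, finding) pairs where the config departs from the page's advice."""
    findings, radius = [], {}          # radius: template name -> timeout (s)
    template = profile = None
    uses_dot1x = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():   # unindented line opens a new top-level view
            m = re.fullmatch(r"radius-server template (\S+)", line)
            template = m.group(1) if m else None
            if template:
                radius[template] = DEFAULT_RADIUS_TIMEOUT
            continue
        m = re.fullmatch(r"radius-server timeout (\d+)", line)
        if m and template:
            radius[template] = int(m.group(1))
        elif line.startswith("security-profile name "):
            profile = line.split()[-1]
        elif line.startswith("security "):
            uses_dot1x = uses_dot1x or "dot1x" in line.split()
            if line == "security wpa-wpa2 dot1x aes-tkip":
                findings.append((profile, "hybrid WPA/WPA2 with TKIP: keep only for mixed STA types"))
            elif line != "security wpa2 dot1x aes":
                findings.append((profile, "not a mode shown on this page: " + line))
        elif line in ("report-sta-assoc enable", "report-sta-info enable"):
            findings.append(("wlan", line + ": the page advises leaving this disabled"))
    if uses_dot1x:                         # 1 s is advised when 802.1X is in use
        for name, secs in radius.items():
            if secs != 1:
                findings.append((name, f"RADIUS timeout {secs}s; the page advises 1s with 802.1X"))
    return findings

if __name__ == "__main__":
    for view, finding in audit(SAMPLE_CONFIG):
        print(f"[{view}] {finding}")
```

A RADIUS template with no timeout line is treated as using the 5-second default, which is why test2 is reported while test1 is not.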

Copyright © Huawei Technologies Co., Ltd.