The permit-ap command configures a WIDS whitelist.
The undo permit-ap command deletes entries in the WIDS whitelist.
By default, no WIDS whitelist is configured.
permit-ap { mac-address mac-address | oui oui | ssid ssid }
undo permit-ap { mac-address { mac-address | all } | oui { oui | all } | ssid { name ssid | all } }
Parameter | Description | Value |
---|---|---|
mac-address mac-address | Adds or deletes an authorized MAC address. | The value is in H-H-H format. An H is a hexadecimal number of 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
mac-address all | Deletes an authorized MAC address list. | - |
oui oui | Adds or deletes an authorized OUI. | The value is in H-H-H format. An H is a hexadecimal number of 2 digits. |
oui all | Deletes an authorized OUI list. | - |
ssid name ssid | Deletes an authorized SSID. | The SSID must exist. To specify an SSID starting with a space, include the SSID with double quotation marks (" "). For example, in the SSID " hello", the double quotation marks at the start and end of the SSID occupy two characters. To specify an SSID starting with a double quotation mark ("), enter an escape character (\) before the double quotation mark. For example, in the SSID \"hello, the escape character (\) occupies one character. |
ssid ssid | Adds an authorized SSID. | The SSID must exist. To specify an SSID starting with a space, include the SSID with double quotation marks (" "). For example, in the SSID " hello", the double quotation marks at the start and end of the SSID occupy two characters. To specify an SSID starting with a double quotation mark ("), enter an escape character (\) before the double quotation mark. For example, in the SSID \"hello, the escape character (\) occupies one character. |
ssid all | Deletes an authorized SSID list. | - |
Usage Scenario
After WIDS/WIPS is enabled, rogue APs can be detected and countered. However, there may be APs of other vendors or other networks working in the existing signal coverage areas. If these APs are countered, their services will be affected. To prevent this situation, configure an authorized AP list, including an authorized MAC address list, OUI list, and SSID list. If an unauthorized AP is detected but matches the authorized AP list, the AP is considered an authorized AP and will not be countered.
For example, APs of other vendors are deployed on the existing WLAN to expand network capacity. To prevent the APs from being countered, add OUIs of the vendors to a whitelist and add SSIDs of these APs to a whitelist. In this way, the device will consider the APs as authorized APs.
Precautions
If you add or delete an entry, the device will re-check the validity of the unauthorized APs. If an unauthorized AP becomes authorized, the device stops countering the AP. If an authorized AP becomes unauthorized, the device starts countering the AP.
# Add a MAC address, an OUI, and an SSID to the WIDS whitelist.
```
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wids-whitelist-profile name huawei
[HUAWEI-wlan-wids-whitelist-huawei] permit-ap mac-address 0011-2233-4455
[HUAWEI-wlan-wids-whitelist-huawei] permit-ap oui 00-11-22
[HUAWEI-wlan-wids-whitelist-huawei] permit-ap ssid huawei
```
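A pre-change check for planned whitelist entries, written against the value rules in the parameter table. This is an added example, not Huawei's code: the function names and the sample plan are assumptions, and it cannot verify the device-side requirement that an SSID already exists.

```python
import re

MAC_RE = re.compile(r"[0-9A-Fa-f]{4}(-[0-9A-Fa-f]{4}){2}")  # H-H-H, 4 hex digits per H
OUI_RE = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){2}")  # H-H-H, 2 hex digits per H

def reject_reason(kind, value):
    """Return None if value satisfies the parameter table, else why it does not."""
    if kind == "mac-address":
        if not MAC_RE.fullmatch(value):
            return "MAC address not in H-H-H format (4 hex digits per group)"
        raw = value.replace("-", "").lower()
        if raw in ("ffffffffffff", "000000000000"):
            return "reserved MAC address"
        if int(raw[:2], 16) & 0x01:  # I/G bit of the first octet set
            return "multicast MAC address"
    elif kind == "oui":
        if not OUI_RE.fullmatch(value):
            return "OUI not in H-H-H format (2 hex digits per group)"
    elif kind != "ssid":
        return "unknown entry type"
    return None

def cli_ssid(ssid):
    """Quote an SSID the way the parameter table requires on the command line."""
    if ssid.startswith(" "):
        return '"' + ssid + '"'  # leading space: wrap in double quotes
    if ssid.startswith('"'):
        return "\\" + ssid       # leading double quote: escape it
    return ssid

def render(entries):
    """Split (kind, value) pairs into permit-ap commands and rejected entries."""
    commands, rejected = [], []
    for kind, value in entries:
        reason = reject_reason(kind, value)
        if reason:
            rejected.append((kind, value, reason))
        else:
            arg = cli_ssid(value) if kind == "ssid" else value
            commands.append("permit-ap %s %s" % (kind, arg))
    return commands, rejected

if __name__ == "__main__":
    # Constructed sample change request, not taken from a real network.
    plan = [("mac-address", "0011-2233-4455"), ("mac-address", "0100-5e00-0001"),
            ("oui", "00-11-22"), ("oui", "0011-22"), ("ssid", " guest")]
    cmds, bad = render(plan)
    print("\n".join(cmds + ["rejected: %s %s (%s)" % b for b in bad]))
```

Because an AP that matches the list is not countered, running the planned entries through a check like this before the change keeps the exemption limited to the entries that were reviewed.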