The security dot1x command configures 802.1X authentication and encryption for WPA and WPA2.
The undo security command restores the default security policy.
By default, the security policy is open system.
security { wpa | wpa2 | wpa-wpa2 } dot1x { aes | tkip | aes-tkip }
security wpa-wpa2 dot1x tkip aes
undo security
Parameter | Description | Value |
---|---|---|
wpa | Configures WPA authentication. | - |
wpa2 | Configures WPA2 authentication. | - |
wpa-wpa2 | Configures WPA-WPA2 authentication. STAs can be authenticated using WPA or WPA2. | - |
aes | Configures AES encryption. | - |
tkip | Configures TKIP encryption. | - |
aes-tkip | Configures AES-TKIP encryption. After passing the authentication, STAs can use the AES or TKIP algorithm for data encryption. | - |
Usage Scenario
WPA/WPA2 authentication includes WPA/WPA2 PSK authentication and 802.1X authentication, which are also called WPA/WPA2 personal edition and WPA/WPA2 enterprise edition, respectively. 802.1X authentication provides high security and is suited to enterprise networks.
To access a WLAN device using WPA or WPA2 802.1X authentication, run the security dot1x command. If multiple types of STAs are available, you can configure the WPA-WPA2 and TKIP-CCMP security policy for authentication and data encryption.
The security wpa-wpa2 dot1x tkip aes command indicates that WPA and WPA2 use TKIP and AES for data encryption, respectively.
Precautions
The authentication type in the security profile and authentication profile must both be set to 802.1X authentication. You can run the display wlan config-errors command to check whether error messages are generated for authentication type mismatch between the security profile and authentication profile.
The system displays the message only when the security profile has been bound to other profiles.
If 802.1X authentication is configured with TKIP or AES-TKIP encryption for WPA/WPA2, the function that denies access to non-HT STAs does not take effect.
The offline management VAP does not support 802.1X authentication and encryption modes. Therefore, if the offline management VAP is enabled for a VAP profile, the VAP profile cannot be bound to a security profile with WPA/WPA2 802.1X authentication and encryption configured. If the VAP profile has been bound to a security profile, the authentication and encryption modes of the security profile cannot be changed to WPA/WPA2 802.1X.
# Configure WPA (802.1X authentication and TKIP encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa dot1x tkip
Warning: If the wmm disable command, TKIP, WEP, or radio type of 802.11a/b/g is configured, the function of denying access of legacy STAs cannot take effect.
# Configure WPA2 (802.1X authentication and TKIP encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa2 dot1x tkip
Warning: If the wmm disable command, TKIP, WEP, or radio type of 802.11a/b/g is configured, the function of denying access of legacy STAs cannot take effect.
# Configure WPA-WPA2 (802.1X authentication and AES-TKIP encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip
Warning: If the wmm disable command, TKIP, WEP, or radio type of 802.11a/b/g is configured, the function of denying access of legacy STAs cannot take effect.
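The following audit script is an added example, not part of the vendor documentation. It parses saved configuration or session text using the command forms shown above and reports which security profiles are affected by the precautions on this page. The function names, note wording, and sample input are assumptions made for illustration.

```python
import re

PROMPT_RE = re.compile(r"^(?:<[^>]+>|\[[^\]]+\])\s*")  # <HUAWEI> or [HUAWEI-wlan-view]
PROFILE_RE = re.compile(r"^security-profile name (\S+)$")
# Both documented forms: "{ aes | tkip | aes-tkip }" and the "tkip aes" variant.
DOT1X_RE = re.compile(r"^security (wpa|wpa2|wpa-wpa2) dot1x (aes-tkip|tkip aes|aes|tkip)$")
NOTES = {"default": "default policy in effect: open system",
         "other": "not a dot1x policy: outside this check"}

def parse_policies(text):
    """Map each security profile to (mode, cipher), 'default' or 'other'."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            policies.setdefault(current, "default")
        elif line == "quit":
            current = None
        elif current and line == "undo security":
            policies[current] = "default"
        elif current and line.startswith("security "):
            hit = DOT1X_RE.match(line)
            policies[current] = hit.groups() if hit else "other"
    return policies

def audit(text):
    """Return {profile: [findings]} using only the rules stated on this page."""
    report = {}
    for name, policy in parse_policies(text).items():
        if isinstance(policy, str):
            report[name] = [NOTES[policy]]
            continue
        mode, cipher = policy
        notes = []
        if "tkip" in cipher:
            notes.append("TKIP permitted: denying non-HT STAs cannot take effect")
        if mode != "wpa2":
            notes.append("WPA STAs accepted")
        report[name] = notes
    return report

# Constructed sample input (not captured from a real device).
SAMPLE = """\
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip
[HUAWEI-wlan-view] security-profile name p2
[HUAWEI-wlan-sec-prof-p2] security wpa2 dot1x aes
"""
```

Calling `audit(SAMPLE)` returns two findings for `p1` and an empty list for `p2`. A profile with no `security` line, or one followed by `undo security`, is reported as using the default open system policy.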