Configuring Attack Detection on Huawei Wireless Devices (Huawei Network Detection)

Submitted by a site user, 2022-09-15



1. Configure the LSW and the AC so that CAPWAP packets can be transmitted between the AP and the AC

[LSW1]vlan batch 100

[LSW1-GigabitEthernet0/0/1]port link-type trunk

[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

[LSW1-GigabitEthernet0/0/2]port link-type trunk

[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 100

[LSW1-GigabitEthernet0/0/2]port trunk pvid vlan 100

[AC1]vlan batch 100 101

[AC1-GigabitEthernet0/0/1]port link-type trunk

[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100

2. Configure the AC to communicate with the upstream network devices

[AC1-GigabitEthernet0/0/2]port link-type trunk

[AC1-GigabitEthernet0/0/2]port trunk allow-pass vlan 101

3. Configure the AC as a DHCP server to assign IP addresses to STAs and APs

[AC1]dhcp enable

[AC1-Vlanif100]ip add 10.1.100.1 24

[AC1-Vlanif100]dhcp select interface

[AC1-Vlanif101]ip add 10.1.101.1 24

[AC1-Vlanif101]dhcp select interface

4. Bring the AP online

[AC1]wlan

Create an AP group

[AC1-wlan-view]ap-group name ap-group1

Create a regulatory domain profile, configure the AC's country code in it, and reference the profile in the AP group

[AC1-wlan-view]regulatory-domain-profile name domain1

[AC1-wlan-regulate-domain-domain1]country-code cn

[AC1-wlan-view]ap-group name ap-group1

[AC1-wlan-ap-group-ap-group1]regulatory-domain-profile domain1

Configure the AC's source interface

[AC1]capwap source interface Vlanif 100

Import the AP offline on the AC, and add AP1 and AP3 to the AP group

[AC1]wlan

[AC1-wlan-view]ap auth-mode mac-auth

[AC1-wlan-view]ap-id 0 ap-mac 00e0-fc44-4f80

[AC1-wlan-ap-0]ap-name ap1

[AC1-wlan-ap-0]ap-group ap-group1

5. Configure attack detection

Enable brute-force key cracking attack detection for WPA2-PSK authentication, and flood attack detection

[AC1-wlan-view]ap-group name ap-group1

[AC1-wlan-ap-group-ap-group1]radio 0

[AC1-wlan-group-radio-ap-group1/0]wids attack detect enable wpa2-psk

[AC1-wlan-group-radio-ap-group1/0]wids attack detect enable flood

Create a WIDS profile

[AC1-wlan-view]wids-profile name wlan-wids

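For brute-force key cracking attack detection under WPA2-PSK authentication, set the detection period to 70 seconds, the number of key errors allowed within a detection period to 25, and the quiet time to 700 seconds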

[AC1-wlan-wids-prof-wlan-wids]brute-force-detect interval 70

[AC1-wlan-wids-prof-wlan-wids]brute-force-detect threshold 25

[AC1-wlan-wids-prof-wlan-wids]brute-force-detect quiet-time 700

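For flood attack detection, set the detection period to 70 seconds, the flood attack detection threshold to 350, and the quiet time to 700 seconds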

[AC1-wlan-wids-prof-wlan-wids]flood-detect interval 70

[AC1-wlan-wids-prof-wlan-wids]flood-detect threshold 350

[AC1-wlan-wids-prof-wlan-wids]flood-detect quiet-time 700

Enable the dynamic blacklist function

[AC1-wlan-wids-prof-wlan-wids]dynamic-blacklist enable

Create an AP system profile and set the dynamic blacklist aging time to 200 seconds

[AC1-wlan-view]ap-system-profile name wlan-system

[AC1-wlan-ap-system-prof-wlan-system]dynamic-blacklist aging-time 200

6. Configure WLAN service parameters

Create a security profile and configure the security policy

[AC1-wlan-view]security-profile name wlan-security

[AC1-wlan-sec-prof-wlan-security]security wpa2 psk pass-phrase abc@1234 aes

Create an SSID profile and configure the SSID name

[AC1-wlan-view]ssid-profile name wlan-ssid

[AC1-wlan-ssid-prof-wlan-ssid]ssid wlan-net

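Create a VAP profile, configure the service data forwarding mode and the service VLAN, and reference the security profile and the SSID profile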

[AC1-wlan-view]vap-profile name wlan-vap

[AC1-wlan-vap-prof-wlan-vap]forward-mode tunnel

[AC1-wlan-vap-prof-wlan-vap]service-vlan vlan-id 101

[AC1-wlan-vap-prof-wlan-vap]security-profile wlan-security

[AC1-wlan-vap-prof-wlan-vap]ssid-profile wlan-ssid

Configure the AP group to reference the VAP profile, the WIDS profile, and the AP system profile

[AC1-wlan-view]ap-group name ap-group1

[AC1-wlan-ap-group-ap-group1]vap-profile wlan-vap wlan 1 radio 0

[AC1-wlan-ap-group-ap-group1]vap-profile wlan-vap wlan 1 radio 1

[AC1-wlan-ap-group-ap-group1]wids-profile wlan-wids

[AC1-wlan-ap-group-ap-group1]ap-system-profile wlan-system
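
A way to check that steps 5 and 6 fit together, as an added example that is not part of the original post and not a Huawei tool: the script reads a saved session transcript and reports radios that carry a VAP but have no attack detection enabled, AP groups that reference no WIDS profile, and WIDS profiles without the dynamic blacklist. It assumes detection applies only to the radio in whose view it was enabled, as the radio 0 prompt in step 5 implies; `audit`, `REQUIRED` and the finding texts are names chosen for this example.

```python
import re
# Constructed sample: prompt/command lines copied from steps 5 and 6 above.
SAMPLE = """\
[AC1-wlan-ap-group-ap-group1]radio 0
[AC1-wlan-group-radio-ap-group1/0]wids attack detect enable wpa2-psk
[AC1-wlan-group-radio-ap-group1/0]wids attack detect enable flood
[AC1-wlan-wids-prof-wlan-wids]dynamic-blacklist enable
[AC1-wlan-ap-group-ap-group1]vap-profile wlan-vap wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1]vap-profile wlan-vap wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1]wids-profile wlan-wids
"""

REQUIRED = {"wpa2-psk", "flood"}  # the detection types this page enables
LINE = re.compile(r"^\[([^\]]+)\]\s*(.+?)\s*$")  # "[view]command"

def audit(transcript):
    """Added example (not a Huawei tool): list gaps in the WIDS setup."""
    detect, vap_radios, wids_ref, blacklist = {}, {}, {}, set()
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        view, cmd = m.groups()
        if r := re.search(r"wlan-group-radio-(.+)/(\d+)$", view):
            if d := re.fullmatch(r"wids attack detect enable (\S+)", cmd):
                detect.setdefault((r[1], int(r[2])), set()).add(d[1])
        elif g := re.search(r"wlan-ap-group-(.+)$", view):
            if v := re.fullmatch(r"vap-profile \S+ wlan \d+ radio (\d+)", cmd):
                vap_radios.setdefault(g[1], set()).add(int(v[1]))
            elif w := re.fullmatch(r"wids-profile (\S+)", cmd):
                wids_ref[g[1]] = w[1]
        elif p := re.search(r"wlan-wids-prof-(.+)$", view):
            if cmd == "dynamic-blacklist enable":
                blacklist.add(p[1])
    findings = []
    for group, radios in sorted(vap_radios.items()):
        for radio in sorted(radios):  # every radio that serves a VAP
            missing = REQUIRED - detect.get((group, radio), set())
            if missing:
                findings.append(f"{group} radio {radio}: no detection for {', '.join(sorted(missing))}")
        profile = wids_ref.get(group)
        if profile is None:
            findings.append(f"{group}: no wids-profile referenced")
        elif profile not in blacklist:
            findings.append(f"{group}: wids-profile {profile} lacks dynamic-blacklist enable")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the constructed sample the only finding is radio 1, which serves wlan-vap in step 6 but has no `wids attack detect enable` lines in step 5.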

