02-H3C无线控制器WIPS针对所有SSID进行反制典型配置举例
本章节下载: 02-H3C无线控制器WIPS针对所有SSID进行反制典型配置举例 (255.03 KB)
H3C无线控制器WIPS针对所有SSID进行反制典型配置举例
Copyright © 2023 新华三技术有限公司 版权所有,保留一切权利。
非经本公司书面许可,任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部,并不得以任何形式传播。
除新华三技术有限公司的商标外,本手册中出现的其它公司的商标、产品标识及商品名称,由各自权利人拥有。
本文档中的信息可能变动,恕不另行通知。
本文档介绍了WIPS针对所有SSID进行反制典型配置举例。
本文档不严格与具体软、硬件版本对应,如果使用过程中与产品实际情况有差异,请以设备实际情况为准。
本文档中的配置均是在实验室环境下进行的配置和验证,配置前设备的所有参数均采用出厂时的缺省配置。如果您已经对设备进行了配置,为了保证配置效果,请确认现有配置和以下举例中的配置不冲突。
本文档假设您已了解WIPS特性。
如图1所示,AP通过交换机与AC相连,AP1和AP2为Client提供无线服务,配置SSID为service,在Sensor上开启WIPS功能,当检测到非法AP提供非法的SSID(service或其他任意SSID比如free)提供给Client接入时,这时Sensor AP对非法AP会进行反制,阻止Client在非法AP上线。
图1 WIPS针对所有SSID进行反制配置组网图
(1) 配置AC的接口
# 创建VLAN 100及其对应的VLAN接口,并为该接口配置IP地址。AP将通过该IP地址与AC建立CAPWAP隧道。
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 112.12.1.25 16
[AC-Vlan-interface100] quit
# 创建VLAN 200及其对应的VLAN接口,并为该接口配置IP地址。Client使用VLAN200接入无线网络。
[AC] vlan 200
[AC-vlan200] quit
[AC] interface vlan-interface 200
[AC-Vlan-interface200] ip address 112.13.1.25 16
[AC-Vlan-interface200] quit
# 配置AC和Switch相连的接口GigabitEthernet1/0/1为Trunk类型,禁止VLAN 1报文通过,允许VLAN 100和VLAN 200通过。
[AC] interface gigabitethernet1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
(2) 配置DHCP server
# 开启DHCP server功能。
[AC] dhcp enable
# 配置DHCP地址池vlan100为AP分配地址范围为112.12.0.0/16,网关地址为112.12.1.25。
[AC] dhcp server ip-pool vlan100
[AC-dhcp-pool-vlan100] network 112.12.0.0 mask 255.255.0.0
[AC-dhcp-pool-vlan100] gateway-list 112.12.1.25
[AC-dhcp-pool-vlan100] quit
# 配置DHCP地址池vlan200为Client分配地址范围为112.13.0.0/16,为Client分配的DNS服务器地址为网关地址(实际使用过程中请根据实际网络规划配置无线客户端的DNS服务器地址),网关地址为112.13.1.25。
[AC] dhcp server ip-pool vlan200
[AC-dhcp-pool-vlan200] network 112.13.0.0 mask 255.255.0.0
[AC-dhcp-pool-vlan200] gateway-list 112.13.1.25
[AC-dhcp-pool-vlan200] dns-list 112.13.1.25
[AC-dhcp-pool-vlan200] quit
(3) 配置WIPS
# 进入WIPS视图。
[AC] wips
# 配置AP分类规则,对SSID为service的进行匹配。
[AC-wips] ap-classification rule 1
[AC-wips-cls-rule-1] ssid equal service
[AC-wips-cls-rule-1] quit
# 配置AP分类规则,对SSID不为service的进行匹配。
[AC-wips] ap-classification rule 2
[AC-wips-cls-rule-2] ssid not equal service
[AC-wips-cls-rule-2] quit
# 配置AP分类策略,对符合分类规则rule1和rule2的AP分类为非法AP,设置反制的优先级为最高,并将AP1和AP2加入到信任列表中。
[AC-wips] classification policy class1
[AC-wips-cls-class1] apply ap-classification rule 1 rogue-ap severity-level 100
[AC-wips-cls-class1] apply ap-classification rule 2 rogue-ap severity-level 100
[AC-wips-cls-class1] trust mac-address 000f-1111-0111
[AC-wips-cls-class1] trust mac-address 000f-1111-0112
[AC-wips-cls-class1] quit
# 创建虚拟安全域,并应用分类策略到虚拟安全域vsd1。
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-1] apply classification policy class1
[AC-wips-vsd-1] quit
# 配制反制策略,反制非法AP。
[AC-wips] countermeasure policy 1
[AC-wips-cms-1] countermeasure rogue-ap
[AC-wips-cms-1] quit
# 应用反制策略到虚拟安全域vsd1。
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] apply countermeasure policy 1
[AC-wips-vsd-vsd1] quit
[AC-wips] quit
(4) 配置AP
在大规模组网时,推荐在AP组内进行配置。
# 创建无线服务模板service,并配置SSID为service,配置Client从无线服务模板service上线后会被加入VLAN 200。
[AC] wlan service-template service
[AC-wlan-st-service] ssid service
[AC-wlan-st-service] vlan 200
# 配置身份认证与密钥管理模式为PSK模式,配置PSK密钥为明文字符串12345678。
[AC-wlan-st-service] akm mode psk
[AC-wlan-st-service] preshared-key pass-phrase simple 12345678
# 配置加密套件为CCMP,安全信息元素为RSN。
[AC-wlan-st-service] cipher-suite ccmp
[AC-wlan-st-service] security-ie rsn
# 配置客户端数据报文转发位置为AC。(如果客户端数据报文的缺省转发位置与本配置相同,请跳过此步骤)
[AC-wlan-st-service] client forwarding-location ac
# 开启无线服务模板。
[AC-wlan-st-service] service-template enable
[AC-wlan-st-service] quit
# 创建手工AP,名称为ap1,选择AP型号并配置序列号。
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC-wlan-ap-ap1] quit
# 创建手工AP,名称为ap2,选择AP型号并配置序列号。
[AC] wlan ap ap2 model WA6320
[AC-wlan-ap-ap2] serial-id 219801A28N819CE0003T
[AC-wlan-ap-ap2] quit
# 创建AP组group1,并配置AP名称入组规则。
[AC] wlan ap-group group1
[AC-wlan-ap-group-group1] ap ap1 ap2
# 将无线服务模板绑定到AP组group1下的Radio 1上。
[AC-wlan-ap-group-group1] ap-model WA6320
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template service
# 开启Radio 1的射频功能。
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit
[AC-wlan-ap-group-group1-ap-model-WA6320] quit
[AC-wlan-ap-group-group1] quit
# 创建手工AP,名称为sensor,选择AP型号并配置序列号。
[AC] wlan ap sensor model WA6320
[AC-wlan-ap-sensor] serial-id 219801A28N819CE0004T
[AC-wlan-ap-sensor] quit
# 创建AP组group2,并配置AP名称入组规则。
[AC] wlan ap-group group2
[AC-wlan-ap-group-group2] ap sensor
# 开启Radio 1的射频功能。
[AC-wlan-ap-group-group2] ap-model WA6320
[AC-wlan-ap-group-group2-ap-model-WA6320] radio 1
[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] radio enable
# 射频接口开启WIPS功能并加入虚拟安全域中。
[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] wips enable
[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] quit
[AC-wlan-ap-group-group2-ap-model-WA6320] quit
[AC-wlan-ap-group-group2] wips virtual-security-domain vsd1
[AC-wlan-ap-group-group2] return
# 创建VLAN 100和VLAN 200,其中VLAN 100用于转发AC和AP间CAPWAP隧道内的流量,VLAN 200用于转发Client无线报文。
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] vlan 200
[Switch-vlan200] quit
# 配置Switch与AC相连的GigabitEthernet1/0/1接口的属性为Trunk,禁止VLAN 1报文通过,允许VLAN 100和200通过。
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
# 配置Switch与Sensor相连的GigabitEthernet1/0/2接口属性为Access,并允许VLAN 100通过。
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 100
# 开启PoE接口远程供电功能。
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
# 配置Switch与AP1相连的GigabitEthernet1/0/3接口属性为Access,并允许VLAN 100通过。
[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port access vlan 100
# 开启PoE接口远程供电功能。
[Switch-GigabitEthernet1/0/3] poe enable
[Switch-GigabitEthernet1/0/3] quit
# 配置Switch与AP2相连的GigabitEthernet1/0/4接口属性为Access,并允许VLAN 100通过。
[Switch] interface gigabitethernet1/0/4
[Switch-GigabitEthernet1/0/4] port link-type access
[Switch-GigabitEthernet1/0/4] port access vlan 100
# 开启PoE接口远程供电功能。
[Switch-GigabitEthernet1/0/4] poe enable
[Switch-GigabitEthernet1/0/4] quit
(1) 查看Sensor所在虚拟安全域扫描到的设备,Rogue AP提供的服务SSID和本地AC关联的业务AP提供的服务SSID相同,WIPS能正确识别关联的业务AP为授权AP,Rogue AP为非法AP。
<AC> display wips virtual-security-domain vsd1 device
Total 3 detected devices in virtual-security-domain vsd1
Class: Auth - authorization; Ext - external; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address Type Class Duration Sensors Channel Status
000f-1111-0111 AP Auth 00h 05m 26s 1 161 Active
000f-1111-0112 AP Auth 00h 05m 26s 1 161 Active
000f-e200-1202 AP Rogue 00h 05m 26s 1 161 Active
000f-e200-1222 AP Rogue 00h 05m 26s 1 161 Active
可以查看到外部AP被分类成Rogue AP,正确关联的AP被分类成授权AP。
(2) 验证反制功能正常,通过display wips virtual-security-domain vsd1 countermeasure record命令查看反制记录。
<AC> display wips virtual-security-domain vsd1 countermeasure record
Total 2 times countermeasure, current 2 countermeasure record in virtual-security-domain vsd1
Reason: Attack; Ass - associated; Black - blacklist;
Class - classification; Manu - manual;
MAC address Type Reason Countermeasure AP Radio ID Time
000f-e200-1202 AP Class sensor 1 2019-09-20/07:20:38
000f-e200-1222 AP Class sensor 1 2019-09-20/07:20:38
· AC:
#
dhcp enable
#
vlan 100
#
vlan 200
#
dhcp server ip-pool vlan100
gateway-list 112.12.1.25
network 112.12.0.0 mask 255.255.0.0
#
dhcp server ip-pool vlan200
gateway-list 112.13.1.25
network 112.13.0.0 mask 255.255.0.0
dns-list 112.13.1.25
#
wlan service-template service
ssid service
vlan 200
client forwarding-location ac
akm mode psk
preshared-key pass-phrase cipher $c$3$jJ5Vq5IaYJJP9g7gA9h4rbGHLlUK/iEIQlFB
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface Vlan-interface100
ip address 112.12.1.25 255.255.0.0
#
interface Vlan-interface200
ip address 112.13.1.25 255.255.0.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 200
#
wlan ap-group group1
vlan 1
ap ap1
ap ap2
ap-model WA6320
radio 1
radio enable
service-template service
radio 2
gigabitethernet 1
#
wlan ap-group group2
vlan 1
ap sensor
wips virtual-security-domain vsd1
ap-model WA6320
radio 1
radio enable
wips enable
radio 2
gigabitethernet 1
#
wlan ap ap1 model WA6320
serial-id 219801A2N819CE0002T
#
wlan ap ap2 model WA6320
serial-id 219801A2N819CE0003T
#
wlan ap sensor model 6320
serial-id 219801A2N819CE0004T
#
wips
#
ap-classification rule 1
ssid equal service
#
ap-classification rule 2
ssid not equal service
#
classification policy class1
apply ap-classification rule 1 rogue-ap severity-level 100
apply ap-classification rule 2 rogue-ap severity-level 100
trust mac-address 000f-1111-0111
trust mac-address 000f-1111-0112
#
countermeasure policy 1
countermeasure rogue-ap
#
virtual-security-domain vsd1
apply classification policy class1
apply countermeasure policy 1
#
· Switch:
#
vlan 100
#
vlan 200
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 200
#
interface GigabitEthernet1/0/2
port access vlan 100
poe enable
#
interface GigabitEthernet1/0/3
port access vlan 100
poe enable
#
interface GigabitEthernet1/0/4
port access vlan 100
poe enable
#
· 《H3C无线控制器产品 配置指导》中的“WLAN安全配置指导”。
· 《H3C无线控制器产品 命令参考》中的“WLAN安全命令参考”。
不同款型规格的资料略有差异, 详细信息请向具体销售和400咨询。H3C保留在没有任何通知或提示的情况下对资料内容进行修改的权利!