- 产品与解决方案
- 行业解决方案
- 服务
- 支持
- 合作伙伴
- 关于我们
01-WIPS典型配置
本章节下载: 01-WIPS典型配置 (280.63 KB)
本文档介绍了无线控制器WIPS特性的典型配置举例。
如图1所示,AP通过交换机与AC相连,AP1和AP2为Client提供无线服务,配置SSID为service,在Sensor上开启WIPS功能,当检测到非法AP提供SSID为service诱使Client接入时,对非法AP进行反制,阻止Client在非法AP上线。
图1 WIPS组网图
把提供SSID为“service”无线服务的AP分类为Rogue AP,配置Rogue AP反制,因为关联AP分类优先级高于自定义分类,因此提供SSID为“service”无线服务的关联AP依旧会被分类为授权AP。
配置AP的序列号时请确保该序列号与AP唯一对应。
# 创建VLAN 100及其对应的VLAN接口,并为该接口配置IP地址。AP将通过该IP地址与AC建立CAPWAP隧道。
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 112.12.1.25 16
[AC-Vlan-interface100] quit
# 创建VLAN 200及其对应的VLAN接口,并为该接口配置IP地址。Client使用VLAN200接入无线网络。
[AC] vlan 200
[AC-vlan200] quit
[AC] interface vlan-interface 200
[AC-Vlan-interface200] ip address 112.13.1.25 16
[AC-Vlan-interface200] quit
# 配置AC和Switch相连的接口GigabitEthernet1/0/1为Trunk类型,禁止VLAN 1报文通过,允许VLAN 100和VLAN 200通过。
[AC] interface gigabitethernet1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
(2) 配置DHCP server
# 开启DHCP server功能。
[AC] dhcp enable
# 配置DHCP地址池vlan100为AP分配地址范围为112.12.0.0/16,网关地址为112.12.1.25。
[AC] dhcp server ip-pool vlan100
[AC-dhcp-pool-vlan100] network 112.12.0.0 mask 255.255.0.0
[AC-dhcp-pool-vlan100] gateway-list 112.12.1.25
[AC-dhcp-pool-vlan100] quit
# 配置DHCP地址池vlan200为Client分配地址范围为112.13.0.0/16,为Client分配的DNS服务器地址为网关地址(实际使用过程中请根据实际网络规划配置无线客户端的DNS服务器地址),网关地址为112.13.1.25。
[AC] dhcp server ip-pool vlan200
[AC-dhcp-pool-vlan200] network 112.13.0.0 mask 255.255.0.0
[AC-dhcp-pool-vlan200] gateway-list 112.13.1.25
[AC-dhcp-pool-vlan200] dns-list 112.13.1.25
[AC-dhcp-pool-vlan200] quit
(3) 配置WIPS
# 进入WIPS视图。
[AC] wips
# 配置AP分类规则,对无线服务的SSID进行匹配。
[AC-wips] ap-classification rule 1
[AC-wips-cls-rule-1] ssid equal service
[AC-wips-cls-rule-1] quit
# 配置AP分类策略,对符合分类规则rule1的AP分类为非法AP。
[AC-wips] classification policy class1
[AC-wips-cls-class1] apply ap-classification rule 1 rogue-ap
[AC-wips-cls-class1] quit
# 创建虚拟安全域,并应用分类策略到虚拟安全域vsd1。
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-1] apply classification policy class1
[AC-wips-vsd-1] quit
# 配置反制策略,反制非法AP。
[AC-wips] countermeasure policy 1
[AC-wips-cms-1] countermeasure rogue-ap
[AC-wips-cms-1] quit
# 应用反制策略到虚拟安全域vsd1。
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] apply countermeasure policy 1
[AC-wips-vsd-vsd1] quit
[AC-wips] quit
(4) 配置AP
在大规模组网时,推荐在AP组内进行配置。
# 创建无线服务模板service,并配置SSID为service,配置Client从无线服务模板service上线后会被加入VLAN 200。
[AC] wlan service-template service
[AC-wlan-st-service] ssid service
[AC-wlan-st-service] vlan 200
# 配置身份认证与密钥管理模式为PSK模式,配置PSK密钥为明文字符串12345678。
[AC-wlan-st-service] akm mode psk
[AC-wlan-st-service] preshared-key pass-phrase simple 12345678
# 配置加密套件为CCMP,安全信息元素为RSN。
[AC-wlan-st-service] cipher-suite ccmp
[AC-wlan-st-service] security-ie rsn
# 配置客户端数据报文转发位置为AC。(如果客户端数据报文的缺省转发位置与本配置相同,请跳过此步骤)
[AC-wlan-st-service] client forwarding-location ac
# 开启无线服务模板。
[AC-wlan-st-service] service-template enable
[AC-wlan-st-service] quit
# 创建手工AP,名称为ap1,选择AP型号并配置序列号。
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC-wlan-ap-ap1] quit
# 创建手工AP,名称为ap2,选择AP型号并配置序列号。
[AC] wlan ap ap2 model WA6320
[AC-wlan-ap-ap2] serial-id 219801A28N819CE0003T
[AC-wlan-ap-ap2] quit
# 创建AP组group1,并配置AP名称入组规则。
[AC] wlan ap-group group1
[AC-wlan-ap-group-group1] ap ap1 ap2
# 将无线服务模板service绑定到AP组group1下的Radio 1上。
[AC-wlan-ap-group-group1] ap-model WA6320
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template service
# 开启Radio 1的射频功能。
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit
[AC-wlan-ap-group-group1-ap-model-WA6320] quit
[AC-wlan-ap-group-group1] quit
# 创建手工AP,名称为sensor,选择AP型号并配置序列号。
[AC] wlan ap sensor model WA6320
[AC-wlan-ap-sensor] serial-id 219801A28N819CE0004T
[AC-wlan-ap-sensor] quit
# 创建AP组group2,并配置AP名称入组规则。
[AC] wlan ap-group group2
[AC-wlan-ap-group-group2] ap sensor
# 将无线服务模板service绑定到AP组group3下的Radio 1上。
[AC-wlan-ap-group-group2] ap-model WA6320
[AC-wlan-ap-group-group2-ap-model-WA6320] radio 1
# 开启Radio 1的射频功能。
[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] radio enable
# 射频接口开启WIPS功能并加入虚拟安全域中。
[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] wips enable
[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] quit
[AC-wlan-ap-group-group2-ap-model-WA6320] quit
[AC-wlan-ap-group-group2] wips virtual-security-domain vsd1
[AC-wlan-ap-group-group2] quit
# 创建VLAN 100和VLAN 200,其中VLAN 100用于转发AC和AP间CAPWAP隧道内的流量,VLAN 200用于转发Client无线报文。
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] vlan 200
[Switch-vlan200] quit
# 配置Switch与AC相连的GigabitEthernet1/0/1接口的属性为Trunk,禁止VLAN 1报文通过,允许VLAN 100通过。
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100
[Switch-GigabitEthernet1/0/1] quit
# 配置Switch与Sensor相连的GigabitEthernet1/0/2接口属性为Access,并允许VLAN 100通过。
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 100
# 开启PoE接口远程供电功能。
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
# 配置Switch与AP1相连的GigabitEthernet1/0/3接口属性为Access,并允许VLAN 100通过。
[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port access vlan 100
# 开启PoE接口远程供电功能。
[Switch-GigabitEthernet1/0/3] poe enable
[Switch-GigabitEthernet1/0/3] quit
# 配置Switch与AP2相连的GigabitEthernet1/0/4接口属性为Access,并允许VLAN 100通过。
[Switch] interface gigabitethernet1/0/4
[Switch-GigabitEthernet1/0/4] port link-type access
[Switch-GigabitEthernet1/0/4] port access vlan 100
# 开启PoE接口远程供电功能。
[Switch-GigabitEthernet1/0/4] poe enable
[Switch-GigabitEthernet1/0/4] quit
(1) 查看sensor所在虚拟安全域扫描到的设备,Rogue AP提供的服务SSID和本地AC关联的业务AP提供的服务SSID相同,WIPS能正确识别关联的业务AP为授权AP,Rogue AP为非法AP。
<AC> display wips virtual-security-domain vsd1 device
Total 3 detected devices in virtual-security-domain vsd1
Class: Auth - authorization; Ext - external; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address Type Class Duration Sensors Channel Status
000f-1111-0101 AP Auth 00h 05m 24s 1 161 Active
000f-1111-0111 AP Auth 00h 05m 26s 1 13 Active
000f-e200-1202 AP Rogue 00h 05m 26s 1 161 Active
可以查看到外部AP被分类成Rogue AP,正确关联的AP被分类成授权AP。
(2) 验证反制功能正常,通过display wips virtual-security-domain命令查看反制记录。
<AC> display wips virtual-security-domain vsd1 countermeasure record
Total 1 times countermeasure, current 1 countermeasure record in virtual-security-domain vsd1
Class: Auth - authorization; Ext - external; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address Type Class Sensor name Radio ID Time
000f-e200-1202 AP Rogue sensor 1 2015-11-27/15:52:53
· AC:
#
dhcp enable
#
vlan 100
#
vlan 200
#
dhcp server ip-pool vlan100
gateway-list 112.12.1.25
network 112.12.0.0 mask 255.255.0.0
#
dhcp server ip-pool vlan200
gateway-list 112.13.1.25
network 112.13.0.0 mask 255.255.0.0
dns-list 112.13.1.25
#
wlan service-template service
ssid service
vlan 200
client forwarding-location ac
akm mode psk
preshared-key pass-phrase cipher $c$3$j4R+Ff8S4XNa/uaUjAgwUO5fbtdy+yVXzC+Z
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface Vlan-interface100
ip address 112.12.1.25 255.255.0.0
#
interface Vlan-interface200
ip address 112.13.1.25 255.255.0.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 200
#
wlan ap-group group1
vlan 1
ap ap1
ap ap2
ap-model WA6320
radio 1
radio enable
service-template service
radio 2
gigabitethernet 1
#
wlan ap-group group2
vlan 1
ap sensor
wips virtual-security-domain vsd1
ap-model WA6320
radio 1
radio enable
wips enable
radio 2
gigabitethernet 1
#
wlan ap ap1 model WA6320
serial-id 219801A2N819CE0002T
#
wlan ap ap2 model WA6320
serial-id 219801A2N819CE0003T
#
wlan ap sensor model WA6320
serial-id 219801A2N819CE0004T
#
wips
#
ap-classification rule 1
ssid equal service
#
classification policy class1
apply ap-classification rule 1 rogue-ap
#
countermeasure policy 1
countermeasure rogue-ap
#
virtual-security-domain vsd1
apply classification policy class1
apply countermeasure policy 1
#
· Switch:
#
vlan 100
#
vlan 200
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100
#
interface GigabitEthernet1/0/2
port access vlan 100
poe enable
#
interface GigabitEthernet1/0/3
port access vlan 100
poe enable
#
interface GigabitEthernet1/0/4
port access vlan 100
poe enable
#
· 《H3C无线控制器产品 配置指导》中的“WLAN安全配置指导”。
· 《H3C 无线控制器产品 命令参考》中的“WLAN安全命令参考”。
不同款型规格的资料略有差异, 详细信息请向具体销售和400咨询。H3C保留在没有任何通知或提示的情况下对资料内容进行修改的权利!
支持
