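By detecting and countering rogue devices that intrude on the network and users that launch attacks, these features protect the security of the wireless network boundary. By authenticating the legitimacy and security of user access, they protect users' wireless service data.
You can select and deploy the functions that match your actual service requirements.
Configuration examples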
- Example for configuring WIDS/WIPS
  # Example for configuring device detection and containment.
    <Huawei> system-view
    [Huawei] wlan
    [Huawei-wlan-view] ap-id 0
    [Huawei-wlan-ap-0] radio 0
    [Huawei-wlan-radio-0/0] wids device detect enable // Enable device detection
    [Huawei-wlan-radio-0/0] wids contain enable // Enable device containment
    [Huawei-wlan-radio-0/0] quit
    [Huawei-wlan-ap-0] quit
    [Huawei-wlan-view] wids-profile name wlan-wids // Create a WIDS profile
    [Huawei-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap // Configure the containment mode for rogue or interfering devices
    [Huawei-wlan-wids-prof-wlan-wids] quit
    [Huawei-wlan-view] ap-id 0
    [Huawei-wlan-ap-0] wids-profile wlan-wids // Reference the WIDS profile in the AP
  # Example for configuring attack detection and the dynamic blacklist.
    <Huawei> system-view
    [Huawei] wlan
    [Huawei-wlan-view] ap-id 0
    [Huawei-wlan-ap-0] radio 0
    [Huawei-wlan-radio-0/0] wids attack detect enable all // Enable attack detection
    [Huawei-wlan-radio-0/0] quit
    [Huawei-wlan-ap-0] quit
    [Huawei-wlan-view] wids-profile name wlan-wids // Create a WIDS profile
    [Huawei-wlan-wids-prof-wlan-wids] dynamic-blacklist enable // Enable the dynamic blacklist
    [Huawei-wlan-wids-prof-wlan-wids] quit
    [Huawei-wlan-view] ap-id 0
    [Huawei-wlan-ap-0] wids-profile wlan-wids // Reference the WIDS profile in the AP
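- Example for configuring a security policy
  All WLAN security policies are configured in a security profile, and only one security policy can be configured in each profile. You can create multiple security profiles as needed to carry different security policies and apply them to different VAPs. The following uses WPA2-PSK-AES authentication as an example:
    <Huawei> system-view
    [Huawei] wlan
    [Huawei-wlan-view] security-profile name wlan-security // Create a security profile
    [HUAWEI-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes // Set the security policy to WPA2-PSK-AES
    [HUAWEI-wlan-sec-prof-wlan-security] quit
    [Huawei-wlan-view] vap-profile name vap1 // Create a VAP profile
    [HUAWEI-wlan-vap-prof-vap1] security-profile wlan-security // Reference the security profile in the VAP profile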
- Example for configuring the STA blacklist and whitelist
    <Huawei> system-view
    [Huawei] wlan
    [Huawei-wlan-view] sta-whitelist-profile name sta-whitelist // Create an STA whitelist profile
    [Huawei-wlan-whitelist-prof-sta-whitelist] sta-mac 0001-0001-0001 // Add the STA's MAC address to the STA whitelist
    [Huawei-wlan-whitelist-prof-sta-whitelist] quit
    [Huawei-wlan-view] sta-blacklist-profile name sta-blacklist // Create an STA blacklist profile
    [Huawei-wlan-blacklist-prof-sta-blacklist] sta-mac 0002-0002-0002 // Add the STA's MAC address to the STA blacklist
- Example for configuring user isolation within a VAP
    <Huawei> system-view
    [Huawei] wlan
    [Huawei-wlan-view] traffic-profile name traff1 // Create a traffic profile
    [HUAWEI-wlan-traffic-prof-traff1] user-isolate l2 // Configure user isolation
    Warning: Enabling user isolation may interrupt services. Are you sure you want to continue? [Y/N]:y
    [HUAWEI-wlan-traffic-prof-traff1] quit
    [Huawei-wlan-view] vap-profile name vap1 // Create a VAP profile
    [HUAWEI-wlan-vap-prof-vap1] traffic-profile traff1 // Reference the traffic profile in the VAP profile
- Example for configuring port isolation
    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet 0/0/1
    [HUAWEI-GigabitEthernet0/0/1] port-isolate enable // Enable port isolation on this interface
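
The WIDS, security and traffic examples above share one pattern: a profile is created with `<kind>-profile name X` and then referenced with `<kind>-profile X` from an AP or VAP profile. The following Python check is an added example, not Huawei code: it reads a session transcript and lists profiles that were created but never referenced, and security profiles that do not contain exactly one `security` policy line. The transcript, the passphrase and the function names are constructed for illustration.

```python
import re

# Constructed sample (not device output); traff1 is deliberately never referenced.
SAMPLE = """\
[Huawei-wlan-view] security-profile name wlan-security
[Huawei-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase Example_Passphrase1 aes
[Huawei-wlan-sec-prof-wlan-security] quit
[Huawei-wlan-view] traffic-profile name traff1
[Huawei-wlan-traffic-prof-traff1] user-isolate l2 // enable user isolation
[Huawei-wlan-traffic-prof-traff1] quit
[Huawei-wlan-view] vap-profile name vap1
[Huawei-wlan-vap-prof-vap1] security-profile wlan-security
"""

PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")
DEFINE = re.compile(r"^([\w-]+)-profile\s+name\s+(\S+)$")
REFER = re.compile(r"^(wids|security|traffic)-profile\s+(\S+)$")
TRACKED = {"wids", "security", "traffic"}  # kinds this page both creates and references

def commands(transcript):
    """Yield each command with its prompt and trailing // comment stripped."""
    for line in transcript.splitlines():
        cmd = re.sub(r"\s+//.*$", "", PROMPT.sub("", line)).strip()
        if cmd:
            yield cmd

def audit(transcript):
    """Return (unreferenced profiles, security profiles lacking exactly one policy line)."""
    defined, referenced, policies, view = [], set(), {}, None
    for cmd in commands(transcript):
        d, r = DEFINE.match(cmd), REFER.match(cmd)
        if d:                                   # "<kind>-profile name X" creates/enters X
            view = (d.group(1), d.group(2))
            if view[0] in TRACKED and view not in defined:
                defined.append(view)
            if view[0] == "security":
                policies.setdefault(view[1], 0)
        elif r:                                 # "<kind>-profile X" references X
            referenced.add((r.group(1), r.group(2)))
        elif cmd == "quit":
            view = None
        elif cmd.startswith("security ") and view and view[0] == "security":
            policies[view[1]] += 1              # a policy line inside a security profile
    unreferenced = [p for p in defined if p not in referenced]
    bad_policy = sorted(n for n, count in policies.items() if count != 1)
    return unreferenced, bad_policy

if __name__ == "__main__":
    print(audit(SAMPLE))
```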