Fat AP and Cloud AP Command Reference (Common AP)

14 WLAN Security Configuration Commands (Common AP)

About This Chapter

14.1 anti-attack flood blacklist enable
14.2 anti-attack flood disable
14.3 anti-attack flood sta-rate-threshold
14.4 arp anti-attack check user-bind enable
14.5 brute-force-detect interval
14.6 brute-force-detect quiet-time
14.7 brute-force-detect threshold
14.8 contain
14.9 contain-mode
14.10 device report-interval
14.11 dhcp trust port
14.12 display ap radio-environment
14.13 display wlan wids manual-contain device-mac-list
14.14 display wlan ids attack-detected
14.15 display wlan ids attack-detected statistics
14.16 display wlan ids attack-history
14.17 display wlan ids contain
14.18 display wlan ids device-detected
14.19 display wlan ids device-detected statistics
14.20 display wlan dynamic-blacklist

Issue 08 (2021-11-15) Copyright © Huawei Technologies Co., Ltd. 1559


14.21 display wlan ids rogue-history
14.22 display wlan ids spoof-ssid fuzzy-match
14.23 dynamic-blacklist aging-time
14.24 dynamic-blacklist enable
14.25 flood-detect interval
14.26 flood-detect quiet-time
14.27 flood-detect threshold
14.28 ip source check user-bind enable
14.29 learn-client-address dhcp-strict
14.30 learn-client-address disable (VAP profile view)
14.31 permit-ap
14.32 reset wlan ids attack-detected
14.33 reset wlan ids attack-detected statistics
14.34 reset wlan ids attack-history
14.35 reset wlan dynamic-blacklist
14.36 reset wlan ids rogue-history
14.37 rogue-device log enable
14.38 spoof-detect quiet-time
14.39 spoof-ssid
14.40 sta arp-nd-proxy before-assoc
14.41 weak-iv-detect quiet-time
14.42 wids
14.43 wids attack detect enable
14.44 wids contain enable
14.45 wids device detect enable
14.46 wids manual-contain
14.47 work-mode

14.1 anti-attack flood blacklist enable

Function
The anti-attack flood blacklist enable command enables the flood blacklist
function.


The undo anti-attack flood blacklist enable command disables the flood
blacklist function.

By default, the flood blacklist function is disabled.

Format
anti-attack flood { arp | dhcp | dhcpv6 | igmp | mdns | nd | other-broadcast | other-multicast } blacklist enable

undo anti-attack flood { arp | dhcp | dhcpv6 | igmp | mdns | nd | other-broadcast | other-multicast } blacklist enable

Parameters

arp: Indicates whether to enable the ARP flood blacklist function. (Value: -)
dhcp: Indicates whether to enable the DHCP flood blacklist function. (Value: -)
dhcpv6: Indicates whether to enable the DHCPv6 flood blacklist function. (Value: -)
igmp: Indicates whether to enable the IGMP flood blacklist function. (Value: -)
mdns: Indicates whether to enable the mDNS flood blacklist function. (Value: -)
nd: Indicates whether to enable the ND flood blacklist function. (Value: -)
other-broadcast: Indicates whether to enable the flood blacklist function for broadcast packets other than ARP, DHCP, DHCPv6, and ND packets. (Value: -)
other-multicast: Indicates whether to enable the flood blacklist function for multicast packets other than IGMP and mDNS packets. (Value: -)


Views
VAP profile view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

After the protocol-based flood blacklist function is enabled, the device considers
traffic of a specified protocol (such as DHCP or ARP) with a rate higher than that
specified in anti-attack flood sta-rate-threshold a flood attack and adds the STA
to the blacklist.

Prerequisites

The flood prevention function has been enabled using the undo anti-attack flood
disable command.

Example
# Enable the DHCP flood blacklist function.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-wlan-vap-prof-profile1] anti-attack flood dhcp blacklist enable

14.2 anti-attack flood disable

Function
The anti-attack flood disable command disables the flood prevention function.

The undo anti-attack flood disable command enables the flood prevention
function.

By default, the flood prevention function is enabled.

Format
anti-attack flood { all | arp | dhcp | dhcpv6 | igmp | mdns | nd | other-broadcast | other-multicast } disable

undo anti-attack flood { all | arp | dhcp | dhcpv6 | igmp | mdns | nd | other-broadcast | other-multicast } disable


Parameters

all: Indicates whether to enable the flood prevention function for ARP, DHCP, DHCPv6, IGMP, mDNS, and ND multicast, broadcast, and unicast packets. (Value: -)
arp: Indicates whether to enable the ARP flood prevention function. (Value: -)
dhcp: Indicates whether to enable the DHCP flood prevention function. (Value: -)
dhcpv6: Indicates whether to enable the DHCPv6 flood prevention function. (Value: -)
igmp: Indicates whether to enable the IGMP flood prevention function. (Value: -)
mdns: Indicates whether to enable the mDNS flood prevention function. (Value: -)
nd: Indicates whether to enable the ND flood prevention function. (Value: -)
other-broadcast: Indicates whether to enable the flood prevention function for broadcast packets other than ARP, DHCP, DHCPv6, and ND packets. (Value: -)
other-multicast: Indicates whether to enable the flood prevention function for multicast packets other than IGMP and mDNS packets. (Value: -)

Views
VAP profile view


Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

If a large number of packets are sent to a device in a short time, the device
becomes busy processing the packets and cannot process normal services. To
prevent flood attacks, you can configure protocol-based flood prevention.

Precautions

The flood prevention function takes effect only for incoming traffic on an AP's
wired interface.

Example
# Disable the DHCP flood prevention function.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-vap-prof-profile1] anti-attack flood dhcp disable

14.3 anti-attack flood sta-rate-threshold

Function
The anti-attack flood sta-rate-threshold command sets the flood threshold.

The undo anti-attack flood sta-rate-threshold command restores the default flood threshold.

The default flood threshold is 4 pps for ARP, DHCP, DHCPv6, IGMP, and mDNS
packets, 8 pps for ND packets, 10 pps for broadcast packets other than ARP, DHCP,
DHCPv6, and ND packets, and 10 pps for multicast packets other than IGMP and
mDNS packets.

Format
anti-attack flood { arp | dhcp | dhcpv6 | igmp | mdns | nd | other-broadcast | other-multicast } sta-rate-threshold sta-rate-threshold

undo anti-attack flood { arp | dhcp | dhcpv6 | igmp | mdns | nd | other-broadcast | other-multicast } sta-rate-threshold

Parameters

arp: Specifies ARP packets. (Value: -)
dhcp: Specifies DHCP packets. (Value: -)
dhcpv6: Specifies DHCPv6 packets. (Value: -)
igmp: Specifies IGMP packets. (Value: -)
mdns: Specifies mDNS packets. (Value: -)
nd: Specifies ND packets. (Value: -)
other-broadcast: Specifies broadcast packets other than ARP, DHCP, DHCPv6, and ND packets. (Value: -)
other-multicast: Specifies multicast packets other than IGMP and mDNS packets. (Value: -)
sta-rate-threshold: Specifies the rate threshold of broadcast traffic from STAs. (Value: an integer that ranges from 1 to 5000, in pps.)

Views
VAP profile view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

After the flood prevention function is enabled, you can run this command to set
the broadcast traffic threshold.

When the traffic rate exceeds the threshold, the device considers a flood attack
from the STA and discards the traffic. This prevents the upper-layer network from
being affected by the flood.

If the flood blacklist function is enabled using the anti-attack flood blacklist
enable command, the device adds flood STAs to the blacklist.

Prerequisites

The flood prevention function has been enabled using the undo anti-attack flood
disable command.

Precautions


The flood prevention function takes effect only for incoming traffic on an AP's
wired interface.

Example
# Set the DHCP flood threshold to 100 pps.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-vap-prof-profile1] anti-attack flood dhcp sta-rate-threshold 100
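As an added illustration (not Huawei code and not the AP's implementation), the following Python model shows how the three settings from sections 14.1 to 14.3 combine for one STA: the per-protocol disable switch, the sta-rate-threshold, and the blacklist switch. The default thresholds are the ones listed above; the class name, the one-second sliding window, and the MAC/protocol bookkeeping are assumptions made for the example.

```python
from collections import defaultdict, deque

# Default per-STA flood thresholds in pps, as documented for
# anti-attack flood sta-rate-threshold (keyword names are the command's own).
DEFAULT_STA_RATE_THRESHOLD = {
    "arp": 4, "dhcp": 4, "dhcpv6": 4, "igmp": 4, "mdns": 4,
    "nd": 8, "other-broadcast": 10, "other-multicast": 10,
}


class FloodGuard:
    """Per-STA, per-protocol rate check over a one-second sliding window.

    Hypothetical model of the documented behaviour: traffic above the
    threshold is treated as a flood and dropped; if the flood blacklist is
    enabled for that protocol, the STA is blacklisted and all of its later
    packets are dropped.
    """

    def __init__(self, thresholds=None, blacklist_enabled=(), prevention_disabled=()):
        self.thresholds = dict(DEFAULT_STA_RATE_THRESHOLD)
        for proto, pps in (thresholds or {}).items():
            if proto not in self.thresholds:
                raise ValueError(f"unknown protocol keyword {proto!r}")
            if not 1 <= pps <= 5000:            # documented range of sta-rate-threshold
                raise ValueError("sta-rate-threshold must be 1..5000 pps")
            self.thresholds[proto] = pps
        self.blacklist_enabled = set(blacklist_enabled)      # anti-attack flood <proto> blacklist enable
        self.prevention_disabled = set(prevention_disabled)  # anti-attack flood { all | <proto> } disable
        self.windows = defaultdict(deque)   # (sta_mac, proto) -> timestamps in the last second
        self.blacklist = set()
        self.dropped = 0

    def packet(self, sta_mac, proto, ts):
        """Return 'forward' or 'drop' for one packet seen at time ts (seconds)."""
        if sta_mac in self.blacklist:
            self.dropped += 1
            return "drop"
        if "all" in self.prevention_disabled or proto in self.prevention_disabled:
            return "forward"                 # flood prevention switched off for this protocol
        window = self.windows[(sta_mac, proto)]
        window.append(ts)
        while window and ts - window[0] >= 1.0:
            window.popleft()                 # keep only the last second of traffic
        if len(window) > self.thresholds[proto]:
            self.dropped += 1
            if proto in self.blacklist_enabled:
                self.blacklist.add(sta_mac)  # flood STA goes to the blacklist
            return "drop"
        return "forward"


if __name__ == "__main__":
    # Constructed scenario: DHCP threshold 100 pps with blacklisting, ARP at default 4 pps.
    guard = FloodGuard(thresholds={"dhcp": 100}, blacklist_enabled={"dhcp"})
    verdicts = [guard.packet("00e0-fc00-0001", "dhcp", i * 0.005) for i in range(101)]
    print("first drop at packet", verdicts.index("drop") + 1, "blacklist:", guard.blacklist)
```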

14.4 arp anti-attack check user-bind enable


Function
The arp anti-attack check user-bind enable command enables dynamic ARP
inspection (DAI).
The undo arp anti-attack check user-bind enable command disables DAI.
By default, DAI is disabled.

Format
arp anti-attack check user-bind enable
undo arp anti-attack check user-bind enable

Parameters
None

Views
VAP profile view

Default Level
2: Configuration level

Usage Guidelines
DAI allows an AP to detect the ARP Request and Reply packets transmitted on the
VAPs of the AP, to discard invalid and attack ARP packets, and to record an alarm.
This function prevents ARP packets of unauthorized users from accessing the
external network through the AP, protecting authorized users against interference
or spoofing, and protecting the AP.
● Invalid ARP packets: The source IP and MAC addresses of ARP Request and
Reply packets do not match.
● Attack ARP packets: When an AP receives a large number of consecutive ARP
packets and the number of ARP packets exceeds the ARP attack alarm
threshold, an ARP attack occurs.


Example
# Enable DAI.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name vap1
[HUAWEI-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
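The two DAI checks described above, as an added Python example that is not Huawei code: an ARP frame is parsed, its sender MAC/IP pair is compared with the user binding, and a burst of otherwise valid ARP packets above an alarm threshold is reported as an attack. The binding table, the frame builder, the one-second window, and the alarm threshold value are assumptions for the example (the page states that such a threshold exists but not its value).

```python
import struct
from collections import defaultdict, deque

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(sender_mac, sender_ip, target_ip, opcode=ARP_REQUEST, eth_src=None):
    """Construct a test frame (Ethernet + ARP); constructed input for the demo only."""
    eth = ETH_HDR.pack(b"\xff" * 6, mac_to_bytes(eth_src or sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, opcode, mac_to_bytes(sender_mac),
                       ip_to_bytes(sender_ip), b"\x00" * 6, ip_to_bytes(target_ip))
    return eth + arp


class DynamicArpInspection:
    """Hypothetical DAI model: user bindings map an authorised STA MAC to its IP."""

    def __init__(self, bindings, alarm_threshold=5, window=1.0):
        self.bindings = dict(bindings)
        self.alarm_threshold = alarm_threshold   # assumed ARP attack alarm threshold
        self.window = window
        self.recent = defaultdict(deque)         # sender MAC -> timestamps of valid ARP packets
        self.alarms = []                         # (time, MAC, IP, reason)

    def inspect(self, frame, now):
        """Return (verdict, reason); verdict is 'forward' or 'drop'."""
        if len(frame) < ETH_HDR.size + ARP_HDR.size:
            return "drop", "truncated"
        _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
        if ethertype != ETHERTYPE_ARP:
            return "forward", "not-arp"
        _ht, _pt, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
        if hlen != 6 or plen != 4 or op not in (ARP_REQUEST, ARP_REPLY):
            return "drop", "malformed"
        sender_mac, sender_ip = bytes_to_mac(sha), bytes_to_ip(spa)
        # Invalid ARP packet: the sender MAC/IP pair does not match the user
        # binding (an Ethernet source differing from the ARP sender MAC also fails).
        if bytes_to_mac(eth_src) != sender_mac or self.bindings.get(sender_mac) != sender_ip:
            self.alarms.append((now, sender_mac, sender_ip, "invalid"))
            return "drop", "invalid"
        # Attack ARP packets: too many consecutive ARP packets within the window.
        q = self.recent[sender_mac]
        q.append(now)
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) > self.alarm_threshold:
            self.alarms.append((now, sender_mac, sender_ip, "attack"))
            return "drop", "attack"
        return "forward", "ok"
```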

14.5 brute-force-detect interval


Function
The brute-force-detect interval command sets the interval for brute force key
cracking detection.

The undo brute-force-detect interval command restores the default interval for
brute force key cracking detection.

By default, the interval for brute force key cracking detection is 60 seconds.

Format
brute-force-detect interval interval

undo brute-force-detect interval

Parameters

interval: Specifies the interval for brute force key cracking detection. (Value: an integer that ranges from 10 to 120, in seconds.)

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

In a brute force key cracking attack, an attacker tries all possible key combinations
one by one to obtain the correct password. To improve password security, enable
defense against brute force key cracking to prolong the time used to crack
passwords.


An AP checks whether the number of key negotiation failures during WPA/WPA2-PSK, WAPI-PSK, or WEP-Share-Key authentication of a user exceeds the threshold configured using the brute-force-detect threshold command. If so, the AP considers that the user is using the brute force method to crack the password. If the dynamic blacklist function is enabled, the AP adds the user to the dynamic blacklist and discards all the packets from the user until the dynamic blacklist entry ages out.

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example
# Set the interval for brute force key cracking detection to 100 seconds.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids attack detect enable wpa-psk
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] brute-force-detect interval 100

14.6 brute-force-detect quiet-time


Function
The brute-force-detect quiet-time command sets the quiet time for an AP to
record brute force key attacks.

The undo brute-force-detect quiet-time command restores the default quiet time for an AP to record brute force key attacks.

By default, the quiet time for an AP to record brute force key attacks is 600
seconds.

Format
brute-force-detect quiet-time quiet-time-value

undo brute-force-detect quiet-time

Parameters

quiet-time-value: Specifies the quiet time for an AP to record brute force key attacks. (Value: an integer that ranges from 60 to 36000, in seconds.)


Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

After attack detection is enabled on an AP, the AP reports alarms upon attack
detection. If an attack source launches attacks repeatedly, a large number of
repeated alarms are generated. To prevent this situation, configure the quiet time
function for attack detection. When detecting attack sources of the same MAC
address, the AP does not report alarms in the quiet time. However, if the AP still
detects attacks from the attack source after the quiet time expires, the AP reports
alarms. You can set the quiet time based on attack types.

To obtain attack information in a timely manner, set the quiet time to a small
value. If attacks are frequently detected, set the quiet time to a large value to
prevent frequent alarm reports.

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example
# Set the quiet time for an AP to record brute force key attacks to 300 seconds.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids attack detect enable wpa-psk
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] brute-force-detect quiet-time 300

14.7 brute-force-detect threshold


Function
The brute-force-detect threshold command sets the maximum number of key
negotiation failures allowed within a brute force key cracking attack detection
period.

The undo brute-force-detect threshold command restores the default maximum number of key negotiation failures allowed within a brute force key cracking attack detection period.

By default, an AP allows a maximum of 20 key negotiation failures within a brute force key cracking attack detection period.


Format
brute-force-detect threshold threshold
undo brute-force-detect threshold

Parameters

threshold: Specifies the number of key negotiation failures within a detection period. (Value: an integer that ranges from 1 to 100.)

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
In a brute force key cracking attack, an attacker tries all possible key combinations one by one to obtain the correct password. To improve password security, enable defense against brute force key cracking to prolong the time used to crack passwords.

An AP checks whether the number of key negotiation failures during WPA/WPA2-PSK, WAPI-PSK, or WEP-Share-Key authentication of a user exceeds the threshold configured using the brute-force-detect threshold command. If so, the AP considers that the user is using the brute force method to crack the password. If the dynamic blacklist function is enabled, the AP adds the user to the dynamic blacklist and discards all the packets from the user until the dynamic blacklist entry ages out. If the threshold is set to a small value, the AP may incorrectly add authorized users to the dynamic blacklist, and those users will be unable to go online.

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example
# Set the maximum number of key negotiation failures allowed within a brute
force key cracking attack detection period to 60.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids attack detect enable wpa-psk
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan


[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] brute-force-detect threshold 60
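The interplay of the three brute-force-detect settings (sections 14.5 to 14.7) with the dynamic blacklist, as an added Python model that is not Huawei code: failures are counted per STA inside one detection interval, an excess over the threshold is reported as an attack, repeat alarms for the same MAC are suppressed during the quiet time, and an enabled dynamic blacklist discards the STA's traffic until the entry ages out. The class name, the timestamps, and the aging_time value (set on the AP by dynamic-blacklist aging-time, whose default is not given in this section) are assumptions.

```python
from collections import defaultdict, deque


class BruteForceDetector:
    """Hypothetical model of WIDS brute force key cracking detection."""

    def __init__(self, interval=60, threshold=20, quiet_time=600,
                 dynamic_blacklist=False, aging_time=600):
        # Defaults and ranges are the ones documented for the three commands.
        if not 10 <= interval <= 120:
            raise ValueError("brute-force-detect interval must be 10..120 s")
        if not 1 <= threshold <= 100:
            raise ValueError("brute-force-detect threshold must be 1..100")
        if not 60 <= quiet_time <= 36000:
            raise ValueError("brute-force-detect quiet-time must be 60..36000 s")
        self.interval = interval
        self.threshold = threshold
        self.quiet_time = quiet_time
        self.dynamic_blacklist = dynamic_blacklist   # dynamic-blacklist enable
        self.aging_time = aging_time                 # assumed dynamic-blacklist aging-time
        self.failures = defaultdict(deque)   # MAC -> timestamps of failed key negotiations
        self.last_alarm = {}                 # MAC -> time of the last reported alarm
        self.blacklist = {}                  # MAC -> time at which the entry ages out
        self.alarms = []                     # (time, MAC, failures counted in the interval)

    def is_blacklisted(self, mac, now):
        expiry = self.blacklist.get(mac)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[mac]          # dynamic blacklist entry has aged out
            return False
        return True

    def key_negotiation_failed(self, mac, now):
        """Record one failed WPA/WPA2-PSK, WAPI-PSK or WEP share-key negotiation.

        Returns 'blacklisted' (packet discarded), 'ok' (below threshold),
        'alarm' (attack reported) or 'quiet' (attack seen, alarm suppressed).
        """
        if self.is_blacklisted(mac, now):
            return "blacklisted"
        q = self.failures[mac]
        q.append(now)
        while q and now - q[0] >= self.interval:
            q.popleft()                      # keep failures of the current detection interval
        if len(q) <= self.threshold:
            return "ok"
        # Threshold exceeded: the STA is treated as a brute force attacker.
        if self.dynamic_blacklist:
            self.blacklist[mac] = now + self.aging_time
        last = self.last_alarm.get(mac)
        if last is not None and now - last < self.quiet_time:
            return "quiet"                   # same MAC, still inside the quiet time
        self.last_alarm[mac] = now
        self.alarms.append((now, mac, len(q)))
        return "alarm"


if __name__ == "__main__":
    # Constructed scenario matching the example values: interval 100 s, threshold 60,
    # quiet time 300 s, with the dynamic blacklist enabled.
    det = BruteForceDetector(interval=100, threshold=60, quiet_time=300, dynamic_blacklist=True)
    results = [det.key_negotiation_failed("00e0-fc02-9c81", t) for t in range(62)]
    print(results[59:], det.alarms, det.blacklist)
```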

14.8 contain
Function
The contain command enables containment of rogue and interfering devices
based on the RSSI and number of associated STAs on the devices.
The undo contain command disables containment of rogue and interfering
devices based on the RSSI and number of associated STAs on the devices.
By default, containment of rogue and interfering devices based on the RSSI and
number of associated STAs on the devices is disabled.

Format
contain { min-rssi min-rssi | min-sta-num min-sta-num }
undo contain { min-rssi | min-sta-num }

Parameters

min-rssi min-rssi: Specifies the minimum RSSI value. (Value: an integer that ranges from -95 to -50.)
min-sta-num min-sta-num: Specifies the minimum number of associated STAs. (Value: an integer that ranges from 1 to 10.)

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
After RSSI-based containment is enabled, if the RSSIs of detected rogue and
interfering devices are no more than the specified minimum RSSI value, the
devices are not contained. They are contained only when their RSSIs exceed the
specified minimum RSSI value.
After containment based on the number of associated STAs is enabled, if the
number of STAs associated with detected rogue and interfering devices is smaller


than the specified minimum value, the devices are not contained. They are
contained only when the number of STAs associated with them reaches the
specified minimum value.

Prerequisites

Detection and containment of rogue and interfering devices have been enabled.

Precautions

This function is not supported in manual containment mode.

Example
# Enable containment of rogue and interfering APs with spoofing SSIDs and set
the number of associated STAs that triggers containment to 5.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids contain enable
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] contain-mode spoof-ssid-ap
[HUAWEI-wlan-wids] contain min-sta-num 5

14.9 contain-mode
Function
The contain-mode command sets the containment mode against rogue or
interference devices.

The undo contain-mode command deletes the containment mode against rogue
or interference devices.

By default, no containment mode against rogue or interference devices is set.

Format
contain-mode { open-ap | spoof-ssid-ap | client [ protect sta-whitelist-profile
profile-name ] | adhoc }
undo contain-mode { open-ap | spoof-ssid-ap | client [ protect ] | adhoc }

Parameters

open-ap: Sets the containment mode against open-authentication rogue or interference APs. (Value: -)
spoof-ssid-ap: Sets the containment mode against rogue or interference APs using spoofing SSIDs. (Value: -)
client: Sets the containment mode against unauthorized STAs or interference STAs. (Value: -)
protect sta-whitelist-profile profile-name: Protects STAs based on the STA whitelist. Authorized STAs in the whitelist are protected from connecting to rogue or interference APs. (Value: -)
adhoc: Sets the containment mode against Ad-hoc devices. (Value: -)

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Rogue or interference devices pose serious security threats to enterprise networks.
After the containment mode is set against rogue or interference APs, the monitor
AP uses the identity of the rogue or interference AP to broadcast deauthentication
frames to forcibly disconnect STAs. To prevent the STAs from connecting to the
rogue or interference AP again, the monitor AP will periodically and continuously
send deauthentication frames.
After the containment mode is set against rogue STAs, interference STAs or Ad-hoc
devices, the monitor AP uses the MAC address of a rogue device to continuously
send unicast deauthentication frames.

Example
# Counter rogue and interference APs with spoofing SSIDs.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids contain enable
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] contain-mode spoof-ssid-ap

14.10 device report-interval


Function
The device report-interval command sets the interval at which an AP detects
incremental wireless device information.


The undo device report-interval command restores the default interval at which
an AP detects incremental wireless device information.

By default, an AP detects incremental wireless device information at an interval of 300 seconds.

Format
device report-interval interval

undo device report-interval

Parameters

interval: Specifies the interval at which an AP detects incremental wireless device information. (Value: an integer that ranges from 60 to 3600, in seconds.)

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

Prerequisites

The device detection function has been enabled using the wids device detect
enable command for the AP.

Example
# Set the interval at which an AP detects incremental wireless device information
to 120 seconds.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids device detect enable
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] device report-interval 120


14.11 dhcp trust port


Function
The dhcp trust port command configures a DHCP trusted interface on an AP.

The undo dhcp trust port command cancels the configuration.

By default, the DHCP trusted interface is enabled on the AP.

Format
dhcp trust port

undo dhcp trust port

Parameters
None

Views
GE interface view, Eth-Trunk interface view, MultiGE interface view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

When STA address learning is enabled using the undo learn-client-address disable (VAP profile view) command:
● If the STA gateway is deployed on the AP, disable the DHCP trusted interface function to prevent attacks to STAs from bogus DHCP servers.
● If the STA gateway is deployed on a non-AP device, configure the AP interface connected to the gateway as a DHCP trusted interface so that STAs can obtain IP addresses of the same VLAN from the DHCP server.

When STA address learning is disabled using the learn-client-address disable (VAP profile view) command, STAs can obtain IP addresses of the same VLAN through the interface regardless of whether the interface is configured as a DHCP trusted interface.

Example
# Configure GE0/0/0 on the AP as a DHCP trusted interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/0
[HUAWEI-GigabitEthernet0/0/0] dhcp trust port


14.12 display ap radio-environment


Function
The display ap radio-environment command displays air interface environment
information about AP radios.

Format
display ap radio-environment [ radio radio-id ]

Parameters

radio radio-id: Displays air interface environment information about the AP radio with a specified ID. (Value: the radio ID must exist.)

Views
All views

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
When WLAN access experience is poor, you can run this command to view air
interface environment information and Wi-Fi interference sources. The interference
can be determined based on the noise floor, signal to interference plus noise ratio
(SINR), co-channel interference, and adjacent-channel interference. After this
command is executed, radio scanning of the AP is automatically enabled, and the
AP starts to scan the air interface environment of radios. You can run this
command again to view air interface environment scanning results.
Precautions
When you run this command for the first time, no air interface environment
scanning result is displayed. To view air interface environment scanning results,
run this command again.
After AP radio scanning is enabled using this command, the air interface
performance of an AP is affected. If this command is not executed again after five
minutes, AP radio scanning is automatically disabled.
If the radio radio-id parameter is not specified, air interface environment
information about all radios of the AP is displayed.


NOTE

In the scanning result, the channel utilization, co-channel interference, and adjacent-channel
interference are calculated with the impact of non-Wi-Fi interference. However, non-Wi-Fi
interference devices are not displayed in the interference source list.

Example
# Display air interface environment information about radio 0.
<HUAWEI> display ap radio-environment radio 0
Warning: This operation will enable scanning for the specified radio, affecting AP's air interface performance. Scanning will be automatically disabled 5 minutes after you run this command. Continue? [Y/N]y
Info: This operation may take a few seconds. Please wait for a moment.done.
p: permit
i: interference
Ch: Channel
CU: Channel Utility
NF: Noise Floor
CommIf: Common-Channel Interference
AdjaceIf: Adjacent-Channel Interference
SINR: Signal to Interference and Noise Ratio
#AP: Number of APs detected
Radio: 0
ScanChannel: 1
WorkChannel: 1
ScanCycle: 1
---------------------------------------------------------------------------
Ch NF CU(%) CommIf(%) AdjaceIf(%) SINR #APs
---------------------------------------------------------------------------
1 -105 75 19 - 245 57
---------------------------------------------------------------------------
Total: 1
---------------------------------------------------------------------------
Ch MAC Type RSSI SSID
---------------------------------------------------------------------------
1 c88d-833a-8d41 i -65 xw9-2g-tunnel
1 00e0-fc3a-8d41 i -65 xw9-2g-tunnel
Total: 1

Table 14-1 Description of the display ap radio-environment [ radio radio-id ] command output

Radio: Radio on which the air interface environment is scanned.
ScanChannel: Scanning channel.
WorkChannel: Working channel of the AP.
ScanCycle: Scanning count.
Ch: Channel that has scanned a device.
NF: Noise floor.
CU(%): Channel utilization.
CommIf(%): Co-channel interference.
AdjaceIf(%): Adjacent-channel interference.
#APs: Number of scanned radio neighbors.
SINR: Signal to interference plus noise ratio (SINR).
MAC: MAC address of the scanned device.
Type: Type of the scanned interference device.
● i: WIDS device
● p: Non-WIDS device
RSSI: RSSI of the scanned device.
SSID: SSID to which the scanned device is connected.

NOTE

If an AP detects that a channel has a high co-channel interference (higher than 50%), another
Wi-Fi device is using this channel and affects the local AP. In this case, it is recommended that
the AP channel be switched using radio calibration or other methods.
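Operators usually collect this output over an SSH session and need it in structured form to apply the 50% co-channel interference rule from the note above. The following Python parser is an added example, not Huawei code: it reads the channel table, the device table and the Radio/ScanChannel/WorkChannel/ScanCycle lines, and reports channels whose CommIf(%) exceeds the limit. The sample text embeds the rows from the example above plus one constructed channel-6 row; the function and class names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of the display ap radio-environment output: the channel-1
# row and both device rows follow the example above; the channel-6 row is
# constructed to exercise the co-channel interference rule.
SAMPLE_OUTPUT = """\
Radio: 0
ScanChannel: 1
WorkChannel: 1
ScanCycle: 1
---------------------------------------------------------------------------
Ch NF CU(%) CommIf(%) AdjaceIf(%) SINR #APs
---------------------------------------------------------------------------
1 -105 75 19 - 245 57
6 -98 80 63 12 180 31
---------------------------------------------------------------------------
Total: 2
---------------------------------------------------------------------------
Ch MAC Type RSSI SSID
---------------------------------------------------------------------------
1 c88d-833a-8d41 i -65 xw9-2g-tunnel
1 00e0-fc3a-8d41 i -65 xw9-2g-tunnel
Total: 2
"""


@dataclass
class ChannelScan:
    channel: int
    noise_floor: int                 # NF
    utilization: int                 # CU(%)
    co_channel_if: Optional[int]     # CommIf(%), None when printed as '-'
    adjacent_if: Optional[int]       # AdjaceIf(%)
    sinr: Optional[int]
    ap_count: int                    # #APs


@dataclass
class ScannedDevice:
    channel: int
    mac: str
    kind: str                        # Type column: 'i' or 'p'
    rssi: int
    ssid: str


@dataclass
class ScanResult:
    meta: Dict[str, int] = field(default_factory=dict)
    channels: List[ChannelScan] = field(default_factory=list)
    devices: List[ScannedDevice] = field(default_factory=list)


_MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
_META_RE = re.compile(r"^(Radio|ScanChannel|WorkChannel|ScanCycle):\s*(\d+)$")
_INT_RE = re.compile(r"^-?\d+$")


def _num(tok: str) -> Optional[int]:
    return None if tok == "-" else int(tok)


def parse_radio_environment(text: str) -> ScanResult:
    """Parse the command output; legend, header and separator lines are skipped."""
    result = ScanResult()
    for raw in text.splitlines():
        line = raw.strip()
        m = _META_RE.match(line)
        if m:
            result.meta[m.group(1)] = int(m.group(2))
            continue
        toks = line.split()
        if len(toks) >= 5 and toks[0].isdigit() and _MAC_RE.match(toks[1]):
            # Device row: Ch MAC Type RSSI SSID (SSID may contain spaces).
            result.devices.append(ScannedDevice(
                int(toks[0]), toks[1], toks[2], int(toks[3]), " ".join(toks[4:])))
        elif len(toks) == 7 and toks[0].isdigit() and _INT_RE.match(toks[1]):
            # Channel row: Ch NF CU(%) CommIf(%) AdjaceIf(%) SINR #APs
            result.channels.append(ChannelScan(
                int(toks[0]), int(toks[1]), int(toks[2]), _num(toks[3]),
                _num(toks[4]), _num(toks[5]), int(toks[6])))
    return result


def high_co_channel_interference(channels: List[ChannelScan], limit: int = 50) -> List[int]:
    """Channels whose CommIf(%) exceeds the limit: another Wi-Fi device shares
    the channel and a channel change (for example via radio calibration)
    should be considered."""
    return [c.channel for c in channels
            if c.co_channel_if is not None and c.co_channel_if > limit]


if __name__ == "__main__":
    scan = parse_radio_environment(SAMPLE_OUTPUT)
    print(scan.meta, "channels to review:", high_co_channel_interference(scan.channels))
```

A first run of the command returns no scan rows, and the parser then simply yields empty channel and device lists.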

14.13 display wlan wids manual-contain device-mac-list
Function
The display wlan wids manual-contain device-mac-list command displays the
list of MAC addresses of devices to be manually contained.

Format
display wlan wids manual-contain device-mac-list

Parameters
None

Views
All views

Default Level
1: Monitoring level


Usage Guidelines
After the manual containment function is enabled, you can run this command to
check the list of MAC addresses of devices to be manually contained.

Example
# Display the list of MAC addresses of devices to be manually contained.
<HUAWEI> display wlan wids manual-contain device-mac-list
--------------------------------------------------------------------------------
Index MAC
--------------------------------------------------------------------------------
0 1211-2222-3331
1 1211-2222-3332
2 1211-2222-3333
3 1211-2222-3334
4 1211-2222-3335
5 1211-2222-3336
6 1211-2222-3337
7 1211-2222-3338
8 1211-2222-3339
--------------------------------------------------------------------------------
Total: 9

Table 14-2 Description of the display wlan wids manual-contain device-mac-list command output

Index: Serial number.
MAC: MAC address of a device to be manually contained.

14.14 display wlan ids attack-detected


Function
The display wlan ids attack-detected command displays information about the
detected attacking devices.

Format
display wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv |
wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters

all: Displays information about all types of attacking devices. (Value: -)
flood: Displays information about devices launching flood attacks. (Value: -)
spoof: Displays information about devices launching spoofing attacks. (Value: -)
wapi-psk: Displays information about devices that perform brute force cracking in WAPI-PSK authentication mode. (Value: -)
weak-iv: Displays information about devices launching weak IV attacks. (Value: -)
wep-share-key: Displays information about devices that perform brute force cracking in WEP-SK authentication mode. (Value: -)
wpa-psk: Displays information about devices that perform brute force cracking in WPA-PSK authentication mode. (Value: -)
wpa2-psk: Displays information about devices that perform brute force cracking in WPA2-PSK authentication mode. (Value: -)
mac-address mac-address: Displays information about the detected attacking devices with specified MAC addresses. (Value: in H-H-H format, where each H is a 4-digit hexadecimal number.)

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Usage Scenario
After attack detection is enabled, you can run this command to view information
about the attacking devices.
Prerequisites
The attack detection functions of all types have been enabled using the wids
attack detect enable command.

Example
# Display information of all current attacking devices.

<HUAWEI> display wlan ids attack-detected all


#AP: Number of monitor APs that have detected the device
AT: Last detected attack type
CH: Channel number
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request wiv: Weak IV detected
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address AT CH RSSI(dBm) Last detected time #AP
-------------------------------------------------------------------------------
00e0-fc02-9c81 pbr 165 -87 2014-11-20/15:51:13 1
00e0-fc76-03e9 pbr 165 -84 2014-11-20/15:52:13 1
00e0-fc74-691f act 165 -67 2014-11-20/15:43:33 1
00e0-fcb7-171d pbr 165 -88 2014-11-20/15:41:43 1
00e0-fcb7-171f act 165 -87 2014-11-20/15:44:03 1
-------------------------------------------------------------------------------
Total: 5, printed: 5

Table 14-3 Description of the display wlan ids attack-detected all command output

Item                  Description
MAC address           ● For spoofing attacks, this parameter indicates the basic service
                        set identifier (BSSID) that forges the MAC address of an AP.
                      ● For other types of attacks, this parameter indicates the MAC
                        address of the device launching attacks.
AT                    Acronym of the attack type.
CH                    Channel in which the last attack is detected.
RSSI(dBm)             Average received signal strength indicator (RSSI) of the attack
                      frames detected.
Last detected time    Last time at which an attack was detected.
#AP                   Number of APs which detect this attack.

# Display information of an attacking device with the specified MAC address.


<HUAWEI> display wlan ids attack-detected mac-address 8c70-5a47-aad0
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request wiv: Weak IV detected
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address : 00e0-fc47-aad0
Number of detected APs :1
Channel : 165
RSSI(dBm) : -80
Reported AP 1
AP name : ap-13
Flood attack type : pbr
First detected time(Flood) : 2014-11-20/15:50:33
Spoof attack type :-
First detected time(Spoof) :-
First detected time(Weak-iv) :-
First detected time(WEP) :-
First detected time(WPA) :-
First detected time(WPA2) :-
First detected time(WAPI) :-
-------------------------------------------------------------------------------

Table 14-4 Description of the display wlan ids attack-detected mac-address mac-address command output

Item                     Description
MAC address              ● For spoofing attacks, this parameter indicates the basic service
                           set identifier (BSSID) that forges the MAC address of an AP.
                         ● For other types of attacks, this parameter indicates the MAC
                           address of the device launching attacks.
Number of detected APs   Number of APs which detect this attack.
Channel                  Channel in which the last attack is detected.
RSSI(dBm)                Average received signal strength indicator (RSSI) of the attack
                         frames detected.
Reported AP              Information of the AP which detects the attack.
AP name                  Name of the AP which detects the attack.
Flood attack type        Flood attacks detected by the AP.
Spoof attack type        Spoofing attacks detected by the AP.
First detected time      First time when an attack is detected by an AP.

14.15 display wlan ids attack-detected statistics


Function
The display wlan ids attack-detected statistics command displays the number of
attacks detected.

Format
display wlan ids attack-detected statistics

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Usage Scenario
After attack detection is enabled, you can run the display wlan ids attack-detected
statistics command to view the total number of all types of attacks.
Prerequisites
The attack detection functions of all types have been enabled using the wids
attack detect enable command.

Example
# Display the number of attacks detected.
<HUAWEI> display wlan ids attack-detected statistics
Attack tracking since: 2015-01-27/12:02:11
--------------------------------------------------------------------------------
Type Total
--------------------------------------------------------------------------------
Probe request frame flood attack :0
Authentication request frame flood attack :0
Deauthentication frame flood attack :0
Association request frame flood attack :0
Disassociation request frame flood attack :0
Reassociation request frame flood attack :0
Action frame flood attack :0
EAPOL start frame flood attack :0
EAPOL logoff frame flood attack :0
Weak IVs detected :0
Spoofed deauthentication frame attack :0
Spoofed disassociation frame attack :0
Other types of spoofing frame attack :0
WEP share-key attack :0
WPA attack :0
WPA2 attack :0
WAPI attack :0
--------------------------------------------------------------------------------

Table 14-5 Description of the display wlan ids attack-detected statistics command output

Item     Description
Type     Attack type:
         ● Probe request frame flood attack
         ● Authentication request frame flood attack
         ● Deauthentication frame flood attack
         ● Association request frame flood attack
         ● Disassociation request frame flood attack
         ● Reassociation request frame flood attack
         ● Action frame flood attack
         ● EAPOL start frame flood attack
         ● EAPOL logoff frame flood attack
         ● Weak IVs detected
         ● Spoofed deauthentication frame attack
         ● Spoofed disassociation frame attack
         ● Other types of spoofing frame attack
         ● WEP share-key attack: brute force cracking attack in WEP-SK authentication mode
         ● WPA attack: brute force cracking attack in WPA-PSK authentication mode
         ● WPA2 attack: brute force cracking attack in WPA2-PSK authentication mode
         ● WAPI attack: brute force cracking attack in WAPI authentication mode
Total    Total number of attacks detected.

14.16 display wlan ids attack-history


Function
The display wlan ids attack-history command displays historical records about
the attacking devices detected.

Format
display wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters
all
    Displays historical records about all types of attacking devices.
    Value: -
flood
    Displays historical records about devices launching flood attacks.
    Value: -
spoof
    Displays historical records about devices launching spoofing attacks.
    Value: -
wapi-psk
    Displays historical records about devices that perform brute force cracking in
    WAPI-PSK authentication mode.
    Value: -
weak-iv
    Displays historical records about devices launching weak IV attacks.
    Value: -
wep-share-key
    Displays historical records about devices that perform brute force cracking in
    WEP-SK authentication mode.
    Value: -
wpa-psk
    Displays historical records about devices that perform brute force cracking in
    WPA-PSK authentication mode.
    Value: -
wpa2-psk
    Displays information about devices that perform brute force cracking in WPA2-PSK
    authentication mode.
    Value: -
mac-address mac-address
    Displays historical records about detected devices launching attacks with
    specified MAC addresses.
    Value: The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Usage Scenario
After attack detection is enabled, information about the detected attacking
devices is saved in the attacking device list. If an attacking device no longer
launches an attack, the device is removed from the attacking device list and saved
to the historical attacking device list. You can run the display wlan ids
attack-history command to check historical records about the attacking devices
detected.
Prerequisites
The attack detection functions of all types have been enabled using the wids
attack detect enable command.

Example
# Display historical records of all attacking devices.
<HUAWEI> display wlan ids attack-history all
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request wiv: Weak IV detected
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
AP: Name of the monitor AP that has detected the device
AT: Attack type CH: Channel number
-------------------------------------------------------------------------------
MAC address AT CH RSSI(dBm) Last detected time AP
-------------------------------------------------------------------------------
00e0-fc12-37ec pbr 165 -86 2014-11-20/15:51:43 ap-13
00e0-fc12-171d pbr 165 -88 2014-11-20/15:41:43 ap-13
00e0-fc12-0bf4 pbr 165 -81 2014-11-20/15:41:53 ap-13
-------------------------------------------------------------------------------
Total: 3, printed: 3

Table 14-6 Description of the display wlan ids attack-history all command output

Item                 Description
MAC address          ● For spoofing attacks, this parameter indicates the basic service
                       set identifier (BSSID) that forges the MAC address of an AP.
                     ● For other types of attacks, this parameter indicates the MAC
                       address of the device launching attacks.
AT                   Acronym of the attack type.
CH                   Channel in which the last attack is detected.
RSSI(dBm)            Average received signal strength indicator (RSSI) of the attack
                     frames detected.
Last detected time   Last time at which an attack is detected.
AP                   Name of the monitor AP.

14.17 display wlan ids contain


Function
The display wlan ids contain command displays information about countered
devices.

Format
display wlan ids contain { all | ap | adhoc | client | ssid | mac-address mac-address }

Parameters
all
    Displays information about all countered devices.
    Value: -
ap
    Displays information about countered APs.
    Value: -
adhoc
    Displays information about countered ad-hoc devices.
    Value: -
client
    Displays information about countered user terminals.
    Value: -
ssid
    Displays information about countered devices with unauthorized SSIDs.
    Value: -
mac-address mac-address
    Displays information about countered devices with specified MAC addresses.
    Value: The MAC addresses must exist.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
After WIDS or WIPS is enabled, you can run the display wlan ids contain command
to view information about countered devices.

Example
# Display the list of all countered devices.
<HUAWEI> display wlan ids contain all
#Rf: Number of monitor radios that have contained the device
CH: Channel number
Reason: open-encrypt, spoof-ssid-ap, protect-client,
client, adhoc, manual
-------------------------------------------------------------------------------
MAC address CH Authentication Last detected time #Rf Reason SSID
-------------------------------------------------------------------------------
00e0-fc12-3456 11 open 2014-11-20/16:16:57 1 manual -
-------------------------------------------------------------------------------
Total: 1, printed: 1

Table 14-7 Description of the display wlan ids contain all command output

Item                 Description
MAC address          MAC address of the countered device.
CH                   Channel in which the monitoring AP detects a device for the last time.
Authentication       Authentication mode of the countered device.
Last detected time   Last time at which the monitoring AP detects a device.
#Rf                  Number of monitor radios that have contained the device.
Reason               Reason for the device to be contained. The priorities of containment
                     reasons are in descending order as follows: manual > open-encrypt >
                     spoof-ap > protect-client > client > adhoc.
SSID                 SSID of the countered device.

# Display information about countered SSIDs.


<HUAWEI> display wlan ids contain ssid
#Dev: Number of devices using SSID
----------------------------------------------------------------------
SSID #Dev Last detected time
----------------------------------------------------------------------
CMCC 2 2012-07-27/16:41:55
----------------------------------------------------------------------
Total: 1, printed: 1

Table 14-8 Description of the display wlan ids contain ssid command output

Item                 Description
SSID                 Countered SSID.
#Dev                 Number of devices that use the SSID.
Last detected time   Last time at which the device using the SSID is detected.

# Display information about countered devices with specified MAC addresses.


<HUAWEI> display wlan ids contain mac-address 549f-13c4-627f
-------------------------------------------------------------------------------
MAC address : 00e0-fc12-3456
BSSID : 00e0-fc12-7890
Type : rogue client
SSID :-
Authentication :-
Number of monitor radios that have contained the device : 1
Last detected channel :1
Maximum RSSI(dBm) : -54
Beacon interval(ms) :0
First detected time : 2015-10-20/15:06:26
Reported AP 1
AP name : admin_ap0_admin_ap0_admin
Radio ID :0
MAC address : 00e0-fc12-3455
Radio type : 802.11bg
Channel :1
RSSI(dBm) : -54
Last detected time : 2015-10-20/15:06:26
Counter measure :Y
Reason : manual
-------------------------------------------------------------------------------

Table 14-9 Description of the display wlan ids contain mac-address command output

Item                                  Description
MAC address                           MAC address of the detected device.
BSSID                                 BSSID of the detected device.
Type                                  Type of the detected device.
SSID                                  SSID of the detected device.
Authentication                        Authentication mode of the detected device.
Number of monitor radios that have    Number of radios that contain the device. If WIDS is
contained the device                  enabled on multiple APs, the device may be contained
                                      by radios of several APs.
Last detected channel                 Channel in which the device is detected for the last time.
Maximum RSSI(dBm)                     Maximum RSSI of the detected device.
Beacon interval(ms)                   Interval at which the detected device sends beacon frames.
First detected time                   First time at which the device is detected.
Reported AP 1                         Information of the monitoring AP which reports detection
                                      information.
AP name                               Name of the monitoring AP.
Radio ID                              Radio ID of the monitoring AP.
MAC address                           MAC address of the monitoring AP.
Radio type                            Radio type of the monitoring AP.
Channel                               Channel of the monitoring AP.
RSSI(dBm)                             RSSI of the monitoring AP.
Last detected time                    Last time when the device is detected.
Counter measure                       Whether the device is contained.
Reason                                Reason for the device to be contained. The priorities of
                                      containment reasons are in descending order as follows:
                                      manual > open-encrypt > spoof-ap > protect-client >
                                      client > adhoc.

14.18 display wlan ids device-detected


Function
The display wlan ids device-detected command displays various wireless devices
detected on a WLAN.

Format
display wlan ids device-detected { all | [ interference | rogue ] ap | [ rogue ]
bridge | [ rogue ] client [ bssid bssid ] | adhoc | [ rogue ] ssid | mac-address
mac-address }

Parameters
all
    Displays all wireless devices detected on the WLAN.
    Value: -
interference
    Displays interfering devices detected on the WLAN.
    Value: -
rogue
    Displays rogue devices detected on the WLAN.
    Value: -
ap
    Displays APs detected on the WLAN.
    Value: -
bridge
    Displays bridge devices detected on the WLAN.
    Value: -
client
    Displays user terminals detected on the WLAN.
    Value: -
bssid bssid
    Displays detailed information about devices with the specified BSSID detected on
    the WLAN.
    Value: The format is H-H-H. An H is a hexadecimal number of 4 digits.
adhoc
    Displays detected user terminals that belong to the ad-hoc network on the WLAN.
    Value: -
ssid
    Displays SSIDs detected on the WLAN.
    Value: -
mac-address mac-address
    Displays detailed information about devices with specified MAC addresses detected
    on the WLAN.
    Value: The MAC addresses must exist.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Usage Scenario
To ensure the WLAN reliability, all the wireless devices on the current WLAN must
be monitored. You can run the display wlan ids device-detected command to view
information about the wireless devices detected.

Prerequisites
The device detection function has been enabled on the AP using the wids device
detect enable command.

Example
# Display all devices detected on a WLAN.
<HUAWEI> display wlan ids device-detected all
Flags: r: rogue, p: permit, i: interference, a: adhoc, w: AP, b: wireless-bridge, c: client
#Rf: Number of monitor radios that have detected the device
CH: Channel number
RSSI(dBm): Maximum RSSI of detected device
StaNum: Number of detected STAs associated with the device
-------------------------------------------------------------------------------------------------
MAC address Type CH RSSI(dBm) StaNum Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------------------------
00e0-fc20-de2b i/w 1 -60 5 open 2014-11-20/11:03:44 1 -
-------------------------------------------------------------------------------------------------
Total: 1, printed: 1

Table 14-10 Description of the display wlan ids device-detected all command output

Item                 Description
MAC address          MAC address of the detected device.
Type                 Type of the detected device:
                     ● r: rogue device
                     ● p: authorized device
                     ● i: interfering device
                     ● a: user terminal on the ad-hoc network
                     ● w: AP
                     ● b: bridge device
                     ● c: user terminal
CH                   Channel in which the device is detected for the last time.
RSSI(dBm)            RSSI of the detected device.
StaNum               Number of detected STAs associated with the device.
Authentication       Authentication mode of the detected device.
Last detected time   Last time when the device is detected.
#Rf                  Number of radios that detect the device.
SSID                 SSID of the detected device.

# Display information about APs detected on the WLAN.


<HUAWEI> display wlan ids device-detected ap
Flags: r: rogue, p: permit, i: interference
#Rf: Number of monitor radios that have detected the device
CH: Channel number
RSSI(dBm): Maximum RSSI of detected device
StaNum: Number of detected STAs associated with the device
-------------------------------------------------------------------------------------------------
MAC address Type CH RSSI(dBm) StaNum Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------------------------
00e0-fc20-de2b r 1 -60 5 open 2014-11-20/11:03:44 1 -
-------------------------------------------------------------------------------------------------
Total: 1, printed: 1

# Display information about rogue APs detected on the WLAN.


<HUAWEI> display wlan ids device-detected rogue ap
#Rf: Number of monitor radios that have detected the device
CH: Channel number
RSSI(dBm): Maximum RSSI of detected device
StaNum: Number of detected STAs associated with the device
-------------------------------------------------------------------------------------------------
MAC Address CH RSSI(dBm) StaNum Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------------------------
00e0-fc20-de2b 1 -60 5 open 2014-11-20/11:03:44 1 -
-------------------------------------------------------------------------------------------------
Total: 1, printed: 1

# Display information about interfering APs detected on the WLAN.


<HUAWEI> display wlan ids device-detected interference ap
Flags: r: rogue, p: permit, i: interference
#Rf: Number of monitor radios that have detected the device
CH: Channel number
RSSI(dBm): Maximum RSSI of detected device
StaNum: Number of detected STAs associated with the device
-------------------------------------------------------------------------------------------------
MAC address Type CH RSSI(dBm) StaNum Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------------------------
00e0-fc20-de2b i 1 -60 5 open 2014-11-20/11:03:44 1 -
-------------------------------------------------------------------------------------------------
Total: 1, printed: 1

# Display information about ad-hoc devices detected on the WLAN.


<HUAWEI> display wlan ids device-detected adhoc
Flags: r: rogue
#Rf: Number of monitor radios that have detected the device
CH: Channel number
RSSI(dBm): Maximum RSSI of detected device
StaNum: Number of detected STAs associated with the device
-------------------------------------------------------------------------------------------------
MAC address Type CH RSSI(dBm) StaNum Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------------------------
00e0-fc20-de2d r 6 -60 - - 2014-11-20/11:12:58 2 -
-------------------------------------------------------------------------------------------------
Total: 1, printed: 1

# Display information about SSIDs detected on the WLAN.


<HUAWEI> display wlan ids device-detected ssid
#Dev: Number of devices using SSID
-------------------------------------------------------------------------------
SSID #Dev Last detected time
-------------------------------------------------------------------------------
trad 1 2014-11-20/11:01:44
CMCC-4G 6 2014-11-20/11:14:13
-------------------------------------------------------------------------------
Total: 2, printed: 2

Table 14-11 Description of the display wlan ids device-detected ssid command output

Item                 Description
SSID                 SSID detected.
#Dev                 Number of devices that use the SSID.
Last detected time   Last time at which the device using the SSID is detected.

# Display information about spoofing SSIDs detected on the WLAN.


<HUAWEI> display wlan ids device-detected rogue ssid
#Dev: number of devices using rogue SSID
--------------------------------------------------------------------------------
Rogue SSID Spoof profile #Dev Last detected time
Pattern rule
--------------------------------------------------------------------------------
ao a0 1 2014-11-20/11:14:39
ao
al a1 2 2014-11-20/11:14:39
al
--------------------------------------------------------------------------------
ssid -- 1 2014-11-20/15:59:45
---------------------------------------------------------------------------------
Total: 3

Table 14-12 Description of the display wlan ids device-detected rogue ssid command output

Item                 Description
Rogue SSID           Spoofing SSIDs detected, including SSIDs that are the same as the
                     authorized SSIDs and SSIDs matching the specified fuzzy rules.
Spoof profile        WIDS spoof SSID profile that owns the fuzzy matching rule.
Pattern rule         Fuzzy matching rule for the spoofing SSID.
#Dev                 Number of APs using the SSID.
Last detected time   Last time when the SSID is detected.

# Display detailed information about devices with MAC address 0008-cbe9-1c00
detected on the WLAN.
<HUAWEI> display wlan ids device-detected mac-address 0008-cbe9-1c00
Detected MAC List
--------------------------------------------------------------------------------
MAC address : 00e0-fce9-1c00
BSSID : 00e0-fce9-1c00
Type :
SSID :-
Authentication : 802.1x
Number of monitor radios that have detected the device : 1
Last detected channel :1
Maximum RSSI(dBm) : -80
Beacon interval(TUs) :-
First detected time : 2015-10-20/15:07:23
Reported AP 1
AP name : admin_ap0_admin_ap0_admin
Radio ID :0
MAC address : 00e0-fc1e-c4a0
Radio type : 802.11bg
Channel :1
RSSI(dBm) : -80
Last detected time : 2015-10-20/15:07:23
Counter measure :Y
Counter measure reason : spoof-ssid-ap
--------------------------------------------------------------------------------

Table 14-13 Description of the display wlan ids device-detected mac-address command output

Item                                  Description
MAC address                           MAC address of the detected device.
BSSID                                 BSSID of the detected device.
Type                                  Type of the detected device.
SSID                                  SSID of the detected device.
Authentication                        Authentication mode of the detected device.
Number of monitor radios that have    Number of radios that detect the device. If WIDS is
detected the device                   enabled on multiple APs, the device may be detected
                                      by radios of several APs.
Last detected channel                 Channel of the detected device.
Maximum RSSI(dBm)                     Maximum RSSI of the detected device.
Beacon interval(TUs)                  Interval at which the detected device sends Beacon frames.
First detected time                   First time when the device is detected.
Reported AP 1                         Information about the monitor AP which reports detection
                                      information.
AP name                               Name of the monitor AP.
Radio ID                              Radio ID of the monitor AP.
MAC address                           MAC address of the monitor AP.
Radio type                            Radio type of the monitor AP.
Channel                               Channel of the monitor AP.
RSSI(dBm)                             RSSI of the monitor AP.
Last detected time                    Last time when the device is detected.
Counter measure                       Whether the device is contained.
Counter measure reason                Reason why the device is contained.
                                      ● open-encrypt: The authentication mode of the device is
                                        open.
                                      ● spoof-ssid-ap: The device is a rogue AP or interference
                                        AP with a spoofing SSID.
                                      ● protect-client: The device is a STA in the STA whitelist
                                        and is contained to prevent it from accessing a rogue AP.
                                      ● client: The device is a rogue STA or interference STA.
                                      ● adhoc: The device is a rogue ad-hoc device.
                                      ● manual: The device is manually contained.

14.19 display wlan ids device-detected statistics


Function
The display wlan ids device-detected statistics command displays statistics on
all wireless devices detected on a WLAN.

Format
display wlan ids device-detected statistics

Parameters
None

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
You can run the display wlan ids device-detected statistics command to view
statistics on all wireless devices detected on a WLAN.

Example
# Display statistics on wireless devices detected on a WLAN.
<HUAWEI> display wlan ids device-detected statistics
------------------------------------------------------------------------------------------------

Rogue Adhoc :0
Contain Adhoc :0
Rogue AP :0
Permit AP :0
Interference AP :0
Contain AP :0
Rogue client :2
Permit client :0
Interference Client : 0
Contain client :2
Permit Bridge :2
Rogue Bridge :0
Interference Bridge : 0
------------------------------------------------------------------------------------------------

Table 14-14 Description of the display wlan ids device-detected statistics command output

Item                  Description
Rogue Adhoc           Number of rogue ad-hoc devices.
Contain Adhoc         Number of contained ad-hoc devices.
Rogue AP              Number of rogue APs.
Permit AP             Number of authorized APs.
Interference AP       Number of interfering APs.
Contain AP            Number of contained APs.
Rogue Client          Number of rogue terminal devices.
Permit Client         Number of authorized terminal devices.
Interference Client   Number of interfering terminal devices.
Contain Client        Number of contained terminal devices.
Permit Bridge         Number of authorized bridge devices.
Rogue Bridge          Number of unauthorized bridge devices.
Interference Bridge   Number of interfering bridge devices.

14.20 display wlan dynamic-blacklist


Function
The display wlan dynamic-blacklist command displays information about devices
in the dynamic blacklist.

Format
display wlan dynamic-blacklist { all | mac-address mac-address }

Parameters
all
    Displays information about all devices in the dynamic blacklist.
    Value: -
mac-address mac-address
    Displays information about attack devices with a specified MAC address.
    Value: The MAC address must exist.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Usage Scenario
An AP uses attack detection and dynamic blacklist functions to add a detected
attack device to the dynamic blacklist, and rejects packets sent from this device
until the device entry in the dynamic blacklist ages. You can run this command to
view information about devices in the dynamic blacklist.

Example
# Display information about all devices in the dynamic blacklist.
<HUAWEI> display wlan dynamic-blacklist all
#AP: Number of monitor APs that have detected the device
LAT: Left aging time(s)
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request eapl: EAPOL logoff frame
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame sti: Static IP
brf: Broadcast flood
-------------------------------------------------------------------------------
MAC address Last detected time Reason #AP LAT
-------------------------------------------------------------------------------
00e0-fc12-3451 2015-07-27/12:51:25 brf 1 100
00e0-fc12-3452 2015-07-27/12:51:25 pbr 1 200
00e0-fc12-3453 2015-07-27/12:51:25 pbr 1 200
00e0-fc12-3454 2015-07-27/12:51:25 sti 1 200
00e0-fc12-3455 2015-07-27/12:51:25 pbr 1 200
00e0-fc12-3456 2015-07-27/12:51:25 pbr 1 200
-------------------------------------------------------------------------------
Total: 6, printed: 6

Table 14-15 Description of the display wlan dynamic-blacklist all command output

Item                Description
MAC address         MAC address of the device in the dynamic blacklist.
Last detected time  Latest time when the device was added to the dynamic blacklist.
Reason              Reason why the device was added to the dynamic blacklist.
#AP                 Number of APs that have detected the device and added it to the dynamic blacklist.
LAT                 Remaining aging time for the device in the dynamic blacklist.

# Display information about specified devices in the dynamic blacklist.
<HUAWEI> display wlan dynamic-blacklist mac-address 0006-f476-cb70
LAT: Left aging time(s) BT: Block time(s)
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request eapl: EAPOL logoff frame
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame sti: Static IP
brf: Broadcast flood
-------------------------------------------------------------
AP name Last detected time Reason LAT BT
-------------------------------------------------------------
wcw 2015-07-27/12:51:25 pbr 100 900
wcw2 2015-07-27/12:51:25 pbr 100 1900
-------------------------------------------------------------
Total: 2, printed: 2

Table 14-16 Description of the display wlan dynamic-blacklist mac-address command output

Item                Description
AP name             Name of the monitoring AP.
Last detected time  Last time when the device was detected.
Reason              Reason why the device was added to the dynamic blacklist.
LAT                 Remaining aging time for the device in the dynamic blacklist.
BT                  Duration for which the device has been in the dynamic blacklist.

14.21 display wlan ids rogue-history


Function
The display wlan ids rogue-history command displays historical records of rogue
devices.

Format
display wlan ids rogue-history { all | ap | bridge | client | adhoc | ssid | mac-address mac-address }

Parameters
Parameter                Description                                                                 Value
all                      Displays historical records of all rogue devices.                           -
ap                       Displays historical records of rogue APs.                                   -
bridge                   Displays historical records of rogue bridge devices.                        -
client                   Displays historical records of rogue user terminals.                        -
adhoc                    Displays historical records of rogue ad-hoc devices.                        -
ssid                     Displays historical records of contained devices with unauthorized SSIDs.   -
mac-address mac-address  Displays historical records of devices with specified MAC addresses.        The MAC addresses must exist.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
Usage Scenario
You can run the display wlan ids rogue-history command to view the historical
records of rogue devices.
Prerequisites
The device detection function has been enabled on the AP using the wids device
detect enable command.

Example
# Display historical records of all rogue devices.
<HUAWEI> display wlan ids rogue-history all
Flags: a: adhoc, w: AP, b: wireless-bridge, c: client
CH: Channel number
-------------------------------------------------------------------------------
MAC address Type CH Authentication Last detected time SSID
-------------------------------------------------------------------------------
00e0-fc12-3456 w 11 open 2014-11-20/11:20:37 wlan
00e0-fc12-3457 c 11 - 2014-11-20/11:16:07 -
-------------------------------------------------------------------------------
Total: 2, printed: 2

Table 14-17 Description of the display wlan ids rogue-history all command output

Item                Description
MAC address         MAC address of the rogue device listed in the historical record list.
Type                Type of the rogue device listed in the historical record list:
                    ● a: user terminal on the ad-hoc network
                    ● w: AP
                    ● b: bridge device
                    ● c: user terminal
CH                  Channel in which the device was detected for the last time.
Authentication      Authentication mode of the rogue device listed in the historical record list.
Last detected time  Last time when the device was detected.
SSID                SSID of the detected device.

# Display historical records of rogue APs.
<HUAWEI> display wlan ids rogue-history ap
CH: channel number
-------------------------------------------------------------------------------
MAC address CH Authentication Last detected time SSID
-------------------------------------------------------------------------------
00e0-fc12-3458 11 open 2014-11-20/11:20:37 wlan
00e0-fc12-3459 11 open 2014-11-20/11:20:44 -
-------------------------------------------------------------------------------
Total: 2, printed: 2

# Display historical records of SSIDs.
<HUAWEI> display wlan ids rogue-history ssid
#Dev: number of devices using SSID
-------------------------------------------------------------------------------
SSID #Dev Last detected time
-------------------------------------------------------------------------------
trad 1 2014-11-20/11:01:44
CMCC-4G 6 2014-11-20/11:14:13
X+Z_007 1 2014-11-20/11:20:15
tntjoyo 1 2014-11-20/11:18:42
-------------------------------------------------------------------------------
Total: 4, printed: 4

Table 14-18 Description of the display wlan ids rogue-history ssid command output

Item                Description
SSID                SSID of the detected device.
#Dev                Number of devices that use the SSID.
Last detected time  Last time at which a device using the SSID was detected.

# Display historical records of an AP or STA with a specified MAC address.
<HUAWEI> display wlan ids rogue-history mac-address 00e0-fc03-0206
-------------------------------------------------------------------
MAC address : 00e0-fc03-0206
SSID : wlan
Type : rogue ap
Authentication : 802.1x
Last detected time : 2012-10-25/09:22:29
-------------------------------------------------------------------

Table 14-19 Description of the display wlan ids rogue-history mac-address command output

Item                Description
MAC address         MAC address of the detected device.
Type                Type of the detected device.
SSID                SSID of a BSS.
Authentication      Authentication mode of the detected device.
Last detected time  Last time when the device was detected.

14.22 display wlan ids spoof-ssid fuzzy-match


Function
The display wlan ids spoof-ssid fuzzy-match command displays fuzzy matching
rules for spoofing SSIDs.

Format
display wlan ids spoof-ssid fuzzy-match regex regex-value


Parameters
Parameter          Description                                                                                        Value
regex regex-value  Specifies the matching rules for spoofing SSIDs and displays spoofing SSIDs that match the rules.  The rules must exist. The value is in text format and can contain 1 to 48 case-sensitive characters. It supports Chinese characters or a mixture of Chinese and English characters.
NOTE
You can only use a command editor of the UTF-8 encoding format to edit Chinese characters.

Views
All views

Default Level
1: Monitoring level

Usage Guidelines
To view SSIDs that match a specific rule, run the display wlan ids spoof-ssid
fuzzy-match regex regex-value command.

Example
# Display SSIDs that match a specific rule.
<HUAWEI> display wlan ids spoof-ssid fuzzy-match regex ^HUAWE[1l]$
#Dev: Number of devices using SSID
--------------------------------------------------------------------------------
Match SSID #Dev Last detected time WIDS spoof profile
--------------------------------------------------------------------------------
HUAWE1 2 2014-03-06/12:44:37 huawei
HUAWEl 1 2014-03-06/12:44:50 huawei
--------------------------------------------------------------------------------
Total: 2


Table 14-20 Description of the display wlan ids spoof-ssid fuzzy-match regex command output

Item                Description
Match SSID          SSID matching a specific rule.
#Dev                Number of APs using the matching SSID.
Last detected time  Latest time when the SSID was detected.
WIDS spoof profile  WIDS spoof profile to which the rules belong.

14.23 dynamic-blacklist aging-time


Function
The dynamic-blacklist aging-time command sets an aging time for a dynamic
blacklist.

The undo dynamic-blacklist aging-time command restores the aging time of a dynamic blacklist to the default value.

By default, the aging time of a dynamic blacklist is 600 seconds.

Format
dynamic-blacklist aging-time time

undo dynamic-blacklist aging-time

Parameters
Parameter  Description                                                                                                     Value
time       Specifies the aging time at the expiry of which a specified MAC address is removed from the dynamic blacklist.  The value is an integer that ranges from 180 to 3600, in seconds.

Views
WLAN view

Default Level
2: Configuration level


Usage Guidelines
When an AP detects attacks from a STA, it prevents the STA from going online and rejects any packets sent from the STA. As long as the STA is blacklisted, it cannot go online again even if it no longer launches attacks. To avoid this, run the dynamic-blacklist aging-time command to configure an aging time for the dynamic blacklist. When the configured aging time expires and the AP detects no further attack from the STA, the STA is once again allowed to go online.

Example
# Set the aging time of the dynamic blacklist to 200 seconds.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] dynamic-blacklist aging-time 200

14.24 dynamic-blacklist enable


Function
The dynamic-blacklist enable command enables the dynamic blacklist function.
The undo dynamic-blacklist enable command disables the dynamic blacklist
function.
By default, the dynamic blacklist function is disabled.

Format
dynamic-blacklist enable
undo dynamic-blacklist enable

Parameters
None

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
Attack detection is enabled to detect flood attacks, weak IV attacks, spoofing attacks, and brute force key cracking attacks. When detecting attacks initiated by a device, an AP reports an alarm. In addition, you can run the dynamic-blacklist enable command to enable the dynamic blacklist function on the AP for handling flood attacks and brute force key cracking attacks. The AP then automatically adds the attacking device to a dynamic blacklist and discards packets sent from the attacking device till the dynamic blacklist ages out.
An AP can use the dynamic blacklist to filter out the blacklisted wireless devices to avoid malicious attacks.
Follow-up Procedure
Run the dynamic-blacklist aging-time command to set an aging time for the
dynamic blacklist.

Example
# Enable the dynamic blacklist function.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] dynamic-blacklist enable

14.25 flood-detect interval


Function
The flood-detect interval command sets the flood attack detection interval.
The undo flood-detect interval command restores the default flood attack
detection interval.
By default, the flood attack detection interval is 10 seconds.

Format
flood-detect interval interval
undo flood-detect interval

Parameters
Parameter          Description                                          Value
interval interval  Specifies the interval for flood attack detection.   The value is an integer that ranges from 10 to 120, in seconds.

Views
WIDS view

Default Level
2: Configuration level


Usage Guidelines
Usage Scenario
A flood attack occurs when an AP receives a large number of packets of the same
type within a short period. As a result, the AP is flooded by too many attack
packets to process service packets from authorized wireless terminals.
After the flood attack detection function is enabled, an AP counts the number of
packets of the same type that it receives from a user at regular intervals. When
the number exceeds a specified threshold, the AP considers that the user launches
a flood attack. If the dynamic blacklist function is enabled, the user will be added
to a dynamic blacklist.
Follow-up Procedure
Run the dynamic-blacklist enable command to enable the dynamic blacklist
function.

Example
# Set the flood attack detection interval to 120s.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids attack detect enable flood
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] flood-detect interval 120

14.26 flood-detect quiet-time


Function
The flood-detect quiet-time command sets the quiet time for an AP to record the
detected flood attacks.
The undo flood-detect quiet-time command restores the quiet time for an AP to
record the detected flood attacks.
By default, the quiet time is 600 seconds for an AP to record the detected flood
attacks.

Format
flood-detect quiet-time quiet-time-value
undo flood-detect quiet-time


Parameters
Parameter                    Description                                                                Value
quiet-time quiet-time-value  Specifies the quiet time for an AP to record the detected flood attacks.   The value is an integer that ranges from 60 to 36000, in seconds.

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
After attack detection is enabled on an AP, the AP reports alarms upon attack
detection. If an attack source launches attacks repeatedly, a large number of
repeated alarms are generated. To prevent this situation, configure the quiet time
for an AP to report alarms. When detecting attack sources of the same MAC
address, the AP does not report alarms in the quiet time. However, if the AP still
detects attacks from the attack source after the quiet time expires, the AP reports
alarms. You can set the quiet time based on attack types.
To obtain attack information in a timely manner, set the quiet time to a small
value. If attacks are frequently detected, set the quiet time to a large value to
prevent frequent alarm reports.
Follow-up Procedure
Run the dynamic-blacklist enable command to enable the dynamic blacklist
function.

Example
# Set the quiet time to 300 seconds for an AP to record the detected flood attacks.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids attack detect enable flood
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] flood-detect quiet-time 300


14.27 flood-detect threshold


Function
The flood-detect threshold command sets the flood attack detection threshold. A
flood attack occurs when an AP receives a large number of packets of the same
type within a short period.
The undo flood-detect threshold command restores the default flood attack
detection threshold.
By default, the flood attack detection threshold is 500.

Format
flood-detect threshold threshold
undo flood-detect threshold

Parameters
Parameter            Description                                       Value
threshold threshold  Specifies the flood attack detection threshold.   The value is an integer that ranges from 1 to 1000.

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
A flood attack occurs when a device receives a large number of packets of the
same type within a short period. As a result, the device is flooded by too many
attack packets to process service packets from authorized wireless terminals.
After the flood attack detection function is enabled, a device counts the number of packets of the same type that it receives from a user at regular intervals. When the number exceeds a specified threshold, the device considers that the user launches a flood attack. If the dynamic blacklist function is enabled, the user will be added to a dynamic blacklist. If the threshold is set to a small value, the device may incorrectly add authorized users to the dynamic blacklist, so that those users cannot go online.
Follow-up Procedure
Run the dynamic-blacklist enable command to enable the dynamic blacklist function.

Example
# Set the flood attack detection threshold to 350.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids attack detect enable flood
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] flood-detect threshold 350
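The following model, added here and not part of the Huawei command reference, ties together the flood-detect interval, threshold and quiet-time settings with the dynamic blacklist and its aging time: frames of one type from one STA are counted per detection interval, an alarm is raised once the count exceeds the threshold (further alarms from the same source are suppressed during the quiet time), and, with the dynamic blacklist enabled, the STA's frames are dropped until the entry ages out. The counting-window semantics, the constructed MAC addresses and the trace are assumptions; the reason codes (pbr, aur) are the ones printed by display wlan dynamic-blacklist.

```python
"""Model of WIDS flood detection, alarm quiet time and the dynamic blacklist
as described for flood-detect interval/threshold/quiet-time and
dynamic-blacklist enable/aging-time. Added example, not Huawei code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WidsConfig:
    """Knobs with the defaults and value ranges given in the command reference."""
    flood_interval: int = 10        # flood-detect interval, 10-120 s
    flood_threshold: int = 500      # flood-detect threshold, 1-1000 frames
    flood_quiet_time: int = 600     # flood-detect quiet-time, 60-36000 s
    blacklist_enable: bool = False  # dynamic-blacklist enable (disabled by default)
    blacklist_aging: int = 600      # dynamic-blacklist aging-time, 180-3600 s

    def validate(self) -> None:
        """Reject values outside the ranges the CLI accepts."""
        limits = {"flood_interval": (10, 120), "flood_threshold": (1, 1000),
                  "flood_quiet_time": (60, 36000), "blacklist_aging": (180, 3600)}
        for name, (lo, hi) in limits.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}..{hi}")


class FloodDetector:
    """Counts frames per (STA MAC, frame type) in windows of flood_interval seconds
    (assumed window semantics: the window restarts on the first frame after it expires)."""

    def __init__(self, cfg: WidsConfig):
        cfg.validate()
        self.cfg = cfg
        self.window_start = {}          # (mac, ftype) -> start of current counting window
        self.count = defaultdict(int)   # (mac, ftype) -> frames seen in that window
        self.last_alarm = {}            # (mac, ftype) -> time of the last reported alarm
        self.blacklist = {}             # mac -> (reason, expiry time)
        self.alarms = []                # (time, mac, ftype) alarms actually reported

    def _expire(self, now: float) -> None:
        """Age out blacklist entries whose aging time has elapsed."""
        for mac, (_, expiry) in list(self.blacklist.items()):
            if now >= expiry:
                del self.blacklist[mac]

    def observe(self, now: float, mac: str, ftype: str) -> str:
        """Feed one received frame; returns ok, alarm, suppressed or dropped."""
        self._expire(now)
        if mac in self.blacklist:
            return "dropped"            # rejected until the entry ages out
        key = (mac, ftype)
        start = self.window_start.get(key)
        if start is None or now - start >= self.cfg.flood_interval:
            self.window_start[key] = now    # new counting interval
            self.count[key] = 0
        self.count[key] += 1
        if self.count[key] <= self.cfg.flood_threshold:
            return "ok"
        # Threshold exceeded within one interval: flood attack from this STA.
        if self.cfg.blacklist_enable:
            self.blacklist[mac] = (ftype, now + self.cfg.blacklist_aging)
        last = self.last_alarm.get(key)
        if last is not None and now - last < self.cfg.flood_quiet_time:
            return "suppressed"         # same source inside the quiet time: no new alarm
        self.last_alarm[key] = now
        self.alarms.append((now, mac, ftype))
        return "alarm"

    def blacklist_entries(self, now: float):
        """Rows in the shape of display wlan dynamic-blacklist all: (MAC, Reason, LAT)."""
        self._expire(now)
        return [(mac, reason, int(expiry - now))
                for mac, (reason, expiry) in sorted(self.blacklist.items())]


def run_scenario():
    """Constructed trace: one STA sends probe requests (pbr) faster than the threshold allows."""
    cfg = WidsConfig(flood_threshold=5, flood_quiet_time=60,
                     blacklist_enable=True, blacklist_aging=180)
    det = FloodDetector(cfg)
    sta = "00e0-fc12-3452"                                   # constructed MAC address
    burst = [det.observe(t, sta, "pbr") for t in range(7)]   # one frame per second, t = 0..6
    rows = det.blacklist_entries(now=10)                     # LAT = 185 - 10 = 175 s
    after_aging = det.observe(200, sta, "pbr")               # entry expired at t = 5 + 180
    return burst, rows, after_aging, det.alarms


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```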

14.28 ip source check user-bind enable


Function
The ip source check user-bind enable command enables IP source guard (IPSG)
on APs.

The undo ip source check user-bind enable command disables IPSG on APs.

By default, IPSG is disabled on APs.

Format
ip source check user-bind enable

undo ip source check user-bind enable

Parameters
None

Views
VAP profile view

Default Level
2: Configuration level

Usage Guidelines
Users can configure static IP addresses for their clients and connect to the Internet
after passing 802.1X authentication. To defend against source IP address spoofing
attacks, you need to enable IPSG on APs.

To prevent IP packets of unauthorized users from entering external networks through an AP, enable IPSG in a VAP profile and bind the VAP profile to an AP radio interface. The IPSG function filters incoming packets on an AP radio interface, preventing unauthorized packets from passing through the AP.


Example
# Enable IPSG on APs.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name vap1
[HUAWEI-wlan-vap-prof-vap1] ip source check user-bind enable

14.29 learn-client-address dhcp-strict


Function
The learn-client-address dhcp-strict command enables strict STA IP address
learning through DHCP.
The undo learn-client-address dhcp-strict command disables strict STA IP
address learning through DHCP.
By default, strict STA IP address learning through DHCP is disabled.

Format
learn-client-address dhcp-strict [ blacklist enable ]
undo learn-client-address dhcp-strict

Parameters
Parameter         Description                                                                                                     Value
blacklist enable  Adds STAs with bogus IP addresses to a blacklist. By default, STAs with bogus IP addresses are not added to a blacklist.  -

Views
VAP profile view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
When a STA associates with an AP, the following situation occurs after strict STA IP
address learning through DHCP is enabled:
● If the STA obtains an IP address through DHCP, the AP will save the IP
address. The STA IP address can be used to maintain the mapping between
STA IP addresses and MAC addresses.


● For a STA using a static IP address:
– If blacklist enable is specified, the STA will be added to a dynamic blacklist of the AP and cannot associate with the AP before the blacklist entry ages.
– If blacklist enable is not specified, the STA can associate with the AP but the AP does not learn the IP address of the STA.
Prerequisites
STA address learning has been enabled using the undo learn-client-address ipv4
disable command.
Precautions
After strict STA IP address learning is enabled, it is recommended that you run the
ip source check user-bind enable and arp anti-attack check user-bind enable
commands to enable IPSG and DAI so that STAs can communicate with the
network only after obtaining an IP address through DHCP.
If this function is disabled, you can manually configure a static IP address.
However, if a STA obtains an IP address dynamically using DHCP, goes online, and
then is assigned a static IP address, the administrator cannot detect the IP address
change of this STA.

Example
# Enable strict STA IP address learning through DHCP.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name vap1
[HUAWEI-wlan-vap-prof-vap1] learn-client-address dhcp-strict

14.30 learn-client-address disable (VAP profile view)


Function
The learn-client-address disable command disables STA address learning.
The undo learn-client-address disable command enables STA address learning.
By default, STA address learning is enabled.

Format
learn-client-address ipv4 disable
undo learn-client-address ipv4 disable

Parameters
Parameter Description Value

ipv4 Indicates the IPv4 address. -


Views
VAP profile view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
If a STA is associated with a STA address learning-enabled AP and obtains an IP address, the AP saves the STA's IP address locally to maintain the IP address-MAC address binding entry of the STA. In addition, when a STA requests an IP address using DHCP, the AP can learn the IPv4 address of the STA gateway.

Prerequisites
● Before STA address learning is disabled, strict STA IPv4 address learning has been disabled using the undo learn-client-address dhcp-strict command.
Precautions
● If a bridging device functions as a STA to connect to an AP enabled with STA address learning, the AP cannot learn IP addresses of users connected to the bridging device; therefore, the users cannot communicate with the network. In this situation, disable STA address learning.
● Disabling STA address learning will lead to a Portal authentication failure.
● If no STA connected to a STA address learning-enabled AP requests an IP address using DHCP, the AP cannot learn the gateway IP address.

Example
# Disable STA IPv4 address learning.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name vap1
[HUAWEI-wlan-vap-prof-vap1] learn-client-address ipv4 disable

14.31 permit-ap
Function
The permit-ap command configures a WIDS whitelist.

The undo permit-ap command deletes entries in the WIDS whitelist.

By default, no WIDS whitelist is configured.

Format
permit-ap { mac-address mac-address | oui oui | ssid ssid }

undo permit-ap { mac-address { mac-address | all } | oui { oui | all } | ssid { name ssid | all } }

Parameters
Parameter                Description                                 Value
mac-address mac-address  Adds or deletes an authorized MAC address.  The value is in H-H-H format. An H is a hexadecimal number of 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.
mac-address all          Deletes the authorized MAC address list.    -
oui oui                  Adds or deletes an authorized OUI.          The value is in H-H-H format. An H is a hexadecimal number of 2 digits.
oui all                  Deletes the authorized OUI list.            -
ssid name ssid           Deletes an authorized SSID.                 The SSID must exist. To specify an SSID starting with a space, enclose the SSID in double quotation marks (" "). For example, in the SSID " hello", the double quotation marks at the start and end of the SSID occupy two characters. To specify an SSID starting with a double quotation mark ("), enter an escape character (\) before the double quotation mark. For example, in the SSID \"hello, the escape character (\) occupies one character.
ssid ssid                Adds an authorized SSID.                    The SSID must exist. To specify an SSID starting with a space, enclose the SSID in double quotation marks (" "). For example, in the SSID " hello", the double quotation marks at the start and end of the SSID occupy two characters. To specify an SSID starting with a double quotation mark ("), enter an escape character (\) before the double quotation mark. For example, in the SSID \"hello, the escape character (\) occupies one character.
ssid all                 Deletes the authorized SSID list.           -

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
After WIDS/WIPS is enabled, rogue APs can be detected and countered. However,
there may be APs of other vendors or other networks working in the existing
signal coverage areas. If these APs are countered, their services will be affected. To
prevent this situation, configure an authorized AP list, including an authorized
MAC address list, OUI list, and SSID list. If an unauthorized AP is detected but
matches the authorized AP list, the AP is considered an authorized AP and will not
be countered.
For example, APs of other vendors are deployed on the existing WLAN to expand network capacity. To prevent the APs from being countered, add OUIs of the vendors to a whitelist and add SSIDs of these APs to a whitelist. In this way, the device will consider the APs as authorized APs.

The device determines whether a detected AP is authorized as follows:
1. Check whether the AP's MAC address is in the authorized MAC address list.
– If so, the AP is an authorized AP.
– If not, go to step 2.
2. Check whether the AP's OUI and SSID are in the OUI and SSID lists.
– If only the SSID list is configured, check whether the AP's SSID is in the authorized SSID list.
▪ If so, the AP is an authorized AP.
▪ If not, the AP is an unauthorized AP.
– If only the OUI list is configured, check whether the AP's OUI is in the authorized OUI list.
▪ If so, the AP is an authorized AP.
▪ If not, the AP is an unauthorized AP.
– If both lists are configured, check whether the AP's OUI and SSID are in the OUI and SSID lists.
▪ If both are, the AP is an authorized AP.
▪ If neither or only one of them is in its list, the AP is an unauthorized AP.

Precautions

If you add or delete an entry, the device will re-check the validity of the
unauthorized APs. If an unauthorized AP becomes authorized, the device stops
countering the AP. If an authorized AP becomes unauthorized, the device starts
countering the AP.

Example
# Add a MAC address, an OUI, and an SSID to the WIDS whitelist.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] permit-ap mac-address 0011-2233-4455
[HUAWEI-wlan-wids] permit-ap oui 00-11-22
[HUAWEI-wlan-wids] permit-ap ssid huawei
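The decision procedure under Usage Scenario, written out as code so the three whitelist entries configured in the example above can be checked against detected APs. This is an added example, not Huawei code: the MAC-format validation follows the Value column of the parameter table, the recheck helper follows the Precautions paragraph, and the outcome when neither an OUI nor an SSID list is configured is an assumption; all MAC addresses and SSIDs used are constructed.

```python
"""Authorization check of a detected AP against the WIDS whitelist, following
the decision steps given for permit-ap. Added example, not Huawei code."""
import re


def _hex_digits(value: str, width: int) -> str:
    """Normalize an H-H-H MAC (0011-2233-4455) or OUI (00-11-22) to lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    if len(digits) != width:
        raise ValueError(f"expected {width} hex digits in {value!r}")
    return digits


def is_valid_permit_mac(mac: str) -> bool:
    """permit-ap rejects FFFF-FFFF-FFFF, 0000-0000-0000 and multicast MAC addresses."""
    try:
        digits = _hex_digits(mac, 12)
    except ValueError:
        return False
    if digits in ("ffffffffffff", "000000000000"):
        return False
    return int(digits[:2], 16) & 1 == 0     # I/G bit of the first octet set = multicast


class WidsWhitelist:
    """Authorized MAC address, OUI and SSID lists as built with permit-ap."""

    def __init__(self):
        self.macs, self.ouis, self.ssids = set(), set(), set()

    def permit_mac(self, mac: str) -> None:
        if not is_valid_permit_mac(mac):
            raise ValueError(f"MAC address not allowed: {mac!r}")
        self.macs.add(_hex_digits(mac, 12))

    def permit_oui(self, oui: str) -> None:
        self.ouis.add(_hex_digits(oui, 6))

    def permit_ssid(self, ssid: str) -> None:
        self.ssids.add(ssid)

    def is_authorized(self, mac: str, ssid: str) -> bool:
        """Steps 1 and 2 of the check described under Usage Scenario."""
        mac = _hex_digits(mac, 12)
        if mac in self.macs:                        # step 1: MAC address list
            return True
        oui_ok = mac[:6] in self.ouis               # OUI = first three bytes of the MAC
        ssid_ok = ssid in self.ssids
        if self.ouis and self.ssids:                # step 2: both lists configured
            return oui_ok and ssid_ok
        if self.ssids:                              # only the SSID list configured
            return ssid_ok
        if self.ouis:                               # only the OUI list configured
            return oui_ok
        return False   # assumption: no OUI/SSID list and no MAC match -> unauthorized

    def recheck(self, detected: dict, countered: set):
        """Re-evaluate detected APs after a whitelist change (see Precautions).
        detected maps MAC -> SSID; countered holds the MACs currently countered.
        Returns (MACs to start countering, MACs to stop countering)."""
        start = {m for m, s in detected.items()
                 if not self.is_authorized(m, s) and m not in countered}
        stop = {m for m, s in detected.items()
                if self.is_authorized(m, s) and m in countered}
        return start, stop


def example_whitelist() -> WidsWhitelist:
    """The three entries from the permit-ap configuration example."""
    wl = WidsWhitelist()
    wl.permit_mac("0011-2233-4455")
    wl.permit_oui("00-11-22")
    wl.permit_ssid("huawei")
    return wl


if __name__ == "__main__":
    wl = example_whitelist()
    for mac, ssid in [("0011-2233-4455", "guest"), ("0011-22aa-bbcc", "huawei"),
                      ("0011-22aa-bbcc", "guest"), ("00e0-fc12-3456", "huawei")]:
        print(mac, ssid, "authorized" if wl.is_authorized(mac, ssid) else "unauthorized")
```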

14.32 reset wlan ids attack-detected


Function
The reset wlan ids attack-detected command deletes information about the
attacking devices detected.


Format
reset wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters
Parameter                Description                                                                                            Value
all                      Deletes information about all types of attacking devices.                                              -
flood                    Deletes information about devices launching flood attacks.                                             -
spoof                    Deletes information about devices launching spoofing attacks.                                          -
wapi-psk                 Deletes information about devices that perform brute force cracking in WAPI-PSK authentication mode.   -
weak-iv                  Deletes information about devices launching weak IV attacks.                                           -
wep-share-key            Deletes information about devices that perform brute force cracking in WEP-SK authentication mode.     -
wpa-psk                  Deletes information about devices that perform brute force cracking in WPA-PSK authentication mode.    -
wpa2-psk                 Deletes information about devices that perform brute force cracking in WPA2-PSK authentication mode.   -
mac-address mac-address  Deletes information about detected devices launching attacks with specified MAC addresses.            The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

Views
All views

Default Level
3: Management level

Usage Guidelines
After attack detection is enabled, information about attacking devices detected is recorded. When there is excessive information recorded or the recorded information is useless, you can run the reset wlan ids attack-detected command to delete the information.

Example
# Delete information about all the current attacking devices.
<HUAWEI> reset wlan ids attack-detected all

14.33 reset wlan ids attack-detected statistics


Function
The reset wlan ids attack-detected statistics command deletes the number of
attacks detected.

Format
reset wlan ids attack-detected statistics

Parameters
None

Views
All views

Default Level
3: Management level

Usage Guidelines
After attack detection is enabled, the number of attacks detected is recorded.
When there is excessive information recorded or the recorded information is
useless, you can run the reset wlan ids attack-detected statistics command to
delete the information.

Example
# Delete the number of attacks detected.
<HUAWEI> reset wlan ids attack-detected statistics

14.34 reset wlan ids attack-history


Function
The reset wlan ids attack-history command deletes historical records about the
attacking devices detected.


Format
reset wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv | wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address }

Parameters
Parameter | Description | Value
all | Deletes historical records about all types of attacking devices. | -
flood | Deletes historical records about devices launching flood attacks. | -
spoof | Deletes historical records about devices launching spoofing attacks. | -
wapi-psk | Deletes historical records about devices that perform brute force cracking in WAPI-PSK authentication mode. | -
weak-iv | Deletes historical records about devices launching weak IV attacks. | -
wep-share-key | Deletes historical records about devices that perform brute force cracking in WEP-SK authentication mode. | -
wpa-psk | Deletes historical records about devices that perform brute force cracking in WPA-PSK authentication mode. | -
wpa2-psk | Deletes historical records about devices that perform brute force cracking in WPA2-PSK authentication mode. | -
mac-address mac-address | Deletes historical records about detected devices launching attacks with specified MAC addresses. | The value is in H-H-H format. An H is a hexadecimal number of 4 digits.

Views
All views

Default Level
3: Management level

Usage Guidelines
After attack detection is enabled, historical records about attacking devices
detected are recorded. When there is excessive information recorded or the
recorded information is useless, you can run the reset wlan ids attack-history
command to delete the information.

Example
# Delete historical records about all the current attacking devices.
<HUAWEI> reset wlan ids attack-history all

14.35 reset wlan dynamic-blacklist


Function
The reset wlan dynamic-blacklist command deletes information about devices in
the dynamic blacklist.

Format
reset wlan dynamic-blacklist { mac-address mac-address | all }

Parameters
Parameter | Description | Value
mac-address mac-address | Deletes the device with a specified MAC address from the dynamic blacklist. | The MAC address must exist.
all | Deletes all information in the dynamic blacklist. | -

Views
All views

Default Level
3: Management level

Usage Guidelines
Usage Scenario
The reset wlan dynamic-blacklist command is applicable to the following
scenarios:
● To re-collect the dynamic blacklist information, run the reset wlan dynamic-
blacklist all command to delete all information in the dynamic blacklist.
After that, the AP re-collects the information.
● To remove an authorized device from the dynamic blacklist, run the reset
wlan dynamic-blacklist mac-address command to remove the MAC address
of the device from the dynamic blacklist. After that, information sent from the
device is not rejected.

Precautions
Running the reset wlan dynamic-blacklist command changes which devices the AP
accepts frames from: a device removed from the dynamic blacklist is no longer
rejected. Exercise caution when running this command.

Example
# Delete the device with the MAC address 00e0-FC12-3456 from the dynamic
blacklist.
<HUAWEI> reset wlan dynamic-blacklist mac-address 00e0-fc12-3456

14.36 reset wlan ids rogue-history


Function
The reset wlan ids rogue-history command deletes historical records of rogue
devices.

Format
reset wlan ids rogue-history { all | ap | bridge | client | adhoc | ssid [ ssid ] |
mac-address mac-address }

Parameters
Parameter | Description | Value
all | Deletes historical records of all rogue devices. | -
ap | Deletes historical records of rogue APs. | -
bridge | Deletes historical records of rogue bridge devices. | -
client | Deletes historical records of rogue user terminals. | -
adhoc | Deletes historical records of rogue ad-hoc devices. | -
ssid [ ssid ] | Deletes historical records of devices with specified SSIDs. | The SSID must exist. To specify an SSID starting with a space, enclose the SSID in double quotation marks (" "). For example, in the SSID " hello", the double quotation marks at the start and end of the SSID occupy two characters. To specify an SSID starting with a double quotation mark ("), enter an escape character (\) before the double quotation mark. For example, in the SSID \"hello, the escape character (\) occupies one character.
mac-address mac-address | Deletes historical records of devices with specified MAC addresses. | The value must be an existing MAC address.

Views
All views

Default Level
3: Management level

Usage Guidelines
When there are excessive historical records of rogue devices or their historical
records are useless, you can run the reset wlan ids rogue-history command to
delete the historical records.

Example
# Delete all detected historical records of the rogue devices.
<HUAWEI> reset wlan ids rogue-history all

14.37 rogue-device log enable


Function
The rogue-device log enable command enables the function of recording rogue
device information in the log.
The undo rogue-device log enable command disables the function of recording
rogue device information in the log.
By default, the function of recording rogue device information in the log is
disabled.

Format
rogue-device log enable
undo rogue-device log enable

Parameters
None

Views
WLAN view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
If a rogue device is detected after this function is enabled, information about the
device is recorded in the log.

Example
# Enable the function of recording rogue device information in the log.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rogue-device log enable

14.38 spoof-detect quiet-time


Function
The spoof-detect quiet-time command sets the quiet time for an AP to record
the detected spoofing attacks.

The undo spoof-detect quiet-time command restores the default quiet time for
an AP to record the detected spoofing attacks.
By default, the quiet time is 600 seconds for an AP to record the detected spoofing
attacks.

Format
spoof-detect quiet-time quiet-time-value
undo spoof-detect quiet-time

Parameters
Parameter | Description | Value
quiet-time-value | Specifies the quiet time for an AP to record the detected spoofing attacks. | The value is an integer that ranges from 60 to 36000, in seconds.

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
After attack detection is enabled on an AP, the AP reports alarms upon attack
detection. If an attack source launches attacks repeatedly, a large number of
repeated alarms are generated. To prevent this situation, configure the quiet time
for an AP to report alarms. When detecting attack sources of the same MAC
address, the AP does not report alarms in the quiet time. However, if the AP still
detects attacks from the attack source after the quiet time expires, the AP reports
alarms. You can set the quiet time based on attack types.
To obtain attack information in a timely manner, set the quiet time to a small
value. If attacks are frequently detected, set the quiet time to a large value to
prevent frequent alarm reports.

Example
# Set the quiet time to 300 seconds for an AP to record the detected spoofing
attacks.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids attack detect enable spoof
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] spoof-detect quiet-time 300

14.39 spoof-ssid
Function
The spoof-ssid command configures a fuzzy matching rule for spoofing SSIDs.
The undo spoof-ssid command deletes a fuzzy matching rule for spoofing SSIDs.
By default, no fuzzy matching rule is configured for spoofing SSIDs.

Format
spoof-ssid fuzzy-match regex regex-value
undo spoof-ssid { fuzzy-match regex regex-value | all }

Parameters
Parameter | Description | Value
fuzzy-match | Configures a fuzzy matching rule to identify spoofing SSIDs. | -
regex regex-value | Specifies the regular expression for an SSID. If a detected SSID matches the regular expression, the SSID is considered a spoofing SSID. | The value is in text format and can contain 1 to 48 case-sensitive characters. It supports Chinese characters or a mixture of Chinese and English characters. When entering the regular expression, press Ctrl+T to enter a question mark (?), because ? alone invokes command help. For how to write the regular expression, see "Filtering the Command Outputs" in the Configuration Guide. NOTE: Only a command editor using UTF-8 encoding can be used to edit Chinese characters.
all | Deletes all fuzzy matching rules. | -

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

WLAN services are available in public places, such as banks and airports. Users can
connect to the WLANs after associating with corresponding SSIDs. If a rogue AP is
deployed and provides spoofing SSIDs similar to authorized SSIDs, the users may
be misled and connect to the rogue AP, which brings security risks. To address this
problem, configure a fuzzy matching rule to identify spoofing SSIDs. The device
compares a detected SSID with the matching rule. If the SSID matches the rule,
the SSID is considered a spoofing SSID. The AP using the spoofing SSID is a rogue
AP. After rogue AP containment is configured, the device contains the rogue AP
and disconnects users from the spoofing SSID.

Precautions

To make fuzzy matching rules for spoofing SSIDs take effect, enable device
detection and rogue device containment so that the device can take
countermeasures against rogue APs.

To contain all SSIDs except those on the local device, set the fuzzy matching rule
to * and then run the contain-mode command to set the containment mode to
spoof-ssid-ap.

Example
# Configure a fuzzy matching rule using the regular expression ^TES[1l]$ to
identify the spoofing SSIDs TES1 and TESl, which resemble the authorized SSID TEST.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] spoof-ssid fuzzy-match regex ^TES[1l]$
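The following Python script is an added example and is not part of the Huawei reference or of the AP software. It models what a fuzzy matching rule does on the AP: every detected SSID is tested against the configured regular expressions, an SSID that matches is a spoofing SSID, and the BSSID that transmitted it is the rogue AP to contain, unless that BSSID belongs to one of the local radios. It enforces the 1 to 48 character limit on rules from the table above and goes one step beyond the page by deriving a look-alike rule from an authorized SSID. The HOMOGLYPHS table, the sample beacons and the BSSIDs are constructed assumptions of the example; only ^TES[1l]$ is taken from the reference.

```python
import re
from dataclasses import dataclass

# Rule taken literally from the reference's own example.
DOC_RULE = r"^TES[1l]$"

# Maximum length of a fuzzy matching rule from the reference (1 to 48 characters).
MAX_RULE_LEN = 48

# Look-alike substitutions commonly used to name an evil twin. This table is
# an assumption of the example, not part of the reference.
HOMOGLYPHS = {
    "O": "O0", "0": "0O",
    "I": "Il1", "l": "l1I", "1": "1lI",
    "S": "S5", "5": "5S",
    "B": "B8", "8": "8B",
    "Z": "Z2", "2": "2Z",
}


def validate_rule(regex: str) -> re.Pattern:
    """Reject rules the AP would not accept (empty or longer than 48
    characters) and rules that are not valid regular expressions."""
    if not 1 <= len(regex) <= MAX_RULE_LEN:
        raise ValueError(f"rule must be 1..{MAX_RULE_LEN} characters: {regex!r}")
    return re.compile(regex)


def lookalike_regex(ssid: str) -> str:
    """Build an anchored rule that matches `ssid` itself and every string
    differing from it only by look-alike character substitutions."""
    parts = []
    for ch in ssid:
        alts = HOMOGLYPHS.get(ch)
        parts.append("[" + re.escape(alts) + "]" if alts else re.escape(ch))
    return "^" + "".join(parts) + "$"


@dataclass(frozen=True)
class Beacon:
    bssid: str   # transmitter MAC in the reference's H-H-H notation
    ssid: str


def classify_spoofing(beacons, rules, local_bssids):
    """Apply the fuzzy matching rules to detected beacons.

    A beacon carries a spoofing SSID when its SSID matches any rule and it
    was not sent by one of our own radios; the transmitter is then the rogue
    AP to contain. Returns {bssid: ssid} for the rogue APs found.
    """
    compiled = [validate_rule(r) for r in rules]
    local = {b.lower() for b in local_bssids}
    rogue = {}
    for b in beacons:
        bssid = b.bssid.lower()
        if bssid in local:
            continue  # never flag or contain the local device's own SSIDs
        if any(rx.search(b.ssid) for rx in compiled):
            rogue[bssid] = b.ssid
    return rogue


# Constructed sample scan result, not captured from a real network.
SAMPLE_BEACONS = [
    Beacon("00e0-fc00-0001", "OFFICE1"),      # our own AP
    Beacon("00e0-fc00-0002", "TEST"),         # our own AP
    Beacon("0004-0004-0004", "TES1"),         # matches the reference's rule
    Beacon("0004-0004-0005", "0FFICE1"),      # zero in place of O
    Beacon("0004-0004-0006", "OFFICE1"),      # exact clone from a foreign BSSID
    Beacon("0004-0004-0007", "Coffee Shop"),  # unrelated network
]
LOCAL_BSSIDS = ["00e0-fc00-0001", "00e0-fc00-0002"]


def run_sample():
    rules = [DOC_RULE, lookalike_regex("OFFICE1")]
    return classify_spoofing(SAMPLE_BEACONS, rules, LOCAL_BSSIDS)


if __name__ == "__main__":
    for bssid, ssid in sorted(run_sample().items()):
        print(f"rogue AP {bssid} broadcasting spoofing SSID {ssid!r}")
```

Note that a rule generated by lookalike_regex also matches the authorized SSID itself, so an exact-name clone broadcast from a foreign BSSID is flagged as well; only the local BSSIDs are exempt, which mirrors the reference's precaution about containing all SSIDs except those on the local device.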

14.40 sta arp-nd-proxy before-assoc


Function
The sta arp-nd-proxy before-assoc command enables an AP to send ARP/ND
proxy packets for a STA before the STA is successfully associated.

The undo sta arp-nd-proxy before-assoc command disables an AP from sending
ARP/ND proxy packets for a STA before the STA is successfully associated.

By default, an AP does not send ARP/ND proxy packets for a STA before the STA is
successfully associated.

Format
sta arp-nd-proxy before-assoc
undo sta arp-nd-proxy before-assoc

Parameters
None

Views
WLAN view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
If an AP is enabled to send ARP/ND proxy packets for a STA before the STA
succeeds in authentication or key negotiation, the Layer 2 switch connected to the
AP learns the MAC address of the STA although the STA has not been admitted to
the network. If an attacker floods thousands of forged STA MAC addresses, the MAC
address table on the switch is filled with bogus entries, bringing security risks. To
avoid this issue, you can run the undo sta arp-nd-proxy before-assoc command to
configure the AP to send ARP/ND proxy packets for a STA only after the STA
succeeds in authentication or key negotiation.
In scenarios with low security requirements, you can run the sta arp-nd-proxy
before-assoc command to configure the AP to send ARP/ND proxy packets for a
STA before the STA is successfully associated, which speeds up link updates.
Precautions
After the undo sta arp-nd-proxy before-assoc command is run on an AP, the AP
does not send ARP/ND proxy packets for a STA that goes online in open or WEP
mode.

Example
# Configure an AP to send ARP/ND proxy packets for a STA before the STA is
successfully associated.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] sta arp-nd-proxy before-assoc

14.41 weak-iv-detect quiet-time


Function
The weak-iv-detect quiet-time command sets the quiet time for an AP to record
the detected weak IV attacks.

The undo weak-iv-detect quiet-time command restores the default quiet time
for an AP to record the detected weak IV attacks.
By default, the quiet time is 600 seconds for an AP to record the detected weak IV
attacks.

Format
weak-iv-detect quiet-time quiet-time-value
undo weak-iv-detect quiet-time

Parameters
Parameter | Description | Value
quiet-time-value | Specifies the quiet time for an AP to record the detected weak IV attacks. | The value is an integer that ranges from 60 to 36000, in seconds.

Views
WIDS view

Default Level
2: Configuration level

Usage Guidelines
After attack detection is enabled on an AP, the AP reports alarms upon attack
detection. If an attack source launches attacks repeatedly, a large number of
repeated alarms are generated. To prevent this situation, configure the quiet time
for an AP to report alarms. When detecting attack sources of the same MAC
address, the AP does not report alarms in the quiet time. However, if the AP still
detects attacks from the attack source after the quiet time expires, the AP reports
alarms. You can set the quiet time based on attack types.
To obtain attack information in a timely manner, set the quiet time to a small
value. If attacks are frequently detected, set the quiet time to a large value to
prevent frequent alarm reports.

Example
# Set the quiet time to 300 seconds for an AP to record the detected weak IV
attacks.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/1
[HUAWEI-wlan-Radio0/0/1] wids attack detect enable weak-iv
[HUAWEI-wlan-Radio0/0/1] quit
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids] weak-iv-detect quiet-time 300
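The following Python script is an added example, not part of the Huawei reference or of the AP software, covering the quiet-time behaviour described under both spoof-detect quiet-time and weak-iv-detect quiet-time: the first detection from a source MAC raises an alarm, further detections of the same attack type from the same MAC are silent until the quiet time has elapsed, and the timer is kept per attack type so that a quiet time of 300 s for spoofing does not affect the 600 s default for weak IV. The 600 s default and the 60 to 36000 s range are from the reference; the detection stream and MAC addresses are constructed for the example.

```python
from collections import defaultdict

DEFAULT_QUIET_TIME = 600        # seconds, the reference's default
QUIET_TIME_RANGE = (60, 36000)  # permitted range from the reference


class AlarmQuietTime:
    """Per-attack-type, per-source-MAC alarm suppression.

    The first detection from a MAC raises an alarm; later detections of the
    same attack type from the same MAC are suppressed until quiet_time
    seconds have passed since that alarm, after which the next detection
    alarms again.
    """

    def __init__(self, quiet_times=None):
        # quiet_times maps attack type -> seconds, e.g. {"spoof": 300};
        # attack types not listed use the 600 s default.
        self.quiet_times = {}
        lo, hi = QUIET_TIME_RANGE
        for attack_type, seconds in (quiet_times or {}).items():
            if not lo <= seconds <= hi:
                raise ValueError(f"{attack_type}: quiet time must be {lo}..{hi} s")
            self.quiet_times[attack_type] = seconds
        self._last_alarm = {}               # (type, mac) -> time of last alarm
        self.suppressed = defaultdict(int)  # (type, mac) -> silent detections

    def detect(self, now, attack_type, mac):
        """Return an alarm string, or None when the detection is suppressed."""
        key = (attack_type, mac.lower())
        quiet = self.quiet_times.get(attack_type, DEFAULT_QUIET_TIME)
        last = self._last_alarm.get(key)
        if last is not None and now - last < quiet:
            self.suppressed[key] += 1
            return None
        self._last_alarm[key] = now
        return f"t={now}s {attack_type} attack from {key[1]}"


# Constructed detection stream (time in seconds, attack type, source MAC);
# not captured from a real AP.
SAMPLE_DETECTIONS = [
    (0, "spoof", "0004-0004-0004"),
    (10, "spoof", "0004-0004-0004"),
    (299, "spoof", "0004-0004-0004"),
    (300, "spoof", "0004-0004-0004"),     # 300 s quiet time has elapsed
    (320, "weak-iv", "0004-0004-0004"),   # different type: separate timer
    (350, "weak-iv", "0004-0004-0004"),
    (400, "spoof", "0004-0004-0005"),     # different MAC: separate timer
    (1000, "weak-iv", "0004-0004-0004"),  # 680 s since the last weak IV alarm
]


def run_sample():
    """Replay the sample with `spoof-detect quiet-time 300` and the 600 s
    default for weak IV; returns (alarms raised, suppressed counts)."""
    qt = AlarmQuietTime({"spoof": 300})
    alarms = [a for a in (qt.detect(*d) for d in SAMPLE_DETECTIONS) if a]
    return alarms, dict(qt.suppressed)


if __name__ == "__main__":
    alarms, suppressed = run_sample()
    print("\n".join(alarms))
    print("suppressed:", suppressed)
```

The replay raises five alarms out of eight detections: the two spoofing detections at 10 s and 299 s and the weak IV detection at 350 s fall inside their quiet windows and are counted rather than reported.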

14.42 wids
Function
The wids command displays the WIDS view.

Format
wids

Parameters
None

Views
WLAN view

Default Level
2: Configuration level

Usage Guidelines
To perform WIDS configurations, run the wids command to enter the WIDS view.
All WIDS configuration commands need to be run in the WIDS view.

Example
# Display the WIDS view.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wids
[HUAWEI-wlan-wids]

14.43 wids attack detect enable


Function
The wids attack detect enable command enables attack detection on an AP
radio.
The undo wids attack detect enable command disables attack detection on an
AP radio.
By default, attack detection is disabled on an AP radio.

Format
wids attack detect enable { all | flood | weak-iv | spoof | wpa-psk | wpa2-psk |
wapi-psk | wep-share-key }

undo wids attack detect enable { all | flood | weak-iv | spoof | wpa-psk | wpa2-
psk | wapi-psk | wep-share-key }

Parameters
Parameter | Description | Value
all | Enables all attack detection functions. | -
flood | Enables flood attack detection. | -
weak-iv | Enables weak IV attack detection. | -
spoof | Enables spoofing attack detection. | -
wpa-psk | Enables brute force attack detection for WPA-PSK authentication. | -
wpa2-psk | Enables brute force attack detection for WPA2-PSK authentication. | -
wapi-psk | Enables brute force attack detection for WAPI-PSK authentication. | -
wep-share-key | Enables brute force attack detection for shared key authentication. | -

Views
Radio interface view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

To monitor and prevent malicious or unintentional attacks on WLANs in real time,
network administrators can enable the following attack detection functions based
on actual requirements:
● flood: indicates flood attack detection used to detect whether an AP receives
a large number of packets of the same type in a short period.
● weak-iv: indicates weak IV attack detection used to detect whether weak IV is
used for WEP encryption on a WLAN.
● spoof: indicates spoofing attack detection used to detect whether a potential
attacker pretends to be an AP to broadcast Deauthentication and
Disassociation packets.
● wpa-psk, wpa2-psk, wapi-psk, wep-share-key: indicates brute force attack
detection. If the WPA-PSK, WPA2-PSK, WAPI-PSK, or WEP-SK security policy is
configured on a WLAN, brute force attack detection can be enabled to
increase the time required for password cracking and improve password
security.

Follow-up Procedure

Run the dynamic-blacklist enable command to enable the dynamic blacklist
function.

Example
# Enable brute force attack detection for WPA-PSK authentication on radio 0.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/0
[HUAWEI-wlan-Radio0/0/0] wids attack detect enable wpa-psk

14.44 wids contain enable


Function
The wids contain enable command enables rogue or interference device
containment on an AP radio.

The undo wids contain enable command disables rogue or interference device
containment on an AP radio.

By default, rogue or interference device containment is disabled on an AP radio.

Format
wids contain enable

undo wids contain enable

Parameters
None

Views
Radio interface view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

Rogue or interference devices pose serious security threats to enterprise networks.

After the containment mode is set against rogue or interference APs, the monitor
AP uses the identity of the rogue or interference AP to broadcast deauthentication
frames to forcibly disconnect STAs. To prevent the STAs from connecting to the
rogue or interference AP again, the monitor AP will periodically and continuously
send deauthentication frames.

After the containment mode is set against rogue or interference STAs or ad-hoc
devices, the monitor AP uses the MAC address of a rogue or interference device to
continuously send unicast deauthentication frames.

Follow-up Procedure

Run the contain-mode command to set the rogue or interference device
containment mode.

Example
# Enable rogue or interference device containment on radio 0.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/0
[HUAWEI-wlan-Radio0/0/0] wids contain enable

14.45 wids device detect enable


Function
The wids device detect enable command enables device detection on an AP
radio.

The undo wids device detect enable command disables device detection on an
AP radio.

By default, device detection is disabled on an AP radio.

Format
wids device detect enable

undo wids device detect enable

Parameters
None

Views
Radio interface view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario

After the wireless device detection function is enabled, the monitoring AP detects
information about wireless devices in its coverage range. The AP determines
whether unauthorized devices exist on the WLAN.

Example
# Enable device detection on radio 0.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/0
[HUAWEI-wlan-Radio0/0/0] wids device detect enable

14.46 wids manual-contain


Function
The wids manual-contain command manually contains specified devices.
The undo wids manual-contain command disables containment of specified
devices.
By default, no device is manually contained.

Format
wids manual-contain device-mac device-mac
undo wids manual-contain { all | device-mac device-mac }

Parameters
Parameter | Description | Value
device-mac device-mac | Specifies the MAC address of a device to be contained (or, with undo, whose manual containment is cancelled). | The value is in H-H-H format. An H is a hexadecimal number of 4 digits.
all | Used only with undo: cancels manual containment of all devices. | -

Views
WLAN view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
You can run the wids manual-contain command in the WLAN view to manually
contain a specified device in a complicated environment.

Precautions
Wireless bridges are not contained.

Example
# Contain the AP with the MAC address of 0004-0004-0004.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wids manual-contain device-mac 0004-0004-0004

14.47 work-mode
Function
The work-mode command sets the radio working mode in the radio profile view.
The undo work-mode command restores the default radio working mode.
By default, AP radios work in normal mode.

Format
work-mode { monitor | normal }
undo work-mode

Parameters
Parameter | Description | Value
monitor | Indicates the monitor mode. | -
normal | Indicates the normal mode. | -

Views
Radio interface view

Default Level
2: Configuration level

Usage Guidelines
Usage Scenario
An AP can work in two modes:
● normal: indicates the normal mode.
– If air scan functions (such as WIDS and terminal location) are disabled on
a radio, the radio is used to transmit common WLAN services.
– If air scan functions (such as WIDS, spectrum analysis, and terminal
location) are enabled on a radio, the radio transmits common WLAN
services and also provides the monitoring function. A transient increase in
the WLAN service latency may occur, which does not affect network
access. However, if any latency-sensitive service (such as
videoconferencing) is running, it is recommended that a separate radio be
used for air scan.
● monitor: indicates the monitor mode.
In this mode, the radio only scans the air interface (for example, for WIDS
detection and containment) and cannot transmit common WLAN services.
Precautions
● The change of the radio working mode can lead to service interruption. Users
cannot associate with the AP when its radio works in monitor mode.
● In monitor mode, the working channels and power of AP radios change at
any time. In this situation, the working channels and power of the AP radios
display as -.

Example
# Set the working mode of radio 0 to monitor.
<HUAWEI> system-view
[HUAWEI] interface wlan-radio 0/0/0
[HUAWEI-wlan-Radio0/0/0] work-mode monitor
Warning: Modify the work mode may cause business interruption, continue?[y/n]:y
