一、WLAN安全威胁

• WiFi无认证：An attacker can connect to a wireless network at will,And then attack the entire network.
• Wireless data is not encrypted：Attackers can eavesdrop and tamper with the services transmitted in the wireless channel by capturing packets over the air interface.
• border threats：非法AP与合法APput out the sameSSID,It is illegal to trick users into connectingAP,Intercept user data.

二、WLAN安全防御

• 安全认证：Make sure that only authorized users are allowed to connect to the network,比如家里的WiFi连接需要密码.
• 数据加密和完整性：Ensure privacy during data transfer,使用CRC（循环冗余校验）确保数据完整性.
  • WLAN加密方式： TKIP（临时密钥完整性协议）、CCMP（Block password chain-Information Authenticity Check Code Protocol）
• WPA采用了TKIP加密算法,Provides a key reset mechanism,And enhance the effective length of the key,Safety is far greater thanWEP.
• WAP2采用CCMP加密机制,The encryption mechanism used is AES（高级加密标准）,比TKIP更难被破解.
• WPA和WPA2都可以使用TKIP或AES加密算法.

2.1、WLANComparison of security policies

2.2、RADIUS概述

• RADIUS是实现AAA的一种方式、C/S结构、基于UDP1812、1813The port is used as the authentication and accounting port.

• The user connects firstAP,APPass user information to AC,AC与RADIUS服务器进行交互,对用户的身份进行验证,这里AC充当了RADIUS客户端的角色.

2.2.1、需要RADIUSSeveral authentications for the server

802.1x认证
由IEEEEstablished authentication standards for users to access the network,The user is required to enter the account password for authentication,Similar to home broadbandPPPoE拨号与RADIUSAuthentication online this way.

MAC认证
是基于MACThe authentication method used by the address to control the user's network authority,The authentication process does not require the user to manually enter the user name and password,It is an authentication method suitable for devices such as printers that are not easy to interact with.

Portal认证
The classic application scenario of this kind of authentication is in places with high traffic such as train stations or shopping malls,connect to publicWiFiThe page will then be directed to oneweb认证界面,Enter your phone number to get a verification code to access the Internet.

MAC优先Portal认证
用户进行Portal认证成功后,Disconnect from the network for a certain period of time,能够直接通过MACAuthenticate to reconnect to the network.

三、WLAN安全配置

3.1、Configure open authentication

• 创建安全模板

[AC] wlan
[AC-wlan-view] security-profile name "profile-name"

• 配置安全策略为开放认证

[AC-wlan-sec-prof-wlan] security open

3.2、配置WEP安全策略

• 创建安全模板

[AC] wlan
[AC-wlan-view] security-profile name "profile-name"

• 配置安全策略为WEP

[AC-wlan-sec-prof-wlan] security wep share-key

• 配置wep共享密钥

[AC-wlan-sec-prof-wlan] wep key "key-id" {wep-40|wep-104|wep-128} pass-phrase "key-value"

3.3、配置WPA/WPA2-PPSK认证

• 创建安全模板

[AC] wlan
[AC-wlan-view] security-profile name "profile-name"

• 配置安全策略为WPA/WPA2-PPSK

[AC-wlan-sec-prof-wlan] security {wpa|wpa2|wpa-wpa2} psk pass-phrase "key-value" {aes|tkip|aes-tkip}

• 配置PPSK关键参数

[AC-wlan-view] ppsk-user psk pass-phrase "key-value" [user-name "user-name"|user-group "user-group"|vlan "vlan-id"|expire-date "expire-date"|max-device "max-device-number"|branch-goup "branch-group"|mac-address "mac-address"] ssid "ssid"

3.4、实验案例

3.4.1、实验拓扑

3.4.2、实验介绍

• 业务VLAN ID：10
• 管理VLAN ID：20
• AP从AC中自动获取IP地址
• STAfrom a Layer 3 switchLSW1中自动获取ip地址
• AR2Simulate a router in the public network,AR1是出口路由器

3.4.3、实验配置

LSW7：
sys
vlan  batch 10 20
int g0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
int g0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
port trunk pvid vlan 20

LSW1:
sys
vlan  batch 10 20

int g0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
q

int g0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
q

dhcp enable
ip pool sta
gateway-list 192.168.10.254
network 192.168.10.0 mask 24
dns-lis 8.8.8.8
q

int vlanif 10
ip add 192.168.10.254 24
dhcp select global
q

vlan 30
int vlanif 30
ip add 192.168.30.1 24
q

int g0/0/1
port link-type access
port default vlan 30

ip route-s 0.0.0.0 0 192.168.30.2

AC1:
sys
vlan batch 10 20
dhcp enable

ip pool ap
gateway-list 192.168.20.254
network 192.168.20.0 mask 24
dns-list 8.8.8.8

int vlanif20
ip add 192.168.20.254 24
dhcp select global

int g0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20

wlan
ap-group name group1
q
regulatory-domain-profile name default
country-code cn
q
ap-group name group1
regulatory-domain-profile  default
选择y

capwap source int vlanif 20

wlan
ap auth-mode mac-auth
ap-id 0 ap-mac 00e0-fca9-1fe0
ap-name ap1
ap-group group1
选择y

security-profile name A //创建安全模板
security wpa2 psk pass-phrase A1234567 aes
q
ssid-profile name test //创建ssid模板
ssid test
q
vap-profile name A //创建vap模板
forward-mode direct-forward 
service-vlan vlan-id 10 //很重要,Must be set to businessVLAN号
security-profile A //绑定安全模板
ssid-profile test //绑定ssid模板
q
ap-group name group1 //把group1组里面的ap根据vap A设置启动
vap-profile A wlan 1 radio all 

AR1:
sys
int g0/0/1
ip add 192.168.30.2 24
q
acl 2000
rule 5 permit
int g0/0/0
ip add 30.30.30.1 24
nat outbound 2000
q
ip route-s 0.0.0.0 0 30.30.30.2
ip route-s 192.168.0.0 16 192.168.30.1

AR2:
sys
int g0/0/0
ip add 30.30.30.2 24

3.4.4、结果验证

• 查看STA获取到的ip地址,可以看到是192.168.10.253,is businessVLAN10.
  
• 用STApingTest the public network address.
  
• 在AC上查看AP的信息,可以看到AP已经正常上线,And get to the managementVLAN20的IP地址.
  

四、总结

service-vlan vlan-id 10 这个很重要,Must be set to businessVLAN号,不然STABusiness cannot be obtained normallyVLAN的IP地址,The port type of the switch and the allowed onevlanLabels are also carefully set correctly.