H3c-technologies H3C WA2600 Series WLAN Access Points Manuel d'utilisateur

H3C WA Series WLAN Access PointsWLAN Configuration GuideHangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W100-20100910

2-1 2 Feature Matrix z Support of the H3C WA series WLAN access points for features, commands and parameters may vary by device model. See this do

3-1 3 Command/Parameter Matrix Table 3-1 Command/Parameter matrix Document Module Command/Parameter WA2200 series WA2600 series display ip https

3-2 Document Module Command/Parameter WA2200 series WA2600 series The maximum number of broadcast packets that can be forwarded on an Ethernet int

4-1 z The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to you

4-2 To do… Use the Command… Remarks Set the description string for the interface description text Optional By default, the description string of an

4-3 WLAN Mesh Interface Introduction WLAN mesh interfaces are Layer 2 virtual interfaces. You can use them as configuration templates to make and sav

5-1 z The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to you

5-2 Figure 5-1 Open system authentication process APClientAuthentication requestAuthentication response z Shared key authentication The following f

5-3 Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP us

5-4 1) PSK authentication Both WPA wireless access and WPA2 wireless access support PSK authentication. To implement PSK authentication, the client a

Copyright © 2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved No part of this manual may be reproduced or transmitted

5-5 Follow these steps to enable the authentication method: To do… Use the command… Remarks Enter system view system-view — Enter WLAN service temp

5-6 To do… Use the command… Remarks Enter system view system-view — Enter WLAN service template view wlan service-template service-template-number

5-7 Disable 802.1X online user handshake function before starting PTK and GTK negotiation. Configuring WPA security IE Wi-Fi Protected Access (WPA)

5-8 z In open system authentication mode, a WEP key is used for encryption only. A client can go online without having the same key as the authentic

5-9 Configuring TKIP Follow these steps to configure TKIP: To do… Use the command… Remarks Enter system view system-view — Enter WLAN service templ

5-10 To do… Use the command… Remarks Enter system view system-view — Enter WLAN-BSS interface view interface wlan-bss interface-number Required Ena

5-11 To do… Use the command… Remarks Enable 11key negotiation port-security tx-key-type 11key Required Not enabled by default. Enable the PSK and

5-12 WLAN Security Configuration Examples PSK Authentication Configuration Example Network requirements z As shown in Figure 5-3, the AP is connecte

5-13 z You can use the display wlan client and display port-security preshared-key user commands to view the online clients. MAC-and-PSK Authenticat

5-14 authorization, and accounting servers as 12345678, specify the extended RADIUS server type, and configure the scheme to exclude the ISP domain n

Preface The H3C WA documentation set includes 10 configuration guides, which describe the software features for the H3C WA series WLAN access points a

5-15 Figure 5-5 Add access device # Add service. Select the Service tab, and then select Access Service > Access Device from the navigation tree

5-16 z Add an account and password 00146c8a43ff. z Select the service mac. Figure 5-7 Add account 3) Verify the configuration z After the clien

5-17 [AP] dot1x authentication-method eap # Configure a RADIUS scheme name rad. Configure the IP addresses of both the primary authentication and aut

5-18 2) Configure the RADIUS server (iMC) The following takes the iMC (the iMC versions are iMC PLAT 3.20-R2602 and iMC UAM 3.60-E6102) as an exam

5-19 Figure 5-10 Add service # Add account. Select the User tab, and then select Users > All Access Users from the navigation tree to enter the

5-20 Double click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears. Click the Properties

5-21 Figure 5-12 Configure the wireless card (I)

5-22 Figure 5-13 Configure the wireless card (II)

5-23 Figure 5-14 Configure the wireless card (III) 4) Verify the configuration. z The client can pass 802.1X authentication and associate with th

5-24 Figure 5-15 Network diagram for dynamic WEP encryption-802.1X authentication Configuration procedure 1) Configure the AP <Sysname> syst

Convention Description &<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n time

5-25 2) Configure the RADIUS server (iMC) See Configure the RADIUS server (iMC). 3) Configure the wireless card See Configure the wireless card. Co

5-26 WPA For WPA, the WLAN-WSEC module supports the CCMP and TKIP ciphers as the pair wise ciphers and WEP cipher suites will only be used as group c

6-1 z The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to you

6-2 Task Remarks Configuring Data Transmission Rates Optional Configuring Power Constraint Optional Configuring Only Non-802.11h Channels to Be Sc

6-3 For example, if you specify the maximum MCS index as 5 for mandatory rates, rates corresponding to MCS indexes 0 through 5 are configured as 802.

6-4 Configuring Only Non-802.11h Channels to Be Scanned Configuring Only Non-802.11h Channels to Be Scanned Follow these steps to configure only non-

7-1 z The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to you

7-2 z Ad-hoc mode: A station in ad-hoc mode can directly communicate with other stations without support from any other device. WLAN IDS IPS WLAN ID

7-3 Configuring IDS Attack Detection Configuring IDS Attack Detection Follow these steps to configure IDS attack detection: To do… Use the command…

7-4 When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame as follows: 1) If the source MAC addr

Category Documents Purposes User FAQ Provides answers to some of the most frequently asked questions on how to troubleshoot your AP. Operations and

7-5 Configuring Static White and Black Lists Follow these steps to configure static white and black lists: To do… Use the command… Remarks Enter sy

7-6 Figure 7-2 WLAN IDS frame filtering configuration Configuration procedure # Add MAC address 0000-000f-1211 of Client 1 into the blacklist. <

8-1 z The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to you

8-2 4) CAC Connection admission control (CAC) limits the number of clients that are using high-priority ACs (AC-VO and AC-VI) to guarantee sufficient

8-3 Figure 8-1 Per-AC channel contention parameters in WMM CAC admission policies CAC requires that a client obtain permission of the AP before it

8-4 SVP SVP can assign packets with the protocol ID 119 in the IP header to a specific AC. SVP stipulates that random backoff is not performed for SV

8-5 To do… Use the command… Remarks Set the EDCA parameters of AC-BE or AC-BK for clients wmm edca client { ac-be | ac-bk } { aifsn aifsn-value | e

8-6 Table 8-2 Default EDCA parameters for APs AC AIFSN ECWmin ECWmax TXOP Limit AC-BK 7 4 10 0 AC-BE 3 4 6 0 AC-VI 1 3 4 94 AC-VO 1 2 3 47 Displ

8-7 [AP-Ethernet1/0/1] quit # Create a clear-type WLAN service template, configure its SSID as market, configure its authentication method as open-sy

8-8 # Create a clear-type WLAN service template, configure its SSID as market, configure its authentication method as open-system, and then enable th

i Table of Contents 1 Applicable Models and Software Versions...

8-9 Solution 1) Use the wmm enable command to enable the WMM function. 2) Check the state of the SVP priority mapping function or CAC again.

9-1 z The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to you

9-2 z Easy to deploy in scenarios of metro, company, office, large warehouses, manufacturing, ports and waterfronts and so on Deployment Scenarios

9-3 Figure 9-3 Mesh bridging MP 2MP 1LAN Segment 2LAN Segment 1MP 4MP 3 WDS Configuration Task List Complete the following tasks to configure WDS: T

9-4 For more information about the port-security tx-key-type, port-security preshared-key, and port-security port-mode commands, see Port Security

9-5 To do… Use the command… Remarks Configure the link saturation RSSI link-saturation-rssi valueOptional 100 dBm by default Configure the probe re

9-6 Specifying a Peer MAC Address on the Radio You need to specify the MAC addresses of allowed peers on the local radio interface. Follow these ste

9-7 Figure 9-4 WDS point to point configuration AP 2AP 1LAN Segment 2LAN Segment 1 Configuration procedure Because the WDS point to point configurat

9-8 [AP1-WLAN-Radio1/0/1] mesh-profile 1 The configuration of AP 2 is the same as that of AP 1. You only need to configure the peer MAC address as th

10-1 z The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to yo

ii 6 WLAN RRM Configuration...6-1

10-2 Fat AP A fat AP controls and manages all associated wireless stations and bridges frames between wired and wireless networks. SSID The service s

10-3 Figure 10-2 Active scanning (the SSID of the probe request is null, that is, no SSID information is carried) z When the wireless c

10-4 Authentication To secure wireless links, a wireless client must be authenticated before accessing an AP, and only wireless clients passing the a

10-5 z Ethernet to Dot11 Frame Conversion z Keep Alive Mechanism z Idle Timeout Mechanism z Clear Channel Search WLAN Topologies WLAN has the fol

10-6 Figure 10-6 Multiple ESS network Generally, Fat AP can provide more than one logical ESS at the same time. The configuration of ESS in Fat AP

10-7 Protocols and Standards For more information on protocols and standards, see: z ANSI/IEEE Std 802.11, 1999 Edition z IEEE Std 802.11a z IEEE

10-8 To do… Use the command… Remarks Enter system view system-view — Specify the country code wlan country-code code Required By default the count

10-9 Configuring the Radio of an AP Follow these steps to configure the radio of an AP: To do… Use the command… Remarks Enter system view system-vi

10-10 To do… Use the command… Remarks Set the maximum number of attempts for transmitting a frame larger than the RTS threshold long-retry threshol

10-11 To do… Use the command… Remarks Enable the short GI function short-gi enable Optional Enabled by default. Enable the A-MSDU function a-msdu e

iii Deployment Scenarios ...9-2 WDS C

10-12 To do… Use the command… Remarks Enter system view system-view — Specify the uplink interface (Ethernet interface) wlan uplink-interface inter

10-13 Figure 10-10 User isolation network diagram As shown in Figure 10-10, after the fat AP is enabled with user isolation, clients 1 through 4 ca

10-14 Configuration procedure 1) Configuration on the fat AP # Create a WLAN BSS interface. <AP> system-view [AP] interface WLAN-BSS 1 [AP-WLA

10-15 Configuration procedure 1) Configuration on the fat AP # Create a WLAN-ESS interface. <AP> system-view [AP] interface WLAN-BSS 1 [AP-WLA

11-1 11 Index 802.11 Overview 10-4 C Configuration Task list 6-1 Configuring Data Transmission Rates 6-2 Configuring IDS Attack Detection 7-3 Config

1-1 z The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your