无线探针咨询
- 0关注
- 0收藏,488浏览
问题描述:
需求:要求全校区域内每天不定时无线探测是否存在无密码的非法SSID
问题:
1、根据需求,是不是在不同的区域只能手动指定一台AP作为探测AP,能否由设备随机指定AP?
2、能否实现每天不定时的探测?
3、提供下配置案例(V7)
- 2024-03-29提问
- 举报
-
(0)
最佳答案
参考
3 配置举例
3.1 组网需求
如图1所示,AP通过交换机与AC相连,AP1和AP2为Client提供无线服务,配置SSID为service,在Sensor上开启WIPS功能,当检测到非法AP提供非法的SSID(service或其他任意SSID比如free)提供给Client接入时,这时Sensor AP对非法AP会进行反制,阻止Client在非法AP上线。
图1 WIPS针对所有SSID进行反制配置组网图
3.2 配置步骤
3.2.1 配置AC
(1) 配置AC的接口
# 创建VLAN 100及其对应的VLAN接口,并为该接口配置IP地址。AP将通过该IP地址与AC建立CAPWAP隧道。
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 112.12.1.25 16
[AC-Vlan-interface100] quit
# 创建VLAN 200及其对应的VLAN接口,并为该接口配置IP地址。Client使用VLAN200接入无线网络。
[AC] vlan 200
[AC-vlan200] quit
[AC] interface vlan-interface 200
[AC-Vlan-interface200] ip address 112.13.1.25 16
[AC-Vlan-interface200] quit
# 配置AC和Switch相连的接口GigabitEthernet1/0/1为Trunk类型,禁止VLAN 1报文通过,允许VLAN 100和VLAN 200通过。
[AC] interface gigabitethernet1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
(2) 配置DHCP server
# 开启DHCP server功能。
[AC] dhcp enable
# 配置DHCP地址池vlan100为AP分配地址范围为112.12.0.0/16,网关地址为112.12.1.25。
[AC] dhcp server ip-pool vlan100
[AC-dhcp-pool-vlan100] network 112.12.0.0 mask 255.255.0.0
[AC-dhcp-pool-vlan100] gateway-list 112.12.1.25
[AC-dhcp-pool-vlan100] quit
# 配置DHCP地址池vlan200为Client分配地址范围为112.13.0.0/16,为Client分配的DNS服务器地址为网关地址(实际使用过程中请根据实际网络规划配置无线客户端的DNS服务器地址),网关地址为112.13.1.25。
[AC] dhcp server ip-pool vlan200
[AC-dhcp-pool-vlan200] network 112.13.0.0 mask 255.255.0.0
[AC-dhcp-pool-vlan200] gateway-list 112.13.1.25
[AC-dhcp-pool-vlan200] dns-list 112.13.1.25
[AC-dhcp-pool-vlan200] quit
(3) 配置WIPS
# 进入WIPS视图。
[AC] wips
# 配置AP分类规则,对SSID为service的进行匹配。
[AC-wips] ap-classification rule 1
[AC-wips-cls-rule-1] ssid equal service
[AC-wips-cls-rule-1] quit
# 配置AP分类规则,对SSID不为service的进行匹配。
[AC-wips] ap-classification rule 2
[AC-wips-cls-rule-2] ssid not equal service
[AC-wips-cls-rule-2] quit
# 配置AP分类策略,对符合分类规则rule1和rule2的AP分类为非法AP,设置反制的优先级为最高,并将AP1和AP2加入到信任列表中。
[AC-wips] classification policy class1
[AC-wips-cls-class1] apply ap-classification rule 1 rogue-ap severity-level 100
[AC-wips-cls-class1] apply ap-classification rule 2 rogue-ap severity-level 100
[AC-wips-cls-class1] trust mac-address 000f-1111-0111
[AC-wips-cls-class1] trust mac-address 000f-1111-0112
[AC-wips-cls-class1] quit
# 创建虚拟安全域,并应用分类策略到虚拟安全域vsd1。
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-1] apply classification policy class1
[AC-wips-vsd-1] quit
# 配制反制策略,反制非法AP。
[AC-wips] countermeasure policy 1
[AC-wips-cms-1] countermeasure rogue-ap
[AC-wips-cms-1] quit
# 应用反制策略到虚拟安全域vsd1。
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] apply countermeasure policy 1
[AC-wips-vsd-vsd1] quit
[AC-wips] quit
(4) 配置AP
在大规模组网时,推荐在AP组内进行配置。
# 创建无线服务模板service,并配置SSID为service,配置Client从无线服务模板service上线后会被加入VLAN 200。
[AC] wlan service-template service
[AC-wlan-st-service] ssid service
[AC-wlan-st-service] vlan 200
# 配置身份认证与密钥管理模式为PSK模式,配置PSK密钥为明文字符串12345678。
[AC-wlan-st-service] akm mode psk
[AC-wlan-st-service] preshared-key pass-phrase simple 12345678
# 配置加密套件为CCMP,安全信息元素为RSN。
[AC-wlan-st-service] cipher-suite ccmp
[AC-wlan-st-service] security-ie rsn
# 配置客户端数据报文转发位置为AC。(如果客户端数据报文的缺省转发位置与本配置相同,请跳过此步骤)
[AC-wlan-st-service] client forwarding-location ac
# 开启无线服务模板。
[AC-wlan-st-service] service-template enable
[AC-wlan-st-service] quit
# 创建手工AP,名称为ap1,选择AP型号并配置序列号。
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC-wlan-ap-ap1] quit
# 创建手工AP,名称为ap2,选择AP型号并配置序列号。
[AC] wlan ap ap2 model WA6320
[AC-wlan-ap-ap2] serial-id 219801A28N819CE0003T
[AC-wlan-ap-ap2] quit
# 创建AP组group1,并配置AP名称入组规则。
[AC] wlan ap-group group1
[AC-wlan-ap-group-group1] ap ap1 ap2
# 将无线服务模板绑定到AP组group1下的Radio 1上。
[AC-wlan-ap-group-group1] ap-model WA6320
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template service
# 开启Radio 1的射频功能。
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit
[AC-wlan-ap-group-group1-ap-model-WA6320] quit
[AC-wlan-ap-group-group1] quit
# 创建手工AP,名称为sensor,选择AP型号并配置序列号。
[AC] wlan ap sensor model WA6320
[AC-wlan-ap-sensor] serial-id 219801A28N819CE0004T
[AC-wlan-ap-sensor] quit
# 创建AP组group2,并配置AP名称入组规则。
[AC] wlan ap-group group2
[AC-wlan-ap-group-group2] ap sensor
# 开启Radio 1的射频功能。
[AC-wlan-ap-group-group2] ap-model WA6320
[AC-wlan-ap-group-group2-ap-model-WA6320] radio 1
[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] radio enable
# 射频接口开启WIPS功能并加入虚拟安全域中。
[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] wips enable
[AC-wlan-ap-group-group2-ap-model-WA6320-radio-1] quit
[AC-wlan-ap-group-group2-ap-model-WA6320] quit
[AC-wlan-ap-group-group2] wips virtual-security-domain vsd1
[AC-wlan-ap-group-group2] return
3.2.2 配置Switch
# 创建VLAN 100和VLAN 200,其中VLAN 100用于转发AC和AP间CAPWAP隧道内的流量,VLAN 200用于转发Client无线报文。
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] vlan 200
[Switch-vlan200] quit
# 配置Switch与AC相连的GigabitEthernet1/0/1接口的属性为Trunk,禁止VLAN 1报文通过,允许VLAN 100和200通过。
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
# 配置Switch与Sensor相连的GigabitEthernet1/0/2接口属性为Access,并允许VLAN 100通过。
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 100
# 开启PoE接口远程供电功能。
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
# 配置Switch与AP1相连的GigabitEthernet1/0/3接口属性为Access,并允许VLAN 100通过。
[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port access vlan 100
# 开启PoE接口远程供电功能。
[Switch-GigabitEthernet1/0/3] poe enable
[Switch-GigabitEthernet1/0/3] quit
# 配置Switch与AP2相连的GigabitEthernet1/0/4接口属性为Access,并允许VLAN 100通过。
[Switch] interface gigabitethernet1/0/4
[Switch-GigabitEthernet1/0/4] port link-type access
[Switch-GigabitEthernet1/0/4] port access vlan 100
# 开启PoE接口远程供电功能。
[Switch-GigabitEthernet1/0/4] poe enable
[Switch-GigabitEthernet1/0/4] quit
3.3 验证配置
(1) 查看Sensor所在虚拟安全域扫描到的设备,Rogue AP提供的服务SSID和本地AC关联的业务AP提供的服务SSID相同,WIPS能正确识别关联的业务AP为授权AP,Rogue AP为非法AP。
<AC> display wips virtual-security-domain vsd1 device
Total 3 detected devices in virtual-security-domain vsd1
Class: Auth - authorization; Ext - external; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address Type Class Duration Sensors Channel Status
000f-1111-0111 AP Auth 00h 05m 26s 1 161 Active
000f-1111-0112 AP Auth 00h 05m 26s 1 161 Active
000f-e200-1202 AP Rogue 00h 05m 26s 1 161 Active
000f-e200-1222 AP Rogue 00h 05m 26s 1 161 Active
可以查看到外部AP被分类成Rogue AP,正确关联的AP被分类成授权AP。
(2) 验证反制功能正常,通过display wips virtual-security-domain vsd1 countermeasure record命令查看反制记录。
<AC> display wips virtual-security-domain vsd1 countermeasure record
Total 2 times countermeasure, current 2 countermeasure record in virtual-security-domain vsd1
Reason: Attack; Ass - associated; Black - blacklist;
Class - classification; Manu - manual;
MAC address Type Reason Countermeasure AP Radio ID Time
000f-e200-1202 AP Class sensor 1 2019-09-20/07:20:38
000f-e200-1222 AP Class sensor 1 2019-09-20/07:20:38
3.4 配置文件
· AC:
#
dhcp enable
#
vlan 100
#
vlan 200
#
dhcp server ip-pool vlan100
gateway-list 112.12.1.25
network 112.12.0.0 mask 255.255.0.0
#
dhcp server ip-pool vlan200
gateway-list 112.13.1.25
network 112.13.0.0 mask 255.255.0.0
dns-list 112.13.1.25
#
wlan service-template service
ssid service
vlan 200
client forwarding-location ac
akm mode psk
preshared-key pass-phrase cipher $c$3$jJ5Vq5IaYJJP9g7gA9h4rbGHLlUK/iEIQlFB
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface Vlan-interface100
ip address 112.12.1.25 255.255.0.0
#
interface Vlan-interface200
ip address 112.13.1.25 255.255.0.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 200
#
wlan ap-group group1
vlan 1
ap ap1
ap ap2
ap-model WA6320
radio 1
radio enable
service-template service
radio 2
gigabitethernet 1
#
wlan ap-group group2
vlan 1
ap sensor
wips virtual-security-domain vsd1
ap-model WA6320
radio 1
radio enable
wips enable
radio 2
gigabitethernet 1
#
wlan ap ap1 model WA6320
serial-id 219801A2N819CE0002T
#
wlan ap ap2 model WA6320
serial-id 219801A2N819CE0003T
#
wlan ap sensor model 6320
serial-id 219801A2N819CE0004T
#
wips
#
ap-classification rule 1
ssid equal service
#
ap-classification rule 2
ssid not equal service
#
classification policy class1
apply ap-classification rule 1 rogue-ap severity-level 100
apply ap-classification rule 2 rogue-ap severity-level 100
trust mac-address 000f-1111-0111
trust mac-address 000f-1111-0112
#
countermeasure policy 1
countermeasure rogue-ap
#
virtual-security-domain vsd1
apply classification policy class1
apply countermeasure policy 1
#
· Switch:
#
vlan 100
#
vlan 200
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 200
#
interface GigabitEthernet1/0/2
port access vlan 100
poe enable
#
interface GigabitEthernet1/0/3
port access vlan 100
poe enable
#
interface GigabitEthernet1/0/4
port access vlan 100
poe enable
#
- 2024-03-29回答
- 评论(0)
- 举报
-
(0)
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论